CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 6 and 6.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
15251 CVE-2006-6032 XSS 2006-11-21 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Multiple cross-site scripting (XSS) vulnerabilities in Simple PHP Blog (SPHPBlog), probably 0.4.8, allow remote attackers to inject arbitrary web script or HTML via (1) the action parameter in add_block.php or (2) the entry parameter in index.php, different vectors than CVE-2005-1135. NOTE: this has been reported to affect 0.8, but as of 20061121, the most recent version is only 0.4.9.
15252 CVE-2006-6022 XSS 2006-11-21 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in login_form.asp in BestWebApp Dating Site allows remote attackers to inject arbitrary web script or HTML via the msg parameter.
15253 CVE-2006-6020 XSS 2006-11-21 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in announce.php in Blog Torrent Preview 0.92 allows remote attackers to inject arbitrary web script or HTML via the left parameter.
15254 CVE-2006-6019 XSS 2006-11-21 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in extensions/googiespell/googlespell_proxy.php in Bill Roberts Bloo 1.0 allows remote attackers to inject arbitrary web script or HTML via the lang parameter.
15255 CVE-2006-6008 +Priv 2006-11-21 2008-09-05
6.5
User Remote Low Single system Partial Partial Partial
ftpd in Linux Netkit (linux-ftpd) 0.17, and possibly other versions, does not check the return status of certain seteuid, setgid, and setuid calls, which might allow remote authenticated users to gain privileges if these calls fail in cases such as PAM failures or resource limits, a different vulnerability than CVE-2006-5778.
15256 CVE-2006-5986 XSS 2006-11-20 2008-09-05
6.8
User Remote Medium Not required Partial Partial Partial
admin/options.php in Extreme CMS 0.9, and possibly earlier, does not require authentication, which might allow remote attackers to conduct unauthorized activities. NOTE: this issue can be combined with another vulnerability to expand the scope of a cross-site scripting (XSS) attack without authentication. NOTE: the provenance of this information is unknown; details are obtained from third party sources.
15257 CVE-2006-5985 XSS 2006-11-20 2008-09-05
6.8
User Remote Medium Not required Partial Partial Partial
Multiple cross-site scripting (XSS) vulnerabilities in admin/options.php in Extreme CMS 0.9, and possibly earlier, allow remote attackers to inject arbitrary web script or HTML via the (1) bg1, (2) bg2, (3) text, or (4) size parameters. NOTE: the provenance of this information is unknown; details are obtained from third party sources.
15258 CVE-2006-5984 XSS 2006-11-20 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Multiple cross-site scripting (XSS) vulnerabilities in Helm Web Hosting Control Panel 3.2.10 allow remote authenticated users to inject arbitrary web script or HTML via the (1) txtCompanyName, (2) txtEmail, or (3) txtUserAccNum parameter to (a) users.asp, or the (4) setThemeColour parameter to (b) default.asp in the Reseller and Admin levels; or the (5) setThemeColour parameter to default.asp in the User level. NOTE: the txtDomainName parameter to domains.asp is covered by CVE-2006-1407, which suggests that this vector is fixed in 3.2.10 stable.
15259 CVE-2006-5983 XSS 2006-11-20 2018-10-17
6.0
User Remote Medium Single system Partial Partial Partial
Multiple cross-site scripting (XSS) vulnerabilities in JBMC Software DirectAdmin 1.28.1 allow remote authenticated users to inject arbitrary web script or HTML via the (1) user parameter to (a) CMD_SHOW_RESELLER or (b) CMD_SHOW_USER in the Admin level; the (2) TYPE parameter to (c) CMD_TICKET_CREATE or (d) CMD_TICKET, the (3) user parameter to (e) CMD_EMAIL_FORWARDER_MODIFY, (f) CMD_EMAIL_VACATION_MODIFY, or (g) CMD_FTP_SHOW, and the (4) name parameter to (h) CMD_EMAIL_LIST in the User level; or the (5) user parameter to (i) CMD_SHOW_USER in the Reseller level.
15260 CVE-2006-5981 22 Dir. Trav. 2006-11-20 2017-07-19
6.4
None Remote Low Not required Partial Partial None
Multiple directory traversal vulnerabilities in SeleniumServer FTP Server 1.0, and possibly earlier, allow remote attackers to list arbitrary directories, read arbitrary files, and upload arbitrary files via directory traversal sequences in the (1) DIR (LIST or NLST), (2) GET (RETR), and (3) PUT (STOR) commands.
15261 CVE-2006-5975 XSS 2006-11-20 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Multiple cross-site scripting (XSS) vulnerabilities in comments.asp in BlogMe 3.0 allow remote attackers to inject arbitrary web script or HTML via the (1) Name, (2) URL, or (3) Comments field.
15262 CVE-2006-5966 399 2006-11-17 2018-10-17
6.4
None Remote Low Not required Partial None Partial
Panda ActiveScan 5.53.00, and other versions before 5.54.01, allows remote attackers to (1) reboot the system using the Reinicializar method in the ActiveScan.1 ActiveX control, or (2) determine arbitrary file existence and size via the ObtenerTamano method in the PAVPZ.SOS.1 ActiveX control.
15263 CVE-2006-5960 XSS 2006-11-16 2017-07-19
6.8
User Remote Medium Not required Partial Partial Partial
Multiple cross-site scripting (XSS) vulnerabilities in account_login.asp in A+ Store E-Commerce allow remote attackers to inject arbitrary web script or HTML via the (1) username (txtUserName) and (2) password (txtPassword) parameters. NOTE: portions of these details are obtained from third party information.
15264 CVE-2006-5958 XSS 2006-11-16 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Multiple cross-site scripting (XSS) vulnerabilities in INFINICART allow remote attackers to inject arbitrary web script or HTML via the (1) username and (2) password fields in (a) login.asp, (3) search field in (b) search.asp, and (4) email field in (c) sendpassword.asp.
15265 CVE-2006-5944 XSS 2006-11-16 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in csm/asp/listings.asp in MGinternet Car Site Manager (CSM) allows remote attackers to inject arbitrary web script or HTML via the s parameter.
15266 CVE-2006-5942 XSS 2006-11-16 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in inventory/display/display_results.asp in Website Designs For Less Inventory Manager allows remote attackers to inject arbitrary web script or HTML via the category parameter.
15267 CVE-2006-5915 XSS 2006-11-15 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Multiple cross-site scripting (XSS) vulnerabilities in ls.php in SAMEDIA LandShop allow remote attackers to inject arbitrary web script or HTML via the (1) start, (2) CAT_ID, (3) keyword, (4) search_area, (5) search_type, (6) infield, or (7) search_order parameter.
15268 CVE-2006-5913 2006-11-15 2018-10-17
6.4
None Remote Low Not required None Partial Partial
Microsoft Internet Explorer 7 allows remote attackers to (1) cause a security certificate from a secure web site to appear invalid via a link to res://ieframe.dll/sslnavcancel.htm with the target site in the anchor identifier, which displays the site's URL in the address bar but causes Internet Explorer to report that the certificate is invalid, or (2) trigger a "The webpage no longer exists" report via a link to res://ieframe.dll/http_410.htm, a variant of CVE-2006-5805.
15269 CVE-2006-5905 2006-11-15 2018-10-17
6.4
None Remote Low Not required Partial Partial None
Web Directory Pro allows remote attackers to (1) backup the database and obtain the backup via a direct request to admin/backup_db.php or (2) modify configuration via a direct request to admin/options.php.
15270 CVE-2006-5900 XSS 2006-11-15 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in the incubator/tests/Zend/Http/_files/testRedirections.php sample code in Zend Framework Preview 0.2.0 allows remote attackers to inject arbitrary web script or HTML via arbitrary parameters.
15271 CVE-2006-5894 Dir. Trav. 2006-11-14 2017-10-18
6.8
User Remote Medium Not required Partial Partial Partial
Directory traversal vulnerability in lang.php in Rama CMS 0.68 and earlier, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the lang cookie, as demonstrated by injecting PHP sequences into an Apache HTTP Server log file, which is then included by lang.php.
15272 CVE-2006-5875 Exec Code 2006-12-13 2017-07-19
6.8
User Remote Medium Not required Partial Partial Partial
eoc.py in Enemies of Carlotta (EoC) before 1.2.4 allows remote attackers to execute arbitrary commands via shell metacharacters in an "SMTP level e-mail address".
15273 CVE-2006-5866 Dir. Trav. 2006-11-10 2018-10-17
6.4
None Remote Low Not required Partial Partial None
Directory traversal vulnerability in Mdoc/view-sourcecode.php for phpManta 1.0.2 and earlier allows remote attackers to read and include arbitrary files via ".." sequences in the file parameter.
15274 CVE-2006-5856 Exec Code Overflow 2006-12-06 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Stack-based buffer overflow in the Adobe Download Manager before 2.2 allows remote attackers to execute arbitrary code via a long section name in the dm.ini file, which is populated via an AOM file.
15275 CVE-2006-5853 XSS 2006-11-09 2017-07-19
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in logon.aspx in Immediacy CMS (Immediacy .NET CMS) 5.2 allows remote attackers to inject arbitrary web script or HTML via the lang parameter, which is returned to the client in a lang cookie.
15276 CVE-2006-5846 22 Dir. Trav. 2006-11-09 2017-07-19
6.4
None Remote Low Not required Partial Partial None
Directory traversal vulnerability in index.php in FreeWebshop 2.2.2 and earlier allows remote attackers to read and include arbitrary files via a .. (dot dot) in the page parameter, a different vector than CVE-2006-5773.
15277 CVE-2006-5845 434 Exec Code 2006-11-09 2017-07-19
6.5
User Remote Low Single system Partial Partial Partial
Unrestricted file upload vulnerability in index.php in Speedywiki 2.0 allows remote authenticated users to upload and execute arbitrary PHP code by setting the upload parameter to 1.
15278 CVE-2006-5843 79 XSS 2006-11-09 2017-07-19
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in index.php in Speedywiki 2.0 allows remote attackers to inject arbitrary web script or HTML via the showRevisions parameter.
15279 CVE-2006-5830 XSS 2006-11-09 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Multiple cross-site scripting (XSS) vulnerabilities in All In One Control Panel (AIOCP) 1.3.007 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) topid, (2) forid, and (3) catid parameters to code/cp_forum_view.php; (4) choosed_language parameter to cp_dpage.php; (5) orderdir parameter to cp_links_search.php; (6) order_field parameter to (a) cp_show_ec_products.php and (b) cp_users_online.php; and the (7) signature and (8) fiscal code fields in the user profile.
15280 CVE-2006-5829 89 Exec Code Sql 2006-11-09 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in All In One Control Panel (AIOCP) 1.3.007 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) choosed_language parameter to (a) cp_dpage.php, (b) cp_news.php, (c) cp_forum_view.php, (d) cp_edit_user.php, (e) cp_newsletter.php, (f) cp_links.php, (g) cp_contact_us.php, (h) cp_login.php, and (i) cp_codice_fiscale.php in public/code/; (2) news_category parameter to public/code/cp_news.php; (3) nlmsg_nlcatid parameter to public/code/cp_newsletter.php; (4) links_category parameter to public/code/cp_links.php; (5) product_category_id parameter to public/code/cp_show_ec_products.php; (6) order_field parameter to public/code/cp_show_ec_products.php; (7) firstrow parameter to public/code/cp_users_online.php; and (8) orderdir parameter to public/code/cp_links_search.php.
15281 CVE-2006-5827 XSS 2006-11-09 2017-07-19
6.8
User Remote Medium Not required Partial Partial Partial
Multiple cross-site scripting (XSS) vulnerabilities in index.php in phpComasy CMS 0.7.9pre and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) username or (2) password parameters.
15282 CVE-2006-5811 Exec Code File Inclusion 2006-11-08 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
PHP remote file inclusion vulnerability in library/translation.inc.php in OpenEMR 2.8.1, with register_globals enabled, allows remote attackers to execute arbitrary PHP code via a URL in the GLOBALS[srcdir] parameter.
15283 CVE-2006-5810 XSS 2006-11-08 2008-09-05
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in modules/wfdownloads/newlist.php in XOOPS 1.0 allows remote attackers to inject arbitrary web script or HTML via the newdownloadshowdays parameter.
15284 CVE-2006-5799 XSS 2006-11-08 2017-07-19
6.8
User Remote Medium Not required Partial Partial Partial
Multiple cross-site scripting (XSS) vulnerabilities in default.asp in xenis.creator CMS allow remote attackers to inject arbitrary web script or HTML via the (1) contid or (2) search parameters.
15285 CVE-2006-5775 XSS 2006-11-06 2017-07-19
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in profile.php in FunkBoard 0.71 before 4 November 2006 at 18:16 GMT allows remote attackers to inject arbitrary web script or HTML, possibly via the name parameter.
15286 CVE-2006-5770 XSS 2006-11-06 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Multiple cross-site scripting (XSS) vulnerabilities in ac4p Mobile allow remote attackers to inject arbitrary web script or HTML via (1) Bloks, (2) Newnews, (3) lBlok, and (4) foooot parameter in (a) index.php; Newnews, (5) newmsgs, and Bloks parameter in (b) MobileNews.php; Newnews parameter in (c) polls.php; (6) cats parameter in (d) send.php; (7) footer parameter in (e) up.php; and (8) pagenav parameter in (f) cp/index.php.
15287 CVE-2006-5767 94 Exec Code File Inclusion 2006-11-06 2017-10-18
6.8
User Remote Medium Not required Partial Partial Partial
PHP remote file inclusion vulnerability in includes/xhtml.php in Drake CMS 0.2.2 alpha rev.846 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the d_root parameter.
15288 CVE-2006-5746 2006-11-06 2018-10-17
6.4
None Remote Low Not required Partial Partial None
The console in AirMagnet Enterprise before 7.5 build 6307 does not properly validate the Enterprise Server certificate, which allows remote attackers to read network traffic via a man-in-the-middle (MITM) attack, possibly related to the use of self-signed certificates.
15289 CVE-2006-5731 Exec Code Dir. Trav. 2006-11-06 2017-10-18
6.4
None Remote Low Not required Partial Partial None
Directory traversal vulnerability in classes/index.php in Lithium CMS 4.04c and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the siteconf[curl] parameter, as demonstrated by a POST to news/comment.php containing PHP code, which is stored under db/comments/news/ and included by classes/index.php.
15290 CVE-2006-5729 2006-11-06 2017-07-19
6.5
User Remote Low Single system Partial Partial Partial
Yazd Discussion Forum before 3.0 beta does not properly manage forum permissions, which allows remote authenticated users to (1) reply to a message in an arbitrary forum, if authorized to create a message in any forum; and (2) perform certain unauthorized forum actions, related to an "error in how the permissions were assembled" that assigns extra permissions to users.
15291 CVE-2006-5705 Dir. Trav. 2006-11-03 2008-09-05
6.0
None Remote Medium Single system Partial Partial Partial
Multiple directory traversal vulnerabilities in plugins/wp-db-backup.php in WordPress before 2.0.5 allow remote authenticated users to read or overwrite arbitrary files via directory traversal sequences in the (1) backup and (2) fragment parameters in a GET request.
15292 CVE-2006-5704 2006-11-03 2017-07-19
6.2
Admin Local High Not required Complete Complete Complete
HP NonStop Server G06.29, when running Standard Security T6533G06 before T6533G06^ABK, does not properly evaluate access permissions to OSS directories when no optional ACL entry exists, which allows local users to read arbitrary files.
15293 CVE-2006-5676 Exec Code Sql 2006-11-02 2017-10-18
6.4
None Remote Low Not required Partial Partial None
SQL injection vulnerability in consult/classement.php in Uni-Vert PhpLeague 0.82 and earlier allows remote attackers to execute arbitrary SQL commands via the champ parameter.
15294 CVE-2006-5673 Exec Code File Inclusion 2006-11-02 2017-10-18
6.8
User Remote Medium Not required Partial Partial Partial
PHP remote file inclusion vulnerability in bb_func_txt.php in miniBB 2.0.2 and earlier, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the pathToFiles parameter.
15295 CVE-2006-5661 XSS 2006-11-02 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in nquser.php in VIRtech Netquery allows remote attackers to inject arbitrary web script or HTML via the User-Agent HTTP header.
15296 CVE-2006-5647 DoS Exec Code Mem. Corr. 2006-11-01 2008-09-05
6.4
None Remote Low Not required None Partial Partial
Sophos Anti-Virus and Endpoint Security before 6.0.5, Anti-Virus for Linux before 5.0.10, and other platforms before 4.11 allows remote attackers to cause a denial of service (memory corruption) and possibly execute arbitrary code via a malformed CHM file with a large name length in the CHM chunk header, aka "CHM name length memory consumption vulnerability."
15297 CVE-2006-5643 XSS 2006-10-31 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in search_de.html in foresite CMS allows remote attackers to inject arbitrary web script or HTML via the query parameter.
15298 CVE-2006-5634 94 Exec Code File Inclusion 2006-10-31 2017-10-18
6.8
User Remote Medium Not required Partial Partial Partial
Multiple PHP remote file inclusion vulnerabilities in phpProfiles 2.1 Beta allow remote attackers to execute arbitrary PHP code via a URL in the (1) reqpath parameter to (a) body.inc.php and (b) body_blog.inc.php in users/include/; or the (2) usrinc parameter in users/include/upload_ht.inc.php.
15299 CVE-2006-5632 XSS 2006-10-31 2008-09-05
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in change_pass.php in iG Shop 1.4 allows remote attackers to inject arbitrary web script or HTML via the id parameter, a different vulnerability than CVE-2006-5631. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
15300 CVE-2006-5631 XSS 2006-10-31 2017-07-19
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in change_pass.php in iG Shop 1.4 allows remote attackers to inject arbitrary web script or HTML via arbitrary query strings when the action parameter is not "1", as demonstrated using script in the action parameter, a different vulnerability than CVE-2006-5632.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.