# |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
67851 |
CVE-2006-3389 |
|
|
+Info |
2006-07-06 |
2018-10-18 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
index.php in WordPress 2.0.3 allows remote attackers to obtain sensitive information, such as SQL table prefixes, via an invalid paged parameter, which displays the information in an SQL error message. NOTE: this issue has been disputed by a third party who states that the issue does not leak any target-specific information. |
67852 |
CVE-2006-3388 |
|
|
XSS |
2006-07-06 |
2018-10-18 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
Cross-site scripting (XSS) vulnerability in phpMyAdmin before 2.8.2 allows remote attackers to inject arbitrary web script or HTML via the table parameter. |
67853 |
CVE-2006-3387 |
|
|
Exec Code Dir. Trav. |
2006-07-06 |
2017-10-18 |
5.1 |
User |
Remote |
High |
Not required |
Partial |
Partial |
Partial |
Directory traversal vulnerability in sources/post.php in Fusion News 1.0, when register_globals is enabled, allows remote attackers to include arbitrary files via a .. (dot dot) sequence in the fil_config parameter, which can be used to execute PHP code that has been injected into a log file. |
67854 |
CVE-2006-3386 |
|
|
+Info |
2006-07-06 |
2018-10-18 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
index.php in Vincent Leclercq News 5.2 allows remote attackers to obtain sensitive information, such as the installation path, via a mail[] parameter with invalid values. |
67855 |
CVE-2006-3385 |
|
|
XSS |
2006-07-06 |
2018-10-18 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
Cross-site scripting (XSS) vulnerability in divers.php in Vincent Leclercq News 5.2 allows remote attackers to inject arbitrary web script or HTML via the (1) id and (2) disabled parameters. |
67856 |
CVE-2006-3384 |
|
|
Exec Code Sql |
2006-07-06 |
2018-10-18 |
5.1 |
User |
Remote |
High |
Not required |
Partial |
Partial |
Partial |
SQL injection vulnerability in divers.php in Vincent Leclercq News 5.2 allows remote attackers to execute arbitrary SQL commands via the (1) id and (2) texte parameters. |
67857 |
CVE-2006-3383 |
|
|
XSS |
2006-07-06 |
2017-07-19 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
Cross-site scripting (XSS) vulnerability in index.php in mAds 1.0 allows remote attackers to inject arbitrary web script or HTML via Javascript events such as onmouseover within a URL. NOTE: the provenance of this information is unknown; the details are obtained solely from third party reports. |
67858 |
CVE-2006-3382 |
|
|
XSS |
2006-07-06 |
2018-10-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in search.php in mAds 1.0 allows remote attackers to inject arbitrary web script or HTML via the "search string". |
67859 |
CVE-2006-3380 |
|
|
DoS |
2006-07-06 |
2008-09-05 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
Algorithmic complexity vulnerability in FreeStyle Wiki before 3.6.2 allows remote attackers to cause a denial of service (CPU consumption) by performing a diff between large, crafted pages that trigger the worst case. |
67860 |
CVE-2006-3379 |
|
|
DoS |
2006-07-06 |
2017-07-19 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
Algorithmic complexity vulnerability in Hiki Wiki 0.6.0 through 0.6.5 and 0.8.0 through 0.8.5 allows remote attackers to cause a denial of service (CPU consumption) by performing a diff between large, crafted pages that trigger the worst case. |
67861 |
CVE-2006-3377 |
|
|
XSS |
2006-07-06 |
2018-10-18 |
4.0 |
None |
Remote |
High |
Not required |
Partial |
Partial |
None |
Cross-site scripting (XSS) vulnerability in JMB Software AutoRank PHP 3.02 and earlier, and AutoRank Pro 5.01 and earlier, allows remote attackers to inject arbitrary web script or HTML via the (1) Keyword parameter in search.php and the (2) Username parameter in main.cgi. |
67862 |
CVE-2006-3373 |
|
|
|
2006-07-06 |
2018-10-18 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
Unspecified vulnerability in the client/bin/logfetch script in Hobbit 4.2-beta allows local users to read arbitrary files, related to logfetch running as setuid root. |
67863 |
CVE-2006-3372 |
|
|
DoS |
2006-07-06 |
2017-07-19 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
Apple Safari 2.0.4/419.3 allows remote attackers to cause a denial of service (application crash) via a DHTML setAttributeNode function call with zero arguments, which triggers a null dereference. |
67864 |
CVE-2006-3371 |
|
|
+Info |
2006-07-06 |
2018-10-18 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
Eupla Foros 1.0 stores the inc/config.inc file under the web document root with insufficient access control, which allows remote attackers to obtain sensitive information, including the database configuration. |
67865 |
CVE-2006-3370 |
|
|
+Info |
2006-07-06 |
2018-10-18 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
Blueboy 1.0.3 stores bb_news_config.inc under the web document root with insufficient access control, which allows remote attackers to obtain sensitive information, including the database configuration. |
67866 |
CVE-2006-3369 |
|
|
+Info |
2006-07-06 |
2018-10-18 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
Kamikaze-QSCM 0.1 stores config.inc under the web document root with insufficient access control, which allows remote attackers to obtain sensitive information, including the database configuration. |
67867 |
CVE-2006-3368 |
|
|
+Info |
2006-07-06 |
2018-10-18 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
Efone 20000723 stores config.inc under the web document root with insufficient access control, which allows remote attackers to obtain sensitive information. |
67868 |
CVE-2006-3367 |
|
|
+Info |
2006-07-06 |
2018-10-18 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
Mp3 JudeBox Server (Mp3NetBox) Beta 1 stores config.inc under the web document root with insufficient access control, which allows remote attackers to obtain sensitive information, including the database configuration. |
67869 |
CVE-2006-3366 |
|
|
XSS |
2006-07-06 |
2018-10-18 |
2.6 |
None |
Remote |
High |
Not required |
None |
Partial |
None |
Multiple cross-site scripting (XSS) vulnerabilities in V3 Chat allow remote attackers to inject arbitrary web script or HTML via crafted HTML tags, as demonstrated by the IMG tag, in the (1) id parameter in (a) mail/index.php and (b) mail/reply.php; (2) login_id parameter in (c) members/is_online.php; (3) site_id parameter in (d) messenger/online.php, (e) messenger/search.php, and (f) messenger/profile.php; (4) contact_name parameter in messenger/search.php; (5) membername parameter in (g) messenger/profileview.php; (6) unspecified parameters used when "editing a profile"; and (7) cust_name parameter in (h) messenger/expire.php. NOTE: The vendor disputes the vectors involving files in the messenger directory, stating "... the referenced folder 'messenger' was never available to the general public...". |
67870 |
CVE-2006-3365 |
200 |
|
+Info |
2006-07-06 |
2018-10-18 |
2.6 |
None |
Remote |
High |
Not required |
Partial |
None |
None |
V3 Chat allows remote attackers to obtain the installation path via (1) an invalid id parameter to mail/index.php or (2) membername parameter to messenger/online.php, which displays the path in an error page due to an incorrect SQL statement. |
67871 |
CVE-2006-3363 |
|
|
Exec Code File Inclusion |
2006-07-06 |
2018-10-18 |
5.1 |
User |
Remote |
High |
Not required |
Partial |
Partial |
Partial |
PHP remote file inclusion vulnerability in index.php in the Glossaire module 1.7 for Xoops allows remote attackers to execute arbitrary PHP code via a URL in the pa parameter. |
67872 |
CVE-2006-3362 |
|
|
Exec Code |
2006-07-06 |
2018-10-18 |
5.1 |
User |
Remote |
High |
Not required |
Partial |
Partial |
Partial |
Unrestricted file upload vulnerability in connectors/php/connector.php in FCKeditor mcpuk file manager, as used in (1) Geeklog 1.4.0 through 1.4.0sr3, (2) toendaCMS 1.0.0 Shizouka Stable and earlier, (3) WeBid 0.5.4, and possibly other products, when installed on Apache with mod_mime, allows remote attackers to upload and execute arbitrary PHP code via a filename with a .php extension and a trailing extension that is allowed, such as .zip. |
67873 |
CVE-2006-3361 |
|
|
Exec Code File Inclusion |
2006-07-06 |
2017-07-19 |
5.1 |
User |
Remote |
High |
Not required |
Partial |
Partial |
Partial |
PHP remote file inclusion vulnerability in Stud.IP 1.3.0-2 and earlier, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via the (1) _PHPLIB[libdir] parameter in studip-phplib/oohforms.inc and (2) ABSOLUTE_PATH_STUDIP parameter in studip-htdocs/archiv_assi.php. |
67874 |
CVE-2006-3360 |
|
|
Dir. Trav. |
2006-07-06 |
2017-07-19 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
Directory traversal vulnerability in index.php in phpSysInfo 2.5.1 allows remote attackers to determine the existence of arbitrary files via a .. (dot dot) sequence and a trailing null (%00) byte in the lng parameter, which will display a different error message if the file exists. |
67875 |
CVE-2006-3358 |
|
|
Sql XSS |
2006-07-06 |
2018-10-18 |
6.8 |
User |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
Multiple cross-site scripting (XSS) vulnerabilities in index.php in NewsPHP 2006 PRO allow remote attackers to inject arbitrary web script or HTML via the (1) words, (2) id, (3) cat_id, and (4) tim parameters, which are not sanitized before being returned in an error page. NOTE: it is possible that some of these vectors are resultant from an SQL injection issue. |
67876 |
CVE-2006-3356 |
|
|
DoS |
2006-07-06 |
2017-07-19 |
2.6 |
None |
Remote |
High |
Not required |
None |
None |
Partial |
The TIFFFetchAnyArray function in ImageIO in Apple OS X 10.4.7 and earlier allows remote user-assisted attackers to cause a denial of service (application crash) via an invalid tag value in a TIFF image, possibly triggering a null dereference. NOTE: This is a different issue than CVE-2006-1469. |
67877 |
CVE-2006-3354 |
|
|
DoS |
2006-07-05 |
2017-07-19 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
Microsoft Internet Explorer 6 allows remote attackers to cause a denial of service (crash) by setting the Filter property of an ADODB.Recordset ActiveX object to certain values multiple times, which triggers a null dereference. |
67878 |
CVE-2006-3353 |
|
|
DoS |
2006-07-05 |
2018-10-18 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
Opera 9 allows remote attackers to cause a denial of service (crash) via a crafted web page that triggers an out-of-bounds memory access, related to an iframe and JavaScript that accesses certain style sheets properties. |
67879 |
CVE-2006-3352 |
|
|
|
2006-07-05 |
2018-10-18 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
None |
** DISPUTED ** Cross-domain vulnerability in Mozilla Firefox allows remote attackers to access restricted information from other domains via an object tag with a data parameter that references a link on the attacker's originating site that specifies a Location HTTP header that references the target site, which then makes that content available through the outerHTML attribute of the object. NOTE: this description was based on a report that has since been retracted by the original authors. The authors misinterpreted their test results. Other third parties also disputed the original report. Therefore, this is not a vulnerability. It is being assigned a candidate number to provide a clear indication of its status. |
67880 |
CVE-2006-3351 |
|
|
DoS Exec Code Overflow |
2006-07-05 |
2018-10-18 |
5.4 |
None |
Remote |
High |
Not required |
None |
None |
Complete |
Buffer overflow in Windows Explorer (explorer.exe) on Windows XP and 2003 allows user-assisted attackers to cause a denial of service (repeated crash) and possibly execute arbitrary code via a .url file with an InternetShortcut tag containing a long URL and a large number of "file:" specifiers. |
67881 |
CVE-2006-3350 |
|
|
Exec Code Overflow |
2006-07-27 |
2018-10-18 |
5.1 |
User |
Remote |
High |
Not required |
Partial |
Partial |
Partial |
Stack-based buffer overflow in AutoVue SolidModel Professional Desktop Edition 19.1 Build 5993 allows user-assisted remote attackers to execute arbitrary code via a long filename in a (1) ARJ, (2) RAR, or (3) ZIP archive. |
67882 |
CVE-2006-3345 |
|
|
XSS |
2006-07-03 |
2018-10-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in AliPAGER, possibly 1.5 and earlier, allows remote attackers to inject arbitrary web script or HTML via a chat line. |
67883 |
CVE-2006-3342 |
|
|
XSS |
2006-07-03 |
2017-07-19 |
2.6 |
None |
Remote |
High |
Not required |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in index.php in Arctic 1.0.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the query parameter in a search cmd. |
67884 |
CVE-2006-3340 |
|
|
Exec Code File Inclusion |
2006-07-03 |
2017-10-18 |
5.1 |
User |
Remote |
High |
Not required |
Partial |
Partial |
Partial |
Multiple PHP remote file inclusion vulnerabilities in Pearl For Mambo module 1.6 for Mambo, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via the (1) phpbb_root_path parameter in (a) includes/functions_cms.php and the (2) GlobalSettings[templatesDirectory] parameter in multiple files in the "includes" directory including (b) adminSensored.php, (c) adminBoards.php, (d) adminAttachments.php, (e) adminAvatars.php, (f) adminBackupdatabase.php, (g) adminBanned.php, (h) adminForums.php, (i) adminPolls.php, (j) adminSmileys.php, (k) poll.php, and (l) move.php. |
67885 |
CVE-2006-3339 |
|
|
+Info |
2006-07-03 |
2017-07-19 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
secure/ConfigureReleaseNote.jspa in Atlassian JIRA 3.6.2-#156 allows remote attackers to obtain sensitive information via unspecified manipulations of the projectId parameter, which displays the installation path and other system information in an error message. |
67886 |
CVE-2006-3338 |
|
|
XSS |
2006-07-03 |
2017-07-19 |
2.6 |
None |
Remote |
High |
Not required |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in Atlassian JIRA 3.6.2-#156 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors in a direct request to secure/ConfigureReleaseNote.jspa, which are not sanitized before being returned in an error page. |
67887 |
CVE-2006-3337 |
|
|
XSS |
2006-07-03 |
2018-10-18 |
2.6 |
None |
Remote |
High |
Not required |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in frontend/x/files/select.html in cPanel 10.8.2-CURRENT 118 and earlier allows remote attackers to inject arbitrary web script or HTML via the file parameter. |
67888 |
CVE-2006-3336 |
|
|
Exec Code Bypass |
2006-07-05 |
2008-09-05 |
4.0 |
None |
Remote |
High |
Not required |
Partial |
Partial |
None |
TWiki 01-Dec-2000 up to 4.0.3 allows remote attackers to bypass the upload filter and execute arbitrary code via filenames with double extensions such as ".php.en", ".php.1", and other allowed extensions that are not .txt. NOTE: this is only a vulnerability when the server allows script execution in the pub directory. |
67889 |
CVE-2006-3333 |
|
|
Sql XSS |
2006-06-30 |
2017-07-19 |
2.6 |
None |
Remote |
High |
Not required |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in index.php in Zorum Forum 3.5 allows remote attackers to inject web script or HTML via the multiple unspecified parameters, including the (1) frommethod, (2) list, and (3) method, which are reflected in an error message. NOTE: some of these vectors might be resultant from SQL injection. |
67890 |
CVE-2006-3331 |
|
|
|
2006-06-30 |
2018-10-18 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
Opera before 9.0 does not reset the SSL security bar after displaying a download dialog from an SSL-enabled website, which allows remote attackers to spoof a trusted SSL certificate from an untrusted website and facilitates phishing attacks. |
67891 |
CVE-2006-3330 |
|
|
Exec Code XSS |
2006-06-30 |
2018-10-18 |
6.8 |
User |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
Cross-site scripting (XSS) vulnerability in AddAsset1.php in PHP/MySQL Classifieds (PHP Classifieds) allows remote attackers to execute arbitrary SQL commands via the (1) ProductName ("Title" field), (2) url, and (3) Description parameters, possibly related to issues in add1.php. |
67892 |
CVE-2006-3328 |
|
|
XSS |
2006-06-30 |
2017-07-19 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
new_ticket.cgi in Hostflow 2.2.1-15 allows remote attackers to steal and replay authentication credentials via an IMG tag in the desc parameter ("Ticket Description" field) that points to a URL that captures referer URLs, possibly due to a cross-site scripting (XSS) vulnerability or a leak of credentials in referer URLs. |
67893 |
CVE-2006-3327 |
|
|
XSS |
2006-06-30 |
2017-07-19 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in Custom dating biz dating script 1.0 allows remote attackers to inject arbitrary web script or HTML via the (1) sn20_special_cases parameter ("Special Cases" field) in profile/mini.php, (2) tyxx01_album_name parameter ("Album Name" field) in profile/photo_create.php, and the (3) u parameter in admin/user_view.php. |
67894 |
CVE-2006-3326 |
|
|
Dir. Trav. |
2006-06-30 |
2017-07-19 |
2.6 |
None |
Remote |
High |
Not required |
None |
Partial |
None |
Directory traversal vulnerability in QuickZip 3.06.3 allows remote user-assisted attackers to overwrite arbitrary files or directories via .. (dot dot) sequences in filenames within (1) TAR,(2) GZ, and (3) JAR archives. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. |
67895 |
CVE-2006-3325 |
|
|
|
2006-06-30 |
2018-10-18 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
client/cl_parse.c in the id3 Quake 3 Engine 1.32c and the Icculus Quake 3 Engine (ioquake3) revision 810 and earlier allows remote malicious servers to overwrite arbitrary write-protected cvars variables on the client, such as cl_allowdownload for Automatic Downloading and fs_homepath for the quake3 path, via a string of cvar names and values sent from the server. NOTE: this can be combined with another vulnerability to overwrite arbitrary files. |
67896 |
CVE-2006-3324 |
|
|
|
2006-06-30 |
2018-10-18 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
The Automatic Downloading option in the id3 Quake 3 Engine and the Icculus Quake 3 Engine (ioquake3) before revision 804 allows remote attackers to overwrite arbitrary files in the quake3 directory (fs_homepath cvar) via a long string of filenames, as contained in the neededpaks buffer. |
67897 |
CVE-2006-3322 |
|
|
Exec Code Sql |
2006-06-30 |
2018-10-18 |
5.1 |
User |
Remote |
High |
Not required |
Partial |
Partial |
Partial |
SQL injection vulnerability in includes/functions_logging.php in phpRaid 3.0.5, and possibly other versions, allows remote attackers to execute arbitrary SQL commands via the log_hack function. |
67898 |
CVE-2006-3321 |
|
|
XSS |
2006-06-30 |
2017-07-19 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Multiple cross-site scripting (XSS) vulnerabilities in openforum.asp in OpenForum 1.2 Beta and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) ofdisp and (2) ofmsgid parameters. |
67899 |
CVE-2006-3320 |
|
|
XSS |
2006-06-29 |
2018-10-18 |
2.6 |
None |
Remote |
High |
Not required |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in command.php in SiteBar 3.3.8 and earlier allows remote attackers to inject arbitrary web script or HTML via the command parameter. |
67900 |
CVE-2006-3319 |
|
|
XSS |
2006-06-29 |
2018-10-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in rss/index.php in PHP iCalendar 2.22 and earlier allows remote attackers to inject arbitrary web script or HTML via the cal parameter. |