CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 6 and 6.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
14601 CVE-2006-6400 119 Exec Code Overflow 2006-12-09 2008-09-05
6.8
User Remote Medium Not required Partial Partial Partial
Buffer overflow in JustSystems Hanako 2004 through 2006, Hanako viewer 1.x, Ichitaro 2004, Ichitaro 2005, Ichitaro Lite2, Ichitaro viewer 4.x, and Sanshiro 2005 allows remote attackers to execute arbitrary code via the (1) Keyword and (2) Title fields, related to string length fields.
14602 CVE-2006-6393 XSS 2006-12-07 2017-07-28
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in Jonas Gauffin Publicera 1.0-rc2 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to the InputFilter::getString function.
14603 CVE-2006-6391 Dir. Trav. 2006-12-07 2008-09-05
6.8
User Remote Medium Not required Partial Partial Partial
Multiple directory traversal vulnerabilities in Open Solution Quick.Cart 2.0, when register_globals is enabled and magic_quotes_gpc is disabled, allow remote attackers to include arbitrary files via a .. (dot dot) in the config[db_type] parameter to (1) actions_admin/other.php and (2) actions_client/gallery.php. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information.
14604 CVE-2006-6390 Dir. Trav. 2006-12-07 2017-10-18
6.8
User Remote Medium Not required Partial Partial Partial
Multiple directory traversal vulnerabilities in Open Solution Quick.Cart 2.0, when register_globals is enabled and magic_quotes_gpc is disabled, allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the config[db_type] parameter to (1) categories.php, (2) couriers.php, (3) orders.php, and (4) products.php in actions_admin/; and (5) orders.php and (6) products.php in actions_client/; as demonstrated by injecting PHP sequences into an Apache HTTP Server log file, which is then included by one of these PHP scripts.
14605 CVE-2006-6389 XSS 2006-12-07 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Multiple cross-site scripting (XSS) vulnerabilities in ac4p Mobile allow remote attackers to inject arbitrary web script or HTML via the (1) Taaa parameter to (a) up.php, or the (2) pollhtml and (3) Bloks parameters to (b) polls.php, different vectors than CVE-2006-5770.
14606 CVE-2006-6388 XSS 2006-12-07 2017-07-28
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in naprednaPretraga.php in LINK Content Management Server (CMS) allows remote attackers to inject arbitrary web script or HTML via the txtPretraga parameter. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information.
14607 CVE-2006-6386 XSS 2006-12-07 2017-07-28
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in the CVS management/tracker 4.7.x-1.0, 4.7.x-2.0, and 4.7.0 (before the 20060807 contribution release system) for Drupal allows remote attackers to inject arbitrary web script or HTML via the motivation field in the CVS application page, which is not passed through check_markup on display.
14608 CVE-2006-6382 2006-12-07 2017-07-28
6.8
Admin Local Low Single system Complete Complete Complete
The control panel for Positive Software H-Sphere before 2.5.0 RC3 creates log files in a user's directory with insecure permissions, which allows local users to append log data to arbitrary files via a symlink attack. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information.
14609 CVE-2006-6380 XSS 2006-12-07 2017-10-18
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in index.asp in Ultimate HelpDesk allows remote attackers to inject arbitrary web script or HTML via the keyword parameter.
14610 CVE-2006-6375 XSS 2006-12-07 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in display.php in Simple Machines Forum (SMF) 1.1 Final and earlier allows remote attackers to inject arbitrary web script or HTML via the contents of a file that is uploaded with the image parameter set, which can be interpreted as script by Internet Explorer's automatic type detection.
14611 CVE-2006-6372 XSS 2006-12-07 2017-07-28
6.8
User Remote Medium Not required Partial Partial Partial
Multiple cross-site scripting (XSS) vulnerabilities in pbguestbook.php in JAB Guest Book 20061205 allow remote attackers to inject arbitrary web script or HTML via the (1) topic or (2) message parameter. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information.
14612 CVE-2006-6371 XSS 2006-12-07 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in pbguestbook.php in JAB Guest Book allows remote attackers to inject arbitrary web script or HTML via the author parameter.
14613 CVE-2006-6366 XSS 2006-12-07 2017-07-28
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in includes/elements/spellcheck/spellwin.php in Cerberus Helpdesk 0.97.3, 2.0 through 2.7, 3.2.1, and 3.3 allows remote attackers to inject arbitrary web script or HTML via the js parameter. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information.
14614 CVE-2006-6364 XSS 2006-12-07 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in error.php in Inside Systems Mail (ISMail) 2.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the error parameter.
14615 CVE-2006-6363 XSS 2006-12-07 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in admin.pl in BlueSocket Secure Controller (BSC) before 5.2, or without 5.1.1-BluePatch, allows remote attackers to inject arbitrary web script or HTML via the ad_name parameter.
14616 CVE-2006-6359 79 XSS 2006-12-07 2017-07-28
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in Stefan Frech online-bookmarks 0.6.12 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
14617 CVE-2006-6357 XSS 2006-12-06 2008-09-05
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in templates/cat_temp.php in PHPNews 1.3.0 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information.
14618 CVE-2006-6356 XSS 2006-12-06 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Multiple cross-site scripting (XSS) vulnerabilities in templates/link_temp.php in PHPNews 1.3.0 allow remote attackers to inject arbitrary web script or HTML via the (1) url, (2) id, (3) subject, (4) username, or (5) time parameter.
14619 CVE-2006-6348 XSS 2006-12-06 2018-10-17
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in board.php in mowdBB RC-6 allows remote attackers to inject arbitrary web script or HTML via the forum_name[] parameter.
14620 CVE-2006-6347 2006-12-06 2018-10-17
6.5
None Remote Low Single system Partial Partial Partial
Unrestricted file upload vulnerability in TFT-Gallery allows remote authenticated administrators to upload arbitrary .php files, possibly using admin/index.php. NOTE: this can be leveraged with CVE-2006-1412 to create a remote unauthenticated vector.
14621 CVE-2006-6343 Exec Code Sql 2006-12-06 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in polls.php in Neocrome Seditio 1.10 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter.
14622 CVE-2006-6339 Exec Code Sql 2006-12-06 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in sites/index.php in deV!L`z Clanportal (DZCP) before 1.3.6.1 allows remote attackers to execute arbitrary SQL commands via the show element in a GET request.
14623 CVE-2006-6334 Exec Code Overflow 2006-12-07 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Heap-based buffer overflow in the SendChannelData function in wfica.ocx in Citrix Presentation Server Client before 9.230 for Windows allows remote malicious web sites to execute arbitrary code via a DataSize parameter that is less than the length of the Data buffer.
14624 CVE-2006-6331 Exec Code 2006-12-06 2008-09-05
6.0
User Remote Medium Single system Partial Partial Partial
metaInfo.php in TorrentFlux 2.2, when $cfg["enable_file_priority"] is false, allows remote attackers to execute arbitrary commands via shell metacharacters (backticks) in the torrent parameter to (1) details.php and (2) startpop.php.
14625 CVE-2006-6330 Exec Code 2006-12-06 2017-10-18
6.0
User Remote Medium Single system Partial Partial Partial
index.php for TorrentFlux 2.2 allows remote registered users to execute arbitrary commands via shell metacharacters in the kill parameter.
14626 CVE-2006-6296 399 DoS 2006-12-05 2019-04-30
6.1
None Local Network Low Not required None None Complete
The RpcGetPrinterData function in the Print Spooler (spoolsv.exe) service in Microsoft Windows 2000 SP4 and earlier, and possibly Windows XP SP1 and earlier, allows remote attackers to cause a denial of service (memory consumption) via an RPC request that specifies a large 'offered' value (output buffer size), a variant of CVE-2005-3644.
14627 CVE-2006-6295 Exec Code File Inclusion 2006-12-05 2017-10-18
6.8
User Remote Medium Not required Partial Partial Partial
PHP remote file inclusion vulnerability in includes/mx_common.php in the mx_tinies 1.3.0 Module for MxBB Portal 1.06 allows remote attackers to execute arbitrary PHP code via a URL in the module_root_path parameter.
14628 CVE-2006-6291 119 DoS Overflow 2006-12-05 2018-10-17
6.8
None Remote Low Single system None None Complete
Stack overflow in the IMAP module (MEIMAPS.EXE) in MailEnable Professional 1.6 through 1.83 and 2.0 through 2.33, and MailEnable Enterprise 1.1 through 1.40 and 2.0 through 2.33, allows remote authenticated users to cause a denial of service (crash) via a long argument containing * (asterisk) and ? (question mark) characters to the DELETE command, as addressed by the ME-10020 hotfix.
14629 CVE-2006-6290 DoS Exec Code Overflow 2006-12-05 2018-10-17
6.5
User Remote Low Single system Partial Partial Partial
Multiple stack-based buffer overflows in the IMAP module (MEIMAPS.EXE) in MailEnable Professional 1.6 through 1.82 and 2.0 through 2.33, and MailEnable Enterprise 1.1 through 1.30 and 2.0 through 2.33 allow remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via a long argument to the (1) EXAMINE or (2) SELECT command.
14630 CVE-2006-6289 Exec Code 2006-12-05 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Woltlab Burning Board (wBB) Lite 1.0.2 does not properly unset variables when the input data includes a numeric parameter with a value matching an alphanumeric parameter's hash value, which allows remote attackers to execute arbitrary SQL commands via the wbb_userid parameter to the top-level URI. NOTE: it could be argued that this vulnerability is due to a bug in the unset PHP command (CVE-2006-3017) and the proper fix should be in PHP; if so, then this should not be treated as a vulnerability in wBB Lite.
14631 CVE-2006-6278 XSS 2006-12-04 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in index.php in @lex Guestbook 4.0.1 allows remote attackers to inject arbitrary web script or HTML via the skin parameter.
14632 CVE-2006-6276 XSS Bypass 2006-12-04 2017-07-28
6.8
None Remote Medium Not required Partial Partial Partial
HTTP request smuggling vulnerability in Sun Java System Proxy Server before 20061130, when used with Sun Java System Application Server or Sun Java System Web Server, allows remote attackers to bypass HTTP request filtering, hijack web sessions, perform cross-site scripting (XSS), and poison web caches via unspecified attack vectors.
14633 CVE-2006-6274 Exec Code Sql XSS 2006-12-04 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in articles.asp in Expinion.net iNews (1) Publisher (iNP) 2.5 and earlier, and possibly (2) News Manager, allows remote attackers to execute arbitrary SQL commands via the ex parameter. NOTE: early reports of this issue reported it as XSS, but this was erroneous. The original report was for News Manager, but there is strong evidence that the correct product is Publisher.
14634 CVE-2006-6272 XSS 2006-12-04 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in sp_index.php in Simple PHP Gallery 1.1 allows remote attackers to inject arbitrary web script or HTML via the dir parameter.
14635 CVE-2006-6271 XSS 2006-12-04 2018-10-17
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site scripting (XSS) vulnerabilities in PHPOLL 0.96 allow remote attackers to inject arbitrary web script or HTML via the language parameter to (1) index.php, (2) info.php; and (3) index.php, (4) votanti.php, (5) risultati_config.php, (6) modifica_band.php, (7) band_editor.php, and (8) config_editor.php in admin/.
14636 CVE-2006-6266 2006-12-04 2018-10-17
6.8
None Remote Medium Not required Partial Partial Partial
Teredo clients, when following item 6 of RFC4380 section 5.2.3, start direct IPv6 connectivity tests (aka ping tests) in response to packets from non-Teredo source addresses, which might allow remote attackers to induce Teredo clients to send packets to third parties.
14637 CVE-2006-6263 Bypass 2006-12-04 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Teredo clients, when source routing is enabled, recognize a Routing header in an encapsulated IPv6 packet and send the packet to the next hop, which might allow remote attackers to bypass policies of certain Internet gateways that drop all source-routed packets.
14638 CVE-2006-6262 Dir. Trav. 2006-12-04 2018-10-17
6.4
None Remote Low Not required Partial Partial None
Directory traversal vulnerability in mboard.php in PHPJunkYard (aka Klemen Stirn) MBoard 1.22 and earlier allows remote attackers to create arbitrary empty files via a .. (dot dot) in the orig_id parameter.
14639 CVE-2006-6257 +Info 2006-12-04 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
The file manager in AlternC 0.9.5 and earlier, when warnings are enabled in PHP, allows remote attackers to obtain sensitive information via certain folder names such as ones composed of JavaScript code, which reveal the path in a warning message.
14640 CVE-2006-6256 XSS 2006-12-04 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in the file manager in admin/bro_main.php in AlternC 0.9.5 and earlier allows remote attackers to inject arbitrary web script or HTML via a folder name.
14641 CVE-2006-6249 XSS 2006-12-04 2017-07-28
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in Chama Cargo 4.36 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
14642 CVE-2006-6242 22 Dir. Trav. 2006-12-03 2017-10-18
6.8
User Remote Medium Not required Partial Partial Partial
Multiple directory traversal vulnerabilities in Serendipity 1.0.3 and earlier allow remote attackers to read or include arbitrary local files via a .. (dot dot) sequence in the serendipity[charset] parameter in (1) include/lang.inc.php; or to plugins/ scripts (2) serendipity_event_bbcode/serendipity_event_bbcode.php, (3) serendipity_event_browsercompatibility/serendipity_event_browsercompatibility.php, (4) serendipity_event_contentrewrite/serendipity_event_contentrewrite.php, (5) serendipity_event_creativecommons/serendipity_event_creativecommons.php, (6) serendipity_event_emoticate/serendipity_event_emoticate.php, (7) serendipity_event_entryproperties/serendipity_event_entryproperties.php, (8) serendipity_event_karma/serendipity_event_karma.php, (9) serendipity_event_livesearch/serendipity_event_livesearch.php, (10) serendipity_event_mailer/serendipity_event_mailer.php, (11) serendipity_event_nl2br/serendipity_event_nl2br.php, (12) serendipity_event_s9ymarkup/serendipity_event_s9ymarkup.php, (13) serendipity_event_searchhighlight/serendipity_event_searchhighlight.php, (14) serendipity_event_spamblock/serendipity_event_spamblock.php, (15) serendipity_event_spartacus/serendipity_event_spartacus.php, (16) serendipity_event_statistics/serendipity_plugin_statistics.php, (17) serendipity_event_templatechooser/serendipity_event_templatechooser.php, (18) serendipity_event_textile/serendipity_event_textile.php, (19) serendipity_event_textwiki/serendipity_event_textwiki.php, (20) serendipity_event_trackexits/serendipity_event_trackexits.php, (21) serendipity_event_weblogping/serendipity_event_weblogping.php, (22) serendipity_event_xhtmlcleanup/serendipity_event_xhtmlcleanup.php, (23) serendipity_plugin_comments/serendipity_plugin_comments.php, (24) serendipity_plugin_creativecommons/serendipity_plugin_creativecommons.php, (25) serendipity_plugin_entrylinks/serendipity_plugin_entrylinks.php, (26) serendipity_plugin_eventwrapper/serendipity_plugin_eventwrapper.php, (27) serendipity_plugin_history/serendipity_plugin_history.php, (28) serendipity_plugin_recententries/serendipity_plugin_recententries.php, (29) serendipity_plugin_remoterss/serendipity_plugin_remoterss.php, (30) serendipity_plugin_shoutbox/serendipity_plugin_shoutbox.php, and and (31) serendipity_plugin_templatedropdown/serendipity_plugin_templatedropdown.php.
14643 CVE-2006-6228 XSS 2006-12-01 2008-09-05
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in Codewalkers ltwCalendar (aka PHP Event Calendar) before 4.2.1 allows remote attackers to inject arbitrary HTML or web script via unknown vectors.
14644 CVE-2006-6220 Exec Code Sql 2006-11-30 2017-10-18
6.8
User Remote Medium Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in Recipes Website (Recipes Complete Website) 1.1.14 allow remote attackers to execute arbitrary SQL commands via the (1) recipeid parameter to recipe.php or the (2) categoryid parameter to list.php.
14645 CVE-2006-6219 XSS 2006-11-30 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Multiple cross-site scripting (XSS) vulnerabilities in index.php in dev4u CMS allow remote attackers to inject arbitrary web script or HTML via the (1) user_name, (2) passwort, and (3) go_target parameters.
14646 CVE-2006-6211 XSS 2006-11-30 2018-10-17
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site scripting (XSS) vulnerabilities in BirdBlog 1.4.0 allow remote attackers to inject arbitrary web script or HTML via the (1) msg parameter to (a) admin/admincore.php, the (2) month parameter to (b) admin/comments.php or (c) admin/entries.php, or the (3) page parameter to (d) admin/logs.php, different vectors than CVE-2006-5064.
14647 CVE-2006-6205 XSS 2006-11-30 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Multiple cross-site scripting (XSS) vulnerabilities in result.asp in Enthrallweb eHomes allow remote attackers to inject arbitrary web script or HTML via the (1) city or (2) State parameter.
14648 CVE-2006-6198 XSS 2006-11-30 2018-10-17
6.0
User Remote Medium Single system Partial Partial Partial
Multiple cross-site scripting (XSS) vulnerabilities in cPanel WebHost Manager (WHM) 3.1.0 allow remote authenticated users to inject arbitrary web script or HTML via the (1) email parameter to (a) scripts2/dochangeemail, the (2) supporturl parameter to (b) cgi/addon_configsupport.cgi, the (3) pkg parameter to (c) scripts/editpkg, the (4) domain parameter to (d) scripts2/domts2 and (e) scripts/editzone, the (5) feature parameter to (g) scripts2/dofeaturemanager, and the (6) ndomain parameter to (h) scripts/park.
14649 CVE-2006-6197 XSS 2006-11-30 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Multiple cross-site scripting (XSS) vulnerabilities in b2evolution 1.8.2 through 1.9 beta allow remote attackers to inject arbitrary web script or HTML via the (1) app_name parameter in (a) _404_not_found.page.php, (b) _410_stats_gone.page.php, and (c) _referer_spam.page.php in inc/VIEW/errors/; the (2) baseurl parameter in (d) inc/VIEW/errors/_404_not_found.page.php; and the (3) ReqURI parameter in (e) inc/VIEW/errors/_referer_spam.page.php.
14650 CVE-2006-6196 XSS 2006-11-30 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in the search functionality in Fixit iDMS Pro Image Gallery allows remote attackers to inject arbitrary web script or HTML via a search field (txtsearchtext parameter).
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.