CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 6 and 6.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
14651 CVE-2006-6386 XSS 2006-12-07 2017-07-28
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in the CVS management/tracker 4.7.x-1.0, 4.7.x-2.0, and 4.7.0 (before the 20060807 contribution release system) for Drupal allows remote attackers to inject arbitrary web script or HTML via the motivation field in the CVS application page, which is not passed through check_markup on display.
14652 CVE-2006-6382 2006-12-07 2017-07-28
6.8
Admin Local Low Single system Complete Complete Complete
The control panel for Positive Software H-Sphere before 2.5.0 RC3 creates log files in a user's directory with insecure permissions, which allows local users to append log data to arbitrary files via a symlink attack. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information.
14653 CVE-2006-6380 XSS 2006-12-07 2017-10-18
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in index.asp in Ultimate HelpDesk allows remote attackers to inject arbitrary web script or HTML via the keyword parameter.
14654 CVE-2006-6375 XSS 2006-12-07 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in display.php in Simple Machines Forum (SMF) 1.1 Final and earlier allows remote attackers to inject arbitrary web script or HTML via the contents of a file that is uploaded with the image parameter set, which can be interpreted as script by Internet Explorer's automatic type detection.
14655 CVE-2006-6372 XSS 2006-12-07 2017-07-28
6.8
User Remote Medium Not required Partial Partial Partial
Multiple cross-site scripting (XSS) vulnerabilities in pbguestbook.php in JAB Guest Book 20061205 allow remote attackers to inject arbitrary web script or HTML via the (1) topic or (2) message parameter. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information.
14656 CVE-2006-6371 XSS 2006-12-07 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in pbguestbook.php in JAB Guest Book allows remote attackers to inject arbitrary web script or HTML via the author parameter.
14657 CVE-2006-6366 XSS 2006-12-07 2017-07-28
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in includes/elements/spellcheck/spellwin.php in Cerberus Helpdesk 0.97.3, 2.0 through 2.7, 3.2.1, and 3.3 allows remote attackers to inject arbitrary web script or HTML via the js parameter. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information.
14658 CVE-2006-6364 XSS 2006-12-07 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in error.php in Inside Systems Mail (ISMail) 2.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the error parameter.
14659 CVE-2006-6363 XSS 2006-12-07 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in admin.pl in BlueSocket Secure Controller (BSC) before 5.2, or without 5.1.1-BluePatch, allows remote attackers to inject arbitrary web script or HTML via the ad_name parameter.
14660 CVE-2006-6359 79 XSS 2006-12-07 2017-07-28
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in Stefan Frech online-bookmarks 0.6.12 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
14661 CVE-2006-6357 XSS 2006-12-06 2008-09-05
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in templates/cat_temp.php in PHPNews 1.3.0 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information.
14662 CVE-2006-6356 XSS 2006-12-06 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Multiple cross-site scripting (XSS) vulnerabilities in templates/link_temp.php in PHPNews 1.3.0 allow remote attackers to inject arbitrary web script or HTML via the (1) url, (2) id, (3) subject, (4) username, or (5) time parameter.
14663 CVE-2006-6348 XSS 2006-12-06 2018-10-17
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in board.php in mowdBB RC-6 allows remote attackers to inject arbitrary web script or HTML via the forum_name[] parameter.
14664 CVE-2006-6347 2006-12-06 2018-10-17
6.5
None Remote Low Single system Partial Partial Partial
Unrestricted file upload vulnerability in TFT-Gallery allows remote authenticated administrators to upload arbitrary .php files, possibly using admin/index.php. NOTE: this can be leveraged with CVE-2006-1412 to create a remote unauthenticated vector.
14665 CVE-2006-6343 Exec Code Sql 2006-12-06 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in polls.php in Neocrome Seditio 1.10 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter.
14666 CVE-2006-6339 Exec Code Sql 2006-12-06 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in sites/index.php in deV!L`z Clanportal (DZCP) before 1.3.6.1 allows remote attackers to execute arbitrary SQL commands via the show element in a GET request.
14667 CVE-2006-6334 Exec Code Overflow 2006-12-07 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Heap-based buffer overflow in the SendChannelData function in wfica.ocx in Citrix Presentation Server Client before 9.230 for Windows allows remote malicious web sites to execute arbitrary code via a DataSize parameter that is less than the length of the Data buffer.
14668 CVE-2006-6331 Exec Code 2006-12-06 2008-09-05
6.0
User Remote Medium Single system Partial Partial Partial
metaInfo.php in TorrentFlux 2.2, when $cfg["enable_file_priority"] is false, allows remote attackers to execute arbitrary commands via shell metacharacters (backticks) in the torrent parameter to (1) details.php and (2) startpop.php.
14669 CVE-2006-6330 Exec Code 2006-12-06 2017-10-18
6.0
User Remote Medium Single system Partial Partial Partial
index.php for TorrentFlux 2.2 allows remote registered users to execute arbitrary commands via shell metacharacters in the kill parameter.
14670 CVE-2006-6296 399 DoS 2006-12-05 2019-04-30
6.1
None Local Network Low Not required None None Complete
The RpcGetPrinterData function in the Print Spooler (spoolsv.exe) service in Microsoft Windows 2000 SP4 and earlier, and possibly Windows XP SP1 and earlier, allows remote attackers to cause a denial of service (memory consumption) via an RPC request that specifies a large 'offered' value (output buffer size), a variant of CVE-2005-3644.
14671 CVE-2006-6295 Exec Code File Inclusion 2006-12-05 2017-10-18
6.8
User Remote Medium Not required Partial Partial Partial
PHP remote file inclusion vulnerability in includes/mx_common.php in the mx_tinies 1.3.0 Module for MxBB Portal 1.06 allows remote attackers to execute arbitrary PHP code via a URL in the module_root_path parameter.
14672 CVE-2006-6291 119 DoS Overflow 2006-12-05 2018-10-17
6.8
None Remote Low Single system None None Complete
Stack overflow in the IMAP module (MEIMAPS.EXE) in MailEnable Professional 1.6 through 1.83 and 2.0 through 2.33, and MailEnable Enterprise 1.1 through 1.40 and 2.0 through 2.33, allows remote authenticated users to cause a denial of service (crash) via a long argument containing * (asterisk) and ? (question mark) characters to the DELETE command, as addressed by the ME-10020 hotfix.
14673 CVE-2006-6290 DoS Exec Code Overflow 2006-12-05 2018-10-17
6.5
User Remote Low Single system Partial Partial Partial
Multiple stack-based buffer overflows in the IMAP module (MEIMAPS.EXE) in MailEnable Professional 1.6 through 1.82 and 2.0 through 2.33, and MailEnable Enterprise 1.1 through 1.30 and 2.0 through 2.33 allow remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via a long argument to the (1) EXAMINE or (2) SELECT command.
14674 CVE-2006-6289 Exec Code 2006-12-05 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Woltlab Burning Board (wBB) Lite 1.0.2 does not properly unset variables when the input data includes a numeric parameter with a value matching an alphanumeric parameter's hash value, which allows remote attackers to execute arbitrary SQL commands via the wbb_userid parameter to the top-level URI. NOTE: it could be argued that this vulnerability is due to a bug in the unset PHP command (CVE-2006-3017) and the proper fix should be in PHP; if so, then this should not be treated as a vulnerability in wBB Lite.
14675 CVE-2006-6278 XSS 2006-12-04 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in index.php in @lex Guestbook 4.0.1 allows remote attackers to inject arbitrary web script or HTML via the skin parameter.
14676 CVE-2006-6276 XSS Bypass 2006-12-04 2017-07-28
6.8
None Remote Medium Not required Partial Partial Partial
HTTP request smuggling vulnerability in Sun Java System Proxy Server before 20061130, when used with Sun Java System Application Server or Sun Java System Web Server, allows remote attackers to bypass HTTP request filtering, hijack web sessions, perform cross-site scripting (XSS), and poison web caches via unspecified attack vectors.
14677 CVE-2006-6274 Exec Code Sql XSS 2006-12-04 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in articles.asp in Expinion.net iNews (1) Publisher (iNP) 2.5 and earlier, and possibly (2) News Manager, allows remote attackers to execute arbitrary SQL commands via the ex parameter. NOTE: early reports of this issue reported it as XSS, but this was erroneous. The original report was for News Manager, but there is strong evidence that the correct product is Publisher.
14678 CVE-2006-6272 XSS 2006-12-04 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in sp_index.php in Simple PHP Gallery 1.1 allows remote attackers to inject arbitrary web script or HTML via the dir parameter.
14679 CVE-2006-6271 XSS 2006-12-04 2018-10-17
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site scripting (XSS) vulnerabilities in PHPOLL 0.96 allow remote attackers to inject arbitrary web script or HTML via the language parameter to (1) index.php, (2) info.php; and (3) index.php, (4) votanti.php, (5) risultati_config.php, (6) modifica_band.php, (7) band_editor.php, and (8) config_editor.php in admin/.
14680 CVE-2006-6266 2006-12-04 2018-10-17
6.8
None Remote Medium Not required Partial Partial Partial
Teredo clients, when following item 6 of RFC4380 section 5.2.3, start direct IPv6 connectivity tests (aka ping tests) in response to packets from non-Teredo source addresses, which might allow remote attackers to induce Teredo clients to send packets to third parties.
14681 CVE-2006-6263 Bypass 2006-12-04 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Teredo clients, when source routing is enabled, recognize a Routing header in an encapsulated IPv6 packet and send the packet to the next hop, which might allow remote attackers to bypass policies of certain Internet gateways that drop all source-routed packets.
14682 CVE-2006-6262 Dir. Trav. 2006-12-04 2018-10-17
6.4
None Remote Low Not required Partial Partial None
Directory traversal vulnerability in mboard.php in PHPJunkYard (aka Klemen Stirn) MBoard 1.22 and earlier allows remote attackers to create arbitrary empty files via a .. (dot dot) in the orig_id parameter.
14683 CVE-2006-6257 +Info 2006-12-04 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
The file manager in AlternC 0.9.5 and earlier, when warnings are enabled in PHP, allows remote attackers to obtain sensitive information via certain folder names such as ones composed of JavaScript code, which reveal the path in a warning message.
14684 CVE-2006-6256 XSS 2006-12-04 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in the file manager in admin/bro_main.php in AlternC 0.9.5 and earlier allows remote attackers to inject arbitrary web script or HTML via a folder name.
14685 CVE-2006-6249 XSS 2006-12-04 2017-07-28
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in Chama Cargo 4.36 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
14686 CVE-2006-6242 22 Dir. Trav. 2006-12-03 2017-10-18
6.8
User Remote Medium Not required Partial Partial Partial
Multiple directory traversal vulnerabilities in Serendipity 1.0.3 and earlier allow remote attackers to read or include arbitrary local files via a .. (dot dot) sequence in the serendipity[charset] parameter in (1) include/lang.inc.php; or to plugins/ scripts (2) serendipity_event_bbcode/serendipity_event_bbcode.php, (3) serendipity_event_browsercompatibility/serendipity_event_browsercompatibility.php, (4) serendipity_event_contentrewrite/serendipity_event_contentrewrite.php, (5) serendipity_event_creativecommons/serendipity_event_creativecommons.php, (6) serendipity_event_emoticate/serendipity_event_emoticate.php, (7) serendipity_event_entryproperties/serendipity_event_entryproperties.php, (8) serendipity_event_karma/serendipity_event_karma.php, (9) serendipity_event_livesearch/serendipity_event_livesearch.php, (10) serendipity_event_mailer/serendipity_event_mailer.php, (11) serendipity_event_nl2br/serendipity_event_nl2br.php, (12) serendipity_event_s9ymarkup/serendipity_event_s9ymarkup.php, (13) serendipity_event_searchhighlight/serendipity_event_searchhighlight.php, (14) serendipity_event_spamblock/serendipity_event_spamblock.php, (15) serendipity_event_spartacus/serendipity_event_spartacus.php, (16) serendipity_event_statistics/serendipity_plugin_statistics.php, (17) serendipity_event_templatechooser/serendipity_event_templatechooser.php, (18) serendipity_event_textile/serendipity_event_textile.php, (19) serendipity_event_textwiki/serendipity_event_textwiki.php, (20) serendipity_event_trackexits/serendipity_event_trackexits.php, (21) serendipity_event_weblogping/serendipity_event_weblogping.php, (22) serendipity_event_xhtmlcleanup/serendipity_event_xhtmlcleanup.php, (23) serendipity_plugin_comments/serendipity_plugin_comments.php, (24) serendipity_plugin_creativecommons/serendipity_plugin_creativecommons.php, (25) serendipity_plugin_entrylinks/serendipity_plugin_entrylinks.php, (26) serendipity_plugin_eventwrapper/serendipity_plugin_eventwrapper.php, (27) serendipity_plugin_history/serendipity_plugin_history.php, (28) serendipity_plugin_recententries/serendipity_plugin_recententries.php, (29) serendipity_plugin_remoterss/serendipity_plugin_remoterss.php, (30) serendipity_plugin_shoutbox/serendipity_plugin_shoutbox.php, and and (31) serendipity_plugin_templatedropdown/serendipity_plugin_templatedropdown.php.
14687 CVE-2006-6228 XSS 2006-12-01 2008-09-05
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in Codewalkers ltwCalendar (aka PHP Event Calendar) before 4.2.1 allows remote attackers to inject arbitrary HTML or web script via unknown vectors.
14688 CVE-2006-6220 Exec Code Sql 2006-11-30 2017-10-18
6.8
User Remote Medium Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in Recipes Website (Recipes Complete Website) 1.1.14 allow remote attackers to execute arbitrary SQL commands via the (1) recipeid parameter to recipe.php or the (2) categoryid parameter to list.php.
14689 CVE-2006-6219 XSS 2006-11-30 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Multiple cross-site scripting (XSS) vulnerabilities in index.php in dev4u CMS allow remote attackers to inject arbitrary web script or HTML via the (1) user_name, (2) passwort, and (3) go_target parameters.
14690 CVE-2006-6211 XSS 2006-11-30 2018-10-17
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site scripting (XSS) vulnerabilities in BirdBlog 1.4.0 allow remote attackers to inject arbitrary web script or HTML via the (1) msg parameter to (a) admin/admincore.php, the (2) month parameter to (b) admin/comments.php or (c) admin/entries.php, or the (3) page parameter to (d) admin/logs.php, different vectors than CVE-2006-5064.
14691 CVE-2006-6205 XSS 2006-11-30 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Multiple cross-site scripting (XSS) vulnerabilities in result.asp in Enthrallweb eHomes allow remote attackers to inject arbitrary web script or HTML via the (1) city or (2) State parameter.
14692 CVE-2006-6198 XSS 2006-11-30 2018-10-17
6.0
User Remote Medium Single system Partial Partial Partial
Multiple cross-site scripting (XSS) vulnerabilities in cPanel WebHost Manager (WHM) 3.1.0 allow remote authenticated users to inject arbitrary web script or HTML via the (1) email parameter to (a) scripts2/dochangeemail, the (2) supporturl parameter to (b) cgi/addon_configsupport.cgi, the (3) pkg parameter to (c) scripts/editpkg, the (4) domain parameter to (d) scripts2/domts2 and (e) scripts/editzone, the (5) feature parameter to (g) scripts2/dofeaturemanager, and the (6) ndomain parameter to (h) scripts/park.
14693 CVE-2006-6197 XSS 2006-11-30 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Multiple cross-site scripting (XSS) vulnerabilities in b2evolution 1.8.2 through 1.9 beta allow remote attackers to inject arbitrary web script or HTML via the (1) app_name parameter in (a) _404_not_found.page.php, (b) _410_stats_gone.page.php, and (c) _referer_spam.page.php in inc/VIEW/errors/; the (2) baseurl parameter in (d) inc/VIEW/errors/_404_not_found.page.php; and the (3) ReqURI parameter in (e) inc/VIEW/errors/_referer_spam.page.php.
14694 CVE-2006-6196 XSS 2006-11-30 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in the search functionality in Fixit iDMS Pro Image Gallery allows remote attackers to inject arbitrary web script or HTML via a search field (txtsearchtext parameter).
14695 CVE-2006-6180 XSS 2006-11-30 2017-07-28
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in articles.asp in Expinion.net iNews Publisher (iNP) 2.5 and earlier allows remote attackers to inject arbitrary web script or HTML via the hl parameter. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information.
14696 CVE-2006-6176 XSS 2006-11-30 2017-07-28
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in admin.php in Blogn before 1.9.4 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters.
14697 CVE-2006-6169 Exec Code Overflow 2006-11-29 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Heap-based buffer overflow in the ask_outfile_name function in openfile.c for GnuPG (gpg) 1.4 and 2.0, when running interactively, might allow attackers to execute arbitrary code via messages with "C-escape" expansions, which cause the make_printable_string function to return a longer string than expected while constructing a prompt.
14698 CVE-2006-6166 XSS 2006-11-28 2008-09-05
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in jce.php in the JCE Admin Component in Ryan Demmer Joomla Content Editor (JCE) 1.0.4 for Joomla! (com_jce), without the 20060821 jce_patch, allows remote attackers to inject arbitrary web script or HTML via the mosConfig_live_site parameter.
14699 CVE-2006-6159 79 XSS 2006-11-28 2017-07-28
6.8
User Remote Medium Not required Partial Partial Partial
Multiple cross-site scripting (XSS) vulnerabilities in newticket.php in DeskPRO 2.0.0 and 2.0.1 allow remote attackers to inject arbitrary web script or HTML via the (1) message or (2) subject parameter.
14700 CVE-2006-6158 XSS 2006-11-28 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Multiple cross-site scripting (XSS) vulnerabilities in (a) PMOS Help Desk 2.4, formerly (b) InverseFlow Help Desk 2.31 and also sold as (c) Ace Helpdesk 2.31, allow remote attackers to inject arbitrary web script or HTML via the (1) id or email parameter to ticketview.php, or (2) the email parameter to ticket.php.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.