CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 6 and 6.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
14901 CVE-2006-6043 Exec Code File Inclusion 2006-11-21 2017-07-19
6.8
User Remote Medium Not required Partial Partial Partial
PHP file inclusion vulnerability in loginform-inc.php in Oliver (formerly Webshare) 1.2.2 and earlier, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a UNC share pathname or a local file pathname in the conf[motdfile] parameter, which is accessed by the file_exists function.
14902 CVE-2006-6042 Exec Code File Inclusion 2006-11-21 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
PHP remote file inclusion vulnerability in core/editor.php in phpWebThings 1.5.2 and earlier, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the editor_insert_bottom parameter.
14903 CVE-2006-6040 XSS 2006-11-21 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Multiple cross-site scripting (XSS) vulnerabilities in admincp/index.php in Jelsoft vBulletin 3.6.x allow remote attackers to inject arbitrary web script or HTML via (1) the prefs parameter in a buildnavprefs action or (2) the navprefs parameter in a savenavprefs action.
14904 CVE-2006-6037 79 XSS 2006-11-21 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Multiple cross-site scripting (XSS) vulnerabilities in index.php in Dan Jensen Travelsized CMS 0.4.1 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) page, (2) page_id, or (3) language parameter.
14905 CVE-2006-6035 79 XSS 2006-11-21 2017-07-19
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in list.php in BLOG:CMS 4.1.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the FADDR parameter.
14906 CVE-2006-6032 XSS 2006-11-21 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Multiple cross-site scripting (XSS) vulnerabilities in Simple PHP Blog (SPHPBlog), probably 0.4.8, allow remote attackers to inject arbitrary web script or HTML via (1) the action parameter in add_block.php or (2) the entry parameter in index.php, different vectors than CVE-2005-1135. NOTE: this has been reported to affect 0.8, but as of 20061121, the most recent version is only 0.4.9.
14907 CVE-2006-6022 XSS 2006-11-21 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in login_form.asp in BestWebApp Dating Site allows remote attackers to inject arbitrary web script or HTML via the msg parameter.
14908 CVE-2006-6020 XSS 2006-11-21 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in announce.php in Blog Torrent Preview 0.92 allows remote attackers to inject arbitrary web script or HTML via the left parameter.
14909 CVE-2006-6019 XSS 2006-11-21 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in extensions/googiespell/googlespell_proxy.php in Bill Roberts Bloo 1.0 allows remote attackers to inject arbitrary web script or HTML via the lang parameter.
14910 CVE-2006-6008 +Priv 2006-11-21 2008-09-05
6.5
User Remote Low Single system Partial Partial Partial
ftpd in Linux Netkit (linux-ftpd) 0.17, and possibly other versions, does not check the return status of certain seteuid, setgid, and setuid calls, which might allow remote authenticated users to gain privileges if these calls fail in cases such as PAM failures or resource limits, a different vulnerability than CVE-2006-5778.
14911 CVE-2006-5986 XSS 2006-11-20 2008-09-05
6.8
User Remote Medium Not required Partial Partial Partial
admin/options.php in Extreme CMS 0.9, and possibly earlier, does not require authentication, which might allow remote attackers to conduct unauthorized activities. NOTE: this issue can be combined with another vulnerability to expand the scope of a cross-site scripting (XSS) attack without authentication. NOTE: the provenance of this information is unknown; details are obtained from third party sources.
14912 CVE-2006-5985 XSS 2006-11-20 2008-09-05
6.8
User Remote Medium Not required Partial Partial Partial
Multiple cross-site scripting (XSS) vulnerabilities in admin/options.php in Extreme CMS 0.9, and possibly earlier, allow remote attackers to inject arbitrary web script or HTML via the (1) bg1, (2) bg2, (3) text, or (4) size parameters. NOTE: the provenance of this information is unknown; details are obtained from third party sources.
14913 CVE-2006-5984 XSS 2006-11-20 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Multiple cross-site scripting (XSS) vulnerabilities in Helm Web Hosting Control Panel 3.2.10 allow remote authenticated users to inject arbitrary web script or HTML via the (1) txtCompanyName, (2) txtEmail, or (3) txtUserAccNum parameter to (a) users.asp, or the (4) setThemeColour parameter to (b) default.asp in the Reseller and Admin levels; or the (5) setThemeColour parameter to default.asp in the User level. NOTE: the txtDomainName parameter to domains.asp is covered by CVE-2006-1407, which suggests that this vector is fixed in 3.2.10 stable.
14914 CVE-2006-5983 XSS 2006-11-20 2018-10-17
6.0
User Remote Medium Single system Partial Partial Partial
Multiple cross-site scripting (XSS) vulnerabilities in JBMC Software DirectAdmin 1.28.1 allow remote authenticated users to inject arbitrary web script or HTML via the (1) user parameter to (a) CMD_SHOW_RESELLER or (b) CMD_SHOW_USER in the Admin level; the (2) TYPE parameter to (c) CMD_TICKET_CREATE or (d) CMD_TICKET, the (3) user parameter to (e) CMD_EMAIL_FORWARDER_MODIFY, (f) CMD_EMAIL_VACATION_MODIFY, or (g) CMD_FTP_SHOW, and the (4) name parameter to (h) CMD_EMAIL_LIST in the User level; or the (5) user parameter to (i) CMD_SHOW_USER in the Reseller level.
14915 CVE-2006-5981 22 Dir. Trav. 2006-11-20 2017-07-19
6.4
None Remote Low Not required Partial Partial None
Multiple directory traversal vulnerabilities in SeleniumServer FTP Server 1.0, and possibly earlier, allow remote attackers to list arbitrary directories, read arbitrary files, and upload arbitrary files via directory traversal sequences in the (1) DIR (LIST or NLST), (2) GET (RETR), and (3) PUT (STOR) commands.
14916 CVE-2006-5975 XSS 2006-11-20 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Multiple cross-site scripting (XSS) vulnerabilities in comments.asp in BlogMe 3.0 allow remote attackers to inject arbitrary web script or HTML via the (1) Name, (2) URL, or (3) Comments field.
14917 CVE-2006-5966 399 2006-11-17 2018-10-17
6.4
None Remote Low Not required Partial None Partial
Panda ActiveScan 5.53.00, and other versions before 5.54.01, allows remote attackers to (1) reboot the system using the Reinicializar method in the ActiveScan.1 ActiveX control, or (2) determine arbitrary file existence and size via the ObtenerTamano method in the PAVPZ.SOS.1 ActiveX control.
14918 CVE-2006-5960 XSS 2006-11-16 2017-07-19
6.8
User Remote Medium Not required Partial Partial Partial
Multiple cross-site scripting (XSS) vulnerabilities in account_login.asp in A+ Store E-Commerce allow remote attackers to inject arbitrary web script or HTML via the (1) username (txtUserName) and (2) password (txtPassword) parameters. NOTE: portions of these details are obtained from third party information.
14919 CVE-2006-5958 XSS 2006-11-16 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Multiple cross-site scripting (XSS) vulnerabilities in INFINICART allow remote attackers to inject arbitrary web script or HTML via the (1) username and (2) password fields in (a) login.asp, (3) search field in (b) search.asp, and (4) email field in (c) sendpassword.asp.
14920 CVE-2006-5944 XSS 2006-11-16 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in csm/asp/listings.asp in MGinternet Car Site Manager (CSM) allows remote attackers to inject arbitrary web script or HTML via the s parameter.
14921 CVE-2006-5942 XSS 2006-11-16 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in inventory/display/display_results.asp in Website Designs For Less Inventory Manager allows remote attackers to inject arbitrary web script or HTML via the category parameter.
14922 CVE-2006-5915 XSS 2006-11-15 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Multiple cross-site scripting (XSS) vulnerabilities in ls.php in SAMEDIA LandShop allow remote attackers to inject arbitrary web script or HTML via the (1) start, (2) CAT_ID, (3) keyword, (4) search_area, (5) search_type, (6) infield, or (7) search_order parameter.
14923 CVE-2006-5913 2006-11-15 2018-10-17
6.4
None Remote Low Not required None Partial Partial
Microsoft Internet Explorer 7 allows remote attackers to (1) cause a security certificate from a secure web site to appear invalid via a link to res://ieframe.dll/sslnavcancel.htm with the target site in the anchor identifier, which displays the site's URL in the address bar but causes Internet Explorer to report that the certificate is invalid, or (2) trigger a "The webpage no longer exists" report via a link to res://ieframe.dll/http_410.htm, a variant of CVE-2006-5805.
14924 CVE-2006-5905 2006-11-15 2018-10-17
6.4
None Remote Low Not required Partial Partial None
Web Directory Pro allows remote attackers to (1) backup the database and obtain the backup via a direct request to admin/backup_db.php or (2) modify configuration via a direct request to admin/options.php.
14925 CVE-2006-5900 XSS 2006-11-15 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in the incubator/tests/Zend/Http/_files/testRedirections.php sample code in Zend Framework Preview 0.2.0 allows remote attackers to inject arbitrary web script or HTML via arbitrary parameters.
14926 CVE-2006-5894 Dir. Trav. 2006-11-14 2017-10-18
6.8
User Remote Medium Not required Partial Partial Partial
Directory traversal vulnerability in lang.php in Rama CMS 0.68 and earlier, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the lang cookie, as demonstrated by injecting PHP sequences into an Apache HTTP Server log file, which is then included by lang.php.
14927 CVE-2006-5875 Exec Code 2006-12-13 2017-07-19
6.8
User Remote Medium Not required Partial Partial Partial
eoc.py in Enemies of Carlotta (EoC) before 1.2.4 allows remote attackers to execute arbitrary commands via shell metacharacters in an "SMTP level e-mail address".
14928 CVE-2006-5866 Dir. Trav. 2006-11-10 2018-10-17
6.4
None Remote Low Not required Partial Partial None
Directory traversal vulnerability in Mdoc/view-sourcecode.php for phpManta 1.0.2 and earlier allows remote attackers to read and include arbitrary files via ".." sequences in the file parameter.
14929 CVE-2006-5856 Exec Code Overflow 2006-12-06 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Stack-based buffer overflow in the Adobe Download Manager before 2.2 allows remote attackers to execute arbitrary code via a long section name in the dm.ini file, which is populated via an AOM file.
14930 CVE-2006-5853 XSS 2006-11-09 2017-07-19
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in logon.aspx in Immediacy CMS (Immediacy .NET CMS) 5.2 allows remote attackers to inject arbitrary web script or HTML via the lang parameter, which is returned to the client in a lang cookie.
14931 CVE-2006-5846 22 Dir. Trav. 2006-11-09 2017-07-19
6.4
None Remote Low Not required Partial Partial None
Directory traversal vulnerability in index.php in FreeWebshop 2.2.2 and earlier allows remote attackers to read and include arbitrary files via a .. (dot dot) in the page parameter, a different vector than CVE-2006-5773.
14932 CVE-2006-5845 434 Exec Code 2006-11-09 2017-07-19
6.5
User Remote Low Single system Partial Partial Partial
Unrestricted file upload vulnerability in index.php in Speedywiki 2.0 allows remote authenticated users to upload and execute arbitrary PHP code by setting the upload parameter to 1.
14933 CVE-2006-5843 79 XSS 2006-11-09 2017-07-19
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in index.php in Speedywiki 2.0 allows remote attackers to inject arbitrary web script or HTML via the showRevisions parameter.
14934 CVE-2006-5830 XSS 2006-11-09 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Multiple cross-site scripting (XSS) vulnerabilities in All In One Control Panel (AIOCP) 1.3.007 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) topid, (2) forid, and (3) catid parameters to code/cp_forum_view.php; (4) choosed_language parameter to cp_dpage.php; (5) orderdir parameter to cp_links_search.php; (6) order_field parameter to (a) cp_show_ec_products.php and (b) cp_users_online.php; and the (7) signature and (8) fiscal code fields in the user profile.
14935 CVE-2006-5829 89 Exec Code Sql 2006-11-09 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in All In One Control Panel (AIOCP) 1.3.007 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) choosed_language parameter to (a) cp_dpage.php, (b) cp_news.php, (c) cp_forum_view.php, (d) cp_edit_user.php, (e) cp_newsletter.php, (f) cp_links.php, (g) cp_contact_us.php, (h) cp_login.php, and (i) cp_codice_fiscale.php in public/code/; (2) news_category parameter to public/code/cp_news.php; (3) nlmsg_nlcatid parameter to public/code/cp_newsletter.php; (4) links_category parameter to public/code/cp_links.php; (5) product_category_id parameter to public/code/cp_show_ec_products.php; (6) order_field parameter to public/code/cp_show_ec_products.php; (7) firstrow parameter to public/code/cp_users_online.php; and (8) orderdir parameter to public/code/cp_links_search.php.
14936 CVE-2006-5827 XSS 2006-11-09 2017-07-19
6.8
User Remote Medium Not required Partial Partial Partial
Multiple cross-site scripting (XSS) vulnerabilities in index.php in phpComasy CMS 0.7.9pre and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) username or (2) password parameters.
14937 CVE-2006-5811 Exec Code File Inclusion 2006-11-08 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
PHP remote file inclusion vulnerability in library/translation.inc.php in OpenEMR 2.8.1, with register_globals enabled, allows remote attackers to execute arbitrary PHP code via a URL in the GLOBALS[srcdir] parameter.
14938 CVE-2006-5810 XSS 2006-11-08 2008-09-05
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in modules/wfdownloads/newlist.php in XOOPS 1.0 allows remote attackers to inject arbitrary web script or HTML via the newdownloadshowdays parameter.
14939 CVE-2006-5799 XSS 2006-11-08 2017-07-19
6.8
User Remote Medium Not required Partial Partial Partial
Multiple cross-site scripting (XSS) vulnerabilities in default.asp in xenis.creator CMS allow remote attackers to inject arbitrary web script or HTML via the (1) contid or (2) search parameters.
14940 CVE-2006-5775 XSS 2006-11-06 2017-07-19
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in profile.php in FunkBoard 0.71 before 4 November 2006 at 18:16 GMT allows remote attackers to inject arbitrary web script or HTML, possibly via the name parameter.
14941 CVE-2006-5770 XSS 2006-11-06 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Multiple cross-site scripting (XSS) vulnerabilities in ac4p Mobile allow remote attackers to inject arbitrary web script or HTML via (1) Bloks, (2) Newnews, (3) lBlok, and (4) foooot parameter in (a) index.php; Newnews, (5) newmsgs, and Bloks parameter in (b) MobileNews.php; Newnews parameter in (c) polls.php; (6) cats parameter in (d) send.php; (7) footer parameter in (e) up.php; and (8) pagenav parameter in (f) cp/index.php.
14942 CVE-2006-5767 94 Exec Code File Inclusion 2006-11-06 2017-10-18
6.8
User Remote Medium Not required Partial Partial Partial
PHP remote file inclusion vulnerability in includes/xhtml.php in Drake CMS 0.2.2 alpha rev.846 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the d_root parameter.
14943 CVE-2006-5746 2006-11-06 2018-10-17
6.4
None Remote Low Not required Partial Partial None
The console in AirMagnet Enterprise before 7.5 build 6307 does not properly validate the Enterprise Server certificate, which allows remote attackers to read network traffic via a man-in-the-middle (MITM) attack, possibly related to the use of self-signed certificates.
14944 CVE-2006-5731 Exec Code Dir. Trav. 2006-11-06 2017-10-18
6.4
None Remote Low Not required Partial Partial None
Directory traversal vulnerability in classes/index.php in Lithium CMS 4.04c and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the siteconf[curl] parameter, as demonstrated by a POST to news/comment.php containing PHP code, which is stored under db/comments/news/ and included by classes/index.php.
14945 CVE-2006-5729 2006-11-06 2017-07-19
6.5
User Remote Low Single system Partial Partial Partial
Yazd Discussion Forum before 3.0 beta does not properly manage forum permissions, which allows remote authenticated users to (1) reply to a message in an arbitrary forum, if authorized to create a message in any forum; and (2) perform certain unauthorized forum actions, related to an "error in how the permissions were assembled" that assigns extra permissions to users.
14946 CVE-2006-5705 Dir. Trav. 2006-11-03 2008-09-05
6.0
None Remote Medium Single system Partial Partial Partial
Multiple directory traversal vulnerabilities in plugins/wp-db-backup.php in WordPress before 2.0.5 allow remote authenticated users to read or overwrite arbitrary files via directory traversal sequences in the (1) backup and (2) fragment parameters in a GET request.
14947 CVE-2006-5704 2006-11-03 2017-07-19
6.2
Admin Local High Not required Complete Complete Complete
HP NonStop Server G06.29, when running Standard Security T6533G06 before T6533G06^ABK, does not properly evaluate access permissions to OSS directories when no optional ACL entry exists, which allows local users to read arbitrary files.
14948 CVE-2006-5676 Exec Code Sql 2006-11-02 2017-10-18
6.4
None Remote Low Not required Partial Partial None
SQL injection vulnerability in consult/classement.php in Uni-Vert PhpLeague 0.82 and earlier allows remote attackers to execute arbitrary SQL commands via the champ parameter.
14949 CVE-2006-5673 Exec Code File Inclusion 2006-11-02 2017-10-18
6.8
User Remote Medium Not required Partial Partial Partial
PHP remote file inclusion vulnerability in bb_func_txt.php in miniBB 2.0.2 and earlier, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the pathToFiles parameter.
14950 CVE-2006-5661 XSS 2006-11-02 2018-10-17
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in nquser.php in VIRtech Netquery allows remote attackers to inject arbitrary web script or HTML via the User-Agent HTTP header.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.