| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Multiple cross-site scripting (XSS) vulnerabilities in phplist before 2.10.3 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| Multiple PHP remote file inclusion vulnerabilities in phpFFL 1.24 allow remote attackers to execute arbitrary PHP code via a URL in the PHPFFL_FILE_ROOT parameter to (1) admin.php, (2) custom_pages.php, (3) draft.php, (4) faq.php, (5) leagues.php, (6) livedraft.php, (7) login.php, (8) my_team.php, (9) profile.php, (10) signup.php, (11) statistics.php, (12) transactions.php, (13) program_files/admin/custom_pages.php, or (14) program_files/common.php. NOTE: the program_files/livedraft/admin.php and program_files/livedraft/livedraft.php vectors are covered by CVE-2007-4934. |
| SQL injection vulnerability in vnews.php in Universe CMS 1.0.6 allows remote attackers to execute arbitrary SQL commands via the id parameter. |
| Multiple cross-site scripting (XSS) vulnerabilities in OpenBiblio 0.5.2-pre4 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) LAST and (2) FIRST parameters to admin/staff_del_confirm.php, (3) the name parameter to admin/theme_del_confirm.php, or (4) the themeName parameter to admin/theme_preview.php. |
| Directory traversal vulnerability in includes/block.php in Agares Media phpAutoVideo 2.21 allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the selected_provider parameter. |
| SQL injection vulnerability in report.php in Meeting Room Booking System (MRBS) before 1.4.2 allows remote attackers to execute arbitrary SQL commands via the typematch parameter. NOTE: some of these details are obtained from third party information. |
| Directory traversal vulnerability in index.php in LionWiki 3.0.3, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the page parameter. |
| Directory traversal vulnerability in image.php in Clear Content 1.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the url parameter. NOTE: the researcher also suggests an analogous PHP remote file inclusion vulnerability, but this may be incorrect. |
| Multiple stack-based buffer overflows in EpicDJSoftware EpicDJ 1.3.9.1 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long string in a (1) .m3u or (2) .mpl playlist file. |
| PHP remote file inclusion vulnerability in CoupleDB.php in PHPGenealogy 2.0 allows remote attackers to execute arbitrary PHP code via a URL in the DataDirectory parameter. |
| Directory traversal vulnerability in ls.php in LittleSite (aka LS or LittleSite.php) 0.1 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the file parameter to index.php. NOTE: in some environments, this can be leveraged for remote file inclusion by using a UNC share pathname or an ftp, ftps, or ssh2.sftp URL. |
| Argument injection vulnerability in the Linden Lab Second Life secondlife:// protocol handler, as used in Internet Explorer and possibly Firefox, allows remote attackers to obtain sensitive information via a '" ' (double-quote space) sequence followed by the -autologin and -loginuri arguments, which cause the handler to post login credentials and software installation details to an arbitrary URL. |
| SQL injection vulnerability in _phenotype/admin/login.php in Phenotype CMS before 2.9 allows remote attackers to execute arbitrary SQL commands via the user parameter (aka the login name). |
| SQL injection vulnerability in item.php in CartKeeper CKGold Shopping Cart 2.5 and 2.7 allows remote attackers to execute arbitrary SQL commands via the category_id parameter, a different vector than CVE-2007-4736. |
| Xerver HTTP Server 4.32 allows remote attackers to obtain the source code for a web page via an HTTP request with the addition of ::$DATA after the HTML file name. |
| DataWizard Technologies FtpXQ FTP Server 3.0 allows remote authenticated users to cause a denial of service (crash) via a long ABOR command. |
| Multiple race conditions in fs/pipe.c in the Linux kernel before 2.6.32-rc6 allow local users to cause a denial of service (NULL pointer dereference and system crash) or gain privileges by attempting to open an anonymous pipe via a /proc/*/fd/ pathname. |
| packet-paltalk.c in the Paltalk dissector in Wireshark 1.2.0 through 1.2.2, on SPARC and certain other platforms, allows remote attackers to cause a denial of service (application crash) via a file that records a malformed packet trace. |
| The DCERPC/NT dissector in Wireshark 0.10.10 through 1.0.9 and 1.2.0 through 1.2.2 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a file that records a malformed packet trace. NOTE: some of these details are obtained from third party information. |
| Off-by-one error in the dissect_negprot_response function in packet-smb.c in the SMB dissector in Wireshark 1.2.0 through 1.2.2 allows remote attackers to cause a denial of service (application crash) via a file that records a malformed packet trace. NOTE: some of these details are obtained from third party information. |
