Search Results (5477 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2008-6355 1 Thenetguys 1 Aspired2protect 2025-04-09 N/A
The Net Guys ASPired2Protect stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing the username and password via a direct request to ASPired2Protect.mdb.
CVE-2007-4174 1 Tor 1 Tor 2025-04-09 N/A
Tor before 0.1.2.16, when ControlPort is enabled, does not properly restrict commands to localhost port 9051, which allows remote attackers to modify the torrc configuration file, compromise anonymity, and have other unspecified impact via HTTP POST data containing commands without valid authentication, as demonstrated by an HTML form (1) hosted on a web site or (2) injected by a Tor exit node.
CVE-2008-1255 1 Zyxel 1 P-660hw 2025-04-09 N/A
The ZyXEL P-660HW series router maintains authentication state by IP address, which allows remote attackers to bypass authentication by establishing a session from a source IP address of a previously authenticated user.
CVE-2008-0245 1 Uploadscript 2 Uploadimage, Uploadscript 2025-04-09 N/A
admin.php in UploadImage 1.0 does not check for the original password before making a change to a new password, which allows remote attackers to gain administrator privileges via the pass parameter in a nopass (Set Password) action.
CVE-2008-0246 1 Uploadscript 2 Uploadimage, Uploadscript 2025-04-09 N/A
admin.php in UploadScript 1.0 does not check for the original password before making a change to a new password, which allows remote attackers to gain administrator privileges via the pass parameter in a nopass (Set Password) action.
CVE-2008-0329 1 Julien Plesniak 1 Lulieblog 2025-04-09 N/A
LulieBlog 1.0.1 and 1.0.2 does not restrict access to (1) article_suppr.php, (2) comment_accepter.php, and (3) comment_refuser.php in Admin/, which allows remote attackers to accept comments, delete comments, and delete articles via the id parameter.
CVE-2009-1573 4 Branden Robinson, Debian, Redhat and 1 more 4 Xvfb-run, Debian Linux, Fedora and 1 more 2025-04-09 N/A
xvfb-run 1.6.1 in Debian GNU/Linux, Ubuntu, Fedora 10, and possibly other operating systems place the magic cookie (MCOOKIE) on the command line, which allows local users to gain privileges by listing the process and its arguments.
CVE-2008-4698 1 Opera 1 Opera Browser 2025-04-09 N/A
Opera before 9.61 does not properly block scripts during preview of a news feed, which allows remote attackers to create arbitrary new feed subscriptions and read the contents of arbitrary feeds.
CVE-2007-6497 1 Hosting Controller 1 Hosting Controller 2025-04-09 N/A
Hosting Controller 6.1 Hot fix 3.3 and earlier (1) allows remote attackers to change arbitrary user profiles via a request to Hosting/Addreseller.asp with modified loginname and email parameters; and (2) allows remote authenticated users to change a credit amount and increase a discount via an UpdateUser action to Accounts/AccountActions.asp with modified UserName, FullName, CreditLimit, and DefaultDiscount parameters, a related issue to CVE-2005-2219.
CVE-2008-6357 1 Donnafontenot 1 Mycal Personal Events Calendar 2025-04-09 N/A
MyCal Personal Events Calendar stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing the username and password via a direct request to mycal.mdb.
CVE-2009-3122 2 Chris Shattuck, Drupal 2 Ajaxtable, Drupal 2025-04-09 N/A
The Ajax Table module 5.x for Drupal does not perform access control, which allows remote attackers to delete arbitrary users and nodes via unspecified vectors.
CVE-2007-2063 1 Ssh 1 Tectia Server 2025-04-09 N/A
SSH Tectia Server for IBM z/OS before 5.4.0 uses insecure world-writable permissions for (1) the server pid file, which allows local users to cause arbitrary processes to be stopped, or (2) when _BPX_BATCH_UMASK is missing from the environment, creates HFS files with insecure permissions, which allows local users to read or modify these files and have other unknown impact.
CVE-2009-4044 2 Bruno Massa, Drupal 2 Web Services, Drupal 2025-04-09 N/A
The Web Services module 6.x for Drupal does not perform the expected access control, which allows remote attackers to make unspecified use of an API via unknown vectors.
CVE-2009-4527 2 Drupal, Niif 2 Drupal, Shib Auth 2025-04-09 N/A
The Shibboleth authentication module 5.x before 5.x-3.4 and 6.x before 6.x-3.2, a module for Drupal, does not properly remove statically granted privileges after a logout or other session change, which allows physically proximate attackers to gain privileges by using an unattended web browser.
CVE-2008-2682 1 Realm Project 1 Realm Cms 2025-04-09 N/A
_RealmAdmin/login.asp in Realm CMS 2.3 and earlier allows remote attackers to bypass authentication and access admin pages via certain modified cookies, probably including (1) cUserRole, (2) cUserName, and (3) cUserID.
CVE-2007-6334 2 Ingres, Microsoft 2 Ingres, Windows Nt 2025-04-09 N/A
Ingres 2.5 and 2.6 on Windows, as used in multiple CA products and possibly other products, assigns the privileges and identity of users to be the same as the first user, which allows remote attackers to gain privileges.
CVE-2008-6494 1 Robs-projects 1 Asp User Engine.net 2025-04-09 N/A
ASP User Engine.NET stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for users.mdb.
CVE-2008-0135 1 Snitz Communications 1 Snitz Forums 2000 2025-04-09 N/A
Snitz Forums 2000 3.4.06 and earlier stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for forum/snitz_forums_2000.mdb.
CVE-2008-7066 1 2enetworx 1 Openforum 2025-04-09 N/A
OpenForum 0.66 Beta allows remote attackers to bypass authentication and reset passwords of other users via a direct request with the update parameter set to 1 and modified user and password parameters.
CVE-2008-3303 1 Tuxplanet 1 Bilboblog 2025-04-09 N/A
admin/login.php in BilboBlog 0.2.1, when register_globals is enabled, allows remote attackers to bypass authentication and obtain administrative access via a direct request that sets the login, admin_login, password, and admin_passwd parameters.