| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Cross-site scripting (XSS) vulnerability in the CSRF protection scheme in WordPress before 2.0.6 allows remote attackers to inject arbitrary web script or HTML via a CSRF attack with an invalid token and quote characters or HTML tags in URL variable names, which are not properly handled when WordPress generates a new link to verify the request. |
| Buffer overflow in Roaring Penguin MIMEDefang 2.59 and 2.60 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via unspecified vectors. |
| Multiple cross-site scripting (XSS) vulnerabilities in Bartels Schoene ConPresso before 4.0.5a allow remote attackers to inject arbitrary web script or HTML via (1) the nr parameter in detail.php, (2) the msg parameter in db_mysql.inc.php, and (3) the pos parameter in index.php. |
| Cross-site scripting (XSS) vulnerability in the Servlet Service in Fujitsu Interstage Application Server (IJServer) 8.0.2 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly involving web.xml and HTTP 404 and 500 status codes. |
| SQL injection vulnerability in post.php in Particle Blogger 1.0.0 through 1.2.0 allows remote attackers to execute arbitrary SQL commands via the postid parameter. |
| Directory traversal vulnerability in navigator/navigator_ok.php in Pagode 0.5.8 allows remote attackers to read and possibly delete arbitrary files via a .. (dot dot) in the asolute parameter. |
| Multiple PHP remote file inclusion vulnerabilities in Joshua Muheim phpMyWebmin 1.0 allow remote attackers to execute arbitrary PHP code via a URL in the (1) target and (2) action parameters in window.php, and possibly the (3) target parameter in home.php. |
| Direct static code injection vulnerability in postpost.php in Dayfox Blog (dfblog) 4 allows remote attackers to execute arbitrary PHP code via the cat parameter, which can be executed via a request to posts.php. |
| Algorithmic complexity vulnerability in the forms library in Django 1.0 before 1.0.4 and 1.1 before 1.1.1 allows remote attackers to cause a denial of service (CPU consumption) via a crafted (1) EmailField (email address) or (2) URLField (URL) that triggers a large amount of backtracking in a regular expression. |
| SQL injection vulnerability in News/page.asp in NetVIOS Portal allows remote attackers to execute arbitrary SQL commands via the NewsID parameter. NOTE: this issue might be the same as CVE-2006-5954. |
| PHP remote file inclusion vulnerability in upgrade.php in Coalescent Systems freePBX 2.1.3 allows remote attackers to execute arbitrary PHP code via a URL in the amp_conf[AMPWEBROOT] parameter. |
| Format string vulnerability in the ActiveX control (ATXCONSOLE.OCX) in TrendMicro OfficeScan Corporate Edition (OSCE) before 7.3 Patch 1 allows remote attackers to execute arbitrary code via format string identifiers in the "Management Console's Remote Client Install name search". |
| cgi-bin/sysconf.cgi on the Axesstel MV 410R allows remote attackers to cause a denial of service (configuration reset) via a RESTORE=RESTORE query string. |
| The JMS Server in BEA WebLogic Server 6.1 through SP7, 7.0 through SP6, and 8.1 through SP5 enforces security access policies on the front end, which allows remote attackers to access protected queues via direct requests to the JMS back-end server. |
| PHP remote file inclusion vulnerability in register.php for Andys Chat 4.5 allows remote attackers to execute arbitrary code via the action parameter. NOTE: this issue was announced by an unreliable researcher, but the vendor is no longer distributing the product, so the original claims can not be evaluated. |
| Multiple directory traversal vulnerabilities in EZOnlineGallery 1.3 and earlier, and possibly other versions before 1.3.2 Beta, allow remote attackers to (1) determine directory existence via a ".." in the album parameter in a show_album action to (a) ezgallery.php, which produces different responses depending on existence; and read arbitrary image files via a ".." in the album or (2) image parameter to (b) image.php. |
| Unspecified vulnerability in MERCUR Messaging 2005 before Service Pack 4 allows remote attackers to cause a denial of service (crash) via a TOP command to the POP3 service. |
| PHP remote file inclusion vulnerability in web/init_mysource.php in MySource CMS 2.16.2 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the INCLUDE_PATH parameter. |
| Sun Java System Portal Server 7.0 does not properly process XSLT stylesheets in XSLT transforms in XML signatures, which allows context-dependent attackers to execute an arbitrary Java method via a crafted stylesheet, a related issue to CVE-2007-3715. |
| Cross-site scripting (XSS) vulnerability in index.php in the Sirius 1.0 theme for WordPress allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO (PHP_SELF). |
