| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Multiple cross-site scripting (XSS) vulnerabilities in Enthusiast 3.1 allow remote attackers to inject arbitrary web script or HTML via the URI for (1) show_owned.php or (2) show_joined.php. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. |
| Multiple race conditions in Smb4K before 0.8.0 allow local users to (1) modify arbitrary files via unspecified manipulations of Smb4K's lock file, which is not properly handled by the remove_lock_file function in core/smb4kfileio.cpp, and (2) add lines to the sudoers file via a symlink attack on temporary files, which isn't properly handled by the writeFile function in core/smb4kfileio.cpp. |
| Multiple SQL injection vulnerabilities in Enthusiast 3.1 allow remote attackers to execute arbitrary SQL commands via the cat parameter to (1) show_owned.php, (2) show_joined.php, and possibly other files. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. |
| Multiple PHP remote file inclusion vulnerabilities in Openads (aka phpAdsNew) 2.0.7 allow remote attackers to execute arbitrary PHP code via a URL in the (1) phpAds_geoPlugin parameter to libraries/lib-remotehost.inc, the (2) filename parameter to admin/report-index, or the (3) phpAds_config[my_footer] parameter to admin/lib-gui.inc. NOTE: the vendor has disputed this issue, stating that the relevant variables are used within function definitions |
| PHP remote file inclusion vulnerability in index.php in FreeForum 0.9.0 allows remote attackers to execute arbitrary PHP code via a URL in the fpath parameter. NOTE: this issue has been disputed by third party researchers, stating that fpath variable is initialized before being used |
| The Huawei Versatile Routing Platform 1.43 2500E-003 firmware on the Quidway R1600 Router, and possibly other models, allows remote attackers to cause a denial of service (device crash) via a long show arp command. |
| The Run function in SolidWorks sldimdownload ActiveX control in sldimdownload.dll before 16.0.0.6 allows remote attackers to execute arbitrary commands via the (1) installerpath and (2) applicationarguments arguments. |
| OpenSSL 0.9.8i and earlier does not properly check the return value from the EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys. |
| Eval injection vulnerability in TWiki before 4.2.4 allows remote attackers to execute arbitrary Perl code via the %SEARCH{}% variable. |
| Directory traversal vulnerability in frame.php in phpcrs 2.06 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the importFunction parameter. |
| SQL injection vulnerability in loudblog/ajax.php in LoudBlog 0.8.0a and earlier allows remote authenticated users to execute arbitrary SQL commands via the colpick parameter in a singleread action. |
| Cross-site scripting (XSS) vulnerability in topic.php in Camera Life 2.6.2b4 allows remote attackers to inject arbitrary web script or HTML via the name parameter. |
| PHP remote file inclusion vulnerability in includes/functions.visohotlink.php in VisoHotlink 1.01 and possibly earlier allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter. |
| Multiple directory traversal vulnerabilities in AJA Portal 1.2 allow remote attackers to include and execute arbitrary local files via directory traversal sequences in the currentlang parameter to admin/case.php in the (1) Contact_Plus and (2) Reviews modules, and (3) the module_name parameter to admin/includes/FANCYNLOptions.php in the Fancy_NewsLetter module. |
| Multiple SQL injection vulnerabilities in admin/login_submit.php in Whole Hog Password Protect: Enhanced 1.x allow remote attackers to execute arbitrary SQL commands via (1) the uid parameter (aka Username field) or (2) the pwd parameter (aka Password field). NOTE: some of these details are obtained from third party information. |
| Multiple SQL injection vulnerabilities in customer_login_check.asp in ClickTech ClickCart 6.0 allow remote attackers to execute arbitrary SQL commands via (1) the txtEmail parameter (aka E-MAIL field) or (2) the txtPassword parameter (aka password field) to customer_login.asp. NOTE: some of these details are obtained from third party information. |
| index.php in Open-Realty 2.3.4 allows remote attackers to obtain sensitive information (the full path) via an invalid listingID parameter in a listingview action. |
| Distributed SLS daemon (SLSd) on HP-UX B.11.11 allows remote attackers to overwrite arbitrary files and gain privileges via a crafted RPC request. |
| PHP remote file inclusion vulnerability in up.php in Sky GUNNING MySpeach 3.0.6 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the my_ms[root] parameter, a different vector than CVE-2006-4630. NOTE: Some of these details are obtained from third party information. |
| The Intrusion Prevention System (IPS) feature for Cisco IOS 12.4XE to 12.3T allows remote attackers to bypass IPS signatures that use regular expressions via fragmented packets. |
