Stack-based buffer overflow in Microsoft Publisher 2000 through 2003 allows user-assisted remote attackers to execute arbitrary code via a crafted PUB file, which causes an overflow when parsing fonts.20060912 Computer Terrorism (UK) :: Incident Response Centre - Microsoft Publisher Font Parsing VulnerabilitySecurity Advisory : CT12-09-2006-2MS06-05419951ADV-2006-356521863TA06-255AVU#4062361016825publisher-pub-code-execution(28648)HPSBST02134oval:org.mitre.oval:def:5901548Unspecified vulnerability in Microsoft Outlook 2000 through 2003, Exchange 5.0 Server SP2 and 5.5 SP4, Exchange 2000 SP3, and Office allows remote attackers to execute arbitrary code via an e-mail message with a crafted Transport Neutral Encapsulation Format (TNEF) MIME attachment, related to message length validation.MS06-003VU#25214616197ADV-2006-01191836820060110 Microsoft Outlook Critical Vulnerability20060110 Microsoft Exchange Critical VulnerabilityTA06-010A10154611015460oval:org.mitre.oval:def:1082oval:org.mitre.oval:def:1165oval:org.mitre.oval:def:1316oval:org.mitre.oval:def:1456oval:org.mitre.oval:def:1485oval:org.mitre.oval:def:624 win-tnef-overflow(22878)330331Unspecified vulnerability in the RDS.Dataspace ActiveX control, which is contained in ActiveX Data Objects (ADO) and distributed in Microsoft Data Access Components (MDAC) 2.7 and 2.8, allows remote attackers to execute arbitrary code via unknown attack vectors.http://www.microsoft.com/technet/security/Bulletin/MS06-014.mspxMS06-014TA06-101AVU#23481217462ADV-2006-1319195831015894ADV-2006-24522071924517oval:org.mitre.oval:def:1204oval:org.mitre.oval:def:1323oval:org.mitre.oval:def:1511oval:org.mitre.oval:def:1742oval:org.mitre.oval:def:1778 20797 mdac-rdsdataspace-execute-code(25006) ie-wscriptshell-command-execution(29915)20070729 Exploit In Internet Explorer20070730 RE: Exploit In Internet Explorer20070730 Re: Exploit In Internet Explorer20070731 Re: Exploit In Internet Explorer20522164Microsoft PowerPoint 2000 in Office 2000 SP3 has an interaction with Internet Explorer that allows remote attackers to obtain sensitive information via a PowerPoint presentation that attempts to access objects in the Temporary Internet Files Folder (TIFF).MS06-010VU#96362816634ADV-2006-0579101563218865powerpoint-tiff-information-disclosure(24490)oval:org.mitre.oval:def:1555Buffer overflow in the plug-in for Microsoft Windows Media Player (WMP) 9 and 10, when used in browsers other than Internet Explorer and set as the default application to handle media files, allows remote attackers to execute arbitrary code via HTML with an EMBED element containing a long src attribute.MS06-00620060214 Microsoft Windows Media Player Plugin Buffer Overflow VulnerabilityVU#692060TA06-045A16644ADV-2006-0575101562818852win-mediaplayer-plugin-embed-bo(24493)oval:org.mitre.oval:def:1559Heap-based buffer overflow in the bitmap processing routine in Microsoft Windows Media Player 7.1 on Windows 2000 SP4, Media Player 9 on Windows 2000 SP4 and XP SP1, and Media Player 10 on XP SP1 and SP2 allows remote attackers to execute arbitrary code via a crafted bitmap (.BMP) file that specifies a size of 0 but contains additional data.TA06-045AVU#291396MS06-00520060214 [EEYEB-20051017] Windows Media Player BMP Heap Overflow20060215 Windows Media Player BMP Heap Overflow (MS06-005)16633ADV-2006-0574101562718835win-media-player-bmp-bo(24488)oval:org.mitre.oval:def:1256oval:org.mitre.oval:def:1578oval:org.mitre.oval:def:1598oval:org.mitre.oval:def:1661423Buffer overflow in GIFIMP32.FLT, as used in Microsoft Office 2003 SP1 and SP2, Office XP SP3, Office 2000 SP3, and other products, allows user-assisted attackers to execute arbitrary code via a crafted GIF image that triggers memory corruption when it is parsed.MS06-039VU#66856418915ADV-2006-275721013TA06-192A101647020060712 NSFOCUS SA2006-04 : Microsoft Office GIF Filter Buffer Overflow Vulnerabilityoval:org.mitre.oval:def:21 20060712 NSFOCUS SA2006-04 : Microsoft Office GIF Filter Buffer Overflow Vulnerability 27146The ShellAbout API call in Korean Input Method Editor (IME) in Korean versions of Microsoft Windows XP SP1 and SP2, Windows Server 2003 up to SP1, and Office 2003, allows local users to gain privileges by launching the "shell about dialog box" and clicking the "End-User License Agreement" link, which executes Notepad with the privileges of the program that displays the about box.MS06-00920060215 Security advisory: Windows IME Vulnerability (MS06-009)VU#73984416643ADV-2006-0578101563118859win-korean-ime-privilege-elevation(24492)oval:org.mitre.oval:def:1595oval:org.mitre.oval:def:1650oval:org.mitre.oval:def:1664oval:org.mitre.oval:def:1688oval:org.mitre.oval:def:727Buffer overflow in Microsoft Office 2000 SP3, XP SP3, and other versions and packages, allows user-assisted attackers to execute arbitrary code via a routing slip that is longer than specified by the provided length field, as exploited by malware such as TROJ_MDROPPER.BH and Trojan.PPDropper.E in attacks against PowerPoint.MS06-012VU#682820101576619138TA06-073A20060314 SYMSA-2006-001: Buffer overflow in Microsoft Office 2000, Office XP (2002), and Office 2003 Routing Slip Metadata17000ADV-2006-095023903office-routing-slip-bo(25009)1923820060819 New PowerPoint 0-day and Trojan - FAQ document ready20060822 Major updates in PowerPoint FAQ document - not a 0-day issue101672020060822 Major updates in PowerPoint FAQ document - not a 0-day issue20060919 New PowerPoint 0-day Trojan in the wild20059ADV-2006-3678powerpoint-presentation-code-execution(29009)20060919 Microsoft PowerPoint 0-day Vulnerability FAQ - September written20060919 New PowerPoint 0-day Trojan in the wild1016886oval:org.mitre.oval:def:1504oval:org.mitre.oval:def:1553oval:org.mitre.oval:def:1653oval:org.mitre.oval:def:79820060422 PowerPoint Phishing TrojanHeap-based buffer overflow in T2EMBED.DLL in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 up to SP1, Windows 98, and Windows ME allows remote attackers to execute arbitrary code via an e-mail message or web page with a crafted Embedded Open Type (EOT) web font that triggers the overflow during decompression.MS06-002VU#91593016194ADV-2006-01181882918365TA06-010A1015459183911831120060110 [EEYEB-2000801] - Windows Embedded Open Type (EOT) Font Heap Overflow VulnerabilityEEYEB20050801oval:org.mitre.oval:def:1126oval:org.mitre.oval:def:1185oval:org.mitre.oval:def:1462oval:org.mitre.oval:def:1491oval:org.mitre.oval:def:698oval:org.mitre.oval:def:714 win-embedded-fonts-bo(23922)Unspecified vulnerability in Windows Explorer in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allows remote attackers to execute arbitrary code via attack vectors involving COM objects and "crafted files and directories," aka the "Windows Shell Vulnerability."MS06-015TA06-101A17464ADV-2006-132019606VU#641460245161015897win-explorer-com-code-execution(25554)oval:org.mitre.oval:def:1191oval:org.mitre.oval:def:1448oval:org.mitre.oval:def:1679oval:org.mitre.oval:def:1743oval:org.mitre.oval:def:1764Buffer overflow in the Web Client service (WebClnt.dll) for Microsoft Windows XP SP1 and SP2, and Server 2003 up to SP1, allows remote authenticated users or Guests to execute arbitrary code via crafted RPC requests, a different vulnerability than CVE-2005-1207.MS06-008VU#3889001663618857ADV-2006-05771015630msrpc-webclient-message-bo(24491)oval:org.mitre.oval:def:1220oval:org.mitre.oval:def:1547oval:org.mitre.oval:def:1602oval:org.mitre.oval:def:683oval:org.mitre.oval:def:716Buffer overflow in Microsoft Outlook Express 5.5 and 6 allows remote attackers to execute arbitrary code via a crafted Windows Address Book (WAB) file containing "certain Unicode strings" and modified length values.20060411 ZDI-06-007: Microsoft Windows Address Book (WAB) File Format Parsing VulnerabilityMS06-01617459ADV-2006-1321196171015898oval:org.mitre.oval:def:1611oval:org.mitre.oval:def:1682oval:org.mitre.oval:def:1769oval:org.mitre.oval:def:1771oval:org.mitre.oval:def:1780oval:org.mitre.oval:def:1791oval:org.mitre.oval:def:812 20060411 ZDI-06-007: Microsoft Windows Address Book (WAB) File Format Parsing Vulnerability outlook-express-wab-bo(25535)691Cross-site scripting (XSS) vulnerability in _vti_bin/_vti_adm/fpadmdll.dll in Microsoft FrontPage Server Extensions 2002 and SharePoint Team Services allows remote attackers to inject arbitrary web script or HTML, then leverage the attack to execute arbitrary programs or create new accounts, via the (1) operation, (2) command, and (3) name parameters.MS06-017ADV-2006-13221962320060412 Vulnerability in Microsoft FrontPage Server Extensions Could Allow Cross-Site Scripting1745210158951015896oval:org.mitre.oval:def:1748 fpse-html-xss(25537)704** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-3899. Reason: This candidate is a duplicate of CVE-2005-3899. Notes: All CVE users should reference CVE-2005-3899 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.Heap-based buffer overflow in the encodeURI and decodeURI functions in the kjs JavaScript interpreter engine in KDE 3.2.0 through 3.5.0 allows remote attackers to execute arbitrary code via a crafted, UTF-8 encoded URI.20060119 [KDE Security Advisory] kjs encodeuri/decodeuri heap overflowADV-2006-026518500DSA-948MDKSA-2006:019RHSA-2006:0184SUSE-SA:2006:0031854018561GLSA-200601-11USN-245-118552185591857016325226591015512kde-kjs-bo(24242)18899FLSA:178606SSA:2006-045-0518583MDKSA-2006:019364An unspecified Microsoft WMF parsing application, as used in Internet Explorer 5.01 SP4 on Windows 2000 SP4, and 5.5 SP2 on Windows Millennium, and possibly other versions, allows attackers to cause a denial of service (crash) and possibly execute code via a crafted WMF file with a manipulated WMF header size, possibly involving an integer overflow, a different vulnerability than CVE-2005-4560, and aka "WMF Image Parsing Memory Corruption Vulnerability."[funsec] 20060110 Another WMF flaw without a Microsoft patchVU#31295616516ADV-2006-046918729MS06-004TA06-045A1891222976oval:org.mitre.oval:def:1638Microsoft Windows XP SP1 and SP2, and Server 2003 up to SP1, allows remote attackers to cause a denial of service (hang) via an IGMP packet with an invalid IP option, aka the "IGMP v3 DoS Vulnerability."MS06-007TA06-018AVU#83928416645ADV-2006-057618853TA06-045A1015629win-igmpv3-dos(24489)oval:org.mitre.oval:def:1310oval:org.mitre.oval:def:1425oval:org.mitre.oval:def:1647oval:org.mitre.oval:def:1662oval:org.mitre.oval:def:6781599Unspecified vulnerability in Microsoft PowerPoint in Microsoft Office 2000 SP3, Office XP SP3, Office 2003 SP1 and SP2, Office 2004 for Mac, and v. X for Mac allows user-assisted attackers to execute arbitrary code via a PowerPoint document with a malformed record, which triggers memory corruption.MS06-028VU#19008918382ADV-2006-232520633TA06-164A101628726435powerpoint-record-bo(26784)oval:org.mitre.oval:def:1069oval:org.mitre.oval:def:1836oval:org.mitre.oval:def:1984Microsoft Windows XP SP1 and SP2 before August 2004, and possibly other operating systems and versions, uses insecure default ACLs that allow the Authenticated Users group to gain privileges by modifying critical configuration information for the (1) Simple Service Discovery Protocol (SSDP), (2) Universal Plug and Play Device Host (UPnP), (3) NetBT, (4) SCardSvr, (5) DHCP, and (6) DnsCache services, aka "Permissive Windows Services DACLs." NOTE: the NetBT, SCardSvr, DHCP, DnsCache already require privileged access to exploit.20060131 Windows Access Control DemystifiedVU#953860ADV-2006-0417win-auth-users-insecure-permissions(24463)101559518756MS06-01110157651931319238oval:org.mitre.oval:def:1671oval:org.mitre.oval:def:1696Multiple unspecified vulnerabilities in Adobe Flash Player 8.0.22.0 and earlier allow remote attackers to execute arbitrary code via a crafted SWF file.17106ADV-2006-095219218RHSA-2006:026823908macromedia-swf-code-execution(25005)TA06-075AVU#945060101577019259SUSE-SA:2006:015GLSA-200603-201919819328MS06-020TA06-129AADV-2006-1744APPLE-SA-2006-05-11TA06-132A2007717951ADV-2006-1779oval:org.mitre.oval:def:1894oval:org.mitre.oval:def:1922 ADV-2006-1262 20045APPLE-SA-2007-12-17TA07-352AADV-2007-423828136Stack-based buffer overflow in Microsoft Windows Media Player 9 and 10 allows remote attackers to execute arbitrary code via a PNG image with a large chunk size.20060613 Windows Media Player PNG Chunk Decoding Stack-Based Buffer OverflowMS06-02418385ADV-2006-232220626TA06-164AVU#608020101628426430win-media-player-png-bo(26788)oval:org.mitre.oval:def:1230oval:org.mitre.oval:def:1729oval:org.mitre.oval:def:1805oval:org.mitre.oval:def:1807oval:org.mitre.oval:def:1820oval:org.mitre.oval:def:1974Buffer overflow in Microsoft Internet Information Services (IIS) 5.0, 5.1, and 6.0 allows local and possibly remote attackers to execute arbitrary code via crafted Active Server Pages (ASP).MS06-034VU#39558818858ADV-2006-2752101646621006iis-asp-bo(26796)TA06-192Aoval:org.mitre.oval:def:435 20060718 ASP.DLL Include File Buffer Overflow 27152Unspecified vulnerability in Microsoft Exchange allows remote attackers to execute arbitrary code via e-mail messages with crafted (1) vCal or (2) iCal Calendar properties.MS06-019TA06-129AVU#30345217908ADV-2006-174325338101604820029exchange-calendar-code-execution(25556)oval:org.mitre.oval:def:1818oval:org.mitre.oval:def:1996oval:org.mitre.oval:def:2035Unspecified vulnerability in Microsoft Excel 2000, 2002, and 2003, in Microsoft Office 2000 SP3 and other packages, allows user-assisted attackers to execute arbitrary code via a BIFF parsing format file containing malformed BOOLERR records that lead to memory corruption, probably involving invalid pointers.20060314 ZDI-06-004: Microsoft Excel File Format Parsing VulnerabilityMS06-012VU#339878101576619138TA06-073Aexcel-parsing-format-file-bo(25225)ADV-2006-09502389919238oval:org.mitre.oval:def:1158oval:org.mitre.oval:def:1411oval:org.mitre.oval:def:1509oval:org.mitre.oval:def:1635583Unspecified vulnerability in Microsoft Excel 2000, 2002, and 2003, in Microsoft Office 2000 SP3 and other packages, allows user-assisted attackers to execute arbitrary code via an Excel file with a malformed description, which leads to memory corruption.MS06-012VU#235774101576619138TA06-073Aexcel-description-bo(25227)ADV-2006-09501923823900oval:org.mitre.oval:def:1522oval:org.mitre.oval:def:1570oval:org.mitre.oval:def:1579oval:org.mitre.oval:def:1633585586Unspecified vulnerability in Microsoft Excel 2000, 2002, and 2003, in Microsoft Office 2000 SP3 and other packages, allows user-assisted attackers to execute arbitrary code via an Excel file with a malformed graphic, which leads to memory corruption.MS06-012VU#123222101576619138TA06-073A2390116181ADV-2006-0950excel-graphic-bo(25229)19238oval:org.mitre.oval:def:1401oval:org.mitre.oval:def:1510oval:org.mitre.oval:def:1630oval:org.mitre.oval:def:1666Stack-based buffer overflow in Microsoft Excel 2000, 2002, and 2003, in Microsoft Office 2000 SP3 and other packages, allows user-assisted attackers to execute arbitrary code via an Excel file with a malformed record with a modified length value, which leads to memory corruption.MS06-012VU#104302101576619138TA06-073A17101excel-record-bo(25228)20060315 [xfocus-SD-060314]Microsoft Office Excel Buffer Overflow Vulnerability20060314 [xfocus-SD-060314]Microsoft Office Excel Buffer Overflow VulnerabilityADV-2006-09502390219238oval:org.mitre.oval:def:1327oval:org.mitre.oval:def:1525oval:org.mitre.oval:def:1750oval:org.mitre.oval:def:763589Cross-site scripting (XSS) vulnerability in the Indexing Service in Microsoft Windows 2000, XP, and Server 2003, when the Encoding option is set to Auto Select, allows remote attackers to inject arbitrary web script or HTML via a UTF-7 encoded URL, which is injected into an error message whose charset is set to UTF-7.Successful exploitation requires that the Indexing service is accessible through IIS.MS06-05319927ADV-2006-356421861TA06-255AVU#1088841016826ms-indexing-service-xss(28651)20061001 Microsoft Internet Information Services UTF-7 XSS Vulnerability [MS06-053]20061002 IE UXSS (Universal XSS in IE, was Re: Microsoft Internet Information Services UTF-7 XSS Vulnerability [MS06-053])HPSBST02134oval:org.mitre.oval:def:535Unspecified vulnerability in Microsoft Office 2003 SP1 and SP2, Office XP SP3, Office 2000 SP3, and other products, allows user-assisted attackers to execute arbitrary code via a crafted PNG image that triggers memory corruption when it is parsed.MS06-03918913VU#459388ADV-2006-275721013TA06-192A1016470oval:org.mitre.oval:def:163 27147Heap-based buffer overflow in the CRpcIoManagerServer::BuildContext function in msdtcprx.dll for Microsoft Distributed Transaction Coordinator (MSDTC) for Windows NT 4.0 and Windows 2000 SP2 and SP3 allows remote attackers to execute arbitrary code via a long fifth argument to the BuildContextW or BuildContext opcode, which triggers a bug in the NdrAllocate function, aka the MSDTC Invalid Memory Access Vulnerability.20060509 [EEYEB20051011A] - Microsoft Distributed Transaction Coordinator Heap OverflowMS06-01817906ADV-2006-17422000020060511 Microsoft MSDTC NdrAllocate Validation Vulnerability101604720060509 [EEYEB20051011A] - Microsoft Distributed Transaction Coordinator Heap Overflow20060510 Microsoft MSDTC NdrAllocate Validation Vulnerability25335oval:org.mitre.oval:def:1222oval:org.mitre.oval:def:1477oval:org.mitre.oval:def:1908msdtc-network-message-dos(25559)863The netlink_rcv_skb function in af_netlink.c in Linux kernel 2.6.14 and 2.6.15 allows local users to cause a denial of service (infinite loop) via a nlmsg_len field of 0.2006-00041641418482 ADV-2006-0220 kernel-afnetlink-dos(24202)388ip_nat_pptp in the PPTP NAT helper (netfilter/ip_nat_helper_pptp.c) in Linux kernel 2.6.14, and other versions, allows remote attackers to cause a denial of service (memory corruption or crash) via an inbound PPTP_IN_CALL_REQUEST packet that causes a null pointer to be used in an offset calculation.2006-00041641418482 ADV-2006-0220 kernel-pptpincallrequest-dos(24203)388ip_nat_pptp in the PPTP NAT helper (netfilter/ip_nat_helper_pptp.c) in Linux kernel 2.6.14, and other versions, allows local users to cause a denial of service (memory corruption or crash) via a crafted outbound packet that causes an incorrect offset to be calculated from pointer arithmetic when non-linear SKBs (socket buffers) are used.2006-00041641418482 ADV-2006-0220 kernel-pptpnathelper-dos(24204)388Integer overflow in the do_replace function in netfilter for Linux before 2.6.16-rc3, when using "virtualization solutions" such as OpenVZ, allows local users with CAP_NET_ADMIN rights to cause a buffer overflow in the copy_from_user function.Linux kernel version 2.6.16 has been released to address this issue.1717819330ADV-2006-1046linux-netfilter-doreplace-overflow(25400)DSA-109720671USN-302-120716DSA-1103ADV-2006-255420914RHSA-2006:05752146522417Race condition in the do_add_counters function in netfilter for Linux kernel 2.6.16 allows local users with CAP_NET_ADMIN capabilities to read kernel memory by triggering the race condition in a way that produces a size value that is inconsistent with allocated memory, which leads to a buffer over-read in IPT_ENTRY_ITERATE.ADV-2006-18932018518113linux-doaddcounters-race-condition(26583)DSA-109720671DSA-1103ADV-2006-255420914USN-311-12099125697RHSA-2006:06892229222945 21476GNOME Evolution 2.4.2.1 and earlier allows remote attackers to cause a denial of service (CPU and memory consumption) via a text e-mail with a large number of URLs, possibly due to unknown problems in gtkhtml.20060301 Evolution Emailer DoS16889ADV-2006-0801190491909416899 evolution-email-dos(25050)Unspecified vulnerability in (1) apreq_parse_headers and (2) apreq_parse_urlencoded functions in Apache2::Request (Libapreq2) before 2.07 allows remote attackers cause a denial of service (CPU consumption) via unknown attack vectors that result in quadratic computational complexity.1884616710ADV-2006-0645DSA-100019139GLSA-200604-0819658 libapreq2-parsing-dos(24917)737Buffer overflow in the realpath function in nfs-server rpc.mountd, as used in SUSE Linux 9.1 through 10.0, allows local users to execute arbitrary code via unspecified vectors involving mount requests and symlinks.SuSE-SA:2006:00516388ADV-2006-03481861418638nfs-rpcmountd-realpath-bo(24347)DSA-97518889Unspecified vulnerability in context.py in Albatross web application toolkit before 1.33 allows remote attackers to execute arbitrary commands via unspecified vectors involving template files and the "handling of submitted form fields".DSA-94216252ADV-2006-0196184571849622451 albatross-context-command-execution(24130)crawl before 4.0.0 does not securely call programs when saving and loading games, which allows local users to gain privileges.DSA-94916337ADV-2006-0303185452269018573crawl-insecure-command-execution(24262)squid_redirect script in adzapper before 2006-01-29 allows remote attackers to cause a denial of service (CPU consumption) via a URL with a large number of trailing / (forward slashes), which might produce inefficient regular expressions.DSA-966ADV-2006-049118771187771655822900 adzapper-squid-redirect-dos(24640)packets.c in Freeciv 2.0 before 2.0.8 allows remote attackers to cause a denial of service (server crash) via crafted packets with negative compressed size values.ADV-2006-08381912020060306 Out of memory crash in Freeciv 2.0.7MDKSA-2006:05316975GLSA-200603-119253DSA-99419227freeciv-packets-dos(25166)MDKSA-2006:053Francesco Stablum tcpick 0.2.1 allows remote attackers to cause a denial of service (segmentation fault) via certain fragmented packets, possibly involving invalid headers and an attacker-controlled payload length. NOTE: this issue might be a buffer overflow or overread.17665ADV-2006-1466 tcpick-writec-dos(26090)gpg in GnuPG before 1.4.2.2 does not properly verify non-detached signatures, which allows attackers to inject unsigned data via a data packet that is not associated with a control packet, which causes the check for concatenated signatures to report that the signature is valid, a different vulnerability than CVE-2006-0455.20060313 GnuPG does not detect injection of unsigned data[gnupg-announce] 20060309 [Announce] GnuPG does not detect injection of unsigned dataDSA-993GLSA-200603-08USN-264-117058ADV-2006-091523790101574919173FEDORA-2006-1471920319244RHSA-2006:02662006-0014192311924919287MDKSA-2006:055SUSE-SA:2006:014191971923219234SSA:2006-072-0220060401-01-U19532FLSA-2006:185355 gnupg-nondetached-sig-verification(25184)MDKSA-2006:055450568snmptrapfmt in Debian 3.0 allows local users to overwrite arbitrary files via a symlink attack on a temporary log file.DSA-10131718219318snmptrapfmt-log-temprary-file(25442)Buffer overflow in playlistimport.cpp in Kaffeine Player 0.4.2 through 0.7.1 allows user-assisted attackers to execute arbitrary code via long HTTP request headers when Kaffeine is "fetching remote playlists", which triggers the overflow in the http_peek function.17372ADV-2006-122919525DSA-102320060405 [Kaffeine Security Advisory] Heap based buffer overflow in http_peek()GLSA-200604-04MDKSA-2006:065SUSE-SR:2006:008USN-268-110158631954019542195491955719571kaffeine-http-peek-bo(25631)MDKSA-2006:065The attachment scrubber (Scrubber.py) in Mailman 2.1.5 and earlier, when using Python's library email module 2.5, allows remote attackers to cause a denial of service (mailing list delivery failure) via a multipart MIME message with a single part that has two blank lines between the first boundary and the end boundary.MDKSA-2006:061173111015851DSA-102719545SUSE-SR:2006:008USN-267-1195221957124367RHSA-2006:04862062420060602-01-U20782MDKSA-2006:061Imager (libimager-perl) before 0.50 allows user-assisted attackers to cause a denial of service (segmentation fault) by writing a 2- or 4-channel JPEG image (or a 2-channel TGA image) to a scalar, which triggers a NULL pointer dereference.DSA-1028195771741519575ADV-2006-1294imager-jpeg-tga-dos(25717)The ipfw firewall in FreeBSD 6.0-RELEASE allows remote attackers to cause a denial of service (firewall crash) via ICMP IP fragments that match a reset, reject or unreach action, which leads to an access of an uninitialized pointer.FreeBSD-SA-06:041620918378223191015477ipfw-icmp-fragment-dos(24073)The ispell_op function in ee on FreeBSD 4.10 to 6.0 uses predictable filenames and does not confirm which file is being written, which allows local users to overwrite arbitrary files via a symlink attack when ee invokes ispell.FreeBSD-SA-06:021620718404223201015469ee-ispell-op-symlink(24074)Double free vulnerability in the authentication and authentication token alteration code in PAM-MySQL 0.6.x before 0.6.2 and 0.7.x before 0.7pre3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted passwords, which lead to a double free of a pointer that was created by the pam_get_item function. NOTE: this issue only occurs in certain configurations in which there are multiple PAM modules, PAM-MySQL is not evaluated first, and there are no requisite modules before PAM-MySQL.VU#69390916564ADV-2006-04901015603185982299422995GLSA-200606-1820690Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to bypass the Kill bit settings for dangerous ActiveX controls via unknown vectors involving crafted HTML, which can expose the browser to attacks that would otherwise be prevented by the Kill bit setting. NOTE: CERT/CC claims that MS05-054 fixes this issue, but it is not described in MS05-054.VU#99829716409ie-activex-killbit-bypass(24379)23657Signal handler race condition in Sendmail 8.13.x before 8.13.6 allows remote attackers to execute arbitrary code by triggering timeouts in a way that causes the setjmp and longjmp function calls to be interrupted and modify unexpected memory locations.20060322 Sendmail Remote Signal Handling VulnerabilityRHSA-2006:0264RHSA-2006:0265ADV-2006-1049ADV-2006-105120060322 sendmail vuln advisories (CVE-2006-0058)DSA-1015GLSA-200603-21MDKSA-2006:058OpenPKG-SA-2006.007TA06-081AVU#834865193421936319367FLSA:186277FreeBSD-SA-06:13SUSE-SA:2006:017HPSBUX02108[3.8] 006: SECURITY FIX: March 25, 200610226217192ADV-2006-1068ADV-2006-1072240371015801193681940419407193491936019361smtp-timeout-bo(24584)NetBSD-SA2006-010ADV-2006-1139ADV-2006-1157193941945019466IY82992IY82993IY82994SSA:2006-081-0120060302-01-P20060401-01-U1953319532FEDORA-2006-193FEDORA-2006-194Q-15119345193461935619676102324ADV-2006-152919774SCOSA-2006.2420243HPSBTU02116ADV-2006-2189ADV-2006-249020723HPSBUX02108oval:org.mitre.oval:def:1689MDKSA-2006:058612743Heap-based buffer overflow in the ISO Transport Service over TCP (RFC 1006) implementation of LiveData ICCP Server before 5.00.035 allows remote attackers to cause a denial of service or execute arbitrary code via malformed packets.This vulnerability is addressed in the following product release: LiveData, ICCP Server, 5.00.035VU#190617VU#190617ADV-2006-183018010101611320146livedata-iccp-rfc1006-bo(26490)Cross-site scripting (XSS) vulnerability in phpBB 2.0.19, when "Allowed HTML tags" is enabled, allows remote attackers to inject arbitrary web script or HTML via a permitted HTML tag with ' (single quote) characters and active attributes such as onmouseover, a variant of CVE-2005-4357.ADV-2006-005122672PHP remote file include vulnerability in includes/orderSuccess.inc.php in CubeCart allows remote attackers to execute arbitrary PHP code via a URL in the glob[rootDir] parameter.ADV-2006-0016 1398SQL injection vulnerability in (1) functions.php, (2) functions_update.php, and (3) functions_display.php in VEGO Web Forum 1.26 and earlier allows remote attackers to execute arbitrary SQL commands via the theme_id parameter in index.php.20060101 [eVuln] VEGO Web Forum SQL Injection VulnerabilityADV-2006-0003182731610722140315SQL injection vulnerability in index.php in PHPjournaler 1.0 allows remote attackers to execute arbitrary SQL commands via the readold parameter.20060101 [eVuln] PHPjournaler SQL Injection VulnerabilityADV-2006-0006182651611122149SQL injection vulnerability in login.php in VEGO Links Builder 2.00 and earlier allows remote attackers to execute arbitrary SQL commands via the username parameter.ADV-2006-0004182722213916108SQL injection vulnerability in Primo Cart 1.0 and earlier allows remote attackers to execute arbitrary SQL commands via the (1) q parameter to search.php and (2) email parameter to user.php.ADV-2006-000818264161252214622147Cross-site scripting (XSS) vulnerability in addentry.php in Chipmunk Guestbook 1.4 and earlier allows remote attackers to inject arbitrary web script or HTML via the homepage parameter.20060101 [eVuln] Chipmunk Guestbook XSS Vulnerability161121827019087** DISPUTED ** Drupal allows remote attackers to conduct cross-site scripting (XSS) attacks via an IMG tag with an unusual encoded Javascript function name, as demonstrated using variations of the alert() function. NOTE: a followup by the vendor suggests that the issue does not exist in 4.5.6 or 4.6.4 when "Filtered HTML" is enabled, and since "Full HTML" would not filter HTML by design, perhaps this should not be included in CVE.20060102 Drupal all versiyon xss cehennem.org20060103 Re: Drupal all versiyon xss cehennem.orgThe ebuild for pinentry before 0.7.2-r2 on Gentoo Linux sets setgid bits for pinentry programs, which allows local users to read or overwrite arbitrary files as gid 0.GLSA-200601-01161201828422211Buffer overflow in termsh on SCO OpenServer 5.0.7 allows remote attackers to execute arbitrary code via a long -o command line argument. NOTE: this is probably a different vulnerability than CVE-2005-0351 since it involves a distinct attack vector.20060102 SCO Openserver 5.0.x exploit16122Cross-site scripting (XSS) vulnerability in DiscusWare Discus Freeware 3.10.5 and Professional 3.10.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors in a URL, which is not properly sanitized from the resulting error message. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.161192215318283SQL injection vulnerability in profile.php in PHPenpals allows remote attackers to execute arbitrary SQL commands via the personalID parameter.20060101 [eVuln] PHPenpals SQL Injection Vulnerabilit16109ADV-2006-00052215018269Direct static code injection vulnerability in phpBook 1.3.2 and earlier allows remote attackers to execute arbitrary PHP code via the e-mail field (mail variable) in a new message, which is written to a PHP file.20060101 [eVuln] phpBook PHP Code Execution (phpbook)16106ADV-2006-000218268PHP remote file include vulnerability in forum.php in oaBoard 1.0 allows remote attackers to execute arbitrary PHP code via a URL in the inc parameter.20060101 [eVuln] oaBoard PHP Code Execution (oaboard)1610520060530 OaBoard 1.0 Remote File inclusion20060531 Re: OaBoard 1.0 Remote File inclusion1016211Off-by-one error in the getfattr function in File::ExtAttr before 0.03 allows attackers to trigger a buffer overflow via unspecified attack vectors.16118ADV-2006-00131825322160Multiple cross-site scripting (XSS) vulnerabilities in B-net Software 1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) name and (2) shout variables to (a) shout.php, or the (3) title and (4) message variables to (b) guestbook.php.20060102 [eVuln] B-net Software Multiple XSS Vulnerabilities1611418271ADV-2006-0018221902219120060825 Re: [eVuln] B-net Software Multiple XSS Vulnerabilities316SQL injection vulnerability in auth.php in ScozNet ScozBook BETA 1.1 allows remote attackers to execute arbitrary SQL commands via the username field (adminname variable).20060102 [eVuln] ScozBook 'adminname' Authentication Bypass 16115ADV-2006-0027222213188476Cross-site scripting (XSS) vulnerability in vBulletin 3.5.2, and possibly earlier versions, allows remote attackers to inject arbitrary web script or HTML via the title of an event, which is not properly filtered by (1) calendar.php and (2) reminder.php.20060101 [KAPDA::#19] - Html Injection in vBulletin 3.5.216116ADV-2006-00331829920060108 Html_Injection in vBulletin 3.5.22221022220ialmnt5.sys in the ialmrnt5 display driver in Intel Graphics Accelerator Driver 6.14.10.4308 allows attackers to cause a denial of service (crash or screen resolution change) via a long text field, as demonstrated using a long window title.161271828620060102 Buffer Overflow vulnerability in Windows Display Manager [Suspected]20060103 Re: Buffer Overflow vulnerability in Windows Display Manager [Suspected]ADV-2006-001722196Format string vulnerability in the SetImageInfo function in image.c for ImageMagick 6.2.3 and other versions, and GraphicsMagick, allows user-assisted attackers to cause a denial of service (crash) and possibly execute arbitrary code via a numeric format string specifier such as %d in the file name, a variant of CVE-2005-0397, and as demonstrated using the convert program.USN-246-118607MDKSA-2006:0241271718261GLSA-200602-06RHSA-2006:017818851188711015623GLSA-200602-13.xml1903020060301-01-U19183SUSE-SR:2006:00619408SSA:2006-045-03DSA-12132299820061127 rPSA-2006-0218-1 ImageMagick23090MDKSA-2006:024500231321ADV-2008-041228800Format string vulnerability in the logging code of SMS Server Tools (smstools) 1.14.8 and earlier allows local users to execute arbitrary code via unspecified attack vectors.DSA-93016188183431835722287smstools-logging-format-string(24034)Cross-site scripting vulnerability in index.php in raSMP 2.0.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the $_SERVER[HTTP_USER_AGENT] variable (User-Agent header).16138ADV-2006-003022198182921015432[VIM] 20060116 vendor ack/fix: 22198: raSMP index.php User-Agent Field XSS (fwd)SQL injection vulnerability in Nkads 1.0 alfa 3 allows remote attackers to execute arbitrary SQL commands via the (1) usuario_nkads_admin or (2) password_nkads_admin parameters.ADV-2006-00401830222206Cross-site scripting vulnerability in index.php in Next Generation Image Gallery 0.0.1 Lite Edition allows remote attackers to inject arbitrary web script or HTML via the page parameter.ADV-2006-00371830922202SQL injection vulnerability in (1) pages.php and (2) detail.php in Lizard Cart CMS 1.04 allows remote attackers to execute arbitrary SQL commands via the id parameter.20060104 [eVuln] Lizard Cart CMS SQL Injection Vulnerability16140ADV-2006-00291829722199222001015435314SQL injection vulnerability in intouch.lib.php in inTouch 0.5.1 Alpha allows remote attackers to execute arbitrary SQL commands via the user parameter.20060101 [eVuln] inTouch Authentication Bypass16110ADV-2006-002622382intouch-intouch-sql-injection(23954)Buffer overflow in ESRI ArcPad 7.0.0.156 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a .amp file with a COORDSYS tag with a long string attribute.16136ADV-2006-00321829422208Directory traversal vulnerability in index.php in IDV Directory Viewer before 2005.1 allows remote attackers to view arbitrary directory contents via a .. (dot dot) in the dir parameter.ADV-2006-00311829816137Cross-site scripting (XSS) vulnerability in webmail in Open-Xchange 0.8.1-6 and earlier, with "Inline HTML" enabled, allows remote attackers to inject arbitrary web script or HTML via e-mail attachments, which are rendered inline.20060103 Open Xchange XSSADV-2006-0034182851015431** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2006-0992, CVE-2006-0158. Reason: this candidate was intended for one issue, but a typo caused it to be associated with a Novell/Groupwise issue. In addition, this issue was a duplicate of a SiteSuite issue that was also assigned CVE-2006-0158. Notes: All CVE users should consult CVE-2006-0992 and CVE-2006-0158 to determine which ID is appropriate. All references and descriptions in this candidate have been removed to prevent accidental usage.709Cross-site scripting (XSS) vulnerability in index.php in @Card ME PHP allows remote attackers to inject arbitrary web script or HTML via the cat parameter.ADV-2006-00391830622203PHP remote file include vulnerability in forum.php in oaBoard 1.0 allows remote attackers to execute arbitrary PHP code via a URL in the inc_stat parameter, a different vulnerability than CVE-2006-0076. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.ADV-2006-002817373dm-crypt in Linux kernel 2.6.15 and earlier does not clear a structure before it is freed, which leads to a memory disclosure that could allow local users to obtain sensitive information about a cryptographic key.[linux-kernel] 20060104 [Patch 2.6] dm-crypt: zero key before freeing it[linux-kernel] 20060104 [Patch 2.6] dm-crypt: Zero key material before free to avoid information leakADV-2006-023518487USN-244-12006-000416301MDKSA-2006:040RHSA-2006:013222418101574019160kernel-dmcrypt-information-disclosure(24189)FLSA:157459-4DSA-101719374FEDORA-2006-1021852718774SUSE-SA:2006:02820398MDKSA-2006:040388wan/sdla.c in Linux kernel 2.6.x before 2.6.11 and 2.4.x before 2.4.29 does not require the CAP_SYS_RAWIO privilege for an SDLA firmware upgrade, with unknown impact and local attack vectors. NOTE: further investigation suggests that this issue requires root privileges to exploit, since it is protected by CAP_NET_ADMIN; thus it might not be a vulnerability, although capabilities provide finer distinctions between privilege levels.USN-244-116304MDKSA-2006:04418977DSA-10171937418527Stack-based buffer overflow in the create_named_pipe function in libmysql.c in PHP 4.3.10 and 4.4.x before 4.4.3 for Windows allows attackers to execute arbitrary code via a long (1) arg_host or (2) arg_unix_socket argument, as demonstrated by a long named pipe variable in the host argument to the mysql_connect function.20060105 Windows PHP 4.x '0-day' buffer overflow16145ADV-2006-0046182752223220060105 Windows PHP 4.x 20060108 RE: Windows PHP 4.x The dupfdopen function in sys/kern/kern_descrip.c in OpenBSD 3.7 and 3.8 allows local users to re-open arbitrary files by using setuid programs to access file descriptors using /dev/fd/.[3.7] 20060105 008: SECURITY FIX: January 5, 20061614418296222311015437PHP remote file include vulnerability in (1) include/templates/categories/default.php and (2) certain other include/templates/categories/ PHP scripts in Valdersoft Shopping Cart 3.0 allows remote attackers to execute arbitrary code via a URL in the catalogDocumentRoot parameter.16126 1401Buffer overflow in NicoFTP 3.0.1.19 and earlier might allow local users to execute arbitrary code via a long string in the "Name of site" field of an FTP account. NOTE: because this program executes with the privileges of the invoking user, and because remote programs do not normally have the ability to create or modify FTP accounts in this program, there may not be a typical attack vector for the issue that crosses privilege boundaries. Therefore this may not be a vulnerability.20060102 NicoFTP Stack Overflow317Multiple cross-site scripting (XSS) vulnerabilities in sBLOG 0.7.1 Beta 20051202 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) p and (2) keyword parameters in (a) index.php and (b) search.php.ADV-2006-00412237322374sblog-multiple-scripts-xss(23979)Cross-site scripting (XSS) vulnerability in TinyPHPForum (TPF) 3.6 and earlier allows remote attackers to inject arbitrary web script via a javascript: scheme in an "[a]" bbcode tag, possibly the txt parameter to action.php.20060105 [eVuln] TinyPHPForum Multiple VulnerabilitiesADV-2006-005418293222561015436320TinyPHPForum 3.6 and earlier stores the (1) users/[USERNAME].hash and (2) users/[USERNAME].email files under the web root with insufficient access control, which allows remote attackers to list all registered users and possibly obtain other sensitive information.20060105 [eVuln] TinyPHPForum Multiple VulnerabilitiesADV-2006-00541829322257101543620060417 Tiny PHP forum - vulns tinyphpforum-users-information-disclosure(24016)320Directory traversal vulnerability in TinyPHPForum 3.6 and earlier allows remote attackers to create a new user account, create a new topic, or view the profile of a user account, as demonstrated via a .. (dot dot) in the uname parameter to profile.php.20060105 [eVuln] TinyPHPForum Multiple VulnerabilitiesADV-2006-00541829316163222581015436320PostgreSQL 8.0.x before 8.0.6 and 8.1.x before 8.1.2, when running on Windows, allows remote attackers to cause a denial of service (postmaster exit and no new connections) via a large number of simultaneous connection requests.[pgsql-announce] 20060109 CRITICAL RELEASE: Minor Releases to Fix DoS Vulnerability20060111 PostgreSQL security releases 8.0.6 and 8.1.216201ADV-2006-0114101548218419 postgresql-connection-request-dos(24049)327gdi/driver.c and gdi/printdrv.c in Wine 20050930, and other versions, implement the SETABORTPROC GDI Escape function call for Windows Metafile (WMF) files, which allows attackers to execute arbitrary code, the same vulnerability as CVE-2005-4560 but in a different codebase.[Dailydave] 20060105 WMF goes away :<ADV-2006-009818323GLSA-200601-091845120060117 ERRATA: [ GLSA 200601-09 ] Wine: Windows Metafile SETABORTPROC vulnerabilityMDKSA-2006:014SUSE-SR:2006:00218549DSA-95418578 win-wmf-execute-code(23846)MDKSA-2006:014SQL injection vulnerability in Timecan CMS allows remote attackers to execute arbitrary SQL commands via the viewID parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. Due to the unavailability of the original source, it cannot be determined if this is the same issue as identified by CVE-2006-0108.161591832422252 timecancms-sql-injection(24014)SQL injection vulnerability in mcl_login.asp in Timecan CMS allows remote attackers to execute arbitrary SQL commands via the email parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. Due to the unavailability of the original source, it cannot be determined if this is the same issue as identified by CVE-2006-0107.ADV-2006-00782225322252 timecancms-sql-injection(24014)Cross-site scripting vulnerability in category.php in Modular Merchant Shopping Cart allows remote attackers to inject arbitrary web script or HTML via the cat parameter.16160ADV-2006-00761832022243[VIM] 20060214 vendor ack/fix 22243: Modular Merchant Marketplace Shopping Cart category.php cat Variable XSS (fwd)Cross-site scripting (XSS) vulnerability in escribir.php in Foro Domus 2.10 allows remote attackers to inject arbitrary web script via the email parameter.20060106 [eVuln] Proyecto Domus 'email' XSS Vulnerability16154ADV-2006-00731832722263 domus-escribir-xss(24020)Cross-site scripting vulnerability in index.php in Boxcar Media Shopping Cart allows remote attackers to inject arbitrary web script or HTML via the (1) parent or (2) pg parameter.ADV-2006-008022360boxcar-index-xss(24019)Cross-site scripting (XSS) vulnerability in index.php in Enhanced Simple PHP Gallery 1.7 allows remote attackers to inject arbitrary web script or HTML via the dir parameter.ADV-2006-00362220118310Enhanced Simple PHP Gallery 1.7 allows remote attackers to obtain the full path of the application via a direct request to sp_helper_functions.php, which leaks the pathname in an error message.1831022417The vCard functions in Joomla! 1.0.5 use predictable sequential IDs for vcards and do not restrict access to them, which allows remote attackers to obtain valid e-mail addresses to conduct spam attacks by modifying the contact_id parameter to index2.php.16185ADV-2006-009718361 joomla-vcard-information-disclosure(24042)Multiple SQL injection vulnerabilities in OnePlug Solutions OnePlug CMS allow remote attackers to execute arbitrary SQL commands via the (1) Press_Release_ID parameter in press/details.asp, (2) Service_ID parameter in services/details.asp, and (3) Product_ID parameter in products/details.asp.16155ADV-2006-007918325222482224922250Cross-site scripting vulnerability search.inetstore in iNETstore Ebusiness Software 2.0 allows remote attackers to inject arbitrary web script or HTML via the searchterm parameter.16156ADV-2006-0075183222225120060126 Re: [OSVDB Mods] iNETstore E Commerce Solution - Cross Site Scripting[VIM] 20060127 vendor confirms versions: iNETstore E Commerce Solution - Cross Site Scripting (fwd)Buffer overflow in IBM Lotus Notes and Domino Server before 6.5.5 allows attackers to cause a denial of service (router crash or hang) via unspecified vectors involving "CD to MIME Conversion".1615818328ADV-2006-0081 lotus-cdtomime-dos(24205)Unspecified vulnerability in IBM Lotus Notes and Domino Server before 6.5.5, when running on AIX, allows attackers to cause a denial of service (deep recursion leading to stack overflow and crash) via long formulas.1615818328ADV-2006-0081 lotus-long-formula-bo(24206)Multiple unspecified vulnerabilities in IBM Lotus Notes and Domino Server before 6.5.5 have unknown impact and attack vectors, due to "potential security issues" as identified by SPR numbers (1) GPKS6C9J67 in Agents, (2) JGAN6B6TZ3 and (3) KSPR699NBP in the Router, (4) GPKS5YQGPT in Security, or (5) HSAO6BNL6Y in the Web Server. NOTE: vector 3 is related to an issue in NROUTER in IBM Lotus Notes and Domino Server before 6.5.4 FP1, 6.5.5, and 7.0, which allows remote attackers to cause a denial of service (CPU consumption) via a crafted vCal meeting request sent via SMTP (aka SPR# KSPR699NBP).1615818328ADV-2006-008120060626 SYMSA-2006-006: Lotus Domino SMTP Based Denial of Service18020ADV-2006-2564101639020855domino-smtp-nrouter-dos(27413) lotus-multiple-unspecified(24207) lotus-web-unspecified-xss(24211)Multiple unspecified vulnerabilities in IBM Lotus Notes and Domino Server before 6.5.5 allow attackers to cause a denial of service (application crash) via multiple vectors, involving (1) a malformed message sent to an "Out Of Office" agent (SPR LPEE6DMQWJ), (2) the compact command (RTIN5U2SAJ), (3) malformed bitmap images (MYAA6FH5HW), (4) the "Delete Attachment" action (YPHG6844LD), (5) parsing certificates from a remote Certificate Table (AELE6DZFJW), and (6) creating a SSL key ring with the Domino Administration client (NSUA4FQPTN).1615818328ADV-2006-0081 lotus-bmp-dos(24214) lotus-certificate-parsing-dos(24216) lotus-compact-dos(24213) lotus-delete-attachment-dos(24215) lotus-outofoffice-dos(24212) lotus-ssl-keyring-dos(24217)Multiple memory leaks in IBM Lotus Notes and Domino Server before 6.5.5 allow attackers to cause a denial of service (memory consumption and crash) via unknown vectors related to (1) unspecified vectors during the SSL handshake (SPR# MKIN67MQVW), (2) the stash file during the SSL handshake (SPR# MKIN693QUT), and possibly other vectors. NOTE: due to insufficient information in the original vendor advisory, it is not clear whether there is an attacker role in other memory leaks that are specified in the advisory.1615818328ADV-2006-0081 lotus-ssl-handshake-dos(24223)Cross-site scripting (XSS) vulnerability in Public/Index.asp in Aquifer CMS allows remote attackers to inject arbitrary web script or HTML via the Keyword parameter.Vendor provided solution: "Liquid Development has identified this vulnerability in all shipping versions of AquiferCMS and coded a software fix. The fix will be included in all releases of AquiferCMS built on or after January 24, 2006. Customers should contact Liquid Development to obtain the fix for this vulnerability. For more information visit www.aquifercms.com." 16162ADV-2006-00741832622247[VIM] 20060124 vendor ack/fix: Aquifer CMS Index.asp Keyword Variable XSS (fwd)Multiple SQL injection vulnerabilities in ADN Forum 1.0b allow remote attackers to execute arbitrary SQL commands via the (1) fid parameter in index.php and (2) pagid parameter in verpag.php, and possibly other vectors.20060105 [eVuln] ADNForum Multiple Vulnerabilities16157ADV-2006-00771015445183002224022241Cross-site scripting (XSS) vulnerability in crear.php in ADN Forum 1.0b allows remote attackers to inject arbirary web script or HTML via the titulo parameter, which is used by the "Topic name" field.20060105 [eVuln] ADNForum Multiple Vulnerabilities16157ADV-2006-007718300222421015445Unspecified vulnerability in appserv/main.php in AppServ 2.4.5 allows remote attackers to include arbitrary files via the appserv_root parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. There is not enough detail from these third party sources to know whether this is directory traversal, remote file include, or another issue.ADV-2006-0053222281816316166rxvt-unicode before 6.3, on certain platforms that use openpty and non-Unix pty devices such as Linux and most BSD platforms, does not maintain the intended permissions of tty devices, which allows local users to gain read and write access to the devices.ADV-2006-00522222318301Directory traversal vulnerability in the IMAP service of Rockliffe MailSite before 6.1.22.1 allows remote authenticated users to rename the folders of other users via a .. (dot dot) in the RENAME command.20060104 Rockliffe Directory Transversal Vulnerability20060105 Re: Rockliffe Directory Transversal Vulnerability2222918318ADV-2006-0055Buffer overflow in the IMAP service of Rockliffe MailSite before 6.1.22.1 allows remote attackers to have an unknown impact via unknown attack vectors.20060104 Rockliffe Directory Transversal Vulnerabilityrockliffe-imap-unspecified-bo(39991)Mail Management Agent (MAILMA) (aka Mail Management Server) in Rockliffe MailSite 7.0.3.1 and earlier generates different responses depending on whether or not a username is valid, which allows remote attackers to enumerate valid usernames via user requests to TCP port 106.20060104 Rockliffe Mailsite User Enumeration Flaw18318ADV-2006-005522230Mail Management Agent (MAILMA) (aka Mail Management Server) in Rockliffe MailSite 7.0.3.1 and earlier allows remote attackers to attempt authentication with an unlimited number of user account names and passwords without denying connections, limiting the rate of connections, or locking out an account.20060104 Rockliffe Mailsite User Enumeration FlawboastMachine 3.1 allows remote attackers to obtain sensitive information via a direct request to (1) footer.php and (2) side_menu.php, which reveals the path in an error message.20060105 [ECHO_ADV_25$2006] Full path disclosure on boastMachine v3.1Directory traversal vulnerability in webftp.php in SysCP WebFTP 1.2.6 and possibly earlier allows remote attackers to include and execute arbitrary local PHP scripts, and possibly read other types of files, via a .. (dot dot) and a trailing null in the webftp_language parameter.20060104 SysCP WebFTP local file inclusion vulnerability16175ADV-2006-009018355 webftp-language-file-include(24018)Multiple directory traversal vulnerabilities in AIX 5.3 ML03 allow local users to determine the existence of files and read partial contents of certain files via a .. (dot dot) in the argument to (1) getCommand.new (aka getCommand) and (2) getShell, a different vulnerability than CVE-2005-4273.20060101 [xfocus-SD-060101]AIX getCommand&getShell two vulnerabilities10154291610216103Cross-site scripting (XSS) vulnerability in register.php in TheWebForum (twf) 1.2.1 allows remote attackers to inject arbitrary web script or HTML via the www parameter.20060106 [eVuln] TheWebForum Script Insertion and Authentication Bypass16161ADV-2006-009310154501839222295 thewebforum-register-xss(24007)SQL injection vulnerability in login.php in TheWebForum (twf) 1.2.1 allows remote attackers to execute arbitrary SQL commands and bypass login authentication via the username parameter (aka the u variable).20060106 [eVuln] TheWebForum Script Insertion and Authentication Bypass16161ADV-2006-009310154501839222294thewebforum-login-sql-injection(24027)321Multiple cross-site scripting (XSS) vulnerabilities in the guestbook module in modules.php in Phanatic Softwares Chimera Web Portal System 0.2 allow remote attackers to inject arbitrary web script or HTML via the (1) comment_poster, (2) comment_poster_email, (3) comment_poster_homepage, and (4) comment_text parameters.20060101 [eVuln] Chimera Web Portal System Multiple VulnerabilitiesADV-2006-002516113SQL injection vulnerability in linkcategory.php in Phanatic Softwares Chimera Web Portal System 0.2 allows remote attackers to execute arbitrary SQL commands via the id parameter.20060101 [eVuln] Chimera Web Portal System Multiple VulnerabilitiesADV-2006-00251611322420chimera-linkcategory-sql-injection(23963)aMSN (aka Alvaro's Messenger) allows remote attackers to cause a denial of service (client hang and termination of client's instant-messaging session) by repeatedly sending crafted data to the default file-transfer port (TCP 6891).22186The send-private-message functionality (send-private-message.asp) in PD9 Software MegaBBS 2.1 allows remote attackers to read private messages of other users via a modified replyid parameter.16168ADV-2006-0095183421015452 megabbs-sendprivatemessage-disclosure(24050)Cross-site scripting (XSS) vulnerability in post.php in NavBoard V16 Stable(2.6.0) and V17beta2 allows remote attackers to inject arbitrary web script or HTML via the (1) b, (2) textlarge, and (3) url bbcode tags.20060107 [eVuln] NavBoard BBcode XSS Vulnerability16165ADV-2006-00921834522277 navboard-post-xss(24021)Qualcomm Eudora Internet Mail Server (EIMS) before 3.2.8 allows remote attackers to cause a denial of service (crash) via (1) malformed NTLM authentication requests, or a malformed (2) Incoming Mail X or (3) Temporary Mail file.ADV-2006-00991835616179 eims-corrupted-mail-dos(24033) eims-ntlm-auth-dos(24032)Cross-site scripting (XSS) vulnerability in andromeda.php in Andromeda 1.9.3.4 and earlier allows remote attackers to inject arbitrary web script or HTML via the s parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.ADV-2006-00961835916183 andromeda-script-xss(24031)Microsoft Windows Graphics Rendering Engine (GRE) allows remote attackers to corrupt memory and cause a denial of service (crash) via a WMF file containing (1) ExtCreateRegion or (2) ExtEscape function calls with arguments with inconsistent lengths.20060107 Microsoft Windows GRE WMF Format Multiple Memory Overrun Vulnerabilities20060109 [UPDATE]Microsoft Windows GRE WMF Format Multiple Unauthorized Memory Access Vulnerabilities16167ADV-2006-01151015453 win-gre-wmf-dos(24044)The proxy server feature in go-pear.php in PHP PEAR 0.2.2, as used in Apache2Triad, allows remote attackers to execute arbitrary PHP code by redirecting go-pear.php to a malicious proxy server that provides a modified version of Tar.php with a malicious extractModify function.1617420060109 New PEAR / Apache2Triad Exploit18390ADV-2006-0148gopear-proxy-redirection(24076)The kernfs_xread function in kernfs in NetBSD 1.6 through 2.1, and OpenBSD 3.8, does not properly validate file offsets against negative 32-bit values that occur as a result of truncation, which allows local users to read arbitrary kernel memory and gain privileges via the lseek system call.NetBSD-SA2006-00116173183882229320060202 [SLAB] NetBSD / OpenBSD kernfs_xread patch evasion18712 netbsd-kernfs-memory-disclosure(24035)405The server.php test script in ADOdb for PHP before 4.70, as used in multiple products including (1) Mantis, (2) PostNuke, (3) Moodle, (4) Cacti, (5) Xaraya, (6) PHPOpenChat, (7) MAXdev MD-Pro, and (8) MediaBeez, when the MySQL root password is empty, allows remote attackers to execute arbitrary SQL commands via the sql parameter.16187ADV-2006-0101ADV-2006-0102ADV-2006-0103ADV-2006-0104ADV-2006-01051741818254182671826018276182332229020060202 Bug for libs in php link directory 2.0ADV-2006-044718720ADV-2006-0370DSA-1029DSA-1030DSA-103119555195901959120060409 PhpOpenChat 3.0.x ADODB Server.php ADV-2006-1304ADV-2006-13051956319600GLSA-200604-07ADV-2006-14191969919691adodb-server-command-execution(24051)20070418 MediaBeez Sql query Execution .. Wear isn't ?? :)24954713Dynamic code evaluation vulnerability in tests/tmssql.php test script in ADOdb for PHP before 4.70, as used in multiple products including (1) Mantis, (2) PostNuke, (3) Moodle, (4) Cacti, (5) Xaraya, (6) PhpOpenChat, possibly (7) MAXdev MD-Pro, and (8) Simplog, allows remote attackers to execute arbitrary PHP functions via the do parameter, which is saved in a variable that is then executed as a function, as demonstrated using phpinfo.ADV-2006-0101ADV-2006-0102ADV-2006-0103ADV-2006-0104174181825418267182601827618233DSA-1029DSA-1030DSA-103119555195901959120060409 PhpOpenChat 3.0.x ADODB Server.php 20060412 Simplog <=0.9.2 multiple vulnerabilitiesADV-2006-1305ADV-2006-13321960019628GLSA-200604-0722291 19691 adodb-tmssql-command-execution(24052)NetSarang Xlpd 2.1 allows remote attackers to cause a denial of service (crash) via a large number of connections from the same IP address.161641015444 xlpd-connection-dos(24041)Cross-site scripting (XSS) vulnerability in SimpBook 1.0, with html_enable on (the default), allows remote attackers to inject arbitrary web script or HTML via the message field.20060106 SimpBook 'message' Remote Cross-Site Scripting Vulnerability1015451Multiple format string vulnerabilities in the auth_ldap_log_reason function in Apache auth_ldap 1.6.0 and earlier allows remote attackers to execute arbitrary code via various vectors, including the username.20060109 Digital Armaments Security Advisory 01.09.2006: Apache auth_ldap module Multiple Format Strings Vulnerability16177RHSA-2006:0179ADV-2006-011718382184051015456DSA-952MDKSA-2006:0171841218568 apache-authldap-format-string(24030)sudo 1.6.8 and other versions does not clear the PYTHONINSPECT environment variable, which allows limited local users to gain privileges via a Python script, a variant of CVE-2005-4158.USN-235-2161841835818363DSA-946SUSE-SR:2006:00218549189062006-001018558SSA:2006-045-0819016MDKSA-2006:15921692MDKSA-2006:159Cross-site scripting (XSS) in search_result.php in phpChamber 1.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the needle parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.16180ADV-2006-00941836022282phpchamber-searchresult-xss(24029)427BB 2.2 and 2.2.1 verifies authentication credentials based on the username, authenticated, and usertype cookies, which allows remote attackers to bypass authentication by using a valid username and usertype and setting the authenticated cookie.20060107 [eVuln] 427BB Multiple Vulnerabilities (Cookie-based Authentication Bypass, SQL Injections, XSS)16178ADV-2006-00911835422274427bb-scripts-security-bypass(24038)SQL injection vulnerability in showthread.php in 427BB 2.2 and 2.2.1 allows remote attackers to execute arbitrary SQL commands via the ForumID parameter.20060107 [eVuln] 427BB Multiple Vulnerabilities (Cookie-based Authentication Bypass, SQL Injections, XSS)16169ADV-2006-00911835422275427bb-showthread-sql-injection(24039)Cross-site scripting (XSS) vulnerability in posts.php in 427BB 2.2 and 2.2.1 allows remote attackers to inject arbitrary Javascript via a new message with a url bbcode tag containing a javascript URI.20060107 [eVuln] 427BB Multiple Vulnerabilities (Cookie-based Authentication Bypass, SQL Injections, XSS)ADV-2006-00911835422276427bb-posts-xss(24040)Cross-site scripting (XSS) vulnerability in Foxrum 4.0.4f allows remote attackers to inject arbitrary Javascript via the javascript URI in bbcode url tags in (1) addpost1.php and (2) addtopic1.php.20060109 [eVuln] Foxrum BBCode XSS Vulnerabilty16172ADV-2006-012118386 foxrum-bbcode-xss(24043)325settings.php in Reamday Enterprises Magic News Plus 1.0.3 allows remote attackers to change the administrator password via a change action that specifies identical values for the passwd and admin_password parameters, then declares the new password string in the new_passwd and confirm_passwd parameters.1618218601SQL injection vulnerability in index.php in CyberDoc SiteSuite CMS allows remote attackers to execute arbitrary SQL commands via the page parameter.ADV-2006-00382220518305SQL injection vulnerability in escribir.php in Foro Domus 2.10 allows remote attackers to execute arbitrary SQL commands via the email parameter. NOTE: the provenance of this information is unknown, although it may be based on post-disclosure analysis of CVE-2006-0110; the details are obtained solely from third party information.ADV-2006-00732226418327 domus-escribir-sql-injection(24017)SQL injection vulnerability in add_post.php3 in Venom Board 1.22 allows remote attackers to execute arbitrary SQL commands via the (1) parent, (2) root, and (3) topic_id parameters to post.php3.20060109 [eVuln] Venom Board SQL Injection Vulnerability1617620060109 [eVuln] Venom Board SQL Injection VulnerabilityADV-2006-01221838322297venomboard-addpost-sql-injection(24046)326Unspecified vulnerability in uucp in Sun Solaris 8 and 9 has unknown impact and attack vectors. NOTE: due to the vagueness of the vendor advisory, it is not clear whether this is related to CVE-2004-0780.101933ADV-2006-011318371101545519087oval:org.mitre.oval:def:1534Heap-based buffer overflow in libclamav/upx.c in Clam Antivirus (ClamAV) before 0.88 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted UPX files.16191ADV-2006-0116183791015457GLSA-200601-0718453VU#38590820060112 ZDI-06-001: Clam AntiVirus UPX Unpacking Code Execution VulnerabilityDSA-947MDKSA-2006:0162006-000222318184781854818463 clamav-libclamav-upx-bo(24047)MDKSA-2006:016342SQL injection vulnerability in the search module (modules/Search/index.php) of PHPNuke EV 7.7 -R1 allows remote attackers to execute arbitrary SQL commands via the query parameter, which is used by the search field. NOTE: This is a different vulnerability than CVE-2005-3792.16186ADV-2006-01202231618394phgstats.inc.php in phgstats before 0.5.1, if register_globals is enabled, allows remote attackers to include arbitrary files and execute arbitrary PHP code by modifying the PHGDIR variable.ADV-2006-012318346phgstats-php-file-include(24062)2230217469Cross-site scripting (XSS) vulnerability in the DataForm Entries functionality in Plain Black WebGUI before 6.8.4 (gamma) allows remote attackers to inject arbitrary Javascript via the (1) url and (2) name field of the default email form.ADV-2006-012618372webgui-forms-xss(24053)Symantec Norton SystemWorks and SystemWorks Premier 2005 and 2006 stores temporary copies of files in the Norton Protected Recycle Bin NProtect directory, which is hidden from the FindFirst and FindNext Windows APIs and allows remote attackers to hide arbitrary files from virus scanners and other products.ADV-2006-0143101546218402systemworks-nprotect-hidden(24061)SQL injection vulnerability in MyPhPim 01.05 allows remote attackers to execute arbitrary SQL commands via the (1) cal_id parameter in calendar.php3 and the (2) password field on the login page.ADV-2006-01471839916210myphpim-calendar-sql-injection(24066)myphpim-login-sql-injection(24075)20060111 [eVuln] MyPhPim Multiple SQL Injection and XSS Vulnerabilities2232422325Cross-site scripting (XSS) vulnerability in MyPhPim 01.05 allows remote attackers to inject arbitrary web script or HTML via the description field on the "Create New todo" page.ADV-2006-01471839916210myphpim-todo-xss(24071)20060111 [eVuln] MyPhPim Multiple SQL Injection and XSS Vulnerabilities22326addresses.php3 in MyPhPim 01.05 does not restrict uploaded files, which allows remote attackers to execute arbitrary PHP code via the pdbfile variable, then directly accessing those files from the uploads directory.16208ADV-2006-01471839920060111 [eVuln] MyPhPim Arbitrary File Uploadmyphpim-addresses-file-upload(24070)** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2006-0035. Reason: This candidate is a duplicate of CVE-2006-0035. Notes: All CVE users should reference CVE-2006-0035 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.PHP remote file include vulnerability in index.php in OrjinWeb E-commerce allows remote attackers to execute arbitrary code via a URL in the page parameter. NOTE: it is not clear, but OrjinWeb might be an application service, in which case it should not be included in CVE.20060106 Orjinweb E-commerce1619922387orjinweb-url-file-include(24097)Cross-site scripting (XSS) vulnerability in the file manager utility in Hummingbird Collaboration (aka Hummingbird Enterprise Collaboration) 5.21 and earlier allows remote attackers to inject arbitrary web script or HTML in an uploaded page, which is published without a check for hostile scripting.20060110 Multiple Vulnerabilities in Hummingbird Collaboration16195ADV-2006-014518411 hummingbird-enterprise-xss(24067)Hummingbird Collaboration (aka Hummingbird Enterprise Collaboration) 5.21 and earlier allows remote attackers to misrepresent the type and name of a file via modified doc_ext and id parameters, which might trick a user into downloading dangerous or unexpected content.20060110 Multiple Vulnerabilities in Hummingbird Collaboration16195ADV-2006-014518411 hummingbird-enterprise-file-download(24068)Hummingbird Collaboration (aka Hummingbird Enterprise Collaboration) 5.21 and earlier allows remote attackers to obtain sensitive information (intranet IP addresses and enumerations of valid parameter values) via a direct request to hc, which reveals the information in an error message or a cookie.20060110 Multiple Vulnerabilities in Hummingbird Collaboration16195ADV-2006-014518411 hummingbird-enterprise-information-disclosure(24069)328Cross-site scripting (XSS) vulnerability in search_form.asp in Web Wiz Forums 6.34 allows remote attackers to inject arbitrary web script or HTML via the search parameter.20060109 Advisory:XSS vulnerability on WebWiz Forums <= 6.34 (search_form.asp)1619620060111 Advisory:XSS vulnerability on WebWiz Forums <= 6.34 (search_form.asp)22398webwizforums-searchform-xss(24048)Buffer overflow in certain functions in src/fileio.c and src/unix/fileio.c in xmame before 11 January 2006 may allow local users to gain privileges via a long (1) -lang, (2) -ctrlr, (3) -pb, or (4) -rec argument on many operating systems, and via a long (5) -jdev argument on Ubuntu Linux.20060110 mysec.org Security Advisory : Xmame buffer overflow, with a possibility of privilege escalation.1620320060110 mysec.org Security Advisory : Xmame buffer overflow, with a possibility of privilege escalation xmame-multiple-parameters-bo(24102)Multiple buffer overflows in Cray UNICOS 9.0.2.2 might allow local users to gain privileges by (1) invoking /usr/bin/script with a long command line argument or (2) setting the -c option of /etc/nu to the name of a file containing a long line.20060110 SUID root overflows in UNICOS and partial shellcode16205 unicos-command-line-bo(24276)Format string vulnerability in /bin/ftp in UNICOS 9.0.2.2 allows local users to have an unknown impact via format string specifiers in the quote command. NOTE: because the program is not setuid and not normally called from remote programs, there may not be a typical attack vector for the issue that crosses privilege boundaries. Therefore this may not be a vulnerability.20060110 SUID root overflows in UNICOS and partial shellcode16205 unicos-ftp-format-string(24277)The Cisco IP Phone 7940 allows remote attackers to cause a denial of service (reboot) via a large amount of TCP SYN packets (syn flood) to arbitrary ports, as demonstrated to port 80.1620020060113 Response to Cisco IP Phone 7940 DoS Exploit posted on milw0rm.comADV-2006-020210154881847922469cisco-ipphone-synflood-dos(24117)Cross-site scripting (XSS) vulnerability in CaLogic Calendars 1.2.2 allows remote attackers to inject arbitrary web script or HTML via the Title field on the "Adding New Event" page, and possibly other vectors, involving iframe tags.22322calogic-newevent-xss(24077)20060116 [eVuln] CaLogic Calendars Multiple XSS Vulnerabilities16206ADV-2006-014918417Cisco Security Monitoring, Analysis and Response System (CS-MARS) before 4.1.3 has an undocumented administrative account with a default password, which allows local users to gain privileges via the expert command.20060111 Default Administrative Password in Cisco Security Monitoring, Analysis and Response System (CS-MARS)16211ADV-2006-0154101547118424cisco-csmars-default-password(24065)22346335login.php in ACal Calendar Project 2.2.5 allows remote attackers to bypass authentication by setting the ACalAuthenticate cookie variable to "inside".ADV-2006-01522234418432acal-login-auth-bypass(24104)20060112 [eVuln] ACal Authentication Bypass & PHP Code Insertion343Direct static code injection vulnerability in edit.php in ACal Calendar Project 2.2.5 allows authenticated users to execute arbitrary PHP code via (1) the edit=header value, which modifies header.php, or (2) the edit=footer value, which modifies footer.php. NOTE: this issue might be resultant from the poor authentication as identified by CVE-2006-0182. Since the design of the product allows the administrator to edit the code, perhaps this issue should not be included in CVE, except as a consequence of CVE-2006-0182.ADV-2006-01522234518432acal-header-footer-code-execute(24107)20060112 [eVuln] ACal Authentication Bypass & PHP Code Insertion343Multiple SQL injection vulnerabilities in AspTopSites allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to goto.asp or (2) password parameter to includeloginuser.asp.ADV-2006-014618408asptopsites-goto-sql-injection(24072)2233020060110 AspTopSites SQL injectionMultiple cross-site scripting vulnerabilities in the (1) Pool or (2) News Modules in Php-Nuke allow remote attackers to inject arbitrary web script or HTML via javascript in the SRC attribute of an IMG tag.20060107 Php-Nuke Pool and News Module IMG Tag Cross Site16192ADV-2006-012518374** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-4500. Reason: This candidate is a duplicate of CVE-2005-4500. Notes: All CVE users should reference CVE-2005-4500 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.By design, Microsoft Visual Studio 2005 automatically executes code in the Load event of a user-defined control (UserControl1_Load function), which allows user-assisted attackers to execute arbitrary code by tricking the user into opening a malicious Visual Studio project file.ADV-2006-0151184091622520060113 Visual Studio Remote Code Execution visualstudio-usercontrol-code-execution(24116)webmail.php in SquirrelMail 1.4.0 to 1.4.5 allows remote attackers to inject arbitrary web pages into the right frame via a URL in the right_frame parameter. NOTE: this has been called a cross-site scripting (XSS) issue, but it is different than what is normally identified as XSS.16756ADV-2006-0689101566218985squirrelmail-webmail-xss(24847)DSA-988FEDORA-2006-133MDKSA-2006:049SUSE-SR:2006:005191311913019176GLSA-200603-0919205RHSA-2006:028319960 20060501-01-U 20210MDKSA-2006:049Buffer overflow in eStara Softphone 3.0.1.14 through 3.0.1.46 allows remote attackers to execute arbitrary code via a long attribute (aka "a") field in the SDP data of a SIP packet on UDP port 5060.This is the vendor provided solution: "eStara has released Softphone version 3.0.1.47 to resolve the buffer overflow demonstrated in parsing SDP with long "a=" lines. Licensed customers can download a new version via the email sent to them with purchase, customers testing may go back to http://www.estara.com/softphone/ to obtain a new free trial. Version information can be gathered by going to Help->About. eStara highly recommends all customers upgrade to avoid this issue. If there's further questions please email us: softphone@estara.com. eStara would like to thank ZwelL for bringing the issue to our attention."20060111 eStara Softphone SIP stack Buffer Overflow Vulnerability16213ADV-2006-0167101548118410estara-sip-sdp-bo(24090)22348Unspecified vulnerability in Sun Solaris 9 and 10 for the x86 platform allows local users to gain privileges or cause a denial of service (panic) via unspecified vectors, possibly involving functions from the mm driver.102066ADV-2006-016518421162241015478solaris-unspecified-root-access(24084)19087oval:org.mitre.oval:def:702Unspecified vulnerability in Sun Solaris 10 allows local users to cause a denial of service (null dereference) via unspecified vectors involving the use of the find command on the "/proc" filesystem. NOTE: due to the vagueness of the vendor advisory, it is not clear whether this is related to CVE-2005-3250.102108ADV-2006-01661842016222223471015479solaris-find-proc-dos(24085)19087oval:org.mitre.oval:def:1608SQL injection vulnerability in Login_Validate.asp in ASPSurvey 1.10 allows remote attackers to execute arbitrary SQL commands via the Password parameter to login.asp.ADV-2006-01641842222342aspsurvey-loginvalidate-sql-injection(24087)20060204 sql injection in ASP Survey16496414Cross-site scripting (XSS) vulnerability in the Hosting Control Panel (psoft.hsphere.CP) in Positive Software H-Sphere 2.4.3 Patch 8 and earlier allows remote attackers to inject arbitrary web script or HTML via the login parameter in a login action.20060112 H-Sphere Security VulnerabilityADV-2006-017218447hsphere-login-xss(24096)22372Cross-site scripting (XSS) vulnerability in default.asp in FogBugz 4.029, and other versions before 4.0.33, allows remote attackers to inject arbitrary web script or HTML via the dest parameter in the pgLogon page.20060112 FogBugz Cross Site Scripting Vulnerability16216ADV-2006-01741844322370fogbugz-login-xss(24103)Interpretation conflict in the MagicHTML filter in SquirrelMail 1.4.0 to 1.4.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via style sheet specifiers with invalid (1) "/*" and "*/" comments, or (2) a newline in a "url" specifier, which is processed by certain web browsers including Internet Explorer.16756ADV-2006-0689101566218985squirrelmail-magichtml-xss(24848)DSA-988FEDORA-2006-133MDKSA-2006:049SUSE-SR:2006:005191311913019176GLSA-200603-0919205RHSA-2006:028319960 20060501-01-U 20210MDKSA-2006:049Unspecified vulnerability in Serial line sniffer (aka slsnif) 0.4.4 allows local users to gain privileges via a long value of the HOME environment variable, possibly because of a buffer overflow.20060111 Serial Line Sniffer 0.4.4 Buffer Overflowslsnif-home-bo(24082)ADV-2006-021218497The XClientMessageEvent struct used in certain components of X.Org 6.8.2 and earlier, possibly including (1) the X server and (2) Xlib, uses a "long" specifier for elements of the l array, which results in inconsistent sizes in the struct on 32-bit versus 64-bit platforms, and might allow attackers to cause a denial of service (application crash) and possibly conduct other attacks.20060108 xorg server 6.8.2 and below on 64bit archCross-site scripting (XSS) vulnerability in a certain module, possibly poll or Pool, for XOOPS allows remote attackers to inject arbitrary web script or HTML via JavaScript in the SRC attribute of an IMG element in a comment.20060107 Xoops Pool Module IMG Tag Cross Site Scripting16189 xoops-pool-imagetag-xss(24091)SQL injection vulnerability in news.asp in Mini-Nuke CMS System 1.8.2 and earlier allows remote attackers to execute arbitrary SQL commands via the hid parameter.ADV-2006-01731843922384mininuke-news-sql-injection(24098)20060113 Advisory: MiniNuke CMS System <= 1.8.2 (news.asp) SQL Injectionvulnerability20060112 Advisory: MiniNuke CMS System <= 1.8.2 (news.asp) SQL Injection vulnerability340Format string vulnerability in the error-reporting feature in the mysqli extension in PHP 5.1.0 and 5.1.1 might allow remote attackers to execute arbitrary code via format string specifiers in MySQL error messages.20060112 Advisory 02/2006: PHP ext/mysqli Format String Vulnerability16219ADV-2006-017718431php-extmysqli-format-string(24095)1015485ADV-2006-0369337Dave Nielsen and Patrick Breitenbach PayPal Web Services (aka PHP Toolkit) 0.50, and possibly earlier versions, allows remote attackers to enter false payment entries into the log file via HTTP POST requests to ipn_success.php.20060112 Multiple PHP Toolkit for PayPal Vulnerabilities16218ADV-2006-01831844422378Dave Nielsen and Patrick Breitenbach PayPal Web Services (aka PHP Toolkit) 0.50 and possibly earlier has (1) world-readable permissions for ipn/logs/ipn_success.txt, which allows local users to view sensitive information (payment data), and (2) world-writable permissions for ipn/logs, which allows local users to delete or replace payment data.20060112 Multiple PHP Toolkit for PayPal Vulnerabilities16218ADV-2006-01831844422379membership.asp in Mini-Nuke CMS System 1.8.2 and earlier does not verify the old password when changing a password, which allows remote attackers to change the passwords of other members via a lostpassnew action with a modified x parameter.ADV-2006-01731843922385mininuke-membership-change-password(24101)20060113 Advisory: MiniNuke CMS System <= 1.8.2 (membership.asp) remoteuser password change exploit20060112 Advisory: MiniNuke CMS System <= 1.8.2 (news.asp) SQL Injection vulnerability20060129 [xpl#2] MiniNuke 1.8.2 - change member's passwrod < Perl >20060112 Advisory: MiniNuke CMS System <= 1.8.2 (membership.asp) remote user password change exploit344Multiple cross-site scripting (XSS) vulnerabilities in Wordcircle 2.17 allow remote attackers to inject arbitrary web script or HTML via (1) the "Course name" field in index.php when the frm parameter has the value "mine" and (2) possibly certain other fields in unspecified scripts.20060112 [eVuln] Wordcircle Multiple SQL Injection & XSS VulnerabilitiesADV-2006-0185184401622722359wordcircle-index-xss(24106)345Multiple SQL injection vulnerabilities in Wordcircle 2.17 allow remote attackers to (1) execute arbitrary SQL commands and bypass authentication via the password field in the login action to index.php (involving v_login.php and s_user.php) and (2) have other unknown impact via certain other fields in unspecified scripts.20060112 [eVuln] Wordcircle Authentication Bypass16227ADV-2006-01852235818440wordcircle-login-security-bypass(24108)wordcircle-sql-injection(24105)20060112 [eVuln] Wordcircle Multiple SQL Injection & XSS Vulnerabilities345346Eval injection vulnerability in Light Weight Calendar (LWC) 1.0 (20040909) and earlier allows remote attackers to execute arbitrary PHP code via the date parameter in cal.php, which is included by index.php.162291845022376lwc-cal-execute-code(24110)[VIM] 20060318 Source VERIFY - Light Weight Calendar issue is eval injectionMultiple HTTP response splitting vulnerabilities in PHP 5.1.1 allow remote attackers to inject arbitrary HTTP headers via a crafted Set-Cookie header, related to the (1) session extension (aka ext/session) and the (2) header function.ADV-2006-01771622018431php-session-response-splitting(24094)1015484MDKSA-2006:02818697ADV-2006-0369USN-261-119179GLSA-200603-2219355SUSE-SR:2006:00419012DSA-1331MDKSA-2006:02825945Multiple cross-site scripting (XSS) vulnerabilities in PHP 5.1.1, when display_errors and html_errors are on, allow remote attackers to inject arbitrary web script or HTML via inputs to PHP applications that are not filtered when they are included in the resulting error message.ADV-2006-017718431MDKSA-2006:02818697ADV-2006-036916803USN-261-119179GLSA-200603-2219355SUSE-SR:2006:00419012RHSA-2006:027619832RHSA-2006:050120222ADV-2006-2685209512125221564RHSA-2006:0549 20060501-01-U 20210MDKSA-2006:028SQL injection vulnerability in general_functions.php in TankLogger 2.4 allows remote attackers to execute arbitrary SQL commands via the (1) livestock_id parameter to showInfo.php and (2) tank_id parameter, possibly to livestock.php.ADV-2006-015320060112 [eVuln] TankLogger SQL Injection Vulnerability1622818441tanklogger-generalfunctions-sql-injection(24080)2236822369[VIM] 20060113 Verified TankLogger SQl inject by source inspection341Cross-site scripting (XSS) vulnerability in index.php in Interspire TrackPoint NX before 0.1 allows remote attackers to inject arbitrary web script or HTML via the username parameter when using the Login page.1621420060112 Interspire TrackPoint NX XSS VulnerabilityADV-2006-01751844522377trackpointnx-login-xss(24112)Cross-site scripting (XSS) vulnerability in forgotPassword.asp in Helm Hosting Control Panel 3.2.8 and earlier allows remote attackers to inject arbitrary web script or HTML via the txtEmailAddress parameter.20060112 Helm XSS Vulnerability16234ADV-2006-02031849222454helm-forgotpassword-xss(24139)Directory traversal vulnerability in OBEX Push services in Toshiba Bluetooth Stack 4.00.23(T) and earlier allows remote attackers to upload arbitrary files to arbitrary remote locations specified by .. (dot dot) sequences, as demonstrated by ..\\ sequences in the RFILE argument of ussp-push.20060113 DMA[2006-0112a] - 'Toshiba Bluetooth Stack Directory Transversal'ADV-2006-01841843720060113 DMA[2006-0112a] - 'Toshiba Bluetooth Stack Directory Transversal'1623620060113 DMA[2006-0112a] - 'Toshiba Bluetooth Stack Directory Transversal'223801015486Kolab Server 2.0.1, 2.0.2 and development versions pre-2.1-20051215 and earlier, when authenticating users via secure SMTP, stores authentication credentials in plaintext in the postfix.log file, which allows local users to gain privileges.ADV-2006-01861843822381 kolab-smtp-logging(24123)Eval injection vulnerability in ezDatabase 2.0 and earlier allows remote attackers to execute arbitrary PHP code via the db_id parameter to visitorupload.php, as demonstrated using phpinfo and include function calls.1804316237 ezdatabase-visitorupload-file-include(24136)351Cross-site scripting (XSS) vulnerability in admin.php in QualityEBiz Quality PPC (QPPC) 1.0 build 1644 allows remote attackers to inject arbitrary web script or HTML via the cpage parameter. NOTE: this issue might be resultant from CVE-2006-0216.22352admin.php in QualityEBiz Quality PPC (QPPC) 1.0 build 1644 allows remote attackers to obtain sensitive information, possibly the installation path of the application, via unspecified "meta characters" to the cpage parameter.22353Multiple cross-site scripting (XSS) vulnerabilities in Ultimate Auction 3.67 allow remote attackers to inject arbitrary web script or HTML via the (1) item parameter in item.pl and (2) category parameter in itemlist.pl, which reflects the XSS in an error message. NOTE: the affected version might be wrong since the current version as of 20060116 is 3.6.1.16239ADV-2006-018722443224441847720060115 Ultimate Auction <=3.6716254 ultimate-auction-item-xss(24138)Multiple unspecified vulnerabilities in MyBulletinBoard (MyBB) before 1.0.2 have unspecified impact and attack vectors, related to (1) admin/moderate.php, (2) admin/themes.php, (3) inc/functions.php, (4) inc/functions_upload.php, (5) printthread.php, and (6) usercp.php, and probably related to SQL injection. NOTE: it is likely that this issue subsumes CVE-2005-4602 and CVE-2005-4603. However, since the vendor advisory is vague and additional files are mentioned, is is likely that this contains at least one distinct vulnerability from CVE-2005-4602 and CVE-2005-4603.The original distribution of MyBulletinBoard (MyBB) to update from older versions to 1.0.2 omits or includes older versions of certain critical files, which allows attackers to conduct (1) SQL injection attacks via an attachment name that is not properly handled by inc/functions_upload.php (CVE-2005-4602), and possibly (2) other attacks related to threadmode in usercp.php.16230 mybb-usercp-script-sql-injection(24115)Multiple cross-site scripting (XSS) vulnerabilities in DCP-Portal 5.3 through 6.1.1 allow remote attackers to inject arbitrary web script or HTML via (1) the day parameter in calendar.php and (2) the input form in search.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. It is possible that this issue is resultant from an SQL injection problem in CVE-2005-4227.3 and CVE-2005-4227.13.1623220060113 DCP Portal Cross-Site Scripting Vulnerability dcpportal-calendar-search-xss(24153)SQL injection vulnerability in index.asp in the Admin Panel in Dragon Design Services Network (DDSN) cm3 content manager (CM3CMS) allows remote attackers to execute arbitrary SQL commands via the (1) username or (2) password.1623120060113 DDSN CMS Admin Panel SQL Injection Vulnerability22696cm3-login-sql-injection(24266)Cross-site scripting (XSS) vulnerability in fullview.php in AlstraSoft Template Seller Pro allows remote attackers to inject arbitrary web script or HTML via the tempid parameter.1623320060113 AlstraSoft Template Seller Pro Cross-Site Scripting Vulnerability22746template-seller-fullview-xss(24235)Directory traversal vulnerability in Shanghai TopCMM 123 Flash Chat Server Software 5.1 allows attackers to create or overwrite arbitrary files on the server via ".." (dot dot) sequences in the username field.16235ADV-2006-01982244018455 123flashchat-user-directory-traversal(24137)Buffer overflow in Library of Assorted Spiffy Things (LibAST) 0.6.1 and earlier, as used in Eterm and possibly other software, allows local users to execute arbitrary code as the utmp user via a long -X command line argument (alternative configuration file name).16350ADV-2006-031420060123 [ Rosiello Security ] Eterm-LibAST Advisory20060123 LibAST 0.7 Release Fixes Security Vulnerability20060125 Rosiello Security - Eterm-LibAST AdvisoryGLSA-200601-141858618632MDKSA-2006:029DSA-9762273518916eterm-libast-filename-bo(24303)MDKSA-2006:029373scp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands via filenames that contain shell metacharacters or spaces, which are expanded twice.16369ADV-2006-030618579185952006-00041015540openssh-scp-command-execution(24305)MDKSA-2006:034186501873620060212 [3.8] 005: SECURITY FIX: February 12, 2006SuSE-SA:2006:0081879818850FLSA-2006:168935OpenPKG-SA-2006.003SSA:2006-045-0618910GLSA-200602-11USN-255-122692189641896918970RHSA-2006:004419159ADV-2006-249020723RHSA-2006:02982112920060703-01-P212622149221724RHSA-2006:069822196HPSBUX02178ADV-2006-4869232412334023680 ADV-2007-0930 24479APPLE-SA-2007-03-13MDKSA-2006:034102961TA07-072AADV-2007-2120oval:org.mitre.oval:def:11382560725936462Integer overflow in IEEE 802.11 network subsystem (ieee80211_ioctl.c) in FreeBSD before 6.0-STABLE, while scanning for wireless networks, allows remote attackers to execute arbitrary code by broadcasting crafted (1) beacon or (2) probe response frames.FreeBSD-SA-06:051629618353225371015518 bsd-ieee80211-bo(24192)Multiple unspecified vulnerabilities in lpsched in Sun Solaris 8, 9, and 10 allow local users to delete arbitrary files or disable the LP print service via unknown attack vectors.102033ADV-2006-020010154921849822441224421624519087oval:org.mitre.oval:def:662 solaris-lpsched-dos(24127)The RBAC functionality in grsecurity before 2.1.8 does not properly handle when the admin role creates a service and then exits the shell without unauthenticating, which causes the service to be restarted with the admin role still active.16261ADV-2006-019918458 grsecurity-rbac-admin-privileges(24156)Unquoted Windows search path vulnerability in Wehntrust might allow local users to gain privileges via a malicious "program.exe" file in the C: folder, which is run when Wehntrust creates the autostart key.20060116 WehnTrust - When you have to trust Wehntrust20060116 Re: [Full-disclosure] WehnTrust - When you have to trust Wehntrust16268 wehntrust-service-start-file-execution(24315)Symantec Scan Engine 5.0.0.24, and possibly other versions before 5.1.0.7, uses a client-side check to verify a password, which allows remote attackers to gain administrator privileges via a modified client that sends certain XML requests.20060421 Rapid7 Advisory R7-0021: Symantec Scan Engine Authentication Fundamental Design Error20060421 [Symantec Security Advisor] Symantec Scan Engine Multiple Vulnerabilities17637ADV-2006-146419734VU#11838820060421 Rapid7 Advisory R7-0021: Symantec Scan Engine Authentication Fundamental Design Error sse-unauth-admin-access(25972)Symantec Scan Engine 5.0.0.24, and possibly other versions before 5.1.0.7, uses the same private DSA key for each installation, which allows remote attackers to conduct man-in-the-middle attacks and decrypt communications.20060421 Rapid7 Advisory R7-0022: Symantec Scan Engine Known Immutable DSA Private Key20060421 Rapid7 Advisory R7-0022: Symantec Scan Engine Known Immutable DSA Private Key20060421 [Symantec Security Advisor] Symantec Scan Engine Multiple Vulnerabilities17637ADV-2006-1464101597419734 sse-insecure-private-key(25973)Symantec Scan Engine 5.0.0.24, and possibly other versions before 5.1.0.7, stores sensitive log and virus definition files under the web root with insufficient access control, which allows remote attackers to obtain the information via direct requests.20060421 Rapid7 Advisory R7-0023: Symantec Scan Engine File Disclosure Vulnerability20060421 Rapid7 Advisory R7-0023: Symantec Scan Engine File Disclosure Vulnerability20060421 [Symantec Security Advisor] Symantec Scan Engine Multiple Vulnerabilities17637ADV-2006-1464101597419734 sse-unauth-file-access(25974)758759Cross-site scripting (XSS) vulnerability in functions.php in microBlog 2.0 RC-10 allows remote attackers to inject arbitrary web script and HTML via a javascript: URI in a [url] BBcode tag.20060117 [eVuln] microBlog BBCode XSS Vulnerability162721015496microblog-functions-xss(24140)SQL injection vulnerability in index.php in microBlog 2.0 RC-10 allows remote attackers to execute arbitrary SQL commands via the (1) month and (2) year parameters.20060117 [eVuln] microBlog SQL Injection Vulnerability16270ADV-2006-023922512101549618442 microblog-index-sql-injection(24132)SQL injection vulnerability in WhiteAlbum 2.5 allows remote attackers to execute arbitrary SQL commands via the dir parameter to pictures.php.20060116 White Album Sql &#304;njection biyosecurity.be1624718460ADV-2006-024122520 whitealbum-pictures-sql-injection(24271)GUI display truncation vulnerability in Mozilla Thunderbird 1.0.2, 1.0.6, and 1.0.7 allows user-assisted attackers to execute arbitrary code via an attachment with a filename containing a large number of spaces ending with a dangerous extension that is not displayed by Thunderbird, along with an inconsistent Content-Type header, which could be used to trick a user into downloading dangerous content by dragging or saving the attachment.20060117 Secunia Research: Mozilla Thunderbird Attachment SpoofingVulnerability16271ADV-2006-023015907MDKSA-2006:021 thunderbird-attachment-ext-spoofing(24164)MDKSA-2006:021Cross-site scripting (XSS) vulnerability in index.php in GTP iCommerce allows remote attackers to inject arbitrary web script or HTML via the (1) cat and (2) subcat parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.16255ADV-2006-021418470 gtpicommerce-index-xss(24150)SQL injection vulnerability in wp-stats.php in GaMerZ WP-Stats 2.0 allows remote attackers to execute arbitrary SQL commands via the author parameter.16241ADV-2006-01921847122450 wpstats-script-sql-injection(24163)Multiple cross-site scripting (XSS) vulnerabilities in Simple Blog 2.1 allow remote attackers to inject arbitrary web script or HTML via (1) a comment to comments.asp and (2) possibly certain other fields in unspecified scripts.20060114 [HSC Security Group] Multiple SQL injection/XSS in SimpleBlog 2.116243ADV-2006-01941848822448 simpleblog-comment-xss(24154)Multiple SQL injection vulnerabilities in Simple Blog 2.1 allow remote attackers to execute arbitrary SQL commands via the month parameter in an archives view operation and possibly certain other parameters in unspecified scripts.20060114 [HSC Security Group] Multiple SQL injection/XSS in SimpleBlog 2.116243ADV-2006-01941848822447simpleblog-month-sql-injection(24155)Cross-site scripting vulnerability in WBNews 1.1.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the Name field.20060117 XSS in WBNews < = v1.1.016277ADV-2006-023718499Cross-site scripting vulnerability in index.php in PHP Fusebox 4.0.6 allows remote attackers to inject arbitrary web script or HTML via the fuseaction parameter.20060117 IndonesiaHack Advisory HTML injection in PHP Fusebox16274355Cross-site scripting (XSS) vulnerability in SMBCMS 2.1 allows remote attackers to inject arbitrary web script or HTML via the text parameter, which is used by the "Search Site" field. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.16281ADV-2006-02291845422494 smbcms-sitesearch-xss(24187)** DISPUTED ** Directory traversal vulnerability in workspaces.php in phpXplorer 0.9.33 allows remote attackers to include arbitrary files via a .. (dot dot) and trailing null byte (%00) in the sShare parameter. NOTE: a followup post claims that this is not a vulnerability since the functionality of phpXplorer supports the upload of PHP files, which would not cross privilege boundaries since the PHP functionality would support read access outside the web root.20060116 Directory traversal in phpXplorer20060116 Re: Directory traversal in phpXplorer16263ADV-2006-023218518353phpxplorer-sshare-directory-traversal(39982)Multiple cross-site scripting (XSS) vulnerabilities in CubeCart 3.0.7-pl1 allow remote attackers to inject arbitrary web script or HTML via the (3) redir, (4) productId, (5) docId, (6) act, and (7) catId parameters in index.php; and the (8) username field in a login action in index.php. NOTE: the cart.php/redir and index.php/searchStr vectors are already covered by CVE-2005-3152.16259ADV-2006-02271851922471 cubecart-index-script-xss(24177)Cross-site scripting (XSS) vulnerability in down.pl in Widexl Download Tracker 1.06 allows remote attackers to inject arbitrary web script or HTML via the ID parameter.16265ADV-2006-02131847222462 downloadtracker-down-xss(24161)Cross-site scripting (XSS) vulnerability in anyboard.cgi in Netbula Anyboard 9.9 and earlier allows remote attackers to inject arbitrary web script or HTML via the tK parameter in a find command.16264ADV-2006-01881846922461 netbula-anyboard-script-xss(24167)Virata-EmWeb web server 6_1_0, as used in (1) Intracom JetSpeed 500 and 520 and (2) Allied Data Technologies CopperJet 811 RouterPlus, allows remote attackers to access privileged information, such as user lists and configuration settings, via direct HTTP requests.ADV-2006-021818483 virata-emweb-unauth-access(24304)SQL injection vulnerability in viewcat.php in BitDamaged geoBlog MOD_1.0 allows remote attackers to execute arbitrary SQL commands, then steal credentials and upload files, via the cat parameter ($tmpCategory variable).16249ADV-2006-019118504224631015493 geoBlog-viewcat-sql-injection(24146)Format string vulnerability in the snmp_input function in snmptrapd in CMU SNMP utilities (cmu-snmp) allows remote attackers to execute arbitrary code by sending crafted SNMP messages to UDP port 162.20060116 Digital Armaments Security Advisory 01.16.2006: CMU SNMP utilities snmptrad Format String Vulnerability16267ADV-2006-02341852522493 cmusnmp-snmpinput-format-string(24178)Cross-site scripting (XSS) vulnerability in fom.cgi in Faq-O-Matic 2.711 allows remote attackers to inject arbitrary web script or HTML via the (1) _duration, (2) file, and (3) cmd parameters.16251ADV-2006-01891846822439 faqomatic-fom-xss(24165)SQL injection vulnerability in Benders Calendar 1.0 allows remote attackers to execute arbitrary SQL commands via multiple parameters, as demonstrated by the (1) year, (2) month, and (3) day parameters.20060115 [eVuln] Benders Calendar SQL Injection16242ADV-2006-019010154911846222449 benderscalendar-sql-injection(24120)Buffer overflow in the Bluetooth OBEX Object Push service in "Blue Neighbors.EXE" in AmbiCom Blue Neighbors 2.50 Build 2500 and earlier allows remote attackers to execute arbitrary code via a long file name, as demonstrated via a long RFILE argument to ussp-push.ADV-2006-02191846620060120 DMA[2006-0115a] - %27AmbiCom Bluetooth Object Push Overflow%27 16258 ambicom-bluetooth-objectpush-bo(24179)366Multiple cross-site scripting (XSS) vulnerabilities in Apache Geronimo 1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) time parameter to cal2.jsp and (2) any invalid parameter, which causes an XSS when the log file is viewed by the Web-Access-Log viewer.20060115 Apache Geronimo 1.0 - CSS and persistent HTML-Injectionvulnerabilities16260ADV-2006-021718485 geronimo-webaccesslog-viewer-xss(24159)geronimo-jspexamples-xss(24158)RHSA-2008:0261RHSA-2008:063031493Unquoted Windows search path vulnerability in Check Point VPN-1 SecureClient might allow local users to gain privileges via a malicious "program.exe" file in the C: folder, which is run when SecureClient attempts to launch the Sr_GUI.exe program.16290ADV-2006-025820060117 [ TZO-012006 ] Checkpoint VPN-1 SecureClient insecure usage of CreateProcess()Unspecified vulnerability in the Advanced Queuing component of Oracle Database server 8.1.7.4, 9.0.1.5, 9.2.0.6, 10.1.0.3 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB01.16287VU#545804ADV-2006-024318493ADV-2006-0323186081015499Unspecified vulnerability in the Change Data Capture component of Oracle Database server 9.2.0.7, 10.1.0.5, and 10.2.0.1 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB02. NOTE: details are unavailable from Oracle, but they have not publicly disputed a claim by a reliable independent researcher that states that the problem is SQL injection in the CDC_ALLOCATE_LOCK function of the DBMS_CDC_UTILITY package.16287VU#545804ADV-2006-024318493ADV-2006-032318608101549922540oracle-january2006-update(24321)Unspecified vulnerability in the Connection Manager component of Oracle Database server 8.1.7.4 and 9.0.1.5 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB03.16287VU#545804ADV-2006-024318493ADV-2006-0323186081015499oracle-january2006-update(24321)Multiple unspecified vulnerabilities in Oracle Database server 10.1.0.5 have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) DB04 and (2) DB06 in the (a) Data Pump component; (3) DB10 in the (b) Net Listener component; and (4) DB16 in the (c) Oracle Text component. NOTE: details are unavailable from Oracle, but they have not publicly disputed a claim by a reliable independent researcher that states that DB06 is SQL injection in the GENERATE_JOB_NAME, GET_WORKERSTATUSLIST1010, GET_PARAMVALUES1010, GET_DUMPFILESET1010, GET_JOBSTATUS1010, ATTACH, and ESTABLISH_REMOTE_CONTEXT functions in DBMS_DATAPUMP.16287VU#545804ADV-2006-024318493ADV-2006-032318608101549922544oracle-january2006-update(24321)Multiple unspecified vulnerabilities in Oracle Database server 9.2.0.7 and 10.1.0.5 have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) DB05 in the (a) Data Pump component; (2) DB15 in the (b) Oracle Text component; (3) DB22 in the (c) Streams Apply component; (4) DB23 and (5) DB24 in the (d) Streams Capture component; and (6) DB26 in the (e) Streams Subcomponent. NOTE: details are unavailable from Oracle, but they have not publicly disputed a claim by a reliable independent researcher that states that DB05 involves SQL injection in the (f) LONG2VARCHAR, LONG2VCMAX, LONG2VCNT, and LONG2CLOB functions in the DBMS_METADATA_UTIL package; (g) MAKE_FILTER, FETCH_VIEWS_ERROR, FETCH_FILTERS, FETCH_VIEWS, SET_FILTER_COMMON, DO_FILTER_SCRIPT, SET_TABLE_FILTERS, and MAKE_FILTER_TEXT functions in the DBMS_METADATA_INT package; and (h) GET_PREPOST_TABLE_ACT function in the DBMS_METADATA package.16287VU#545804ADV-2006-024318493ADV-2006-0323186081015499225432264322637oracle-january2006-update(24321)Multiple unspecified vulnerabilities in Oracle Database server 8.1.7.4, 9.0.1.5, 9.2.0.7, and 10.1.0.5 have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) DB07 in the Dictionary component and (2) DB14 in the Oracle Label Security component. NOTE: Oracle has not disputed reliable researcher claims that DB07 involves plaintext storage of the TDE wallet password in a trace file by event 10053.16287VU#545804ADV-2006-024318493ADV-2006-0323186081015499oracle-january2006-update(24321)20060117 Oracle Database 10g Rel. 2 - Event 10053 logs TDE wallet password in cleartextoracle-masterkey-plaintext(24168)Unspecified vulnerability in the Net Foundation Layer component of Oracle Database server 8.1.7.4, 9.0.1.5, 9.0.1.5 FIPS, 9.2.0.6, and 10.1.0.4 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB08.16287VU#545804ADV-2006-024318493ADV-2006-0323186081015499oracle-january2006-update(24321)Multiple unspecified vulnerabilities in Oracle Database server 8.1.7.4, 9.0.1.5, 9.0.1.5 FIPS, 9.2.0.7, 10.1.0.5, and 10.2.0.1 have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) DB09 in the (a) Net Listener component; and (2) DB12 and (3) DB13 in the Network Communications (RPC) component.16287VU#545804ADV-2006-024318493ADV-2006-032318608TA06-018AVU#8701721015499225472255022551oracle-january2006-update(24321)** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2006-0259. Reason: This candidate is subsumed by CVE-2006-0259. An error during initial CVE analysis used the wrong set of affected versions for "DB10". Notes: All CVE users should reference CVE-2006-0259 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.1015499 oracle-january2006-update(24321)Multiple unspecified vulnerabilities in Oracle Database server 8.1.7.4, 9.0.1.5, 9.2.0.7, 10.1.0.5, and 10.2.0.1 have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) DB17 in the Oracle Text component and (2) DB18 in the Program Interface Network component. NOTE: details are unavailable from Oracle, but they have not publicly disputed a claim by a reliable independent researcher that states that DB17 involves SQL injection in the (a) VALIDATE_STATEMENT and BUILD_DML functions in CTXSYS.DRILOAD; (b) CLEAN_DML function in CTXSYS.DRIDML; (c) GET_ROWID function in CTXSYS.CTX_DOC; (d) BROWSE_WORDS function in CTXSYS.CTX_QUERY; and (e) ODCIINDEXTRUNCATE, ODCIINDEXDROP, and ODCIINDEXDELETE functions in CATINDEXMETHODS.16287VU#545804ADV-2006-024318493ADV-2006-03231860810154992255522639226402264122642oracle-january2006-update(24321)Unspecified vulnerability in the Query Optimizer component of Oracle Database server 9.0.1.5, 9.2.0.7, and 10.1.0.5 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB19.16287VU#545804ADV-2006-024318493ADV-2006-0323186081015499oracle-january2006-update(24321)Unspecified vulnerability in the Query Optimizer component of Oracle Database server 9.2.0.6 and 10.1.0.4 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB20.16287VU#545804ADV-2006-024318493ADV-2006-0323186081015499oracle-january2006-update(24321)Unspecified vulnerability in the Security component of Oracle Database server 9.0.1.5, 9.0.1.5 FIPS, 9.2.0.6, and 10.1.0.4 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB21.16287VU#545804ADV-2006-024318493ADV-2006-0323186081015499oracle-january2006-update(24321)Unspecified vulnerability in the Streams Capture component of Oracle Database server 10.1.0.5 and 10.2.0.1 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB25. NOTE: details are unavailable from Oracle, but they have not publicly disputed a claim by a reliable independent researcher that states that the problem is SQL injection in the SET_DIRECTORY_ROOT function in the DBMS_CDC_PUBLISH package.16287VU#545804ADV-2006-024318493ADV-2006-032318608101549922563oracle-january2006-update(24321)Unspecified vulnerability in the Transparent Data Encryption (TDE) Wallet component of Oracle Database server 10.2.0.1 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB27. NOTE: Oracle has not disputed a reliable researcher report that TDA stores the master key without encryption, which allows local users to obtain the key via the SGA.16287VU#545804ADV-2006-024318493ADV-2006-0323186081015499oracle-january2006-update(24321)20060117 Oracle Database 10g Rel. 2- Transparent Data Encryption plaintext masterkey in SGAoracle-sga-masterkey-plaintext(24186)Unspecified vulnerability in the Upgrade & Downgrade component of Oracle Database server 8.1.7.4, 9.0.1.5, 9.2.0.7, and 10.1.0.4 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB28. NOTE: details are unavailable from Oracle, but they have not publicly disputed a claim by a reliable independent researcher that states that the problem is SQL injection in the DBMS_REGISTRY package in certain parameters to the (1) IS_COMPONENT, (2) GET_COMP_OPTION, (3) DISABLE_DDL_TRIGGERS, (4) SCRIPT_EXISTS, (5) COMP_PATH, (6) GATHER_STATS, (7) NOTHING_SCRIPT, and (8) VALIDATE_COMPONENTS functions.16287VU#545804ADV-2006-024318493ADV-2006-032318608101549922566oracle-january2006-update(24321)Unspecified vulnerability in the XML Database component of Oracle Database server 9.2.0.7 and 10.1.0.4 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB29. NOTE: based on mutual credits by the relevant sources, it is highly likely that this issue is a buffer overflow in the (a) DBMS_XMLSCHEMA and (b) DBMS_XMLSCHEMA_INT packages, as exploitable via long arguments to (1) XDB.DBMS_XMLSCHEMA.GENERATESCHEMA or (2) XDB.DBMS_XMLSCHEMA.GENERATESCHEMAS.16287VU#545804ADV-2006-024318493ADV-2006-032318608TA06-018AVU#8916441015499oracle-january2006-update(24321)20060126 [Argeniss] Oracle Database Buffer overflows vulnerabilities in public procedures of XDB.DBMS_XMLSCHEMA{_INT}oracle-xdbdbmx-xmlschema-bo(24376)Unspecified vulnerability in the Portal component of Oracle Application Server 9.0.4.2 and 10.1.2.0 has unspecified impact and attack vectors, as identified by Oracle Vuln# AS01.16287VU#545804ADV-2006-024318493ADV-2006-0323186081015499oracle-january2006-update(24321)Unspecified vulnerability in the Oracle Reports Developer component of Oracle Application Server 9.0.4.2 and 10.1.2.0.2 has unspecified impact and attack vectors, as identified by Oracle Vuln# REP03.16287VU#545804ADV-2006-024318493ADV-2006-0323186081015499oracle-january2006-update(24321)Unspecified vulnerability in the Oracle Reports Developer component of Oracle Application Server 9.0.4.2 has unspecified impact and attack vectors, as identified by Oracle Vuln# REP04. NOTE: Oracle has not disputed reliable researcher claims that this issue is related to directory traversal that allows reading of portions of arbitrary XML files via the customize parameter.16287VU#545804ADV-2006-024318493ADV-2006-0323186081015499oracle-january2006-update(24321)20060117 Oracle Reports - Read parts of files via customize(fixed after 875 days)Multiple unspecified vulnerabilities in Oracle Collaboration Suite Release 2, version 9.0.4.2 (Oracle9i) have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) OCS01, 2) OCS02, 3) OCS03, 4) OCS04, 5) OCS05, 6) OCS06, 7) OCS07, (8) OCS08, and (9) OCS09 in the (a) Email Server component; 10) OCS10 (and (11) OCS11 in the (b) Oracle Collaboration Suite Wireless & Voice (component; 12) OCS12 and (13) OCS13 in the (c) Oracle Content (Management SDK component; 14) OCS14 and (15) OCS15 in the (d) Oracle (Content Services component.16287VU#545804ADV-2006-024318493ADV-2006-0323186081015499oracle-january2006-update(24321)Multiple unspecified vulnerabilities in Oracle E-Business Suite and Applications 11.5.10 have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) APPS01 in the (a) Application Install component; (2) APPS07 in the (b) Oracle Applications Framework component; (3) APPS08, (4) APPS09, (5) APPS10, and (6) APPS11 in the (c) Oracle Applications Technology Stack component; (7) APPS12 in the (d) Oracle Human Resources component; (8) APPS15 and (9) APPS16 in the (e) Oracle Marketing component; (10) APPS17 in the (f) Marketing Encyclopedia System component; (11) APPS18 in the (g) Oracle Trade Management component; and (12) APPS19 in the (h) Oracle Web Applications Desktop Integration component.16287VU#545804ADV-2006-024318493ADV-2006-0323186081015499oracle-january2006-update(24321)Multiple unspecified vulnerabilities in Oracle E-Business Suite and Applications 11.5.9 have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) APPS02 in the (a) CRM Technical Foundation component; (2) APPS03 in the (b) iProcurement component; and (3) APPS04, (4) APPS05, and (5) APPS06 in the Oracle Application Object Library component.16287VU#545804ADV-2006-024318493ADV-2006-0323186081015499oracle-january2006-update(24321)Multiple unspecified vulnerabilities in Oracle E-Business Suite and Applications 4.3 have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) APPS13 and (2) APPS14 in the Oracle iLearning component.16287VU#545804ADV-2006-024318493ADV-2006-0323186081015499oracle-january2006-update(24321)Unspecified vulnerability in Oracle PeopleSoft Enterprise Portal 8.4 Bundle 15, 8.8 Bundle 10, and 8.9 Bundle 2 has unspecified impact and attack vectors, as identified by Oracle Vuln# PSE01.16287VU#545804ADV-2006-024318493ADV-2006-0323186081015499oracle-january2006-update(24321)Unspecified vulnerability in Oracle JD Edwards HTML Server 8.95.F1 SP23_L1 has unspecified impact and attack vectors, as identified by Oracle Vuln# JDE01.16287VU#545804ADV-2006-024318493ADV-2006-0323186081015499oracle-january2006-update(24321)Unspecified vulnerability in Oracle Database Server 8.1.7.4, 9.0.1.5, 9.0.1.5 FIPS, 9.2.0.7, and 10.1.0.5, Application Server 1.0.2.2, 9.0.4.2, and 10.1.2.0.2, and Collaboration Suite Release 2, version 9.0.4.2 (Oracle9i) has unspecified impact and attack vectors, as identified by Oracle Vuln# DBC01 in the Protocol Support component.16287VU#545804ADV-2006-024318493ADV-2006-0323186081015499oracle-january2006-update(24321)Unspecified vulnerability in Oracle Database Server 10.1.0.4.2, Application Server 10.1.2.0.2, and Collaboration Suite Release 2, version 9.0.4.2 (Oracle9i) has unspecified impact and attack vectors, as identified by Oracle Vuln# DBC02 in the Reorganize Objects & Convert Tablespace component.16287VU#545804ADV-2006-024318493ADV-2006-0323186081015499oracle-january2006-update(24321)Multiple unspecified vulnerabilities in Oracle Application Server 9.0.4.2 and 10.1.2.0.2, and E-Business Suite and Applications 11.5.10, have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) FORM01 and (2) FORM02 in the Oracle Forms component.16287VU#545804ADV-2006-024318493ADV-2006-0323186081015499oracle-january2006-update(24321)Unspecified vulnerability in the Java Net component of Oracle Database Server 8.1.7.4, 9.0.1.5, 9.0.1.5 FIPS, 9.2.0.7, and 10.1.0.4, and Application Server 1.0.2.2, 9.0.4.2, and 10.1.2.0.2, has unspecified impact and attack vectors, as identified by Oracle Vuln# JN01.16287VU#545804ADV-2006-024318493ADV-2006-0323186081015499oracle-january2006-update(24321)Unspecified vulnerability in the Oracle HTTP Server component of Oracle Database Server 9.0.1.5, 9.0.1.5 FIPS, 9.2.0.7, and 10.1.0.5, and Application Server 1.0.2.2, 9.0.4.2, and 10.1.2.0.2, has unspecified impact and attack vectors, as identified by Oracle Vuln# OHS01.16287VU#545804ADV-2006-024318493ADV-2006-0323186081015499oracle-january2006-update(24321)Unspecified vulnerability in the Oracle HTTP Server component of Oracle Database Server 10.1.0.5 and Application Server 10.1.2.0.2 has unspecified impact and attack vectors, as identified by Oracle Vuln# OHS02.16287VU#545804ADV-2006-024318493ADV-2006-0323186081015499oracle-january2006-update(24321)Multiple unspecified vulnerabilities in the Oracle Reports Developer component of Oracle Application Server 9.0.4.1 and E-Business Suite and Applications 11.5.10 have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) REP01 and (2) REP02.16287VU#545804ADV-2006-024318493ADV-2006-0323186081015499oracle-january2006-update(24321)Multiple unspecified vulnerabilities in Oracle Application Server 6.0.8.26(PS17) and E-Business Suite and Applications 11.5.10 have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) REP05 and (2) REP06 in the Oracle Reports Developer component. NOTE: Oracle has not disputed reliable researcher claims that REP05 is the same as CVE-2005-2378 and REP06 is the same as CVE-2005-2371, both of which involve directory traversal.16287VU#545804ADV-2006-024318493ADV-2006-0323186081015499oracle-january2006-update(24321)20060117 Oracle Reports - Overwrite any application server file via desname (fixed after 889 days)20060117 Oracle Reports - Read parts of files via desname (fixed after 874 days)Unspecified vulnerability in Oracle Database Server 9.2.0.7, Application Server 9.0.4.2 and 10.1.2.1, Collaboration Suite Release 2, version 9.0.4.2 (Oracle9i), and E-Business Suite and Applications 11.5.10 has unspecified impact and attack vectors, as identified by Oracle Vuln# WF01 in the Oracle Workflow Cartridge component.16287VU#545804ADV-2006-024318493ADV-2006-0323186081015499oracle-january2006-update(24321)Multiple unspecified vulnerabilities in Oracle Database Server 10.2.0.1, Application Server 9.0.4.2 and 10.1.2.1, Collaboration Suite Release 2, version 9.0.4.2 (Oracle9i), and E-Business Suite and Applications 11.5.10 have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) WF02 and (2) WF03 in the Oracle Workflow Cartridge component.16287VU#545804ADV-2006-024318493ADV-2006-0323186081015499oracle-january2006-update(24321)The Javascript interpreter (jsinterp.c) in Mozilla and Firefox before 1.5.1 does not properly dereference objects, which allows remote attackers to cause a denial of service (crash) or execute arbitrary code via unknown attack vectors related to garbage collection.RHSA-2006:0199RHSA-2006:020016476ADV-2006-0413187001870318704FEDORA-2006-075FEDORA-2006-076101557018708187091870518706mozilla-javascript-memory-corruption(24430)MDKSA-2006:036FLSA-2006:180036-2FLSA:180036-120060201-01-U19230DSA-1044GLSA-200604-12MDKSA-2006:0781975919821DSA-1046GLSA-200604-18USN-275-1SUSE-SA:2006:0221982319852198621986319902DSA-1051USN-276-11995019941USN-271-119746GLSA-200605-09RHSA-2006:0330MDKSA-2006:037HPSBUX02122SCOSA-2006.2621033102550ADV-2006-339121622HPSBUX02156oval:org.mitre.oval:def:670 19780 20051MDKSA-2006:036MDKSA-2006:078MDKSA-2006:037ADV-2006-374922065The function allocation code (js_NewFunction in jsfun.c) in Firefox 1.5 allows attackers to cause a denial of service (memory corruption) and possibly execute arbitrary code via user-defined methods that trigger garbage collection in a way that operates on freed objects.16476ADV-2006-041318700187041015570mozilla-javascript-memory-corruption(24430)DSA-1044DSA-1046GLSA-200604-18198621986319902DSA-105119941HPSBUX02122102550ADV-2006-339121622HPSBUX02156oval:org.mitre.oval:def:1494ADV-2006-374922065firefox-function-allocation-code-execution(42654)Mozilla Firefox before 1.5.0.1, Thunderbird 1.5 if running Javascript in mail, and SeaMonkey before 1.0 allow remote attackers to execute arbitrary code by changing an element's style from position:relative to position:static, which causes Gecko to operate on freed memory.16476ADV-2006-041318700187041015570HPSBUX02156oval:org.mitre.oval:def:1514 mozilla-element-change-memory-corruption(24431)ADV-2006-374922065Mozilla Firefox 1.5, Thunderbird 1.5 if Javascript is enabled in mail, and SeaMonkey before 1.0 might allow remote attackers to execute arbitrary code via the QueryInterface method of the built-in Location and Navigator objects, which leads to memory corruption.16476ADV-2006-04131870018704VU#7592731015570mozilla-queryinterface-memory-corruption(24433)HPSBUX02156oval:org.mitre.oval:def:1562TA06-038AADV-2006-374922065The XULDocument.persist function in Mozilla, Firefox before 1.5.0.1, and SeaMonkey before 1.0 does not validate the attribute name, which allows remote attackers to execute arbitrary Javascript by injecting RDF data into the user's localstore.rdf file.RHSA-2006:0199RHSA-2006:020016476ADV-2006-0413187001870318704FEDORA-2006-07521033102550ADV-2006-339121622HPSBUX02156oval:org.mitre.oval:def:1493 19780 20051MDKSA-2006:036MDKSA-2006:078MDKSA-2006:037TA06-038AADV-2006-374922065FEDORA-2006-076VU#592425101557018708187091870518706mozilla-xuldocument-command-execution(24434)MDKSA-2006:036FLSA-2006:180036-2FLSA:180036-120060201-01-U19230DSA-1044GLSA-200604-12MDKSA-2006:0781975919821DSA-1046GLSA-200604-18USN-275-1SUSE-SA:2006:0221982319852198621986319902DSA-1051USN-276-11995019941USN-271-119746GLSA-200605-09RHSA-2006:0330MDKSA-2006:037HPSBUX02122SCOSA-2006.26Multiple integer overflows in Mozilla Firefox 1.5, Thunderbird 1.5 if Javascript is enabled in mail, and SeaMonkey before 1.0 might allow remote attackers to execute arbitrary code via the (1) EscapeAttributeValue in jsxml.c for E4X, (2) nsSVGCairoSurface::Init in SVG, and (3) nsCanvasRenderingContext2D.cpp in Canvas.16476ADV-2006-041318700187041015570mozilla-component-integer-overflow(24435)HPSBUX02156oval:org.mitre.oval:def:1339ADV-2006-374922065The XML parser in Mozilla Firefox before 1.5.0.1 and SeaMonkey before 1.0 allows remote attackers to cause a denial of service (crash) and possibly read sensitive data via unknown attack vectors that trigger an out-of-bounds read.16476ADV-2006-041318700187041015570mozilla-xml-parser-dos(24436)HPSBUX02156oval:org.mitre.oval:def:677ADV-2006-374922065The E4X implementation in Mozilla Firefox before 1.5.0.1, Thunderbird 1.5 if running Javascript in mail, and SeaMonkey before 1.0 exposes the internal "AnyName" object to external interfaces, which allows multiple cooperating domains to exchange information in violation of the same origin restrictions.16476ADV-2006-041318700187041015570mozilla-e4x-security-bypass(24437)HPSBUX02156oval:org.mitre.oval:def:1625ADV-2006-374922065Buffer overflow in tar 1.14 through 1.15.90 allows user-assisted attackers to cause a denial of service (application crash) and possibly execute code via unspecified vectors involving PAX extended headers.[Bug-tar] 20060220 tar 1.15.90 releasedMDKSA-2006:046USN-257-116764ADV-2006-06842337118976189732006-001018999gnu-tar-pax-headers-bo(24855)DSA-987OpenPKG-SA-2006.006RHSA-2006:0232SUSE-SR:2006:0051015705190931913019152GLSA-200603-0619236FLSA:183571-219016 ADV-2007-0930 20042 24479 APPLE-SA-2007-04-19 ADV-2007-1470 24966APPLE-SA-2007-03-13TA07-072ATA07-109A480543Heap-based buffer overflow in Splash.cc in xpdf, as used in other products such as (1) poppler, (2) kdegraphics, (3) gpdf, (4) pdfkit.framework, and others, allows attackers to cause a denial of service and possibly execute arbitrary code via crafted splash images that produce certain values that exceed the width or height of the associated bitmap.18838188601886218864188821890818913GLSA-200602-1218983FLSA:175404SCOSA-2006.1519377SSA:2006-045-04SSA:2006-045-09FEDORA-2006-10318839MDKSA-2006:030MDKSA-2006:031MDKSA-2006:032470ADV-2006-0389MDKSA-2006:030MDKSA-2006:031MDKSA-2006:0321867720060202 [KDE Security Advisory] kpdf/xpdf heap based buffer overflowADV-2006-0422101557618707xpdf-splash-bo(24391)DSA-971DSA-974DSA-972GLSA-200602-04GLSA-200602-05RHSA-2006:0201RHSA-2006:0206USN-249-1188341887518274188251882618837ZyXel P2000W VoIP 802.11b Wireless Phone running firmware WV.00.02 allows remote attackers to obtain sensitive information, such as MAC address and software version, by directly accessing UDP port 9090.20060116 ZyXel P2000W (Version 2) VoIP wireless phone undocumented port UDP/90901628518511 zyxel-p2000w-default-port(24145)22516Multiple unspecified vulnerabilities in the (1) publishing component, (2) Contact Component, (3) TinyMCE Compressor, and (4) other components in Joomla! 1.0.5 and earlier have unknown impact and attack vectors.18513Buffer overflow in Dual DHCP DNS Server 1.0 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via the DHCP options field.18486ADV-2006-0245101549516298 dualdhcpdns-options-field-bo(24191)Clipcomm CPW-100E VoIP 802.11b Wireless Handset Phone running firmware 1.1.12 (051129) and CP-100E VoIP 802.11b Wireless Phone running firmware 1.1.60 allows remote attackers to gain unauthorized access via the debug service on TCP port 60023.20060116 Clipcomm CP-100E VoIP wireless desktop phone open debug service TCP/6002320060116 Clipcomm CPW-100E VoIP wireless handset phone open debug service TCP/600231628918505 clipcomm-cp100e-default-port(24144)The DM Primer (dmprimer.exe) in the DM Deployment Common Component in Computer Associates (CA) BrightStor Mobile Backup r4.0, BrightStor ARCserve Backup for Laptops & Desktops r11.0, r11.1, r11.1 SP1, Unicenter Remote Control 6.0, 6.0 SP1, CA Desktop Protection Suite r2, CA Server Protection Suite r2, and CA Business Protection Suite r2 allows remote attackers to cause a denial of service (CPU consumption or application hang) via a large network packet, which causes a WSAEMESGSIZE error code that is not handled, leading to a thread exit.16276ADV-2006-02361853120060118 CAID 33756 - DM Deployment Common Component Vulnerabilities225291015504The DM Primer in the DM Deployment Common Component in Computer Associates (CA) BrightStor Mobile Backup r4.0, BrightStor ARCserve Backup for Laptops & Desktops r11.0, r11.1, r11.1 SP1, Unicenter Remote Control 6.0, 6.0 SP1, CA Desktop Protection Suite r2, CA Server Protection Suite r2, and CA Business Protection Suite r2 allows remote attackers to cause a denial of service (CPU consumption and log file consumption) via unspecified "unrecognized network messages" that are not properly handled.16276ADV-2006-02361853120060118 CAID 33756 - DM Deployment Common Component Vulnerabilities225291015504PHP remote file inclusion vulnerability in htmltonuke.php in the htmltonuke 2.0 alpha, and possibly other versions, module for PHP-Nuke allows remote attackers to execute arbitrary PHP code via a URL in the filnavn parameter.162823524htmltonuke-htmltonuke-file-include(33092)Linksys BEFVP41 VPN Router 2.0 with firmware 1.01.04 allows remote attackers on the local network, to cause a denial of service via IP packets with a null IP option length.20060113 Linksys VPN Router (BEFVP41) DoS Vulnerability20060116 Re: Linksys VPN Router (BEFVP41) DoSADV-2006-023810154901846120060117 Re: Linksys VPN Router (BEFVP41) DoS Vulnerability16307 linksys-null-length-dos(24125)Cross-site scripting (XSS) vulnerability in aoblogger 2.3 allows remote attackers to inject arbitrary Javascript via a javascript URI in the BBcode url tag.16286ADV-2006-02401688920060117 [eVuln] aoblogger Multiple Vulnerabilities22526 aoblogger-url-xss(24141)SQL injection vulnerability in login.php in aoblogger 2.3 allows remote attackers to execute arbitrary SQL commands via the username parameter.16286ADV-2006-02401688920060117 [eVuln] aoblogger Multiple Vulnerabilities22527 aoblogger-login-sql-injection(24142)create.php in aoblogger 2.3 allows remote attackers to bypass authentication and create new blog entries by setting the uza parameter to 1.16286ADV-2006-02401688920060117 [eVuln] aoblogger Multiple Vulnerabilities aoblogger-create-security-bypass(24143)Multiple SQL injection vulnerabilities in PDFdirectory before 1.0 allow remote attackers to execute arbitrary SQL commands via multiple unspecified vectors involving (1) util.php, (2) userpref.php, (3) user.php, (4) uploadfrm.php, (5) title.php, (6) team.php, (7) stats.php, (8) page.php, (9) org.php, (10) member.php, (11) index.php, (12) group.php, or (13) anniv.php.16273ADV-2006-02312240322404224052240622407224082240922410224112241222413224142241518459PDFdirectory before 1.0 stores sensitive data in plaintext, which allows remote attackers to obtain arbitrary users' passwords by direct queries to the database, possibly via one of the SQL injection vulnerabilities.22402index.php in EZDatabase before 2.1.2 does not properly cleanse the p parameter before constructing and including a .php filename, which allows remote attackers to conduct directory traversal attacks, and produces resultant cross-site scripting (XSS) and path disclosure.20060115 EZDatabase Directory Transversal, XSS and Path Disclosure Vulnerability20060115 EZDatabase Directory Transversal, XSS and Path Disclosure Vulnerability162571804322684 ezdatabase-index-p-path-disclosure(24135) ezdatabase-index-p-xss(24134)Buffer overflow in YGPPicFinder.DLL in AOL You've Got Pictures (YGP) Picture Finder Tool ActiveX Control, as used in AOL 8.0, 8.0 Plus, and 9.0 Classic, allows remote attackers to execute arbitrary code via unspecified vectors.VU#71573016262ADV-2006-022122486185211015494aol-youvegotpictures-activex-bo(24160)Cross-site scripting (XSS) vulnerability in rkrt_stats.php in RedKernel Referrer Tracker 1.1.0-3 allows remote attackers to inject arbitrary web script or HTML via a query string value as a GET, which is stored in the $QUERY_STRING variable. NOTE: the provenance of this information is unknown; portions of the details are obtained from third party information.16266ADV-2006-019718473 referertracker-rkrtstats-xss(24151)SQL injection vulnerability in index.php in BlogPHP 1.0, when magic_quotes_gpc is disbled, allows remote attackers to execute arbitrary SQL commands and bypass authentication via the username parameter in a login action.20060117 [eVuln] BlogPHP Authentication Bypass16269ADV-2006-02042249518467 blogphp-index-bypass-security(24131)Directory traversal vulnerability in the FTP server (port 22003/tcp) in Farmers WIFE 4.4 SP1 allows remote attackers to create arbitrary files via ".." (dot dot) sequences in a (1) PUT, (2) SIZE, and possibly other commands.20060113 Farmers wife 4.4 sp1 remote SYSTEM access224961850820060113 Farmers wife 4.4 sp1 remote SYSTEM access16321 farmerswife-ftp-directory-traversal(24190)SQL injection vulnerability in admin/processlogin.php in Bit 5 Blog 8.01 allows remote attackers to execute arbitrary SQL commands and bypass authentication via the (1) username and (2) password parameter.20060115 [eVuln] Bit 5 Blog SQL Injection & Authentication Bypass Vulnerability16244ADV-2006-01951846422445 bit5blog-processlogin-sql-injection(24124)fetchmail 6.3.0 and other versions before 6.3.2 allows remote attackers to cause a denial of service (crash) via crafted e-mail messages that cause a free of an invalid pointer when fetchmail bounces the message to the originator or local postmaster.ADV-2006-03001857120060122 fetchmail security announcement fetchmail-SA-2006-01 (CVE-2006-0321)16365226911015527fetchmail-message-bounce-dos(24265)18895SSA:2006-045-01APPLE-SA-2006-08-0121253ADV-2006-310119289 TA06-214AUnspecified vulnerability the edit comment formatting functionality in MediaWiki 1.5.x before 1.5.6 and 1.4.x before 1.4.14 allows attackers to cause a denial of service (infinite loop) via "certain malformed links."ADV-2006-039218711mediawiki-comment-format-dos(24478)SUSE-SR:2006:00318717Buffer overflow in swfformat.dll in multiple RealNetworks products and versions including RealPlayer 10.x, RealOne Player, Rhapsody 3, and Helix Player allows remote attackers to execute arbitrary code via a crafted SWF (Flash) file with (1) a a size value that is less than the actual size, or (2) other unspecified manipulations.1015806SUSE-SA:2006:01817202ADV-2006-105719358GLSA-200603-24VU#2310281936519390realnetworks-swf-bo(25408)20060411 Realplayer .SWF Multiple Remote Memory Corruption VulnerabilitiesRHSA-2006:025719362690SQL injection vulnerability in WebspotBlogging 3.0 allows remote attackers to execute arbitrary SQL commands and bypass authentication via the username parameter to login.php.20060119 [eVuln] WebspotBlogging Authentication Bypass Vulnerability16319ADV-2006-026818560226701015522webspotblogging-login-sql-injection(24222)356Etomite Content Management System 0.6, and possibly earlier versions, when downloaded from the web site in January 2006 after January 10, contains a back door in manager/includes/todo.inc.php, which allows remote attackers to execute arbitrary commands via the "cij" parameter.ADV-2006-02831855620060130 Etomite followup information1633622693etomite-default-backdoor(24254)20060127 Etomite CMS TYPO3 3.7.1 allows remote attackers to obtain sensitive information via a direct request to (1) thumbs.php, (2) showpic.php, or (3) tables.php, which causes them to incorrectly define a variable and reveal the path in an error message when a require function call fails.20060119 IRM 015: File system path disclosure on TYPO3 Web Content Manager20060119 Re: IRM 015: File system path disclosure on TYPO3 Web Content Manage18546ADV-2006-0269226652266622667typo3-multiple-path-disclosure(24244)361Format string vulnerability in Tftpd32 2.81 allows remote attackers to cause a denial of service via format string specifiers in a filename in a (1) GET or (2) SEND request.20060119 Critical security advisory #006 tftpd32 Format stringADV-2006-0263185391633322661 tftpd32-request-format-string(24250)362SQL injection vulnerability in HITSENSER Data Mart Server BS, BS-S, BS-M, BS-L, and EX allows remote attackers to execute arbitrary SQL commands via unknown attack vectors.1855316326ADV-2006-0266226691015519hitachi-hitsenser-sql-injection(24240)Cross-site scripting (XSS) vulnerability in Gallery before 1.5.2 allows remote attackers to inject arbitrary web script or HTML via unknown attack vectors, possibly involving the user name (fullname).18557GLSA-200601-1316334ADV-2006-02822266018627gallery-unknown-xss(24247)DSA-114821502Buffer overflow in Change passwd 3.1 (chpasswd) SquirrelMail plugin allows local users to execute arbitrary code via long command line arguments.20060119 Change passwd 3.1 (SquirrelMail plugin ) changepassword-changepasswd-bo(24258)363Pantomime in Ecartis 1.0.0 snapshot 20050909 stores e-mail attachments in a publicly accessible directory, which may allow remote attackers to upload arbitrary files.[listar-dev] 20060115 [EDev] Re: Potential vulnerability -- who to contact?[listar-dev] 20060119 [EDev] Re: Potential vulnerability -- who to contact?16317ADV-2006-026018524 ecartis-pantomime-bypass-security(24220)Cross-site scripting (XSS) vulnerability in ar-blog 5.2 allows remote attackers to inject arbitrary web script or HTML via the (1) month or (2) year parameter to index.php.20060118 -2- [XSS] in ar-blog v 5.220060527 Multiple Xss exploits in ar-blog v 5.2 arblog-index-xss(24246)Cross-site scripting (XSS) vulnerability in search.php in My Amazon Store Manager 1.0 allows remote attackers to inject arbitrary web script or HTML via the Keywords parameter. NOTE: some sources claim that the affected parameter is "q", but the only public archive of the original researcher notification shows an XSS manipulation in "Keywords".16312ADV-2006-02521853522626masm-search-xss(24230)Multiple unspecified vulnerabilities in Kerio WinRoute Firewall before 6.1.4 Patch 1 allow remote attackers to cause a denial of service via multiple unspecified vectors involving (1) long strings received from Active Directory and (2) the filtering of HTML.16314ADV-2006-02472263118542kerio-winroute-html-dos(24232)kerio-winroute-activedirectory-dos(24233)Kerio WinRoute Firewall before 6.1.4 Patch 2 allows attackers to cause a denial of service (CPU consumption and hang) via unknown vectors involving "browsing the web".16385ADV-2006-03241858922631 kerio-winroute-browsing-dos(24317)Buffer overflow in multiple F-Secure Anti-Virus products and versions for Windows and Linux, including Anti-Virus for Windows Servers 5.52 and earlier, Internet Security 2004, 2005 and 2006, and Anti-Virus for Linux Servers 4.64 and earlier, allows remote attackers to execute arbitrary code via crafted ZIP archives.16309ADV-2006-025718529226321015507101550810155091015510Q-103 fsecure-zip-bo(24198)Multiple F-Secure Anti-Virus products and versions for Windows and Linux, including Anti-Virus for Windows Servers 5.52 and earlier, Internet Security 2004, 2005 and 2006, and Anti-Virus for Linux Servers 4.64 and earlier, allow remote attackers to hide arbitrary files and data via malformed (1) RAR and (2) ZIP archives, which are not properly scanned.16309ADV-2006-025718529226331015507101550810155091015510Q-103 fsecure-rar-zip-scan-bypass(24199)Buffer overflow in BitComet Client 0.60 allows remote attackers to execute arbitrary code, when the publisher's name link is clicked, via a long publisher URI in a torrent file.20060118 Fortinet Advisory: BitComet URI Buffer Overflow Vulnerability16311ADV-2006-02511852222625bitcomet-torrent-publisher-bo(24229)20060122 BitComet URI Proof of Concept20060118 Fortinet Advisory: BitComet URI Buffer Overflow Vulnerability357Unspecified vulnerability in Stack Group Bidding Protocol (SGBP) support in Cisco IOS 12.0 through 12.4 running on various Cisco products, when SGBP is enabled, allows remote attackers on the local network to cause a denial of service (device hang and network traffic loss) via a crafted UDP packet to port 9900.20060118 IOS Stack Group Bidding Protocol Crafted Packet DoS16303ADV-2006-024810155011849022624cisco-ios-sgbp-dos(24182)358Cross-site scripting (XSS) vulnerability in WCONSOLE.DLL in Rockliffe MailSite 5.x and 6.1.22 and earlier allows remote attackers to inject arbitrary web script or HTML via the query string.20060120 RockLiffe MailSite wconsole.dll Denial of Service/Script Injection VulnerabilityADV-2006-0284185511633022677mailsite-wconsole-xss(24256)RockLiffe MailSite HTTP Mail management agent (httpma) 7.0.3.1 allows remote attackers to cause a denial of service (CPU consumption and crash) via a malformed query string containing special characters such as "|".20060120 RockLiffe MailSite wconsole.dll Denial of Service/Script Injection VulnerabilityADV-2006-0284185511633122678mailsite-wconsole-dos(24255)Unspecified vulnerability in the Port Discovery Standard and Advanced features in Hitachi JP1/NetInsight II allows attackers to stop the Port Discovery service via unknown vectors involving "invalid format data".ADV-2006-02671853816327226761015520hitachi-jp1netinsight-port-dos(24243)Directory traversal vulnerability in Intervations FileCOPA FTP Server 1.01 allows remote attackers to read and write arbitrary files via a .. (dot dot) in the (1) STOR and (2) RETR commands.ADV-2006-0285185501633522694filecopa-ftp-directory-traversal(24257)Multiple SQL injection vulnerabilities in SaralBlog 1.0 allow remote attackers to execute arbitrary SQL commands via the search parameter to search.php. NOTE: the id/viewprofile.php issue is already covered by CVE-2005-4058.1630622740101551720060118 [eVuln] SaralBlog XSS & Multiple SQL Injection Vulnerabilities saralblog-search-sql-injection(24218)Cross-site scripting (XSS) vulnerability in SaralBlog 1.0 allows remote attackers to inject arbitrary web script or HTML via a website field in a new comment to view.php, which is not properly handled in the comment function in functions.php.16306101551720060118 [eVuln] SaralBlog XSS & Multiple SQL Injection Vulnerabilities 27907 saralblog-view-xss(24219)Directory traversal vulnerability in ELOG before 2.6.1 allows remote attackers to access arbitrary files outside of the elog directory via "../" (dot dot) sequences in the URL.16315ADV-2006-026218533elog-dotdot-directory-traversal(24224)22647DSA-96718783Format string vulnerability in the write_logfile function in ELOG before 2.6.1 allows remote attackers to cause a denial of service (server crash) via unknown attack vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.16315ADV-2006-02621853322646elog-elogd-format-string(24221)DSA-96718783SQL injection vulnerability in eggblog 2.0 allows remote attackers to execute arbitrary SQL commands via the id parameter to blog.php.1630510155051821222751eggblog-blog-sql-injection(24210)20060118 [eVuln] eggblog Multiple SQL Injection & XSS VulnerabilitiesCross-site scripting (XSS) vulnerability in eggblog 2.0 allow remote attackers to inject arbitrary web script or HTML via the message field to topic.php.163051015505182122275220060118 [eVuln] eggblog Multiple SQL Injection & XSS Vulnerabilities eggblog-topic-xss(24209)Unspecified "critical denial-of-service vulnerability" in MyDNS before 1.1.0 has unknown impact and attack vectors.ADV-2006-02562263618532GLSA-200601-1616431101552118653mydns-query-dos(24228)DSA-96318641The default configuration of Fluffington FLog 1.01 installs users.0.dat under the web document root with insufficient access control, which might allow remote attackers to obtain sensitive information (login credentials) via a direct request. NOTE: It was later reported that 1.1.2 is also affected.20060117 [eVuln] Flog Information Disclosure Vulnerability20070105 Flog 1.1.2 Remote Admin Password Disclosureflog-admin-info-disclosure(31307) flog-data-directory-insecure(24193)unix_random.c in lshd for lsh 2.0.1 leaks file descriptors related to the randomness generator, which allows local users to cause a denial of service by truncating the seed file, which prevents the server from starting, or obtain sensitive seed information that could be used to crack keys.[lsh-bugs] SECURITY: lshd leaks fd:s to user shellsADV-2006-03012269518564lsh-file-descriptor-leak(24263)DSA-9561635718623Cisco IOS before 12.3-7-JA2 on Aironet Wireless Access Points (WAP) allows remote authenticated users to cause a denial of service (termination of packet passing or termination of client connections) by sending the management interface a large number of spoofed ARP packets, which creates a large ARP table that exhausts memory, aka Bug ID CSCsc16644.20060112 Access Point Memory Exhaustion from ARP Attacks16217ADV-2006-0176101548318430cisco-aironet-arp-dos(24086)22375339Helmsman Research (aka CoolUtils) HomeFtp 1.1 allows remote attackers to cause an unspecified denial of service via a long USER command combined with a long PASS command and an NLST command.20060114 [KAPDA::#21] - HomeFtp v1.1 Denial of Service16238 homeftp-long-command-dos(24152)350Ari Pikivirta Home Ftp Server 1.0.7 allows remote attackers to cause an unspecified denial of service via a long USER command combined with a long PASS command.20060115 Homeftp r1.0.7 Denial of Service homeftpserver-long-command-dos(24227)Grant Averett Cerberus FTP Server 2.32, and possibly earlier versions, allows remote attackers to cause an unspecified denial of service via a long string that does not contain a valid FTP command.20060115 Cerberus FTP Server 2.32 Denial of Service cerberus-long-command-dos(24226)Multiple SQL injection vulnerabilities in PowerPortal, possibly 1.1 beta through 1.3, allow remote attackers to execute arbitrary SQL commands via the search parameter in (1) index.php and (2) search.php. NOTE: This issue might overlap CVE-2004-0663.2.20060117 PowerPortal Cross-Site Scripting Vulnerability16279279582795710172powerportal-search-index-xss(24196)Buffer overflow in CounterPath eyeBeam SIP Softphone allows remote attackers to (1) cause a denial of service (device crash) via SIP INVITE commands with a long header field name sent during startup and (2) cause a denial of service (device hang or crash) via SIP INVITE commands with a long header field name sent during a call.20060116 CounterPath eyeBeam Handing SIP header VulnerabilitiesADV-2006-0259185161625320060921 Re: CounterPath eyeBeam Handing SIP header Vulnerabilitieseyebeam-sip-header-bo(24181)354MPM SIP HP-180W Wireless IP Phone WE.00.17 allows remote attackers to obtain sensitive information and possibly cause a denial of service via a direct connection to UDP port 9090, which is undocumented and does not require authentication.20060116 MPM HP-180W VoIP wireless desktop phone undocumented port UDP/90901628518512 mpn-hp180w-default-port(24147)Cross-site scripting (XSS) vulnerability in addcomment.php in Bit 5 Blog 8.01 allows remote attackers to inject arbitrary web script or HTML via a javascript URI in an <a> tag in the comment parameter, which strips most tags but not <a>.20060115 [eVuln] Bit 5 Blog JavaScript Insertion VulnerabilityADV-2006-0195224461846416246 bit5blog-addcomment-xss(24129)TippingPoint Intrusion Prevention System (IPS) TOS before 2.1.4.6324, and TOS 2.2.x before 2.2.1.6506, allow remote attackers to cause a denial of service (CPU consumption) via an unknown vector, probably involving an HTTP request with a negative number in the Content-Length header.2250410155111851516299 tippingpoint-ips-http-traffic-dos(24200)The "Remember my Password" feature in MSN Messenger 7.5 stores passwords in an encrypted format under the HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Creds registry key, which might allow local users to obtain the original passwords via a program that calls CryptUnprotectData, as demonstrated by the "MSN Password Recovery.exe" program. NOTE: it could be argued that local-only password recovery is inherently insecure because the decryption methods and keys must be stored somewhere on the local system, and are thus inherently accessible with varying degrees of effort. Perhaps this issue should not be included in CVE.20060113 Re: MSN Messenger Password Decrypter for WinXP/200320060117 Re: MSN Messenger Password Decrypter for WinXP/2003Cross-site scripting (XSS) vulnerability in MyBulletinBoard (MyBB) allows remote attackers to inject arbitrary web script or HTML via a signature containing a JavaScript URI in the SRC attribute of an IMG element, in which the URI uses SGML numeric character references without trailing semicolons, as demonstrated by "javascript".20060118 MyBB Signature HTML Code Injection16308ADV-2006-025518544mybb-html-signature-xss(24225)22628Cross-site scripting (XSS) vulnerability in XMB (aka extreme message board) allows remote attackers to inject arbitrary web script or HTML via JavaScript in the SRC attribute of an IMG element.20060118 XMB Forum HTML Code Injection 27920 xmbforum-imgsrc-xss(24208)Cross-site scripting (XSS) vulnerability in Phpclanwebsite (aka PCW) allows remote attackers to inject arbitrary web script or HTML via a javascript URI in a BBCode img tag.A simple fix has been released on the Main PCW site available directly at <a href="http://www.phpclanwebsite.com/index.php?page=downloads&func=browselist&par=1">http://www.phpclanwebsite.com/index.php?page=downloads&func=browselist&par=1 </a>Please download and install imediately. 20060117 Phpclanwebsite BBCode IMG Tag XSS Vulnerability16300ADV-2006-025418541Unspecified vulnerability in Cisco CallManager 3.2 and earlier, 3.3 before 3.3(5)SR1, 4.0 before 4.0(2a)SR2c, and 4.1 before 4.1(3)SR2 allows remote authenticated users with read-only administrative privileges to obtain full administrative privileges via a "crafted URL on the CCMAdmin web page."20060118 Cisco Call Manager Privilege Escalation16293ADV-2006-025018501226211015502 cisco-callmanager-ccmadmin-gain-priv(24172)Cisco CallManager 3.2 and earlier, 3.3 before 3.3(5)SR1, 4.0 before 4.0(2a)SR2c, and 4.1 before 4.1(3)SR2 allow remote attackers to (1) cause a denial of service (CPU and memory consumption) via a large number of open TCP connections to port 2000 and (2) cause a denial of service (fill the Windows Service Manager communication queue) via a large number of TCP connections to port 2001, 2002, or 7727.20060118 Cisco Call Manager Denial of Service16295ADV-2006-02491849422622226231015503cisco-callmanager-port-connection-dos(24180)359** DISPUTED ** MySQL 5.0.18 allows local users with access to a VIEW to obtain sensitive information via the "SELECT * FROM information_schema.views;" query, which returns the query that created the VIEW. NOTE: this issue has been disputed by third parties, saying that the availability of the schema is a normal and sometimes desired aspect of database access.20060120 MySQL 5.0 information leak?20060121 RE: MySQL 5.0 information leak?20060121 Re: MySQL 5.0 information leak?20060123 RE: MySQL 5.0 information leak?20060124 Re: MySQL 5.0 information leak?20060128 Re: MySQL 5.0 information leak?20060122 Re: MySQL 5.0 information leak?Noah Medling RCBlog 1.03 stores the data and config directories under the web root with insufficient access control, which allows remote attackers to view account names and MD5 password hashes.20060120 [eVuln] RCBlog Directory Traversal & Sensitive Information Disclosure18547226791015523rcblog-data-config-insecure-directories(24249)Directory traversal vulnerability in index.php in Noah Medling RCBlog 1.03 allows remote attackers to read arbitrary .txt files, possibly including one that stores the administrator's account name and password, via a .. (dot dot) in the post parameter.20060120 [eVuln] RCBlog Directory Traversal & Sensitive Information Disclosure1634218547226801015523rcblog-index-directory-traversal(24248)20060218 RCblog exploit [fun] 20060611 RCblog 1.03 Directory Traversal [index.php] rcblog-index-file-include(27042)Multiple SQL injection vulnerabilities in config.php in Insane Visions BlogPHP, possibly 1.0, allow remote attackers to execute arbitrary SQL commands via the (1) blogphp_username or (2) blogphp_password parameter in a cookie.BlogPHP version 2.0 was released to fix the config.php exploit and is available for download at <a href="http://sourceforge.net/project/showfiles.php?group_id=156043">http://sourceforge.net/project/showfiles.php?group_id=156043</a>.20060120 BlogPHP config.php SQL injection login bypass20060120 BlogPHP config.php SQL injection login bypass1634020060121 BlogPHP config.php SQL injection login bypassed22738 blogphp-index-bypass-security(24131)365Cross-site scripting (XSS) vulnerability in register.aspx in Douran FollowWeb allows remote attackers to inject arbitrary web script or HTML via unknown attack vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.16302 27918Advantage Century Telecommunication (ACT) P202S IP Phone 1.01.21 running firmware 1.1.21 has multiple undocumented ports available, which (1) might allow remote attackers to obtain sensitive information, such as memory contents and internal operating-system data, by directly accessing the VxWorks WDB remote debugging ONCRPC (aka wdbrpc) on UDP 17185, (2) reflect network data using echo (TCP 7), or (3) gain access without authentication using rlogin (TCP 513).20060116 ACT P202S VoIP wireless phone multiple undocumented ports/services1851416288act-p202s-default-port(24149)Advantage Century Telecommunication (ACT) P202S IP Phone 1.01.21 running firmware 1.1.21 on VxWorks uses a hardcoded Network Time Protocol (NTP) server in Taiwan, which could allow remote attackers to provide false time information, block access to time information, or conduct other attacks.20060116 ACT P202S VoIP wireless phone multiple undocumented ports/services1851416288 act-p202s-default-port(24149)The 802.11 wireless client in certain operating systems including Windows 2000, Windows XP, and Windows Server 2003 does not warn the user when (1) it establishes an association with a station in ad hoc (aka peer-to-peer) mode or (2) a station in ad hoc mode establishes an association with it, which allows remote attackers to put unexpected wireless communication into place.20060114 [NMRC Advisory] Microsoft Windows Wireless Exposure on Laptops1015489 windows-wireless-adhoc-unauth-access(24157)349CRLF injection vulnerability in SquirrelMail 1.4.0 to 1.4.5 allows remote attackers to inject arbitrary IMAP commands via newline characters in the mailbox parameter of the sqimap_mailbox_select command, aka "IMAP injection."16756ADV-2006-0689101566218985squirrelmail-mailbox-imap-injection(24849)DSA-988FEDORA-2006-133MDKSA-2006:049SUSE-SR:2006:005191311913019176GLSA-200603-0919205RHSA-2006:028319960 20060501-01-U 20210MDKSA-2006:049Cross-site scripting (XSS) vulnerability in Netrix X-Site Manager allows remote attackers to inject arbitrary web script or HTML via the product_id parameter, as originally demonstrated for a custom mp3players_details.php program. NOTE: the name of the affected program might be installation-dependent, but it has been identified as "product_details.php" by some sources.16313ADV-2006-02532263418537xsitemanager-productdetails-xss(24234)FreeBSD kernel 5.4-STABLE and 6.0 does not completely initialize a buffer before making it available to userland, which could allow local users to read portions of kernel memory.FreeBSD-SA-06:061637318599227301015541bsd-buffer-initialization-disclosure(24338)A logic error in FreeBSD kernel 5.4-STABLE and 6.0 causes the kernel to calculate an incorrect buffer length, which causes more data to be copied to userland than intended, which could allow local users to read portions of kernel memory.FreeBSD-SA-06:061637318599227311015541bsd-buffer-length-disclosure(24340)A logic error in the IP fragment cache functionality in pf in FreeBSD 5.3, 5.4, and 6.0, and OpenBSD, when a 'scrub fragment crop' or 'scrub fragment drop-ovl' rule is being used, allows remote attackers to cause a denial of service (crash) via crafted packets that cause a packet fragment to be inserted twice.FreeBSD-SA-06:071637518609227321015542bsd-pf-fragment-dos(24337)NetBSD-SA2006-004Apple Mac OS X 10.4.5 and allows local users to cause a denial of service (crash) via an undocumented system call.APPLE-SA-2006-02-1416654ADV-2006-059723190101563418907macosx-system-call-dos(24682)IPSec when used with VPN networks in Mac OS X 10.4 through 10.4.5 allows remote attackers to cause a denial of service (application crash) via unspecified vectors involving the "incorrect handling of error conditions".APPLE-SA-2006-03-0116907ADV-2006-079119064 23643 macosx-vpn-dos(25025)TA06-062Aautomount in Mac OS X 10.4.5 and earlier allows remote file servers to cause a denial of service (unresponsiveness) or execute arbitrary code via unspecified vectors that cause automount to "mount file systems with reserved names".APPLE-SA-2006-03-0116907ADV-2006-0791190641015709macosx-automount-execute-code(25021)23640TA06-062AFileVault in Mac OS X 10.4.5 and earlier does not properly mount user directories when creating a FileVault image, which allows local users to access protected files when FileVault is enabled.APPLE-SA-2006-03-0116907ADV-2006-07911906423642macosx-filevault-file-access(25024)TA06-062AStack-based buffer overflow in Safari in Mac OS X 10.4.5 and earlier, and 10.3.9 and earlier, allows remote attackers to execute arbitrary code via unspecified vectors involving a web page with crafted JavaScript, a different vulnerability than CVE-2005-4504.APPLE-SA-2006-03-0116907ADV-2006-079119064VU#1767321015713 macosx-safari-bo(25032)TA06-062ASafari in Mac OS X 10.3 before 10.3.9 and 10.4 before 10.4.5 allows remote attackers to redirect users to local files and execute arbitrary JavaScript via unspecified vectors involving HTTP redirection to local resources.APPLE-SA-2006-03-0116907ADV-2006-0791190641015713 macosx-safari-http-redirect(25038)TA06-062ACross-site scripting (XSS) vulnerability in Syndication (Safari RSS) in Mac OS X 10.4 through 10.4.5 allows remote attackers to execute arbitrary JavaScript via unspecified vectors involving RSS feeds.APPLE-SA-2006-03-0116907ADV-2006-07911906423649 macosx-syndication-xss(25040)TA06-062A** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-4504. Reason: This candidate is a duplicate of CVE-2005-4504. Notes: All CVE users should reference CVE-2005-4504 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.Directory traversal vulnerability in the BOM framework in Mac OS X 10.x before 10.3.9 and 10.4 before 10.4.5 allows user-assisted attackers to overwrite or create arbitrary files via an archive that is handled by BOMArchiveHelper.20060302 Apple MacOS X BOMArchiveHelper Directory Traversal VulnerabilityAPPLE-SA-2006-03-0116907ADV-2006-07911906423641 macosx-bom-directory-traversal(25023)TA06-062ABuffer overflow in Apple Mac OS X 10.4.7 allows user-assisted attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted Canon RAW image.APPLE-SA-2006-08-0121253VU#527236ADV-2006-3101macosx-raw-image-bo(28142)2773919289 TA06-214AOpenSSH in Apple Mac OS X 10.4.7 allows remote attackers to cause a denial of service or determine account existence by attempting to log in using an invalid user, which causes the server to hang.APPLE-SA-2006-08-0121253ADV-2006-3101macosx-openssh-nonexistent-user-dos(28147)27745101667219289 TA06-214A** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2006-0848. Reason: This candidate is a duplicate of CVE-2006-0848. Notes: All CVE users should reference CVE-2006-0848 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.The Download Validation in Mail in Mac OS X 10.4 does not properly recognize attachment file types to warn a user of an unsafe type, which allows user-assisted remote attackers to execute arbitrary code via crafted file types.APPLE-SA-2006-03-0116907ADV-2006-07912364519064macosx-mail-bypass-security(25027)TA06-062ABuffer overflow in Mail in Apple Mac OS X 10.4 up to 10.4.5, when patched with Security Update 2006-001, allows remote attackers to execute arbitrary code via a long Real Name value in an e-mail attachment sent in AppleDouble format, which triggers the overflow when the user double-clicks on an attachment.APPLE-SA-2006-03-1317081ADV-2006-09491912920060314 DMA[2006-0313a] - 'Apple OSX Mail.app RFC1740 Real Name Buffer Overflow'1015762VU#980084macosx-mail-attachment-bo(25209)23872Unspecified vulnerability in Safari, LaunchServices, and/or CoreTypes in Apple Mac OS X 10.4 up to 10.4.5 allows attackers to trick a user into opening an application that appears to be a safe file type. NOTE: due to the lack of specific information in the vendor advisory, it is not clear how CVE-2006-0397, CVE-2006-0398, and CVE-2006-0399 are different.APPLE-SA-2006-03-13ADV-2006-094919129238691015760macosx-safefiletype-command-execution(25269)Unspecified vulnerability in Safari, LaunchServices, and/or CoreTypes in Apple Mac OS X 10.4 up to 10.4.5 allows attackers to trick a user into opening an application that appears to be a safe file type. NOTE: due to the lack of specific information in the vendor advisory, it is not clear how CVE-2006-0397, CVE-2006-0398, and CVE-2006-0399 are different.APPLE-SA-2006-03-13ADV-2006-094919129238701015760macosx-safefiletype-command-execution(25269)Unspecified vulnerability in Safari, LaunchServices, and/or CoreTypes in Apple Mac OS X 10.4 up to 10.4.5 allows attackers to trick a user into opening an application that appears to be a safe file type. NOTE: due to the lack of specific information in the vendor advisory, it is not clear how CVE-2006-0397, CVE-2006-0398, and CVE-2006-0399 are different.APPLE-SA-2006-03-13ADV-2006-094919129238711015760macosx-safefiletype-command-execution(25269)CoreTypes in Apple Mac OS X 10.4 up to 10.4.5 allows remote attackers to bypass the same-origin policy and execute Javascript in other domains via unknown vectors involving "crafted archives."APPLE-SA-2006-03-1317082ADV-2006-0949191291015763macosx-sameorigin-policy-bypass(25208)23873Unspecified vulnerability in Mac OS X before 10.4.6, when running on an Intel-based computer, allows attackers with physical access to bypass the firmware password and log on in Single User Mode via unspecified vectors.17364ADV-2006-1215194621015859macosx-firmware-password-bypass(25620)24399SQL injection vulnerability in Zoph before 0.5pre1 allows remote attackers to execute arbitrary SQL commands.16347ADV-2006-029718563zoph-sql-injection(24264)22743DSA-98919153Multiple SQL injection vulnerabilities in e-moBLOG 1.3 allow remote attackers to execute arbitrary SQL commands via the (1) monthy parameter to index.php or (2) login parameter to admin/index.php. NOTE: some sources have reported item 1 as involving the "monthly" parameter, but this is incorrect.16344ADV-2006-0296101552418567emoblog-index-sql-injection(24245)20060122 [eVuln] e-moBLOG SQL Injection Vulnerability2270022701[VIM] 20060125 The parameter in e-moBLOG is "monthy" [sic]370Note-A-Day Weblog 2.2 stores sensitive data under the web document root with insufficient access control, which allows remote attackers to obtain sensitive information via a direct request to archive/.phpass-admin, which contains encrypted passwords.ADV-2006-029918566noteaday-archive-directory-insecure(24270)20060122 [eVuln] Note-A-Day Weblog Sensitive Information Disclosure226991015539371The TIFFFetchShortPair function in tif_dirread.c in libtiff 3.8.0 allows remote attackers to cause a denial of service (application crash) via a crafted TIFF image that triggers a NULL pointer dereference, possibly due to changes in type declarations and/or the TIFFVSetField function.18587libtiff-tiffvsetfield-dos(24275)ADV-2006-0302GLSA-200605-171817220345search.php in MyBB 1.0.2 allows remote attackers to obtain sensitive information via a certain search request that reveals the table prefix in a SQL error message, possibly due to invalid parameters.20060114 MyBB 1.0.2 Sniffing table perfix bug in search.php18577mybb-search-information-disclosure(24272)22736Cross-site scripting (XSS) vulnerability in post.php in AZ Bulletin Board (AZbb) 1.1.00 and earlier allows remote attackers to inject arbitrary web script or HTML via the (1) nickname parameter and (2) an iframe tag in the topic parameter. NOTE: the original disclosure specified the name parameter, but a correction was later provided. NOTE: followup posts have both disputed and confirmed the original claim.ADV-2006-02981856520060123 Azbb v1.1.00 Cross-Site Scripting20060128 [CORRECTIONS AND ADDITIONS ]Azbb v1.1.00 Cross-Site Scripting16351azbulletinboard-post-xss(24274)20060308 Re: [CORRECTIONS AND ADDITIONS ]Azbb v1.1.00 Cross-Site Scripting 20060309 Re: Re: [CORRECTIONS AND ADDITIONS ]Azbb v1.1.00 Cross-Site Scripting20060308 Re: [CORRECTIONS AND ADDITIONS ]Azbb v1.1.00 Cross-Site Scriptingrsh utility in Sun Grid Engine (SGE) before 6.0u7_1 allows local users to gain privileges and execute arbitrary code via unspecified vectors, possibly involving command line arguments.ADV-2006-0308185801015531sge-rsh-gain-privileges(24281)16366Cross-site scripting (XSS) vulnerability in index.php in Pixelpost Photoblog 1.4.3 allows remote attackers to inject arbitrary web script or HTML via the "Add Comment" field in a comment popup.16362ADV-2006-030918572pixelpost-index-xss(24261)20060123 [eVuln] Pixelpost Photoblog XSS Vulnerability1015529SQL injection vulnerability in ADOdb before 4.71, when using PostgreSQL, allows remote attackers to execute arbitrary SQL commands via unspecified attack vectors involving binary strings.1636418575ADV-2006-031522705adodb-postgresql-sql-injection(24314)GLSA-200602-02ADV-2006-04481873218745DSA-1029DSA-1030DSA-1031195551959019591GLSA-200604-07 19691claro_init_local.inc.php in Claroline 1.7.2 uses guessable session cookies (MD5 hash of connection time), which allows remote attackers to hijack sessions and possibly gain administrative privileges.20060120 Claroline 1.7.2, sso identification vulnerability16341ADV-2006-032018588claroline-cookie-bypass-security(24326)SQL injection vulnerability in CyberShop allows remote attackers to execute arbitrary SQL commands and bypass authentication via the username parameter in a login action.20060105 CyberShop User Login Sql Injection22365cybershop-login-sql-injection(24005)Multiple SQL injection vulnerabilities in index.php in NewsPHP allow remote attackers to execute arbitrary SQL commands via the (1) discuss, (2) tim, (3) id, (4) last, and (5) limit parameter.1633920060122 Newsphp Multiple SQL Injection VulnerabilitiesADV-2006-03411862422717newsphp-index-sql-injection(24320)Tor before 0.1.1.20 allows remote attackers to identify hidden services via a malicious Tor server that attempts a large number of accesses of the hidden service, which eventually causes a circuit to be built through the malicious server.1857622689tor-service-information-disclosure(24285)GLSA-200606-04183232051419795Cross-site scripting (XSS) vulnerability in index.php in SleeperChat 0.3f and earlier allows remote attackers to inject arbitrary web script or HTML via the pseudo parameter.16363101552522784sleeperchat-index-xss(24300)SleeperChat 0.3f and earlier allows remote attackers to bypass authentication and create new entries via the txt parameter to (1) chat_no.php and (2) chat_if.php.1015525sleeperchat-txt-security-bypass(24357)SQL injection vulnerability in login.php in miniBloggie 1.0 and earlier, when gpc_magic_quotes is disabled, allows remote attackers to execute arbitrary SQL commands and bypass authentication via the (1) username and (2) password parameters.ADV-2006-031018604minibloggie-login-sql-injection(24280)20060124 [eVuln] miniBloggie Authentication Bypass16367227291015534Eval injection vulnerability in 123 Flash Chat Server 5.0 and 5.1 allows attackers to execute arbitrary code via a crafted username.1636020060124 [ISecAuditors Advisories] Arbitrary flash code remote execution in 123flashchatBEA WebLogic Server and WebLogic Express 9.0, 8.1 through SP5, and 7.0 through SP6 allows anonymous binds to the embedded LDAP server, which allows remote attackers to read user entries or cause a denial of service (unspecified) via a large number of connections.1015528BEA WebLogic Server and WebLogic Express 8.1 through SP4 and 7.0 through SP6 does not properly handle when servlets use relative forwarding, which allows remote attackers to cause a denial of service (slowdown) via unknown attack vectors that cause "looping stack overflow errors."1015528By design, BEA WebLogic Server and WebLogic Express 7.0 and 6.1, when creating multiple domains from the same WebLogic instance on the same machine, allows administrators of any created domain to access other created domains, which could allow administrators to gain privileges that were not intended.16358ADV-2006-0313101552818581weblogic-cross-domain-management(24286)Multiple unspecified vulnerabilities in BEA WebLogic Server and WebLogic Express 8.1 through SP4, 7.0 through SP6, and 6.1 through SP7 allow remote attackers to access MBean attributes or cause an unspecified denial of service via unknown attack vectors.16358ADV-2006-0313101552818592weblogic-java-mbean-access(24294)BEA WebLogic Portal 8.1 through SP3 stores the password for the RDBMS Authentication provider in cleartext in the config.xml file, which allows attackers to gain privileges.16358ADV-2006-03121015528weblogicportal-config-info-disclosure(24284)18593BEA08-110.01ADV-2008-0613BEA WebLogic Server and WebLogic Express 8.1 through SP4, 7.0 through SP6, and 6.1 through SP7 allows remote authenticated guest users to read the server log and obtain sensitive configuration information.16358ADV-2006-0313101552818592weblogic-server-log-disclosure(24295)22776BEA WebLogic Portal 8.1 through SP4 allows remote attackers to obtain the source for a deployment descriptor file via unknown vectors.16358ADV-2006-03121015528weblogic-deployment-descriptor-disclosure(24297)18593BEA WebLogic Server and WebLogic Express 8.1 through SP4, when configuration auditing is enabled and a password change occurs, stores the old and new passwords in cleartext in the DefaultAuditRecorder.log file, which could allow attackers to gain privileges.16358ADV-2006-0313101552818592weblogic-password-information-disclosure(24290)22775Unspecified vulnerability in BEA WebLogic Server and WebLogic Express 9.0 and 8.1 through SP5 allows malicious EJBs or servlet applications to decrypt system passwords, possibly by accessing functionality that should have been restricted.16358ADV-2006-0313101552818592weblogic-servlets-obtain-information(24291)22774Unspecified vulnerability in BEA WebLogic Portal 8.1 SP3 through SP5, when using Web Services Remote Portlets (WSRP), allows remote attackers to access restricted web resources via crafted URLs.16358ADV-2006-03121015528weblogic-wsrp-gain-access(24293)2276718593BEA WebLogic Server and WebLogic Express 9.0 causes new security providers to appear active even if they have not been activated by a server reboot, which could cause an administrator to perform inappropriate, security-relevant actions.16358ADV-2006-0313101552818592weblogic-security-provider-weakness(24298)22773Certain configurations of BEA WebLogic Server and WebLogic Express 9.0, 8.1 through SP5, and 7.0 through SP6, when connection filters are enabled, cause the server to run more slowly, which makes it easier for remote attackers to cause a denial of service (server slowdown).16358ADV-2006-0313101552818592 weblogic-connection-filter-dos(24301)Unspecified vulnerability in BEA WebLogic Server and WebLogic Express 8.1 SP5 allows untrusted applications to obtain the server's SSL identity via unknown attack vectors.16358ADV-2006-0313101552818592 weblogic-ssl-identity-exposure(24302)Unspecified vulnerability in BEA WebLogic Server and WebLogic Express 9.0, when an Administrator uses the WebLogic Administration Console to add custom security policies, causes incorrect policies to be created, which prevents the server from properly protecting JNDI resources.16358ADV-2006-0313101552818592weblogic-jdni-security-weakness(24299)Selective Acknowledgement (SACK) in FreeBSD 5.3 and 5.4 does not properly handle an incoming selective acknowledgement when there is insufficient memory, which might allow remote attackers to cause a denial of service (infinite loop).FreeBSD-SA-06:081646622861186961015566 ADV-2006-0409 bsd-sack-handling-dos(24453)399Directory traversal vulnerability in action.php in phpXplorer allows remote attackers to read arbitrary files via ".." (dot dot) sequences and null bytes in the sAction parameter, a different vulnerability than CVE-2006-0244. NOTE: if the functionality of phpXplorer supports the upload of PHP files, then this issue would not cross privilege boundaries and would not be a vulnerability.20060118 phpXplorer file inclusion biyosecurity.be16292phpxplorer-sshare-directory-traversal(39982)Unspecified vulnerability in Oracle PL/SQL (PLSQL), as used in Database Server DS 9.2.0.7 and 10.1.0.5, Application Server 1.0.2.2, 9.0.4.2, 10.1.2.0.2, 10.1.2.1.0, and 10.1.3.0.0, E-Business Suite and Applications 11.5.10, and Collaboration Suite 10.1.1, 10.1.2.0, 10.1.2.1, and 9.0.4.2, allows attackers to bypass the PLSQLExclusion list and access excluded packages and procedures, aka Vuln# PLSQL01.20060125 Workaround for unpatched Oracle PLSQL Gateway flaw16384ADV-2006-033820060131 Re: Workaround for unpatched Oracle PLSQL Gateway flaw20060125 Workaround for unpatched Oracle PLSQL Gateway flawVU#1691642271910155441862120060202 The History of the Oracle PLSQL Gateway Flaw20060202 More on the workaround for the unpatched Oracle PLSQL Gateway flaw20060208 Re: Workaround for unpatched Oracle PLSQL Gateway flawADV-2006-1397101596119712HPSBMA02113ADV-2006-157119859 20060202 More on the workaround for the unpatched Oracle PLSQL Gateway flaw 20060202 The History of the Oracle PLSQL Gateway Flaw oracle-plsql-command-execution(24363)402403Unspecified vulnerability in HP HP-UX B.11.00, B.11.04, and B.11.11 allows local users to gain privileges via unknown attack vectors.HPSBUX020911015530ADV-2006-032218600hpux-unspecified-privilege-escalation(24318)18596oval:org.mitre.oval:def:1453oval:org.mitre.oval:def:1577oval:org.mitre.oval:def:1586Cross-site scripting (XSS) vulnerability in admin_smilies.php in phpBB 2.0.19 allows remote attackers to inject arbitrary web script or HTML via Javascript events such as "onmouseover" in the (1) smile_url or (2) smile_emotion parameters, which bypasses a check for "<" and ">" characters.ADV-2006-04451869320060203 phpBB 2.0.19 Cross Site Request Forgeries and XSS Admin22928phpbb-referer-header-http-xss(24497)406Cross-site request forgery (CSRF) vulnerability in phpBB 2.0.19, when Link to off-site Avatar or bbcode (IMG) are enabled, allows remote attackers to perform unauthorized actions as a logged in user via a link or IMG tag in a user profile, as demonstrated using links to (1) admin/admin_users.php and (2) modcp.php.ADV-2006-04451869320060203 phpBB 2.0.19 Cross Site Request Forgeries and XSS Admin22929phpbb-referer-header-http-xss(24497)406Text Rider 2.4 stores sensitive data in the data directory under the web document root with insufficient access control, which allows remote attackers to obtain usernames and password hashes by directly accessing data/userlist.txt.ADV-2006-032118605textrider-data-directory-insecure(24279)20060124 [eVuln] Text Rider Sensitive Information Disclosure1015533Text Rider 2.4 allows attackers to bypass authentication and upload files without providing a valid password by obtaining the MD5 hash of the password (possibly via another vulnerability that reads it from a data file), then including the hash in a cookie.20060124 [eVuln] Text Rider Sensitive Information Disclosure1015533Stack-based buffer overflow in Sami FTP Server 2.0.1 allows remote attackers to execute arbitrary code via a long USER command, which triggers the overflow when the log is viewed.16370ADV-2006-03171857420060124 SamiFTPd buffer overflowsamiftpserver-user-bo(24325)Multiple cross-site scripting (XSS) vulnerabilities in usercp.php in MyBulletinBoard (MyBB) 1.02 allow remote attackers to inject arbitrary web script or HTML via the (1) notepad parameter in a notepad action and (2) signature parameter in a editsig action. NOTE: These are different attack vectors, and probably a different vulnerability, than CVE-2006-0218 and CVE-2006-0219.ADV-2006-03161860320060124 [KAPDA::#25] - MyBB 1.x Cross_Site_Scripting163611015535Cross-site scripting (XSS) vulnerability in archive.php in CheesyBlog 1.0 allows remote attackers to inject arbitrary web script or HTML via the (1) realname and (2) comment parameters, or (3) via a javascript URI in the url parameter, when adding a comment.20060125 [eVuln] CheesyBlog XSS Vulnerability16376ADV-2006-03262271618610cheesyblog-archive-xss(24292)369SQL injection vulnerability in index.php in Phpclanwebsite (aka PCW) 1.23.1 allows remote attackers to execute arbitrary SQL commands via the (1) par parameter in the post function on the forum page and possibly the (2) poll_id parameter on the poll page. NOTE: the poll_id vector can also allow resultant cross-site scripting (XSS) from an unquoted error message for invalid SQL syntax.A simple fix has been released on the Main PCW site available directly at <a href="http://www.phpclanwebsite.com/index.php?page=downloads&func=browselist&par=1">http://www.phpclanwebsite.com/index.php?page=downloads&func=browselist&par=1</a> Please download and install imediately. Tech note: Filters id number (par) to contain numbers only. 20060125 HYSA-2006-002 Phpclanwebsite 1.23.1 Multiple VulnerabilitiesADV-2006-034218597163912272022722phpclanwebsite-index-sql-injection(24355)index.php in Phpclanwebsite 1.23.1 allows remote authenticated users to obtain the installation path by specifying an invalid file name to the uploader page, as demonstrated by "\", which will display the full path of uploader.php. NOTE: this might be the result of a file inclusion vulnerability.Please add the following to the config.php file to avoid all such exploits. ini_set('display_errors', false); 20060125 HYSA-2006-002 Phpclanwebsite 1.23.1 Multiple Vulnerabilities1639122721Unspecified vulnerability in WeBWorK 2.1.3 and 2.2-pre1 allows remote privilged attackers to execute arbitrary commands as the web server via unknown attack vectors.ADV-2006-03191859416371webwork-unknown-command-execution(24322)Multiple buffer overflows in E-Post Mail Server 4.10 and SPA-PRO Mail @Solomon 4.00 allow remote attackers to execute arbitrary code via a long username to the (1) AUTH PLAIN or (2) AUTH LOGIN SMTP commands, which is not properly handled by (a) EPSTRS.EXE or (b) SPA-RS.EXE; (3) a long username in the APOP POP3 command, which is not properly handled by (c) EPSTPOP4S.EXE or (d) SPA-POP3S.EXE; (4) a long IMAP DELETE command, which is not properly handled by (e) EPSTIMAP4S.EXE or (f) SPA-IMAP4S.EXE.ADV-2006-03181848016379227612276222763epost-imap-mailbox-dos(24334)epost-pop3-username-bo(24333)epost-smtp-username-bo(24331)Multiple directory traversal vulnerabilities in (1) EPSTIMAP4S.EXE and (2) SPA-IMAP4S.EXE in the IMAP service in E-Post Mail 4.05 and SPA-PRO Mail 4.05 allow remote attackers to (a) list arbitrary directories or cause a denial of service via the LIST command; or create arbitrary files via the (b) APPEND, (c) COPY, or (d) RENAME commands.ADV-2006-031818480163792276422765epost--append-copy-rename-file-creation(24336)epost-imap-list-directory-traversal(24335)Early termination vulnerability in the IMAP service in E-Post Mail 4.05 and SPA-PRO Mail 4.05 allows remote attackers to cause a denial of service (infinite loop) by sending an APPEND command and disconnecting before the expected amount of data is sent.ADV-2006-0318184801637922766epost-imap-append-dos(24341)phpBB 2.0.19 and earlier allows remote attackers to cause a denial of service (application crash) by (1) registering many users through profile.php or (2) using search.php to search in a certain way that confuses the database.20060125 HYSA-2006-001 phpBB 2.0.19 search.php and profile.php DOS Vulnerabilityphpbb-search-profile-dos(24327)368Multiple memory leaks in the LDAP component in Fedora Directory Server 1.0 allow remote attackers to cause a denial of service (memory consumption) via invalid BER packets that trigger an error, which might prevent memory from being freed if it was allocated during the ber_scanf call, as demonstrated using the ProtoVer LDAP test suite.1667718960 fedora-ber-memory-leak-dos(24794)dn2ancestor in the LDAP component in Fedora Directory Server 1.0 allows remote attackers to cause a denial of service (CPU and memory consumption) via a ModDN operation with a DN that contains a large number of "," (comma) characters, which results in a large amount of recursion, as demonstrated using the ProtoVer LDAP test suite.1667718960 fedora-dn2ancestor-dos(24796)The LDAP component in Fedora Directory Server 1.0 allow remote attackers to cause a denial of service (crash) via a certain "bad BER sequence" that results in a free of uninitialized memory, as demonstrated using the ProtoVer LDAP test suite.1667718960 fedora-ber-bad-sequence-dos(24795)Linux kernel before 2.6.15.3 down to 2.6.12, while constructing an ICMP response in icmp_send, does not properly handle when the ip_options_echo function in icmp.c fails, which allows remote attackers to cause a denial of service (crash) via vectors such as (1) record-route and (2) timestamp IP options with the needaddr bit set and a truncated value.[linux-kernel] 20060207 Linux 2.6.15.3[linux-kernel] 20060207 Re: Linux 2.6.15.3ADV-2006-0464SuSE-SA:2006:00618788USN-250-118861MDKSA-2006:0401653218766FLSA:157459-4[dailydave] 20060207 Fun with Linux (2.6.12 -> 2.6.15.2)FEDORA-2006-1022006-00061877418784 kernel-icmp-ipoptionsecho-dos(24575)MDKSA-2006:040gpgv in GnuPG before 1.4.2.1, when using unattended signature verification, returns a 0 exit code in certain cases even when the detached signature file does not carry a signature, which could cause programs that use gpgv to assume that the signature verification has succeeded. Note: this also occurs when running the equivalent command "gpg --verify".[gnupg-devel] 20060215 [Announce] False positive signature verification in GnuPG[gnupg-devel] 20060215 [Announce] False positive signature verification in GnuPG[gnupg-announce] 20060215 False positive signature verification in GnuPGADV-2006-06101884520060215 False positive signature verification in GnuPG[gnupg-devel] 20060215 [Announce] False positive signature verification in GnuPGDSA-978FEDORA-2006-11618956MDKSA-2006:043OpenPKG-SA-2006.001USN-252-12322118934189331894218955gnupg-gpgv-improper-verification(24744)GLSA-200602-10SuSE-SA:2006:00918956189682006-000816663[gnupg-devel] 20060215 [Announce] False positive signature verification in GnuPGSUSE-SR:2006:00519130SSA:2006-072-02RHSA-2006:02661924920060401-01-U19532FLSA-2006:185355SUSE-SA:2006:013MDKSA-2006:043The strnlen_user function in Linux kernel before 2.6.16 on IBM S/390 can return an incorrect value, which allows local users to cause a denial of service via unknown vectors.DSA-1103ADV-2006-25541868720914RHSA-2006:05752146522417Race condition in the (1) add_key, (2) request_key, and (3) keyctl functions in Linux kernel 2.6.x allows local users to cause a denial of service (crash) or read sensitive kernel memory by modifying the length of a string argument between the time that the kernel calculates the length and when it copies the data into kernel memory.USN-263-1170841922023894MDKSA-2006:059SUSE-SA:2006:028RHSA-2006:0575214652039822417 kernel-addkey-dos(25354)MDKSA-2006:059The DCC ACCEPT command handler in irssi before 0.8.9+0.8.10rc5-0ubuntu4.1 in Ubuntu Linux, and possibly other distributions, allows remote attackers to cause a denial of service (application crash) via certain crafted arguments in a DCC command.USN-259-11691319090 irssi-dcc-accept-dos(25147)flex.skl in Will Estes and John Millaway Fast Lexical Analyzer Generator (flex) before 2.5.33 does not allocate enough memory for grammars containing (1) REJECT statements or (2) trailing context rules, which causes flex to generate code that contains a buffer overflow that might allow context-dependent attackers to execute arbitrary code.[flex-announce] 20060222 flex 2.5.33 releasedDSA-102016896ADV-2006-0770234401907119424flex-bypass-security(24995)GLSA-200603-07USN-260-11912619228[flex-announce] 20060222 flex 2.5.33 released570Multiple buffer overflows in BomberClone before 0.11.6.2 allow remote attackers to execute arbitrary code via long error messages.GLSA-200602-09166971891418915ADV-2006-064323263bomberclone-error-message-bo(24764)DSA-99719210Cross-site scripting (XSS) vulnerability in core.input.php in ExpressionEngine 1.4.1 allows remote attackers to inject arbitrary web script or HTML via HTTP_REFERER (referer).ADV-2006-032520060125 [eVuln] ExpressionEngine %27Referer%27 XSS Vulnerability1637718602expressionengine-coreinput-xss(24296)372SQL injection vulnerability in comentarios.php in AndoNET Blog 2004.09.02 allows remote attackers to execute arbitrary SQL commands via the entrada parameter.ADV-2006-032720060126 [eVuln] AndoNET Blog SQL Injection Vulnerability163932275518633andonetblog-index-sql-injection(24309)377Cross-site scripting (XSS) vulnerability in IdeoContent Manager allows remote attackers to inject arbitrary web script or HTML via the (1) goto_id parameter to index.php or (2) page parameter to news_full.php.2271222713Multiple SQL injection vulnerabilities in index.php in IdeoContent Manager allow remote attackers to execute arbitrary SQL commands via the (1) goto_id or (2) mid parameter.22714Cross-site scripting (XSS) vulnerability in risultati_ricerca.php in active121 Site Manager allows remote attackers to inject arbitrary web script or HTML via the cerca parameter.22715Cross-site scripting (XSS) vulnerability in search.asp in Goldstag Content Management System allows remote attackers to inject arbitrary web script or HTML via the text parameter.22711goldstag-search-xss(25198)Unspecified vulnerability in Pioneers (formerly gnocatan) before 0.9.49 allows remote attackers to cause a denial of service (application crash) via long chat messages.ADV-2006-03761864716429DSA-96418692pioneers-chat-message-dos(24383)CommuniGate Pro Core Server before 5.0.7 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via LDAP messages with negative BER lengths, and possibly other vectors, as demonstrated by the ProtoVer LDAP test suite.20060128 Multiple vulnerabilities in CommuniGate Pro Server16407ADV-2006-036418640communigate-ldap-bo(24409)Cross-site scripting (XSS) vulnerability in UebiMiau 2.7.9, and possibly earlier versions, allows remote attackers to inject arbitrary web script or HTML via a javascript: URI in the SRC attribute of an IMG tag.20060129 UebiMiau Webmail System Security Vulnerability18655uebimiau-html-xss(24375)16413ADV-2006-0388387Cross-site scripting (XSS) vulnerability in search.php in MyBulletinBoard (MyBB) 1.02 allows remote attackers to inject arbitrary web script or HTML via the (1) sortby and (2) sortordr parameters, which are not properly handled in a redirection.20060125 MyBB 1.0.2 XSS attack in search.php redirectionADV-2006-0350186172275016387 mybb-search-xss(24466)374Cross-site scripting (XSS) vulnerability in the bbcode function in functions.php in my little homepage my little forum, as last modified in June 2005, allows remote attackers to inject arbitrary Javascript via a javascript URI in BBcode link tags.20060126 [eVuln] 'my little homepage' products [link] BBCode XSS Vulnerability16395ADV-2006-034918628mylittlehomepage-link-tag-xss(24310)22856[VIM] 20060130 My Little Homepage - source verify of different productsCross-site scripting (XSS) vulnerability in guestbook.php in my little homepage my little guestbook, as last modified in March 2004, allows remote attackers to inject arbitrary Javascript via a javascript URI in BBcode link tags.20060126 [eVuln] 'my little homepage' products [link] BBCode XSS Vulnerability16395ADV-2006-034918628mylittlehomepage-link-tag-xss(24310)22855[VIM] 20060130 My Little Homepage - source verify of different productsCross-site scripting (XSS) vulnerability in the bbcode function in weblog.php in my little homepage my little weblog, as last modified in April 2004, allows remote attackers to inject arbitrary Javascript via a javascript URI in BBcode link tags.20060126 [eVuln] 'my little homepage' products [link] BBCode XSS Vulnerability16395ADV-2006-034918628mylittlehomepage-link-tag-xss(24310)22753[VIM] 20060130 My Little Homepage - source verify of different products378Multiple integer overflows in Shareaza 2.2.1.0 allow remote attackers to execute arbitrary code via (1) a large packet length field, which causes an overflow in the ReadBuffer function in (a) BTPacket.cpp and (b) EDPacket.cpp, or (2) a large packet, which causes a heap-based overflow in the Write function in (c) Packet.h.20060127 Shareaza P2P Remote Vulnerability1639920060126 Shareaza Remote Vulnerabilityshareaza-btpacket-bo(24342)shareaza-cedpacket-bo(24343)shareaza-cpacket-bo(24344)382PHP-Ping 1.3 does not properly validate ping counts, which allows remote attackers to cause a denial of service (ping flood) via a negative count parameter.ADV-2006-036818645phpping-negative-count-dos(24382)Buffer overflow in Nullsoft Winamp 5.12 allows remote attackers to execute arbitrary code via a playlist (pls) file with a long file name (File1 field).20060130 Winamp 5.12 - 0day exploit - code execution through playlistADV-2006-03611864920060131 Re: Re: Winamp 5.12 - 0day exploit - code execution through playlistVU#6047451641022789winamp-playlist-computername-bo(24361)TA06-032A1015552oval:org.mitre.oval:def:1402 3422 1458386398Buffer overflow in git-checkout-index in GIT before 1.1.5 allows remote attackers to execute arbitrary code via an index file with a long symbolic link.ADV-2006-03671864316417git-gitcheckoutindex-bo(24360)CRE Loaded 6.15 allows remote attackers to perform privileged actions, including uploading and creating arbitrary files, via a direct request to files.php. NOTE: the vendor states "The initial announcement of this risk was made on our website... and it included a patch which will close the vulnerability on all known 6.0x and 6.1x releases. We strongly encourage users of CRE Loaded 6.x, osCMax, and other users of osCommerce who have installed HTMLArea based WYSIWYG editors and Admin Access with Levels to modify thier installations at the earliest possible moment."ADV-2006-0373186481641522793creloaded-files-auth-bypass(24377)[VIM] 20060203 vendor ack/fix: 22793: CRE Loaded files.php Unauthenticated Arbitrary File Upload (fwd)pmwiki.php in PmWiki 2.1 beta 20, with register_globals enabled, allows remote attackers to bypass protection mechanisms that deregister global variables by setting both a GPC variable and a GLOBALS[] variable with the same name, which causes PmWiki to unset the GLOBALS[] variable but not the GPC variable, which creates resultant vulnerabilities such as remote file inclusion and cross-site scripting (XSS).ADV-2006-03751863420060128 PmWiki Multiple Vulnerabilities16421pmwiki-multiple-xss(24368)pmwiki-path-disclosure(24366)1015550pmwiki-file-include(24367)Cross-site scripting (XSS) vulnerability in the Articles module in sPaiz-Nuke allows remote attackers to inject arbitrary web script or HTML via the query parameter in the search file.20060129 sPaiz-Nuke Cross-Site Scripting Vulnerability16412ADV-2006-038618672spaiznuke-modules-xss(24389)384Heap-based buffer overflow in the alpha strip capability in libpng 1.2.7 allows context-dependent attackers to cause a denial of service (crash) when the png_do_strip_filler function is used to strip alpha channels out of the image.ADV-2006-039318654libpng-pngsetstripalpha-bo(24396)RHSA-2006:0205166261015615101561718863Linux kernel 2.6.15.1 and earlier, when running on SPARC architectures, allows local users to cause a denial of service (hang) via a "date -s" command, which causes invalid sign extended arguments to be provided to the get_compat_timespec function call.[debian-sparc] 20060128 `date -s' on sparc64[linux-sparc] 20060130 Attempts to set date with 'date -s' hang the machine[linux-sparc] 20060130 Re: Attempts to set date with 'date -s' hang the machineADV-2006-0418kernel-date-s-dos(24475)DSA-10171721619374Cisco VPN 3000 series concentrators running software 4.7.0 through 4.7.2.A allow remote attackers to cause a denial of service (device reload or user disconnect) via a crafted HTTP packet.20060126 Cisco VPN 3000 Concentrator Vulnerable to Crafted HTTP Attack16394ADV-2006-034618629227541015546cisco-vpn-http-dos(24330)375Directory traversal vulnerability in Vis.pl, as part of the FACE CONTROL product, allows remote attackers to read arbitrary files via a .. (dot dot) in any parameter that opens a file, such as (1) s or (2) p.20060126 [HSC] Multiple transversal bug in vis101554716401facecontrol-vis-directory-traversal(24374)376The TCL shell in Cisco IOS 12.2(14)S before 12.2(14)S16, 12.2(18)S before 12.2(18)S11, and certain other releases before 25 January 2006 does not perform Authentication, Authorization, and Accounting (AAA) command authorization checks, which may allow local users to execute IOS EXEC commands that were prohibited via the AAA configuration, aka Bug ID CSCeh73049.20060125 Response to AAA Command Authorization by-pass16383ADV-2006-0337101554318613 cisco-aaa-tcl-auth-bypass(24308)34892Certain Cisco IOS releases in 12.2S based trains with maintenance release number 25 and later, 12.3T based trains, and 12.4 based trains reuse a Tcl Shell process across login sessions of different local users on the same terminal if the first user does not use tclquit before exiting, which may cause subsequent local users to execute unintended commands or bypass AAA command authorization checks, aka Bug ID CSCef77770.20060125 Response to AAA Command Authorization by-pass22723101554318613 cisco-aaa-tcl-auth-bypass(24308)Multiple unspecified vulnerabilities in Tumbleweed MailGate Email Firewall (EMF) 6.x allow remote attackers to (1) trigger temporarily incorrect processing of an e-mail message under "extremely heavy loads" and (2) cause an "increased number of missed spam" during "spam outbreaks."20060121 Tumbleweed EMF 6.x Processing IssuesThe VDM (Virtual DOS Machine) emulation environment for MS-DOS applications in Windows 2000, Windows XP SP2, and Windows Server 2003 allows local users to read the first megabyte of memory and possibly obtain sensitive information, as demonstrated by dumper.asm.20060124 Windows mem leakage windows-vdm-obtain-information(24471)** DISPUTED ** Buffer overflow in the font command of mIRC, probably 6.16, allows local users to execute arbitrary code via a long string. NOTE: the original researcher claims that issue has been disputed by the vendor, and that the vendor stated "as far as I can tell, this is neither an exploit nor a vulnerability. The above report describes a local bug in mIRC." It could be that this is only exploitable by the user of the application, and thus would not cross privilege boundaries unless under an otherwise restrictive environment such as a kiosk.20060124 Buffer Overflow /Font on mIRC20060201 Re: Buffer Overflow /Font on mIRC22942383SQL injection vulnerability in login.asp in ASPThai.Net ASPThai Forums 8.0 and earlier allows remote attackers to execute arbitrary SQL commands and bypass login authentication via the password field.20060127 helloaspthai-login-sql-injection(24359)ADV-2006-03721015548186362279020060107 hello16404381SQL injection vulnerability in SZUserMgnt.class.php in SZUserMgnt 1.4 allows remote attackers to execute arbitrary SQL commands via the username parameter.szusermgnt-username-sql-injection(24339)20060201 [eVuln] SZUserMgnt Authentication Bypass16454ADV-2006-036618666228091015569396Multiple SQL injection vulnerabilities in Calendarix allow remote attackers to execute arbitrary SQL commands via (1) the catview parameter in cal_functions.inc.php and (2) the login parameter in cal_login.php. NOTE: the catview vector might overlap CVE-2005-1865.ADV-2006-0365calendarix-multiple-sql-injection(24332)16456228102281118667101556020060201 [eVuln] Calendarix SQL Injection & Authorization Bypass Vulnerabilities394Cross-site scripting (XSS) vulnerability in MG2 (formerly known as Minigal) 0.5.1 allows remote attackers to inject arbitrary web script or HTML via the Name field in a comment associated with a picture.20060130 XSS flaw in MG2 Image Gallery (v.0.5.1)1642817374mg2-name-xss(24378)389Directory traversal vulnerability in MyBB (aka MyBulletinBoard) 1.02 allows local users with MyBB administrative privileges to include and possibly execute arbitrary local files via directory traversal sequences and a nul (%00) character in the plugin parameter.20060130 MyBB 1.2 Local File Incusion mybb-plugins-file-include(24461)Cross-site scripting (XSS) vulnerability in the Add Thread to Favorites feature in usercp2.php in MyBB (aka MyBulletinBoard) 1.02 allows remote attackers to inject arbitrary web script or HTML via an HTTP Referer header ($url variable).20060129 MyBB 1.2 usercp2.php [ $url ] CrossSiteScripting ( XSS )mybb-usercp2-xss(24392)16419Cross-site scripting (XSS) vulnerability in Mozilla 1.7.12 and possibly earlier, Mozilla Firefox 1.0.7 and possibly earlier, and Netscape 8.1 and possibly earlier, allows remote attackers to inject arbitrary web script or HTML via the -moz-binding CSS (Cascading Style Sheets) property, which does not require that the style sheet have the same origin as the web page, as demonstrated by the compromise of a large number of LiveJournal accounts.16427ADV-2006-04032292410155531015563mozilla-mozbinding-xss(24427)20060128 -moz-binding CSS property: more XSS funMultiple SQL injection vulnerabilities in PHP GEN before 1.4 allow remote attackers to inject arbitrary SQL commands via unknown attack vectors.ADV-2006-0408187151545822885phpgen-multiple-sql-injection(24441)Multiple cross-site scripting (XSS) vulnerabilities in PHP GEN before 1.4 allow remote attackers to inject arbitrary web script or HTML via unknown attack vectors.ADV-2006-04082288418715phpgen-parameters-xss(24443)Cross-site scripting (XSS) vulnerability in rlink.php in Rlink 1.0.0 module for phpBB allows remote attackers to inject arbitrary web script or HTML via the url parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.16448ADV-2006-03901862022818phpbb-rlink-xss(24410)MyCO Guestbook 1.0 stores the admin directory under the web document root with insufficient access control, which allows remote attackers to perform unspecified privileged actions by directly accessing files via a URL.20060131 MyCO multiple vulnerabilitiesmyco-admin-information-disclosure(24438)Cross-site scripting (XSS) vulnerability in MyCO Guestbook 1.0 allows remote attackers to inject arbitrary web script or HTML via the Name field, when registering a user.20060131 MyCO multiple vulnerabilities20060201 Re: MyCO multiple vulnerabilitiesmyco-name-xss(24439)16444PHP remote file inclusion vulnerability in loginout.php in FarsiNews 2.1 Beta 2 and earlier, with register_globals enabled, allows remote attackers to include arbitrary files via a URL in the cutepath parameter.20060131 FarsiNews 2.1 PHP Remote File Inclusion16440ADV-2006-0411101555418637farsinews-loginout-file-include(24419)22878390IMAP service in MailEnable Professional Edition before 1.72 allows remote attackers to cause a denial of service (service crash) via unspecified vectors involving the EXAMINE command.ADV-2006-039718668164571015558mailenable-imap-examine-dos(24424)Unspecified vulnerability in MailEnable Enterprise Edition before 1.2 allows remote attackers to cause a denial of service (CPU utilization) by viewing "formatted quoted-printable emails" via webmail.18716mailenable-webmail-dos(24517)zbattle.net Zbattle client 1.09 SR-1 beta allows remote attackers to cause an unspecified denial of service by rapidly creating and closing a game.20060128 zbattle.netzbattle-command-dos(24369)Cross-site scripting (XSS) vulnerability in index.php in Nuked-klaN 1.7 allows remote attackers to inject arbitrary web script or HTML via the letter parameter.20060130 Nuked-klaN Cross-Site Scripting VulnerabilityADV-2006-03872280518670nukedklan-index-xss(24387)16424385Multiple cross-site scripting (XSS) vulnerabilities in Easy CMS allow remote attackers to inject arbitrary web script or HTML via (1) unknown attack vectors in the administrative interface and (2) input fields of the contact form.20060129 EasyCMS vulnerable to XSS injection.20060131 Re: EasyCMS vulnerable to XSS injection.16430ADV-2006-038518673easycms-xss(24371)20060208 Re: Re: EasyCMS vulnerable to XSS injection.Easy CMS stores the images directory under the web document root with insufficient access control and browsing enabled, which allows remote attackers to list and possibly read images that are stored in that directory.20060129 EasyCMS vulnerable to XSS injection.18673easycms-insecure-directories(24373)20060208 Re: Re: EasyCMS vulnerable to XSS injection.Multiple cross-site scripting (XSS) vulnerabilities in clients.php in Cerberus Helpdesk, possibly 2.7, allow remote attackers to inject arbitrary web script or HTML via (1) the contact_search parameter and (2) unspecified url fields.20060130 Cerberus Helpdesk vulnerable to XSS16439ADV-2006-03951865722843cerberus-clients-xss(24388)391SQL injection vulnerability in userlogin.jsp in Daffodil CRM 1.5 allows remote attackers to execute arbitrary SQL commands via unspecified parameters in a login action.1643320060130 Daffodil CRM - vulnerable to SQL-injection.ADV-2006-041218685daffodilcrm-userlogin-sql-injection(24450)22879** DISPUTED ** Blackboard Academic Suite 6.0 and earlier does not properly clear session information when de-authenticating a user who is idle, which allows subsequent users to log in as the previous user and gain privileges. NOTE: the vendor has disputed this issue, saying that "This is a customer specific issue related to their Kerberos authentication single sign-on application and not a vulnerability in the Blackboard product."20060201 Blackboard Authentication Error20060201 Re: Blackboard Authentication Error1643820060202 Re: Blackboard Authentication Error28023PADL MigrationTools 46 creates temporary files insecurely, which allows local users to overwrite arbitrary files via a symlink attack on the temporary files, which are not properly created by (1) migrate_all_online.sh, (2) migrate_all_offline.sh, (3) migrate_all_netinfo_online.sh, (4) migrate_all_netinfo_offline.sh, (5) migrate_all_nis_online.sh, (6) migrate_all_nis_offline.sh, (7) migrate_all_nisplus_online.sh, and (8) migrate_all_nisplus_offline.sh.ADV-2005-2427DSA-118722243Directory traversal vulnerability in pkmslogout in Tivoli Web Server Plug-in 5.1.0.10 in Tivoli Access Manager (TAM) 5.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the filename parameter.20060203 VSR Advisory: IBM Tivoli Access Manager - Web Server Plug-in File Retrieval VulnerabilityIY79724101558218725ADV-2006-044216494 20060203 VSR Advisory: IBM Tivoli Access Manager - Web Server Plug-in File Retrieval Vulnerability tivoli-pkmslogout-directory-traversal(24485)412Cisco PIX/ASA 7.1.x before 7.1(2) and 7.0.x before 7.0(5), PIX 6.3.x before 6.3.5(112), and FWSM 2.3.x before 2.3(4) and 3.x before 3.1(7), when used with Websense/N2H2, allows remote attackers to bypass HTTP access restrictions by splitting the GET method of an HTTP request into multiple packets, which prevents the request from being sent to Websense for inspection, aka bugs CSCsc67612, CSCsc68472, and CSCsd81734.20060508 VSR Advisory: WebSense content filter bypass when deployed in conjunction with Cisco filtering devices17883ADV-2006-1738101603910160402004420060508 Cisco Security Response to: PIX/ASA/FWSM Websense/N2H2 Content Filter Bypass 20060508 VSR Advisory: WebSense content filter bypass when deployed in conjunction with Cisco filtering devices 25453 cisco-websense-content-filtering-bypass(26308)Unspecified vulnerability in the kernel processing in Solaris 10 64 bit platform, when running in 64-bit mode, allows local users to cause a denial of service (system panic) via unknown attack vectors.102149ADV-2006-039418671164601015557solaris-x64-kernel-dos(24395)oval:org.mitre.oval:def:1163oval:org.mitre.oval:def:219Multiple SQL injection vulnerabilities in formulaires/inc-formulaire_forum.php3 in SPIP 1.8.2-e and earlier and 1.9 Alpha 2 (5539) and earlier allow remote attackers to execute arbitrary SQL commands via the (1) id_forum, (2) id_article, or (3) id_breve parameters to forum.php3; (4) unspecified vectors related to "session handling"; and (5) when posting "petitions".ADV-2006-03981867620060131 ZRCSA-200601: SPIP - Multiple Vulnerabilities24397164582284422845228481015556spip-forum-sql-injection(24397)20060131 ZRCSA-200601: SPIP - Multiple Vulnerabilities395Cross-site scripting (XSS) vulnerability in index.php3 in SPIP 1.8.2-e and earlier and 1.9 Alpha 2 (5539) and earlier allows remote attackers to inject arbitrary web script or HTML via the lang parameter.ADV-2006-0398186761646122849spip-index-xss(24401)SPIP 1.8.2-e and earlier and 1.9 Alpha 2 (5539) and earlier allows remote attackers to obtain sensitive information via a direct request to inc-messforum.php3, which reveals the path in an error message.ADV-2006-039818676spip-incmessforum-path-disclosure(24399)SQL injection vulnerability index.php in Dragoran Portal module 1.3 for Invision Power Board (IPB) allows remote attackers to execute arbitrary SQL commands via the site parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.ADV-2006-039618664portal-index-sql-injection(24404)1644722851Cross-site scripting (XSS) vulnerability in results.php in BrowserCRM allows remote attackers to inject arbitrary web script or HTML via certain manipulations of the query parameter, as demonstrated using an IMG SRC tag.20060131 BrowserCRM vulnerable for XSSADV-2006-0391186581643522841browsercrm-results-xss(24390)393SQL injection vulnerability in the Authentication Servlet in Symantec Sygate Management Server (SMS) version 4.1 build 1417 and earlier allows remote attackers to execute arbitrary SQL commands and bypass authentication via unknown attack vectors related to a URL.ADV-2006-0402101556118689symantec-sms-sql-injection(24413)1645222883SQL injection vulnerability in global.php in MyBB before 1.03 allows remote attackers to execute arbitrary SQL commands via the templatelist variable.ADV-2006-04001867822903mybb-global-sql-injection(24416)Cross-site scripting (XSS) vulnerability in ashnews.php in Derek Ashauer ashNews 0.83 allows remote attackers to inject arbitrary web script or HTML via the id parameter.20060130 ashnews Cross-Site Scripting Vulnerability20060130 Re: ashnews Cross-Site Scripting Vulnerability20060131 Re: ashnews Cross-Site Scripting Vulnerability16426ashnews-ashnews-xss(24365)229349331Multiple Adobe products, including (1) Photoshop CS2, (2) Illustrator CS2, and (3) Adobe Help Center, install a large number of .EXE and .DLL files with write-access permission for the Everyone group, which allows local users to gain privileges via Trojan horse programs.20060131 Windows Access Control Demystified16451VU#953860ADV-2006-04312290810155771015578101557918698adobe-insecure-default-permissions(24464)The default configuration of the America Online (AOL) client software allows all users to modify a certain registry value that specifies a DLL file name, which might allow local users to gain privileges via a Trojan horse program.20060131 Windows Access Control Demystified16453VU#953860 aol-insecure-default-permissions(24498)BIND 4 (BIND4) and BIND 8 (BIND8), if used as a target forwarder, allows remote attackers to gain privileged access via a "Kashpureff-style DNS cache corruption" attack.HPSBTU02095101555116455ADV-2006-039918690tru64-dns-bind-unauth-access(24414)HPSBUX020971015606[VIM] 20060216 Recent HP advisories outline BIND problems22888438748The cairo library (libcairo), as used in GNOME Evolution and possibly other products, allows remote attackers to cause a denial of service (persistent client crash) via an attached text file that contains "Content-Disposition: inline" in the header, and a very long line in the body, which causes the client to repeatedly crash until the e-mail message is manually removed, possibly due to a buffer overflow, as demonstrated using an XML attachment.20060128 gnome evolution mail client inline text file DoS issue16408MDKSA-2006:057USN-265-1SUSE-SR:2006:00719504MDKSA-2006:057610Computer Associates (CA) Message Queuing (CAM / CAFT) before 1.07 Build 220_16 and 1.11 Build 29_20, as used in multiple CA products, allows remote attackers to cause a denial of service via a crafted message to TCP port 4105.20060202 CAID 33581 - CA Message Queuing Denial of Service VulnerabilitiesADV-2006-04141868116475211461015571ca-cam-port4105-dos(24448)Computer Associates (CA) Message Queuing (CAM / CAFT) before 1.07 Build 220_16 and 1.11 Build 29_20, as used in multiple CA products, allows remote attackers to cause a denial of service via spoofed CAM control messages.20060202 CAID 33581 - CA Message Queuing Denial of Service VulnerabilitiesADV-2006-041418681164751015571ca-cam-spoofed-message-dos(24449)404Unspecified vulnerability in Sun Java System Access Manager 7.0 allows local users logged in as "root" to bypass authentication and gain top-level administrator privileges via the amadmin CLI tool.10214016474ADV-2006-043018699sun-jsam-admin-access(24423)1015567oval:org.mitre.oval:def:360oval:org.mitre.oval:def:755Cross-site scripting (XSS) vulnerability in resultat.asp in SoftMaker Shop allows remote attackers to inject arbitrary web script or HTML via a strSok parameter containing a javascript: URI in an IMG SRC attribute.20060201 SoftMaker Shop is vulnerable to XSS1647118683ADV-2006-043422911softmakershop-image-xss(24451)400Cross-site scripting (XSS) vulnerability in webmailaging.cgi in cPanel allows remote attackers to inject arbitrary web script or HTML via the numdays parameter.18691ADV-2006-043322906cpanel-scripts-xss(24468)20060203 Re: cPanel Multiple Cross Site ScriptingMultiple cross-site scripting (XSS) vulnerabilities in default.asp in CyberShop Ultimate E-commerce allow remote attackers to inject arbitrary web script or HTML via the (1) ortak or (2) kat parameter.20060202 CyberShop Ultimate E-commerce Script Cross Site Scripting1647318730cybershop-xss(24454)401Multiple cross-site scripting (XSS) vulnerabilities in Community Server allow remote attackers to inject arbitrary web script or HTML via unknown attack vectors. NOTE: this candidate does not contain any actionable or distinguishing information. Perhaps it should not be included in CVE. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.16478Cross-site scripting (XSS) vulnerability in neomail.pl in NeoMail 1.27 allows remote attackers to inject arbitrary web script or HTML via the sort parameter. NOTE: some sources say that the affected parameter is "date," but the demonstration URL shows that it is "sort".20060203 Neomail Cross Site Scripting VulnerabilityADV-2006-04491015581neomail-neomail-script-xss(24470)22978Buffer overflow in the POP3 server in Kinesphere Corporation eXchange before 5.0.060125 allows remote attackers to execute arbitrary code via a long RCPT TO argument.ADV-2006-043720060203 Exchangepop3 rcpt buffer overflow vulnerability22907101558018687exchangepop3-rcptto-bo(24477)20060203 Exchangepop3 rcpt buffer overflow vulnerability16485408CipherTrust IronMail 5.0.1, when "Denial of Service Protection" is enabled, allows remote attackers to cause a denial of service (possibly CPU consumption) via a SYN flood with malformed TCP packets from multiple connections.20060203 IronMail-5.0.1-Denial of-Service-Protection-Lets-Remote-Users-Deny-Service164651015555 ironmail-tcpsyn-flood-dos(24445)407The convert-fcrontab program in fcron 3.0.0 might allow local users to gain privileges via a long command-line argument, which causes Linux glibc to report heap memory corruption, possibly because a strcpy in the strdup2 function can "overwrite some data."20060201 Fcrontab - memory corruption on heap.16467ADV-2006-043518719 20060201 Fcrontab - memory corruption on heap. 2006-0036 fcron-syslog-bo(24444)Multiple SQL injection vulnerabilities in Tachyon Vanilla Guestbook 1.0 beta allow remote attackers to execute arbitrary SQL commands via unspecified vectors.16464vanillaguestbook-messages-sql-injection(24412)20060201 [eVuln] Vanilla Guestbook Multiple XSS & SQL Injection VulnerabilitiesMultiple cross-site scripting (XSS) vulnerabilities in Tachyon Vanilla Guestbook 1.0 beta allow remote attackers to inject arbitrary web script or HTML via unknown vectors related to "posting new messages."1646420060201 [eVuln] Vanilla Guestbook Multiple XSS & SQL Injection Vulnerabilities20060227 Re: [eVuln] Vanilla Guestbook Multiple XSS & SQL Injection Vulnerabilities vanillaguestbook-name-xss(24411)Multiple SQL injection vulnerabilities in config.php in NukedWeb GuestBookHost 2005.04.25 allow remote attackers to execute arbitrary SQL commands via the (1) email and (2) password parameters.guestbookhost-login-sql-injection(24406)ADV-2006-04651876120060209 [eVuln] GuestBookHost Authentication Bypass16545Cerulean Trillian 3.1.0.120 allows remote attackers to cause a denial of service (client crash) via an AIM message containing the Mac encoded Rich Text Format (RTF) escape sequences (1) \'d1, (2) \'d2, (3) \'d3, (4) \'d4, and (5) \'d5. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.22877urlmon.dll in Microsoft Internet Explorer 7.0 beta 2 (aka 7.0.5296.0) allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a BGSOUND element with its SRC attribute set to "file://" followed by a large number of "-" (dash of hyphen) characters.16463SQL injection vulnerability in showflat.php in Groupee (formerly known as Infopop) UBB.threads 6.3 and earlier allows remote attackers to execute arbitrary SQL commands via the Number parameter.1015549ubbthreads-showflat-sql-injection(24381)228081652020060325 UBBThreads<=5.5.1+6.0.2+6.0 br5+6.0.1 SQL injectionUnspecified vulnerability in index.php in a certain application available from /v1/tr/portfoy.php on www.egeinternet.com allows remote attackers to execute arbitrary code via "evilcode" in the key parameter, possibly a PHP remote file include vulnerability in which the attack vector is a URL in the key parameter. NOTE: it is not clear whether this vulnerability is associated with an online service or application service provider. If so, then it should not be included in CVE.20060128 Ege Internet Web Desing Remote Command ExucetionOracle Database 8i, 9i, and 10g allow remote authenticated users to execute arbitrary SQL statements in the context of the SYS user and bypass audit logging, including statements to create new privileged database accounts, via a modified AUTH_ALTER_SESSION attribute in the authentication phase of the Transparent Network Substrate (TNS) protocol. NOTE: due to the lack of relevant details from the Oracle advisory, a separate CVE is being created since it cannot be conclusively proven that this issue has been addressed by Oracle. It is possible that this is the same issue as Oracle Vuln# DB18 from the January 2006 CPU, in which case this would be subsumed by CVE-2006-0265.TA06-018AVU#871756 20060117 Oracle DBMS - Access Control Bypass in Login oracle-login-command-execute(24184)SQL injection vulnerability in the Oracle Text component of Oracle Database 10g, and possibly earlier versions, might allow remote attackers to execute arbitrary SQL commands via unknown vectors. NOTE: due to the lack of relevant details from the Oracle advisory, a separate CVE is being created since it cannot be conclusively proven that this issue has been addressed by Oracle. It is possible that this is the same issue as Oracle Vuln# DB15 from the January 2006 CPU, in which case this would be subsumed by CVE-2006-0260.TA06-018AVU#150332 oracle-january2006-update(24321)SQL injection vulnerability in the SYS.DBMS_METADATA_UTIL package in Oracle Database 10g, and possibly earlier versions, might allow remote attackers to execute arbitrary SQL commands via unknown vectors. NOTE: due to the lack of relevant details from the Oracle advisory, a separate CVE is being created since it cannot be conclusively proven that this issue has been addressed by Oracle. It is possible that this is the same issue as Oracle Vuln# DB05 from the January 2006 CPU, in which case this would be subsumed by CVE-2006-0260. However, there are some inconsistencies that make this unclear, and there is also a possibility that this is related to DB06, which is subsumed by CVE-2006-0259.TA06-018AVU#629316 oracle-january2006-update(24321)Buffer overflow in an unspecified Oracle Client utility might allow remote attackers to execute arbitrary code or cause a denial of service. NOTE: due to the lack of relevant details from the Oracle advisory, a separate CVE is being created since it cannot be conclusively proven that this issue has been addressed by Oracle. It is possible that this is the same issue as Oracle Vuln# DBC02 from the January 2006 CPU, in which case this would be a duplicate of CVE-2006-0283. However, there are enough inconsistencies that the mapping can not be made authoritatively.TA06-018AVU#999268 oracle-january2006-update(24321)SQL injection vulnerability in the Data Pump Metadata API in Oracle Database 10g and possibly earlier might allow remote attackers to execute arbitrary SQL commands via unknown vectors. NOTE: due to the lack of relevant details from the Oracle advisory, a separate CVE is being created since it cannot be conclusively proven that this issue has been addressed by Oracle. It is possible that this is the same issue as Oracle Vuln# DB06 from the January 2006 CPU, in which case this would be subsumed by CVE-2006-0259 or, if it is DB05, subsumed by CVE-2006-0260.TA06-018AVU#983340 oracle-january2006-update(24321)Unspecified vulnerability in the Net Listener component of Oracle Database server 8.1.7.4, 9.0.1.5, 9.0.1.5 FIPS, and 9.2.0.7 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB11.VU#54580416287ADV-2006-0243ADV-2006-03231849318608101549922549 oracle-january2006-update(24321)PostgreSQL 8.1.0 through 8.1.2 allows authenticated database users to gain additional privileges via "knowledge of the backend protocol" using a crafted SET ROLE to other database users, a different vulnerability than CVE-2006-0678.[pgsql-announce] 20060214 Minor Releases 7.3 thru 8.1 Available to Fix Security IssueOpenPKG-SA-2006.004ADV-2006-06051889020060215 PostgreSQL security releases 8.1.3, 8.0.7, 7.4.12, 7.3.14VU#567452166491015636postgresql-setrole-privilege-elevation(24718)Linux kernel 2.6 before 2.6.15.5 allows local users to obtain sensitive information via a crafted XFS ftruncate call, which may return stale data.SGI bug 942658ADV-2006-08041692119083kernel-ftruncate-information-disclosure(24999)USN-263-119220MDKSA-2006:059SUSE-SA:2006:028DSA-1103ADV-2006-255420914MDKSA-2006:15020398MDKSA-2006:059MDKSA-2006:150The Linux Kernel before 2.6.15.5 allows local users to cause a denial of service (NFS client panic) via unknown attack vectors related to the use of O_DIRECT (direct I/O).ADV-2006-0804FEDORA-2006-1311908319108kernel-odirect-dos(25000)USN-263-11692219220MDKSA-2006:059RHSA-2006:049320237SUSE-SA:2006:028DSA-1103ADV-2006-2554209142174520398MDKSA-2006:059sys_mbind in mempolicy.c in Linux kernel 2.6.16 and earlier does not sanity check the maxnod variable before making certain computations for the get_nodes function, which has unknown impact and attack vectors.projects / linux/kernel/git/torvalds/linux-2.6.git / commit projects / linux/kernel/git/torvalds/linux-2.6.git / commitdiff [patch 18/39] [PATCH] sys_mbind sanity checking169241015752MDKSA-2006:05923895linux-get-nodes-dos(25204)USN-281-119955SUSE-SA:2006:028DSA-1103ADV-2006-25542091420398MDKSA-2006:059perfmon (perfmon.c) in Linux kernel on IA64 architectures allows local users to cause a denial of service (crash) by interrupting a task while another process is accessing the mm_struct, which triggers a BUG_ON action in the put_page_testzero function.[linux-ia64] [PATCH 1/1] ia64: perfmon.c trips BUG_ON in put_page_testzero17482ADV-2006-144419737DSA-1103ADV-2006-255420914RHSA-2007:077426709Format string vulnerability in the SMTP server for McAfee WebShield 4.5 MR2 and earlier allows remote attackers to execute arbitrary code via format strings in the domain name portion of a destination address, which are not properly handled when a bounce message is constructed.The vendor has released a patch (P0803), along with version 4.5 MR2 to address this issue.20060404 SYMSA-2006-002: McAfee WebShield SMTP Format String Vulnerability16742ADV-2006-1219194911015861webshield-smtp-format-string(25621)24366671Cisco Secure Access Control Server (ACS) 3.x for Windows stores ACS administrator passwords and the master key in the registry with insecure permissions, which allows local users and remote administrators to decrypt the passwords by using Microsoft's cryptographic API functions to obtain the plaintext version of the master key.This vulnerability is addressed in the following product release: Cisco, Secure Access Control Server, 4.0.120060508 SYMSA-2006-003: Cisco Secure ACS for Windows - Administrator Password Disclosure20060508 Re: SYMSA-2006-003: Cisco Secure ACS for Windows - Administrator Password DisclosureSYMSA-2006-00320060508 Response to Symantec SYMSA-2006-003 Cisco Secure ACS for Windows - Administrator Password Disclosure16743ADV-2006-17411016042 25892 cisco-acs-admin-password-disclosure(26307)Cross-site scripting (XSS) vulnerability in problem.php in PluggedOut Blog 1.9.9c allows remote attackers to inject arbitrary web script or HTML via the data parameter.20060204 PluggedOut Blog SQL injection and XSSADV-2006-0440187261015586pluggedoutblog-problem-xss(24482)22927[VIM] 20060206 VERIFY Pluggedout Blog 1.9.9c problem.php XSSSQL injection vulnerability in exec.php in PluggedOut Blog 1.9.9c allows remote attackers to execute arbitrary SQL commands via the entryid parameter in a comment_add action.20060204 PluggedOut Blog SQL injection and XSSADV-2006-0440187261015586pluggedoutblog-exec-sql-injection(24480)22926[VIM] 20060206 VERIFY Pluggedout Blog 1.9.9c exec.php SQL injection415Stack-based buffer overflow in Microsoft HTML Help Workshop 4.74.8702.0, and possibly earlier versions, and as included in the Microsoft HTML Help 1.4 SDK, allows context-dependent attackers to execute arbitrary code via a .hhp file with a long Contents file field.ADV-2006-0446187401015585VU#12446022941 mshtmlhelp-workshop-hhp-bo(24481)PHP remote file include vulnerability in inc/backend_settings.php in Loudblog 0.4 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the $GLOBALS[path] parameter.20060204 LoudBlog <= 0.4 arbitrary remote inclusionADV-2006-044118722229211015583louadblog-backendsettings-file-include(24479)16495410556The LDAP component in CommuniGate Pro Core Server 5.0.7 allows remote attackers to cause a denial of service (application crash) via LDAP messages that contain Distinguished Names (DN) fields with a large number of elements.20060204 ProtoVer LDAP vs CommuniGate Pro 5.0.7ADV-2006-044418701101558722932communigate-ldap-bo(24409)416Directory traversal vulnerability in Files Xaraya module before 0.5.1, when the Archive Directory field on the Modify Config page is blank, allows remote attackers to access files outside of the web root via ".." (dot dot) sequences.ADV-2006-0371files-archive-directory-directory-traversal(24393)Cross-site scripting (XSS) vulnerability in throw.main in Outblaze allows remote attackers to inject arbitrary web script or HTML via the file parameter.20060203 Outblaze Cross Site Scripting Vulnerability20060202 Outblaze Cross Site Scripting VulnerabilityADV-2006-04392290918710outblaze-email-thrownmain-xss(24476)411Cross-site scripting (XSS) vulnerability in user_class.php in Papoo 2.1.4 and earlier allows remote attackers to inject arbitrary web script or HTML via the username field during the registration of a new account. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.ADV-2006-04381872122913papoo-username-xss(24500)Multiple SQL injection vulnerabilities in phpstatus 1.0, when gpc_magic_quotes is disabled, allow remote attackers to execute arbitrary SQL commands and bypass authentication via (1) the username parameter in check.php and (2) unknown attack vectors in the administrative interface.ADV-2006-04501879120060212 [eVuln] phpstatus Authentication Bypass16587427Multiple cross-site scripting (XSS) vulnerabilities in phpstatus 1.0 allow remote attackers to inject arbitrary web script or HTML via unknown attack vectors in the administrative interface.ADV-2006-04501879120060212 [eVuln] phpstatus Authentication Bypass16587427phpstatus 1.0 does not require passwords when using cookies to identify a user, which allows remote attackers to bypass authentication.20060212 [eVuln] phpstatus Authentication Bypass1658718791427Multiple cross-site scripting (XSS) vulnerabilies in cPanel 10 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) email parameter to (a) editquota.html or (b) dodelpop.html; (2) showtree parameter to (c) diskusage.html; or the (3) mon, (4) year, (5) target, or (6) domain parameter to (d) stats/detailbw.html.20060202 cPanel Multiple Cross Site Scripting Vulnerability20060203 cPanel Multiple Cross Site Scripting VulnerabilityADV-2006-043318695cpanel-scripts-xss(24468)20060203 cPanel Multiple Cross Site Scripting Vulnerability22936229372293822939Cross-site scripting (XSS) vulnerability in mime/handle.html in cPanel 10 allows remote attackers to inject arbitrary web script or HTML via the (1) file extension or (2) mime-type.20060204 cPanel 10 mime/handle.html XSS Vulnerability20060205 cPanel 10 handle.html XSS VulnerabilityADV-2006-043318695229401015589convert-fcrontab in Fcron 2.9.5 and 3.0.0 allows remote attackers to create or overwrite arbitrary files via ".." sequences and a symlink attack on the temporary file that is used during conversion.20060202 Re: Fcrontab - memory corruption on heap.ADV-2006-04351871920060202 Re: Fcrontab - memory corruption on heap.22905fcron-dotdot-directory-traversal(24504)2006-000625693Untrusted search path vulnerability in opcontrol in OProfile 0.9.1 and earlier allows local users to execute arbitrary commands via a modified PATH that references malicious (1) which or (2) dirname programs. NOTE: while opcontrol normally is not run setuid, a common configuration suggests accessing opcontrol using sudo. In such a context, this is a vulnerability.20060207 Arbitrary code execution via OProfile16536Lexmark X1185 printer allows local users to gain SYSTEM privileges by navigating to the "Appearance" dialog and selecting the "Additional styles (skins) are available on the Lexmark web site" option, which launches a web browser that is running with SYSTEM privileges.20060207 Re: High Risk Vulnerability in Lexmark Printer Sharing Service18728ADV-2006-048216534 lexmark-x1185-privilege-elevation(24596)Blue Coat Proxy Security Gateway OS (SGOS) 4.1.2.1 does not enforce CONNECT rules when using Deep Content Inspection, which allows remote attackers to bypass connection filters.ADV-2006-040118622101564422853proxysg-connect-bypass-security(24446)Multiple integer overflows in (1) the new_demux_packet function in demuxer.h and (2) the demux_asf_read_packet function in demux_asf.c in MPlayer 1.0pre7try2 and earlier allow remote attackers to execute arbitrary code via an ASF file with a large packet length value. NOTE: the provenance of this information is unknown; portions of the details are obtained from third party information.ADV-2006-045718718mplayer-asf-integer-overflow(24531)GLSA-200603-0319114MDKSA-2006:048MDKSA-2006:048IBM Lotus Domino Server 7.0 allows remote attackers to cause a denial of service (segmentation fault) via a crafted packet to the LDAP port (389/TCP).[Dailydave] 20060203 ProtoVer vs Lotus Domino Server 7.0ADV-2006-0458187381015592lotus-domino-ldap-dos(24518)16523SQL injection vulnerability in Hosting Controller 6.1 Hotfix 2.8 allows remote authenticated users to execute arbitrary SQL commands via the (1) GatewayID parameter in an add action in AddGatewaySettings.asp and (2) IP parameter in IPManager.asp.ADV-2006-04601015584187312298222983hosting-controller-sql-injection(24537)Unspecified vulnerability in rshd in Heimdal 0.6.x before 0.6.6 and 0.7.x before 0.7.2, when storing forwarded credentials, allows attackers to overwrite arbitrary files and change file ownership via unknown vectors.ADV-2006-0456187331015591[heimdal-discuss] 20060206 Heimdal 0.7.2 and 0.6.6DSA-977USN-253-12298618894heimdal-rshd-privilege-elevation(24532)SUSE-SA:2006:011USN-247-1165241880619005ADV-2006-0628GLSA-200603-1419302SQL injection vulnerability in mailarticle.php in Clever Copy 3.0 and earlier allows remote attackers to execute arbitrary SQL commands via the ID parameter.ADV-2006-046210155902298418749clevercopy-mailarticle-sql-injection(24545)The PSCipher function in PeopleSoft People Tools 8.4x uses PKCS #5 with a fixed DES key to store user passwords, which makes it easier for local users to guess passwords using a dictionary attack that compares output strings.20060204 PeopleSoft (Oracle) PSCipher Encryption Weakness2295216507jscript.dll in Microsoft Internet Explorer 6.0 SP1 and earlier allows remote attackers to cause a denial of service (application crash) via a Shockwave Flash object that contains ActionScript code that calls VBScript, which in turn calls the Javascript document.write function, which triggers a null dereference.20060131 Internet Explorer remotely exploitable vulnerability in JScript's document.write() method16441101555920060217 Re: Internet Explorer remotely exploitable vulnerability in JScript's document.write() methodMultiple SQL injection vulnerabilities in Oracle 10g Release 1 before CPU Jan 2006 allow remote attackers to execute arbitary SQL commands via multiple parameters in (1) ATTACH_JOB, (2) HAS_PRIVS, and (3) OPEN_JOB functions in the SYS.KUPV$FT package; and (4) UPDATE_JOB, (5) ACTIVE_JOB, (6) ATTACH_POSSIBLE, (7) ATTACH_TO_JOB, (8) CREATE_NEW_JOB, (9) DELETE_JOB, (10) DELETE_MASTER_TABLE, (11) DETACH_JOB, (12) GET_JOB_INFO, (13) GET_JOB_QUEUES, (14) GET_SOLE_JOBNAME, (15) MASTER_TBL_LOCK, and (16) VALID_HANDLE functions in the SYS.KUPV$FT_INT package. NOTE: due to the lack of relevant details from the Oracle advisory, a separate CVE is being created since it cannot be conclusively proven that these issues has been addressed by Oracle. It is unclear which, if any, Oracle Vuln# identifiers apply to these issues.20060118 Oracle Database 10g Rel. 1 - SQL Injection in SYS.KUPV$FT20060118 Oracle Database 10g Rel. 1 - SQL Injection in SYS.KUPV$FT_INT162942283922840oracle-syskupvftint-sql-injection(24197)20060117 Oracle Database 10g Rel. 1 - SQL Injection in SYS.KUPV$FT20060117 Oracle Database 10g Rel. 1 - SQL Injection in SYS.KUPV$FT_INTUnspecified vulnerability in util.php in Gallery before 1.5.2-pl2 allows remote authenticated users with trick an owner into modifying stored album data and possibly executing arbitrary code via unspecified vectors involving a crafted link to a crafted file.1873520060214 Digital Armaments Security Advisory 02.14.2006: Gallery web-based photo gallery remote file execution20060216 Re: Digital Armaments Security Advisory 02.14.2006: Gallery web-based photo gallery remote file execution232561015641gallery-util-file-include(24768)1653322944gallery-album-data-modification(24538)SQL injection vulnerability in search.php in MyTopix 1.2.3 allows remote attackers to execute arbitrary SQL commands via the (1) mid and (2) keywords parameters.20060204 [KAPDA::#26] - MyTopix Sql Injection & Path Disclosure mytopix-search-sql-injection(24502)413MyTopix 1.2.3 allows remote attackers to obtain the installation path via a direct request to logon.mod.php, which leaks the path in an error message.20060204 [KAPDA::#26] - MyTopix Sql Injection & Path Disclosure413MyTopix 1.2.3 allows remote attackers to obtain the installation path via an invalid hl parameter to index.php, which leads to path disclosure, possibly related to invalid SQL syntax.20060204 [KAPDA::#26] - MyTopix Sql Injection & Path Disclosure413The crypt_gensalt functions for BSDI-style extended DES-based and FreeBSD-sytle MD5-based password hashes in crypt_blowfish 0.4.7 and earlier do not evenly and randomly distribute salts, which makes it easier for attackers to guess passwords from a stolen password file due to the increased number of collisions.20060207 crypt_blowfish 1.018772ADV-2006-047723005cryptblowfish-salt-information-disclosure(24590)RHSA-2006:05262023220060602-01-U20782 20653Unspecified vulnerability in the Lexmark Printer Sharing LexBce Server Service (LexPPS), possibly 8.29 and 9.41, allows remote attackers to execute arbitrary code via unspecified vectors. NOTE: This information is based on a vague initial disclosure; details will be updated after the grace period has ended.20060207 High Risk Vulnerability in Lexmark Printer Sharing Service18744ADV-2006-04811015593 lexmark-lexpps-code-execution(24581)Cross-site scripting (XSS) vulnerability in PHP-Fusion before 6.00.304 allows remote attackers to inject arbitrary web script or HTML via the (1) shout_name field in shoutbox_panel.php and the (2) comments field in comments_include.php.ADV-2006-0463229802298118949phpfusion-multiple-xss(24548)16548Multiple stack-based buffer overflows in elogd.c in elog before 2.5.7 r1558-4 allow attackers to cause a denial of service (application crash) and possibly execute code via long "revision attributes".DSA-9671657918783 elog-elogd-bo(24704)Buffer overflow in elogd.c in elog before 2.5.7 r1558-4 allows attackers to execute code via unspecified variables, when writing to the log file.DSA-9671657918783 elog-elogd-log-bo(24705)The (1) elog.c and (2) elogd.c components in elog before 2.5.7 r1558-4 generate different responses depending on whether or not a username is valid, which allows remote attackers to determine valid usernames.DSA-9671657918783 elog-elog-elogd-user-enumeration(24706)elog before 2.5.7 r1558-4 allows remote attackers to cause a denial of service (infinite redirection) via a request with the fail parameter set to 1, which redirects to the same request.DSA-9671657918783 elog-fail-redirect-dos(24707)Multiple SQL injection vulnerabilities in Hinton Design phphg Guestbook 1.2 allow remote attackers to execute arbitrary SQL commands via the (1) username parameter to check.php or the id parameter to (2) admin/edit_smilie.php, (3) admin/add_theme.php, (4) admin/ban_ip.php, (5) admin/add_lang.php, or (6) admin/edit_filter.php.1875820060211 [eVuln] phphg Guestbook Multiple Vulnerabilities16541ADV-2006-04801015620Multiple cross-site scripting vulnerabilities in signed.php in Hinton Design phphg Guestbook 1.2 allow remote attackers to inject arbitrary web script or HTML via the (1) location, (2) website, or (3) message parameter.1875820060211 [eVuln] phphg Guestbook Multiple Vulnerabilities16541ADV-2006-04801015620check.php in Hinton Design phphg Guestbook 1.2 does not check the user password when authenticating via cookies, which allows remote attackers to gain unauthorized access.1875820060211 [eVuln] phphg Guestbook Multiple Vulnerabilities16541ADV-2006-04801015620Multiple cross-site scripting (XSS) vulnerabilities in Unknown Domain Shoutbox 2005.07.21 allow remote attackers to inject arbitrary web script or HTML, possibly via the (1) Handle or (2) Message fields.ADV-2006-0476187591654320060209 [eVuln] Unknown Domain Shoutbox multiple XSS & SQL Injection Vulnerabilities shoutbox-multiple-xss(24440)SQL injection vulnerability in Unknown Domain Shoutbox 2005.07.21 allows remote attackers to execute arbitrary SQL commands via unknown attack vectors.ADV-2006-0476187591654320060209 [eVuln] Unknown Domain Shoutbox multiple XSS & SQL Injection Vulnerabilitiescheck.php in Hinton Design phphd 1.0 does not check passwords when certain cookies are provided, which allows remote attackers to bypass authentication.phphd-check-security-bypass(24510)1879320060212 [eVuln] phphd Multiple Vulnerabilities1658623026Multiple SQL injection vulnerabilities in Hinton Design phphd 1.0 allow remote attackers to execute arbitrary SQL commands via (1) the username parameter to check.php or (2) unknown attack vectors to scripts that display information from the database.phphd-check-sql-injection(24508)phphd-multiple-sql-injection(24515)1879320060212 [eVuln] phphd Multiple Vulnerabilities165862302523028Cross-site scripting (XSS) vulnerability in add.php in Hinton Design phphd 1.0 allows remote attackers to inject arbitrary web script or HTML via unknown vectors.phphd-add-xss(24513)1879320060212 [eVuln] phphd Multiple Vulnerabilities1658623027Multiple SQL injection vulnerabilities in 2200net Calendar system 1.2, with gpc_magic_quotes disabled, allow remote attackers to execute arbitrary SQL commands and bypass authentication via (1) the fm_data[id] parameter to calendar.php and (2) the $ad['acc'] variable in adminlogin.php.2200net-adminlogin-sql-injection(24484)2200net-calendar-sql-injection(24483)20060215 [eVuln] 2200net Calendar system SQL Injection and Authentication Bypass Vulnerabilities16569ADV-2006-048618781230372303820060215 [eVuln] 2200net Calendar system SQL Injection and AuthenticationDirectory traversal vulnerability in compose.pl in @Mail 4.3 and earlier for Windows allows remote attackers to upload arbitrary files to arbitrary locations via a .. (dot dot) in the unique parameter.16470ADV-2006-04152288218646Powersave daemon before 0.10.15.2 allows local users to gain privileges (unauthorized access to an X session) via unspecified vectors. NOTE: the provenance of this information is unknown; portions of the details are obtained from third party information.ADV-2006-041618651powersave-daemon-gain-privileges(24458)16469Unspecified vulnerability in Java Web Start after 1.0.1_02, as used in J2SE 5.0 Update 5 and earlier, allows remote attackers to obtain privileges via unspecified vectors involving untrusted applications.102170ADV-2006-046818762VU#652636165401015597javawebstart-jnlp-privilege-elevation(24568)ADV-2006-1398Unspecified vulnerability in Sun Java JDK and JRE 5.0 Update 3 and earlier, SDK and JRE 1.3.x through 1.3.1_16 and 1.4.x through 1.4.2_08 allows remote attackers to bypass Java sandbox security and obtain privileges via unspecified vectors involving the reflection APIs, aka the "first issue."102171ADV-2006-046718760GLSA-200602-07VU#759996101559618884sun-jre-reflection-privilege-elevation(24561)ADV-2006-0828ADV-2006-1398Multiple unspecified vulnerabilities in Sun Java JDK and JRE 5.0 Update 4 and earlier, SDK and JRE 1.4.x through 1.4.2_09 allow remote attackers to bypass Java sandbox security and obtain privileges via unspecified vectors involving the reflection APIs, aka the "second and third issues."102171ADV-2006-046718760GLSA-200602-07VU#759996101559618884sun-jre-reflection-privilege-elevation(24561)ADV-2006-0828ADV-2006-1398Unspecified vulnerability in Sun Java JDK and JRE 5.0 Update 4 and earlier allows remote attackers to bypass Java sandbox security and obtain privileges via unspecified vectors involving the reflection APIs, aka the "fourth issue."102171ADV-2006-046718760GLSA-200602-07VU#759996101559618884sun-jre-reflection-privilege-elevation(24561)ADV-2006-0828ADV-2006-1398Multiple unspecified vulnerabilities in Sun Java JDK and JRE 5.0 Update 5 and earlier allow remote attackers to bypass Java sandbox security and obtain privileges via unspecified vectors involving the reflection APIs, aka the "fifth, sixth, and seventh issues."102171ADV-2006-046718760GLSA-200602-07VU#759996101559618884sun-jre-reflection-privilege-elevation(24561)ADV-2006-0828ADV-2006-1398Format string vulnerability in fontsleuth in QNX Neutrino RTOS 6.3.0 allows local users to execute arbitrary code via format string specifiers in the zeroth argument (program name).20060207 QNX Neutrino RTOS fontsleuth Command Format String VulnerabilityADV-2006-0474187501015599qnx-fontsleuth-format-string(24559)2296616539Multiple stack-based buffer overflows in QNX Neutrino RTOS 6.3.0 allow local users to execute arbitrary code via long (1) ABLPATH or (2) ABLANG environment variables in the libAP library (libAp.so.2) or (3) a long PHOTON_PATH environment variable to the setitem function in the libph library.20060207 QNX Neutrino RTOS libAp ABLPATH Buffer Overflow Vulnerability20060207 QNX Neutrino RTOS libph PHOTON_PATH Buffer Overflow VulnerabilityADV-2006-0474187501015599qnx-libap-bo(24558)qnx-libph-bo(24557)229642296516539Race condition in phfont in QNX Neutrino RTOS 6.2.1 allows local users to execute arbitrary code via unspecified manipulations of the PHFONT and PHOTON2_PATH environment variables.20060207 QNX Neutrino RTOS phfont Race Condition VulnerabilityADV-2006-0474187501015599qnx-phfont-race-condition(24555)2296316539Multiple buffer overflows in QNX Neutrino RTOS 6.2.0 allow local users to execute arbitrary code via a long first argument to the (1) su or (2) passwd commands.20060207 QNX Neutrino RTOS passwd Command Buffer Overflow20060207 QNX Neutrino RTOS su Command Buffer OverflowADV-2006-0474187501015599qnx-passwd-bo(24551)qnx-su-bo(24554)229612295916539QNX Neutrino RTOS 6.3.0 allows local users to cause a denial of service (hang) by supplying a "break *0xb032d59f" command to gdb.20060207 QNX RTOS 6.3.0 Local Denial of Service VulnerabilityADV-2006-0474187501015598qnx-gdb-dos(24553)2296016539QNX Neutrino RTOS 6.3.0 ships /etc/rc.d/rc.local with world-writable permissions, which allows local users to modify the file and execute arbitrary code at system startup.20060207 QNX RTOS 6.3.0 rc.local Insecure File Permissions VulnerabilityADV-2006-0474187501015598qnx-rclocal-root-privileges(24552)2295816539SQL injection vulnerability in check.asp in Whomp Real Estate Manager XP 2005 allows remote attackers to execute arbitrary SQL commands via the (1) username and (2) password parameters.20060208 Whomp Real Estate Manager XP 2005 Sql Injection16544ADV-2006-048918780whomp-login-sql-injection(24592)22969418Directory traversal vulnerability in Spip_RSS.PHP in SPIP 1.8.2g and earlier allows remote attackers to read or include arbitrary files via ".." sequences in the GLOBALS[type_urls] parameter, which could then be used to execute arbitrary code via resultant direct static code injection in the file parameter to spip_acces_doc.php3.16556ADV-2006-0483230871015602spip-rss-file-include(24600)2308618676SQL injection vulnerability in spip_acces_doc.php3 in SPIP 1.8.2g and earlier allows remote attackers to execute arbitrary SQL commands via the file parameter.1655123087ADV-2006-0483101560218676spip-access-doc-sql-injection(24599)Cross-site scripting (XSS) vulnerability in Clever Copy 2.0, 2.0a, and 3.0 allows remote attackers to inject arbitrary web script or HTML via the (1) Referer or (2) X-Forwarded-For headers in an HTTP request, which are not properly handled when the administrator accesses Site Stats.clevercopy-script-xss(24524)ADV-2006-04951879020060212 [eVuln] Clever Copy %27Referer%27 & %27X-Forwarded-For%27 XSS Vulnerabilities16607myquiz.pl in Dale Ray MyQuiz 1.01 allows remote attackers to execute arbitrary commands via shell metacharacters in the URL, which are not properly handled as part of the PATH_INFO environment variable.20060203 [eVuln] MyQuiz Arbitrary Command Execution Vulnerability20060207 MyQuiz Arbitrary Command Execution Exploit (perl)ADV-2006-044318737[VIM] 20060209 Vendor ACK for MyQuiz22925 myquiz-pathinfo-command-execution(24501)409Unspecified vulnerability in AOL Instant Messenger (AIM) 5.9.3861 allows user-assisted remote attackers to cause a denial of service (client crash) and possibly execute arbitrary code by tricking the user into requesting Buddy Info about a long screen name, which might cause a buffer overflow.20060203 AOL Instant Messenger Version 5.9.3861 Local Buffer Overrun Vulnerability20060203 Re: AOL Instant Messenger Version 5.9.3861 Local Buffer Overrun Vulnerability20060129 AOL Instant Messenger 5.9.3861 Local Buffer Overrun Vulnerabilityaim-buddy-info-bo(24362)RITLabs The Bat! before 3.0.0.15 displays certain important headers from encapsulated data in message/partial MIME messages, instead of the real headers, which is in violation of RFC2046 header merging rules and allows remote attackers to spoof the origin of e-mail by sending a fragmented message, as demonstrated using spoofed Received: and Message-ID: headers.20060206 SECURITY.NNOV: The Bat! 2.x message headers spoofing1871316515 20060206 SECURITY.NNOV: The Bat! 2.x message headers spoofing thebat-message-header-spoofing(24535)CRLF injection vulnerability in mailback.pl in Erik C. Thauvin mailback allows remote attackers to use mailback as a "spam proxy" by modifying mail headers, including recipient e-mail addresses, via newline characters in the Subject field.20060205 mailback script exploitADV-2006-0459229551874820060210 Re: mailback script exploitmailback-mail-relay(24540)The gen_rand_string function in phpBB 2.0.19 uses insufficiently random data (small value space) to create the activation key ("validation ID") that is sent by e-mail when establishing a password, which makes it easier for remote attackers to obtain the key and modify passwords for existing accounts or create new accounts.20060205 Easily exploitable Pseudo Random Number generator in phpbb version 2.0.19 and under.ADV-2006-04612294918727phpbb-weak-rnd(24573)The make_password function in ipsclass.php in Invision Power Board (IPB) 2.1.4 uses random data generated from partially predictable seeds to create the authentication code that is sent by e-mail to a user with a lost password, which might make it easier for remote attackers to guess the code and change the password for an IPB account, possibly involving millions of requests.Borland C++Builder 6 (BCB6) with Update Pack 4 Enterprise edition (ent_upd4) evaluates the "i>sizeof(int)" expression to false when i equals -1, which might introduce integer overflow vulnerabilities into applications that could be exploited by context-dependent attackers.20060206 [xfocus-SD-060206]BCB compiler incorrect deal sizeof operator vulnerability1015588bcb-compiler-integer-overflow(24514)22953Tiny C Compiler (TCC) 0.9.23 (aka TinyCC) evaluates the "i>sizeof(int)" expression to false when i equals -1, which might introduce integer overflow vulnerabilities into applications that could be exploited by context-dependent attackers.20060207 Re: [xfocus-SD-060206]BCB compiler incorrect deal sizeof operator vulnerability22956desktop.php in eyeOS 0.8.9 and earlier tests for the existence of the _SESSION variable before calling the session_start function, which allows remote attackers to execute arbitrary PHP code and possibly conduct other attacks by modifying critical assumed-immutable variables, as demonstrated using PHP code in the _SESSION[apps][eyeOptions.eyeapp][wrapup] variable.20060207 eyeOS <= 0.8.9 Remote Code ExecutionADV-2006-0466101560918757eyeos-desktop-file-include(24569)16537419Buffer overflow in cram.dll in QUALCOMM Eudora WorldMail 3.0 allows remote attackers to execute arbitrary code via an IMAP APPEND command with a long message literal argument, as demonstrated by Worldmail.pl. NOTE: this is a different vector and a different manipulation than CVE-2005-4267, so it might be a different vulnerability than CVE-2005-4267.20060204 (OLD) Eudora WorldMail 3.0 Windows 2000 Remote System ExploitSQL injection vulnerability in moderation.php in MyBB (aka MyBulletinBoard) 1.0.3 allows remote authenticated users, with certain privileges for moderating and merging posts, to execute arbitrary SQL commands via the posts parameter.20060207 [myimei]MyBB1.0.3~moderation.php~SqlInject while merging postsADV-2006-0475229571875416538Cross-site scripting (XSS) vulnerability in search.php in MyBB (aka MyBulletinBoard) 1.0.2 allows remote attackers with knowledge of the table prefix to inject arbitrary web script or HTML via a URL encoded value of the keywords parameter, as demonstrated by %3Cscript%3E.20060207 [myimei]MyBB 1.0.2 XSS attack in search.php20060208 Re: [myimei]MyBB 1.0.2 XSS attack in search.php mybb-search-xss(24466)Orbicule Undercover allows attackers with physical or root access to disable the protection by using the chmod command to change the permissions of the /private/etc/uc.app/Contents/MacOS/uc file, which prevents the service from being started in LaunchDaemon.20060202 Issues with security software: orbicule.com 'Undercover'Orbicule Undercover uses a third-party web server to determine the IP address through which the computer is accessing the Internet, but does not document this third-party disclosure, which leads to a potential privacy leak that might allow transmission of sensitive information to an unintended remote destination.20060202 Issues with security software: orbicule.com 'Undercover'Trend Micro ServerProtect 5.58, and possibly InterScan Messaging Security Suite and InterScan Web Security Suite, have a default configuration setting of "Do not scan compressed files when Extracted file count exceeds 500 files," which may be too low in certain circumstances, which allows remote attackers to bypass anti-virus checks by sending compressed archives containing many small files. NOTE: since this is related to a configuration setting that has an operational impact that might vary depending on the environment, and the product is claimed to report a message when the compressed file exceeds specified limits, perhaps this should not be included in CVE.20060203 Trend Micro ServerProtect version 5.58 can be easily circumvented via the mechanism that limits how many files to scan.20060203 Re: Trend Micro ServerProtect version 5.58 can be easily circumvented via the mechanism that limits how many files to scan.20060203 Re: Trend Micro ServerProtect version 5.58 can be easily circumvented via the mechanism that limits how many files to scan.20060205 RE: Trend Micro ServerProtect version 5.58 can be easily circumvented via the mechanism that limits how many files to scan.20060206 Fwd: Trend Micro ServerProtect version 5.58 can be easily circumvented via the mechanism that limits how many files to scan.16483 serverprotect-file-scanning-bypass(24658)Cross-site scripting (XSS) vulnerability in WiredRed e/pop Web Conferencing 4.1.0.755 allows remote authenticated users to inject arbitrary web script or HTML via the topic name of a conference.20060208 WiredRed EPOP XSS Vulnerability16542ADV-2006-050518753epop-topic-xss(24609)22997421Multiple directory traversal vulnerabilities in install.php in CPG-Nuke Dragonfly CMS (aka CPG Dragonfly CMS) 9.0.6.1 allow remote attackers to include and execute arbitrary local files via directory traversal sequences and a NUL (%00) character in (1) the newlang parameter and (2) the installlang parameter in a cookie, as demonstrated by using error.php to insert malicious code into a log file, or uploading a malicious .png file, which is then included using install.php.20060208 CPGNuke Dragonfly 9.0.6.1 remote commands execution through arbitrary local inclusion16546230581015601 cpg-dragonfly-file-include(24660)Tiny ASN.1 Library (libtasn1) before 0.2.18, as used by (1) GnuTLS 1.2.x before 1.2.10 and 1.3.x before 1.3.4, and (2) GNU Shishi, allows attackers to crash the DER decoder and possibly execute arbitrary code via "out-of-bounds access" caused by invalid input, as demonstrated by the ProtoVer SSL test suite.20060209 ProtoVer SSL: GnuTLS[gnutls-dev] 20060209 Libtasn1 0.2.18 - Tiny ASN.1 Library - Security release[gnutls-dev] 20060209 GnuTLS 1.2.10 - Security release[gnutls-dev] 20060209 GnuTLS 1.3.4 - Experimental - Security releaseFEDORA-2006-107MDKSA-2006:039RHSA-2006:0207ADV-2006-049623054101561218794188151883018832gnutls-libtasn1-der-dos(24606)GLSA-200602-08USN-251-11656818918188982006-0008DSA-986DSA-9851908019092MDKSA-2006:039446ld in SUSE Linux 9.1 through 10.0, and SLES 9, in certain circumstances when linking binaries, can leave an empty RPATH or RUNPATH, which allows local attackers to execute arbitrary code as other users via by running an ld-linked application from the current directory, which could contain an attacker-controlled library file.SUSE-SA:2006:0071658118811LDAP service in Sun Java System Directory Server 5.2, running on Linux and possibly other platforms, allows remote attackers to cause a denial of service (memory allocation error) via an LDAP packet with a crafted subtree search request, as demonstrated using the ProtoVer LDAP test suite.[Dailydave] 20060208 Sun Directory Server 5.2 fun[Dailydave] 20060210 ??? Sun Directory Server 5.2 fun ???ADV-2006-0492187691015604sun-java-ldap-dos(24605)16550102294Multiple directory traversal vulnerabilities in PHP iCalendar 2.0.1, 2.1, and 2.2 allow remote attackers to include arbitrary files via the (1) getdate and possibly other parameters used in the replace_files function in search.php and (2) $file variable as used in the parse function in functions/template.php.20060208 [eVuln] PHP iCalendar File Inclusion Vulnerability16557ADV-2006-049318778phpicalendar-template-search-file-include(24591)420Cross-site scripting (XSS) vulnerability in DataparkSearch before 4.37 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.ADV-2006-04881875116572 dataparksearch-scripts-xss(24627)Cross-site scripting (XSS) vulnerability in cpaint2.inc.php in the CPAINT library before 2.0.3, as used in multiple scripts, allows remote attackers to inject arbitrary web script or HTML via the cpaint_response_type parameter, which is displayed in a resulting error message, as demonstrated using a hex-encoded IFRAME tag.20060210 CPAINT AJAX Library Cross Site ScriptingADV-2006-048718765cpaint-response-type-xss(24594)165591015608SQL injection vulnerability in index.php in vwdev allows remote attackers to execute arbitrary SQL commands via the UID parameter in the definition Page.16547101559422991 vwdev-uid-sql-injection(24583)WHMCompleteSolution (WHMCS) before 2.3 assigns incorrect permissions to "resellers", which allows remote authenticated users to perform privileged actions or obtain sensitive information. NOTE: this report is based on a vendor bug report that identified "incorrect permissions." However, the vendor did not label it a security issue, and there was no statement regarding whether or not the permissions were actually more permissive than intended. If in fact the permissions were more restrictive than intended, then this would be a functional problem but not a vulnerability.16560ADV-2006-0484whmcs-resellers-insecure-permissions(24597)Multiple SQL injection vulnerabilities in Hinton Design phpht Topsites 1.3 allow remote attackers to execute arbitrary SQL commands via multiple vectors including the username parameter.1878220060211 [eVuln] phpht Topsites Multiple Vulnerabilities16562check.php in Hinton Design phpht Topsites 1.3 does not validate passwords when using cookies, which allows remote attackers to bypass authentication via unspecified cookies.1878220060211 [eVuln] phpht Topsites Multiple Vulnerabilities16562Multiple cross-site scripting (XSS) vulnerabilities in (1) link_edited.php and (2) link_added.php in Hinton Design phpht Topsites 1.3 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.1878220060211 [eVuln] phpht Topsites Multiple Vulnerabilities16562Directory traversal vulnerability in HP Systems Insight Manager 4.2 through 5.0 SP3 for Windows allows remote attackers to access arbitrary files via unspecified vectors, a different vulnerability than CVE-2005-2006.HPSBMA0209616571ADV-2006-0497187891015605Cross-site scripting (XSS) vulnerability in Softcomplex PHP Event Calendar 1.5 allows remote authenticated users to inject arbitrary web script or HTML, and corrupt data, via the (1) username and (2) password parameters, which are not sanitized before being written to users.php. NOTE: while this issue was originally reported as XSS, the primary issue might be direct static code injection with resultant XSS.1879216588ADV-2006-05072307123072phpeventcalendar-users-xss(24523)442Incomplete blacklist vulnerability in connector.php in FCKeditor 2.0 and 2.2, as used in products such as RunCMS, allows remote attackers to upload and execute arbitrary script files by giving the files specific extensions that are not listed in the Config[DeniedExtensions][File], such as .php.txt.18767ADV-2006-050220060209 runCMS <= 1.3a2 possible remote code execution through the integrated FCKEditor package 3702Multiple PHP remote file include vulnerabilities in RunCMS 1.2 and earlier, with register_globals and allow_url_fopen enabled, allow remote attackers to execute arbitrary code via the bbPath[path] parameter in (1) class.forumposts.php and (2) forumpollrenderer.php.Successful exploitation requires that both "register_globals" and "allow_url_fopen" are enabled.18800ADV-2006-050320060209 runCMS <= 1.3a2 possible remote code execution through the integrated FCKEditor package16578Multiple directory traversal vulnerabilities in FarsiNews 2.5 and earlier allows remote attackers to (1) read arbitrary files or trigger an error message path disclosure via ".." or invalid names in the archive parameter to index.php, or (2) include arbitrary files via the template parameter to show_archives.php.165801876820060210 FarsiNews 2.5 Multiple VulnerabilitiesADV-2006-0506230202302123022farsinews-index-directory-traversal(24602)farsinews-showarchives-file-include(24598)Cross-site scripting (XSS) vulnerability in Scriptme SmE GB Host 1.21 and SmE Blog Host allows remote attackers to inject arbitrary web script or HTML via the BBcode url tag.1878616585ADV-2006-0504 sme-bbcode-xss(24543)447Cross-site scripting (XSS) vulnerability in Lotus Domino iNotes Client 6.5.4 allows remote attackers to inject arbitrary web script or HTML via email with attached html files, which are directly rendered in the browser.16340domino-webaccess-subject-xss(24612)16577ADV-2006-0499230771015610Multiple cross-site scripting (XSS) vulnerabilities in Lotus Domino iNotes Client 6.5.4 and 7.0 allow remote attackers to inject arbitrary web script or HTML via (1) an email subject; (2) an encoded javascript URI, as demonstrated using "java script:"; or (3) when the Domino Web Access ActiveX control is not installed, via an email attachment filename.This vulnerability is addressed in the following product releases: IBM, Lotus Domino iNotes Client, 6.5.5 IBM, Lotus Domino iNotes Client, 7.0.1IBM Lotus Domino iNotes Client Script Insertion Vulnerabilities1634016577ADV-2006-04992307723078230791015610domino-webaccess-attachment-xss(24611)domino-webaccess-filename-xss(24614)domino-webaccess-javascript-xss(24613)Cross-site scripting (XSS) vulnerability in config_defaults_inc.php in Mantis before 1.0 allows remote attackers to inject arbitrary web script or HTML via unknown attack vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. An original vendor bug report is referenced, but not accessible to the general public.16561ADV-2006-0485mantis-configdefaultsinc-xss(24585)DSA-113321400Unspecified vulnerability in (1) query_store.php and (2) manage_proj_create.php in Mantis before 1.0.0 has unknown impact and attack vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. An original vendor bug report is referenced, but not accessible to the general public.16561ADV-2006-0485DSA-113321400Unspecified vulnerability in the (1) unix_mp and (2) unix_64 kernels in IBM AIX 5.3 VRMF 5.3.0.30 through 5.3.0.33 allows local users to cause a denial of service (system crash) via unknown vectors related to EMULATE_VMX.IY7959516624ADV-2006-05732312718795 aix-kernel-dos(24711)lscfg in IBM AIX 5.2 and 5.3 allows local users to modify arbitrary files via a symlink attack.IY77624IY77638ADV-2005-20961015622SQL injection vulnerability in index.php in PwsPHP 1.2.3 allows remote attackers to execute arbitrary SQL commands via the id parameter, possibly in message.php in the espace_membre module. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.1656719023** DISPUTED ** Multiple SQL injection vulnerabilities in archive.asp in GA's Forum Light allow remote attackers to execute arbitrary SQL commands via the (1) Forum and (2) pages parameter. NOTE: SecurityTracker says that the vendor has disputed this issue, saying that GA Forum Light does not use an SQL database. SecurityTracker's research indicates that the original problem could be due to a vbscript parsing error based on invalid arguments.165631015600[VIM] 20060220 vendor dispute for CVE-2006-06692308523509 gasforumlight-archive-sql-injection(24616)Buffer overflow in l2cap.c in hcidump 1.29 allows remote attackers to caues a denial of service (crash) through a wireless Bluetooth connection via a malformed Logical Link Control and Adaptation Protocol (L2CAP) packet.20060206 [ Secuobs - Advisory ] Bluetooth : DoS on hcidump 1.29 + PoC20060206 [ Secuobs - Advisory ] Bluetooth : DoS on hcidumpADV-2006-047918741hcidump-bluetooth-dos(24533)MDKSA-2006:041USN-256-12305618971DSA-99019122MDKSA-2006:041465Buffer overflow in Sony Ericsson K600i, V600i, W800i, and T68i cell phone allows remote attackers to caues a denial of service (reboot or shutdown) through a wireless Bluetooth connection via a malformed Logical Link Control and Adaptation Protocol (L2CAP) packet whose length field is less than the actual length of the packet.20060206 [ Secuobs - Advisory ] Bluetooth : DoS on Sony/Ericsson cell phones20060206 [Full-disclosure] [ Secuobs - Advisory ] Bluetooth : DoS onADV-2006-047818747sony-bluetooth-dos(24534)16512Unspecified vulnerability in HP PSC 1210 All-in-One Drivers before 1.0.06 has unknown impact and attack vectors.16583ADV-2006-049818770Multiple SQL injection vulnerabilities in cms/index.php in Magic Calendar Lite 1.02, with magic_quotes_gpc disabled, allow remote attackers to execute arbitrary SQL commands via the (1) $total_login and (2) $total_password parameter.ADV-2006-0525magiccalendar-index-sql-injection(24588)20060220 [eVuln] Magic Calendar Lite Authentication Bypass1664616734188551015650459Buffer overflow in the arp command of IBM AIX 5.3 L, 5.3, 5.2.2, 5.2 L, and 5.2 allows local users to cause a denial of service (crash) via a long iftype argument.IY81476IY8142416584ADV-2006-053118773aix-arp-iftype-bo(24628)Cross-site scripting (XSS) vulnerability in search.php in Siteframe 5.0.1 allows remote attackers to inject arbitrary web script or HTML via the q parameter.ADV-2006-05331880416596siteframe-search-request-xss(24649)20060212 Siteframe Beaumont 5.0.1a <== Cross-Site Scripting VulnerabilityCross-site scripting (XSS) vulnerability in header.php in PHP-Nuke 6.0 to 7.8 allows remote attackers to inject arbitrary web script or HTML via the pagetitle parameter.ADV-2006-0542188201660820060214 [waraxe-2006-SA#044] - XSS in phpNuke 7.8 and older versionsphpnuke-header-xss(24650)425telnetd in Heimdal 0.6.x before 0.6.6 and 0.7.x before 0.7.2 allows remote unauthenticated attackers to cause a denial of service (server crash) via unknown vectors that trigger a null dereference.[heimdal-discuss] 20060206 Heimdal 0.7.2 and 0.6.6DSA-977USN-253-12324418894SUSE-SA:2006:0111667619005ADV-2006-0456ADV-2006-0628ADV-2006-065318961heimdal-telnetd-dos(24763)449PostgreSQL 7.3.x before 7.3.14, 7.4.x before 7.4.12, 8.0.x before 8.0.7, and 8.1.x before 8.1.3, when compiled with Asserts enabled, allows local users to cause a denial of service (server crash) via a crafted SET SESSION AUTHORIZATION command, a different vulnerability than CVE-2006-0553.OpenPKG-SA-2006.004ADV-2006-0605188902006-0008USN-258-11665010156361901519035postgresql-setsessionauth-dos(24719)498SQL injection vulnerability in index.php in the Your_Account module in PHP-Nuke 7.8 and earlier allows remote attackers to execute arbitrary SQL commands via the username variable (Nickname field).20060216 Critical SQL Injection PHPNuke <= 7.8 - Your_Account module16691ADV-2006-06361893123259phpnuke-youraccount-sql-injection(24769)20060216 Critical SQL Injection PHPNuke <= 7.8 - Your_Account moduleUnspecified vulnerability in WebGUI before 6.8.6-gamma allows remote attackers to create an account, when anonymous registration is disabled, via a certain URL.ADV-2006-05411881916612 webgui-anonymous-bypass-security(24695)Format string vulnerability in powerd.c in Power Daemon (powerd) 2.0.2 and earlier allows remote attackers to execute arbitrary code via format string specifiers in the WHATIDO variable.ADV-2006-05451884116582 powerdaemon-syslog-format-string(24713)Multiple cross-site scripting (XSS) vulnerabilities in bbcodes system in e107 before 0.7.2 allow remote attackers to inject arbitrary web script or HTML via unknown attack vectors.ADV-2006-05401881616614e107-bbcode-xss(24625)Cross-site scripting (XSS) vulnerability in Virtual Hosting Control System (VHCS) 2.4.7.1 with v.1 patch and earlier allows remote attackers to inject arbitrary web script or HTML via the username, which is recorded in a log file but not properly handled when the administrator uses the admin log utility to read the log file.ADV-2006-05341879920060211 RS-2006-1: Multiple flaws in VHCS 2.x16600 vhcs-admin-xss(24664)change_password.php in Virtual Hosting Control System (VHCS) 2.4.7.1 and earlier does not verify the old password when a user changes the password, which may allow remote attackers to gain unauthorized access.ADV-2006-05341879920060211 RS-2006-1: Multiple flaws in VHCS 2.x16600 vhcs-change-password-weakness(24665)The check_login function in login.php in Virtual Hosting Control System (VHCS) 2.4.7.1 and earlier does not exit when authentication fails, which allows remote attackers to gain unauthorized access.ADV-2006-05341879920060211 RS-2006-1: Multiple flaws in VHCS 2.x16600 vhcs-checklogin-auth-bypass(24666)add_user.php in Virtual Hosting Control System (VHCS) 2.4.7.1 and earlier does not check user privileges when adding a new administrative user, which allows remote attackers to gain unauthorized access.ADV-2006-05341879920060211 RS-2006-1: Multiple flaws in VHCS 2.x16600 vhcs-adduser-privilege-escalation(24667)430process.php in DocMGR 0.54.2 does not initialize the $siteModInfo variable when a direct request is made, which allows remote attackers to include arbitrary local files or possibly remote files via a modified includeModule and siteModInfo variable.ADV-2006-0544188031660120060212 DocMGR <= 0.54.2 arbitrary remote inclusion docmgr-process-file-include(24694)428PHP remote file include vulnerability in application.php in nicecoder.com indexu 5.0.0 and 5.0.1 allows remote attackers to execute arbitrary PHP code via a URL in the base_path parameter.20060209 [ECHO_ADV_27$2006] Indexu <= 5.0.1 Remote File Inclusion18752ADV-2006-049410156071656522989indexu-application-file-include(24603)Cross-site scripting (XSS) vulnerability in the Registration Form in TTS Time Tracking Software 3.0 allows remote attackers to inject arbitrary web script or HTML via the UserName parameter.timetracking-registration-xss(24572)20060219 [eVuln] Time Tracking Software Multiple Vulnerabilities16630ADV-2006-052418854Multiple SQL injection vulnerabilities in TTS Time Tracking Software 3.0 allow remote attackers to execute arbitrary SQL commands via unspecified vectors.timetracking-multiple-sql-injection(24571)20060219 [eVuln] Time Tracking Software Multiple Vulnerabilities16630ADV-2006-052418854edituser.php in TTS Time Tracking Software 3.0 does not verify that the name and password are correct, which allows remote attackers to overwrite arbitrary data belonging to any account.timetracking-edituser-auth-bypass(24570)20060219 [eVuln] Time Tracking Software Multiple Vulnerabilities1663016731ADV-2006-052418854Multiple SQL injection vulnerabilities in Carey Briggs PHP/MYSQL Timesheet 1 and 2 allow remote attackers to execute arbitrary SQL commands via the (1) yr, (2) month, (3) day, and (4) job parameters in (a) index.php and (b) changehrs.php.The vendor has supplied a patch which is available at: http://www.hotscripts.com/Detailed/51138.htmlphpmysqltimesheet-multiple-sql-injection(24567)20060217 [eVuln] PHP/MYSQL Timesheet Multiple SQL Injection Vulnerabilities16620ADV-2006-052218822451Multiple SQL injection vulnerabilities in rb_auth.php in Roberto Butti CALimba 0.99.2 beta and earlier allow remote attackers to execute arbitrary SQL commands and bypass login authentication via the (1) login and (2) password parameters.calimba-rbauth-sql-injection(24578)20060217 [eVuln] CALimba Authentication Bypass Vulnerability16632ADV-2006-052318856453Unspecified vulnerability in the loaders (load_*.php) in Ansilove before 1.03 allows remote attackers to read arbitrary files via unspecified vectors involving "converting files accessible by the webserver".ADV-2006-05361881016603 ansilove-load-information-disclosure(24681)Ansilove before 1.03 does not filter uploaded file extensions, which allows remote attackers to execute arbitrary code by uploading arbitrary files with dangerous extensions, then accessing them directly in the upload directory.ADV-2006-05361881016603 ansilove-filename-code-execution(24684)SQL injection vulnerability in Zen Cart before 1.2.7 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.ADV-2006-05461880123110zencart-multiple-sql-injection(24701)Zen Cart before 1.2.7 does not protect the admin/includes directory, which allows remote attackers to cause unknown impact via unspecified vectors, probably direct requests.ADV-2006-054618801Unspecified vulnerabilities in Zen Cart before 1.2.7 allow remote attackers to cause unknown impact via unspecified vectors related to "other attempted exploits" other than SQL injection.ADV-2006-054618801zencart-multiple-sql-injection(24701)Cross-site scripting (XSS) vulnerability in search.php in QWikiWiki 1.5, and possibly 1.5.1 and other versions, allows remote attackers to inject arbitrary web script or HTML via the query parameter.ADV-2006-05621881416638qwikiwiki-search-xss(24669)imageVue 16.1 allows remote attackers to obtain folder permission settings via a direct request to dir.php, which returns an XML document that lists folders and their permissions.20060211 imageVue16.1 upload vulnerability1659418802imagevue-multiple-information-disclosure(24641)ADV-2006-0570readfolder.php in imageVue 16.1 allows remote attackers to list directories via modified path and ext parameters.20060211 imageVue16.1 upload vulnerability1659418802imagevue-multiple-information-disclosure(24641)ADV-2006-0570admin/upload.php in imageVue 16.1 allows remote attackers to upload arbitrary files to certain allowed folders via .. (dot dot) sequences in the path parameter. NOTE: due to the lack of details, the specific vulnerability type cannot be determined, although it might be due to directory traversal.20060211 imageVue16.1 upload vulnerability1659418802ADV-2006-0570 imagevue-upload-file-upload(24633)Unspecified vulnerability in index.php in imageVue 16.1 has unknown impact, probably a cross-site scripting (XSS) vulnerability involving the query string that is not quoted when inserted into style and body tags, as demonstrated using a bgcol parameter.20060211 imageVue16.1 upload vulnerability1659418802ADV-2006-057020060719 Re: imageVue16.1 upload vulnerability20061029 Re: imageVue16.1 upload vulnerability imagevue-index-sql-injection(24642)429iE Integrator 4.4.220114, when configured without a "bespoke error page" in acm.ini, allows remote attackers to obtain sensitive information via a URL that calls a non-existent .aspx script in the integrator/apps directory, which results in an error message that displays the installation path, web server name, IP, and port, session cookie information, and the IIS system username.ADV-2006-056818813 ieintegrator-error-information-disclosure(24714)Format string vulnerability in a logging function as used by various SFTP servers, including (1) AttachmateWRQ Reflection for Secure IT UNIX Server before 6.0.0.9, (2) Reflection for Secure IT Windows Server before 6.0 build 38, (3) F-Secure SSH Server for Windows before 5.3 build 35, (4) F-Secure SSH Server for UNIX 3.0 through 5.0.8, (5) SSH Tectia Server 4.3.6 and earlier and 4.4.0, and (6) SSH Shell Server 3.2.9 and earlier, allows remote authenticated users to execute arbitrary commands via unspecified vectors, involving crafted filenames and the stat command.VU#41924116625ADV-2006-0554ADV-2006-05551015619188281884316640sftp-logging-format-string(24651) GLSA-200703-13 24516HPSBTU02322ADV-2008-100829552Cross-site scripting vulnerability in eintrag.php in G&#xe4;stebuch (Gastebuch) before 1.3.3 allows remote attackers to inject arbitrary web script or HTML via the URL, which is used in the homepage parameter.This vulnerability is addressed in the following product release: Gastebuch, Gastebuch, 1.3.320060213 XSS vulnerability in guestbook-php-scriptADV-2006-05661884920060213 XSS vulnerability in guestbook-php-script16615gastebuch-homepage-xss(24670)20060213 XSS vulnerability in guestbook-php-script20060213 XSS vulnerability in guestbook-php-script20060213 XSS vulnerability in guestbook-php-script20060213 XSS vulnerability in guestbook-php-scriptPyBlosxom before 1.3.2, when running on certain webservers, allows remote attackers to read arbitrary files via an HTTP request with multiple leading / (slash) characters, which is accessed using the PATH_INFO variable.ADV-2006-05711885816641 pyblosxom-pathinfo-information-disclosure(24730)Multiple buffer overflows in NullSoft Winamp 5.13 and earlier allow remote attackers to execute arbitrary code via (1) an m3u file containing a long URL ending in .wma, (2) a pls file containing a File1 field with a long URL ending in .wma, or (3) an m3u file with a long filename, variants of CVE-2005-3188 and CVE-2006-0476.20060213 New winamp m3u/pls .WMA & .M3U Extension overflows166231015621ADV-2006-0613 winamp-m3u-filename-bo(24741) winamp-m3u-wma-bo(24740) winamp-pls-file1-bo(24739)444492Buffer overflow in Metamail 2.7-50 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via e-mail messages with a long boundary attribute, a different vulnerability than CVE-2004-0105.16611ADV-2006-056518796MDKSA-2006:047RHSA-2006:021710156541898719000SUSE-SR:2006:00519130DSA-99519226GLSA-200603-1619304 metamail-boundary-bo(24702)Double free vulnerability in isode.eddy in Isode M-Vault Server 11.3 allows remote attackers to execute arbitrary code via a crafted LDAP request, as demonstrated by ProtoVer Sample LDAP.[Dailydave] 20060213 eddy 0day16635ADV-2006-056718818isode-mvault-ldap-dos(24700)The (1) addfolder and (2) deletefolder functions in neomail-prefs.pl in NeoMail 1.28 do not validate the Session ID, which allows remote attackers to add and delete arbitrary files, when configured with homedirfolders and homedirspools disabled.ADV-2006-05641878516651 neomail-neomailprefs-bypass-security(24737)mail_html template in Squishdot 1.5.0 and earlier does not properly validate the (1) email and (2) title variables, which allows remote attackers to bypass spam filters by injecting SMTP headers, probably due to a CRLF injection vulnerability.ADV-2006-05511666718868squishdot-mailhtml-header-injection(24659)Directory traversal vulnerability in LinPHA 1.0 allows remote attackers to include arbitrary files via .. (dot dot) sequences in the (1) lang parameter in docs/index.php and the language parameter in (2) install/install.php, (3) install/sec_stage_install.php, (4) install/third_stage_install.php, and (5) install/forth_stage_install.php. NOTE: direct static code injection is resultant from this issue, as demonstrated by inserting PHP code into the username, which is inserted into linpha.log, which is accessible from the directory traversal.20060211 Linpha <= 1.0 multiple arbitrary local inclusion16592ADV-2006-053518808 linpha-index-file-include(24663)426Directory traversal vulnerability in the installation file (sql/install-0.9.7.php) in Flyspray 0.9.7 allows remote attackers to include arbitrary files via a .. (dot dot) sequence in the adodbpath parameter.20060213 EGS Enterprise Groupware System 1.0 rc4 remote commands execution & FlySpray 0.9.7 remote commands execution16618ADV-2006-056918847 flyspray-adodbpath-file-include(24735)432Cross-site scripting (XSS) vulnerability in sNews 1.3 allows remote attackers to inject arbitrary web script or HTML via the comment field.20060214 XSS bugs and SQL injection in sNews1664720060214 XSS and SQL injection in sNewssnews-comment-xss(24674)SQL injection vulnerability in index.php in sNews 1.3 allows remote attackers to execute arbitrary SQL commands via the (1) category and (2) id parameters.20060214 XSS bugs and SQL injection in sNews1664720060214 XSS and SQL injection in sNewssnews-index-sql-injection(24675)431IBM Tivoli Directory Server 6.0 allows remote attackers to cause a denial of service (crash) via a crafted LDAP request, as demonstrated by test 2532 in the ProtoVer Sample LDAP test suite.[Dailydave] 20060211 IBM Tivoli Directory Server 0day16593ADV-2006-053718779tivoli-directory-ldap-dos(24619)1015653The Internet Key Exchange version 1 (IKEv1) implementation in Avaya VSU 100, 2000, 7500, 10000, and CSU 5000, when running IPSec, allows remote attackers to cause a denial of service (crash) via certain IKE packets, as demonstrated by the PROTOS ISAKMP Test Suite for IKEv1. NOTE: due to the lack of details in the advisory, it is unclear which of CVE-2005-3666, CVE-2005-3667, and/or CVE-2005-3668 this issue applies to.VU#2263641661318836SQL injection vulnerability in member_login.php in PHP Classifieds 6.18 through 6.20 allows remote attackers to execute arbitrary SQL commands via the (1) username parameter, which is used by the E-mail address field, and (2) password parameter.20060214 SQL injection in PHP Classifieds 6.2016642ADV-2006-060018881424Stack-based buffer overflow in Nullsoft Winamp 5.12 and 5.13 allows user-assisted attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted .m3u file that causes an incorrect strncpy function call when the player pauses or stops the file.20060223 NSFOCUS SA2006-01 : Winamp m3u File Processing Buffer Overflow Vulnerability167851015675 winamp-m3u-wma-bo(24740)476SQL injection vulnerability in pmlite.php in RunCMS 1.2 and 1.3a allows remote attackers to execute arbitrary SQL commands via the to_userid parameter.166521883120060216 RUNCMS 1.3a SQL injectionruncms-pmlite-sql-injection(24676)ADV-2006-05721015626settings.php in Reamday Enterprises Magic Downloads 1.1.3, when register_globals is enabled, allows remote attackers to modify program behavior, potentially bypassing authentication controls, via modified (1) action, (2) passwd, (3) admin_password, (4) new_passwd, and (5) confirm_passwd variables, which are not initialized.ADV-2006-06021887716665 20060221 [eVuln] Magic Downloads Unauthorized Data Modification magicdownloads-settings-access(24615)468PHP remote file inclusion vulnerability in preview.php in Reamday Enterprises Magic News Lite 1.2.3, when register_globals is enabled, allows remote attackers to include arbitrary files via a URL in the php_script_path parameter.ADV-2006-0603188781666016665magicnewslite-preview-file-include(24608)profile.php in Reamday Enterprises Magic News Lite 1.2.3, when register_globals is enabled, allows remote attackers to modify program behavior, potentially bypassing authentication controls, via modified (1) action, (2) passwd, (3) admin_password, (4) new_passwd, and (5) confirm_passwd variables, which are not initialized.ADV-2006-06031887816665 magicnewslite-profile-access(24610)PHP remote file inclusion vulnerability in prepend.php in Plume CMS 1.0.2, when register_globals is enabled, allows remote attackers to include arbitrary files via a URL in the _PX_config[manager_path] parameter. NOTE: this is a different executable and affected version than CVE-2006-2645.ADV-2006-05991888310156241666223204plumecms-prepend-file-include(24697)plumecms-frontinc-prepend-file-include(27699)Cross-site scripting (XSS) vulnerability in linking.php in CPG-Nuke Dragonfly CMS 9.0.6.1 allows remote attackers to inject arbitrary web script or HTML via a URI that is generated when creating a list of online users.230601678118919 ADV-2006-0688 cpg-dragonfly-linking-xss(24842)SQL injection vulnerability in mstrack.php in MusOX DF MSAnalysis (DFMSA), as used in some environments that use CPG-Nuke Dragonfly CMS, allows remote attackers to trigger path disclosure from a SQL syntax error, and possibly execute arbitrary SQL commands, via certain query data, probably involving the profile name.230601678323250 ADV-2006-0688SQL injection vulnerability in search.php in webSPELL 4.01.00 and earlier allows remote attackers to inject arbitrary SQL commands via the title_op parameter.ADV-2006-06061888516673webspell-search-sql-injection(24708)SQL injection vulnerability in functions.php in Teca Diary PE 1.0 allows remote attackers to execute arbitrary SQL commands via the (1) yy, (2) mm, and (3) dd parameters.tecadiary-functions-sql-injection(24643)18876ADV-2006-0615101567416686 20060223 [eVuln] Teca Diary PE SQL Injection Vulnerability477Multiple unspecified vulnerabilities in Dovecot before 1.0beta3 allow remote attackers to cause a denial of service (application crash or hang) via unspecified vectors involving (1) "potential hangs" in the APPEND command and "potential crashes" in (2) dovecot-auth and (3) imap/pop3-login. NOTE: vector 2 might be related to a double free vulnerability.[Dovecot] 20060208 1.0beta3 releasedADV-2006-05491887016672dovecot-append-dos(24709)WmRoot/adapter-index.dsp in SAP Business Connector Core Fix 7 and earlier allows remote attackers to conduct spoofing (phishing) attacks via an absolute URL in the url parameter, which loads the URL inside a frame.20060215 CYBSEC - Security Pre-Advisory: Phishing Vector in SAP BCADV-2006-061118880166711015639sapbc-admin-spoofing(24751)20060515 CYBSEC - Security Advisory: Phishing Vector in SAP BC (BusinessConnector)Directory traversal vulnerability in SAP Business Connector (BC) 4.6 and 4.7 allows remote attackers to read or delete arbitrary files via the the fullName parameter to (1) sapbc/SAP/chopSAPLog.dsp or (2) invoke/sap.monitor.rfcTrace/deleteSingle. Details will be updated after the grace period has ended. NOTE: SAP Business Connector is an OEM version of webMethods Integration Server. webMethods states that this issue can only occur when the product is installed as root/admin, and if the attacker has access to a general purpose port; however, both are discouraged in the documentation. In addition, the attacker must already have acquired administrative privileges through other means.Apply patches (see SAP note 906401 and 908349).20060215 CYBSEC - Security Pre-Advisory: Arbitrary File Read/Delete in SAPBCADV-2006-06111888016668101563920060515 CYBSEC - Security Advisory: Arbitrary File Read/Delete in SAP BC (Business Connector)1016122 20060515 CYBSEC - Security Advisory: Arbitrary File Read/Delete in SAP BC(Business Connector) 1016090** DISPUTED ** Cross-site scripting (XSS) vulnerability in WordPress 2.0.0 allows remote attackers to inject arbitrary web script or HTML via scriptable attributes such as (1) onfocus and (2) onblur in the "author's website" field. NOTE: followup comments to the researcher's web log suggest that this issue is only exploitable by the same user who injects the XSS, so this might not be a vulnerability.20060214 [myimei]WordPress2.0.0~autors?website~XSS attack16656 wordpress-authorswebsite-xss(24736)The SV_CheckForDuplicateNames function in Valve Software Half-Life CSTRIKE Dedicated Server 1.6 and earlier allows remote authenticated users to cause a denial of service (infinite loop and daemon hang) via a backslash character at the end of a connection string to UDP port 27015.16619halflife-svcheckforduplicatenames-dos(33505)Cross-site scripting (XSS) vulnerability in BBcode.pm in M. Blom HTML::BBCode 1.04 and earlier, as used in products such as My Blog before 1.65, allows remote attackers to inject arbitray Javascript via a javascript URI in an (1) img or (2) url BBcode tag.20060215 [eVuln] My Blog BBCode XSS Vulnerabilities1665920060215 [eVuln] M. Blom HTML::BBCode perl module XSS Vulnerabilities18905ADV-2006-0614ADV-2006-064218925myblog-bbcode-xss(24668)Stack-based buffer overflow in the pam_micasa PAM authentication module in CASA on Novell Linux Desktop 9 and Open Enterprise Server 1 allows remote attackers to execute arbitrary code via unspecified vectors.SUSE-SA:2006:01016779ADV-2006-069318995eStara SIP softphone allows remote attackers to cause a denial of service (crash) via a SIP OPTIONS request with a negative Expires field.20060214 eStara SIP softphone several message-processing vulnerabilitiesADV-2006-06071887216629 estara-neg-integer-dos(24677)Multiple format string vulnerabilities in eStara SIP softphone allow remote attackers to cause a denial of service (hang) via SIP INVITE requests with format string specifiers in the SDP session description, as demonstrated using (1) the field name, (2) the o field (owner/creator and session identifier), or (3) the m field (media name and transport address).20060214 eStara SIP softphone several message-processing vulnerabilitiesADV-2006-06071887216629 estara-sdp-format-string(24678)eStara SIP softphone allows remote attackers to cause a denial of service (crash) via an INVITE request with a Content-Length field that has more than 9 digits.20060214 eStara SIP softphone several message-processing vulnerabilitiesADV-2006-060718872estara-content-length-dos(24679)16629Linux kernel before 2.6.15.5, when running on Intel processors, allows local users to cause a denial of service ("endless recursive fault") via unknown attack vectors related to a "bad elf entry address."ADV-2006-0804FEDORA-2006-13110157241908319108kernel-elf-dos(25001)USN-263-11692519220MDKSA-2006:059RHSA-2006:049320237DSA-109720671SUSE-SA:2006:028DSA-1103ADV-2006-255420914RHSA-2006:043721136217452039821983 MDKSA-2007:025 23607MDKSA-2006:059MDKSA-2007:025The die_if_kernel function in arch/ia64/kernel/unaligned.c in Linux kernel 2.6.x before 2.6.15.6, possibly when compiled with certain versions of gcc, has the "noreturn" attribute set, which allows local users to cause a denial of service by causing user faults on Itanium systems.This vulnerability affects all verison of Linux kernel 2.6.x before 2.6.15.6, and may be exclusive to Itanium systems.ChangeLog-2.6.15.6ADV-2006-085619078USN-263-11699319220MDKSA-2006:059DSA-109720671SUSE-SA:2006:028DSA-1103ADV-2006-255420914RHSA-2006:043721136RHSA-2006:057521465203982198322417 20060402-01-U 23660 19607 kernel-dieifkernel-dos(25068)MDKSA-2006:059Format string vulnerability in LocalSyslogAppender in Apache log4net 1.2.9 might allow remote attackers to cause a denial of service (memory corruption and termination) via unknown vectors.LOG4NET-671709519241ADV-2006-095523905log4net-localsyslogappender-dos(25196)SUSE-SR:2006:026 22932Linux kernel before 2.6.16.5 does not properly handle uncanonical return addresses on Intel EM64T CPUs, which reports an exception in the SYSRET instead of the next instruction, which causes the kernel exception handler to run on the user stack with the wrong GS.1963917541ADV-2006-13902463919735linux-uncanonical-addr-dos(25869)MDKSA-2006:08620157RHSA-2006:049320237SUSE-SA:2006:028USN-302-120716DSA-1103ADV-2006-255420914RHSA-2006:04372113621179SUSE-SA:2006:047MDKSA-2006:150217452039821983 FEDORA-2006-423 ADV-2006-1475 21498MDKSA-2006:086MDKSA-2006:150X.Org server (xorg-server) 1.0.0 and later, X11R6.9.0, and X11R7.0 inadvertently treats the address of the geteuid function as if it is the return value of a call to geteuid, which allows local users to bypass intended restrictions and (1) execute arbitrary code via the -modulepath command line option or (2) overwrite arbitrary files via -logfile.20060320 [CVE-2006-0745] X.Org Security Advisory: privilege escalation and DoS in X11R6.9, X11R7.020060320 Re: [CVE-2006-0745] X.Org Security Advisory: privilege escalation and DoS in X11R6.9, X11R7.0MDKSA-2006:0561716919311SUSE-SA:2006:016FEDORA-2006-172102252ADV-2006-1017ADV-2006-102824000240011015793192561930719316xorg-geteuid-privilege-escalation(25341)19676oval:org.mitre.oval:def:1697MDKSA-2006:056606Certain patches for kpdf do not include all relevant patches from xpdf that were associated with CVE-2005-3627, which allows context-dependent attackers to exploit vulnerabilities that were present in CVE-2005-3627.MDKSA-2006:054RHSA-2006:02621918919190DSA-10081926420060310 [KDE Security Advisory] kpdf of KDE 3.3.x heap based buffer overflow170391015751kde-kpdf-patch-bo(25146)MDKSA-2006:054566Integer underflow in Freetype before 2.2 allows remote attackers to cause a denial of service (crash) via a font file with an odd number of blue values, which causes the underflow when decrementing by 2 in a context that assumes an even number of values.20060612 rPSA-2006-0100-1 freetypeDSA-1095MDKSA-2006:099USN-291-118326205252059120638SUSE-SA:2006:03720791RHSA-2006:05002106220060701-01-U1016522211352138521701102705ADV-2007-038123939MDKSA-2006:099Mozilla Firefox and Thunderbird 1.x before 1.5.0.2 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0.1 allows remote attackers to execute arbitrary code via "an invalid and non-sensical ordering of table-related tags" that results in a negative array index.This vulnerability also affects Mozilla Suite before 1.7.1322066ADV-2008-008317516ADV-2006-135620060426 ZDI-06-011: Mozilla Firefox Table Rebuilding Code Execution VulnerabilityDSA-1044GLSA-200604-12MDKSA-2006:075MDKSA-2006:076MDKSA-2006:078197591979419821DSA-1046GLSA-200604-18USN-275-120060404-01-USUSE-SA:2006:022198111982319852198621986319902DSA-1051USN-276-11995019941GLSA-200605-09RHSA-2006:0329RHSA-2006:0330FLSA:189137-1FLSA:189137-2HPSBUX02122SCOSA-2006.2621033102550ADV-2006-339121622HPSBUX02153HPSBUX02156oval:org.mitre.oval:def:118920051mozilla-table-rebuilding-code-execution(25985)MDKSA-2006:075MDKSA-2006:076MDKSA-2006:078ADV-2006-3748ADV-2006-374922065nsHTMLContentSink.cpp in Mozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors involving a "particular sequence of HTML tags" that leads to memory corruption.MDKSA-2006:075MDKSA-2006:076MDKSA-2006:07872921622oval:org.mitre.oval:def:1848 19696 19729 19780 20051 mozilla-nshtmlcontentsink-memory-corruption(25819)20060417 ZDI-06-009: Mozilla Firefox Tag Parsing Code Execution VulnerabilityRHSA-2006:0328VU#73693417516ADV-2006-135619631TA06-107ADSA-1044GLSA-200604-12MDKSA-2006:075MDKSA-2006:076MDKSA-2006:078197591979419821DSA-1046GLSA-200604-18USN-275-120060404-01-USUSE-SA:2006:022198111982319852198621986319902DSA-1051USN-276-11995019941FEDORA-2006-410FEDORA-2006-411SUSE-SA:2006:021USN-271-1197141972119746GLSA-200605-09HPSBTU02118RHSA-2006:0329RHSA-2006:0330FLSA:189137-1FLSA:189137-2HPSBUX02122SCOSA-2006.2621033102550ADV-2006-3391SQL injection vulnerability in army.php in supersmashbrothers (SSB) Army System 2.1.0 for Invision Power Board (IPB) allows remote attackers to execute arbitrary SQL commands via the userstat parameter in an army action to index.php.20060212 Invision Power Board Army System Mod <= 2.1 SQL Injection Exploit16606ADV-2006-056118840ipb-armysystem-sql-injection(24654)Multiple unspecified vulnerabilities in the (1) Filesystem in USErspace (FUSE) client and (2) NOOFS daemon in in Network Object Oriented File System (NOOFS) before 0.9.0 have unspecified impact and attack vectors.[fm-news] 20060204 Newsletter for Friday, February 03rd 20062305223053Niels Provos Honeyd before 1.5 replies to certain illegal IP packet fragments that other IP stack implementations would drop, which allows remote attackers to identify IP addresses that are being simulated using honeyd.20060212 honeyd security advisory: remote detection16595ADV-2006-055218867 honeyd-ipfrag-obtain-information(24728)Memory leak in Microsoft Internet Explorer 6 for Windows XP Service Pack 2 allows remote attackers to cause a denial of service (memory consumption) via JavaScript that uses setInterval to repeatedly call a function to set the value of window.status.20060214 memory leak in IE?23307ie-windowstatus-dos(24846)** DISPUTED ** dotProject 2.0.1 and earlier allows remote attackers to obtain sensitive information via direct requests with an invalid baseDir to certain PHP scripts in the db directory, which reveal the path in an error message. NOTE: the vendor disputes this issue, saying that it could only occur if the administrator ignores the installation instructions as well as warnings generated by check.php.20060214 dotproject <= 2.0.1 remote code execution20060215 Re: dotproject <= 2.0.1 remote code execution16648ADV-2006-06041887923206 dotproject-phpinfo-check-obtain-info(24745)** DISPUTED ** Multiple PHP remote file include vulnerabilities in dotProject 2.0.1 and earlier, when register_globals is enabled, allow remote attackers to execute arbitrary commands via the baseDir parameter in (1) db_adodb.php, (2) db_connect.php, (3) session.php, (4) vw_usr_roles.php, (5) calendar.php, (6) date_format.php, and (7) tasks/gantt.php; and the dPconfig[root_dir] parameter in (8) projects/gantt.php, (9) gantt2.php, and (10) vw_files.php. NOTE: the vendor disputes this issue, stating that the product documentation clearly recommends that the system administrator disable register_globals, and that the check.php script warns against this setting. Also, the vendor says that the protection.php/siteurl vector is incorrect because protection.php does not exist in the product.20060214 dotproject <= 2.0.1 remote code execution20060215 Re: dotproject <= 2.0.1 remote code execution16648ADV-2006-0604232092321223210232111887923213232142321523216232172321823219dotproject-multiple-basedir-file-include(24738)** DISPUTED ** dotProject 2.0.1 and earlier leaves (1) phpinfo.php and (2) check.php accessible under the /docs/ directory after installation, which allows remote attackers to obtain sensitive configuration information. NOTE: the vendor disputes this issue, saying that it could only occur if the administrator ignores the installation instructions as well as warnings generated by check.php.20060214 dotproject <= 2.0.1 remote code execution20060215 Re: dotproject <= 2.0.1 remote code execution16648ADV-2006-0604232072320818879 dotproject-phpinfo-check-obtain-info(24745)434Multiple eval injection vulnerabilities in HiveMail 1.3 and earlier allow remote attackers to execute arbitrary PHP code via (1) the contactgroupid parameter in addressbook.update.php, (2) the messageid parameter in addressbook.add.php, (3) the folderid parameter in folders.update.php, and possibly certain parameters in (4) calendar.event.php, (5) index.php, (6) pop.download.php, (7) read.bounce.php, (8) rules.block.php, (9) language.php, and (10) certain other scripts, as demonstrated by an addressbook.update.php request with a contactgroupid value of phpinfo() preceded by facilitators.20060210 HiveMail <= 1.3 Multiple Vulnerabilitieshivemail-multiple-file-include(24618)ADV-2006-05271659118807Multiple cross-site scripting (XSS) vulnerabilities in HiveMail 1.3 and earlier allow remote attackers to inject arbitrary web script or HTML via a URL encoded expression in the query string in (1) index.php and (2) possibly certain other scripts, which is not properly cleansed when accessed from the $_SERVER['PHP_SELF'] variable.20060210 HiveMail <= 1.3 Multiple Vulnerabilitieshivemail-index-xss(24622)ADV-2006-05271659118807Multiple SQL injection vulnerabilities in HiveMail 1.3 and earlier allow remote attackers to execute arbitrary SQL commands via (1) the contactgroupid parameter in addressbook.update.php, (2) the messageid parameter in addressbook.add.php, (3) the folderid parameter in folders.update.php, and possibly certain parameters in (4) calendar.event.php, (5) index.php, (6) pop.download.php, (7) read.bounce.php, (8) rules.block.php, (9) language.php, and (10) certain other scripts; and allow remote authenticated users to execute arbitrary SQL commands via (11) the folderid parameter in index.php and (12) possibly other parameters in certain other scripts, because $_SERVER['PHP_SELF'] is improperly handled.20060210 HiveMail <= 1.3 Multiple Vulnerabilitieshivemail-index-sql-injection(24623)ADV-2006-05271659118807422LightTPD 1.4.8 and earlier, when the web root is on a case-insensitive filesystem, allows remote attackers to bypass URL checks and obtain sensitive information via file extensions with unexpected capitalization, as demonstrated by a request for index.PHP when the configuration invokes the PHP interpreter only for ".php" names.ADV-2006-055018869 23229 lighttpd-ext-source-disclosure(24699)Buffer overflow in BlackBerry Attachment Service in Research in Motion (RIM) BlackBerry Enterprise Server 2.2 and 4.0 before SP3 Hotfix 4 for IBM Lotus Domino, 3.6 before SP7 and 5.0 before SP3 Hotfix 3 for Microsoft Exchangem, and 4.0 for Novell GroupWise before SP3 Hotfix 1 might allow user-assisted remote attackers to execute arbitrary code on the server via a crafted Microsoft Word document that is opened on a wireless device.20060210 Corrupt Word file may cause buffer overflow in the Blackberry Attachment Service16590ADV-2006-0530blackberry-attachment-word-bo(24629)WinAbility Folder Guard 4.11 allows local users to gain unauthorized access to certain capabilities of the application by renaming or moving the password file (FGuard.FGP), which disables the password requirement.20060213 Folder Guard password protection bypass20060213 Re: Folder Guard password protection bypass folderguard-fguard-bypass-authentication(24725)Cross-site scripting (XSS) vulnerability in dowebmailforward.cgi in cPanel allows remote attackers to inject arbitrary web script or HTML via a URL encoded value in the fwd parameter.20060207 Re: cPanel Multiple Cross Site Scripting Vulnerability22971 cpanel-dowebmailforward-xss(24839)The Authentication, Authorization, and Accounting (AAA) capability in versions 5.0(1) and 5.0(3) of the software used by multiple Cisco Anomaly Detection and Mitigation products, when running with an incomplete TACACS+ configuration without a "tacacs-server host" command, allows remote attackers to bypass authentication and gain privileges, aka Bug ID CSCsd21455.20060215 TACACS+ Authentication Bypass in Cisco Anomaly Detection and Mitigation Products16661ADV-2006-0612cisco-tacacs-auth-bypass(24689)1015637101563818904 23237435GUI display truncation vulnerability in ICQ Inc. (formerly Mirabilis) ICQ 2003a, 2003b, Lite 4.0, Lite 4.1, and possibly other Windows versions allows user-assisted remote attackers to hide malicious file extensions, bypass Windows security warnings via a filename that is all uppercase and of a specific length, which truncates the malicious extension from the display and could trick a user into executing arbitrary programs.20060215 Mirabiliz ICQ 2002/2003/ LITE 4.0/4.1 LONG (DIRECTORY + FILENAME) EXPLOIT16655ICQ Inc. (formerly Mirabilis) ICQ 2003a, 2003b, Lite 4.0, Lite 4.1, and possibly other Windows versions allows user-assisted remote attackers to hide malicious file extensions and bypass Windows security warnings via a filename that ends in an assumed-safe extension such as JPG, and possibly containing other modified properties such as company name, icon, and description, which could trick a user into executing arbitrary programs.20060215 Mirabiliz ICQ 2002/2003/ LITE 4.0/4.1 LONG (DIRECTORY + FILENAME) EXPLOIT16655CGIWrap before 3.10 allows remote attackers to obtain sensitive information via unknown attack vectors that cause errors in scripts that reveal system information.ADV-2006-060118797cgiwrap-error-information-disclosure(24717)16669Kadu 0.4.3 allows remote attackers to cause a denial of service (application crash) via a large number of image send requests.20060215 Kadu Remote Denial Of Service Fun1882420060215 Kadu Remote Denial Of Service FunADV-2006-0609kadu-image-request-dos(24720)Unspecified vulnerability in in.rexecd in Solaris 10 allows local users to gain privileges on Kerberos systems via unknown attack vectors.10218618891ADV-2006-0608101563516658oval:org.mitre.oval:def:1580 Q-126 solaris-kerberos-command-execution(24680)Cross-site scripting (XSS) vulnerability in calendar.php in MyBulletinBoard (MyBB) 1.0.4 allows remote attackers to inject arbitrary web script or HTML via a URL that is not sanitized before being retured as a link in "advanced details". NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.ADV-2006-06351886623264mybb-advanceddetails-xss(24748)Format string vulnerability in PunkBuster 1.180 and earlier, as used by Soldier of Fortune II and possibly other games, allows remote attackers to cause a denial of service (server crash) and possibly execute arbitrary code via format string specifiers in invalid cvar values, which are not properly handled when the server kicks the player and records the reason.18917FULLDISC:20060216 Soldier of Fortune II format string through PunkBuster 1.1801670320060216 Soldier of Fortune II format string through PunkBuster 1.180punkbuster-cvars-format-string(24792)448SQL injection vulnerability in Hitachi Business Logic - Container 02-03 through 03-00-/B on Windows, and 03-00 through 03-00-/B on Linux, allows remote attackers to execute arbitrary SQL commands via unspecified vectors in the extended receiving box function.ADV-2006-05321881723099hitachi-businesslogic-input-sql-injection(23877)16602hitachi-businesslogic-recbox-sql-injection(24621)Cross-site scripting (XSS) vulnerability in Hitachi Business Logic - Container 02-03 through 03-00-/B on Windows, and 03-00 through 03-00-/B on Linux, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors in the extended receiving box function.ADV-2006-05321881716602hitachi-businesslogic-recbox-xss(24620)SQL injection vulnerability in deleteSession() in DB_eSession library 1.0.2 and earlier, as used in multiple products, allows remote attackers to execute arbitrary SQL commands via the $_sess_id_set variable, which is usually derived from PHPSESSID.20060211 DB_eSession deleteSession() SQL injection16598ADV-2006-05282310418805 20060501 Re: DB_eSession deleteSession() SQL injection dbesession-deletesession-sql-injection(24673)Multiple SQL injection vulnerabilities in show.php in BirthSys 3.1 allow remote attackers to execute arbitrary SQL commands via the $month variable. NOTE: a vector regarding the $date parameter and data.php (date.php) was originally reported, but this appears to be in error.[VIM] 20060215 EV0074 BirthSys 3.1 SQL injection (fwd)birthsys-show-date-sql-injection(24617)16684ADV-2006-06212318518893467Cross-site scripting (XSS) vulnerability in guestex.pl in Teca Scripts Guestex 1.0 allows remote attackers to inject arbitrary web script or HTML via the url parameter.23182guestex-script-xss(24644)16711ADV-2006-06401892720060224 [eVuln] Guestex XSS Vulnerability1015678490Unspecified vulnerability in guestex.pl in Teca Scripts Guestex 1.0 allows remote attackers to execute arbitrary shell commands via the email parameter, possibly involving shell metacharacters.23183guestex-script-execute-code(24645)16711ADV-2006-06401892720060224 [eVuln] Guestex Shell Command Execution Vulnerability489Multiple SQL injection vulnerabilities in XMB Forums 1.9.3 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) $u2u_select array parameter to u2u.inc.php and (2) $val variable (fidpw0 cookie value) in today.php.20060212 XMB Forums Multiple VulnerabilitiesADV-2006-052923117231181882116604 xmbforum-multiple-sql-injection(24646)Cross-site scripting (XSS) vulnerability in u2u.php in XMB Forums 1.9.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the username parameter, as demonstrated using a URL-encoded iframe tag.20060212 XMB Forums Multiple VulnerabilitiesADV-2006-05292311916604 xmbforum-u2u-xss(24647)Multiple cross-site scripting (XSS) vulnerabilities in weblog.pl in PerlBlog 1.09b and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) name and (2) email parameters.perlblog-weblog-xss(24691)167071892420060227 [eVuln] PerlBlog Multiple Vulnerabilities508Directory traversal vulnerability in weblog.pl in PerlBlog 1.09b and earlier allows remote attackers to read certain files via the month parameter.perlblog-weblog-directory-traversal(24690)167071892420060227 [eVuln] PerlBlog Multiple Vulnerabilities508Unspecified vulnerability in weblog.pl in PerlBlog 1.09b and earlier allows remote attackers to create arbitrary files and possibly execute arbitrary code via unspecified attack vectors related to improper handling of (1) the reply parameter, possibly involving injection of (2) the name parameter and (3) the body parameter.perlblog-weblog-command-execution(24692)167071892420060227 [eVuln] PerlBlog Multiple Vulnerabilities508Cross-site scripting (XSS) vulnerability in page.php in in Siteframe Beaumont, possibly 5.0.2 or 5.0.1a, allows remote attackers to inject arbitrary web script or HTML via the comment_text parameter to the user comment page (/edit/Comment).20060216 Siteframe Beaumont 5.0.2 <== User Comment Cross-Site Scripting Vulnerability166952326718892 siteframe-comment-xss(24836)443D-Link DWL-G700AP with firmware 2.00 and 2.01 allows remote attackers to cause a denial of service (CAMEO HTTP service crash) via a request composed of "GET" followed by a space and two newlines, possibly triggering the crash due to missing arguments.20060216 D-Link DWL-G700AP httpd DoS16690ADV-2006-063718932dlink-admin-interface-dos(24762)441Absolute path traversal vulnerability in include.php in PHPKIT 1.6.1 Release 2 and earlier allows remote attackers to include and execute arbitrary local files via a direct request with a path parameter with a null character and beginning with (1) '/' (slash) for an absolute pathname or (2) a drive letter (such as "C:"), which bypasses checks for ".." sequences and trailing ".php" extensions.20060216 PHPKIT >= 1.6.1r2 arbitrary local/remote inclusion (unproperly patched in previous versions)1015640Incomplete blacklist vulnerability in include.php in PHPKIT 1.6.1 Release 2 and earlier, with allow_url_fopen enabled, allows remote attackers to conduct PHP remote file include attacks via a path parameter that specifies a (1) UNC share or (2) ftps URL, which bypasses the check for "http://", "ftp://", and "https://" URLs.20060216 PHPKIT >= 1.6.1r2 arbitrary local/remote inclusion (unproperly patched in previous versions)1015640445wimpy_trackplays.php in Plaino Wimpy MP3 Player, possibly 5.2 and earlier, allows remote attackers to insert arbitrary strings into trackme.txt via the (1) trackFile, (2) trackArtist, and (3) trackTitle parameters, which can result in providing false information about songs, occupying excessive disk space with very long parameter values, and storing executable code that might be invoked through a different vulnerability. NOTE: since this issue, as described by the original researcher, is entirely dependent on the presence of another vulnerability, it could be argued that Wimpy cannot be responsible for how its data file is processed by applications outside of its control. Since this issue might only be useful as a facilitator manipulation in another vulnerability, perhaps it should not be included in CVE.1669618900 wimpy-wimpytrackplays-no-auth(24770)Kyocera 3830 (aka FS-3830N) printers have a back door that allows remote attackers to read and alter configuration settings via strings that begin with "!R!SIOP0", as demonstrated using (1) a connection to to TCP port 9100 or (2) the UNIX lp command.16685ADV-2006-06201889620060215 Kyocera Network Printers23245 kyocera-fs3830n-no-auth(24772)Certain unspecified Kyocera printers have a default "admin" account with a blank password, which allows remote attackers to access an administrative menu via a telnet session.ADV-2006-06201889620060215 Kyocera Network Printers23246 kyocera-fs3830n-blank-password(24774)Rockliffe MailSite 7.0 and earlier allows remote attackers to cause a denial of service by sending crafted LDAP packets to port 389/TCP, as demonstrated by the ProtoVer LDAP testsuite.[Dailydave] 20060214 MailSite (WorldMail) fun16675ADV-2006-059818888mailsite-ldap-dos(24686)PHP remote file inclusion vulnerability in index.php in DreamCost HostAdmin allows remote attackers to include arbitrary files via the $path variable, which is not initialized before use.16682ADV-2006-06181890120060215 HostAdmin - Remote Command Execution Vulnerabilityhostadmin-path-file-include(24723)2324120060215 HostAdmin - Remote Command Execution Vulnerability1016273 20060605 [MajorSecurity #9]HostAdmin <= 3.1 - Remote File Include VulnerabilityCross-site scripting (XSS) vulnerability in preferences.personal.php in V-webmail 1.6.2 allows remote attackers to inject abitrary web script or HTML via the newid parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.ADV-2006-06391877616706vwebmail-preferencespersonal-xss(24749)23260frameset.php in V-webmail 1.6.2 allows remote attackers to conduct phishing attacks by referencing arbitrary websites in the rframe parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.ADV-2006-06391877616706vwebmail-frameset-spoofing(24753)23261help.php in V-webmail 1.6.2 allows remote attackers to obtain the installation path via unspecified invalid parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.ADV-2006-063918776vwebmail-help-path-disclosure(24754)23262Absolute path traversal vulnerability in convert.cgi in Quirex 2.0.2 and earlier allows remote attackers to read arbitrary files, and possibly execute arbitrary code, via the (1) quiz_head, (2) quiz_foot, and (3) template variables.1892616709ADV-2006-064120060226 [eVuln] Quirex Arbitrary File Disclosure Vulnerability quirex-convert-information-disclosure(24672)Cross-site scripting (XSS) vulnerability in default.php in Clever Copy 3.0 allows remote attackers to inject arbitrary web script or HTML via the Subject field when sending private messages (privatemessages.php). NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.16681ADV-2006-06162323518873clevercopy-subject-xss(24747)Nokia N70 cell phone allows remote attackers to caues a denial of service (reboot or shutdown) through a wireless Bluetooth connection via a malformed Logical Link Control and Adaptation Protocol (L2CAP) packet whose length field is less than the actual length of the packet, possibly triggering a buffer overflow, as demonstrated using the Bluetooth Stack Smasher (BSS).20060215 [ Secuobs - Advisory ] Another kind of DoS on Nokia cell phones16666ADV-2006-053823061nokia-bluetooth-l2cap-dos(24688)18724Multiple directory traversal vulnerabilities in the IMAP service in Macallan Mail Solution before 4.8.05.004 allow remote authenticated users to read e-mails of other users or create, modify, or delete directories via a .. (dot dot) in the argument to the (1) CREATE, (2) SELECT, (3) DELETE, or (4) RENAME commands.1670418775ADV-2006-0644232691015647macallan-imap-directory-traversal(24761)Microsoft Internet Explorer allows remote attackers to spoof a legitimate URL in the status bar and conduct a phishing attack via a web page with an anchor element with a legitimate "href" attribute, a form whose action points to a malicious URL, and an INPUT submit element that is modified to look like a legitimate URL. NOTE: this issue is very similar to CVE-2004-1104, although the manipulations are slightly different.20060216 Internet Explorer Phishing mouseover issue20060218 Re: Internet Explorer Phishing mouseover issue20060223 Re: Internet Explorer Phishing mouseover issue23609ie-ahref-status-spoofing(17938)Interpretation conflict in PostNuke 0.761 and earlier allows remote attackers to conduct cross-site scripting (XSS) attacks via HTML tags with a trailing "<" character, which is interpreted as a ">" character by some web browsers but bypasses the blacklist protection in (1) the pnVarCleanFromInput function in pnAPI.php, (2) the pnSecureInput function in pnAntiCracker.php, and (3) the htmltext parameter in an edituser operation to user.php.20060219 Multiple vulnerabilities in PostNuke <= 0.76116752ADV-2006-067318937postnuke-user-nslanguages-xss(24823)SQL injection vulnerability in the NS-Languages module for PostNuke 0.761 and earlier, when magic_quotes_gpc is off, allows remote attackers to execute arbitrary SQL commands via the language parameter to admin.php.20060219 Multiple vulnerabilities in PostNuke <= 0.76116752ADV-2006-067318937postnuke-nslanguages-sql-injection(24827)Cross-site scripting (XSS) vulnerability in the NS-Languages module for PostNuke 0.761 and earlier, when magic_quotes_gpc is enabled, allows remote attackers to inject arbitrary web script or HTML via the language parameter in a missing or translation operation.20060219 Multiple vulnerabilities in PostNuke <= 0.76116752ADV-2006-067318937postnuke-user-nslanguages-xss(24823)The signature verification functionality in the YaST Online Update (YOU) script handling relies on a gpg feature that is not intended for signature verification, which prevents YOU from detecting malicious scripts or code that do not pass the signature check when gpg 1.4.x is being used.SUSE-SA:2006:00916889SUSE-SA:2006:013Off-by-one error in TIN 1.8.0 and earlier might allow attackers to execute arbitrary code via unknown vectors that trigger a buffer overflow.OpenPKG-SA-2006.00516728ADV-2006-0702SUSE-SR:2006:00519130GLSA-200611-18 tin-offbyone-bo(24841)The CAPTCHA functionality in php-Nuke 6.0 through 7.9 uses fixed challenge/response pairs that only vary once per day based on the User Agent (HTTP_USER_AGENT), which allows remote attackers to bypass CAPTCHA controls by fixing the User Agent, performing a valid challenge/response, then replaying that pair in the random_num and gfx_check parameters.20060218 [waraxe-2006-SA#045] - Bypassing CAPTCHA in phpNuke 6.x-7.91672218936455Multiple cross-site scripting (XSS) vulnerabilities in ADOdb 4.71, as used in multiple packages such as phpESP, allow remote attackers to inject arbitrary web script or HTML via (1) the next_page parameter in adodb-pager.inc.php and (2) other unspecified vectors related to PHP_SELF.20060218 ADOdb Library Cross Site Scripting16720ADV-2006-06641892823362DSA-1029DSA-1030DSA-1031195551959019591GLSA-200604-07ADV-2006-2021 19691452Stack-based buffer overflow in NJStar Chinese and Japanese Word Processor 4.x and 5.x before 5.10 allows user-assisted attackers to execute arbitrary code via font names in NJStar (.njx) documents.20060220 Secunia Research: NJStar Word Processor Font Name Buffer OverflowADV-2006-06701870216737233541015649njstar-font-name-bo(24773)461MUTE 0.4 allows remote attackers to cause a denial of service (messages not forwarded) and obtain sensitive information about a target by filling a client's mWebCache cache with malicious "zombie" nodes.2333618980 mute-mwebcache-security-bypass(24931)Multiple SQL injection vulnerabilities in Skate Board 0.9 allow remote attackers to execute arbitrary SQL commands via the (1) usern parameter in (a) sendpass.php, and the (2) usern and (3) passwd parameters and (4) sf_cookie cookie in (b) login.php and (c) logged.php.2330123302233031897820060303 [eVuln] Skate Board Multimple Vulnerabilities16936skateboard-sendpass-sql-injection(24778) skateboard-authentication-bypass(24779)540Unspecified vulnerability in config.php in Skate Board 0.9 allows remote authenticated administrators to execute arbitrary PHP code by causing certain variables in config.php to be modified, possibly due to XSS or direct static code injection.233041897820060303 [eVuln] Skate Board Multimple Vulnerabilities16936skateboard-config-file-include(24780)540Cross-site scripting (XSS) vulnerability in reguser.php in Skate Board 0.9 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters involved with the registration form.233051897820060303 [eVuln] Skate Board Multimple Vulnerabilities16936skateboard-registration-xss(24781)540The VisNetic AntiVirus Plug-in (DKAVUpSch.exe) for Mail Server 4.6.0.4, 4.6.1.1, and possibly other versions before 4.6.1.2, does not drop privileges before executing other programs, which allows local users to gain privileges.ADV-2006-07011658320060223 Secunia Research: Visnetic AntiVirus Plug-in for MailServerPrivilege Escalation167881015670 visnetic-av-plugin-privilege-elevation(24928)Heap-based buffer overflow in WinACE 2.60 allows user-assisted attackers to execute arbitrary code via a large header block in an ARJ archive.16786ADV-2006-07091725120060223 Secunia Research: WinACE ARJ Archive Handling Buffer Overflow233831015672winace-arj-header-bo(24872)479response.c in Lighttpd 1.4.10 and possibly previous versions, when run on Windows, allows remote attackers to read arbitrary source code via requests that contain trailing (1) "." (dot) and (2) space characters, which are ignored by Windows, as demonstrated by PHP files.20060301 Secunia Research: Lighttpd Script Source Disclosure VulnerabilityADV-2006-07822354218886lighttpd-source-code-disclosure(24976)168931015703523NetworkActiv Web Server 3.5.15 allows remote attackers to read script source code via a crafted URL with a "/" (forward slash) after the file extension.20060301 Secunia Research: NetworkActiv Web Server Script Source DisclosureVulnerabilityADV-2006-078318947networkactiv-script-source-disclosure(24979)16895Orion Application Server before 2.0.7, when running on Windows, allows remote attackers to obtain the source code of JSP files via (1) . (dot) and (2) space characters in the extension of a URL.Update to version 2.0.7 or contact the vendor for a patch.ADV-2006-10551895020060323 Secunia Research: Orion Application Server JSP Source DisclosureVulnerability17204240531015823orion-jsp-source-disclosure(25405)20060323 Secunia Research: Orion Application Server JSP Source Disclosure VulnerabilityAbsolute path directory traversal vulnerability in (a) MERAK Mail Server for Windows 8.3.8r with before IceWarp Web Mail 5.6.1 and (b) VisNetic MailServer before 8.5.0.5 allows remote attackers to include arbitrary files via a full Windows path and drive letter in the (1) language parameter in accounts/inc/include.php and (2) lang_settings parameter in admin/inc/include.php, which is not properly sanitized by the securepath function, a related issue to CVE-2005-4556.19002ADV-2006-2825189531896620060717 Secunia Research: IceWarp Web Mail Two File InclusionVulnerabilities20060717 Secunia Research: VisNetic Mail Server Two File InclusionVulnerabilities10165131016514visnetic-include-file-include(27773)27328Absolute path directory traversal vulnerability in (1) MERAK Mail Server for Windows 8.3.8r with before IceWarp Web Mail 5.6.1 and (2) VisNetic MailServer before 8.5.0.5 allows remote authenticated users to include arbitrary files via a modified language parameter and a full Windows or UNC pathname in the lang_settings parameter to mail/index.html, which is not properly sanitized by the validatefolder PHP function, possibly due to an incomplete fix for CVE-2005-4558.19002ADV-2006-2825189531896620060717 Secunia Research: IceWarp Web Mail Two File InclusionVulnerabilities20060717 Secunia Research: VisNetic Mail Server Two File InclusionVulnerabilities10165131016514visnetic-language-file-include(27780)Dwarf HTTP Server 1.3.2 allows remote attackers to obtain the source code of JSP files via (1) dot, (2) space, (3) slash, or (4) NULL characters in the filename extension of an HTTP request.20060313 Secunia Research: Dwarf HTTP Server Source Disclosure andCross-Site ScriptingDwarf HTTP Server Source Disclosure and Cross-Site ScriptingADV-2006-09371896217123238361015779dwarfhttp-extension-information-disclosure(25178)576Cross-site scripting (XSS) vulnerability in Dwarf HTTP Server 1.3.2 allows remote attackers to inject arbitrary web script or HTML via unspecified error messages.20060313 Secunia Research: Dwarf HTTP Server Source Disclosure andCross-Site ScriptingDwarf HTTP Server Source Disclosure and Cross-Site ScriptingADV-2006-09371896217123238371015779dwarfhttp-url-xss(25179)SQL injection vulnerability in index.php in BXCP 0.299 allows remote attackers to execute arbitrary SQL commands via the tid parameter.ADV-2006-066018929bxcp-tid-sql-injection(24783) 1513Unspecified vulnerability in EmuLinker Kaillera Server before 0.99.17 allows remote attackers to cause a denial of service (probably resource consumption) via a crafted packet that causes a "ghost game" to be left on the server.ADV-2006-06651893816733 emulinker-packet-handling-dos(24784)Multiple SQL injection vulnerabilities in Geeklog 1.4.0 before 1.4.0sr1 and 1.3.11 before 1.3.11sr4 allow remote attackers to inject arbitrary SQL commands via the (1) userid variable to users.php or (2) sessid variable to lib-sessions.php.ADV-2006-06611892020060219 Geeklog Remote Code Execution23348geeklog-users-sessions-sql-injection(24775)16755Multiple unspecified vulnerabilities in lib-common.php in Geeklog 1.4.0 before 1.4.0sr1 and 1.3.11 before 1.3.11sr4 allow remote attackers to include arbitrary local files and execute arbitrary code via (1) absolute paths in unspecified parameters and (2) the language cookie, as demonstrated for code execution using error.log.ADV-2006-06611892020060219 Geeklog Remote Code Execution2334916755Multiple unspecified vulnerabilities in ESS/ Network Controller and MicroServer Web Server in Xerox WorkCentre Pro and Xerox WorkCentre running software 13.027.24.015 and 14.027.24.015 allow remote attackers to bypass authentication or gain "unauthorized network access" via unknown attack vectors.ADV-2006-06681895216726233591015648xerox-workcentre-auth-bypass(24804)Unspecified vulnerability in ESS/ Network Controller and MicroServer Web Server in Xerox WorkCentre Pro and Xerox WorkCentre running software 13.027.24.015 and 14.027.24.015 allows remote attackers to cause a denial of service via a crafted Postscript request.ADV-2006-066818952167231015648xerox-workcentre-postscript-dos(24805)Cross-site scripting vulnerability in ESS/ Network Controller and MicroServer Web Server in Xerox WorkCentre Pro and Xerox WorkCentre running software 13.027.24.015 and 14.027.24.015 allows remote attackers to inject arbitrary web script or HTML via unknown attack vectors.ADV-2006-06681895216727xerox-workcentre-xss(24806)Unspecified vulnerability in ESS/ Network Controller and MicroServer Web Server in Xerox WorkCentre Pro and Xerox WorkCentre running software 13.027.24.015 and 14.027.24.015 allows remote attackers to "reduce effectiveness of security features" via unknown attack vectors.ADV-2006-0668189521015648Cross-site scripting vulnerability in E-Blah Platinum 9.7 allows remote attackers to inject arbitrary web script or HTML via the referer (HTTP_REFERER), which is not sanitized when the log file is viewed by the administrator using "Click Log".16713ADV-2006-0638232991899220060302 [eVuln] E-Blah Platinum 'Referer' XSS Vulnerabilityeblah-httpreferer-xss(24777)528The scripting engine in Internet Explorer allows remote attackers to cause a denial of service (resource consumption) and possibly execute arbitrary code via a web page that contains a recurrent call to an infinite loop in Javascript or VBscript, which consumes the stack, as demonstrated by resetting the "location" variable within the loop.20060216 Stack overflow vulnerability in Internet Explorer exploitable trough VBScript and JScript scripting engines.20060218 Re: Stack overflow vulnerability in Internet Explorer exploitable trough VBScript and JScript scripting engines. 16687 ie-script-engine-stack-dos(24788)PHP remote file include vulnerability in index.php in Tasarim Rehberi allows remote attackers to execute arbitrary PHP code via a URL in the (1) sayfaadi or (2) sayfa parameter. NOTE: this might be a site-specific issue. If so, it should not be included in CVE.20060218 Tasarim Rehberi Index.PHP Remote Command ExucetionMultiple SQL injection vulnerabilities in admin.asp in WPC.easy allow remote attackers to execute arbitrary SQL commands via the (1) uid and (2) pwd parameter.20060218 SLQ Injection vulnerability in WPCeasyADV-2006-06621894516721456Multiple cross-site scripting (XSS) vulnerabilities in Barracuda Directory 1.1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors to the (1) Add URL and (2) Suggest Category module. NOTE: the provenance of this information is unknown; portions of the details are obtained from third party information.ADV-2006-0674189651674623372barracuda-multiple-xss(24807)Uniden UIP1868P VoIP Telephone and Router has a default password of admin for the web-based configuration utility, which allows remote attackers to obtain sensitive information on the device such as telephone numbers called, and possibly connect to other hosts. NOTE: it is possible that this password was configured by a reseller, not the original vendor; if so, then this is not a vulnerability in the product.20060216 Uniden UIP1868P (VoIP phone/gateway) default easy-to-guess password vulnerability uniden-uip1868p-default-account(24786)SQL injection vulnerability in dropbase.php in MitriDAT Web Calendar Pro allows remote attackers to modify internal SQL queries and cause a denial of service (inaccessible database) via the tabls parameter.20060215 Web Calendar Pro - Denial of Service SQL Injection Vulnerabilitywebcalendarpro-dropbase-sql-injection(24729)16789ADV-2006-070018902Mozilla Thunderbird 1.5 allows user-assisted attackers to cause an unspecified denial of service by tricking the user into importing an LDIF file with a long field into the address book, as demonstrated by a long homePhone field.20060217 Mozila Thunderbird 1.5 Address Book DoS1671620060221 Mozila Thunderbird 1.5 Address Book DoS thunderbird-address-book-dos(24810)469IBM Tivoli Micromuse Netcool/NeuSecure 3.0.236 has world-readable permissions for (1) /etc/neusecure.conf, (2) /opt/NeuSecure/etc/cms-3.0.236.buildconf, and (3) /opt/NeuSecure/bin/ns_archiver.log, which allows local users to read sensitive information such as passwords. NOTE: IBM has privately confirmed to CVE that a fix is available for these issues.20060216 Password disclosure and remote access in Netcool/NeuSecure Security information management platform20060216 Password disclosure and remote access in Netcool/NeuSecure Security information management platform1670010156421892223270232711669323914 netcool-neosecure-config-weak-permission(24785)IBM Tivoli Micromuse Netcool/NeuSecure 3.0.236 stores cleartext passwords in the (1) CMS_DBPASS, (2) CMSM_DBPASS, and (3) RPT_DBPASS fields in /etc/neusecure.conf, and in (4) /opt/NeuSecure/bin/ns_archiver.log, which allows local users to gain privileges. NOTE: IBM has privately confirmed to CVE that a fix is available for these issues.20060216 Password disclosure and remote access in Netcool/NeuSecure Security information management platform20060216 Password disclosure and remote access in Netcool/NeuSecure Security information management platform16698101564218922232702327116693 netcool-neosecure-config-weak-permission(24785) netcool-neosecure-plaintext-password(24787)The frag3 preprocessor in Sourcefire Snort 2.4.3 does not properly reassemble certain fragmented packets with IP options, which allows remote attackers to evade detection of certain attacks, possibly related to IP option lengths.20060217 SNORT Incorrect fragmented packet reassembly1670518959 snort-frag3-detection-bypass(24811)manage_user_page.php in Mantis 1.00rc4 and earlier does not properly handle a sort parameter containing a ' (quote) character, which allows remote attackers to trigger a SQL error that may be repeatedly reported to a user who makes subsequent web accesses with the MANTIS_MANAGE_COOKIE cookie. NOTE: this issue might be the same as vector 2 in CVE-2005-4519.20060215 [BuHa-Security] Multiple Vulnerabilities in Mantis 1.00rc416657 mantis-manageuserpagesql-injection(24726)Multiple cross-site scripting (XSS) vulnerabilities in Mantis 1.00rc4 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) hide_status, (2) handler_id, (3) user_monitor, (4) reporter_id, (5) view_type, (6) show_severity, (7) show_category, (8) show_status, (9) show_resolution, (10) show_build, (11) show_profile, (12) show_priority, (13) highlight_changed, (14) relationship_type, and (15) relationship_bug parameters in (a) view_all_set.php; the (16) sort parameter in (b) manage_user_page.php; the (17) view_type parameter in (c) view_filters_page.php; and the (18) title parameter in (d) proj_doc_delete.php. NOTE: item 17 might be subsumed by CVE-2005-4522.20060215 [BuHa-Security] Multiple Vulnerabilities in Mantis 1.00rc42324822487DSA-11332140016657Cross-site scripting (XSS) vulnerability in Calacode @Mail 4.3 allows remote attackers to inject arbitrary web script or HTML via a modified javascript: string in the SRC attribute of an IMG element in an e-mail message, as demonstrated by "java script:." NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.Successful exploitation of this issue requires a victim user has @Mail configured to display images in email messages.16683ADV-2006-06172323618874@mail-html-image-xss(24742)Leif M. Wright's Blog 3.5 stores the config file and other txt files under the web root with insufficient access control, which allows remote attackers to read the administrator's password.1671218923 webblog-txt-obtain-information(24752)522Leif M. Wright's Blog 3.5 does not make a password comparison when authenticating an administrator via a cookie, which allows remote attackers to bypass login authentication, probably by setting the blogAdmin cookie.1671418923 webblog-cookie-auth-bypass(24755)522Leif M. Wright's Blog 3.5 allows remote authenticated users with administrative privileges to execute arbitrary programs, including shell commands, by configuring the sendmail path to a malicious pathname.18923 webblog-sendmail-command-execution(24757)522Multiple cross-site scripting (XSS) vulnerabilities in Leif M. Wright's Blog 3.5 allow remote attackers to inject arbitrary web script or HTML via the (1) Referer and (2) User-Agent HTTP headers, which are stored in a log file and not sanitized when the administrator views the "Log" page, possibly using the ViewCommentsLog function.1671518923 webblog-headers-xss(24758)522Directory traversal vulnerability in the staticfilter component in CherryPy before 2.1.1 allows remote attackers to read arbitrary files via ".." sequences in unspecified vectors.16760ADV-2006-0677cherrypy-staticfilter-directory-traversal(24809)18944GLSA-200605-1620344The "Open 'safe' files after downloading" option in Safari on Apple Mac OS X allows remote user-assisted attackers to execute arbitrary commands by tricking a user into downloading a __MACOSX folder that contains metadata (resource fork) that invokes the Terminal, which automatically interprets the script using bash, as demonstrated using a ZIP file that contains a script with a safe file extension.TA06-053AVU#99970816736ADV-2006-0671189631015652macosx-zip-command-execution(24808)23510TA06-062ASQL injection vulnerability in include/includes/user/login.php in ilchClan before 1.05g allows remote attackers to execute arbitrary SQL commands via the login_name parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.ADV-2006-06761895123370ilchclan-login-sql-injection(24830)SQL injection vulnerability in the forum module of ilchClan 1.05g and earlier allows remote attackers to execute arbitrary SQL commands via the pid parameter, when creating a newpost.ADV-2006-0672189511673523369ilchclan-index-sql-injection(24829) 1516Direct static code injection vulnerability in write.php in Admbook 1.2.2 and earlier allows remote attackers to execute arbitrary PHP code via the X-Forwarded-For HTTP header field, which is inserted into content-data.php.ADV-2006-066318930admbook-index-command-execution(24771)16753 1512Buffer overflow in the IMAP service of TrueNorth Internet Anywhere (IA) eMailserver 5.3.4 allows remote authenticated users to cause a denial of service (crash) and possibly execute arbitrary code via a long SEARCH argument.20060220 [AJECT] TrueNorth IA eMailserver 5.3.4 buffer overflow vulnerability16744ADV-2006-068623377101566418986ia-emailserver-imap-bo(24812)PHP remote file inclusion vulnerability in common.php in Intensive Point iUser Ecommerce allows remote attackers to include arbitrary files via a URL in the include_path variable, which is not initialized before being used.20060215 iUser Ecommerce - Remote Command Execution Vulnerabilityiuser-ecommerce-file-include(24724)ADV-2006-0699189031678723429Stack-based buffer overflow in the fullpath function in misc.c for zoo 2.10 and earlier, as used in products such as Barracuda Spam Firewall, allows user-assisted attackers to execute arbitrary code via a crafted ZOO file that causes the combine function to return a longer string than expected.20060223 zoo contains exploitable buffer overflows16790ADV-2006-0705101566819002GLSA-200603-05SUSE-SR:2006:0051913019148DSA-99119166SUSE-SR:2006:0061940820060403 Barracuda ZOO archiver security bug leads to remote compromiseADV-2006-1220101586619514 zoo-misc-bo(24904)546SQL injection vulnerability in login.php in Scriptme SmE GB Host 1.21 allows remote attackers to execute arbitrary SQL commands and bypass authentication via the Username parameter.20060216 [eVuln] SmE GB Host Authentication Bypass Vulnerability1660918823 ADV-2006-0543 smegbhost-login-sql-injection(24544)Cross-site scripting (XSS) vulnerability in Chatbox Plugin 1.0 in e107 0.7.2 allows remote attackers to inject arbitrary HTML or web script via a Chatbox, as demonstrated using a SCRIPT element.20060218 e107 CMS 0.7.2 Chatbox plugin XSS vulnerability16719 e107-chatbox-xss(24815)Unquoted Windows search path vulnerability in (1) snsmcon.exe, (2) the autostartup mechanism, and (3) an unspecified installation component in StarForce Safe'n'Sec Personal + Anti-Spyware 2.0 and earlier, and possibly other StarForce Safe'n'Sec products, might allow local users to gain privileges via a malicious "program" file in the C: folder.20060219 [TZO-062006] Safe'nVulnerable16762Michael Salzer Guestbox 0.6, and other versions before 0.8, allows remote attackers to post an admin comment to a guestbook entry via a certain modified form, possibly related to the nummer parameter.20060220 Guestbox XSS/an admin bypass20060302 Re: Guestbox XSS/an admin bypassADV-2006-06751894623374 guestbox-admin-access(24797)Multiple cross-site scripting (XSS) vulnerabilities in Michael Salzer Guestbox 0.6, and other versions before 0.8, allow remote attackers to inject arbitrary web script or HTML via (1) HTML tags that follow a "http://" string, which bypasses a regular expression check, and (2) other unspecified attack vectors.20060220 Guestbox XSS/an admin bypass20060302 Re: Guestbox XSS/an admin bypass16751ADV-2006-06751894623375guestbox-gbshow-xss(24798)Michael Salzer Guestbox 0.6, and other versoins before 0.8, allows remote attackers to obtain the source IP addresses of guestbook entries via a direct request to /gb/gblog.20060220 Guestbox XSS/an admin bypass23376guestbox-gblog-obtain-information(24799)20060302 Re: Guestbox XSS/an admin bypassADV-2006-067518946460Unspecified vulnerability in InfoVista PortalSE 2.0 Build 20087 on Solaris 8 without the IV00038969 hotfix allows remote attackers to read arbitrary files via a crafted URL.20060222 IRM 017: Multiple Vulnerabilities in Infovista Portal SE16776ADV-2006-0695189941015669 vistaportal-parameter-directory-traversal(24893)InfoVista PortalSE 2.0 Build 20087 on Solaris 8 allows remote attackers to obtain sensitive information by specifying a nonexistent server in the server field, which reveals the path in an error message.20060222 IRM 017: Multiple Vulnerabilities in Infovista Portal SE16776ADV-2006-0695189941015669 vistaportal-server-path-disclosure(24894)473filescan in Global Hauri ViRobot 2.0 20050817 does not verify the Cookie HTTP header, which allows remote attackers to gain administrative privileges via an arbitrary cookie value.20060222 [INetCop Security Advisory] Global Hauri Virobot cookie exploit16768ADV-2006-0691189741015658virobot-filescan-auth-bypass(24850)PunBB 1.2.10 and earlier allows remote attackers to cause a denial of service (resource consumption) by registering many user accounts quickly.20060219 PunBB 1.2.10 Multiple DoS Vulnerabilities punbb-register-ip-dos(24837)PunBB 1.2.10 and earlier allows remote attackers to conduct brute force guessing attacks for an account's password, which may be as short as 4 characters.20060219 PunBB 1.2.10 Multiple DoS Vulnerabilities punbb-login-bruteforce(24838)Buffer overflow in certain versions of South River (aka SRT) WebDrive, possibly version 6.08 build 1131 and version 8, allows remote attackers to cause a denial of service (application crash and persistent erratic behavior) via a long string in the name entry field.20060222 South River WebDrive Buffer Overflow Vulnerability webdrive-name-bo(24903)Multiple unspecified injection vulnerabilities in unspecified Auth Container back ends for PEAR::Auth before 1.2.4, and 1.3.x before 1.3.0r4, allow remote attackers to "falsify authentication credentials," related to the "underlying storage containers."20060222 Multiple Injection Vulnerabilities in PHP PEAR::Auth ModulePackage Information: Auth 1.2.4Package Information: Auth 1.3.0r416758ADV-2006-0696101566619008auth-multiple-injections(24854)GLSA-200603-1319301Directory traversal vulnerability in the "remember me" feature in liveuser.php in PHP Extension and Application Repository (PEAR) LiveUser 0.16.8 and earlier allows remote attackers to determine file existence, and possibly delete arbitrary files with short pathnames or possibly read arbitrary files, via a .. (dot dot) in the store_id value of a cookie.20060221 PEAR LiveUser File Access Vulnerabilities16761ADV-2006-06971015659liveuser-liveuser-file-access(24852)liveuser-liveuser-file-deletion(24853)466SQL injection vulnerability in pages.asp in Mini-Nuke CMS System 1.8.2 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter. NOTE: version 2.3 was later reported to be vulnerable as well.20060220 MiniNuke CMS System all versions (pages.asp) SQL Injection167302343818439mininuke-pages-sql-injection(24803)20060321 Mini-Nuke<=1.8.2 SQL injection (6)20060420 Mini-NUKE v2.3<<--- SQL Injection1763620060421 Re: Mini-NUKE v2.3<<--- SQL InjectionDirectory traversal vulnerability in the _setTemplate function in Mambo 4.5.3, 4.5.3h, and possibly earlier versions allows remote attackers to read and include arbitrary files via the mos_change_template parameter. NOTE: CVE-2006-1794 has been assigned to the SQL injection vector.1893516775ADV-2006-071920060224 Mambo Multiple Vulnerabilities23505493Directory traversal vulnerability in init.inc.php in Coppermine Photo Gallery 1.4.3 and earlier allows remote attackers to include arbitrary files via a .. (dot dot) sequence and trailing NULL (%00) byte in the lang parameter.ADV-2006-066910156461894120060218 Coppermine Photo Gallery <=1.4.3 remote code execution16718 coppermine-init-file-include(24814)Absolute path traversal vulnerability in docs/showdocs.php in Coppermine Photo Gallery 1.4.3 and earlier allows remote attackers to include arbitrary files via the f parameter, and possibly remote files using UNC share pathnames.ADV-2006-066910156461894120060218 Coppermine Photo Gallery <=1.4.3 remote code execution16718 coppermine-showdoc-file-include(24816)Multiple unspecified vulnerabilities in Intensive Point iUser Ecommerce before 2.2 have unspecified vectors and impact, as addressed by "Urgent secure fixes". NOTE: this might be a duplicate of CVE-2006-0854, but the vendor announcement for this issue (from January 8, 2005) is too vague to be sure, and CVE-2006-0854 does not provide version information.1678719003iuser-ecommerce-undisclosed(24906)Cross-site scripting vulnerability in ratefile.php in RunCMS 1.3a5 allows remote attackers to inject arbitrary web script or HTML via the lid parameter.20060222 [KAPDA::#27] - Runcms 1.x Cross_Site_Scripting vulnerability16769ADV-2006-069410156631899723388runcms-ratefile-xss(24871)POPFile before 0.22.4 allows remote attackers to cause a denial of service (application crash) via unspecified vectors involving character sets within e-mail messages.ADV-2006-06981897516792DSA-106120205Cross-site scripting vulnerability in Easy Forum 2.5 allows remote attackers to inject arbitrary web script or HTML via the image variable.ADV-2006-070618996easyforum-join-xss(24831)20060304 [eVuln] Easy Forum XSS Vulnerability1695823430Noah's Classifieds 1.3 allows remote attackers to obtain the installation path via a direct request to include files, as demonstrated by classifieds/gorum/category.php.20060222 [KAPDA::#29]Noah's classifieds multiple vulnerabilitiesADV-2006-07031015667 noahs-category-path-disclosure(24898)SQL injection vulnerability in the search tool in Noah's Classifieds 1.3 allows remote attackers to execute arbitrary SQL commands via unspecified attack vectors.20060222 [KAPDA::#29]Noah's classifieds multiple vulnerabilities16773ADV-2006-07031015667 noahs-search-sql-injection(24896)Multiple cross-site scripting (XSS) vulnerabilities in index.php in Noah's Classifieds 1.3 allow remote attackers to inject arbitrary web script or HTML via the (1) inf parameter; or, when register_globals is enabled, the (2) upperTemplate and (3) lowerTemplate parameters.20060222 [KAPDA::#29]Noah's classifieds multiple vulnerabilities16772ADV-2006-07031015667 noahs-indexphp-xss(24895)Multiple PHP remote file include vulnerabilities in gorum/gorumlib.php in Noah's Classifieds 1.3, when register_globals is enabled, allow remote attackers to include arbitrary PHP files via the (1) upperTemplate and (2) lowerTemplate parameters, as demonstrated using the lowerTemplate parameter to index.php.20060222 [KAPDA::#29]Noah's classifieds multiple vulnerabilities16780ADV-2006-07031015667 noahs-gorumlib-file-include(24899)Directory traversal vulnerability in include.php in Noah's Classifieds 1.3 allows remote attackers to include arbitrary local files via the otherTemplate parameter to index.php.20060222 [KAPDA::#29]Noah's classifieds multiple vulnerabilities16778ADV-2006-07031015667 noahs-include-directory-traversal(24900)OpenSSH on FreeBSD 5.3 and 5.4, when used with OpenPAM, does not properly handle when a forked child process terminates during PAM authentication, which allows remote attackers to cause a denial of service (client connection refusal) by connecting multiple times to the SSH server, waiting for the password prompt, then disconnecting.FreeBSD-SA-06:0916892ADV-2006-08051015706 openssh-openpam-dos(25116) 23797520The WYSIWYG rendering engine ("rich mail" editor) in Mozilla Thunderbird 1.0.7 and earlier allows user-assisted attackers to bypass javascript security settings and obtain sensitive information or cause a crash via an e-mail containing a javascript URI in the SRC attribute of an IFRAME tag, which is executed when the user edits the e-mail.20060222 Mozilla Thunderbird : Remote Code Execution & Denial of Service167701015665MDKSA-2006:052MDKSA-2006:076MDKSA-2006:07819821DSA-1046GLSA-200604-1820060404-01-USUSE-SA:2006:02219811198231986319902DSA-1051USN-276-11995019941SUSE-SA:2006:02119721GLSA-200605-09RHSA-2006:0329RHSA-2006:0330FLSA:189137-1HPSBUX02122SCOSA-2006.26210332365310255021622HPSBUX02156oval:org.mitre.oval:def:2024 20051 mozilla-inline-fwd-code-execution(25983)MDKSA-2006:052MDKSA-2006:076MDKSA-2006:078ADV-2006-374922065Cross-site scripting (XSS) vulnerability in show_news.php in CuteNews 1.4.1 allows remote attackers to inject arbitrary web script or HTML via the show parameter.ADV-2006-0685189812340020060221 [myimei]CuteNews1.4.1~ Add Comment For Protected UserNames~ XSS Attack16740 cutenews-shownews-xss(24835)Cross-site scripting (XSS) vulnerability in register.php in DEV web management system 1.5 allows remote attackers to inject arbitrary web script or HTML via the "City/Region" field (mesto variable). NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.ADV-2006-0723187141681223468dev-cityregion-xss(24875)Eval injection vulnerability in sessions.inc in PHP Base Library (PHPLib) before 7.4a, when index.php3 from the PHPLib distribution is available on the server, allows remote attackers to execute arbitrary PHP code by including a base64-encoded representation of the code in a cookie. NOTE: this description was significantly updated on 20060605 to reflect new details after an initial vague advisory.ADV-2006-0720169021680123466phplib-code-execution(24873)1016123index.php in Invision Power Board (IPB) 2.0.1, with Code Confirmation disabled, allows remote attackers to cause an unspecified denial of service by registering a large number of users.16616 1489Cross-site scripting (XSS) vulnerability in Calcium 3.10.1 allows remote attackers to inject arbitrary web script or HTML via the EventText parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.ADV-2006-0724190071685123471 calcium-eventtext-xss(24907)Directory traversal vulnerability in SpeedProject Squeez 5.1, as used in (1) ZipStar 5.1 and (2) SpeedCommander 11.01.4450, allows remote attackers to overwrite arbitrary files via unspecified manipulations in a (1) JAR or (2) ZIP archive.20060224 SpeedCommander 11.0 & ZipStar 5.1 & Squeez 5.1 Directory traversalADV-2006-0731234651900616807 speedproject-zip-jar-directory-traversal(24909)Multiple directory traversal vulnerabilities in NOCC Webmail 1.0 allow remote attackers to include arbitrary files via .. (dot dot) sequences and a trailing NULL (%00) byte in (1) the _SESSION['nocc_theme'] parameter in (a) html/footer.php; and (2) the lang and (3) theme parameters and the (4) Accept-Language HTTP header field, when force_default_lang is disabled, in (b) index.php, as demonstrated by injecting PHP code into a profile and accessing it using the lang parameter in index.php.20060223 NOCC Webmail <= 1.0 multiple vulnerabilities1692123416167932341723418234191015671 nocc-index-file-include(24934)NOCC Webmail 1.0 stores e-mail attachments in temporary files with predictable filenames, which makes it easier for remote attackers to execute arbitrary code by accessing the e-mail attachment via directory traversal vulnerabilities.20060223 NOCC Webmail <= 1.0 multiple vulnerabilities1692116793234201015671NOCC Webmail 1.0 allows remote attackers to obtain sensitive information via a direct request to (1) the profiles directory, which leaks e-mail addresses contained in filenames of profiles, and (2) the tmp directory, which lists names of uploaded attachments.20060223 NOCC Webmail <= 1.0 multiple vulnerabilities169211679323420234221015671Multiple cross-site scripting (XSS) vulnerabilities in NOCC Webmail 1.0 allow remote attackers to inject arbitrary web script or HTML via (1) the html_error_occurred parameter in error.php, (2) html_filter_select parameter in filter_prefs.php, (3) html_no_mail parameter in no_mail.php, the (4) page_line, (5) prev, and (6) next parameters in html_bottom_table.php, and the (7) _SESSION['nocc_theme'] parameter in footer.php.20060223 NOCC Webmail <= 1.0 multiple vulnerabilities169211679323423234242342523426234271015671NOCC Webmail 1.0 allows remote attackers to obtain the installation path via a direct request to html/header.php.20060223 NOCC Webmail <= 1.0 multiple vulnerabilities16921167931015671478Cross-site scripting (XSS) vulnerability in Sources/Register.php in Simple Machine Forum (SMF) 1.0.6 allows remote attackers to inject arbitrary web script or HTML via the X-Forwarded-For HTTP header field.ADV-2006-07261900420060306 [eVuln] Simple Machines Forum - SMF %27X-Forwarded-For%27 XSS Vulnerability1684123480[VIM] 20060410 VEndor ACK: Simple Machines Forum Register.php X-Forwarded-For XSS smf-register-xss(24915)545** DISPUTED ** SQL injection vulnerability in VCS Virtual Program Management Intranet (VPMi) Enterprise 3.3 allows remote attackers to execute arbitrary SQL commands via the UpdateID0 parameter to Service_Requests.asp. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. NOTE: the vendor has disputed this issue, saying that "[we] have a behind the scenes complex state management system that uses a combination of keys placed in JavaScript and Session State (server side) that protects against the type of SQL injection you describe. We have tested for many of the cases and have not found it to be an issue." Further investigation suggests that the original researcher might have triggered errors using invalid field values, which is not proof of SQL injection; however, the vendor did not receive a response from the original researcher.16798ADV-2006-07251884223479vpmi-servicerequests-sql-injection(24885)[VIM] 20060310 vendor dispute: VCS[VIM] 20060310 Re: vendor dispute: VCSCrypt::CBC Perl module 2.16 and earlier, when running in RandomIV mode, uses an initialization vector (IV) of 8 bytes, which results in weaker encryption when used with a cipher that requires a larger block size than 8 bytes, such as Rijndael.20060223 Vulnerability in Crypt::CBC Perl module, versions <= 2.161680218755DSA-99619187GLSA-200603-1519303SUSE-SR:2006:01520899 crypt-cbc-header-weak-encryption(24954)488RHSA-2008:0261Directory traversal vulnerability in index.php in 4Images 1.7.1 and earlier allows remote attackers to read and include arbitrary files via ".." (dot dot) sequences in the template parameter.milw0rm.com [2006-02-26]ADV-2006-0754190261685520060301 4images <=1.7.1 remote code execution1533235294images-template-file-include(24938)518nfsd in FreeBSD 6.0 kernel allows remote attackers to cause a denial of service via a crafted NFS mount request, as demonstrated by the ProtoVer NFS test suite.[Dailydave] 20060226 fun with FreeBSD kernel1901719017FreeBSD-SA-06:101683823511freebsd-nfsd-kernel-dos(24918)521Unspecified vulnerability in the hsfs filesystem in Solaris 8, 9, and 10 allows unspecified attackers to cause a denial of service (panic) or execute arbitrary code.1021611682619042ADV-2006-07561015680oval:org.mitre.oval:def:1628 solaris-hsfs-privilege-elevation(24911)MySQL 5.0.18 and earlier allows local users to bypass logging mechanisms via SQL queries that contain the NULL character, which are not properly handled by the mysql_real_query function. NOTE: this issue was originally reported for the mysql_query function, but the vendor states that since mysql_query expects a null character, this is not an issue for mysql_query.ADV-2006-075219034168501015693MDKSA-2006:06419502USN-274-119814DSA-1071DSA-10732024120253DSA-107920333RHSA-2006:054420625USN-274-2 20060225 mysql <= 5.0.18 RHSA-2007:0083 mysql-query-log-bypass-security(24966)MDKSA-2006:064A "programming error" in fast_ipsec in FreeBSD 4.8-RELEASE through 6.1-STABLE and NetBSD 2 through 3 does not properly update the sequence number associated with a Security Association, which allows packets to pass sequence number checks and allows remote attackers to capture IPSec packets and conduct replay attacks.FreeBSD-SA-06:1117191101580919366bsd-ipsec-replay(25398)NetBSD-SA2006-01124068SQL injection vulnerability in D3Jeeb Pro 3 allows remote attackers to execute arbitrary SQL commands via the catid parameter in (1) fastlinks.php and (2) catogary.php.20060226 2 SQL Injection in d3jeeb16853ADV-2006-0757101568719062 d3jeeb-catid-sql-injection(24941)SQL injection vulnerability in PHP-Nuke before 7.8 Patched 3.2 allows remote attackers to execute arbitrary SQL commands via encoded /%2a (/*) sequences in the query string, which bypasses regular expressions that are intended to protect against SQL injection, as demonstrated via the kala parameter.20060225 [waraxe-2006-SA#047] - Evading sql-injection filters in phpNuke 7.8PHP-Nuke 7.8 Patched 3.2 allows remote attackers to bypass SQL injection protection mechanisms via /%2a (/*) sequences with the "ad_click" word in the query string, as demonstrated via the kala parameter.20060225 [waraxe-2006-SA#047] - Evading sql-injection filters in phpNuke 7.8497Invision Power Board (IPB) 2.1.4 and earlier allows remote attackers to view sensitive information via a direct request to multiple PHP scripts that include the full path in error messages, including (1) PEAR/Text/Diff/Renderer/inline.php, (2) PEAR/Text/Diff/Renderer/unified.php, (3) PEAR/Text/Diff3.php, (4) class_db.php, (5) class_db_mysql.php, and (6) class_xml.php in the ips_kernel/ directory; (7) mysql_admin_queries.php, (8) mysql_extra_queries.php, (9) mysql_queries.php, and (10) mysql_subsm_queries.php in the sources/sql directory; (11) sources/acp_loaders/acp_pages_components.php; (12) sources/action_admin/member.php and (13) sources/action_admin/paysubscriptions.php; (14) login.php, (15) messenger.php, (16) moderate.php, (17) paysubscriptions.php, (18) register.php, (19) search.php, (20) topics.php, (21) and usercp.php in the sources/action_public directory; (22) bbcode/class_bbcode.php, (23) bbcode/class_bbcode_legacy.php, (24) editor/class_editor_rte.php, (25) editor/class_editor_std.php, (26) post/class_post.php, (27) post/class_post_edit.php, (28) post/class_post_new.php, (29) and post/class_post_reply.php in the sources/classes directory; (30) sources/components_acp/registration_DEPR.php; (31) sources/handlers/han_paysubscriptions.php; (32) func_usercp.php; (33) search_mysql_ftext.php, and (34) search_mysql_man.php in the sources/lib/ directory; and (35) convert/auth.php.bak, (36) external/auth.php, and (37) ldap/auth.php in the sources/loginauth directory.20060221 Invision Power Board 2.1.4 Multiple Vulnerabilitiesinvisionpowerboard-multiple-info-disclosure(24840) 20070419 IPB (Invision Power Board) Full Path DisclusureInvision Power Board (IPB) 2.1.4 and earlier allows remote attackers to list directory contents via a direct request to multiple directories, including (1) sources/loginauth/convert/, (2) sources/portal_plugins/, (3) cache/skin_cache/cacheid_2/, (4) ips_kernel/PEAR/, (5) ips_kernel/PEAR/Text/, (6) ips_kernel/PEAR/Text/Diff/, (7) ips_kernel/PEAR/Text/Diff/Renderer/, (8) style_images/1/folder_rte_files/, (9) style_images/1/folder_js_skin/, (10) style_images/1/folder_rte_images/, and (11) upgrade/ and its subdirectories.20060221 Invision Power Board 2.1.4 Multiple Vulnerabilitiesinvisionpowerboard-multiple-info-disclosure(24840)NmService.exe in Ipswitch WhatsUp Professional 2006 allows remote attackers to cause a denial of service (CPU consumption) via crafted requests to Login.asp, possibly involving the (1) "In]" and (2) "b;tnLogIn" parameters, or (3) malformed btnLogIn parameters, possibly involving missing "[" (open bracket) or "[" (closing bracket) characters, as demonstrated by "&btnLogIn=[Log&In]=&" or "&b;tnLogIn=[Log&In]=&" in the URL. NOTE: due to the lack of diagnosis by the original researcher, the precise nature of the vulnerability is unclear.20060222 IpSwitch WhatsUp Professional 2006 DoS16771ADV-2006-070423494whatsup-nmservice-dos(24864)472Oreka before 0.5 allows remote attackers to cause a denial of service (application crash) via a "certain RTP sequence."23300ADV-2006-08121909516937SQL injection vulnerability in whineatnews.pl in Bugzilla 2.17 through 2.18.4 and 2.20 allows remote authenticated users with administrative privileges to execute arbitrary SQL commands via the whinedays parameter, as accessible from editparams.cgi.20060221 [BUGZILLA] Security Advisory for Bugzilla 2.20, 2.21.1, and 2.18.4Bugzilla Bug 3124981673818979bugzilla-editparams-sql-injection(24819)ADV-2006-069223378Bugzilla 2.16.10, 2.17 through 2.18.4, and 2.20 does not properly handle certain characters in the mostfreqthreshold parameter in duplicates.cgi, which allows remote attackers to trigger a SQL error.20060221 [BUGZILLA] Security Advisory for Bugzilla 2.20, 2.21.1, and 2.18.4Bugzilla Bug 312498ADV-2006-0692bugzilla-duplicates-sql-injection(42802)Bugzilla 2.16.10 does not properly handle certain characters in the (1) maxpatchsize and (2) maxattachmentsize parameters in attachment.cgi, which allows remote attackers to trigger a SQL error.Bugzilla Bug 313441ADV-2006-0692Bugzilla 2.19.3 through 2.20 does not properly handle "//" sequences in URLs when redirecting a user from the login form, which could cause it to generate a partial URL in a form action that causes the user's browser to send the form data to another domain.20060221 [BUGZILLA] Security Advisory for Bugzilla 2.20, 2.21.1, and 2.18.4Bugzilla Bug 3250791674518979bugzilla-login-data-redirection(24821)ADV-2006-0692464Melange Chat Server (aka M-Chat), when accessed via a web browser, automatically sends cookies and other sensitive information for a server to any port specified in the associated link, which allows local users on that server to read the cookies from HTTP headers and possibly gain sensitive information, such as credentials, by setting up a listening port and reading the credentials when the victim clicks on the link.20060221 grab cookie information with Melange Chat Server 1.101674718984melange-chat-command-information-disclosure(24868)463Buffer overflow in RITLabs The Bat! 3.60.07 allows remote attackers to execute arbitrary code via a long Subject field.20060223 NSA Group Security Advisory NSAG-&sup1;198-23.02.2006 Vulnerability The Bat v. 3.60.071679718989ADV-2006-0717thebat-subject-bo(24882)485SQL injection vulnerability in index.php (aka the login page) in Oi! Email Marketing System 3.0 (aka Oi! 3) allows remote attackers to execute arbitrary SQL commands via the (1) Username and (2) Password fields.20060223 HYSA-2006-003 Oi! Email Marketing 3.0 SQL InjectionADV-2006-07182346218993Oi! Email Marketing System 3.0 (aka Oi! 3) stores the server's FTP password in cleartext on a Configuration web page, which allows local users with superadministrator privileges, or attackers who have obtained access to the web page, to view the password.20060223 HYSA-2006-003 Oi! Email Marketing 3.0 SQL Injection16794483Multiple directory traversal vulnerabilities in connector.php in FCKeditor 2.0 FC, as used in products such as RunCMS, allow remote attackers to list and create arbitrary directories via a .. (dot dot) in the CurrentFolder parameter to (1) GetFoldersAndFiles and (2) CreateFolder.20060223 NSA Group Security Advisory NSAG-&sup1;195-23.02.2006 Vulnerability FCKeditor 2.0 FC 20060519 Re: NSA Group Security Advisory NSAG-&sup1;195-23.02.2006 Vulnerability FCKeditor 2.0 FC fckeditor-connector-obtain-information(24878)484CubeCart 3.0 through 3.6 does not properly check authorization for an administration session because of a missing auth.inc.php include, which results in an absolute path traversal vulnerability in FileUpload in connector.php (aka upload.php) that allows remote attackers to upload arbitrary files via a modified CurrentFolder parameter in a direct request to admin/filemanager/upload.php.20060223 NSA Group Security Advisory NSAG-&#xb9;197-23.02.2006 Vulnerability CubeCart 3.0.0 ? 3.0.616796cubecart-connector-file-include(24883)482Multiple cross-site scripting (XSS) vulnerabilities in MyPHPNuke (MPN) 1.88 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the letter parameter in reviews.php and (2) the dcategory parameter in download.php.20060224 Advisory: MyPHPNuke <= 1.8.8 multiple XSS vulnerabilities16815ADV-2006-075019052myphpnuke-reviews-download-xss(24887)491Cross-site scripting (XSS) vulnerability in Brown Bear iCal 3.10 allows remote attackers to inject arbitrary web script or HTML via the Calendar Text field when a new event is added. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.This vulnerability affects Brown Bear iCal version 3.10 and previous.ADV-2006-0727190011684523472 ical-calendartext-xss(24919)Format string vulnerability in the IMAP4rev1 server in Alt-N MDaemon 8.1.1 and possibly 8.1.4 allows remote attackers to cause a denial of service (CPU consumption) by creating and then listing folders whose names contain format string specifiers.ADV-2006-07291892116854 mdaemon-imap-foldername-dos(24916)Multiple directory traversal vulnerabilities in Allume StuffIt Standard and Deluxe 9.0, ZipMagic Deluxe 9.0, and StuffIt Expander 9.0.0.21 Engine 9.0.0.21 allow remote attackers to create and overwrite arbitrary files via certain crafted pathnames in a (1) zip or (2) tar archive.20060224 StuffIt and ZipMagic Family of products Directory traversal16806ADV-2006-07321901023463stuffit-zipmagic-archive-directory-traversal(24886)Multiple cross-site scripting (XSS) vulnerabilities in the JGS-XA JGS-Gallery Addon 4.0.0 and earlier for Woltlab Burning Board (wBB) 2.x allow remote attackers to inject arbitrary web script or HTML via the (1) userid parameter in (a) jgs_galerie_slideshow.php and (b) jgs_galerie_scroll.php, and the (2) katid parameter in (c) jgs_galerie_slideshow.php.Vulnerability affects JGS-XA, JGS-Gallery Addon versions 4.0.0 and previous.20060224 Advisory: Woltlab Burning Board 2.x (JGS-Gallery MOD <= 4.0)multiple XSS vulnerabilitiesnukedx.com1681016843wbb-jgsgallerymod-xss(24888)20060224 Advisory: Woltlab Burning Board 2.x (JGS-Gallery MOD <= 4.0) multiple XSS vulnerabilitiesThe POP3 Server in ArGoSoft Mail Server Pro 1.8 allows remote attackers to obtain sensitive information via the _DUMP command, which reveals the operating system, registered user, and registration code.20060224 NSA Group Security Advisory NSAG-&#xb9;198-23.02.2006 Vulnerability ArGoSoft Mail Server Pro16808ADV-2006-073318990Directory traversal vulnerability in the IMAP server in ArGoSoft Mail Server Pro 1.8.8.1 allows remote authenticated users to create arbitrary folders via a .. (dot dot) in the RENAME command.20060224 NSA Group Security Advisory NSAG-&#xb9;200-24.02.2006 Vulnerability ArGoSoft Mail Server Pro IMAP16809ADV-2006-073318990Directory traversal vulnerability in Webmail in ArGoSoft Mail Server Pro 1.8 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the UIDL parameter.ADV-2006-073318990487Directory traversal vulnerability in PEAR::Archive_Tar 1.2, and other versions before 1.3.2, allows remote attackers to create and overwrite arbitrary files via certain crafted pathnames in a TAR archive.20060224 Archive_Tar v 1.2(Tested) (Tar file management class) Directory traversal16805ADV-2006-07281901123481Directory traversal vulnerability in zip.lib.php 0.1.1 in PEAR::Archive_Zip allows remote attackers to create and overwrite arbitrary files via certain crafted pathnames in a ZIP archive.20060224 Archive_Tar v 1.2(Tested) (Tar file management class) Directory traversal20060225 Archive_Zip (Zip file management class) Directory traversal ziplib-directory-traversal(24972)486Cross-site scripting (XSS) vulnerability in PHPX 3.5.9 allows remote attackers to inject arbitrary web script or HTML via a javascript URI in a url XCode tag in a posted message. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.16799ADV-2006-072218688phpx-xcode-tag-xss(24874)Cross-site scripting (XSS) vulnerability in webinsta Limbo 1.0.4.2 allows remote attackers to inject arbitrary web script or HTML via the message field in the Contact Form.16811ADV-2006-072118723webinsta-limbo-contact-form-xss(24877)23469Microsoft Word 2003 allows remote attackers to cause a denial of service (application crash) via a crafted file, as demonstrated by 101_filefuzz.[Dailydave] 20060221 word dos 4fun16782Free Host Shop Website Generator 3.3 allows remote authenticated users with administrative privileges to upload and execute arbitrary files via a formname parameter with a filename containing a dangerous file extension and a trailing %00.190141682320060225 NSA Group Security Advisory NSAG-&sup1;202-25.02.2006 Vulnerability WEBSITE GENERATOR 3.3U.N.U. Mailgust 1.9 allows remote attackers to obtain sensitive information via a direct request to index.php with method=showfullcsv, which reveals the POP3 server configuration, including account name and password.18998mailgust-index-info-disclosure(24890)Cross-site scripting (XSS) vulnerability in eZ publish 3.7.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the RefererURL parameter.20060225 Advisory: eZ publish <= 3.7.3 (imagecatalogue module) XSSvulnerability168171015683 ezpublish-referrerurl-xss(24956)SQL injection vulnerability in DCI-Taskeen 1.03 allows remote attackers to execute arbitrary SQL commands via the (1) id or (2) action parameter to (a) basket.php, or (3) id or (4) page parameter to (b) cat.php.20060225 SQL Injection in DCI-Taskeen168281015685 dci-taskeen-multiple-scripts-sql-injection(24963)495Multiple direct static code injection vulnerabilities in savesettings.php in ShoutLIVE 1.1.0 allow remote attackers to execute arbitrary PHP code via variables that are written to settings.php.234821904716857ADV-2006-075520060307 [eVuln] ShoutLIVE PHP Code Execution & Multiple XSS Vulnerabilities shoutlive-savesettings-file-include(24897)557Multiple cross-site scripting (XSS) vulnerabilities in post.php in ShoutLIVE 1.1.0 allow remote attackers to inject arbitrary web script or HTML via certain variables when posting new messages.234831904716857ADV-2006-075520060307 [eVuln] ShoutLIVE PHP Code Execution & Multiple XSS Vulnerabilities shoutlive-post-xss(24901)557SQL injection vulnerability in profil.php in PwsPHP 1.2.3, and possibly earlier versions, allows remote attackers to execute arbitrary SQL commands via the aff_news_form parameter, a different vulnerability than CVE-2005-1509.1656728444SQL injection vulnerability in the sondages module in index.php in PwsPHP 1.2.3 allows remote attackers to execute arbitrary SQL commands via the id parameter to index.php.20060225 PwsPHP Injection SQL on Index.php20060226 Re: PwsPHP Injection SQL on Index.php1015684ADV-2006-0748496Archangel Weblog 0.90.02 allows remote attackers to bypass authentication by setting the ba_admin cookie to 1.20060226 Archangel Weblog 0.90.02 Admin Authentication Bypass & Remote File Inclusion16848101568923620archangel-admin-auth-bypass(24984) 3859PHP remote file include vulnerability in admin/index.php in Archangel Weblog 0.90.02 allows remote authenticated administrators to execute arbitrary PHP code via a URL ending in a NULL (%00) in the index parameter.20060226 Archangel Weblog 0.90.02 Admin Authentication Bypass & Remote File Inclusion168481015689archangel-index-file-include(25142)23621archangel-admin-auth-bypass(24984)Cross-site scripting (XSS) vulnerability in Thomson SpeedTouch modems running firmware 5.3.2.6.0 allows remote attackers to inject arbitrary web script or HTML via the name parameter to the LocalNetwork page.20060226 Thomson SpeedTouch 500 modems vulnerable to XSS16839ADV-2006-076510156881906923527 speedtouch-localnetwork-xss(24977)Thomson SpeedTouch modem running firmware 5.3.2.6.0 allows remote attackers to create users that cannot be deleted via scripting code in the "31" parameter in a NewUser function, which is not filtered by the modem when creating the account, but cannot be deleted by the administrator, possibly due to cleansing that occurs in the administrator interface.20060226 Thomson SpeedTouch 500 modems vulnerable to XSS16839ADV-2006-0765101568819069AOL 9.0 Security Edition revision 4184.2340, and probably other versions, uses insecure permissions (Everyone/Full Control) for the "America Online 9.0" directory, which allows local users to gain privileges by replacing critical files.AOL has released fixes to address this issue. These fixes can be automatically applied by logging in to the service.1958320060818 Secunia Research: AOL Insecure Default Directory PermissionsADV-2006-3317101671718734aol-default-insecure-permissions(28445) 279951416RaidenHTTPD 1.1.47 allows remote attackers to obtain source code of script files, including PHP, via crafted requests involving (1) "." (dot), (2) space, and (3) "/" (slash) characters.This vulnerability affects RaidenHTTPD, RaidenHTTPD version 1.1.47 and may affect all previous versions.RaidenHTTPD Script Source Disclosure VulnerabilityADV-2006-0807236161903216934raidenhttpd-extension-obtain-information(25037)unalz 0.53 allows user-assisted attackers to overwrite arbitrary files via an ALZ archive with ".." (dot dot) sequences in a filename.20060313 Secunia Research: unalz Filename Handling Directory TraversalVulnerabilityADV-2006-0938190631710523835unalz-archive-directory-traversal(25171)101578020060313 Secunia Research: unalz Filename Handling575The GUI (nod32.exe) in NOD32 2.5 runs with SYSTEM privileges when the scheduler runs a scheduled on-demand scan, which allows local users to execute arbitrary code during a scheduled scan via unspecified attack vectors.19054 ADV-2006-1242 24394nuauth in NuFW before 1.0.21 does not properly handle blocking TLS sockets, which allows remote authenticated users to cause a denial of service (service hang) by flooding packets at the authentication server.This vulnerability affects NuFW, NuFW Firewall versions 1.0.20 and previous.NuFW 1.0.21, minor security fixADV-2006-07621904616868Direct static code injection vulnerability in func.inc.php in ZoneO-Soft freeForum before 1.2.1 allows remote attackers to execute arbitrary PHP code via the (1) X-Forwarded-For and (2) Client-Ip HTTP headers, which are stored in Data/flood.db.php.ADV-2006-0759190201687720060310 [eVuln] FreeForum PHP Code Execution & Multiple XSS Vulnerabilities16871Cross-site scripting (XSS) vulnerability in func.inc.php in ZoneO-Soft freeForum before 1.2.1 allows remote attackers to inject arbitrary web script or HTML via the (1) name and (2) subject parameters.ADV-2006-0759190201687720060310 [eVuln] FreeForum PHP Code Execution & Multiple XSS Vulnerabilities freeforum-func-xss(24925)SQL injection vulnerability in misc.php in MyBulletinBoard (MyBB) 1.03, when register_globals is enabled, allows remote attackers to execute arbitrary SQL commands by setting the comma variable value via the comma parameter in a cookie. NOTE: 1.04 has also been reported to be affected.20060228 MyBB 1.3 NewSQL InjectionADV-2006-07741906120060303 MyBB 1.04 Perl Exploitmybb-misc-sql-injection(24953)1663123554 1539512uConfig agent in Compex NetPassage WPE54G router allows remote attackers to cause a denial of service (unresposiveness) via crafted datagrams to UDP port 7778.16894ADV-2006-0780101569019037netpassage-udp-dos(24968)SQL injection vulnerability in yazdir.asp in Cilem Hiber 1.1 allows remote attackers to execute arbitrary SQL commands via the haber_id parameter. NOTE: this product has also been referred to as "Cilem News," although that does not appear to be the proper name.20060224 Advisory: CilemNews System <= 1.1 Remote SQL20060224 Advisory: CilemNews System <= 1.1 Remote SQL Injection Vulnerability101567720060224 Advisory: CilemNews System <= 1.1 Remote SQLADV-2006-08812361819157cilemnews-sql-injection(24920)16813SQL injection vulnerability in vuBB 0.2 allows remote attackers to execute arbitrary SQL commands via the pass parameter in a cookie.ADV-2006-07991908416930vubb-index-sql-injection(25019) 1543Multiple buffer overflows in STLport 5.0.2 might allow local users to execute arbitrary code via (1) long locale environment variables to a strcpy function call in c_locale_glibc2.c and (2) long arguments to unspecified functions in num_put_float.cpp.ADV-2006-08001905116928 stlport-strcpy-local-bo(25159)Client Firewall in NCP Network Communication Secure Client 8.11 Build 146, and possibly other versions, allows local users to bypass firewall program execution rules by replacing an allowed program with an arbitrary program.20060301 NCP VPN/PKI Client - various Bugs1690620060301 NCP VPN/PKI Client - various Bugs19082 ncp-client-firewall-bypass-security(25242)NCP Network Communication Secure Client 8.11 Build 146, and possibly other versions, allows local users to bypass security protections and configure privileged options via a long argument to ncpmon.exe, which provides access to alternate privileged menus, possibly due to a buffer overflow.20060301 NCP VPN/PKI Client - various Bugs1690620060301 NCP VPN/PKI Client - various Bugs19082 ncp-ncpmon-bo(25243)NCP Network Communication Secure Client 8.11 Build 146, and possibly other versions, allows local users cause a denial of service (CPU consumption) via a large number of arguments to ncprwsnt.exe, possibly due to a buffer overflow.20060301 NCP VPN/PKI Client - various Bugs1690620060301 NCP VPN/PKI Client - various Bugs19082 ncp-ncprwsnt-dos(25248)NCP Network Communication Secure Client 8.11 Build 146, and possibly other versions, allows local users cause a denial of service (memory usage and cpu utilization) via a flood of arbitrary UDP datagrams to ports 0 to 65000. NOTE: this issue was reported as a buffer overflow, but that term usually does not apply in flooding attacks.20060301 NCP VPN/PKI Client - various Bugs1690620060301 NCP VPN/PKI Client - various Bugs19082 ncp-udp-dos(25249)The ncprwsnt service in NCP Network Communication Secure Client 8.11 Build 146, and possibly other versions, allows local users to execute arbitrary code by modifying the connect.bat script, which is automatically executed by the service after a connection is established.20060301 NCP VPN/PKI Client - various Bugs1690620060301 NCP VPN/PKI Client - various Bugs19082 ncp-connect-command-execution(25251)524PHP remote file inclusion vulnerability in index.php in Top sites de PixelArtKingdom allows remote attackers to include and execute arbitrary files via the page parameter.20060227 PixelArtKingdom TopSites Remote Command Exucetion507PHP remote file inclusion vulnerability in index.php in one or more ActiveCampaign products, possibly SupportTrio, allows remote attackers to include and execute arbitrary files via the page parameter.20060227 Knowledgebases Remote Command Exucetion3228 activecampaign-index-command-execution(24989)505Directory traversal vulnerability in Lionel Reyero DirectContact 0.3b allows remote attackers to read arbitrary files via a .. (dot dot) in the URL.20060227 directory traversal in DirectContact 0.3b20060227 directory traversal in DirectContact 0.3bADV-2006-076123519101568619053directcontact-dotdot-dir-traversal(24930)20060312 directory traversal Fixed in DirectContact 0.3c16849506SQL injection vulnerability in news.php in Tony Baird Fantastic News 2.1.1 allows remote attackers to execute arbitrary SQL commands via the page parameter. NOTE: the category vector is already covered by CVE-2005-3846.20060226 2 SQL Injection in Fantastic News16842 fantasticnews-news-sql-injection(24943)501SQL injection vulnerability in topics.php in Appalachian State University phpWebSite 0.10.2 and earlier allows remote attackers to execute arbitrary SQL commands via the topic parameter.phpWebSite topic SQL-Injection168251682520060412 phpWebSite 0.10.? (topics.php) Remote SQL Injection Exploit20060523 sql injection in phpWebSite 0.8.3 1525 phpwebsite-topics-sql-injection(25799)Cross-site scripting (XSS) vulnerability in failure.asp in Battleaxe bttlxeForum 2.0 allows remote attackers to inject arbitrary web script or HTML via the err_txt parameter.This vulnerability affects Battleaxe Software, bttlxeForum versions 2.0 and previous20060226 bttlxeForum 2.* XSS Vulnerability16821ADV-2006-07762354019043bttlxeforum-failure-xss(24981)** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2006-0459. Reason: This candidate is a reservation duplicate of CVE-2006-0459. Notes: All CVE users should reference CVE-2006-0459 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.Directory traversal vulnerability in scan_lang_insert.php in Boris Herbiniere-Seve SPiD 1.3.1 allows remote attackers to read arbitrary files via the lang parameter.20060225 NSA Group Security Advisory NSAG-&#xb9;201-25.02.2006 Vulnerability SPiD v1.3.116822ADV-2006-076619033spid-scanlanginsert-file-include(24955)Craig Morrison Mail Transport System Professional (aka MTS Pro) acts as an open relay when configured to relay all mail through an external SMTP server, which allows remote attackers to relay mail by connecting to the MTS Pro server, then sending a MAIL FROM that specifies a domain that is local to the server.20060225 Mail Transport System Professional--Open Relay HoleADV-2006-07861906716840 mts-mail-relay(24985)Multiple cross-site scripting (XSS) vulnerabilities in the View Headers (aka viewheaders) functionality in ArGoSoft Mail Server Pro 1.8.8.5 allow remote attackers to inject arbitrary web script or HTML via (1) the Subject header, (2) the From header, and (3) certain other unspecified headers.This vulnerability affects ArGoSoft, Mail Server Pro version 1.8.8.5, and may affect all previous versions.20060227 Secunia Research: ArGoSoft Mail Server Pro viewheaders ScriptInsertionSecunia Research 27/02/2006 advisory16834ADV-2006-07512351218991 argosoft-mailserverpro-viewheaders-xss(24945)504Unspecified vulnerability in the local weblog publisher in Nidelven IT Issue Dealer before 0.9.96 has unknown impact and attack vectors.This vulnerability affects Nidelven IT, Issue Dealer versions 0.9.95 and previous.N/A2350219018issuedealer-unpublished-issue-disclosure(24929)16884Multiple cross-site scripting (XSS) vulnerabilities in Jay Eckles CGI Calendar 2.7 allow remote attackers to inject arbitrary web script or HTML via the year parameter in (1) index.cgi and (2) viewday.cgi.20060226 CGI Calendar XSS VulnerabilityADV-2006-076419066 cgicalendar-index-viewday-xss(24946)Directory traversal vulnerability in e-merge WinAce 2.6 and earlier allows remote attackers to create and overwrite arbitrary files via certain crafted pathnames in a (1) zip or (2) tar archive.This vulnerability affects e-merge, WinAce versions 2.6 and previous.20060224 WinAce Archiver v2.6 Directory traversalWinAce Archiver v2.6 Directory traversal16800ADV-2006-07302346419013winace-rar-tar-directory-traversal(24902)The on-access scanner for McAfee Virex 7.7 for Macintosh, in some circumstances, might not activate when malicious content is accessed from the web browser, and might not prevent the content from being saved, which allows remote attackers to bypass virus protection, as demonstrated using the EICAR test file.20060228 Virex on-access scanning unreliableCross-site scripting (XSS) vulnerability in index.php in QwikiWiki 1.4 allows remote attackers to inject arbitrary web script or HTML via the page parameter.20060228 QwikiWiki v1.4 XSS Vulnerability43852616874qwikiwiki-index-xss(24950)23700510Cross-site scripting (XSS) vulnerability in inc_header.php in EJ3 TOPo 2.2.178 allows remote attackers to inject arbitrary web script or HTML via the gTopNombre parameter.This vulnerability affects EJ3, TOPo version 2.2.178, and possibly all previous versions.20060228 EJ3 TOPo - Cross Site Scripting Vulnerability16879ADV-2006-07752354119070topo-incheader-xss(24980)511Multiple cross-site scripting (XSS) vulnerabilities in the "post comment" functionality of WordPress 2.0.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) name, (2) website, and (3) comment parameters.20060227 WordPress 2.0.1 Multiple VulnerabilitiesAdvisory-1720060228 FW: WordPress 2.0.1 Multiple Vulnerabilities20060302 Re: FW: WordPress 2.0.1 Multiple VulnerabilitiesADV-2006-077719050 wordpress-wpcommentspost-xss(24957)WordPress 2.0.1 and earlier allows remote attackers to obtain sensitive information via a direct request to (1) default-filters.php, (2) template-loader.php, (3) rss-functions.php, (4) locale.php, (5) wp-db.php, and (6) kses.php in the wp-includes/ directory; and (7) edit-form-advanced.php, (8) admin-functions.php, (9) edit-link-form.php, (10) edit-page-form.php, (11) admin-footer.php, and (12) menu.php in the wp-admin directory; and possibly (13) list directory contents of the wp-includes directory. NOTE: the vars.php, edit-form.php, wp-settings.php, and edit-form-comment.php vectors are already covered by CVE-2005-4463. The menu-header.php vector is already covered by CVE-2005-2110. Other vectors might be covered by CVE-2005-1688. NOTE: if the typical installation of WordPress does not list any site-specific files to wp-includes, then vector [13] is not an exposure.20060227 WordPress 2.0.1 Multiple VulnerabilitiesAdvisory-1720060228 FW: WordPress 2.0.1 Multiple Vulnerabilities20060302 Re: FW: WordPress 2.0.1 Multiple VulnerabilitiesADV-2006-077719050The default configuration of ISC BIND, when configured as a caching name server, allows recursive queries and provides additional delegation information to arbitrary IP addresses, which allows remote attackers to cause a denial of service (traffic amplification) via DNS queries with spoofed source IP addresses.This vulnerability affects ISC, BIND versions 9.3.2 and previous.20060228 recursive DNS servers DDoS as a growing DDoS problemThe Measurement Factory DNS SurveyDNS-recursion121605The default configuration of the DNS Server service on Windows Server 2003 and Windows 2000, and the Microsoft DNS Server service on Windows NT 4.0, allows recursive queries and provides additional delegation information to arbitrary IP addresses, which allows remote attackers to cause a denial of service (traffic amplification) via DNS queries with spoofed source IP addresses.This vulnerability affects all versions of Windows 2000 -and- Windows Server 2003.20060228 recursive DNS servers DDoS as a growing DDoS problemThe Measurement Factory DNS Survey Executive SummaryDNS-recursion121605Stack-based buffer overflow in the volume manager daemon (vmd) in Veritas NetBackup Enterprise Server 5.0 through 6.0 and DataCenter and BusinesServer 4.5FP and 4.5MP allows attackers to execute arbitrary code via unknown vectors.20060327 ZDI-06-005: Symantec VERITAS NetBackup Volume Manager Buffer OverflowVU#88080117264ADV-2006-1124241721015832netbackup-vmd-sscanf-bo(25471)639Stack-based buffer overflow in the NetBackup Catalog daemon (bpdbm) in Veritas NetBackup Enterprise Server 5.0 through 6.0 and DataCenter and BusinesServer 4.5FP and 4.5MP allows attackers to execute arbitrary code via unknown vectors.20060327 SYM06-006, Veritas NetBackup: Multiple Overflow Vulnerabilities in NetBackup Daemons20060327 ZDI-06-006: Symantec VERITAS NetBackup Database Manager Buffer OverflowVU#74413717264ADV-2006-1124101583219417netbackup-bpdbm-sprintf-bo(25472)642Buffer overflow in the NetBackup Sharepoint Services server daemon (bpspsserver) on NetBackup 6.0 for Windows allows remote attackers to execute arbitrary code via crafted "Request Service" packets to the vnetd service (TCP port 13724).20060327 TSRT-06-01: Symantec VERITAS NetBackup vnetd Buffer Overflow Vulnerability17264VU#377441ADV-2006-1124101583219417netbackup-vnetd-bo(25473)Stack-based buffer overflow in Novell GroupWise Messenger before 2.0 Public Beta 2 allows remote attackers to execute arbitrary code via a long Accept-Language value without a comma or semicolon. NOTE: due to a typo, the original ZDI advisory accidentally referenced CVE-2006-0092. This is the correct identifier.Upgrade to GroupWise Messenger, 2.0 Public Beta 2 to fix this issue.20060413 ZDI-06-008: Novell GroupWise Messenger Accept-Language Buffer OverflowZDI-06-008TID10100861 17503ADV-2006-135510159111966324617 groupwise-accept-language-bo(25828)The web management interface in 3Com TippingPoint SMS Server before 2.2.1.4478 does not restrict access to certain directories, which might allow remote attackers to obtain potentially sensitive information such as configuration settings.Upgrade to 3Com TippingPoint SMS Server version 2.2.1.447820060509 ZDI-06-013: 3Com TippingPoint SMS Server Information Disclosure VulnerabilityADV-2006-175225360101605120058tippingpoint-sms-information-disclosure(26338)17935870Multiple Sophos Anti-Virus products, including Anti-Virus for Windows 5.x before 5.2.1 and 4.x before 4.05, when cabinet file inspection is enabled, allows remote attackers to execute arbitrary code via a CAB file with "invalid folder count values," which leads to heap corruption.The vendor has issued a fixed version20060508 ZDI-06-012: Sophos Anti-Virus CAB Unpacking Code Execution Vulnerability17876ADV-2006-1730101604120028 20060508 ZDI-06-012: Sophos Anti-Virus CAB Unpacking Code Execution Vulnerability sophos-cab-parsing-bo(26305)869EMC Dantz Retrospect 7 backup client 7.0.107, and other versions before 7.0.109, and 6.5 before 6.5.138 allows remote attackers to cause a denial of service (client termination and loss of backup service) via a malformed packet to TCP port 497, which triggers an assert error.This vulnerability affects EMC Dantz, Retrospect versions 7.0.x (all 7.0.x versions previous to 7.0.109) as well as versions 6.5.x (all 6.5.x versions previous to 6.5.138)20060302 EMC Dantz Retrospect 7 Backup client DoS VulnerabilityRetrospect client security update16933ADV-2006-0811101571419097 retrospect-backup-packet-dos(25143)Cross-site scripting (XSS) vulnerability in phpinfo (info.c) in PHP 5.1.2 and 4.4.2 allows remote attackers to inject arbitrary web script or HTML via long array variables, including (1) a large number of dimensions or (2) long values, which prevents HTML tags from being removed.20060408 phpinfo() Cross Site Scripting PHP 5.1.2 and 4.4.2[php-cvs] 20060330 cvs: php-src /ext/standard info.c1736220060408 phpinfo() Cross Site Scripting PHP 5.1.2 and 4.4.2101587919599ADV-2006-1290RHSA-2006:027619832MDKSA-2006:074RHSA-2006:050120222SUSE-SA:2006:024GLSA-200605-08ADV-2006-268520951USN-320-12125224484php-phpinfo-long-array-xss(25702)21564RHSA-2006:054920060501-01-U1977519979200522021021125MDKSA-2006:074675The SSL server implementation in NILE.NLM in Novell NetWare 6.5 and Novell Open Enterprise Server (OES) permits encryption with a NULL key, which results in cleartext communication that allows remote attackers to read an SSL protected session by sniffing network traffic.17176ADV-2006-1043101579919324netware-nile-ssl-cleartext(25380)24046The SSL server implementation in NILE.NLM in Novell NetWare 6.5 and Novell Open Enterprise Server (OES) sometimes selects a weak cipher instead of an available stronger cipher, which makes it easier for remote attackers to sniff and decrypt an SSL protected session.ADV-2006-1043101579919324netware-nile-weak-encryption(25381)24047The SSL server implementation in NILE.NLM in Novell NetWare 6.5 and Novell Open Enterprise Server (OES) allows a client to force the server to use weak encryption by stating that a weak cipher is required for client compatibility, which might allow remote attackers to decrypt contents of an SSL protected session.ADV-2006-1043101579919324netware-nile-forced-weak-encryption(25382)24048Multiple SQL injection vulnerabilities in Pentacle In-Out Board 3.0 and earlier allow remote attackers to execute arbitrary SQL commands and bypass authentication via the (1) newsid parameter to newsdetailsview.asp and (2) password parameter to login.asp.20060225 Advisory: Pentacle In-Out Board <= 6.03 (login.asp) AuthencationByPass Vulnerability20060225 Advisory: Pentacle In-Out Board <= 6.03 (newsdetailsview.aspnewsid) Remote SQL Injection Vulnerability20060225 Advisory: Pentacle In-Out Board <= 6.0320060225 Advisory: Pentacle In-Out Board <= 6.03Advisory 13: Pentacle In-Out Board <= 6.03 Advisory 14: Pentacle In-Out Board <= 6.03 16818ADV-2006-074910156821902420060225 Advisory: Pentacle In-Out Board <= 6.03 (newsdetailsview.asp newsid) Remote SQL Injection Vulnerability20060225 Advisory: Pentacle In-Out Board <= 6.03 (login.asp) Authencation ByPass VulnerabilitySQL injection vulnerability in the board module in LanSuite LanParty Intranet System 2.0.6 and 2.1.0 beta allows remote attackers to execute arbitrary SQL commands via the fid parameter.This vulnerability affects Lansuite, LanParty Intranet System version 2.1 (Beta) & LanSuite, LanParty Intranet System versions 2.0.6 and previous.152616836ADV-2006-07471904823533lansuite-fid-sql-injection(24940) 1526NETGEAR WGT624 Wireless DSL router has a default account of super_username "Gearguy" and super_passwd "Geardog", which allows remote attackers to modify the configuration. NOTE: followup posts have suggested that this might not occur with all WGT624 routers.20060226 NETGEAR WGT624 ? Wireless DSL router default user name/password vulnerability20060227 Re: NETGEAR WGT624 Wireless DSL router default user name/password vulnerability1683520060413 Re: Re: NETGEAR WGT624 Wireless DSL router default user name/password vulnerabilitynetgear-wgt624-default-account(24926)20071220 Re: Re: NETGEAR WGT624 Wireless DSL router default user name/password vulnerabilityThe backup configuration option in NETGEAR WGT624 Wireless Firewall Router stores sensitive information in cleartext, which allows remote attackers to obtain passwords and gain privileges.20060227 NETGEAR WGT624 ? Wireless DSL Firewall/Router vulnerability16837 netgear-wgt624-cleartext-config(24927)Cross-site scripting (XSS) vulnerability in agencyprofile.asp in Parodia 6.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the AG_ID parameter. NOTE: the provenance of this information is unknown; the details are obtained from third party information.ADV-2006-07631902523548parodia-agencyprofile-xss(24971)16865agencyprofile.asp in Parodia 6.2 and earlier might allow remote attackers to obtain sensitive information by triggering an SQL error via an invalid AG_ID parameter. NOTE: the provenance of this information is unknown; the details are obtained from third party information.This vulnerability affects CactuSoft, Parodia version 6.2, and may affect all previous versions as well.19025Multiple SQL injection vulnerabilities in sendcard.php in sendcard before 3.3.0 allow remote attackers to execute arbitrary SQL commands via unspecified parameters.Summary: sendcard 3.3.0 released 16900ADV-2006-077819056sendcard-unspecified-sql-injection(24978)Multiple SQL injection vulnerabilities in N8cms 1.1 and 1.2 allow remote attackers to execute arbitrary SQL commands via the (1) dir and (2) page_id parameter to index.php.ADV-2006-077919068n8cms-index-sql-injection(24974)20060309 n8cms 1.1 & 1.2 version Sql &#304;njection And XSSn8cms-sql-injection(25125)16858Multiple cross-site scripting (XSS) vulnerabilities in N8cms 1.1 and 1.2 allow remote attackers to inject arbitrary web script or HTML via the (1) dir and (2) page_id parameter to (a) index.php and (3) userid parameter to (b) mailto.php. NOTE: it is possible that issues 1 and 2 are resultant from SQL injection.This vulnerability may affect all versions of Nathan Landry, n8cms.n8cms 1.1 & 1.2 versionADV-2006-077919068n8cms-mailto-xss(24975)20060309 n8cms 1.1 & 1.2 version Sql &#304;njection And XSSn8cms--xss(25126)16858562M4 Project enigma-suite before 0.73.3 (Windows) has a default password of "nominal" for the "enigma-client" account, which allows local users to gain access.2357219077ADV-2006-0787enigma-suite-default-acoount(24993)Buffer overflow in socket/request.c in CrossFire before 1.9.0, when oldsocketmode is enabled, allows remote attackers to cause a denial of service (segmentation fault) and possibly execute code by sending the server a large request.This vulnerability affects CrossFire versions 1.8.0 and previous.CrossFire <= 1.8.0 oldsocketmode buffer-overflow 0.1N/AADV-2006-076019044crossfire-oldsocketmode-bo(24932)1688323549DSA-100119194GLSA-200604-1119785LetterMerger 1.2 stores user information in Access database files with insecure permissions, which allows local users to obtain sensitive information. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.169172359919074lettermerger-files-disclose-information(25020)SQL injection vulnerability in WordPress 1.5.2, and possibly other versions before 2.0, allows remote attackers to execute arbitrary SQL commands via the User-Agent field in an HTTP header for a comment.GLSA-200603-01169501910919123 wordpress-comment-sql-injection(25321)PHP remote file include vulnerability in index.php in SMartBlog (aka SMBlog) 1.2 allows remote attackers to include and execute arbitrary PHP files via (1) the pg parameter and (2) a query string without a parameter.20060301 SMBlog Remote Command Exucetion16905 smartblog-index-file-include(25220)Argument injection vulnerability in certain PHP 4.x and 5.x applications, when used with sendmail and when accepting remote input for the additional_parameters argument to the mb_send_mail function, allows context-dependent attackers to read and create arbitrary files by providing extra -C and -X arguments to sendmail. NOTE: it could be argued that this is a class of technology-specific vulnerability, instead of a particular instance; if so, then this should not be included in CVE.This vulnerability affects all versions of PHP from 4.0.x through 5.1.x 20060228 (PHP) mb_send_mail security bypassADV-2006-0772186942353416878SUSE-SA:2006:024 19979Argument injection vulnerability in certain PHP 3.x, 4.x, and 5.x applications, when used with sendmail and when accepting remote input for the additional_parameters argument to the mail function, allows remote attackers to read and create arbitrary files via the sendmail -C and -X arguments. NOTE: it could be argued that this is a class of technology-specific vulnerability, instead of a particular instance; if so, then this should not be included in CVE.20060301 Re: (PHP) mb_send_mail security bypass16878SUSE-SA:2006:024 19979517Buffer overflow in the IsComponentInstalled method in Internet Explorer 6.0, when used on Windows 2000 before SP4 or Windows XP before SP1, allows remote attackers to execute arbitrary code via JavaScript that calls IsComponentInstalled with a long first argument.ie-iscomponentinstalled-bo(24923)16870The c-client library 2000, 2001, or 2004 for PHP before 4.4.4 and 5.x before 5.1.5 do not check the (1) safe_mode or (2) open_basedir functions, and when used in applications that accept user-controlled input for the mailbox argument to the imap_open function, allow remote attackers to obtain access to an IMAP stream data structure and conduct unauthorized IMAP actions.20060228 (PHP) imap functions bypass safemode and open_basedir restrictionsADV-2006-077218694php-imap-restriction-bypass(24964)MDKSA-2006:1222105021546 23535MDKSA-2006:122516SQL injection vulnerability in poems.php in DCI-Designs Dawaween 1.03 allows remote attackers to execute arbitrary SQL commands via the id parameter.20060302 sql in Dawaween V 1.031690923827 dawaween-poems-sql-injection(25163)Cross-site scripting (XSS) vulnerability in fce.php in UKiBoard 3.0.1 allows remote attackers to inject arbitrary web script or HTML via a BBCode url tag when using the show_post function. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information, some of which reference a source URL that appears to be for an unrelated issue.16912ukiboard-fce-xss(24990)SQL injection vulnerability in forumlib.php in Johnny_Vegas Vegas Forum 1.0 allows remote attackers to execute arbitrary SQL commands via the postid parameter.ADV-2006-079020060313 [eVuln] Vegas Forum SQL Injection Vulnerability1707919219 vegasforum-forumlib-sql-injection(25167)574Cross-site scripting (XSS) vulnerability in sol_menu.php in PeHePe Uyelik Sistemi (aka PeHePe MemberShip Management System) 3 allows remote attackers to inject arbitrary web script or HTML via the kuladi parameter ($kul_adi variable).20060228 PEHEPE Membership Management System Multiple VulnerabilitiesADV-2006-07811905516885PHP remote file include vulnerability in sol_menu.php in PeHePe Uyelik Sistemi (aka PeHePe MemberShip Management System) 3 allows remote attackers to include and execute arbitrary PHP code via a URL in the uye_klasor parameter, along with a misafir[] parameter that is set to UYE_SEVIYE.This vulnerability affects PeHePe, Membership Management System (a.k.a Uyelik Sistemi) versions 3.0 and previous.20060228 PEHEPE Membership Management System Multiple Vulnerabilitiespehepe-membership-management-system-multiple-vulnerabilitiesADV-2006-0781190551688723567pehepe-uyeklasor-command-execution(24970)515Directory traversal vulnerability in HP System Management Homepage (SMH) 2.0.0 through 2.1.4 on Windows allows remote attackers to access certain files via unspecified vectors.This vulnerability affects all versions of HP, System Management Homepage from 2.0.0 through 2.1.4. This vulnarebility is only present in the following Windows OS environments: Microsoft Windows 2000, 2003, 2003 for x64, 2003 for Itanium and also Windows XP.SSRT061118HPSBMA02099ADV-2006-076910156921905916876 hp-system-managemenet-homepage-dir-traversal(24996)SQL injection vulnerability in MgrLogin.asp in Addsoft StoreBot 2005 Professional allows remote attackers to execute arbitrary SQL commands via the Pwd parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.This vulnerability affects all versions of AddSoft, StoreBot 2005 Professional Edition.16897ADV-2006-07842357519019storebot-mgrlogin-sql-injection(24987)Cross-site scripting (XSS) vulnerability in manage.asp in Addsoft StoreBot 2002 Standard allows remote attackers to inject arbitrary web script or HTML via the ShipMethod parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.16898ADV-2006-07852357419060storebot-manage-xss(24986)JFacets before 0.2 allows remote attackers to gain privileges as any account via a GET request with a modified account profileID.This vulnerability affects JFacets versions prior to 0.2.jfacets-0.2[1439037] Security issueADV-2006-076719031jfacets-auth-authentication-bypass(24958)feedcreator.class.php (aka the syndication component) in Joomla! 1.0.7 allows remote attackers to obtain sensitive information via a "/" (slash) in the feed parameter to index.php, which reveals the path in an error message.20060302 JOOMLA CMS 1.0.7 DoS & path disclosing1.0.8 Changelog joomla-multiple-disclose-path(25028)23815527feedcreator.class.php (aka the syndication component) in Joomla! 1.0.7 allows remote attackers to cause a denial of service (stressed file cache) by creating many files via filenames in the feed parameter to index.php.20060302 JOOMLA CMS 1.0.7 DoS & path disclosing1.0.8 Changelog 1910523817527The cross-site scripting (XSS) countermeasures in class.inputfilter.php in Joomla! 1.0.7 allow remote attackers to cause a denial of service via a crafted mosmsg parameter to index.php with a malformed sequence of multiple tags, as demonstrated using "<<>AAA<><>", possibly due to nested or empty tags.20060302 JOOMLA CMS 1.0.7 DoS & path disclosing1.0.8 Changelog 23816Unspecified vulnerability in mod_templatechooser in Joomla! 1.0.7 allows remote attackers to obtain sensitive information via an unspecified attack vector that reveals the path.1.0.8 Changelog ADV-2006-081819105joomla-multiple-disclose-path(25028)23818config/config_inc.php in iGENUS Webmail 2.02 and earlier allows remote attackers to include arbitrary local files via the SG_HOME parameter.ADV-2006-0753190362353016829igenus-sg-home-file-include(24935)Eval injection vulnerability in the decode function in rpc_decoder.php for phpRPC 0.7 and earlier, as used by runcms, exoops, and possibly other programs, allows remote attackers to execute arbitrary PHP code via the base64 tag.20060226 phpRPC Library Remote Code Execution1683310156911902819058 ADV-2006-0745502Multiple cross-site scripting (XSS) vulnerabilities in Dragonfly CMS before 9.0.6.1 allow remote attackers to inject arbitrary web script or HTML via (1) uname, (2) error, (3) profile or (4) the username filed parameter to the (a) Your_Account module, (5) catid, (6) sid, (7) Story Text or (8) Extended text text fields in the (b) News module, (9) month, (10) year or (11) sa parameter to the (c) Stories_Archive module, (12) show, (13) cid, (14) ratetype, or (15) orderby parameter to the (d) Web_Links module, (16) op, or (17) pollid parameter to the (e) Surveys module, (18) c parameter to the (f) Downloads module, (19) meta, or (20) album parameter to the (g) coppermine module, or the search box in the (21) Search, (22) Stories_Archive, (23) Downloads, and (24) Topics module.16784ADV-2006-0688101566118940 cpg-dragonfly-multiple-xss(24843)Multiple cross-site scripting (XSS) vulnerabilities in Woltlab Burning Board (wBB) allow remote attackers to inject arbitrary web script or HTML via (1) the username parameter to galerie_index.php and possibly (2) galerie_onfly.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. The second vector might not be XSS.16843Unspecified vulnerability in the Oracle Diagnostics module 2.2 and earlier allows remote attackers to access diagnostics tests via unknown attack vectors.16844VU#29895819076Multiple unspecified vulnerabilities in the Oracle Diagnostics module 2.2 and earlier have unknown impact and attack vectors, related to "permissions."SecurityAnalysis-OracleDiag02061684419076SQL injection vulnerability in the Oracle Diagnostics module 2.2 and earlier allows remote attackers to execute arbitrary SQL commands via uknown attack vectors.1684419076 oracle-diagnostics-sql-injection(25259)Buffer overflow in SecureCRT 5.0.4 and earlier and SecureFX 3.0.4 and earlier allows remote attackers to have an unknown impact when a Unicode string is converted to a "narrow" string.ADV-2006-08061904016935 securecrt-securefx-string-bo(25092)SAP Web Application Server (WebAS) Kernel before 7.0 allows remote attackers to inject arbitrary bytes into the HTTP response and obtain sensitive authentication information, or have other impacts, via a ";%20" followed by encoded HTTP headers.20060301 SAP Web Application Server http request url parsing vulnerabilityADV-2006-081019085101570218006sap-was-url-obtain-information(25003)Cross-site scripting (XSS) vulnerability in vBulletin 3.0.12 and 3.5.3 allows remote attackers to inject arbitrary web script or HTML via the email field, which is injected in profile.php but not sanitized in sendmsg.php.This vulnerability affects all versions of Jelsoft, vBulletin between 3.0.12 and 3.5.320060302 [KAPDA::#26]vBulletin.3.5.3~3.0.12-XSSvBulletin 3.0.12-3.5.3 Cross_Site_Scripting20060302 vBulletin3.0.12&3.5.3~is_valid_email()~XSS AttackADV-2006-0808236141910016919Multiple cross-site scripting (XSS) vulnerabilities in Gregarius 0.5.2 allow remote attackers to inject arbitrary web script or HTML via the (1) rss_query parameter to search.php or (2) tag parameter to tags.php.20060303 Gregarius 0.5.2 XSS and SQL Injection Vulnerabilities16939ADV-2006-0819236782367919102gregarius-multiple-xss(25058)Multiple SQL injection vulnerabilities in Gregarius 0.5.2 allow remote attackers to execute arbitrary SQL commands via the (1) folder parameter to feed.php or (2) rss_query parameter to search.php.20060303 Gregarius 0.5.2 XSS and SQL Injection Vulnerabilities16939ADV-2006-0819236802368119102gregarius-feed-sql-injection(25059)537Stack-based buffer overflow in Microsoft Visual Studio 6.0 and Microsoft Visual InterDev 6.0 allows user-assisted attackers to execute arbitrary code via a long DataProject field in a (1) Visual Studio Database Project File (.dbp) or (2) Visual Studio Solution (.sln).20060304 Visual Studio 6.0 Buffer Overflow VulnerabilityMicrosoft Visual Studio 'dbp' File Handling Buffer Overflow Proof of Concept Exploit16953ADV-2006-0825101572120060305 Microsoft Visual Studio 6.0 Sp6 Malformed .dbp File BoF Exploit1908123711visualstudio-dataproject-bo(25148)Multiple buffer overflows in LISTSERV 14.3 and 14.4, including LISTSERV Lite and HPO, with the web archive interface enabled, allow remote attackers to execute arbitrary code via unknown attack vectors related to the WA CGI. NOTE: technical details will be released after the grace period has ended on 20060603.This vulnerability affects L-Soft, Listserv (LITE and HPO) 14.4 and all prior versions that are installed with the web archive interface.20060304 Critical Risk Vulnerability in L-Soft ListservWA Security Alert16951ADV-2006-08241015722VU#84113219106 listserv-wa-cgi-bo(25168)The HTML rendering engine in Mozilla Thunderbird 1.5, when "Block loading of remote images in mail messages" is enabled, does not properly block external images from inline HTML attachments, which could allow remote attackers to obtain sensitive information, such as application version or IP address, when the user reads the email and the external image is accessed.20060228 Mozilla Thunderbird : Multiple Information Disclosure Vulnerabilities1688117516ADV-2006-1356MDKSA-2006:07819821DSA-1046GLSA-200604-18SUSE-SA:2006:022198231986319902DSA-1051USN-276-11995019941GLSA-200605-09RHSA-2006:0330HPSBUX02156oval:org.mitre.oval:def:1975 20051 thunderbird-inline-information-disclosure(24959)MDKSA-2006:078ADV-2006-374922065514server.cpp in Monopd 0.9.3 allows remote attackers to cause a denial of service (CPU and memory consumption) via a string containing a large number of characters that are escaped when Monopd produces XML output.ADV-2006-08441913316981 monopd-string-dos(25161)Unspecified vulnerability in the "Remember Me login functionality" in Joomla! 1.0.7 and earlier has unknown impact and attack vectors.Joomla! 1.0.7 and earlier allows attackers to bypass intended access restrictions and gain certain privileges via certain attack vectors related to the (1) Weblink, (2) Polls, (3) Newsfeeds, (4) Weblinks, (5) Content, (6) Content Section, (7) Content Category, (8) Contact items, or (9) Contact Search, (10) Content Search, (11) Newsfeed Search, or (12) Weblink Search.This vulnerability affects Joomla! versions 1.0.7 and previous.1.0.8 Changelog ADV-2006-081819105joomla-multiple-bypass-security(25033) 23822Multiple SQL injection vulnerabilities in the Admin functionality in Joomla! 1.0.7 and earlier allow remote authenticated administrators to execute arbitrary SQL commands via unknown attack vectors.ADV-2006-08181910523819** DISPUTED ** Kwik-Pay Payroll 4.2.20, and possibly other versions, stores the KwikPay.mdb database file with insecure permissions, which allows local users to obtain sensitive information such as employment and payment data. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. NOTE: the vendor has disputed this vulnerability, stating that "The kwikpay.mdb file supplied with kwikpay is a template for the database structure of user databases created by kwikpay and to store a demonstration payroll. It does not contain any sensitive user information. When a user payroll database is opened, the encryption of the database is checked and if the database is not encrypted, the user is prompted to encrypt the database, but the choice is the customers."2361719075kwikpay-payroll-insecure-permissions(25114)SQL injection vulnerability in Akarru Social BookMarking Engine before 0.4.3.4 allows remote attackers to execute arbitrary SQL commands via unknown attack vectors, possibly involving the username parameter to akarru.lib/users.php.16989ADV-2006-084119112 akarru-users-sql-injection(25115)The selinux_ptrace logic in hooks.c in SELinux for Linux 2.6.6 allows local users with ptrace permissions to change the tracer SID to an SID of another process.[selinux] 20060313 [SECURITY] SELinux ptrace bug (CVE-2006-1052)[git-commits-head] 20060311 [PATCH] selinux: tracer SID fixUSN-281-1178301995525232MDKSA-2006:08620157RHSA-2006:057521465DSA-11842209322417MDKSA-2006:086** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2006-1861. Reason: This candidate is a reservation duplicate of CVE-2006-1861. Notes: All CVE users should reference CVE-2006-1861 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.The fill_write_buffer function in sysfs/file.c in Linux kernel 2.6.12 up to versions before 2.6.17-rc1 does not zero terminate a buffer when a length of PAGE_SIZE or more is requested, which might allow local users to cause a denial of service (crash) by causing an out-of-bounds read.2006-002017402ADV-2006-127319495USN-281-119955SUSE-SA:2006:028USN-302-12071620398 FEDORA-2006-423 ADV-2006-1475 24443 19735 linux-fillwritebuffer-dos(25693)The Linux kernel before 2.6.16.9 and the FreeBSD kernel, when running on AMD64 and other 7th and 8th generation AuthenticAMD processors, only save/restore the FOP, FIP, and FDP x87 registers in FXSAVE/FXRSTOR when an exception is pending, which allows one process to determine portions of the state of floating point instructions of other processes, which can be leveraged to obtain sensitive information such as cryptographic keys. NOTE: this is the documented behavior of AMD64 processors, but it is inconsistent with Intel processers in a security-relevant fashion that was not addressed by the kernels.Upgrade to Linux Kernel version 2.6.16.9 : http://www.kernel.org/FreeBSD-SA-06:14[linux-kernel] 20060419 RE: Linux 2.6.16.9ADV-2006-1426197241971517600248071015966amd-fpu-information-disclosure(25871)DSA-109720671SUSE-SA:2006:028USN-302-120716DSA-1103ADV-2006-255420914RHSA-2006:057921035RHSA-2006:043721136RHSA-2006:05752146520398219832241720061113 VMSA-2006-0006 - VMware ESX Server 2.5.3 Upgrade Patch 4ADV-2006-435320061113 VMSA-2006-0005 - VMware ESX Server 2.5.4 Upgrade Patch 120061113 VMSA-2006-0007 - VMware ESX Server 2.1.3 Upgrade Patch 2ADV-2006-45022287522876 FEDORA-2006-423 ADV-2006-1475 24746 1973520061113 VMSA-2006-0009 - VMware ESX Server 3.0.0 AMD fxsave/restore issueRace condition in daemon/slave.c in gdm before 2.14.1 allows local users to gain privileges via a symlink attack when gdm performs chown and chgrp operations on the .ICEauthority file.DSA-1040FEDORA-2006-33817635ADV-2006-1465USN-278-1MDKSA-2006:083 gdm-slavec-symlink(26092) RHSA-2007:0286MDKSA-2006:083BusyBox 1.1.1 does not use a salt when generating passwords, which makes it easier for local users to guess passwords from a stolen password file using techniques such as rainbow tables.1733019477busybox-passwd-weak-security(25569) RHSA-2007:0244 2509825848The winbindd daemon in Samba 3.0.21 to 3.0.21c writes the machine trust account password in cleartext in log files, which allows local users to obtain the password and spoof the server in the domain.20060330 [SECURITY] Samba 3.0.21-3.0.21c: Exposure of machine account credentials in winbindd log files19455FEDORA-2006-25917314ADV-2006-117924263101585019468samba-logfile-account-cleartext(25575)2006-001819539Heap-based buffer overflow in zgv before 5.8 and xzgv before 0.8 might allow user-assisted attackers to execute arbitrary code via a JPEG image with more than 3 output components, such as a CMYK or YCCK color space, which causes less memory to be allocated than required.SUSE-SR:2006:00817409ADV-2006-12881957219571DSA-1037DSA-103819731197571977919790 xzgv-jpeg-bo(25718)756Heap-based buffer overflow in cURL and libcURL 7.15.0 through 7.15.2 allows remote attackers to execute arbitrary commands via a TFTP URL (tftp://) with a valid hostname and a long path.Update to version 7.15.3.ADV-2006-10081927120060320 [SSAG#001] :: cURL tftp:// URL Buffer Overflow17154curl-tftp-bo(25318)FEDORA-2006-189GLSA-200603-192006-001623982193351934419371Unspecified vulnerability in lurker.cgi for Lurker 2.0 and earlier allows attackers to read arbitrary files via unknown vectors.This vulnerability affects all versions of Lurker from 0.1a through 0.2[Lurker-users] 20060302 Serious security vulnerabilities foundRelease Name: 2.1ADV-2006-08501913623694DSA-9991700319145 lurker-lurker-information-disclosure(25149)Unspecified vulnerability in Lurker 2.0 and earlier allows remote attackers to create or overwrite files in any writable directory that is named "mbox".This vulnarability affects all verions of Lurker from 0.1a through 0.2 [Lurker-users] 20060302 Serious security vulnerabilities foundRelease Name: 2.1ADV-2006-08501913623695DSA-9991700319145 lurker-mbox-error(25153)Multiple cross-site scripting (XSS) vulnerabilities in Lurker 2.0 and earlier allow remote attackers to inject arbitrary web script or HTML via unknown attack vectors.This vulnerability affects all verions of Lurker from 0.1a through 2.0[Lurker-users] 20060302 Serious security vulnerabilities foundRelease Name: 2.1ADV-2006-08501913623696DSA-9991700319145 lurker-unspecified-xss(25154)SQL injection vulnerability in search.php in MyBulletinBoard (MyBB) 1.04 allows remote attackers to execute arbitrary SQL commands via the forums[] parameter.20060302 MyBB 1.0.4 New SQL Injection19061mybb-search-sql-injection(25018)Linux kernel 2.6.16-rc2 and earlier, when running on x86_64 systems with preemption enabled, allows local users to cause a denial of service (oops) via multiple ptrace tasks that perform single steps, which can cause corruption of the DEBUG_STACK stack during the do_debug function call.DSA-1017[linux-kernel] 20060207 [PATCH] arch/x86_64/kernel/traps.c PTRACE_SINGLESTEP oops172162409819374[linux-kernel] 20060207 [PATCH] arch/x86_64/kernel/traps.c PTRACE_SINGLESTEP oopsUSN-281-119955MDKSA-2006:15121614MDKSA-2006:151Linksys WRT54G routers version 5 (running VXWorks) allow remote attackers to cause a denial of service by sending a malformed DCC SEND string to an IRC channel, which causes an IRC connection reset, possibly related to the masquerading code for NAT environments, and as demonstrated via (1) a DCC SEND with a single long argument, or (2) a DCC SEND with IP, port, and filesize arguments with a 0 value.20060303 linksys router + irc DoS20060306 Re: linksys router + irc DoS20060306 RE: linksys router + irc DoS20060304 Various router DoS 16954 multiple-vendor-dccsend-dos(25230)Netgear 614 and 624 routers, possibly running VXWorks, allow remote attackers to cause a denial of service by sending a malformed DCC SEND string to an IRC channel, which causes an IRC connection reset, possibly related to the masquerading code for NAT environments, and as demonstrated via (1) a DCC SEND with a single long argument, or (2) a DCC SEND with IP, port, and filesize arguments with a 0 value.This vulnerability may affects NetGear Router models 614 and 624 (including WGR614, WGT624, WGT624SC, WGU624, and possibly others) and is most likely related to VXWorks.20060303 linksys router + irc DoS20060306 Re: linksys router + irc DoS20060306 RE: linksys router + irc DoS20060304 Various router DoSyet another irc related bug - netgear edition 16954 multiple-vendor-dccsend-dos(25230)Unspecified vulnerability in the session handling for Geeklog 1.4.x before 1.4.0sr2, 1.3.11 before 1.3.11sr5, 1.3.9 before 1.3.9sr5, and possibly earlier versions allows attackers to gain privileges as arbitrary users via unknown vectors.ADV-2006-085117010Cross-site scripting (XSS) vulnerability in dv_gbook.php in DVguestbook 1.0 allows remote attackers to inject arbitrary web script or HTML via the f parameter.16968ADV-2006-084219098dvguestbook-index-dvgbook-xss(25049)20060309 DVguestbook 1.0 And 1.2.2 Cross Site ScriptingCross-site scripting (XSS) vulnerability in index.php in DVguestbook 1.2.2 allows remote attackers to inject arbitrary web script or HTML via the page parameter.16968ADV-2006-084319099dvguestbook-index-dvgbook-xss(25049)20060309 DVguestbook 1.0 And 1.2.2 Cross Site ScriptingCross-site scripting (XSS) vulnerability in Daverave Simplog 1.0.2 and earlier allows remote attackers to inject arbitrary web script or HTML via a blog post.20060304 Simplog <= 1.0.2 Vulnerabilities16965 simplog-post-xss(25066)Directory traversal vulnerability in index.php in Daverave Simplog 1.0.2 and earlier allows remote attackers to include or read arbitrary .txt files via the (1) act and (2) blogid parameters.20060304 Simplog <= 1.0.2 VulnerabilitiesADV-2006-08391911516965 simplog-index-traverse-directories(25067)542Jason Boettcher Liero Xtreme 0.62b and earlier allow remote attackers to cause a denial of service (application crash or hang) via a long argument to the connect command.20060306 Multiple vulnerabilities in Liero Xtreme 0.62bADV-2006-08491907916992 liero-connect-dos(25185)Format string vulnerability in the visualization function in Jason Boettcher Liero Xtreme 0.62b and earlier allows remote attackers to execute arbitrary code via format string specifiers in (1) a nickname, (2) a dedicated server name, or (3) a mapname in a level (aka .lxl) file.20060306 Multiple vulnerabilities in Liero Xtreme 0.62bADV-2006-08491907916990 liero-visualization-format-string(25187)549SQL injection vulnerability in index.php, possibly during a showtopic operation, in Invision Power Board (IPB) 2.1.5 allows remote attackers to execute arbitrary SQL commands via the st parameter.20060306 SQL injection in Invision Power Board v2.1.51697120060405 Re: SQL injection in Invision Power Board v2.1.5 invision-index-sql-injection(25254)Multiple cross-site scripting (XSS) vulnerabilities in the commentary in Evo-Dev evoBlog allow remote attackers to inject arbitrary web script or HTML via (1) the name parameter and (2) other unspecified parameters.20060306 evoBlog Remote Name tag Script injection169832382620060423 Re: evoBlog Remote Name tag Script injection544Multiple buffer overflows in htpasswd, as used in Acme thttpd 2.25b, and possibly other products such as Apache, might allow local users to gain privileges via (1) a long command line argument and (2) a long line in a file. NOTE: since htpasswd is normally installed as a non-setuid program, and the exploit is through command line options, perhaps this issue should not be included in CVE. However, if there are some typical or recommended configurations that use htpasswd with sudo privileges, or common products that access htpasswd remotely, then perhaps it should be included.20060305 htpasswd bufferoverflow and command execution in thttpd-2.25b.[thttpd] 20060305 htpasswd.c security issues[thttpd] 20060305 Re: htpasswd.c security issues1697220041029 Re: local buffer overflow in htpasswd for apache 1.3.31 not fixed in .33?20040916 FlowSecurity.org: Local Stack Overflow on htpasswd apache 1.3.31 advsory.20041029 Apache 1.3.33 local buffer overflow in apache 1.3.31 not fixed in .33?20070102 Apache 1.3.37 htpasswd buffer overflow vulnerabilityapache-htpasswd-strcpy-bo(31236) thttpd-command-file-bo(25216)htpasswd, as used in Acme thttpd 2.25b and possibly other products such as Apache, might allow local users to gain privileges via shell metacharacters in a command line argument, which is used in a call to the system function. NOTE: since htpasswd is normally installed as a non-setuid program, and the exploit is through command line options, perhaps this issue should not be included in CVE. However, if there are some typical or recommended configurations that use htpasswd with sudo privileges, or common products that access htpasswd remotely, then perhaps it should be included.20060305 htpasswd bufferoverflow and command execution in thttpd-2.25b.[thttpd] 20060305 htpasswd.c security issues[thttpd] 20060305 Re: htpasswd.c security issues2382816972 thttpd-command-line-bo(25217)Cross-site scripting (XSS) vulnerability in login.php in Game-Panel 2.6.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the message parameter, possibly requiring a URL encoded value.20060304 Game-Panel <= 2.1.6 XSS16979ADV-2006-086419143 gamepanel-login-xss(25144)SQL injection vulnerability in forgotten_password.php in Jonathan Beckett PluggedOut Nexus 0.1 allows remote attackers to execute arbitrary SQL commands via the email parameter.20060302 PluggedOut Nexus SQL injectionADV-2006-080919089nexus-forgottenpassword-sql-injection(25017)101571516915536Multiple cross-site scripting (XSS) vulnerabilities in phpArcadeScript 2.0 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the gamename parameter in tellafriend.php, (2) the login_status parameter in loginbox.php, (3) the submissionstatus parameter in index.php, the (4) cell_title_background_color and (5) browse_cat_name parameters in browse.php, the (6) gamefile parameter in displaygame.php, and (7) possibly other parameters in unspecified PHP scripts.20060304 phpArcadeScript XSS Injections16957ADV-2006-082119124533Multiple directory traversal vulnerabilities in PHP-Stats 0.1.9.1 and earlier allow remote attackers to read and possibly execute arbitrary files via a .. (dot dot) in the (1) option[language] and (2) option[template] parameters, and (3) possibly other parameters, to (a) admin.php and (b) other unspecified scripts. NOTE: the admin.php/option[language] vector can be used by remote unauthenticated attackers to include arbitrary files in conjunction with CVE-2006-1085.20060304 PHP-Stats <= 0.1.9.1 remote commands execution16963ADV-2006-08221911620060322 Re: PHP-Stats <= 0.1.9.1 remote commands execution20060327 Re: PHP-Stats <= 0.1.9.1 remote commands executionMultiple SQL injection vulnerabilities in PHP-Stats 0.1.9.1 and earlier allow remote attackers to execute arbitrary SQL commands via (1) the option[prefix] parameter in admin.php and other unspecified PHP scripts, and (2) the PC_REMOTE_ADDR HTTP header to click.php.20060304 PHP-Stats <= 0.1.9.1 remote commands execution16963ADV-2006-08221911620060322 Re: PHP-Stats <= 0.1.9.1 remote commands execution20060327 Re: PHP-Stats <= 0.1.9.1 remote commands executionadmin.php in PHP-Stats 0.1.9.1 and earlier allows remote attackers to bypass authentication, gain administrator privileges, and execute arbitrary PHP code by modifying the option[admin_pass] parameter and setting the pass_cookie to the MD5 hash of the specified password.20060304 PHP-Stats <= 0.1.9.1 remote commands execution16963ADV-2006-08221911620060322 Re: PHP-Stats <= 0.1.9.1 remote commands execution20060327 Re: PHP-Stats <= 0.1.9.1 remote commands execution** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2006-1083. Reason: This candidate is a duplicate of CVE-2006-1083. Notes: All CVE users should reference CVE-2006-1083 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.Direct static code injection vulnerability in the modify_config action in admin.php for PHP-Stats 0.1.9.1 and earlier allows remote authenticated administrators to execute arbitrary PHP code via the option_new[compatibility_mode] parameter, which is not filtered before being stored in config.php. NOTE: this vulnerability can be exploited by remote unauthenticated attackers in conjunction with the option[admin_pass] authentication bypass vulnerability.20060304 PHP-Stats <= 0.1.9.1 remote commands execution16963ADV-2006-08221911620060322 Re: PHP-Stats <= 0.1.9.1 remote commands execution20060327 Re: PHP-Stats <= 0.1.9.1 remote commands executionPHP-Stats 0.1.9.1 and earlier allows remote attackers to obtain potentially sensitive information via a direct request to checktables.php, which lists the database table_prefix.20060304 PHP-Stats <= 0.1.9.1 remote commands execution16963ADV-2006-08221911620060322 Re: PHP-Stats <= 0.1.9.1 remote commands execution20060327 Re: PHP-Stats <= 0.1.9.1 remote commands executionCross-site scripting (XSS) vulnerability in header.php in PunBB 1.2.10 allows remote attackers to inject arbitrary web script or HTML via the URL, which is not properly handled when the PHP_SELF variable is used to handle a pun_page tag.changelog 1.2.10_to_1.2.11.txtpatch/punbb-1.2.10_to_1.2.11.patch19039ADV-2006-077316891 punbb-header-xss(24982)register.php in PunBB 1.2.10 allows remote attackers to cause an unspecified denial of service via a flood of new user registrations.This vulnerability affects PunBB version 1.2.10, and may affect all previous versions.changelogs/1.2.10_to_1.2.11.txtpunbb-1.2.10_to_1.2.11.patchADV-2006-0773 punbb-register-ip-dos(24837)Kaspersky Antivirus 5.0.5 and 5.5.3 allows remote attackers to cause a denial of service (CPU and memory consumption) via unknown attack vectors.20060303 Kaspersky Memory/CPU Usage Leak by design16942 kaspersky-unspecified-dos(25221)535Unspecified vulnerability in the pagedata subsystem of the process file system (/proc) in Solaris 8 through 10 allows local users to cause a denial of service (system hang or panic) via unknown attack vectors that cause cause the kmem_oversize arena to allocate a large amount of system memory that does not get freed.This vulnerability affects all versions of Sun, Solaris 8.x through 10.x10215916966ADV-2006-0829101572319128 19716 solaris-proc-pagedata-dos(25152)oval:org.mitre.oval:def:1618Unspecified vulnerability in IBM WebSphere 5.0.2.10 through 5.0.2.15 and 5.1.1.4 through 5.1.1.9 allows remote attackers to obtain sensitive information via unknown attack vectors, which causes JSP source code to be revealed.1015716ADV-2006-078816908SQL injection vulnerability in Datenbank MOD 2.7 and earlier for Woltlab Burning Board allows remote attackers to execute arbitrary SQL commands via the fileid parameter to (1) info_db.php or (2) database.php.20060301 Woltlab Burning Board 2.x (Datenbank MOD fileid) MultipleVulnerabilities169142380823810Directory traversal vulnerability in the FileSession object in Mod_python module 3.2.7 for Apache allows local users to execute arbitrary code via a crafted session cookie.16916ADV-2006-0768modpython-filesession-command-execution(24965)101576419239** DISPUTED ** Cross-site scripting (XSS) vulnerability in index.php in NZ Ecommerce allows remote attackers to inject arbitrary web script or HTML via the action parameter. NOTE: the vendor has disputed this issue in a comment on the researcher's blog, but research by CVE suggests that this might be a legitimate problem.This vulnerability most likely affects all versions of Digital Builder, NZ Ecommerce.nz-ecommerce-sqlxss-vuln16931ADV-2006-08032360019088Multiple cross-site scripting (XSS) vulnerabilities in Datenbank MOD 2.7 and earlier for Woltlab Burning Board allow remote attackers to inject arbitrary web script or HTML via the fileid parameter to (1) info_db.php or (2) database.php.This vulnerability may only affect Datenbank MOD 2.7 and earlier versions in a Woltlab Burning Board environment. 20060301 Woltlab Burning Board 2.x (Datenbank MOD fileid) MultipleVulnerabilities2380923811 20060301 Woltlab Burning Board 2.x (Datenbank MOD fileid) MultipleVulnerabilities wbb-multiple-xss(25004)** DISPUTED ** Multiple SQL injection vulnerabilities in NZ Ecommerce allow remote attackers execute arbitrary SQL commands via the (1) informationID or (2) ParentCategory parameter to index.php. NOTE: the vendor has disputed this issue in a comment on the researcher's blog, but research by CVE suggests that this might be a legitimate problem.16931ADV-2006-08032360119088PHP remote file include vulnerability in logIT 1.3 and 1.4 allows remote attackers to execute arbitrary PHP code via a URL in the pg parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.16932Buffer overflow in the sgetstr function in shared/cube.h in Sauerbraten 2006_02_28 and earlier, as derived from the Cube engine, allows remote attackers to execute arbitrary code via long streams of input data.20060306 Multiple vulnerabilities in Sauerbraten engine 2006_02_2820060306 Multiple vulnerabilities in Cube engine 2005_08_2916986ADV-2006-0848ADV-2006-08471911019111sauerbraten-sgetstr-bo(25083)GLSA-200603-1019199The (1) sgetstr and (2) getint functions in Sauerbraten 2006_02_28, as derived from the Cube engine, allow remote attackers to cause a denial of service (segmentation fault) via long streams of input data that trigger an out-of-bounds read, as demonstrated using SV_EXT tag data in the Cube engine, which is not properly handled by getint.20060306 Multiple vulnerabilities in Sauerbraten engine 2006_02_2820060306 Multiple vulnerabilities in Cube engine 2005_08_2916986ADV-2006-0848ADV-2006-08471911019111sauerbraten-multiple-dos(25085)GLSA-200603-1019199Sauerbraten 2006_02_28, as derived from the Cube engine, allows remote attackers to cause a denial of service (client exit) by forcing the server to change to a map (ogz) file whose name contains ".." sequences and has a certain length that prevents the addition of the ".ogz" extension.20060306 Multiple vulnerabilities in Sauerbraten engine 2006_02_2820060306 Multiple vulnerabilities in Cube engine 2005_08_2916986ADV-2006-0848ADV-2006-08471911019111GLSA-200603-1019199 sauerbraten-sprintf-dos(25086)548engine/server.cpp in Sauerbraten 2006_02_28, as derived from the Cube engine, allows remote attackers to cause a denial of service (segmentation fault) via a client that does not completely join the game and times out, which results in a null pointer dereference.20060306 Multiple vulnerabilities in Sauerbraten engine 2006_02_2816986ADV-2006-0848sauerbraten-engineserver-dos(25087)550Multiple SQL injection vulnerabilities in Pixelpost 1.5 beta 1 and earlier allow remote attackers to execute arbitrary SQL commands via (1) the showimage parameter in index.php; and the (2) USER_AGENT, (3) HTTP_REFERER, and (4) HTTP_HOST HTTP header fields as used in the book_vistor function in includes/functions.php. NOTE: the vendor has disputed some issues from the original disclosure, but due to the vagueness of the dispute, it is not clear whether the vendor is disputing this particular issue.These vulnerabilities may affect all versions of Pixelpost.20060304 Pixel Post Multiple VulnerabilitiesPixel Post <=1.4.3 Multiple Vulnerabilities<=1.4.3, 1.5 beta 1 Multiple Vulnerabilities 16964ADV-2006-0823pixelpost-functions-sql-injection(25046)pixelpost-index-sql-injection(25044)Pixelpost 1.5 beta 1 and earlier allows remote attackers to obtain configuration information via a direct request to includes/phpinfo.php, which calls the phpinfo function. NOTE: the vendor has disputed some issues from the original disclosure, but due to the vagueness of the dispute, it is not clear whether the vendor is disputing this particular issue.This vulnerability may affect all versions of Pixelpost.20060304 Pixel Post Multiple VulnerabilitiesPixel Post <=1.4.3 Multiple Vulnerabilities<=1.4.3, 1.5 beta 1 Multiple Vulnerabilities 16964ADV-2006-0823pixelpost-phpinfo-obtain-information(25048)Cross-site scripting (XSS) vulnerability in Pixelpost 1.5 beta 1 and earlier allows remote attackers to inject arbitrary web script or HTML via the (1) message, (2) name, (3) url, and (4) email parameters when commenting on a post. NOTE: the vendor has disputed some issues from the original disclosure, but due to the vagueness of the dispute, it is not clear whether the vendor is disputing this particular issue.20060304 Pixel Post Multiple Vulnerabilities16964ADV-2006-0823pixelpost-functions-xss(25047)Cross-site scripting (XSS) vulnerability in news.php in NMDeluxe before 1.0.1 allows remote attackers to inject arbitrary web script or HTML via the nick parameter.This vulnerability affects NMDeluxe versions 1.0 and previous. NMDeluxe XSS & SQL Injection VulnerabilitiesN/AADV-2006-086019117nmdeluxe-news-xss(25069)20060317 [eVuln] NMDeluxe XSS & SQL Injection Vulnerabilities17017595SQL injection vulnerability in news.php in NMDeluxe before 1.0.1 allows remote attackers to execute arbitrary SQL commands via the id parameter.This vulnerability affcts NMDeluxe versions 1.0 and previous.NMDeluxe XSS & SQL Injection VulnerabilitiesN/AADV-2006-086019117nmdeluxe-news-sql-injection(25070)20060317 [eVuln] NMDeluxe XSS & SQL Injection Vulnerabilities17017595SQL injection vulnerability in index.asp in Total Ecommerce 1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter. NOTE: it is not clear whether this report is associated with a specific product. If not, then it should not be included in CVE.20060304 Advisory: TotalECommerce (index.asp id) Remote SQL InjectionVulnerability.ADV-2006-08401910316960totalecommerce-index-sql-injection(25045)530Cross-site scripting (XSS) vulnerability in Aztek Forum 4.0 allows remote attackers to inject arbitrary web script or HTML via the message body in a new message.20060302 AZTEK forums 4.0 multiple vulnerabilities (PoC)AZTEK forums 4.0 multiple vulnerabilities (PoC)169382361019096 1547 aztekforum-multiple-xss(25035)Aztek Forum 4.0 allows remote attackers to obtain sensitive information via a "*/*" in the msg parameter to index.php, which reveals usernames and passwords in a MySQL error message, possibly due to a forced SQL error or SQL injection.20060302 AZTEK forums 4.0 multiple vulnerabilities (PoC)AZTEK forums 4.0 multiple vulnerabilities (PoC)1693823611 1547 aztekforum-info-disclosure(25036)Aztek Forum 4.0 allows remote attackers to obtain sensitive information via a long login value in a register form, which displays the installation path in a MySQL error message.20060302 AZTEK forums 4.0 multiple vulnerabilities (PoC)AZTEK forums 4.0 multiple vulnerabilities (PoC)1693823612 1547539SQL injection vulnerability in podcast.php in Loudblog before 0.42 allows remote attackers to execute arbitrary SQL commands via the id parameter.This vulnerability affects Loudblog versions 0.41 and previous.20060307 Loudblog 0.41 SQL Injection, Local file read/includeLoudblog ForumADV-2006-08781917217023 loudblog-podcast-sql-injection(25101)Multiple directory traversal vulnerabilities in Loudblog before 0.42 allow remote attackers to read or include arbitrary files via a .. (dot dot) and trailing %00 (NULL) byte in the (1) template and (2) page parameters in (a) index.php, and the (3) language parameter in (b) inc/backend_settings.php.This vulnerability affects Loudblog versions 0.41 and previous.20060307 Loudblog 0.41 SQL Injection, Local file read/includeLoudblog forumADV-2006-08781917217023 loudblog-index-directory-traversal(25103)nCipher HSM before 2.22.6, when generating a Diffie-Hellman public/private key pair without any specified DiscreteLogGroup parameters, chooses random parameters that could allow an attacker to crack the private key in significantly less time than a brute force attack.SA#12: Insecure Generation of Diffie-Hellman keys17006ADV-2006-0862101571919137ncipher-hsm-weak-key(25060)20060308 nCipher Advisory #12: Insecure Generation of Diffie-Hellman keysThe CBC-MAC integrity functions in the nCipher nCore API before 2.18 transmit the initialization vector IV as part of a message when the implementation uses a non-zero IV, which allows remote attackers to bypass integrity checks and modify messages without being detected.SA#13: CBC-MAC IV misleading programming interface17011ADV-2006-0862101571819137ncipher-ncore-bypass-security(25062)20060308 nCipher Advisory #13: CBC-MAC IV misleading programming interfacenCipher firmware before V10, as used by (1) nShield, (2) nForce, (3) netHSM, (4) payShield, (5) SecureDB, (6) DSE200 Document Sealing Engine, (7) Time Source Master Clock (TSMC), and possibly other products, contains certain options that were only intended for testing and not production, which might allow remote attackers to obtain information about encryption keys and crack those keys with less effort than brute force.SA#14: Presence of flaws in firmware security17012ADV-2006-0862101571819137ncipher-firmware-weak-security(25063)20060309 nCipher Advisory #14: Presence of flaws in firmware securitySQL injection vulnerability in bmail before Aardvark PR9.1 allows remote attackers to execute arbitrary SQL commands via unspecified vectors involving GBK character sets.Release Name: PR9.1ADV-2006-086319147bmail-gbkcharacterset-sql-injection(25073)fantastico in Cpanel does not properly handle when it has insufficient permissions to perform certain file operations, which allows remote authenticated users to obtain the full pathname, which is leaked in a PHP error message.20060307 Cpanel Path Disclosure Vulnerability cpanel-fantastico-path-disclosure(25277)Multiple cross-site scripting (XSS) vulnerabilities in DCP-Portal 6.1.1 and earlier, with register_globals enabled, allow remote attackers to inject arbitrary web script or HTML via the (1) its_url parameter in the documents page and (2) url parameter in the send_write page of (a) index.php; (3) subject, and (4) images parameters to (b) calendar.php; (5) bid, (6) replying_msg, (7) subject, (8) body, and (9) mid parameters to (c) forums.php; (10) subject and (11) message parameters to (d) inbox.php; (12) subject_color and (13) email parameters to (e) lostpassword.php; and the (14) c_name, (15) content_inicial, and (16) cid parameters to (f) mycontents.php. NOTE: the calendar.php/day vector is already subsumed by CVE-2006-0220, and the calendar.php/month, calendar.php/year, and search.php/q parameters for calendar.php are already subsumed by CVE-2004-2511.20060309 DCP Portal: Multiple XSS VulnerabilitiesDCP Portal: Multiple XSS Vulnerabilities17050239762397723978239792398023981 dcpportal-multiple-scripts-xss(25279)392Cross-site scripting (XSS) vulnerability in CuteNews 1.4.1 allows remote attackers to inject arbitrary web script or HTML via the query string to index.php.BUGTRAQ:20060304 [KAPDA::#30] - CuteNews1.4.1 Cross_Site_Scripting Vulnerabilityadvisory-277169611015726 cutenews-index-script-xss(25052)531Cross-site scripting (XSS) vulnerability in Default.asp in D2KBlog 1.0.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the msg parameter.20060308 [KAPDA::#32] - d2kBlog 1.0.3 Multiple VulnerabilitiesADV-2006-0896191771703523771d2kblog-default-msg-xss(25214)559SQL injection vulnerability in D2KBlog 1.0.3 and earlier allows remote attackers to execute arbitrary SQL commands via the memName parameter in a cookie.20060308 [KAPDA::#32] - d2kBlog 1.0.3 Multiple VulnerabilitiesADV-2006-0896191771703523770d2kblog-memname-sql-injection(25215)559Buffer overflow in RevilloC MailServer and Proxy 1.21 allows remote attackers to execute arbitrary code via a long USER command.20060307 RevilloC mail server USER command heap overflowN/A20060309 RevilloC MailServer 1.x 'USER' Command Handling Remote Buffer Overflow Exploit16997ADV-2006-086719119revilloc-user-bo(25072)237351015739Grisoft AVG Free 7.1, and other versions including 7.0.308, sets Everyone/Full Control permissions for certain update files including (1) upd_vers.cfg, (2) incavi.avm, and (3) unspecified drivers, which might allow local users to gain privileges.remark,1560140416952ADV-2006-0845101572819118 20060303 AVG 7 granting Everyone Full Control to updated files... even its drivers avg-update-gain-privilieges(25139)Gallery 2 up to 2.0.2 allows remote attackers to spoof their IP address via a modified X-Forwarded-For (X_FORWARDED_FOR) HTTP header, which is checked by Gallery before other more reliable sources of IP address information, such as REMOTE_ADDR.20060303 Gallery 2 Multiple VulnerabilitiesGallery 2 Multiple Vulnerabilities101571719104ADV-2006-0813 gallery-header-spoofing(25120)Cross-site scripting (XSS) vulnerability in Gallery 2 up to 2.0.2 allows remote attackers to inject arbitrary web script or HTML via the X-Forwarded-For (X_FORWARDED_FOR) HTTP header, which is not properly handled when adding a comment to an album.20060303 Gallery 2 Multiple Vulnerabilities1694023596101571719104ADV-2006-0813 gallery-getremotehostaddress-xss(25117)Directory traversal vulnerability in the session handling class (GallerySession.class) in Gallery 2 up to 2.0.2 allows remote attackers to access and delete files by specifying the session in a cookie, which is used in constructing file paths before the session value is sanitized.20060303 Gallery 2 Multiple Vulnerabilities23597101571719104ADV-2006-0813 16948 gallery-sessionid-bypass-security(25118)SQL injection vulnerability in config.php in EKINboard 1.0.3 allows remote attackers to execute arbitrary SQL commands and bypass authentication via the username cookie.16861ADV-2006-07582354719045ekinboard-config-sql-injection(24922)20060308 [eVuln] EKINboard 'img' BBCode XSS & Cookie 'username' SQL Injection VulnerabilitiesCross-site scripting (XSS) vulnerability in EKINboard 1.0.3 allows remote attackers to inject arbitrary web script or HTML via a Javascript URI in a BBCode img tag.16861ADV-2006-07582354619045ekinboard-bbcode-xss(24921)20060308 [eVuln] EKINboard 'img' BBCode XSS & Cookie 'username' SQL Injection Vulnerabilities558Cross-site scripting (XSS) vulnerability in read.php in bitweaver CMS 1.2.1 allows remote attackers to inject arbitrary web script or HTML via the comment_title parameter.ADV-2006-08371910116973 bitweaver-titlefield-xss(25053)SQL injection vulnerability in show.php in vbzoom 1.11 allow remote attackers to execute arbitrary SQL commands via the MainID parameter. NOTE: the SubjectID vector is already covered by CVE-2005-4729.20060306 SQL injection & XSS IN vbzoom v1.1116955552Multiple cross-site scripting (XSS) vulnerabilities in vbzoom 1.11 allow remote attackers to inject arbitrary web script or HTML via the UserID parameter to (1) comment.php or (2) contact.php. NOTE: the profile.php/UserName vector is already covered by CVE-2005-2441.20060306 SQL injection & XSS IN vbzoom v1.1123812238131695616969 vbzoom-comment-contact-xss(25090)552SQL injection vulnerability in CyBoards PHP Lite 1.25, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the parent parameter to (1) post.php and possibly (2) process_post.php.ADV-2006-082023692191351710720060314 [eVuln] CyBoards PHP Lite SQL Injection Vulnerability16987 cyboards-processpost-sql-injection(25061)582Multiple cross-site scripting (XSS) vulnerabilities in sBlog 0.7.2 allow remote attackers to inject arbitrary web script or HTML via the (1) keyword parameter to search.php or (2) username parameter to comments_do.php.ADV-2006-088319151170442375923760sblog-username-xss(25111)Buffer overflow in the PostScript file interpreter code for Xerox CopyCentre and Xerox WorkCentre Pro, running software 1.001.02.073 or earlier, or 1.001.02.074 before 1.001.02.715, allows attackers to cause a denial of service via unknown vectors.ADV-2006-08572372410157381914617014 xerox-postscript-interpreter-dos(25172)Multiple unspecified vulnerabilities in Xerox CopyCentre and Xerox WorkCentre Pro, running software 1.001.02.073 or earlier, or 1.001.02.074 before 1.001.02.715, allow remote attackers to cause an unspecified denial of service via a crafted PostScript file that will (1) "navigate through the directory" or (2) a "file sent to expose TCP/IP ports".ADV-2006-0857237252372610157381914617014 xerox-postscript-navigate-dos(25173) xerox-postscript-tcpip-dos(25174)Unspecified vulnerability in the web server code in Xerox CopyCentre and Xerox WorkCentre Pro, running software 1.001.02.073 or earlier, or 1.001.02.074 before 1.001.02.715, allows remote attackers to cause a denial of service (memory corruption) via unknown vectors.ADV-2006-08572372710157381914617014 xerox-web-corruption-dos(25175)Unspecified vulnerability in the ESS/ Network Controller in Xerox CopyCentre and Xerox WorkCentre Pro, running software 1.001.02.073 or earlier, or 1.001.02.074 before 1.001.02.715, causes the Immediate Image Overwrite feature to fail after a power loss, which could leave data exposed to attack.ADV-2006-085723728101573819146 xerox-image-overwrite-dos(25176)SQL injection vulnerability in rss.php in RedBLoG 0.5 allows remote attackers to execute arbitrary SQL commands via the cat_id parameter.ADV-2006-08941918117041redblog-catid-sql-injection(25122)Buffer overflow in qmailadmin.c in QmailAdmin before 1.2.10 allows remote attackers to execute arbitrary code via a long PATH_INFO environment variable.16994ADV-2006-0852qmialadmin-qmailadmin-bo(25065)2370519262GLSA-200611-1523019Unspecified vulnerability in Ravenous Web Server before 0.7.1 allows remote attackers to access arbitrary rvplg files, with unknown impact.ADV-2006-08591701323706 ravenous-rvplg-unauth-access(25191)Cross-site scripting (XSS) vulnerability in FTPoed Blog Engine 1.1 allows remote attackers to inject arbitrary web script or HTML via the comment_body parameter, as used by the comment field, when posting a comment.20060305 FTPoed Blog Engine =>v1.1 HTML Injection Vulnerability1015725 ftpoed-comment-xss(25138)Cross-site scripting (XSS) vulnerability in HitHost 1.0.0 allows remote attackers to inject arbitrary web script or HTML via (1) the user parameter in deleteuser.php and (2) the hits parameter in viewuser.php.20060306 histhost v1.0.0 xss and possible rmdirADV-2006-0886191552375723758hithost-viewuser-deleteuser-xss(25105)17025Format string vulnerability in the safe_cprintf function in acebot_cmds.c in Alien Arena 2006 Gold Edition 5.00 allows remote attackers (possibly authenticated) to execute arbitrary code via unspecified vectors when the server sends crafted messages to the clients.20060307 Multiple vulnerabilities in Alien Arena 2006 GE 5.00ADV-2006-0882191441702823747 20060307 Multiple vulnerabilities in Alien Arena 2006 GE 5.00 alien-safe-cprintf-format-string(25199)Stack-based buffer overflow in the Cmd_Say_f function in g_cmds.c in Alien Arena 2006 Gold Edition 5.00 allows remote attackers (possibly authenticated) to execute arbitrary code by sending a long message to the server.20060307 Multiple vulnerabilities in Alien Arena 2006 GE 5.00ADV-2006-0882191441702823748 20060307 Multiple vulnerabilities in Alien Arena 2006 GE 5.00 alien-cmd-sa-f-bo(25200)The Com_sprintf function in q_shared.c in Alien Arena 2006 Gold Edition 5.00 does not properly NULL terminate certain long strings, which allows remote attackers (possibly authenticated) to cause a denial of service (application crash) via a long skin, weapon, or model name.20060307 Multiple vulnerabilities in Alien Arena 2006 GE 5.00ADV-2006-0882191441702823749 20060307 Multiple vulnerabilities in Alien Arena 2006 GE 5.00 alien-com-sprintf-dos(25201)Multiple stack-based buffer overflows in the procConnectArgs function in servmgr.cpp in PeerCast before 0.1217 allow remote attackers to execute arbitrary code via an HTTP GET request with a long (1) parameter name or (2) value in a URL, which triggers the overflow in the nextCGIarg function in servhs.cpp.20060309 INFIGO-2006-03-01: PeerCast streaming server remote buffer overflow17040GLSA-200603-17ADV-2006-09002377719169peercast-url-bo(25113)19291PHP remote file inclusion vulnerability in lib/OWL_API.php in OWL Intranet Engine 0.82, when register_globals is enabled, allows remote attackers to include arbitrary files via a URL in the xrms_file_root parameter, which is not initialized before use.N/AADV-2006-08682373419142owl-intranet-owlapi-file-include(25082)17021Buffer overflow in Tenes Empanadas Graciela (TEG) 0.11.1, automatically appends an _ (underscore) to the end of duplicate nicknames, which allows remote attackers to cause a denial of service (application crash) by creating multiple users with long, identical nicknames, which triggers an off-by-one error.Tenes Empanadas Graciela (TEG)16982ADV-2006-084619134 teg-nickname-offbyone-dos(25165)Cross-site scripting vulnerability in index.php in M-Phorum 0.2 allows remote attackers to inject arbitrary web script or HTML via the go parameter.20060309 M-Phorum Cross Site Scripting1912123951 mphorum-index-xss(25312)20070821 Vulnerabilities digest25394PHP remote file inclusion vulnerability in index.php in M-Phorum 0.2 allows remote attackers to include arbitrary files via the go parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.16977ADV-2006-08271912123740 mphorum-index-file-include(25102)SQL injection vulnerability in D2-Shoutbox 4.2 allows remote attackers to execute arbitrary SQL commands via the load parameter, when performing a Shoutbox action through Invision Power Board (IPB).D2-Shoutbox 4.2(IPB Mod)<=SQL injection16984ADV-2006-086519132d2shoutbox-index-sql-injection(25074)PHP remote file inclusion vulnerability in archive.php in Fantastic News 2.1.2 allows remote attackers to include arbitrary files via the CONFIG[script_path] variable. NOTE: 2.1.4 was also reported to be vulnerable.16985ADV-2006-0826fantasticnews-archive-file-include(25064)ADV-2006-35132180723519fantasticnews-configscriptpath-file-include(31121)21796Cross-site scripting (XSS) vulnerability in manas tungare Site Membership Script before 8 March, 2006 allows remote attackers to inject arbitrary web script or HTML via the Error parameter in (1) login.asp and (2) default.asp.N/AADV-2006-088419156170452375323754manas-tungare-login-default-xss(25109)SQL injection vulnerability in manas tungare Site Membership Script before 8 March, 2006 allows remote attackers to execute arbitrary SQL commands via the Username parameter in login.asp.N/AADV-2006-0884191561704523755manas-tungare-login-sql-injection(25110)Cross-site scripting (XSS) vulnerability in Vz Scripts ADP Forum 2.0.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the Subject field (possibly messaggio parameter) when posting a new message in post.php.20060309 ADP Forum 2.0,* script &#304;njectionADP Forum 2.0,* script &#xdd;njectionADV-2006-09011704723961 adp-forum-subject-xss(25189)Kerio MailServer before 6.1.3 Patch 1 allows remote attackers to cause a denial of service (application crash) via a crafted IMAP LOGIN command.N/AADV-2006-08981915020060313 Kerio MailServer bugfun17043237721015748kerio-mailserver-imap-dos(25150)Format string vulnerability in Easy File Sharing (EFS) Web Server 3.2 allows remote attackers to cause a denial of service (server crash) and possibly execute arbitrary code via format string specifiers in the query string argument in an HTTP GET request.20060309 Easy File Sharing Web Server Multiple Vulnerablilities1917817046ADV-2006-091223792easyfilesharing-logging-dos(25135)Cross-site scripting (XSS) vulnerability in Easy File Sharing (EFS) Web Server 3.2 allows remote attackers to inject arbitrary web script or HTML via the Description field in creating a folder or uploading a file.20060309 Easy File Sharing Web Server Multiple Vulnerablilities1917817046ADV-2006-091223793easyfilesharing-description-xss(25136)Absolute path traversal vulnerability in Easy File Sharing (EFS) Web Server 3.2 allows remote registered users to execute arbitrary code by uploading a malicious file to the Windows startup folder.20060309 Easy File Sharing Web Server Multiple Vulnerablilities1704623791easyfilesharing-startup-file-upload(39994)Directory traversal vulnerability in Nodez 4.6.1.1 and earlier allows remote attackers to read or include arbitrary PHP files via a .. (dot dot) in the op parameter, as demonstrated by inserting malicious Email parameters into list.gtdat, then accessing list.gtdat using the op parameter.Local File InclusionADV-2006-08991916517066237741015747nodez-op-file-include(25119)Cross-site scripting (XSS) vulnerability in Nodez 4.6.1.1 allows remote attackers to inject arbitrary web script or HTML via the op parameter. NOTE: it is possible that this issue is resultant from the directory traversal vulnerability.PHP Code Injection ADV-2006-08991916517066237761015747nodez-op-xss(25121)Nodez 4.6.1.1 and earlier stores sensitive data in the list.gtdat file under the web document root with insufficient access control, which allows remote attackers to obtain usernames and password hashes by directly accessing list.gtdat.N/A1706623775Cross-site scripting (XSS) vulnerability in the mediamanager module in DokuWiki before 2006-03-05 allows remote attackers to inject arbitrary web script or HTML via unknown attack vectors relating to "handling EXIF data."Release 2006-03-05ADV-2006-09091918617065dokuwiki-mediamanger-xss(25137)Monotone 0.25 and earlier, when a user creates a file in a directory called "mt", and when checking out that file on a case-insensitive file system such as Windows or Mac OS X, places the file into the "MT" bookkeeping directory, which could allow context-dependent attackers to execute arbitrary Lua programs as the user running monotone.[Monotone-devel] 20060308 [ANNOUNCE] Monotone 0.25.2 -- security fix release17139ADV-2006-099019260 monotone-mt-lua-code-execution(25294)SGI ProPack 3 SP6 kernel displays the frame buffer contents of the last session after a reboot, which might allow local users to obtain sensitive information.20060402-01-U24571 19607The decompress function in compress42.c in (1) ncompress 4.2.4 and (2) liblzw allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code, via crafted data that leads to a buffer underflow.DSA-1149MDKSA-2006:140ADV-2006-3234214272143421437SUSE-SR:2006:020ncompress-decompress-underflow(28315)RHSA-2006:06631945510168362188020060901-01-P22036GLSA-200610-032229622377 21467MDKSA-2006:140Stack-based buffer overflow in the createPKCS10 function in Cryptomathic Cenroll ActiveX Control 1.1.0.0 allows remote attackers to execute arbitrary code via vectors related to the TDC Digital signature.20060505 Cryptomathic ActiveX Buffer Overflow (TDC Digital signature)17852ADV-2006-167525282101603419968 cryptomathic-primeink-createpkcs10-bo(26255)Sendmail before 8.13.7 allows remote attackers to cause a denial of service via deeply nested, malformed multipart MIME messages that exhaust the stack during the recursive mime8to7 function for performing 8-bit to 7-bit conversion, which prevents Sendmail from delivering queued messages and might lead to disk consumption by core dump files.HPSBTU02116VU#14671820473ADV-2006-2189RHSA-2006:051510246018433101629515779IY85415IY85930FreeBSD-SA-06:17.sendmailGLSA-200606-19MDKSA-2006:104[3.8] 008: SECURITY FIX: June 15, 200620060601-01-PSSA:2006-166-01SUSE-SA:2006:032ADV-2006-2351ADV-2006-2388ADV-2006-2389ADV-2006-23902064120650206512065420673206752067920683206842069420060620 Sendmail MIME DoS vulnerability20060621 Re: Sendmail MIME DoS vulnerability20060602-01-U207262078220060624 Re: Sendmail MIME DoS vulnerabilityADV-2006-27982104220060721 rPSA-2006-0134-1 sendmail sendmail-cf21160HPSBUX02124ADV-2006-313521327DSA-1155216122619721647 sendmail-multipart-mime-dos(27128)MDKSA-2006:104useradd in shadow-utils before 4.0.3, and possibly other versions before 4.0.8, does not provide a required argument to the open function when creating a new user mailbox, which causes the mailbox to be created with unpredictable permissions and possibly allows attackers to read or modify the mailbox.MDKSA-2006:09018111ADV-2006-200620370GLSA-200606-0220506 shadow-utils-useradd-file-permission(26958) RHSA-2007:0276 25098 20070511 rPSA-2007-0096-1 shadow 2526720070920 VMSA-2007-0006 Critical security updates for all supported versions of VMware ESX Server, VMware Server, VMware Workstation, VMware ACE, and VMware PlayerMDKSA-2006:090RHSA-2007:043120070602-01-PADV-2007-322910182212562925894258962690927706VU#312692The WeOnlyDo! SFTP (wodSFTP) ActiveX control is marked as safe for scripting, which allows remote attackers to read and write files in arbitrary locations by accessing the control from a web page.VU#37860418192ADV-2006-206420361 wodsftp-activex-unauth-access(26752)Buffer overflow in eBay Enhanced Picture Services (aka EPUImageControl Class) in EUPWALcontrol.dll before 1.0.3.48, as used in Sell Your Item (SYI), Setup & Test eBay Enhanced Picture Services, Picture Manager Enhanced Uploader, and CARad.com Add Vehicle, allows remote attackers to execute arbitrary code via a crafted HTML document.VU#597721ADV-2006-2698101644520969ebay-epuimagecontrol-bo(27631)18921Tamarack MMSd before 7.992 allows remote attackers to cause a denial of service (crash) via malformed RFC1006 (OSI over TCP/IP) packets.VU#372878tamarack-mmsd-packet-dos(28053)19202ADV-2006-30801016734Adobe Graphics Server 2.0 and 2.1 (formerly AlterCast) and Adobe Document Server (ADS) 5.0 and 6.0 allows local users to read files with certain extensions or overwrite arbitrary files and execute code via a crafted SOAP request to the AlterCast web service in which the request uses the (1) saveContent or (2) saveOptimized ADS commands, or the (3) loadContent command.20060315 Secunia Research: Adobe Document/Graphics Server File URI ResourceAccessAdobe Graphics Server and Adobe Document Server configuration security vulnerability 17113101576919229ADV-2006-09561015768adobe-unauth-command-access(25247)23924588The Ubuntu 5.10 installer does not properly clear passwords from the installer log file (questions.dat), and leaves the log file with world-readable permissions, which allows local users to gain privileges.USN-262-1Bug #34606 in shadow (Ubuntu)170861015761ADV-2006-09272386819200ubuntu-installer-password-disclosure(25170)Microsoft Distributed Transaction Coordinator (MSDTC) for Windows NT 4.0, 2000 SP4, XP SP1 and SP2, and Server 2003 allows remote attackers to cause a denial of service (crash) via a BuildContextW request with a large (1) UuidString or (2) GuidIn of a certain length, which causes an out-of-range memory access, aka the MSDTC Denial of Service Vulnerability. NOTE: this is a variant of CVE-2005-2119.20060509 [EEYEB20051011B] - Microsoft Distributed Transaction Coordinator Denial of ServiceMS06-01817905ADV-2006-174220000253361016047oval:org.mitre.oval:def:1295oval:org.mitre.oval:def:1779oval:org.mitre.oval:def:1912oval:org.mitre.oval:def:1990 msdtc-message-dos(25558)864Unspecified vulnerability in Microsoft Internet Explorer 5.01 through 6 allows remote attackers to execute arbitrary code via certain invalid HTML that causes memory corruption.MS06-013VU#503124TA06-101AADV-2006-131818957174501015900oval:org.mitre.oval:def:1677oval:org.mitre.oval:def:1711oval:org.mitre.oval:def:787 ie-html-execute-code(25542)Microsoft Internet Explorer 5.01 through 6 allows remote attackers to execute arbitrary code via by instantiating the (1) Mdt2gddr.dll, (2) Mdt2dd.dll, and (3) Mdt2gddo.dll COM objects as ActiveX controls, which leads to memory corruption.MS06-013TA06-101A17453ADV-2006-1318189571015900oval:org.mitre.oval:def:1446oval:org.mitre.oval:def:1589oval:org.mitre.oval:def:1651oval:org.mitre.oval:def:1704oval:org.mitre.oval:def:791 VU#959049 ie-com-activex-execute-code(25545)Microsoft Internet Explorer 5.01 through 6 allows remote attackers to execute arbitrary code via HTML elements with a certain crafted tag, which leads to memory corruption.MS06-013VU#824324TA06-101AADV-2006-1318189571015900oval:org.mitre.oval:def:1144oval:org.mitre.oval:def:1290oval:org.mitre.oval:def:1296oval:org.mitre.oval:def:1773 20060525 [BuHa-Security] MS06-013: HTML Tag Memory Corruption Vulnerability in MS IE 6 SP2Buffer overflow in URLMON.DLL in Microsoft Internet Explorer 5.01 through 6 allows remote attackers to execute arbitrary code via a crafted URL with an International Domain Name (IDN) using double-byte character sets (DBCS), aka the "Double Byte Character Parsing Memory Corruption Vulnerability."Customers should apply the update immediately.MS06-013TA06-101AVU#341028ADV-2006-131818957174541015900oval:org.mitre.oval:def:1020oval:org.mitre.oval:def:1484oval:org.mitre.oval:def:79220060411 Microsoft Internet Explorer DBCS Remote Memory Corruption Vulnerabilityie-double-byte-execute-code(25551)Microsoft Internet Explorer 5.01 through 6 does not always return the correct IOleClientSite information when dynamically creating an embedded object, which could cause Internet Explorer to run the object in the wrong security context or zone, and allow remote attackers to execute arbitrary code.MS06-013VU#95964917455ADV-2006-1318189571015900oval:org.mitre.oval:def:1541oval:org.mitre.oval:def:1735oval:org.mitre.oval:def:1783oval:org.mitre.oval:def:965 ie-ioleclientsite-execute-code(25552)Microsoft Internet Explorer 5.01 through 6 does not always correctly identify the domain that is associated with a browser window, which allows remote attackers to obtain sensitive cross-domain information and spoof sites by running script after the user has navigated to another site.MS06-013ADV-2006-131818957174571015892oval:org.mitre.oval:def:1251oval:org.mitre.oval:def:1710 ie-popup-zone-bypass(25555)Microsoft Internet Explorer 5.01 through 6 allows remote attackers to conduct phishing attacks by spoofing the address bar and other parts of the trust UI via unknown methods that allow "window content to persist" after the user has navigated to another site, aka the "Address Bar Spoofing Vulnerability." NOTE: this is a different vulnerability than CVE-2006-1626.MS06-01317460ADV-2006-1318189571015899oval:org.mitre.oval:def:1336oval:org.mitre.oval:def:1498oval:org.mitre.oval:def:1645oval:org.mitre.oval:def:1725oval:org.mitre.oval:def:1740 ie-browser-window-spoofing(25557)670Cross-site scripting (XSS) vulnerability in Microsoft Exchange Server 2000 SP1 through SP3, when running Outlook Web Access (OWA), allows user-assisted remote attackers to inject arbitrary HTML or web script via unknown vectors related to "HTML parsing."MS06-02918381ADV-2006-2326TA06-164AVU#13818810162802063426441oval:org.mitre.oval:def:1070oval:org.mitre.oval:def:1161oval:org.mitre.oval:def:1315 20060614 SEC Consult SA-20060613-0 :: Outlook Web Access Cross Site Scripting Vulnerability exchange-owa-xss(25550)Integer signedness error in the enet_protocol_handle_incoming_commands function in protocol.c for ENet library CVS version Jul 2005 and earlier, as used in products including (1) Cube, (2) Sauerbraten, and (3) Duke3d_w32, allows remote attackers to cause a denial of service (application crash) via a packet with a large command length value, which leads to an invalid memory access.20060312 Multiple vulnerabilities in ENet library (Jul 2005)ADV-2006-09401920810157672384420060312 Multiple vulnerabilities in ENet library (Jul 2005)17087enet-signedness-dos(25157)The enet_protocol_handle_send_fragment function in protocol.c for ENet library CVS version Jul 2005 and earlier, as used in products including (1) Cube, (2) Sauerbraten, and (3) Duke3d_w32, allows remote attackers to cause a denial of service (application crash) via a packet fragment with a large total data size, which triggers an application abort when memory allocation fails.20060312 Multiple vulnerabilities in ENet library (Jul 2005)ADV-2006-094019208101576720060312 Multiple vulnerabilities in ENet library (Jul 2005)1708723845enet-packet-dos(25158)Multiple cross-site scripting (XSS) vulnerabilities in QwikiWiki 1.5 allow remote attackers to inject arbitrary web script or HTML via the (1) from and (2) help parameters to (a) index.php; (3) action, (4) page, (5) debug, (6) help, (7) username, or (8) password parameters to (b) login.php; the (7) help parameter to (c) pageindex.php; or (8) help parameter to (d) recentchanges.php.QwikiWiki 1.5 <== Multiple Script Insertion Vulnerability1706419182qwikiwiki-multiple-scripts-xss(25128)ADV-2006-091023786237872378823789SafeDisc installs the driver service for the secdrv.sys driver with insecure permissions, which allows local users to gain privileges by changing the configuration to reference a malicious program.20060311 Copy protection scheme SafeDisc allows privilege escalation17070safedisk-secdrv-gain-privileges(25162)Comvigo IM Lock 2006 uses a simple substitution cipher to encrypt a password stored in the msnvs\prc registry value, for which all users have Read permission, which allows local users to bypass the product's blocking functionality by decrypting the password.20060306 IM Lock 2006 - Insecure Registry Permission VulnerabilityADV-2006-08661914016988 imlock-password-weak-encryption(25219)Cross-site scripting (XSS) vulnerability in iframe.php in daverave Link Bank allows remote attackers to inject arbitrary web script or HTML via the site parameter.20060306 link bank code execution and xssADV-2006-088519154linkbank-iframe-xss(25107)1700123751Direct static code injection vulnerability in add_link.txt in daverave Link Bank allows remote attackers to execute arbitrary PHP code via the url_name parameter, which is not sanitized before being stored in links.txt, which is later used in an include statement.20060306 link bank code execution and xssADV-2006-088519154linkbank-multiple-php-injection(25108)17004 23750553Directory traversal vulnerability in resetpw.php in eschew.net phpBannerExchange 2.0 and earlier, and other versions before 2.0 Update 5, allows remote attackers to read arbitrary files via a .. (dot dot) in the email parameter during a "Recover password" operation (recoverpw.php).20060307 phpBannerExchange 2.0 Directory Traversal VulnerabilityADV-2006-086919127phpbannerexchange-resetpw-dir-traversal(25071)phpbannerexchange-recoverpw-dir-traversal(25080)20060307 phpBannerExchange 2.0 Directory Traversal Vulnerability2372016996Multiple cross-site scripting (XSS) vulnerabilities in textfileBB 1.0 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) mess and (2) user parameters in messanger.php, possibly requiring a URL encoded value.20060308 textfileBB <= 1.0 Multiple XSSADV-2006-089719149101574417029 textbb-messanger-xss(25091)PHP remote file include vulnerability in common.php in txtForum 1.0.4-dev and earlier allows remote attackers to include and execute arbitrary PHP code via a URL in the skin parameter to login.php, and possibly other parameters to other PHP scripts, related to include statements in common.php.20060309 txtForum: Script Injection Vulnerability1706123952txtforum-login-file-include(25131)Multiple cross-site scripting (XSS) vulnerabilities in txtForum 1.0.4-dev and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) prev, (2) next, and (3) rand5 parameters in (a) index.php; the (4) r_username and (5) r_loc parameters in (b) new_topic.php; the (6) r_num, (7) r_family_name, (8) r_icq, (9) r_yahoo, (10) r_aim, (11) r_homepage, (12) r_interests, (13) r_about, (14) selected1, (15) selected0, (16) signature_selected1, (17) signature_selected0, (18) smile_selected1, (19) smile_selected0, (20) ubb_selected1, and (21) ubb_selected0 parameters in (c) profile.php; the (22) quote and (23) tid parameters in (d) reply.php; and the (24) tid, (25) sticked, and (26) mid parameters in (e) view_topic.php.20060309 txtForum: Multiple XSS Vulnerabilities170542395323954239552395623957txtforum-multiple-xss(25132)Multiple cross-site scripting (XSS) vulnerabilities in myWebland myBloggie 2.1.3 beta and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) confirmredirect and (2) post_id parameters in (a) delcomment.php, as reachable when mode=delcom from index.php; and the (3) del and (4) message parameters in (b) upload.php, the (5) errormsg parameter in (c) addcat.php, (d) edituser.php, (e) adduser.php, and (f) editcat.php, the (6) trackback_url parameter in (g) add.php, (7) id parameter in (h) deluser.php, (8) cat_id parameter in (i) delcat.php, and (9) post_id parameter in (j) del.php, as reachable from admin.php.20060309 MyBloggie: Multiple XSS Vulnerabilities17048239732397423975239862398723988239892399023991mybloggie-index-admin-xss(25134)23992Matt Johnston Dropbear SSH server 0.47 and earlier, as used in embedded Linux devices and on general-purpose operating systems, allows remote attackers to cause a denial of service (connection slot exhaustion) via a large number of connection attempts that exceeds the MAX_UNAUTH_CLIENTS defined value of 30.20060307 Dropbear SSH server Denial of Service17024dropbear-connection-dos(25075)1015742PHP Upload Center stores password hashes under the web root with insufficient access control, which allows remote attackers to download each password hash via a direct request for the upload/users/[USERNAME] file.20060309 PHP Upload Center Download users password hashes And phpshell Upload23627Sergey Korostel PHP Upload Center allows remote attackers to execute arbitrary PHP code by uploading a file whose name ends in a .php.li extension, which can be accessed from the upload directory.20060309 PHP Upload Center Download users password hashes And phpshell UploadADV-2006-08172362619107564PHP Advanced Transfer Manager 1.00 through 1.30 stores sensitive information, including password hashes, under the web root with insufficient access control, which allows remote attackers to download each password hash via a direct request for a users/[USERNAME] file.20060309 PHP Advanced Transfer Manager Download users password hashesphpatm-password-hash-disclosure(25127)1713420060613 Re: PHP Advanced Transfer Manager Download users password hashes565The web interface for IBM Tivoli Micromuse Netcool/NeuSecure 3.0.236 includes the MySQL database username and password in cleartext in body.phtml, which allows remote attackers to gain privileges by reading the source. NOTE: IBM has privately confirmed to CVE that a fix is available for these issues.20060308 Remote access to NeuSecure/Netcool backend database via web interface credentials leakage17032 netcool-neusecure-ns-unauth-access(25270)IBM Tivoli Micromuse Netcool/NeuSecure 3.0.236 configures a MySQL database to allow connections from any source IP address with the ns database account, which allows remote attackers to bypass the Netcool/NeuSecure application layer and perform unauthorized database actions. NOTE: IBM has privately confirmed to CVE that a fix is available for these issues.20060308 Remote access to NeuSecure/Netcool backend database via web interface credentials leakage netcool-neusecure-ns-unauth-access(25270)Unspecified vulnerability in index.php in Core CoreNews 2.0.1 allows remote attackers to execute arbitrary commands via the page parameter, possibly due to a PHP remote file include vulnerability. NOTE: this vulnerability could not be confirmed by source code inspection of CoreNews 2.0.1, which does not appear to use a "page" parameter or variable.20060309 CoreNews 2.0.1 Remote Command Exucetion17067corenews-index-command-execution(25180) 20060313 Oddness - CoreNews 2.0.1 Remote Command Exucetion 24080754JiRo's Banner System Experience and Professional 1.0 and earlier allows remote attackers to bypass access restrictions and gain privileges via a direct request to certain scripts in the files directory, as demonstrated by using addadmin.asp to create a new administrator account.20060309 Advisory: Jiros Banner Experience Pro Remote Privilege Escalation.ADV-2006-0911191841706023780 20060309 Advisory: Jiros Banner Experience Pro Remote Privilege Escalation. jbspro-security-bypass(25169)UnrealIRCd 3.2.3 allows remote attackers to cause an unspecified denial of service by causing a linked server to send malformed TKL Q:Line commands, as demonstrated by "TKL - q\x08Q *\x08PoC."20060309 UnrealIRCd3.2.3 Server-Link Denial of ServiceUnreal 3.2.4 releasedADV-2006-09082377819188unrealircd-server-link-dos(25130)17057Cross-site scripting (XSS) vulnerability in misc.php in Woltlab Burning Board (wBB) 2.3.4 allows remote attackers to inject arbitrary web script or HTML via the percent parameter. NOTE: this issue has been disputed in a followup post, although the original disclosure might be related to reflected XSS.20060304 Wbb 2.3. xss20060304 Re: Wbb 2.3. xss16959 wbb-misc-xss(25156)Cross-site scripting (XSS) vulnerability in bigshow.php in Runcms 1.x allows remote attackers to inject arbitrary web script or HTML via the id parameter.20060304 [KAPDA::#31] - Runcms 1.x Cross_Site_Scripting vulnerability in bigshow.php169701899723823474SQL injection vulnerability in DSPoll 1.1 allows remote attackers to execute arbitrary SQL commands via the pollid parameter to (1) results.php, (2) topolls.php, (3) pollit.php.ADV-2006-09321920917103dspoll-pollid-sql-injection(25192)101575820060324 [eVuln] DSPoll Multiple SQL Injection Vulnerabilities238792388023881620622Unspecified vulnerability in the HTTP proxy in Novell BorderManager 3.8 and earlier allows remote attackers to cause a denial of service (CPU consumption and ABEND) via unknown attack vectors related to "media streaming over HTTP 1.1".17031ADV-2006-08791916323752Directory traversal vulnerability in Gallery 2.0.3 and earlier, and 2.1 before RC-2a, allows remote attackers to include arbitrary PHP files via ".." (dot dot) sequences in the stepOrder parameter to (1) upgrade/index.php or (2) install/index.php.ADV-2006-089519175gallery-multiple-index-file-include(25129)17051Integer overflow in the mach_msg_send function in the kernel for Mac OS X might allow local users to execute arbitrary code via unknown attack vectors related to a large message header size, which leads to a heap-based buffer overflow.1705628453Untrusted search path vulnerability in the TrueVector service (VSMON.exe) in Zone Labs ZoneAlarm 6.x and Integrity does not search ZoneAlarm's own folders before other folders that are specified in a user's PATH, which might allow local users to execute code as SYSTEM by placing malicious DLLs into a folder that has insecure permissions, but is searched before ZoneAlarm's folder. NOTE: since this issue is dependent on the existence of a vulnerability in a separate product (weak permissions of executables or libraries, or the execution of malicious code), perhaps it should not be included in CVE.20060308 18 ways to escalate privileges in Zone Labs ZoneAlarm Security Suite build 6.1.744.00020060309 Re: 18 ways to escalate privileges in Zone Labs ZoneAlarm Security Suite build 6.1.744.00020060309 Statement Regarding Reported Local Escalation of Privileges Vulnerability for ZoneAlarmADV-2006-0947101574317037 zonealarm-path-gain-privileges(25097)Multiple cross-site scripting (XSS) vulnerabilities in zeroboard 4.1 pl7 allows allow remote attackers to inject arbitrary web script or HTML via the (1) memo box title, (2) user email, and (3) homepage fields.20060312 [INetCop Security Advisory] zeroboard IP session bypass XSS vulnerability20060312 [INetCop Security Advisory] zeroboard IP session bypass XSS vulnerability17075ADV-2006-094419214zeroboard-multiple-fields-xss(25212)23847Cross-site scripting (XSS) vulnerability in Jupiter Content Manager 1.1.5 and earlier allows remote attackers to inject arbitrary web script or HTML via a Javascript URI in the image BBcode tag.20060311 Jupiter CMS <= 1.1.5 multiple XSS attack vectors.17072ADV-2006-094219215jupitercm-bbcodetag-xss(25241)2383920060412 Re: Jupiter CMS <= 1.1.5 multiple XSS attack vectors.572Directory traversal vulnerability in dwnld.php in GuppY 4.5.11 allows remote attackers to overwrite arbitrary files via a "%2E." (mixed encoding) in the pg parameter.20060310 [KAPDA::#33] - GuppY <= 4.5.11 Remote DoS vulnerabilityGuppY <= 4.5.11 Remote DoS vulnerabilityThe 3 last news (Forum)17068ADV-2006-0936101575319222guppy-dwnld-file-deletion(25141)2384623993569CRLF injection vulnerability in Drupal 4.5.x before 4.5.8 and 4.6.x before 4.5.8 allows remote attackers to inject headers of outgoing e-mail messages and use Drupal as a spam proxy.20060314 [DRUPAL-SA-2006-004] Drupal 4.6.6 / 4.5.8 fixes mail header injection issueAdvisory ID: DRUPAL-SA-2006-004 1924517104DSA-10072391219257drupal-header-data-manipulation(25206)579Cross-site scripting (XSS) vulnerability in Drupal 4.5.x before 4.5.8 and 4.6.x before 4.5.8 allows remote attackers to inject arbitrary web script or HTML via unknown attack vectors.20060314 [DRUPAL-SA-2006-002] Drupal 4.6.6 / 4.5.8 fixes XSS issueAdvisory ID: DRUPAL-SA-2006-002 1924517104DSA-10072391019257drupal-undisclosed-xss(25202)581Drupal 4.5.x before 4.5.8 and 4.6.x before 4.5.8, when menu.module is used to create a menu item, does not implement access control for the page that is referenced, which might allow remote attackers to access administrator pages.20060314 [DRUPAL-SA-2006-001] Drupal 4.6.6 / 4.5.8 fixes access control issueAdvisory ID: DRUPAL-SA-2006-0011924517104DSA-10072390919257drupal-menumodule-bypass-security(25197)578Session fixation vulnerability in Drupal 4.5.x before 4.5.8 and 4.6.x before 4.5.8 allows remote attackers to gain privileges by tricking a user to click on a URL that fixes the session identifier.This vulnerability affects Drupal versions 4.6.x before 4.6.6, as well as versions 4.5.x before 4.5.820060314 [DRUPAL-SA-2006-003] Drupal 4.6.6 / 4.5.8 fixes session fixation issueAdvisory ID: DRUPAL-SA-2006-0031924517104DSA-100719257drupal-login-session-hijacking(25205)23911580SQL injection vulnerability in search.asp in Hosting Controller 6.1 (Hotfix 2.9) allows remote attackers to execute arbitrary SQL commands via the search parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.This vulnerability may affect all versions of Hosting Controller previous to 6.1 Hotfix 2.9 as well.ADV-2006-09142380219191hosting-controller-search-sql-injection(25140)Multiple cross-site scripting (XSS) vulnerabilities in create.php in vCard 2.x allow remote attackers to inject arbitrary web script or HTML via the (1) card_id, (2) uploaded, (3) card_fontsize, or (4) card_color parameter. NOTE: the card_id vector was later reported to affect vCard 2.9, and the uploaded vector for 2.6.20060311 XSS in vCard17073ADV-2006-09452383819216vcard-create-xss(25181)20060527 multiple Xss exploits in : vCard 2.9101618320070304 XSS Remote In vCard 2.6 (c)200222819CAPI4HylaFAX 1.3, when compiled with GENERATE_DEBUGSFFDATAFILE set, allows local users to modify arbitrary files via a symlink attack on the c2faxrecv_dbgdatafile.sff temporary file.20060307 capi4hylafax insecure manipulation with tmp files20060307 capi4hylafax insecure manipulation with tmp files1703420060307 capi4hylafax insecure manipulation with tmp files capi4hylafax-c2faxrecvdbgdatafile-symlink(25262)Multiple SQL injection vulnerabilities in DSDownload 1.0, with magic_quotes_gpc disabled, allow remote attackers to execute arbitrary SQL commands via the (1) key and (2) category parameters to (a) search.php and (b) downloads.php."magic_quotes_gpc" parameter must be disabled in order for this vulnerability to be exploited. This vulnerability may affect DSPortal, DSDownload versions previous to 1.0 as well.DSDownload Multiple SQL Injection VulnerabilitiesADV-2006-093419202171161015755dsdownload-multiple-sql-injection(25193)20060325 [eVuln] DSDownload Multiple SQL Injection Vulnerabilities2388623887626Multiple cross-site scripting (XSS) vulnerabilities in WMNews allow remote attackers to inject arbitrary web script or HTML via the (1) ArtCat parameter to wmview.php, (2) ctrrowcol parameter to footer.php, or (3) ArtID parameter to wmcomments.php.20060312 WMNews Cross Site Scripting17076ADV-2006-093919204238402384123842wmnews-multiple-scripts-xss(25210)SQL injection vulnerability in index.php in DSCounter 1.2, with magic_quotes_gpc disabled, allows remote attackers to execute arbitrary SQL commands via the X-Forwarded-For field (HTTP_X_FORWARDED_FOR environment variable) in an HTTP header.ADV-2006-0933101575619206dscounter-index-sql-injection(25190)20060325 [eVuln] DSCounter %27X-Forwarded-For%27 SQL Injection Vulnerability1711223882627Directory traversal vulnerability in admin/deleteuser.php in HitHost 1.0.0 might allow remote attackers to delete directories (possibly only empty directories) via the $deleteuser variable. NOTE: the initial disclosure for this issue indicated that the researcher was unable to prove this issue; however, this might have been due to certain behaviors of rmdir.20060306 histhost v1.0.0 xss and possible rmdir20060314 Re: histhost v1.0.0 xss and possible rmdir19155hithost-deleteuser-directory-deletion(25106)Buffer overflow in the SetUp function in socket/request.c in CrossFire 1.9.0 allows remote attackers to execute arbitrary code via a long setup sound command, a different vulnerability than CVE-2006-1010.1709319237DSA-100919276ADV-2006-095123904crossfire-setup-bo(25252)Multiple SQL injection vulnerabilities in DSNewsletter 1.0, with magic_quotes_gpc disabled, allow remote attackers to execute arbitrary SQL commands via the email parameter to (1) include/sub.php, (2) include/confirm.php, or (3) include/unconfirm.php.ADV-2006-093110157571920717111dsnewsletter-email-sql-injection(25188)20060324 [eVuln] DSNewsletter SQL Injection Vulnerability238832388423885623SQL injection vulnerability in DSLogin 1.0, with magic_quotes_gpc disabled, allows remote attackers to execute arbitrary SQL commands and bypass authentication via the $log_userid variable in (1) index.php and (2) admin/index.php.101575419201ADV-2006-0953dslogin-index-bypass-authentication(25194)20060327 [eVuln] DSLogin Authentication Bypass Vulnerability1726223896637Cross-site scripting (XSS) vulnerability in issue/createissue.aspx in Gemini 2.0 allows remote attackers to inject arbitrary web script or HTML via the rtcDescription$RadEditor1 field. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.2390719049gemini-createissue-xss(25195)ADV-2006-095417092Buffer overflow in inet_server.cpp in (1) fb_inet_server and (2) fbserver in Firebird 1.5.2.4731 allows local users to gain privileges via a long value of the -p argument.20060312 Buffer Overflow and Installation Script Error in Firebird 1.5.317077 20060312 Buffer Overflow and Installation Script Error in Firebird 1.5.3 firebird-fbinetserver-fbserver-bo(25282)Firebird 1.5.2.4731 installs (1) fb_lock_mgr, (2) gds_drop, and (3) fb_inet_server with setuid firebird permissions, which might allow local users to gain privileges via a buffer overflow as identified by CVE-2006-1240, or possibly other vulnerabilities.The problems are fixed in the current 1.5.3 version of the Firebird binary distribution.20060312 Buffer Overflow and Installation Script Error in Firebird 1.5.317077 20060312 Buffer Overflow and Installation Script Error in Firebird 1.5.3 firebird-fbinetserver-fbserver-bo(25282)The ip_push_pending_frames function in Linux 2.4.x and 2.6.x before 2.6.16 increments the IP ID field when sending a RST after receiving unsolicited TCP SYN-ACK packets, which allows remote attackers to conduct an Idle Scan (nmap -sI) attack, which bypasses intended protections against such attacks.20060314 Linux zero IP ID vulnerability?20060315 Re: Linux zero IP ID vulnerability?1710920060316 Re: Linux zero IP ID vulnerability?ADV-2006-114019402USN-281-119955MDKSA-2006:08620157DSA-109720671SUSE-SA:2006:028DSA-1103ADV-2006-255420914RHSA-2006:043721136RHSA-2006:057521465203982198322417 20060323 Re: Linux zero IP ID vulnerability?MDKSA-2006:086Directory traversal vulnerability in install05.php in Simple PHP Blog (SPB) 0.4.7.1 and earlier allows remote attackers to include and execute arbitrary local files via directory traversal sequences and a NUL (%00) character in the blog_language parameter, as demonstrated by injecting PHP sequences into an Apache access_log file, which is then included using install05.php.17102ADV-2006-100719270simplephpblog-install05-file-include(25322)[VIM] Vendor ACK for CVE-2006-1243 (older Simple PHP Blog)Unspecified vulnerability in certain versions of xpdf after 3.00, as used in various products including (a) pdfkit.framework, (b) gpdf, (c) pdftohtml, and (d) libextractor, has unknown impact and user-assisted attack vectors, possibly involving errors in (1) gmem.c, (2) SplashXPathScanner.cc, (3) JBIG2Stream.cc, (4) JPXStream.cc, and/or (5) Stream.cc. NOTE: this description is based on Debian advisory DSA 979, which is based on changes that were made after other vulnerabilities such as CVE-2006-0301 and CVE-2005-3624 through CVE-2005-3628 were fixed. Some of these newer fixes appear to be security-relevant, although it is not clear if they fix specific issues or are defensive in nature.DSA-979DSA-982DSA-983DSA-9841674823834DSA-101919364USN-270-119644189481902119091DSA-9981906519164Buffer overflow in mshtml.dll in Microsoft Internet Explorer 6.0.2900.2180, and probably other versions, allows remote attackers to execute arbitrary code via an HTML tag with a large number of script action handlers such as onload and onmouseover, as demonstrated using onclick, aka the "Multiple Event Handler Memory Corruption Vulnerability."20060316 Remote overflow in MSIE script action handlers (mshtml.dll)1713119269ie-mshtml-bo(25292)20060325 Re: [optimized PoC] Remote overflow in MSIE script action handlers (mshtml.dll)239641015794MS06-013TA06-101AVU#984473ADV-2006-131818957oval:org.mitre.oval:def:1451oval:org.mitre.oval:def:1569oval:org.mitre.oval:def:1599oval:org.mitre.oval:def:1632oval:org.mitre.oval:def:176620061203 MS Internet Explorer 6.0 (mshtml.dll) Denial of Service Exploit20061205 Re: MS Internet Explorer 6.0 (mshtml.dll) Denial of Service ExploitUnspecified vulnerability in mklvcopy in BOS.RTE.LVM in IBM AIX 5.3 allows local users to execute arbitrary commands when mklvcopy calls external commands, possibly due to an untrusted search path vulnerability.IY8273917115ADV-2006-095719235239211015786aix-bosrtelvm-gain-privileges(25299)[VIM] 20060323 IBM changing significant details? aix-mklvcopy-code-execution(25849)rm_mlcache_file in bos.rte.install in AIX 5.1.0 through 5.3.0 allows local users to overwrite arbitrary files via a symlink attack on temporary files.IY8235717576ADV-2006-13891965620060424 NSFOCUS SA2006-02 : IBM AIX mklvcopy Local Privilege Escalation Vulnerability20060424 NSFOCUS SA2006-03 : IBM AIX rm_mlcache_file Local Race Condition Vulnerability247061015952 aix-rm-mlcache-file-overwrite(25848)Unspecified vulnerability in usermod in HP-UX B.11.00, B.11.11, and B.11.23, when run with certain options that involve a new home directory, might cause usermod to change the ownership of all directories and files under the new directory, which might result in less secure permissions than intended.HPSBUX021021930517143ADV-2006-099710157821015834HPSBUX02102 hpux-usermod-unauthorized-access(25311)oval:org.mitre.oval:def:1098oval:org.mitre.oval:def:772oval:org.mitre.oval:def:785Integer overflow in Apple QuickTime Player 7.0.3 and 7.0.4 and iTunes 6.0.1 and 6.0.2 allows remote attackers to execute arbitrary code via a FlashPix (FPX) image that contains a field that specifies a large number of blocks.1707420060512 Apple QuickDraw/QuickTime Multiple VulnerabilitiesAPPLE-SA-2006-05-1110160672006920060511 [EEYEB-20060307] Apple QuickTime FPX Integer OverflowVU#570689ADV-2006-1778quicktime-flashpix-overflow(26398)TA06-132BUnspecified vulnerability in the Webmail module in Winmail before 4.3 has unknown impact and unknown remote attack vectors.ADV-2006-085817009Argument injection vulnerability in greylistclean.cron in sa-exim 4.2 allows remote attackers to delete arbitrary files via an email with a To field that contains a filename separated by whitespace, which is not quoted when greylistclean.cron provides the argument to the rm command.17110ADV-2006-094119225saexim-greylistclean-file-deletion(25286)Eval injection vulnerability in cal.php in Light Weight Calendar (LWC) 1.0 allows remote attackers to execute arbitrary PHP code via the date parameter to index.php.17059Unspecified vulnerability in glFTPd before 2.01 RC5 allows remote attackers to bypass IP checks via a crafted DNS hostname, possibly a hostname that appears to be an IP address.1922117118Unspecified vulnerability in BorderWare MXtreme 5.0 and 6.0 allows remote attackers to have an unknown impact via unknown attack vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.ADV-2006-097219223171401015787borderware-mxtreme-web-admin(25325)23939Stack-based buffer overflow in the IMAP service in Mercur Messaging 5.0 SP3 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a long string to the (1) LOGIN or (2) SELECT command, a different set of attack vectors and possibly a different vulnerability than CVE-2003-1177.20060316 Mercur IMAPD 5.0 SP3 DoS Exploit or more?ADV-2006-09771926717138mercur-imap-bo(25290)23950Cross-site scripting (XSS) vulnerability in guestbook.php in Soren Boysen (SkullSplitter) PHP Guestbook 2.6 allows remote attackers to inject arbitrary web script or HTML via the url parameter.This vulnerability can only be exploited if the "magic_quotes_gpc" parameter is set to 'off'.Skull-Splitter's PHP Guestbook XSS VulnerabilityGuestbook update - v2.7517136ADV-2006-09741926823941skullsplitter-guestbook-xss(25293)20060329 [eVuln] Skull-Splitter%27s PHP Guestbook XSS Vulnerability[VIM] 20060318 Vendor ACK for Skull-Splitter Guestbook XSS650The sample files in the authfiles directory in Microsoft Commerce Server 2002 before SP2 allow remote attackers to bypass authentication by logging in to authfiles/login.asp with a valid username and any password, then going to the main site twice.20060316 Microsoft Commerce Server 2002: Logon as known user with a false password1713424121mscs-authfiles-authentication-bypass(25330)594Cross-site scripting (XSS) vulnerability in phpMyAdmin 2.8.0.1 allows remote attackers to inject arbitrary web script or HTML via the set_theme parameter.1714219277ADV-2006-09911015776phpmyadmin-settheme-xss(25305)23943Multiple SQL injection vulnerabilities in Maian Support 1.0 allow remote attackers to execute arbitrary SQL commands via the (1) email or (2) pass parameter to admin/index.php.Successful exploitation requires that the "magic_quotes_gpc" parameter is disabled. This vulnerability may affect earlier versions of Maian, Support as well.Maian Support Authentication Bypass19275ADV-2006-0992maiansupport-adminindex-sql-injection(25300)20060328 [eVuln] Maian Support Authentication Bypass23944645Horde Application Framework 3.0.9 allows remote attackers to read arbitrary files via a null character in the url parameter in services/go.php, which bypasses a sanity check.20060315 CodeScan Advisory: Unauthenticated Arbitrary File Read in Horde v3.09 and prior17117ADV-2006-095923918101577119246horde-servicesgo-information-disclosure(25239)20060315 CodeScan Advisory: Unauthenticated Arbitrary File Read in Horde v3.09 and priorGLSA-200604-0219528DSA-103319619SUSE-SR:2006:00919897DSA-103419692590Multiple cross-site scripting (XSS) vulnerabilities in ASPPortal 3.00 allow remote attackers to inject arbitrary web script or HTML via unknown attack vectors.20060315 CodeScan Advisory: Multiple Vulnerabilities In ASPPortal.net20060314 CodeScan Advisory: Multiple Vulnerabilities In ASPPortal.net19247aspportal-multiple-xss(25235)10157721711423920Multiple SQL injection vulnerabilities in ASPPortal 3.00 have unknown impact and attack vectors.20060315 CodeScan Advisory: Multiple Vulnerabilities In ASPPortal.net20060314 CodeScan Advisory: Multiple Vulnerabilities In ASPPortal.net19247aspportal-multiple-scripts-sql-injection(25234)10157721711423919592Multiple "unannounced" cross-site scripting (XSS) vulnerabilities in WordPress before 2.0.2 allow remote attackers to inject arbitrary web script or HTML via unknown attack vectors.2.0.2 Security Release17069Cross-site scripting (XSS) vulnerability in xhawk.net discussion 2.0 beta2 allows remote attackers to inject arbitrary web script or HTML via a Javascript URI in a BBCode img tag.20060315 [eVuln] discussion - xhawk.net BBCode 'img' XSS & SQL Injection Vulnerabilitiesdiscussion - xhawk.net BBCode 'img' XSS & SQL Injection Vulnerabilities1711923970 discussion-bbcode-xss(25236)SQL injection vulnerability in discussion.class.php in xhawk.net discussion 2.0 beta2 allows remote attackers to execute arbitrary SQL commands via the view parameter.20060315 [eVuln] discussion - xhawk.net BBCode 'img' XSS & SQL Injection Vulnerabilitiesdiscussion - xhawk.net BBCode 'img' XSS & SQL Injection Vulnerabilities2397117121 discussion-class-sql-injection(25237)Cross-site scripting (XSS) vulnerability in Service_Requests.asp in VPMi Enterprise 3.3 allows remote attackers to inject arbitrary web script or HTML via the Request_Name_Display parameter.[VIM] 20060314 vendor dispute: VCS239161717219297vpmi-servicerequests-xss(25339)Invision Power Board 2.1.4 allows remote attackers to hijack sessions and possibly gain administrative privileges by obtaining the session ID from the s parameter, then replaying it in another request.20060314 Invision Power Board v2.1.4 - session hijacking20060316 Re: Invision Power Board v2.1.4 - session hijackingThe Internet Key Exchange implementation in Funkwerk X2300 7.2.1 allows remote attackers to cause a denial of service and possibly execute arbitrary code via crafted IKE packets, as demonstrated by the PROTOS ISAKMP Test Suite. NOTE: due to the lack of details in the advisory, it is unclear which of CVE-2005-3666, CVE-2005-3667, and/or CVE-2005-3668 this issue applies to.Readme for System Software 7.2.1: PATCH 9ADV-2006-09581923317124Buffer overflow in the parse function in parse.c in zoo 2.10 might allow local users to execute arbitrary code via long filename command line arguments, which are not properly handled during archive creation. NOTE: since this issue is local and not setuid, the set of attack scenarios is limited, although is reasonable to expect that there are some situations in which the zoo user might automatically list attacker-controlled filenames to add to the zoo archive.Bugzilla Bug 183426GLSA-200603-121925017126ADV-2006-096919254zoo-parse-bo(25264)Multiple cross-site scripting (XSS) vulnerabilities in zones.php in Inprotect 0.21 allow remote attackers to inject arbitrary web script or HTML via the (1) Name or (2) Description field. NOTE: the provenance of this information is unknown; the details are obtained from third party information.A remote attacker must have "Manage Zones and Server" permissions on Inprotect to exploit this vulnerability.17141ADV-2006-097019248inprotect-zones-xss(25280)23936SQL injection vulnerability in index.php in OxyNews allows remote attackers to execute arbitrary SQL commands via the oxynews_comment_id parameter.17132ADV-2006-097619255oxynews-index-sql-injection(25301)20060316 Oxynews Sql &#304;njection23940Multiple cross-site scripting (XSS) vulnerabilities in member.php in MyBulletin Board (MyBB) 1.0.3 allow remote attackers to inject arbitrary web script or HTML via the (1) aim, (2) yahoo, (3) msn, or (4) website field.20060314 [[KAPDA::#35] MyBB 1.0.3~member.php~XSS Attack in contact details1709723935 mybb-member-xss(25263)** DISPUTED ** Mozilla Firefox 1.0.7 and 1.5.0.1 allows remote attackers to cause a denial of service (crash) via an HTML tag with a large number of script action handlers such as onload and onmouseover, which triggers the crash when the user views the page source. NOTE: Red Hat has disputed this issue, suggesting that "It is likely the reporter was running the IE Tab extension," and Mozilla also confirmed that this is not an issue in Firefox itself.20060317 Re: Re: Remote overflow in MSIE script action handlers (mshtml.dll)20060318 Re: Re: Remote overflow in MSIE script action handlers (mshtml.dll)593Classic Planer in AntiVir PersonalEdition Classic 7 does not drop privileges before executing external programs, which allows local users to gain privileges via notepad.exe, which is used to display scan reports.20060311 AntiVir PersonalEdition Classic: Local Privilige Escalation20060311 AntiVir PersonalEdition Classic: Local Privilige Escalation17071ADV-2006-09481921723843antivir-notepad-gain-privilege(25244)573GGZ Gaming Zone 0.0.12 allows remote attackers to cause a denial of service (client disconnect) via inputs that produce malformed XML, including (1) trailing ' (apostrophe) character on the ID attribute in a PLAYER XML tag, (2) joining with a long ID attribute or non-trailing ' characters, which causes a <none> name to be assigned, and then disconnecting, or (3) a long CDATA message attribute, which prevents closing tags from being added to the string.ADV-2006-09352384819212ggzgaminzone-xml-dos(25164)17094admin.php in Himpfen Consulting Company PHP SimpleNEWS 1.0.0 allows remote attackers to bypass authentication by setting the admin parameter in a cookie.EV0094ADV-2006-09131919520060322 [eVuln] PHP SimpleNEWS, PHP SimpleNEWS MySQL - Authentication Bypass Vulnerability1718623803 simplenews-admin-bypass-security(25177)613Cross-site scripting (XSS) vulnerability in signup.php in @1 File Store 2006.03.07 allows remote attackers to inject arbitrary web script or HTML via the (1) real_name, (2) email, and (3) login parameters.ADV-2006-0943192242385020060324 [eVuln] @1 File Store Multiple XSS and SQL Injection Vulnerabilities101582617090 filestore-signup-xss(25182)SQL injection vulnerability in @1 File Store 2006.03.07 allows remote attackers to execute arbitrary SQL commands via the id parameter to (1) functions.php and (2) user.php in the libs directory, (3) edit.php and (4) delete.php in control/files/, (5) edit.php and (6) delete.php in control/users/, (7) edit.php, (8) access.php, and (9) in control/folders/, (10) access.php and (11) delete.php in control/groups/, (12) confirm.php, and (13) download.php; (14) the email parameter in password.php, and (15) the id parameter in folder.php.Successful exploitation requires that the "magic_quotes_gpc" parameter is disabled.EV0095ADV-2006-094319224238512385223853238542385523856238572385823859238602386123862238632386420060324 [eVuln] @1 File Store Multiple XSS and SQL Injection Vulnerabilities10158261709024106 filestore-multiple-sql-injection(25183)619CGI::Session 4.03-1 allows local users to overwrite arbitrary files via a symlink attack on temporary files used by (1) Driver::File, (2) Driver::db_file, and possibly (3) Driver::sqlite.ADV-2006-0946192111717723865 cgisession-cgisess-information-disclosure(25285)CGI::Session 4.03-1 does not set proper permissions on temporary files created in (1) Driver::File and (2) Driver::db_file, which allows local users to obtain privileged information, such as session keys, by viewing the files.356555ADV-2006-094619211238662386717099 cgisession-driver-files-insecure-permissions(25283)Cross-site scripting (XSS) vulnerability in member.php in MyBulletinBoard (MyBB) 1.04 allows remote attackers to inject arbitrary web script or HTML via the url parameter, a different vulnerability than CVE-2006-1272. NOTE: 1.10 was later reported to be vulnerable.20060314 [KAPDA::#35] - MyBB1.0.4~member.php~XSS after loginMyBB1.0.4MyBB1.0.4~member.php~XSS after loginMyBB 1.1 Released 17097ADV-2006-0971192131749223935mybb-member-url-xss(25266)CRLF injection vulnerability in inc/function.php in MyBulletinBoard (MyBB) 1.04 allows remote attackers to conduct cross-site scripting (XSS), poison caches, or hijack pages via CRLF (%0A%0D) sequences in the Referrer HTTP header field, possibly when redirecting to other web pages.20060314 [KAPDA::#34] - MyBB1.0.4~redirectfunction()~HeaderInjection[KAPDA::#34]MyBB1.0.4MyBB1.0.4~redirectfunction()~HeaderInjectionMyBB 1.1 Released 17097 mybb-crlf-header-injection(25267)opiepasswd in One-Time Passwords in Everything (OPIE) in FreeBSD 4.10-RELEASE-p22 through 6.1-STABLE before 20060322 uses the getlogin function to determine the invoking user account, which might allow local users to configure OPIE access to the root account and possibly gain root privileges if a root shell is permitted by the configuration of the wheel group or sshd.FreeBSD-SA-06:121719424067101581719347bsd-opie-unauthorized-privileges(25397)ADV-2006-1074The installation of SQLAnywhere in Symantec Ghost 8.0 and 8.2, as used in Symantec Ghost Solutions Suite (SGSS) 1.0, includes a default administrator login account and password, which allows local users to gain privileges or modify tasks.19171ADV-2006-08701015733SQLAnywhere in Symantec Ghost 8.0 and 8.2, as used in Symantec Ghost Solutions Suite (SGSS) 1.0, gives read and write permissions to all users for database shared memory sections, which allows local users to access and possibly modify certain information.Update to Symantec Ghost 8.3 that is shipped as a part of Symantec Ghost Solutions Suite 1.1.19171ADV-2006-0870101573317019Buffer overflow in the login dialog in dbisqlc.exe in SQLAnywhere for Symantec Ghost 8.0 and 8.2, as used in Symantec Ghost Solutions Suite (SGSS) 1.0, might allow local users to read certain sensitive information from the database.Update to Symantec Ghost 8.3 that is shipped as a part of Symantec Ghost Solutions Suite 1.1. 19171ADV-2006-08701015733 ghost-dbisqlc-bo(25089)Cross-site scripting (XSS) vulnerability in Invision Power Board (IPB) 2.0.4 and 2.1.4 before 20060130 allows remote attackers to steal cookies and probably conduct other activities when the victim is using Internet Explorer.ADV-2006-086119141Multiple SQL injection vulnerabilities in Invision Power Board (IPB) 2.0.4 and 2.1.4 before 20060105 allow remote attackers to execute arbitrary SQL commands via cookies, related to (1) arrays of id/stamp pairs and (2) the keys in arrays of key/value pairs in ipsclass.php; (3) the topics variable in usercp.php; and the topicsread cookie in (4) topics.php, (5) search.php, and (6) forums.php.ADV-2006-086119141 invision-multiple-sql-injection(25100)Multiple SQL injection vulnerabilities in Milkeyway Captive Portal 0.1 and 0.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) username, (2) password, (3) team, (4) level, (5) status, (6) teamname, and (7) teamlead parameters in (a) auth.php; the (8) username, (9) action, and (10) filter parameters in (b) authuser.php; the (11) username parameter in (c) utils.php; the (12) id and (13) date parameters in (d) traffic.php; the (14) username parameter in (e) userstatistics.php; and the (15) USERNAME and (16) PASSWORD parameters in a cookie to (f) chgpwd.php.20060316 Milkeyway Multiple Vulnerabilities17127ADV-2006-0968101577819258milkeyway-admin-sql-injection(25287)milkeyway-multiple-sql-injection(25281)2392523927239282392923931Multiple cross-site scripting (XSS) vulnerabilities in Milkeyway Captive Portal 0.1 and 0.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) ipAddress, (2) act, (3) username, and (4) unspecified other parameters in (a) authuser.php; and the (5) username and (6) unspecified other parameters in (b) userstatistics.php.20060316 Milkeyway Multiple Vulnerabilities17127ADV-2006-0968101577819258milkeyway-multiple-xss(25288)2393223933publish.ical.php in Jim Hu and Chad Little PHP iCalendar 2.21 and earlier does not require authentication for write access to the calendars directory, which allows remote attackers to upload and execute arbitrary PHP scripts via a WebDAV PUT request with a filename containing a .php extension and a trailing null character.17129ADV-2006-101919285Directory traversal vulnerability in Jim Hu and Chad Little PHP iCalendar 2.21 and earlier allows remote attackers to include and execute arbitrary local files via directory traversal sequences and a NUL (%00) character in the phpicalendar[cookie_language] and phpicalendar[cookie_style] cookies, as demonstrated by injecting PHP sequences into an Apache access_log file, which is then included by day.php.17125ADV-2006-101919285Cross-site scripting (XSS) vulnerability in index.php in Contrexx CMS 1.0.8 and earlier allows remote attackers to inject arbitrary web script or HTML via the query string (PHP_SELF).20060318 Contrexx CMS Xss Vuln17128ADV-2006-101319294contrexx-index-xss(25332)599PHP remote file include vulnerability in PageController.php in KnowledgebasePublisher 1.2 allows remote attackers to include and execute arbitrary PHP code via a URL in the dir parameter.17120ADV-2006-102019298knowledgebasepublisher-dir-file-include(25338)24002Cross-site scripting (XSS) vulnerability in recherche.php3 in SPIP 1.8.2-g allows remote attackers to inject arbitrary web script or HTML via the recherche parameter.17130 spip-research-xss(25389)Untrusted search path vulnerability in Beagle 0.2.2.1 might allow local users to gain privileges via a malicious beagle-info program in the current working directory, or possibly directories specified in the PATH.19278beagle-beagle-status-privilege-escalation(25303)17195FEDORA-2006-1882394219336Unspecified vulnerability in Veritas Backup Exec for Windows Server Remote Agent 9.1 through 10.1, for Netware Servers and Remote Agent 9.1 and 9.2, and Remote Agent for Linux Servers 10.0 and 10.1 allow attackers to cause a denial of service (application crash or unavailability) due to "memory errors."20060317 Symantec Security Advisory SYM06-00417098ADV-2006-0995192421015784backupexec-app-memory-dos(25309)597Format string vulnerability in the Job Engine service (bengine.exe) in the Media Server in Veritas Backup Exec 10d (10.1) for Windows Servers rev. 5629, Backup Exec 10.0 for Windows Servers rev. 5520, Backup Exec 10.0 for Windows Servers rev. 5484, and Backup Exec 9.1 for Windows Servers rev. 4691, when the job log mode is Full Detailed (aka Full Details), allows remote authenticated users to cause a denial of service and possibly execute arbitrary code via a crafted filename on a machine that is backed up by Backup Exec.This vulnerability can only be exploited if the 'job log' mode is set to "Full Detailed" (aka Full Details). Other older versions of Windows Server (those that have been End-Of-Life'd) should be upgraded to the latest patch of one of the current versions listed above.Document ID: 282254 1709620060320 Symantec Security Advisory, SYM06-00519242ADV-2006-09961015785backupexec-bengine-format-string(25310)Microsoft .NET framework 2.0 (ASP.NET) in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 up to SP1 allows remote attackers to bypass access restrictions via unspecified "URL paths" that can access Application Folder objects "explicitly by name."MS06-03318920ADV-2006-2751101646520999ms-aspnet-appcode-information-disclosure(26802)27153oval:org.mitre.oval:def:419Microsoft Excel 2000 through 2004 allows user-assisted attackers to execute arbitrary code via a .xls file with a crafted SELECTION record that triggers memory corruption, a different vulnerability than CVE-2006-1302.MS06-03718853ADV-2006-27551016472oval:org.mitre.oval:def:557Buffer overflow in Microsoft Excel 2000 through 2003 allows user-assisted attackers to execute arbitrary code via a .xls file with certain crafted fields in a SELECTION record, which triggers memory corruption, aka "Malformed SELECTION record Vulnerability."20060712 NSFOCUS SA2006-05 : Microsoft Excel SELECTION Record Memory Corruption VulnerabilityMS06-03718885ADV-2006-27551016472oval:org.mitre.oval:def:3791238Multiple unspecified vulnerabilities in Microsoft Internet Explorer 5.01 SP4 and 6 SP1 and earlier allow remote attackers to execute arbitrary code by instantiating certain COM objects from Wmm2fxa.dll as ActiveX controls including (1) DXImageTransform.Microsoft.MMSpecialEffect1Input, (2) DXImageTransform.Microsoft.MMSpecialEffect1Input.1, (3) DXImageTransform.Microsoft.MMSpecialEffect2Inputs, (4) DXImageTransform.Microsoft.MMSpecialEffect2Inputs.1, (5) DXImageTransform.Microsoft.MMSpecialEffectInplace1Input, and (6) DXImageTransform.Microsoft.MMSpecialEffectInplace1Input.1, which causes memory corruption during garbage collection.MS06-02118328ADV-2006-231910162912059520060613 ZDI-06-018: Microsoft Internet Explorer DXImageTransform ActiveX Memory Corruption Vulnerabilityoval:org.mitre.oval:def:1135oval:org.mitre.oval:def:1767oval:org.mitre.oval:def:1830oval:org.mitre.oval:def:1928oval:org.mitre.oval:def:1973oval:org.mitre.oval:def:2017 VU#959049 26442 ie-wmm2fxadll-execute-code(26774)Buffer overflow in Microsoft Excel 2000 through 2003 allows user-assisted attackers to execute arbitrary code via a .xls file with a crafted COLINFO record, which triggers the overflow during a "data filling operation."20060712 NSFOCUS SA2006-06 : Microsoft Excel COLINFO Record Buffer Overflow VulnerabilityMS06-03718888ADV-2006-27551016472oval:org.mitre.oval:def:545Microsoft Outlook 2000, 2002, and 2003 allows user-assisted remote attackers to cause a denial of service (memory exhaustion and interrupted mail recovery) via malformed e-mail header information, possibly related to (1) long subject lines or (2) large numbers of recipients in To or CC headers.MS07-003[funsec] 20060308 DOSing Outlook 200321937ADV-2007-0104101748823674TA07-009AVU#617436HPSBST0218431253oval:org.mitre.oval:def:122Microsoft Excel 2000 through 2004 allows user-assisted attackers to execute arbitrary code via a .xls file with a crafted BIFF record with an attacker-controlled array index that is used for a function pointer, aka "Malformed OBJECT record Vulnerability."20060712 Microsoft Excel Array Index Error Remote Code ExecutionMS06-03718886ADV-2006-27551016472oval:org.mitre.oval:def:950Unspecified vulnerability in Microsoft Excel 2000 through 2004 allows user-assisted attackers to execute arbitrary code via a .xls file with a crafted FNGROUPCOUNT value.20060712 Microsoft Excel Could Allow Remote Code Execution by Malformed FNGROUPCOUNT value VulnerabilityMS06-03718890excel-fngroupcount-bo(27464)ADV-2006-27551016472oval:org.mitre.oval:def:243Microsoft Excel 2000 through 2004 allows user-assisted attackers to execute arbitrary code via a .xls file with a crafted LABEL record that triggers memory corruption.MS06-03718910ADV-2006-27551016472oval:org.mitre.oval:def:752The RichEdit component in Microsoft Windows 2000 SP4, XP SP2, and 2003 SP1; Office 2000 SP3, XP SP3, 2003 SP2, and Office 2004 for Mac; and Learning Essentials for Microsoft Office 1.0, 1.1, and 1.5 allows user-assisted remote attackers to execute arbitrary code via a malformed OLE object in an RTF file, which triggers memory corruption.MS07-013 VU#368132 21876 ADV-2007-0582 31886 1017640 1017641 24152 ms-richedit-code-execution(30592)TA07-044Aoval:org.mitre.oval:def:1090Microsoft JScript 5.1, 5.5, and 5.6 on Windows 2000 SP4, and 5.6 on Windows XP, Server 2003, Windows 98 and Windows Me, will "release objects early" in certain cases, which results in memory corruption and allows remote attackers to execute arbitrary code.MS06-023VU#39004418359ADV-2006-232120620TA06-164A101628326434ms-jscript-code-execution(26805)oval:org.mitre.oval:def:1067oval:org.mitre.oval:def:1644oval:org.mitre.oval:def:1785oval:org.mitre.oval:def:2003Heap-based buffer overflow in the Server Service (SRV.SYS driver) in Microsoft Windows 2000 SP4, XP SP1 and SP2, Server 2003 up to SP1, and other products, allows remote attackers to execute arbitrary code via crafted first-class Mailslot messages that triggers memory corruption and bypasses size restrictions on second-class Mailslot messages.MS06-03520060711 TSRT-06-02: Microsoft SRV.SYS Mailslot Ring0 Memory Corruption VulnerabilityVU#189140win-mailslot-bo(26818)TA06-192A18863ADV-2006-27532100727154oval:org.mitre.oval:def:6001212The Server Service (SRV.SYS driver) in Microsoft Windows 2000 SP4, XP SP1 and SP2, Server 2003 up to SP1, and other products, allows remote attackers to obtain sensitive information via crafted requests that leak information in SMB buffers, which are not properly initialized, aka "SMB Information Disclosure Vulnerability."MS06-03518891win-smb-information-disclosure(26820)101646720060711 SMB Information Disclosure VulnerabilityADV-2006-275321007VU#33363627155oval:org.mitre.oval:def:3Unspecified vulnerability in Microsoft Office 2003 SP1 and SP2, Office XP SP3, Office 2000 SP3, and other products, allows user-assisted attackers to execute arbitrary code via an Office file with malformed string that triggers memory corruption related to record lengths, aka "Microsoft Office Parsing Vulnerability," a different vulnerability than CVE-2006-2389.MS06-038VU#580036ADV-2006-275621012office-string-parse-bo(27607)TA06-192A189121016469oval:org.mitre.oval:def:918 27148chpst in runit 1.3.3-1 for Debian GNU/Linux, when compiled on little endian i386 machines against dietlibc, does not properly handle when multiple groups are specified in the -u option, which causes chpst to assign permissions for the root group due to inconsistent bit sizes for the gid_t type.This vulnerability may be relevant only to Debian GNU/Linux implementations on little endian i386 machines.#3560161717919323 runit-chpst-gain-privileges(25419)util.c in rssh 2.3.0 in Debian GNU/Linux does not use braces to make a block, which causes a check for CVS to always succeed and allows rsync and rdist to bypass intended access restrictions in rssh.conf.debian-rssh-rsync-rdist-bypass-security(25424)DSA-11091899921087Cross-site scripting (XSS) vulnerability in webcheck before 1.9.6 allows remote attackers to inject arbitrary web script or HTML via the (1) url, (2) title, or (3) author name in a crawled page, which is not properly sanitized in the tooltips of a report.Versions before 1.0 are named "linbot" instead of "webcheck".2006-01-30 release 1.9.6 of webcheck 1721219309webcheck-content-xss(25428)Novell Netware NWFTPD 5.06.05 allows remote attackers to cause a denial of service (ABEND) via an MDTM command that uses a long path for the target file, possibly due to a buffer overflow.17137ADV-2006-097523949101578119265netware-nwftpd-mdtm-dos(25289)Directory traversal vulnerability in WinHKI 1.6 and earlier allows user-assisted attackers to overwrite arbitrary files via a (1) RAR, (2) TAR, (3) ZIP, or (4) TAR.GZ archive with a file whose file name contains ".." sequences.ADV-2006-1010192961715320060322 WinHKI 1.6x Archive Extraction Directory traversalwinhki-extract-directory-traversal(25335)Cross-site scripting (XSS) vulnerability in acp/lib/class_db_mysql.php in Woltlab Burning Board (wBB) 2.3.4 allows remote attackers to inject arbitrary web script or HTML via the errormsg parameter when a SQL error is generated.20060318 Xss in Wbb 2.3.417147ADV-2006-100319293wbb-classdbmysql-xss(25313)1015789529598Cross-site scripting (XSS) vulnerability in Streber 0.055 allows remote attackers to inject arbitrary web script or HTML via unknown attack vectors.The vulnerability has been fixed in version 0.055 (development release).ADV-2006-10051926317157streber-xss(25317)Multiple cross-site scripting (XSS) vulnerabilities in Invision Power Board 2.0.4 allow remote attackers to inject arbitrary web script or HTML via the (1) result_type, (2) search_in, (3) nav, (4) forums, and (5) s parameters in the Search action to index.php; (6) st parameter to index.php with showtopics set to 1; (7) m, (8) y, and (9) d parameters in a calendar action; (10) t parameter in a Print action; (11) MID parameter in a Mail action; (12) HID parameter in a Help action; (13) active parameter in a search action; (14) sort_order, (15) max_results, or (16) sort_key parameter in a Members action.20060317 XSS IN Invision Power Board17144 25009 25010 25011 25012 25013 25014 25015SQL injection vulnerability in reg.php in SoftBB 0.1 allows remote attackers to execute arbitrary SQL commands via the mail parameter.ADV-2006-10021928317160softbb-reg-sql-injection(25320)23999SQL injection vulnerability in count.php in Skull-Splitter PHP Downloadcounter for Wallpapers 1.0 allows remote attackers to execute arbitrary SQL commands via the (1) count_fieldname, (2) url_fieldname, or (3) url parameter.ADV-2006-1004193141715623972downloadcounter-count-sql-injection(25316)20060329 [eVuln] Skull-Splitter%27s PHP Downloadcounter for Wallpapers SQL Injection649The SASL negotiation in Jabber Studio jabberd before 2.0s11 allows remote attackers to cause a denial of service ("c2s segfault") by sending a "response stanza before an auth stanza".ADV-2006-10091928117155jabberd-sasl-dos(25334)RHSA-2008:0261Multiple SQL injection vulnerabilities in phpWebsite 0.83 and earlier allow remote attackers to execute arbitrary SQL commands via the sid parameter to (1) friend.php or (2) article.php.20060318 phpWebsite <= SQL Injection (friend.php) & (article.php)17150ADV-2006-103919315phpwebsite-multiple-sql-injection(25328)20060413 Re: phpWebsite <= SQL Injection (friend.php) & (article.php)Multiple cross-site scripting (XSS) vulnerabilities in index.php in Noah's Classifieds 1.3 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) method or (2) list parameter.20060320 Noah's Classifieds Multiple Path Disclosure and Cross Site Scripting Vulnerabilities17151noahs-index-path-disclosure(25331) 20060308 Noah's Classifieds Multiple Cross-Site Scripting Vulnerabilities noahs-index-xss(25099)Noah's Classifieds 1.3 and earlier allows remote attackers to obtain sensitive information via an invalid list parameter in the showdetails method to index.php, which reveals the path in an error message.20060320 Noah's Classifieds Multiple Path Disclosure and Cross Site Scripting Vulnerabilitiesnoahs-index-path-disclosure(25331)471605Multpile SQL injection vulnerabilities in BetaParticle Blog 6.0 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to template_permalink.asp or (2) fldGalleryID parameter to template_gallery_detail.asp.Update to version 6.02.20060318 Advisory: BetaParticle Blog <= 6.0 Multiple Remote SQL InjectionVulnerabilities17148ADV-2006-100019292bpblog-multiple-sql-injection(25327)23965239661015788600Multiple SQL injection vulnerabilities in Maian Weblog 2.0 allow remote attackers to execute arbitrary SQL commands via the (1) entry and (2) email parameters to (a) print.php and (b) mail.php.ADV-2006-09942394619273maianweblog-printmail-sql-injection(25295)1715920060327 [eVuln] Maian Weblog Multiple SQL Injection Vulnerabilities17247101581823945638gnome screensaver before 2.14, when running on an X server with AllowDeactivateGrabs and AllowClosedownGrabs enabled, allows attackers with physical access to cause the screensaver to crash and access the session via the Ctl+Alt+Keypad-Multiply keyboard sequence, which removes the grab from gnome.The vulnerability has reportedly been fixed in version 2.14.1928024015gnomescreensaver-security-bypass(25340)Cross-site scripting vulnerability in calendar.php in ExtCalendar 1.0 and possibly other versions before 2.0 allows remote attackers to inject arbitrary web script or HTML via the (1) year, (2) month, (3) next, and (4) prev parameters.This issue is reportedly addressed in ExtCalendar 2.0. Symantec has not confirmed this fix. Affected users are advised to contact the vendor for further information.20060319 ExtCalendar v1.0 Multiple Xss Vuln17146ADV-2006-10122396919321extcalendar-calendar-xss(25350)601Buffer overflow in the POP 3 (POP3) service in MailEnable Standard Edition before 1.93, Professional Edition before 1.73, and Enterprise Edition before 1.21 allows remote attackers to execute arbitrary code via unknown vectors before authentication.ADV-2006-10061928817162mailenable-pop-authentication(25314)101579720060320 [MU-200603-01] MailEnable POP3 Pre-Authentication Buffer Overflow24012Webmail in MailEnable Professional Edition before 1.73 and Enterprise Edition before 1.21 allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors involving "incorrectly encoded quoted-printable emails".ADV-2006-1006192881716124014mailenable-webmail-component-dos(25315)Directory traversal vulnerability in inc/functions.inc.php in CuteNews 1.4.1 and possibly other versions, when register_globals is enabled, allows remote attackers to include arbitrary files via a .. (dot dot) sequence and trailing NULL (%00) byte in the archive parameter in an HTTP POST or COOKIE request, which bypasses a sanity check that is only applied to a GET request.1715219289cutenews-incfunction-directory-traversal(25324)20060322 cutenews 1.4.1 Arbitrary File AccessCuteNews 1.4.1 and possibly other versions allows remote attackers to obtain the installation path via unspecified vectors involving an invalid file path.Successful exploitation requires that the "register_globals" parameter is enabled.cutenews 1.4.1 Arbitrary File Access171521928920060322 cutenews 1.4.1 Arbitrary File AccessSQL injection vulnerability in events.php in Maian Events 1.0 allows remote attackers to execute arbitrary SQL commands via the (1) month and (2) year parameters.ADV-2006-099319274maianevents-events-sql-injection(25298)20060328 [eVuln] Maian Events SQL Injection Vulnerability23947646net/ipv4/af_inet.c in Linux kernel 2.4 does not clear sockaddr_in.sin_zero before returning IPv4 socket names from the (1) getsockname, (2) getpeername, and (3) accept functions, which allows local users to obtain portions of potentially sensitive memory.[linux-netdev] 20060304 BUG: Small information leak in SO_ORIGINAL_DST (2.4 and 2.6) and[PATCH] Fix small information leak in SO_ORIGINAL_DST and getname()1935717203SUSE-SA:2006:028RHSA-2006:0579RHSA-2006:0580210352039820061113 VMSA-2006-0006 - VMware ESX Server 2.5.3 Upgrade Patch 420061113 VMSA-2006-0005 - VMware ESX Server 2.5.4 Upgrade Patch 120061113 VMSA-2006-0007 - VMware ESX Server 2.1.3 Upgrade Patch 220061113 VMSA-2006-0008 - VMware ESX Server 2.0.2 Upgrade Patch 2ADV-2006-450222875net/ipv4/netfilter/ip_conntrack_core.c in Linux kernel 2.4 and 2.6, and possibly net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c in 2.6, does not clear sockaddr_in.sin_zero before returning IPv4 socket names from the getsockopt function with SO_ORIGINAL_DST, which allows local users to obtain portions of potentially sensitive memory.[linux-netdev] 20060304 BUG: Small information leak in SO_ORIGINAL_DST (2.4 and 2.6) and19357linux-sockaddr-memory-leak(25425)17203USN-281-11995520060531 rPSA-2006-0087-1 kernelADV-2006-20712006-0032DSA-109720671RHSA-2006:0579RHSA-2006:0580MDKSA-2006:12321045RHSA-2006:043721136RHSA-2006:057521465MDKSA-2006:15021983DSA-1184220932241720061113 VMSA-2006-0006 - VMware ESX Server 2.5.3 Upgrade Patch 420061113 VMSA-2006-0005 - VMware ESX Server 2.5.4 Upgrade Patch 120061113 VMSA-2006-0007 - VMware ESX Server 2.1.3 Upgrade Patch 220061113 VMSA-2006-0008 - VMware ESX Server 2.0.2 Upgrade Patch 2ADV-2006-450222875 29841MDKSA-2006:123MDKSA-2006:150Cross-site scripting (XSS) vulnerability in VeriSign haydn.exe, as used in Managed PKI (MPKI) 6.0, allows remote attackers to inject arbitrary web script or HTML via a javascript URI in the VHTML_FILE parameter.20060320 CORE-2006-0124: Cross-Site Scripting in Verisign?s haydn.exe CGI script17170ADV-2006-10841015813verisign-haydn-xss(25349)614polls.php in MyBB (aka MyBulletinBoard) 1.10 allows remote attackers to obtain sensitive information via a vote action with an "option[]=null" parameter value, which reveals the path in an error message.20060317 MyBB 1.10 Full Path Disclosuremybb-polls-path-disclosure(25337)Directory traversal vulnerability in inc/setLang.php in Greg Neustaetter gCards 1.45 and earlier allows remote attackers to include and execute arbitrary local files via directory traversal sequences in a lang[*][file] parameter, as demonstrated by injecting PHP sequences into an Apache access_log file, which is then included by index.php.17165ADV-2006-101519322[VIM] 20060414 Provable vendor ACK for gcards issues24016SQL injection vulnerability in loginfunction.php in Greg Neustaetter gCards 1.45 and earlier allows remote attackers to execute arbitrary SQL commands via the username parameter.Vulnerability can only be exploited if the "magic_quotes_gpc" parameter is set to Off.ii) also we have SQL injection...17165ADV-2006-101519322gcards-loginfunction-sql-injection(25344)[VIM] 20060414 Provable vendor ACK for gcards issues24017Cross-site scripting (XSS) vulnerability in index.php in Greg Neustaetter gCards 1.45 and earlier allows remote attackers to inject arbitrary web script or HTML via the lang[*][file] parameter, which is injected into an error message. NOTE: this issue might be resultant from CVE-2006-1346.iii)xss:17165ADV-2006-10152401819322gcards-incsetlang-xss(25343)[VIM] 20060414 Provable vendor ACK for gcards issuesMultiple cross-site scripting (XSS) vulnerabilities in Musicbox 2.3 Beta 2 allow remote attackers to inject arbitrary web script or HTML via the (1) id and (2) type and (3) show parameters in a top action in (a) index.php; and the (4) message1 parameter in (b) cart.php.171492396723968musicbox-index-cart-xss(25525)20060324 XSS & SQL Injection in Music Box v2.320060724 MusicBox <= 2.3.4 XSS SQL injection Vulnerabilitymusicbox-multiple-xss(27925)PHP remote file include vulnerability in index.php in 99Articles.com (aka ArticlesOne.com) Free articles directory allows remote attackers to include and execute arbitrary PHP code via a URL in the page parameter.20060321 Free Articles Directory Remote Command ExucetionADV-2006-10371932017183freearticlesdirectory-index-file-include(25378)[VIM] 20060322 Free Articles Directory - file inclusion, code execution?24024616BEA WebLogic Server 6.1 SP7 and earlier allows remote attackers to read arbitrary files via unknown attack vectors related to a "default internal servlet" accessed through HTTP.(BEA06-120.00)17166ADV-2006-1021193101015792weblogic-server-default-servlet(25347)BEA WebLogic Server and WebLogic Express 8.1 SP4 and earlier, 7.0 SP6 and earlier, and WebLogic Server 6.1 SP7 and earlier allow remote attackers to cause a denial of service (memory exhaustion) via crafted non-canonicalized XML documents.17167ADV-2006-1021193101015790weblogic-xml-parser-dos(25348)Multiple SQL injection vulnerabilities in ASPPortal 3.1.1 and earlier allow remote attackers to execute arbitrary SQL commands via (1) the downloadid parameter in download_click.asp and (2) content_ID parameter in news/News_Item.asp; authenticated administrators can also conduct attacks via (3) user_id parameter to users/add_edit_user.asp, (4) bannerid parameter to banner_adds/banner_add_edit.asp, (5) cat_id parameter to categories/add_edit_cat.asp, (6) Content_ID parameter to News/add_edit_news.asp, (7) download_id parameter to downloads/add_edit_download.asp, (8) Poll_ID parameter to poll/add_edit_poll.asp, (9) contactid parameter to contactus/contactus_add_edit.asp, (10) sortby parameter to poll/poll_list.asp, and (11) unspecified inputs to downloads/add_edit_download.asp.ADV-2006-1014192861717424020240842408524086240872408824089240902409124092aspportal-downloadclick-sql-injection(25346)20060321 ASPPortal <= 3.1.1 Multiple Remote SQL Injection Vulnerabilities20060322 Re: [SPAM:] - ASPPortal <= 3.1.1 Multiple Remote SQL Injection Vulnerabilities - Email has different SMTP TO: and MIME TO: fields in the email addresses20060321 ASPPortal <= 3.1.1 Multiple Remote SQL Injection Vulnerabilities20060322 Re: [SPAM:] - ASPPortal <= 3.1.1 Multiple Remote SQL Injection Vulnerabilities - Email has different SMTP TO: and MIME TO: fields in the email addresses608Unspecified vulnerability in FreeRADIUS 1.0.0 up to 1.1.0 allows remote attackers to bypass authentication or cause a denial of service (server crash) via "Insufficient input validation" in the EAP-MSCHAPv2 state machine module.ADV-2006-101619300MDKSA-2006:060SUSE-SA:2006:019171711015795194052006-0020freeradius-eap-mschapv2-auth-bypass(25352)GLSA-200604-03RHSA-2006:0271195181952720060404-01-U19811DSA-108920461MDKSA-2006:060avast! Antivirus 4.6.763 and earlier sets "BUILTIN\Everyone" permissions to critical system files in the installation folder, which allows local users to gain privileges or disable protection by modifying those files.ADV-2006-10111928417158avast-files-bypass-authorization(25336)Stack-based buffer overflow in the count_vcards function in LibVC 3, as used in Rolo, allows user-assisted attackers to execute arbitrary code via a vCard file (e.g. contacts.vcf) containing a long line.239851723719295libvc-vc-bo(25430)Cross-site scripting (XSS) vulnerability in my.support.php3 in F5 Firepass 4100 SSL VPN 5.4.2 allows remote attackers to inject arbitrary web script or HTML via the s parameter.20060321 XSS in Firepass 4100 SSL VPN v.5.4.2 (and probably others)17175ADV-2006-1036101579819337firepass-mysupport-xss(25393)611Unspecified vulnerability in BEA WebLogic Portal 8.1 up to SP5 causes a JSR-168 Portlet to be retrieved from the cache for the wrong session, which might allow one user to see a Portlet of another user.ADV-2006-102219308171641015791weblogic-portal-portlet-disclosure(25345)Microsoft Internet Explorer 6 and 7 Beta 2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a certain createTextRange call on a checkbox object, which results in a dereference of an invalid table pointer.20060322 IE crash17196ADV-2006-105018680VU#87667820060322 Microsoft Internet Explorer (mshtml.dll) - Remote Code Execution20060328 EEYE: Temporary workaround for IE createTextRange vulnerability240501015812ie-createtextrange-command-execution(25379)20060323 Secunia Research: Microsoft Internet Explorer "createTextRange()"Code ExecutionMS06-013TA06-101AADV-2006-131820060322 FW: [Full-disclosure] IE crash20060322 IE crash20060322 Microsoft Internet Explorer (mshtml.dll) - Remote Code Execution20060327 Determina Fix for the IE createTextRange() bugQ-154oval:org.mitre.oval:def:1178oval:org.mitre.oval:def:1657oval:org.mitre.oval:def:1678oval:org.mitre.oval:def:1702oval:org.mitre.oval:def:98520060328 Determina Fix for CVE-2006-1359 (Zero Day MS Internet Explorer Remote "CreateTextRange()" Code Execution)Multiple SQL injection vulnerabilities in MusicBox 2.3 Beta 2 allow remote attckers to execute arbitrary SQL commands via the (1) id, (2) type, or (3) show parameter to (a) index.php; or the (4) message1 or (5) message parameter to (b) cart.php.1714920060324 XSS & SQL Injection in Music Box v2.320060724 MusicBox <= 2.3.4 XSS SQL injection Vulnerabilitymusicbox-multiple-sql-injection(27926)Cross-site scripting (XSS) vulnerability in OSWiki before 0.3.1 allows remote attackers to inject arbitrary web script or HTML via the username field to (1) list.rhtml or (2) show.rhtml.This vulnerability is addressed in the following product release: OSWiki, OSWiki, 0.3.1ADV-2006-10351929017189oswiki-username-xss(25410)Multiple SQL injection vulnerabilities in Mini-Nuke CMS System 1.8.2 and earlier allow remote attackers to execute arbitrary SQL commands via (1) the uid parameter in (a) members.asp, the (2) catid parameter in (b) articles.asp and (c) programs.asp, and the (3) id parameter in (d) hpages.asp and (e) forum.asp. NOTE: The pages.asp/id vector is already covered by CVE-2006-0870.20060321 Mini-Nuke<=1.8.2 SQL injection18439mininuke-multiple-sql-injection(25372)617images.php in Justin White (aka YTZ) Free Web Publishing System (FreeWPS) 2.11 allows remote attackers to execute arbitrary PHP code by uploading a .php file into the /upload directory as specified in the dirPath parameter, then performing a direct request to that file.freewps 2.11 exploitADV-2006-103819343freewps-images-file-include(25377)Microsoft w3wp (aka w3wp.exe) does not properly handle when the AspCompat directive is not used when referencing COM components in ASP.NET, which allows remote attackers to cause a denial of service (resource consumption or crash) by repeatedly requesting each of several documents that refer to COM components, or are restricted documents located under the ASP.NET application path.w3wp-dos.c1718820060322 w3wp remote DoS20060322 w3wp remote DoS20060322 w3wp remote DoS due to improper reference of STA COM components in ASP.NET1015825ms-aspnet-w3wp-dos(25392)The Motorola PEBL U6, the Motorola V600, and possibly the Motorola E398 and other Motorola phones allow remote attackers to add an entry for their own Bluetooth device to a target device's list of trusted devices (aka Device History), and possibly obtain AT level access to the target device, by initiating and interrupting an OBEX Push Profile that pretends to send a vCard, aka a "HeloMoto" attack.20060321 DMA[2006-0321a] - 'Motorola P2K Platform setpath() overflow and Blueline attack'Buffer overflow in the Motorola PEBL U6 08.83.76R, and possibly other Motorola P2K-based phones, allows remote attackers to cause a denial of service (device shutdown), and possibly execute arbitrary code, via a long OBEX setpath to the OBEX File Transfer (aka FTP) service on Bluetooth channel 9.Arbitrary code execution may also be possible, but has not been confirmed. This vulnerability may affect other versions of Motorola P2K-based phones.20060321 DMA[2006-0321a] - 'Motorola P2K Platform setpath() overflow and Blueline attack'DMA[2006-0321a]17185ADV-2006-104519319motorola-peblu6-v600-obex-bo(25401)20060321 DMA[2006-0321a] - 'Motorola P2K Platform setpath() overflow and Blueline attack'The Motorola PEBL U6 08.83.76R, the Motorola V600, and possibly the Motorola E398 and other Motorola P2K-based phones does not require pairing for a connection related to the Headset Audio Gateway service, which allows user-assisted remote attackers to obtain AT level access and view phonebook entries and saved SMS messages by connecting on Bluetooth channel 3 and tricking the user into pressing Grant, aka a "Blueline" attack. NOTE: while user-assisted, the attack is made more feasible because of a GUI misrepresentation issue that allows a default message to be replaced by an attacker-specified one.20060321 DMA[2006-0321a] - 'Motorola P2K Platform setpath() overflow and Blueline attack'17190ADV-2006-10451931920060321 DMA[2006-0321a] - 'Motorola P2K Platform setpath() overflow and Blueline attack'motorola-peblu6-v600-name-spoofing(25402)Buffer overflow in the USB Gadget RNDIS implementation in the Linux kernel before 2.6.16 allows remote attackers to cause a denial of service (kmalloc'd memory corruption) via a remote NDIS response to OID_GEN_SUPPORTED_LIST, which causes memory to be allocated for the reply data but not the reply structure.Update to version 2.6.16.19330ADV-2006-1046USN-281-11783119955DSA-109720671DSA-1103ADV-2006-255420914MDKSA-2006:12321045MDKSA-2006:123Cross-site scripting (XSS) vulnerability in Invision Power Board (IPB) 2.1.5 and earlier before 20060308 allows remote attackers to inject arbitrary web script or HTML via a Private Message (PM) in certain circumstances.Update to version 2.1.5 (2006-03-08 or later).17187ADV-2006-104419299invision-privatemessage-xss(25384)Buffer overflow in RealNetworks RealPlayer 10.5 6.0.12.1040 through 6.0.12.1348, RealPlayer 10, RealOne Player v2, RealOne Player v1, RealPlayer 8, and RealPlayer Enterprise before 20060322 allows remote attackers to have an unknown impact via a malicious Mimio boardCast (mbc) file.This vulnerability affects all versions of RealNetworks, RealPlayer from 10.5 v6.0.12.1040 through 10.5 v6.0.12.1348. RealNetworks Releases Product Updates.17202ADV-2006-1057193581015810VU#451556realnetworks-mbc-bo(25411)Laurentiu Matei eXpandable Home Page (XHP) CMS 0.5 and earlier allows remote authenticated users to use the HTMLArea FileManager plugin to upload and execute arbitrary PHP files using (1) manager.php, (2) standalonemanager.php, and (3) images.php.Exploit 605ADV-2006-105219353[VIM] 20060324 XHP vendor ack/fix17209xhpcms-filemanager-file-include(25399)2405824059Multiple SQL injection vulnerabilities in 1WebCalendar 4.0 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) EventID parameter in viewEvent.cfm, (2) NewsID parameter in newsView.cfm, or (3) ThisDate parameter in mainCal.cfm.1WebCalendar v 4.x vuln. ADV-2006-104019329171932402124022240231webcalendar-multiple-sql-injection(25373)Cross-site scripting (XSS) vulnerability in status_image.php in PHP Live! 3.0 allows remote attackers to inject arbitrary web script or HTML via the base_url parameter.20060322 PHP Live! XSS status_image.php17184ADV-2006-105419340phplive-statusimage-xss(25386)SQL injection vulnerability in viewStatement.php in AdMan 1.0.20051221 and earlier allows remote attackers to execute arbitrary SQL commands via the transactions_offset parameter.AdMan v1.0.x SQL vuln ADV-2006-1071193511720824064adman-viewstatement-sql-injection(25403)AdMan 1.0.20051221 and earlier allows remote attackers to obtain the full path via (1) a blank campaignId parameter to editCampaign.php and (2) a blank schemeId parameter to viewPricingScheme.php.ADV-2006-1071193512406524066adman-multiple-path-disclosure(25404)The installation of Debian GNU/Linux 3.1r1 from the network install CD creates /var/log/debian-installer/cdebconf with world writable permissions, which allows local users to cause a denial of service (disk consumption).19331debian-cdebconf-world-writable(25526)Cross-site scripting (XSS) vulnerability in img.php in (1) EasyMoblog 0.5.1 and (2) CoMoblog 1.1 allows remote attackers to inject arbitrary web script or HTML via the i parameter.20060323 [KAPDA::#37] - CoMoblog XSSCoMoblog & EasyMoblog XSS1720117199ADV-2006-1086ADV-2006-108710158241937019379comoblog-img-xss(25416)easymoblog-img-xss(25420)2409324094PasswordSafe 3.0 beta, when running on Windows before XP, uses a weak random number generator (C++ rand function) during generation of the database encryption key, which makes it easier for attackers to decrypt the database and steal passwords by generating keys for all possible rand() seed values and conducting a known plaintext attack.This vulnerability exists only in Windows OS environments before XP. For some reason it would not let me notate that in the "vulnerable software" section.20060323 PasswordSafe 3.0 weak random number generator allows key recovery attack17200passwordsafe-key-brute-force(25429)20060907 Re: PasswordSafe 3.0 weak random number generator allows key recovery attack618Trend Micro PC-cillin Internet Security 2006 14.00.1485 and 14.10.0.1023, uses insecure DACLs for critical files, which allows local users to gain SYSTEM privileges by modifying executable programs such as (1) tmntsrv.exe and (2) tmproxy.exe.vulnerability (privilege escalation) in Trend Micro Officescan/PCCillin and IMSSADV-2006-104219282ISNTSmtp directory in Trend Micro InterScan Messaging Security Suite (IMSS) 5.5 build 1183 and possibly other versions before 5.7.0.1121, uses insecure DACLs for critical files, which allows local users to gain SYSTEM privileges by modifying ISNTSysMonitor.exe.ADV-2006-104119022 imss-isntsmtp-directory-permissions(25415)Trend Micro OfficeScan 5.5, and probably other versions before 6.5, uses insecure DACLs for critical files, which allows local users to gain SYSTEM privileges by modifying tmlisten.exe.ADV-2006-104111576 imss-isntsmtp-directory-permissions(25415)PHP remote file inclusion vulnerability in impex/ImpExData.php in vBulletin ImpEx module 1.74, when register_globals is disabled, allows remote attackers to include arbitrary files via the systempath parameter.20060323 XOR Crew :: vBulletin ImpEx <= 1.74 - Remote Command Execution VulnerabilityADV-2006-10561935217206impex-impexdata-file-include(25391)24070 20070504 Remote File Include In Script impex impex-systempath-file-include(34095)Directory traversal vulnerability in Baby FTP Server (BabyFTP) 1.24 allows remote authenticated users to determine existence of files outside the intended document root via unspecified manipulations, which generate different error messages depending on whether a file exists or not.ADV-2006-1069193381720524057 baby-ftp-information-disclosure(25413)Cross-site scripting (XSS) vulnerability in apwc_win_main.jsp in the web console in IBM Tivoli Business Systems Manager (TBSM) before 3.1.0.1 allows remote attackers to inject arbitrary web script or HTML via the skin parameter.OA14904ADV-2006-10731933217210240691015822tivoli-bsm-skin-xss(25412)Stack-based buffer overflow in the parseTaggedData function in WavePacket.mm in KisMAC R54 through R73p allows remote attackers to execute arbitrary code via multiple SSIDs in a Cisco vendor tag in a 802.11 management frame.Update to version R73p.20060323 Advisory 03/2006: KisMAC Cisco Vendor Tag Encapsulated SSID Overflow17198ADV-2006-10701935424072kismac-80211-gain-access(25422) 20060323 Advisory 03/2006: KisMAC Cisco Vendor Tag Encapsulated SSID Overflow609The (1) rdiff and (2) preview scripts in TWiki 4.0 and 4.0.1 ignore access control settings, which allows remote attackers to read restricted areas and access restricted content in TWiki topics.17268ADV-2006-1116101584319410twiki-restricted-content-access(25444)TWiki 4.0, 4.0.1, and 20010901 through 20040904 allows remote authenticated users with edit rights to cause a denial of service (infinite recursion leading to CPU and memory consumption) via INCLUDE by URL statements that form a loop, such as a page that includes itself.17267ADV-2006-111619410twiki-include-edit-dos(25445)Unspecified vulnerability in Microsoft Internet Explorer 6.0 allows remote attackers to execute HTA files via unknown vectors.171811015800ie-hta-file-execution(25394)2409519378MS06-013TA06-101AVU#434641ADV-2006-131820060321 IE .hta vulnerability reportedoval:org.mitre.oval:def:1591oval:org.mitre.oval:def:1642oval:org.mitre.oval:def:1676oval:org.mitre.oval:def:1724oval:org.mitre.oval:def:1774Unspecified vulnerability in swagentd in HP-UX B.11.00, B.11.04, and B.11.11 allows remote attackers to cause a denial of service (application crash) via unspecified vectors.HPSBUX0210517215ADV-2006-10891015819193731939524097hpux-swagentd-dos(25421)oval:org.mitre.oval:def:1031oval:org.mitre.oval:def:312oval:org.mitre.oval:def:616The configuration of NetHack 3.4.3-r1 and earlier, Falcon's Eye 1.9.4a and earlier, and Slash'EM 0.0.760 and earlier on Gentoo Linux allows local users in the games group to modify saved games files to execute arbitrary code via buffer overflows and overwrite arbitrary files via symlink attacks.This vulnerability applies only to the following games/versions: 1) NetHack 3.4.3-r1 and previous 2) Falcon's Eye 1.9.4a and previous 3) Slash'EM 0.0.760 and previousBug#: 122376 Bug#: 125902 Bug#: 127167 Bug#: 127319 GLSA-200603-23172171937620060324 Re: [ GLSA 200603-23 ] NetHack, Slash%27EM, Falcon%27s Eye: Local privilege escalation20060324 Re: [ GLSA 200603-23 ] NetHack, Slash%27EM, Falcon%27s Eye: Localprivilege escalationgentoo-multiple-games-privilege-escalation(25528)24104The (a) Quick 'n Easy Web Server before 3.1.1 and (b) Baby ASP Web Server 2.7.2 allows remote attackers to obtain the source code of ASP files via (1) . (dot) and (2) space characters in the extension of a URL.20060324 Secunia Research: Quick 'n Easy/Baby Web Server ASP CodeDisclosure Vulnerability17222ADV-2006-1085ADV-2006-108824100193061931224099baby-web-asp-disclosure(25417)quickneasy-web-asp-disclosure(25418)624Multiple cross-site scripting (XSS) vulnerabilities in index.cgi in the login server in University of Washington Pubcookie 3.0.0, 3.1.0, 3.1.1, 3.2 before 3.2.1b, and 3.3 before 3.3.0a allow remote attackers to inject arbitrary web script or HTML via unspecified inputs.VU#33758519348pubcookie-login-server-xss(25427)1722124521Multiple cross-site scripting (XSS) vulnerabilities in the mod_pubcookie Apache application server module in University of Washington Pubcookie 1.x, 3.0.0, 3.1.0, 3.1.1, 3.2 before 3.2.1b, and 3.3 before 3.3.0a allow remote attackers to inject arbitrary web script or HTML via unspecified attack vectors.VU#31454019348pubcookie-appserver-module-xss(25426)1722124103Multiple cross-site scripting (XSS) vulnerabilities in the Microsoft IIS ISAPI filter (aka application server module) in University of Washington Pubcookie 3.1.0, 3.1.1, 3.2 before 3.2.1b, and 3.3 before 3.3.0a allow remote attackers to inject arbitrary web script or HTML via unspecified attack vectors.VU#314540172212452019348SQL injection vulnerability in mb.cgi in Cholod MySQL Based Message Board allows remote attackers to execute arbitrary SQL commands via unspecified vectors in a showmessage action, possibly the username parameter. NOTE: the provenance of this information is unknown; the details are obtained from third party information.17224ADV-2006-115319439cholod-mb-sql-injection(25520)Multiple cross-site scripting (XSS) vulnerabilities in Cholod MySQL Based Message Board allow remote attackers to inject arbitrary web script or HTML via unknown vectors. NOTE: the provenance of this information is unknown; the details are obtained from third party information.17223ADV-2006-115319439cholod-mb-xss(25518)Multiple cross-site scripting (XSS) vulnerabilities in (a) phpAdsNew and (b) phpPgAds before 2.0.8 allow remote attackers to inject arbitrary web script or HTML via the (1) certain parameters to the banner delivery module, which is not properly handled in the administrator interface, or (2) certain parameters to the login form.20060327 [PHPADSNEW-SA-2006-001] phpAdsNew and phpPgAds 2.0.8 fix multiple vulnerabilities17251ADV-2006-110710158291015828193842420524206phpadsnew-login-banner-xss(25458)633Cross-site scripting (XSS) vulnerability in guestbook.php in G-Book 1.0 allows remote attackers to inject arbitrary web script or HTML via the g_message parameter.20060327 HYSA-2006-006 G-Book 1.0 XSS And Other Vulnerabilities17253ADV-2006-110019414241411015830gbook-guestbook-xss(25475)634Cross-site scripting (XSS) vulnerability in searchresult.php in Meeting Reserve 1.0 beta allows remote attackers to inject arbitrary web script or HTML via the search_term parameter. NOTE: the provenance of this information is unknown; the details are obtained from third party information.17256ADV-2006-111019372meeting-reserve-searchresult-xss(25432)24162Cross-site scripting (XSS) vulnerability in MyTasks/PersonalTaskEdit.asp in Metisware Instructor 1.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the Task parameter.17234ADV-2006-11121938524139metisware-instructor-personaltaskcreate-xss(25490)Multiple cross-site scripting (XSS) vulnerabilities in search.php in Calendar Express 2.2 allow remote attackers to inject arbitrary web script or HTML via the (1) allwords or (2) oneword parameter. NOTE: the provenance of this information is unknown; the details are obtained from third party information.17240ADV-2006-11091939324161calendarexpress-search-xss(25467)Buffer overflow in client/server Doom (csDoom) 0.7 and earlier allows remote attackers to (1) cause a denial of service via a long nickname or teamname to the SV_SetupUserInfo function or (2) execute arbitrary code via a long string sent when joining a match or a long chat message to the SV_BroadcastPrintf function.17248ADV-2006-110519389csdoom-sv-broadcastprintf-bo(25448)csdoom-sv-setupuserinfo-bo(25449)Format string vulnerability in the PrintString function in c_console.cpp in client/server Doom (csDoom) 0.7 and earlier allows remote attackers cause a denial of service and possibly execute arbitrary commands via format string specifiers in strings passed to the console.csdoombof-advn/a17248ADV-2006-110519389csdoom-printf-format-string(25450)Multiple cross-site scripting (XSS) vulnerabilities in bol.cgi in BlankOL 1.0 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) file or (2) function parameter.ADV-2006-1111193871726524124blankol-bol-xss(25488)Cross-site scripting (XSS) vulnerability in search.aspx in SweetSuite.NET Content Management System (ssCMS) 2.1.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the keywords parameter.ADV-2006-1097241201939917254sscms-search-xss(25452)Multiple cross-site scripting (XSS) vulnerabilities in wbadmlog.aspx in uniForum 4.0 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) txtuser or (2) txtpassword parameters.17245ADV-2006-11012412319397uniforum-wbadmlog-xss(25433)Multiple cross-site scripting (XSS) vulnerabilities in Helm Web Hosting Control Panel 3.2.10 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) txtDomainName parameter to domains.asp or (2) SearchText or (3) UserLevel parameters to default.asp.These issues are reportedly fixed by the vendor. Version 3.2.10-stable will contain these fixes when it is released. Contact the vendor for further information on obtaining fixes.17263ADV-2006-109319375[VIM] 20060327 Helm Control Panel followup24125helm-domainsdefault-xss(25470)24126 helm-domainsusersdefaault-xss(30309)Vavoom 1.19.1 and earlier allows remote attackers to cause a denial of service (infinite loop) via (1) a packet with no data or (2) a large packet, which prevents Vavoom from discarding the packet from the socket.17261ADV-2006-110419388vavoom-fionread-dos(25454)Buffer overflow in Vavoom 1.19.1 and earlier allows remote attackers to cause a denial of service (application crash) via an invalid comprLength value in a compressed packet.17261ADV-2006-110419388vavoom-comprlength-bo(25455)Multiple cross-site scripting (XSS) vulnerabilities in XIGLA Absolute Live Support XE 2.0 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) Screen name or (2) Session Topic field.17258ADV-2006-109919415absolutelivesupport-register-xss(25434) 24131Cross-site scripting (XSS) vulnerability in Absolute Image Gallery XE 2.0 and earlier allows remote attackers to inject arbitrary web script or HTML via (1) the shownew parameter in gallery.asp and (2) unspecified search module parameters.ADV-2006-1103absolute-gallery-xss(25466)18712 24214TFT Gallery 0.10 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the admin password file and obtain password hashes via a direct request to admin/passwd.ADV-2006-11151941117250tftgallery-passwd-disclosure(25465)20061204 Multiple bugs in TFT-Gallery20061204 Re: Multiple bugs in TFT-GalleryMultiple cross-site scripting (XSS) vulnerabilities in EZHomepagePro 1.5 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) adid or (2) aname parameter in (a) common/email.asp, (b) users/users_search.asp, or (c) users/users_profiles.asp; (3) page parameter in (d) users/users_calendar.asp; (4) usid parameter in (e) users/users_mgallery.asp; or (5) m parameter in (f) users/users_search.asp.17236ADV-2006-1094241322413324136241352413419386ezhomepagepro-multiple-xss(25468)Multiple cross-site scripting (XSS) vulnerabilities in toast.asp in Toast Forums 1.6 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) author, (2) subject, (3) message, or (4) dayprune parameter.17249ADV-2006-10922411919401toastforums-toast-xss(25440)Cross-site scripting (XSS) vulnerability in iforget.aspx in dotNetBB 2.42EC SP 3 and earlier allows remote attackers to inject arbitrary web script or HTML via the em parameter.17246ADV-2006-10982412219398dotnetbb-iforget-xss(25462)Cross-site scripting (XSS) vulnerability in afmsearch.aspx in Absolute FAQ Manager .NET 4.0 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified search module parameters, possibly the question parameter.ADV-2006-1096193961724224127absolutefaqmanager-search-xss(25463)Multiple cross-site scripting (XSS) vulnerabilities in Caloris Planitia Online Quiz System (aka Web Quiz pro), possibly 1.0, allow remote attackers to inject arbitrary web script or HTML via the (1) exam parameter in prequiz.asp or (2) msg parameter in student.asp.Web Quiz pro XSS vuln.ADV-2006-109119416172552412924130webquiz-multiple-xss(25431)Cross-site scripting (XSS) vulnerability in default.asp in Caloris Planitia E-School Management System 1.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the msg parameter.A new version of School Management System was released on May 28, 2006.E-School Management System XSS vuln.ADV-2006-10951938117257eschoolmanagementsystem-default-xss(25469)24128SQL injection vulnerability in the Calendar module in nuked-klan 1.7.5 and earlier allows remote attackers to execute arbitrary SQL commands via the m parameter to index.php.20060326 nuked-klan<=1.7.5 SQL Injection17233ADV-2006-113419382nuked-klan-calendar-sql-injection(25446)24204632SQL injection vulnerability in print.php in SaphpLesson 2.0 allows remote attackers to execute arbitrary SQL commands via the lessid parameter.20060325 SQL Injection in SaphpLesson2.017239saphplesson-print-sql-injection(25453)24254629Multiple SQL injection vulnerabilities in akocomment.php in AkoComment 2.0 module for Mambo, with magic_quotes_gpc disabled, allow remote attackers to execute arbitrary SQL commands via the (1) acname or (2) contentid parameter.20060326 AkoComment SQL injection vulnerability17241ADV-2006-113619392akocomment-akocomment-sql-injection(25451)24209631SQL injection vulnerability in details_view.php in PHP Booking Calendar 1.0c and earlier allows remote attackers to execute arbitrary SQL commands via the event_id parameter.exploit 161017230phpbookingcal-detailsview-sql-injection(25580)SQL injection vulnerability in showflat.php in UBB.threads 5.5.1, 6.0 br5, 6.0.1, 6.0.2, and earlier, allows remote attackers to execute arbitrary SQL commands via the Number parameter.20060325 UBBThreads<=5.5.1+6.0.2+6.0 br5+6.0.1 SQL injection628** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2006-1482. Reason: This candidate is a duplicate of CVE-2006-1482. Notes: All CVE users should reference CVE-2006-1482 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.Cross-site scripting (XSS) vulnerability in track.php in phpmyfamily 1.4.1 allows remote attackers to inject arbitrary web script or HTML via the name parameter.20060327 HYSA-2006-007 phpmyfamily 1.4.1 CRLF injection & XSS20060327 HYSA-2006-007 phpmyfamily 1.4.1 CRLF injection &17278ADV-2006-11302416619409phpmyfamily-track-xss(25476)636Multiple SQL injection vulnerabilities in Pixel Motion Blog allow remote attackers to execute arbitrary SQL commands via the (1) date parameter in index.php or bypass authentication via the (2) password parameter in admin/index.php.20060327 Blog Pixel Motion<=1.xx Authentication Bypass Vulnerability & SQL injection17260ADV-2006-1135194212416824169pixelmotionblog-adminindex-security-bypass(25478)pixelmotionblog-index-sql-injection(25481)Multiple cross-site scripting (XSS) vulnerabilities in WebAPP 0.9.9.3.2 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) action, (2) id, (3) num, (4) board, (5) cat, (6) real, (7) viewcat, (8) img, or (9) curcatname parameter in cgi-bin/index.cgi, or (10) vsSD parameter in /mods/calendar/index.cgi.ADV-2006-11022427824279webapp-index-xss(25435)1735919506Multiple cross-site scripting (XSS) vulnerabilities in phpCOIN 1.2.2 and earlier allow remote attackers to inject arbitrary web script or HTML via the fs parameter to (1) mod.php or (2) mod_print.php.ADV-2006-112919419172792418824189phpcoin-multiple-xss(25492)Cross-site scripting (XSS) vulnerability in accountlogon.cfm in classifiedZONE 1.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the rtn parameter.17273ADV-2006-11321942724187classifiedzone-accountlogon-xss(25494)Multiple cross-site scripting (XSS) vulnerabilities in CONTROLzx HMS (formerly DRZES) 3.3.4 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) dedicatedPlanID parameter to dedicated_order.php, (2) sharedPlanID parameter to shared_order.php, (3) plan_id parameter to customers/server_management.php, and (4) email field to customers/forgotpass.php.17282ADV-2006-11312417524174241762417319432controlzshms-multiple-scripts-xss(25491)Cross-site scripting (XSS) vulnerability in local.cfm in fusionZONE couponZONE 4.2 allows remote attackers to inject arbitrary web script or HTML via URL-encoded (1) srchfor and (2) srchby parameters.17272ADV-2006-11271943024180couponzone-local-xss(25484)fusionZONE couponZONE 4.2 allows remote attackers to obtain the full path of the web server, and other sensitive information, via invalid values, as demonstrated using manipulations associated with SQL.couponzone-local-path-disclosure(25486)Annuaire (Directory) 1.0 allows remote attackers to obtain sensitive information via a direct request to include/lang-en.php, which reveals the full installation path.2430219548annuaire-includelangen-path-disclosure(25668)Cross-site scripting (XSS) vulnerability in inscription.php in Annuaire (Directory) 1.0 allows remote attackers to inject arbitrary web script or HTML via the Comment Field (COMMENTAIRE parameter).243031954817393annuaire-inscription-xss(25669)Cross-site scripting (XSS) vulnerability in genmessage.php in Accounting Receiving and Inventory Administration (ARIA) 0.99-6 allows remote attackers to inject arbitrary web script or HTML via the Message Field (message parameter).242551955117411aria-genmessage-xss(25688)Multiple cross-site scripting (XSS) vulnerabilities in UPOINT @1 Event Publisher allow remote attackers to inject arbitrary web script or HTML via the (1) Event, (2) Description, (3) Time, (4) Website, and (5) Public Remarks fields to (a) eventpublisher_admin.htm and (b) eventpublisher_usersubmit.htm.24235242361764619727UPOINT @1 Event Publisher stores sensitive information under the web document root with insufifcient access control, which allows remote attackers to read private comments via a direct request to eventpublisher.txt.242371764719727Multiple cross-site scripting (XSS) vulnerabilities in Andy's PHP Knowledgebase (aphpkb) 0.57 allow remote attackers to inject arbitrary web script or HTML via the (1) keyword_list parameter to (a) index.php; (2) title, (3) article, (4) author, and (5) keywords parameters to (b) submit_article.php; and (6) Question, (7) Name, and (8) Email parameters to (c) submit_question.php.2431024311243121737719554aphpkb-multiple-scripts-xss(25666)NSSecureTextField in AppKit in Apple Mac OS X 10.4.6 does not re-enable secure event input under certain circumstances, which could allow other applications in the window session to monitor input characters and keyboard events.This vulnerability is addressed in the following product release: Apple, Mac OS X, 10.4.6 (2006-003)APPLE-SA-2006-05-11TA06-132A2007717951ADV-2006-177925583macos-appkit-nssecuretext-weak-security(26404)BOM in Apple Mac OS X 10.3.9 and 10.4.6 allows attackers to overwrite arbitrary files via an archive that contains symbolic links.This vulnerability is addressed in the following product release: Apple, Mac OS X, 10.4.6 (2006-003)APPLE-SA-2006-05-11TA06-132A20077179511016082ADV-2006-177925584 macos-bom-archive-file-overwrite(26405)Integer overflow in CFNetwork in Apple Mac OS X 10.4.6 allows remote attackers to execute arbitrary code via crafted chunked transfer encoding.This vulnerability is addressed in the following product release: Apple, Mac OS X, 10.4.6 (2006-003)APPLE-SA-2006-05-11TA06-132A20077179511016082ADV-2006-177925585 macos-cfnetwork-chunked-overlow(26406)The bundle API in CoreFoundation in Apple Mac OS X 10.3.9 and 10.4.6 loads dynamic libraries even if the client application has not directly requested it, which allows attackers to execute arbitrary code from an untrusted bundle.This vulnerability is addressed in the following product release: Apple, Mac OS X, 10.4.6 (2006-003)APPLE-SA-2006-05-11TA06-132A20077179511016080ADV-2006-177925586 macos-corefoundation-bundle-code-execution(26407)Integer underflow in CoreFoundation in Apple Mac OS X 10.3.9 and 10.4.6 allows context-dependent attackers to execute arbitrary code via unspecified vectors involving conversions from string to file system representation within (1) CFStringGetFileSystemRepresentation or (2) getFileSystemRepresentation:maxLength:withPath in NSFileManager, and possibly other similar API functions.This vulnerability is addressed in the following product release: Apple, Mac OS X, 10.4.6 (2006-003)APPLE-SA-2006-05-11TA06-132A20077179511016080ADV-2006-177925587 macos-corefoundation-integer-underflow(26408)CoreGraphics in Apple Mac OS X 10.4.6, when "Enable access for assistive devices" is on, allows an application to bypass restrictions for secure event input and read certain events from other applications in the same window session by using Quartz Event Services.Successful exploitation requires that "Enable access for assistive devices" is on. This vulnerability is addressed in the following product release: Apple, Mac OS X, 10.4.6 (2006-003)APPLE-SA-2006-05-11TA06-132A10160792007717951ADV-2006-177925588 macos-coregraphics-quartz-security-bypass(26409)Buffer overflow in the FTP server (FTPServer) in Apple Mac OS X 10.3.9 and 10.4.6 allows remote authenticated users to execute arbitrary code via vectors related to "FTP server path name handling."This vulnerability is addressed in the following product release: Apple, Mac OS X, 10.4.6 (2006-003)APPLE-SA-2006-05-11TA06-132A20077179511016084ADV-2006-1779macos-ftpserver-code-execution(26411)25589Keychain in Apple Mac OS X 10.3.9 and 10.4.6 might allow an application to bypass a locked Keychain by first obtaining a reference to the Keychain when it is unlocked, then reusing that reference after the Keychain has been locked.This vulnerability is addressed in the following product release: Apple, Mac OS X, 10.4.6 (2006-003)APPLE-SA-2006-05-11TA06-132A20077179511016072ADV-2006-1779macos-keychain-security-bypass(26413)25590LaunchServices in Apple Mac OS X 10.4.6 allows remote attackers to cause Safari to launch unsafe content via long file name extensions, which prevents Download Validation from determining which application will be used to open the file.This vulnerability is addressed in the following product release: Apple, Mac OS X, 10.4.6 (2006-003)APPLE-SA-2006-05-11TA06-132A20077179511016081ADV-2006-1779macos-launchservices-security-bypass(26416)25591Finder in Apple Mac OS X 10.3.9 and 10.4.6 allows user-assisted attackers to execute arbitrary code by tricking a user into launching an Internet Location item that appears to use a safe URL scheme, but which actually has a different and more risky scheme.This vulnerability is addressed in the following product release: Apple, Mac OS X, 10.4.6 (2006-003)APPLE-SA-2006-05-11TA06-132A20077179511016082ADV-2006-177925592 macos-finder-url-type-spoofing(26410)Integer overflow in Mail in Apple Mac OS X 10.3.9 and 10.4.6 allows remote attackers to execute arbitrary code via a crafted MacMIME encapsulated attachment.This vulnerability is addressed in the following product release: Apple, Mac OS X, 10.4.6 (2006-003)APPLE-SA-2006-05-11TA06-132A20077179511016078ADV-2006-1779macos-mail-macmime-bo(26417)25593Mail in Apple Mac OS X 10.3.9 and 10.4.6 allows remote attackers to execute arbitrary code via an enriched text e-mail message with "invalid color information" that causes Mail to allocate and initialize arbitrary classes.This vulnerability is addressed in the following product release: Apple, Mac OS X, 10.4.6 (2006-003)APPLE-SA-2006-05-11TA06-132A20077179511016078ADV-2006-1779macos-mail-color-code-execution(26419)25594MySQL Manager in Apple Mac OS X 10.3.9 and 10.4.6, when setting up a new MySQL database server, does not use the "New MySQL root password" that is provided, which causes the MySQL root password to be blank and allows local users to gain full privileges to that database.This vulnerability is addressed in the following product release: Apple, Mac OS X, 10.4.6 (2006-003)APPLE-SA-2006-05-11TA06-132A10160772007717951ADV-2006-1779macos-mysql-manager-blank-password(26420)25595Stack-based buffer overflow in Preview in Apple Mac OS 10.4 up to 10.4.6 allows local users to execute arbitrary code via a deep directory hierarchy.This vulnerability is addressed in the following product release: Apple, Mac OS X, 10.4.6 (2006-003)APPLE-SA-2006-05-11TA06-132A10160762007717951ADV-2006-1779macos-preview-directory-bo(26422)25596Stack-based buffer overflow in Apple QuickTime before 7.1 allows remote attackers to execute arbitrary code via a crafted QuickDraw PICT image format file containing malformed font information.20060512 Apple QuickDraw/QuickTime Multiple VulnerabilitiesAPPLE-SA-2006-05-11APPLE-SA-2006-05-11TA06-132A179531016067200692007717951ADV-2006-17781016075ADV-2006-1779 quicktime-pict-font-bo(26400)TA06-132B887Heap-based buffer overflow in Apple QuickTime before 7.1 allows remote attackers to execute arbitrary code via a crafted QuickDraw PICT image format file with malformed image data.20060512 Apple QuickDraw/QuickTime Multiple VulnerabilitiesAPPLE-SA-2006-05-11APPLE-SA-2006-05-11TA06-132A179531016067200692007717951ADV-2006-17781016075ADV-2006-1779 quicktime-pict-image-bo(26401)TA06-132B887QuickTime Streaming Server in Apple Mac OS X 10.3.9 and 10.4.6 allows remote attackers to cause a denial of service (crash and connection interruption) via a QuickTime movie with a missing track, which triggers a null dereference.APPLE-SA-2006-05-11TA06-132A20077179511016070ADV-2006-1779quicktime-missing-track-dos(26423)25599Buffer overflow in QuickTime Streaming Server in Apple Mac OS X 10.3.9 and 10.4.6 allows remote attackers to execute arbitrary code via a crafted RTSP request, which is not properly handled during message logging.APPLE-SA-2006-05-11TA06-132A20077179511016070ADV-2006-1779quicktime-rtsp-bo(26424)25600Safari on Apple Mac OS X 10.4.6, when "Open `safe' files after downloading" is enabled, will automatically expand archives, which could allow remote attackers to overwrite arbitrary files via an archive that contains a symlink.APPLE-SA-2006-05-11TA06-132AVU#51947310160692007717951ADV-2006-1779safari-archive-code-execution(26427)25598Integer overflow in Apple QuickTime Player before 7.1 allows remote attackers to execute arbitrary code via a crafted JPEG image.APPLE-SA-2006-05-11VU#28970517953101606720069ADV-2006-1778 quicktime-jpeg-overflow(26391)TA06-132BMultiple integer overflows in Apple QuickTime before 7.1 allow remote attackers to cause a denial of service or execute arbitrary code via a crafted QuickTime movie (.MOV).20060512 Apple QuickDraw/QuickTime Multiple VulnerabilitiesAPPLE-SA-2006-05-1117953101606720069ADV-2006-1778 quicktime-mov-overflow(26392)TA06-132B887Multiple buffer overflows in Apple QuickTime before 7.1 allow remote attackers to execute arbitrary code via a crafted QuickTime movie (.MOV), as demonstrated via a large size for a udta Atom.20060512 Apple QuickDraw/QuickTime Multiple VulnerabilitiesAPPLE-SA-2006-05-111795310160672006920060512 Apple QuickTime udta ATOM Heap OverflowADV-2006-1778 20060512 Apple QuickTime udta ATOM Heap Overflow quicktime-mov-bo(26393)TA06-132B887Multiple buffer overflows in Apple QuickTime before 7.1 allow remote attackers to execute arbitrary code via a crafted QuickTime Flash (SWF) file.20060512 Apple QuickDraw/QuickTime Multiple VulnerabilitiesAPPLE-SA-2006-05-1117953101606720069ADV-2006-1778 quicktime-flash-bo(26394)TA06-132B887Multiple integer overflows in Apple QuickTime before 7.1 allow remote attackers to execute arbitrary code via a crafted QuickTime H.264 (M4V) video format file.20060512 Apple QuickDraw/QuickTime Multiple VulnerabilitiesAPPLE-SA-2006-05-1117953101606720069ADV-2006-1778 quicktime-h264-overflow(26395)TA06-132B887Heap-based buffer overflow in Apple QuickTime before 7.1 allows remote attackers to execute arbitrary code via a H.264 (M4V) video format file with a certain modified size value.20060511 ZDI-06-015: Apple QuickTime H.264 Parsing Heap Overflow VulnerabilityAPPLE-SA-2006-05-1117953101606720069ADV-2006-1778 quicktime-h264-bo(26396)TA06-132B888Buffer overflow in Apple QuickTime before 7.1 allows remote attackers to execute arbitrary code via a crafted QuickTime MPEG4 (M4P) video format file.20060512 Apple QuickDraw/QuickTime Multiple VulnerabilitiesAPPLE-SA-2006-05-1117953101606720069ADV-2006-1778VU#587937 quicktime-mpeg4-bo(26397)TA06-132B887Buffer overflow in Apple QuickTime before 7.1 allows remote attackers to execute arbitrary code via a crafted QuickTime AVI video format file.20060512 Apple QuickDraw/QuickTime Multiple VulnerabilitiesAPPLE-SA-2006-05-1117953101606720069ADV-2006-1778 quicktime-avi-bo(26399)TA06-132B887Xcode Tools before 2.3 for Mac OS X 10.4, when running the WebObjects plugin, allows remote attackers to access or modify WebObjects projects through a network service.APPLE-SA-2006-05-2318091ADV-2006-1950101614320267xcode-webobjects-unauth-access(26634)25889Integer overflow in the AAC file parsing code in Apple iTunes before 6.0.5 on Mac OS X 10.2.8 or later, and Windows XP and 2000, allows remote user-assisted attackers to execute arbitrary code via an AAC (M4P, M4A, or M4B) file with a sample table size (STSZ) atom with a "malformed" sample_size_table value.APPLE-SA-2006-06-2920060630 ZDI-06-020: Apple iTunes AAC File Parsing Integer Overflow VulnerabilityVU#9078362089118730ADV-2006-26011016413itunes-aac-file-overflow(27481)Unspecified vulnerability in Apple File Protocol (AFP) server in Apple Mac OS X 10.4 up to 10.4.6 includes the names of restricted files and folders within search results, which might allow remote attackers to obtain sensitive information.This vulnerability is addressed in the following product release: Apple, Mac OS X, 10.4.7APPLE-SA-2006-06-27ADV-2006-25661868618733101639520877macosx-afp-information-disclosure(27477)26930Stack-based buffer overflow in ImageIO in Apple Mac OS X 10.4 up to 10.4.6 allows attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted TIFF image.APPLE-SA-2006-06-27ADV-2006-2566186861016394VU#9883561873120877macosx-imageio-tiff-bo(27478)26931OpenLDAP in Apple Mac OS X 10.4 up to 10.4.6 allows remote attackers to cause a denial of service (crash) via an invalid LDAP request that triggers an assert error.APPLE-SA-2006-06-27ADV-2006-2566VU#6521961868618728101639620877macosx-openldap-directory-dos(27480)26932Format string vulnerability in the CF_syslog function launchd in Apple Mac OS X 10.4 up to 10.4.6 allows local users to execute arbitrary code via format string specifiers that are not properly handled in a syslog call in the logging facility, as demonstrated by using a crafted plist file.APPLE-SA-2006-06-27ADV-2006-256620060629 DMA[2006-0628a] - 'Apple OSX launchd unformatted syslog() vulnerability'1868610163971872420877macosx-launchd-format-string(27479)26933Unspecified vulnerability in AFP Server in Apple Mac OS X 10.3.9 allows remote attackers to determing names of unauthorized files and folders via unknown vectors related to the search results.APPLE-SA-2006-08-01212531016620ADV-2006-3101macosx-afp-file-disclosure(28134)19289 TA06-214AInteger overflow in AFP Server for Apple Mac OS X 10.3.9 and 10.4.7 allows remote attackers to cause a denial of service (crash) and execute arbitrary code via unknown vectors.APPLE-SA-2006-08-0121253VU#5753721016620ADV-2006-310127731macosx-afp-overflow(28135)19289 TA06-214ACross-site scripting (XSS) vulnerability in the "failed" functionality in Raindance Web Conferencing Pro allows remote attackers to inject arbitrary web script or HTML via the browser parameter.20060324 [DDSi-SA] XSS in Raindance Communications Web Conferencing ProWindows Firewall in Microsoft Windows XP SP2 does not produce application alerts when an application is executed using the NTFS Alternate Data Streams (ADS) filename:stream syntax, which might allow local users to launch a Trojan horse attack in which the victim does not obtain the alert that Windows Firewall would have produced for a non-ADS file.20060324 Microsoft Windows XP SP2 Firewall issue20060327 Re: Microsoft Windows XP SP2 Firewall issue winxp-firewall-ads-bypass(25597)Windows Firewall in Microsoft Windows XP SP2 produces incorrect application block alerts when the application filename is ".exe" (with no characters before the "."), which might allow local user-assisted users to trick a user into unblocking a Trojan horse program, as demonstrated by a malicious ".exe" program in a folder named "Internet Explorer," which triggers a question about whether to unblock the "Internet Explorer" program.20060324 Microsoft Windows XP SP2 Firewall issue20060327 Re: Microsoft Windows XP SP2 Firewall issue winxp-firewall-exe-bypass(25598)Multiple PHP remote file inclusion vulnerabilities in Turnkey Web Tools PHP Live Helper 1.8 allow remote attackers to include and execute arbitrary PHP code via the abs_path parameter in (1) initiate.php, (2) waiting.php, (3) welcome.php, (4) admin/index.php, (5) javascript.php, (6) checkchat.php, and (7) blank.php.This vulnerability may affect all versions prior to 1.8 as well.20060327 PHPLiveHelper 1.8 remote command execution (include) Xploit (perl)initiate.php is exploitable? PHPLiveHelper 1.8 remote command execution XploitADV-2006-11371942824193241942419524196241972419824199phplivehelper-abspath-file-include(25489)20060619 PHP Live Helper <=([abs_path]) Remote File Include Vulnerabilities20060619 Re: PHP Live Helper <=([abs_path]) Remote File Include Vulnerabilities 18509Directory traversal vulnerability in (1) initiate.php and (2) possibly other PHP scripts in Turnkey Web Tools PHP Live Helper 1.8, and possibly later versions, allows remote authenticated users to include and execute arbitrary local files via directory traversal sequences in the language cookie, as demonstrated by uploading PHP code in a gl_session cookie to users.php, which causes the code to be stored in error.log, which is then included by initiate.php.This vulnerability may affect all other versions of Turnkey Web Tools, PHP Live Helper.20060327 PHPLiveHelper 1.8 remote command execution (include) Xploit (perl)initiate.php is exploitable? PHPLiveHelper 1.8 remote command execution Xploit19428phplivehelper-abspath-file-include(25489)641Multiple cross-site scripting (XSS) vulnerabilities in Serge Rey gtd-php (aka Getting Things Done) 0.5 allow remote attackers to inject arbitrary web script or HTML via the Description field in (1) newProject.php, (2) newList.php, and (3) newWaitingOn.php; the Title field in (4) newProject.php, (5) newList.php, (6) newWaitingOn.php, (7) newChecklist.php, (8) newContext.php, and (9) newGoal.php; the (10) Category Name field in newCategory.php; the (11) listTitle field in listReport.php; the (12) projectName field in projectReport.php; and the (13) checklistTitle field in checklistReport.php.Subject: gtd input sanitization (XSS) vulnerabilities24149241502415124152241532415424155241562415724158gtdphp-multiple-scripts-xss(25553)17366ADV-2006-120319512Directory traversal vulnerability in start.php in WebAlbum 2.02 allows remote attackers to include arbitrary files and execute commands by (1) injecting code into local log files via GET commands, then (2) accessing that log via a .. (dot dot) sequence and a trailing null (%00) byte in the skin2 COOKIE parameter.Successful exploitation requires that the "magic_quotes_gpc" parameter is disabled. exploit 160817228ADV-2006-110819400webalbum-skin2-parameter-file-include(25443)24160SQL injection vulnerability in search.php in PHP Ticket 0.71 allows remote authenticated users to execute arbitrary SQL commands and obtain usernames and passwords via the frm_search_in parameter.exploit 160917229ADV-2006-110619412phpticket-search-sql-injection(25436)Cross-site scripting (XSS) vulnerability in index.php in ConfTool 1.1 allows remote attackers to inject arbitrary web script or HTML via the page parameter.20060327 CanfTool v1.1 Cross Site Scripting Attack[VIM] 20060328 Conftool, not Canftool; appears to be distributable2426417231canftool-index-xss(25437)635Blazix Web Server before 1.2.6, when running on Windows, allows remote attackers to obtain the source code of JSP files via (1) . (dot), (2) space, and (3) slash characters in the extension of a URL.20060328 Secunia Research: Blazix Web Server JSP Source Code DisclosureVulnerabilityBlazix Web Server JSP Source Code Disclosure Vulnerability17270ADV-2006-113319341241781015837blazix-jsp-source-disclosure(25485)643Genius VideoCAM NB Driver does not drop privileges when saving files, which allows local users to gain privileges by opening arbitrary files via the "save as" dialog.20060328 Genius VideoCAM NB Local Privilege Escalation17284101583919437genius-videocam-saveas-gain-privileges(25501)gm-upload.cgi in Greymatter 1.3.1 allows remote authenticated users with upload privileges to execute arbitrary programs by uploading files to locations within the web root. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.17271ADV-2006-11381942324210greymatter-gmupload-file-upload(25496)Multiple cross-site scripting (XSS) vulnerabilities in index.cfm in realestateZONE 4.2 allow remote attackers to inject arbitrary web script or HTML via the (1) bamin, (2) bemin, (3) pmin, and (4) state parameters.realestateZONE 4.2 Multiple XSS vuln. 17277ADV-2006-11281942924186realestatezone-index-xss(25487)Cross-site scripting (XSS) vulnerability in ActiveCampaign SupportTrio 2.50.2 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters to the KnowledgeBase search module.17276ADV-2006-11261943124192supporttrio-search-xss(25495)ActiveCampaign SupportTrio 2.5 allows remote attackers to obtain the full path of the server via invalid (1) article or (2) print parameters in a kb action to index.php, or (3) an invalid category parameter to modules/KB/pdf.php, which leaks the path in an error message.ADV-2006-1126194312419024191supporttrio-index-pdf-path-disclosure(25517)Multiple SQL injection vulnerabilities in FusionZONE CouponZONE local.cfm in 4.2 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) companyid, (2) scat, and (3) coid parameters.1727424179couponzone-local-sql-injection(25576)PHP before 5.1.3-RC1 might allow remote attackers to obtain portions of memory via crafted binary data sent to a script that processes user input in the html_entity_decode function and sends the encoded results back to the client, aka a "binary safety" issue. NOTE: this issue has been referred to as a "memory leak," but it is an information leak that discloses memory contents.20060328 Critical PHP bug - act ASAP if you are running web with sensitive data20060328 Re: [Full-disclosure] Critical PHP bug - act ASAP if you are running web with sensitive data17296ADV-2006-114919383php-htmlentitydecode-information-disclosure(25508)MDKSA-2006:063194992006-002019570RHSA-2006:027619832SUSE-SA:2006:024GLSA-200605-08ADV-2006-268520951USN-320-1APPLE-SA-2006-11-28TA06-333AADV-2006-475023155 20060501-01-U 19979 20052 20210 21125MDKSA-2006:063Eval injection vulnerability in Horde Application Framework versions 3.0 before 3.0.10 and 3.1 before 3.1.1 allows remote attackers to execute arbitrary code via the help viewer.17292ADV-2006-11541015841horde-help-viewer-command-execution(25516)GLSA-200604-02SUSE-SR:2006:0071952819504[VIM] 20060330 Recent unspecified Horde vuln is eval injection19485DSA-103319619DSA-103419692Directory traversal vulnerability in dir.php in Explorer XP allows remote attackers to read arbitrary files via the chemin parameter.17303ADV-2006-116524259101584019460explorerxp-dir-directory-traversal(25523)20060329 ExplorerXP : Directory Traversal and Cross Site ScriptingCross-site scripting (XSS) vulnerability in dir.php in Explorer XP allows remote attackers to inject arbitrary web script or HTML via the chemin parameter. NOTE: it is possible that this issue is resultant from CVE-2006-1492.17303ADV-2006-116524260101584019460explorerxp-dir-xss(25524)20060329 ExplorerXP : Directory Traversal and Cross Site ScriptingDirectory traversal vulnerability in file.c in PHP 4.4.2 and 5.1.2 allows local users to bypass open_basedir restrictions allows remote attackers to create files in arbitrary directories via the tempnam function.SecurityAlert Id : 361959920060409 tempnam() open_basedir bypass PHP 4.4.2 and 5.1.2ADV-2006-12901015881MDKSA-2006:074SUSE-SA:2006:024RHSA-2006:0568USN-320-121031RHSA-2006:056720060701-01-U211352120221252RHSA-2006:0549217232222517439 20061005 rPSA-2006-0182-1 php php-mysql php-pgsql 20060408 tempnam() open_basedir bypass PHP 4.4.2 and 5.1.2 19775 19979 21125 php-tempnam-directory-traversal(25705)MDKSA-2006:074677SQL injection vulnerability in general/sendpassword.php in (1) PHPCollab 2.4 and 2.5.rc3, and (2) NetOffice 2.5.3-pl1 and 2.6.0b2 allows remote attackers to execute arbitrary SQL commands via the loginForm parameter in the "forgotten password" option.17283ADV-2006-11421944917286ADV-2006-114119452netoffice-sendpassword-bypass-security(25503)phpcollab-sendpassword-sql-injection(25505)2422624230Multiple cross-site scripting (XSS) vulnerabilities in index.php in ViHor Design allow remote attackers to inject arbitrary web script or HTML via (1) a remote URL in the page parameter, which is processed by an fopen call, or (2) HTML or script in the page parameter, which is returned to the client in an error message for the failed fopen call.20060324 VihorDesing Script Remote Command Exucetion And Cross Scripting Attack[VIM] 20060326 clarification of 'VihorDesign' (not VihorDesing) issues[VIM] 20060326 clarification of 'VihorDesign' (not VihorDesing) issues1722619403vihordesign-index-xss(25483)Directory traversal vulnerability in index.php in ViHor Design allows remote attackers to read arbitrary files via the page parameter.20060324 VihorDesing Script Remote Command Exucetion And Cross Scripting Attack[VIM] 20060327 clarification of 'VihorDesign' (not VihorDesing) issues1722619403ADV-2006-1114[VIM] 20060326 clarification of "VihorDesign" (not VihorDesing) issues17227625Cross-site scripting (XSS) vulnerability in MediaWiki before 1.5.8 and 1.4.15 allows remote attackers to inject arbitrary web script or HTML via crafted encoded links.[MediaWiki-announce] 20060327 MediaWiki 1.5.8, 1.4.15 released [SECURITY]17269GLSA-200604-01SUSE-SR:2006:00719504ADV-2006-11941950819517 mediawiki-unspecified-xss(25588)SQL injection vulnerability in vCounter.php in vCounter 1.0 allows remote attackers to execute arbitrary SQL commands via the URI (_SERVER[REQUEST_URI] variable).ADV-2006-11471942217302vcounter-url-sql-injection(25500)2423420060407 [eVuln] vCounter - sourceworkshop SQL Injection VulnerabilitySQL injection vulnerability in index.php in Tilde CMS 3.0 allows remote attackers to execute arbitrary SQL commands via the id parameter.ADV-2006-11451944717299tildecms-index-sql-injection(25510)24233SQL injection vulnerability in index.php in OneOrZero 1.6.3.0 allows remote attackers to execute arbitrary SQL commands via the id parameter, possibly in the kans action.ADV-2006-11461944617298oneorzero-helpdesk-index-sql-injection(25511)24228Multiple integer overflows in MPlayer 1.0pre7try2 allow remote attackers to cause a denial of service and trigger heap-based buffer overflows via (1) a certain ASF file handled by asfheader.c that causes the asf_descrambling function to be passed a negative integer after the conversion from a char to an int or (2) an AVI file with a crafted wLongsPerEntry or nEntriesInUse value in the indx chunk, which is handled in aviheader.c.20060329 [xfocus-SD-060329]MPlayer: Multiple integer overflows20060329 [xfocus-SD-060329]MPlayer: Multiple integer overflows[xfocus-SD-060329]17295ADV-2006-11561941824246242471015842mplayer-asfheader-integer-overflow(25513)mplayer-aviheader-integer-overflow(25514)MDKSA-2006:06819565GLSA-200605-0119919MDKSA-2006:068532647PHP remote file inclusion vulnerability in includes/functions_install.php in Virtual War (VWar) 1.5.0 R11 and earlier allows remote attackers to include and execute arbitrary PHP code via a URL in the vwar_root parameter. NOTE: this is a different vulnerability than CVE-2006-1636.Successful exploitation requires that the "register_globals" parameter is enabled.20060328 VWar <= 1.5.0 R11 Remote Code Execution ExploitADV-2006-1144194381729024239virtual-war-functionsinstall-file-include(25497)[VIM] 20060403 Vendor ACK for VWar issue - VWar used by PhpNuke ClanMultiple cross-site scripting (XSS) vulnerabilities in Arab Portal 2.0 (aka Arab Dynamic Portal or ADP) stable allow remote attackers to inject arbitrary web script or HTML via the title parameter in (1) online.php and (2) download.php.Successful exploitation requires that the "register_globals" parameter is enabled.20060328 ArabPortal 2.0 Stable CrossSiteScriptingADV-2006-115019445arabportal-online-download-xss(25515)172852422024221673base_maintenance.php in Basic Analysis and Security Engine (BASE) before 1.2.4 (melissa), when running in standalone mode, allows remote attackers to bypass authentication, possibly by setting the standalone parameter to "yes".Succesful exploitation requires that the product is running in standalone mode.changelog2410117354ADV-2006-119219510Unspecified vulnerability in rsh in Sun Microsystems Sun Grid Engine 5.3 before 20060327 and N1 Grid Engine 6.0 before 20060327 allows local users to gain root privileges.This vulnerability affects Sun Microsystems, Sun Grid Engine 5.3 before 20060327 & N1 Grid Engine 6.0 before 20060327.1022681015835ADV-2006-1155Cross-site scripting (XSS) vulnerability in PHPKIT 1.6.03 allows remote attackers to inject arbitrary web script or HTML via the error parameter to include.php, possibly due to a problem in login/login.php.20060328 XSS in PHPKIT Version 1.6.0317291 phpkit-error-xss(25594)Multiple cross-site scripting (XSS) vulnerabilities in MH Software Connect Daily Web Calendar Software 3.2.9 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) calendar_id, (2) style_sheet, and (3) start parameters in (a) ViewDay.html; the (4) txtSearch and (5) opgSearch parameters in (b) ViewSearch.html; the (6) calendar_id and (7) approved parameters in (c) ViewYear.html; the (8) item_type_id parameter in (d) ViewCal.html; and the (9) week parameter in (e) ViewWeek.html.Connect Daily Multiple XSS vuln. 17287ADV-2006-1125194342418124182241832418424185connectdailywebcalendar-multiple-xss(25474)/sbin/passwd in HP-UX B.11.00, B.11.11, and B.11.23 before 20060326 "does not recover gracefully from some error conditions," which allows local users to cause a denial of service.This vulnerability affects all versions of HP-UX B.11.00, B.11.11, and B.11.23 before 20060326.HPSBUX0210317280ADV-2006-120819490 hpux-passwd-dos(25596)oval:org.mitre.oval:def:1412oval:org.mitre.oval:def:1660oval:org.mitre.oval:def:1690Buffer overflow in calloc.c in the Microsoft Windows XP SP2 ntdll.dll system library, when used by the ILDASM disassembler in the Microsoft .NET 1.0 and 1.1 SDK, might allow user-assisted attackers to execute arbitrary code via a crafted .dll file with a large static method.Succesful exploitation can only occur when ntdll.dll system library is used by the ILDASM disassembler in the Microsoft .NET 1.0 and 1.1 SDK packages.20060327 Buffer OverFlow in ILASM and ILDASMILDASM Exception CreatorTo MSRC: Buffer OverFlow in ILASM and ILDASM17243ADV-2006-111319406ms-dotnet-ildasm-bo(25439)Buffer overflow in the ILASM assembler in the Microsoft .NET 1.0 and 1.1 Framework might allow user-assisted attackers to execute arbitrary code via a .il file that calls a function with a long name.20060327 Buffer OverFlow in ILASM and ILDASM17243ADV-2006-111319406ms-dotnet-ilasm-bo(25438)** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2006-1712. Reason: This candidate is a reservation duplicate of CVE-2006-1712. Notes: All CVE users should reference CVE-2006-1712 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.Multiple buffer overflows in abc2ps before 1.3.3 allow user-assisted attackers to execute arbitrary code via crafted ABC music files.DSA-104117689ADV-2006-15111978719807 abc2ps-abc-bo(26043)Multiple buffer overflows in the abcmidi-yaps translator in abcmidi 20050101, and other versions, allow remote attackers to execute arbitrary code via crafted ABC music files that trigger the overflows during translation into PostScript.DSA-104317704ADV-2006-1531249741982919826Buffer overflow in the addnewword function in typespeed 0.4.4 and earlier might allow remote attackers to execute arbitrary code via unknown vectors.DSA-108418194ADV-2006-20872037920393GLSA-200606-2020708The check_connection function in sql_parse.cc in MySQL 4.0.x up to 4.0.26, 4.1.x up to 4.1.18, and 5.0.x up to 5.0.20 allows remote attackers to read portions of memory via a username without a trailing null byte, which causes a buffer over-read.20060502 MySQL Anonymous Login Handshake - Information Leakage.ADV-2006-1633101601719929USN-283-11778020002GLSA-200605-13MDKSA-2006:084200732007620060516 UPDATE: [ GLSA 200605-13 ] MySQL: Information leakageDSA-10712006-002820223DSA-10732024120253DSA-107920333SSA:2006-155-01SUSE-SR:2006:0122042420457RHSA-2006:054420625SUSE-SA:2006:03620762 ADV-2007-0930 24479 mysql-login-packet-info-disclosure(26236)APPLE-SA-2007-03-13TA07-072A840236703ADV-2008-132629847sql_parse.cc in MySQL 4.0.x up to 4.0.26, 4.1.x up to 4.1.18, and 5.0.x up to 5.0.20 allows remote attackers to obtain sensitive information via a COM_TABLE_DUMP request with an incorrect packet length, which includes portions of memory in an error message.20060502 MySQL COM_TABLE_DUMP Information Leakage and Arbitrary commandexecution.ADV-2006-1633101601619929USN-283-11778020002GLSA-200605-13MDKSA-2006:08425228200732007620060516 UPDATE: [ GLSA 200605-13 ] MySQL: Information leakageDSA-10712006-002820223DSA-10732024120253DSA-107920333SSA:2006-155-01SUSE-SR:2006:0122042420457RHSA-2006:054420625SUSE-SA:2006:03620762 ADV-2007-0930 24479 mysql-sqlparcecc-information-disclosure(26228)APPLE-SA-2007-03-13TA07-072A839236703ADV-2008-132629847Buffer overflow in the open_table function in sql_base.cc in MySQL 5.0.x up to 5.0.20 might allow remote attackers to execute arbitrary code via crafted COM_TABLE_DUMP packets with invalid length values.20060502 MySQL COM_TABLE_DUMP Information Leakage and Arbitrary commandexecution.ADV-2006-1633101601619929VU#602457DSA-1071DSA-10732024120253DSA-107920333SUSE-SR:2006:01220457SUSE-SA:2006:03620762 17780 mysql-comtabledump-bo(26232)839** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2006-2224. Reason: This candidate is a duplicate of CVE-2006-2224. Notes: All CVE users should reference CVE-2006-2224 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.Format string vulnerability in ANSI C Sender Policy Framework library (libspf) before 1.0.0-p5, when debugging is enabled, allows remote attackers to execute arbitrary code via format string specifiers, possibly in an e-mail address.ADV-2006-1846libspf-debugging-format-string(26535)The sys_add_key function in the keyring code in Linux kernel 2.6.16.1 and 2.6.17-rc1, and possibly earlier versions, allows local users to cause a denial of service (OOPS) via keyctl requests that add a key to a user key instead of a keyring key, which causes an invalid dereference in the __keyring_search_one function.Bugzilla Bug 188466 1745119573ADV-2006-1307MDKSA-2006:08620157RHSA-2006:049320237USN-302-12071621745 FEDORA-2006-423 ADV-2006-1475 24507 19735 linux-keyringsearchone-dos(25722)MDKSA-2006:086The __group_complete_signal function in the RCU signal handling (signal.c) in Linux kernel 2.6.16, and possibly other versions, has unknown impact and attack vectors related to improper use of BUG_ON.[linux-kernel] 20060411 [PATCH] __group_complete_signal: remove bogus BUG_ON17640SUSE-SA:2006:028DSA-1103ADV-2006-25542091420398madvise_remove in Linux kernel 2.6.16 up to 2.6.16.6 does not follow file and mmap restrictions, which allows local users to bypass IPC permissions and replace portions of readonly tmpfs files with zeroes, aka the MADV_REMOVE vulnerability. NOTE: this description was originally written in a way that combined two separate issues. The mprotect issue now has a separate name, CVE-2006-2071.175871966419657DSA-109720671SUSE-SA:2006:028DSA-1103ADV-2006-2554247142091420398 FEDORA-2006-423 ADV-2006-1391 ADV-2006-1475 19735 linux-madvise-security-bypass(25870)ip_route_input in Linux kernel 2.6 before 2.6.16.8 allows local users to cause a denial of service (panic) via a request for a route for a multicast IP address, which triggers a null dereference.17593ADV-2006-13991970924715linux-ip-route-input-dos(25872)USN-281-119955MDKSA-2006:08620157RHSA-2006:049320237DSA-109720671SUSE-SA:2006:028DSA-1103ADV-2006-2554209142174520398 FEDORA-2006-423 ADV-2006-1475 19735 21476MDKSA-2006:086Buffer overflow in the X render (Xrender) extension in X.org X server 6.8.0 up to allows attackers to cause a denial of service (crash), as demonstrated by the (1) XRenderCompositeTriStrip and (2) XRenderCompositeTriFan requests in the rendertest from XCB xcb/xcb-demo, which leads to an incorrect memory allocation due to a typo in an expression that uses a "&" instead of a "*" operator. NOTE: the subject line of the original announcement used an incorrect CVE number for this issue.[xorg] 20060502 [CVE-2006-1525] X.Org security advisory: Buffer overflow in the Xrender extensionGLSA-200605-02MDKSA-2006:081[3.8] 007: SECURITY FIX: May 2, 2006RHSA-2006:0451SUSE-SA:2006:023USN-280-1ADV-2006-16171016018199151992119943199001991619951199561023392006-00241779519983FLSA:190777VU#633257xorg-xrender-bo(26200)MDKSA-2006:081The SCTP-netfilter code in Linux kernel before 2.6.16.13 allows remote attackers to trigger a denial of service (infinite loop) via unknown vectors that cause an invalid SCTP chunk size to be processed by the for_each_sctp_chunk function.Upgrade to Linux Kernel version 2.6.16.13 : http://www.kernel.org/ADV-2006-16322006-0024178062522919926MDKSA-2006:08620157RHSA-2006:049320237SUSE-SA:2006:028USN-302-1207162174520398 linux-sctp-netfilter-dos(26194)MDKSA-2006:086Linux kernel before 2.6.13 allows local users to cause a denial of service (crash) via a dio transfer from the sg driver to memory mapped (mmap) IO space.RHSA-2006:04932023718101USN-302-120716MDKSA-2006:1232104521179SUSE-SA:2006:047ADV-2006-333021555kernel-sg-dos(28510)21745DSA-1183DSA-1184220822209321498MDKSA-2006:123Unspecified vulnerability in Firefox and Thunderbird before 1.5.0.2, and SeaMonkey before 1.0.1, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown attack vectors related to DHTML. NOTE: due to the lack of sufficient public details from the vendor as of 20060413, it is unclear how CVE-2006-1529, CVE-2006-1530, CVE-2006-1531, and CVE-2006-1723 are different.This vulnerability is addressed in the following product releases: Mozilla, Firefox, 1.5.0.2 Mozilla, Thunderbird, 1.5.0.2 Mozilla, SeaMonkey, 1.0.1 Security Advisory 2006-20VU#35026217516ADV-2006-13561015919101592110159201963119649DSA-104619863DSA-105119941SCOSA-2006.2621033HPSBUX02153HPSBUX02156oval:org.mitre.oval:def:1947ADV-2006-3748ADV-2006-37492206522066ADV-2008-0083Unspecified vulnerability in Firefox and Thunderbird before 1.5.0.2, and SeaMonkey before 1.0.1, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown attack vectors related to DHTML. NOTE: due to the lack of sufficient public details from the vendor as of 20060413, it is unclear how CVE-2006-1529, CVE-2006-1530, CVE-2006-1531, and CVE-2006-1723 are different.This vulnerability is addresses in the following product releases: Mozilla, Firefox, 1.5.0.2 Mozilla, Thunderbird, 1.5.0.2 Mozilla, SeaMonkey, 1.0.1 Security Advisory 2006-20VU#35026217516ADV-2006-13561015919101592110159201963119649DSA-104619863DSA-105119941SCOSA-2006.2621033HPSBUX02153HPSBUX02156oval:org.mitre.oval:def:1903ADV-2006-3748ADV-2006-37492206522066ADV-2008-0083Unspecified vulnerability in Firefox and Thunderbird before 1.5.0.2, and SeaMonkey before 1.0.1, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown attack vectors related to DHTML. NOTE: due to the lack of sufficient public details from the vendor as of 20060413, it is unclear how CVE-2006-1529, CVE-2006-1530, CVE-2006-1531, and CVE-2006-1723 are different.VU#350262175161015919101592110159201963119649DSA-104619863DSA-105119941SCOSA-2006.2621033HPSBUX02153HPSBUX02156oval:org.mitre.oval:def:2023ADV-2006-3748ADV-2006-37492206522066ADV-2008-0083Cross-site scripting (XSS) vulnerability in search.php in PHP Classifieds 6.18, 6.20, and possibly other versions, allows remote attackers to inject arbitrary web script or HTML via the searchword parameter.ADV-2006-1143194401730524232phpclassifieds-search-xss(25507)SQL injection vulnerability in newsletter.php in Sourceworkshop newsletter 1.0 allows remote attackers to execute arbitrary SQL commands via the newsletteremail parameter.ADV-2006-11481942517304newsletter-script-sql-injection(25498)20060407 [eVuln] newsletter - sourceworkshop SQL Injection Vulnerability24229Multiple SQL injection vulnerabilities in Null news allow remote attackers to execute arbitrary SQL commands via (1) the user_email parameter in (a) lostpass.php, and the (2) user_email and (3) user_username parameters in (b) sub.php and (c) unsub.php.Succesful exploitation of this vulnerability requires the "magic_quotes_gpc" parameter to be disabled.EV0109ADV-2006-11511941317300242402424124242nullnews-multiple-sql-injection(25502)20060408 [eVuln] Null news SQL Injection Vulnerability682Cross-site scripting (XSS) vulnerability in login.php in Phoetux.net PhxContacts 0.93.1 beta and earlier allows remote attackers to inject arbitrary web script or HTML via the m parameter.20060328 PhxContacts <= 0.93.1 beta Multiple SQL injection & xss17307Multiple SQL injection vulnerabilities in Phoetux.net PhxContacts 0.93.1 beta and earlier allow remote attackers to execute arbitrary SQL commands via the (1) motclef and (2) nbr_line_view parameters in (a) carnet.php, and the (3) id_contact parameter in (b) contact_view.php.20060328 PhxContacts <= 0.93.1 beta Multiple SQL injection & xss17306Craig Knudsen WebCalendar 1.1.0-CVS allows remote attackers to obtain sensitive information via a direct request to (1) includes/index.php, (2) tests/add_duration_test.php, (3) tests/all_tests.php, (4) groups.php, (5) nonusers.php, (6) includes/settings.php, (7) includes/init.php, (8) includes/settings.php.orig, (9) includes/js/admin.php, (10) includes/js/edit_entry.php, (11) includes/js/edit_layer.php, (12) includes/js/export_import.php, (13) includes/js/popups.php, (14) includes/js/pref.php, or (15) includes/menu/index.php, which reveal the path in various error messages.20060329 Full path disclosure in Webcalendar 1.1.0-CVS245222452324524245252452624527245282452924530245312453224533245342453524536 webcalendar-multiple-path-disclosure(25539)651The Enova X-Wall ASIC encrypts with a key obtained via Microwire from a serial EEPROM that stores the key in cleartext, which allows local users with physical access to obtain the key by reading and duplicating an EEPROM that is located on a hardware token, or by sniffing the Microwire bus.Physical access to the device or hardware token is required to perform the attack.20060329 [HV-INFO] Enova hardware encryption: false sense of securityEnova hardware encryption: False sense of securityenova-xwall-insecure-encryption-key(25527)648Multiple buffer overflows in the checkscores function in scores.c in tetris-bsd in bsd-games before 2.17-r1 in Gentoo Linux might allow local users with games group membership to gain privileges by modifying tetris-bsd.scores to contain crafted executable content, which is executed when another user launches tetris-bsd.GLSA-200603-26Bug#: 122399 173081944224261bsdgames-tetrisbsd-checkscores-bo(25611)MSO.DLL in Microsoft Office 2000, Office XP (2002), and Office 2003 allows user-assisted attackers to cause a denial of service and execute arbitrary code via multiple attack vectors, as originally demonstrated using a crafted document record with a malformed string, as demonstrated by replacing a certain "01 00 00 00" byte sequence with an "FF FF FF FF" byte sequence, possibly causing an invalid array index, in (1) an Excel .xls document, which triggers an access violation in ole32.dll; (2) an Excel .xlw document, which triggers an access violation in excel.exe; (3) a Word document, which triggers an access violation in mso.dll in winword.exe; and (4) a PowerPoint document, which triggers an access violation in powerpnt.txt. NOTE: after the initial disclosure, this issue was demonstrated by triggering an integer overflow using an inconsistent size for a Unicode "Sheet Name" string.172521015855MS06-038ADV-2006-275621012office-property-string-bo(27609)office-string-parse-bo(27607)20060710 SYMSA-2006-007: Microsoft Office Malformed String Parsing VulnerabilityTA06-192AVU#6098681888927150oval:org.mitre.oval:def:639SQL injection vulnerability in Default.asp in EzASPSite 2.0 RC3 and earlier allows remote attackers to execute arbitrary SQL commands and obtain the SHA1 hash of the admin password via the Scheme parameter.exploit 1623Advisory: EzASPSite <= 2.0 RC3 Remote SQL Injection Exploit Vulnerability.17309ADV-2006-11642425619441ezaspsite-default-sql-injection(25544)20060329 EzASPSite <= 2.0 RC3 Remote SQL Injection Exploit Vulnerability.20060329 EzASPSite <= 2.0 RC3 Remote SQL Injection Exploit Vulnerability.Stack-based buffer overflow in Python 2.4.2 and earlier, running on Linux 2.6.12.5 under gcc 4.0.3 with libc 2.3.5, allows local users to cause a "stack overflow," and possibly gain privileges, by running a script from a current working directory that has a long name, related to the realpath function. NOTE: this might not be a vulnerability. However, the fact that it appears in a programming language interpreter could mean that some applications are affected, although attack scenarios might be limited because the attacker might already need to cross privilege boundaries to cause an exploitable program to be placed in a directory with a long name; or, depending on the method that Python uses to determine the current working directory, setuid applications might be affected.Successful exploitation requires that the Python is running on Linux 2.6.12.5 under gcc 4.0.3 with libc 2.3.5exploit 1591Python <= 2.4.2 realpath() Local Stack OverflowMultiple SQL injection vulnerabilities in vscripts (aka Kuba Kunkiewicz) VNews 1.2 allow remote attackers to execute arbitrary SQL commands via the (1) loginvar parameter in (a) admin/admin.php, and the (2) news and (3) nom parameters in (b) news.php.2427324274vnews-adminnews-sql-injection(25529)17316ADV-2006-11731943520060411 [eVuln] VNews Multiple VulnerabilitiesMultiple cross-site scripting (XSS) vulnerabilities in news.php in vscripts (aka Kuba Kunkiewicz) VNews 1.2 allow remote attackers to inject arbitrary web script or HTML via the (1) autorkomentarza and (2) tresckomentarza parameters.24275vnews-news-xss(25530)17317ADV-2006-11731943520060411 [eVuln] VNews Multiple VulnerabilitiesDirect static code injection vulnerability in admin/config.php in vscripts (aka Kuba Kunkiewicz) VNews 1.2 allows remote authenticated administrators to execute code by inserting the code into variables that are stored in admin/config.php.24276vnews-config-file-include(25531)ADV-2006-11731943520060411 [eVuln] VNews Multiple VulnerabilitiesApache Software Foundation (ASF) Struts before 1.2.9 allows remote attackers to bypass validation via a request with a 'org.apache.struts.taglib.html.Constants.CANCEL' parameter, which causes the action to be canceled but would not be detected from applications that do not use the isCancelled check.[struts-user] 20060121 Validation Security Hole?[struts-devel] 20060122 Re: Validation Security Hole?17342ADV-2006-1205101585619493SUSE-SR:2006:01020117 struts-iscancelled-security-bypass(25612)ActionForm in Apache Software Foundation (ASF) Struts before 1.2.9 with BeanUtils 1.7 allows remote attackers to cause a denial of service via a multipart/form-data encoded form with a parameter name that references the public getMultipartRequestHandler method, which provides further access to elements in the CommonsMultipartRequestHandler implementation and BeanUtils.Bug 38534Bug 38534 17342ADV-2006-1205101585619493SUSE-SR:2006:01020117 struts-actionform-dos(25613)Cross-site scripting (XSS) vulnerability in (1) LookupDispatchAction and possibly (2) DispatchAction and (3) ActionDispatcher in Apache Software Foundation (ASF) Struts before 1.2.9 allows remote attackers to inject arbitrary web script or HTML via the parameter name, which is not filtered in the resulting error message.17342ADV-2006-1205101585619493SUSE-SR:2006:01020117 struts-lookupmap-xss(25614)PHP 4.4.2 and 5.1.2 allows local users to cause a crash (segmentation fault) by defining and executing a recursive function. NOTE: it has been reported by a reliable third party that some later versions are also affected.Upgrade to PHP 5.1.3-RC320060409 function *() php/apache Crash PHP 4.4.2 and 5.1.2ADV-2006-1290101588020060410 Re: function *() php/apache Crash PHP 4.4.2 and 5.1.220060412 Re: function *() php/apache Crash PHP 4.4.2 and 5.1.220060414 Re: Re: function *() php/apache Crash PHP 4.4.2 and 5.1.220060408 function *() php/apache Crash PHP 4.4.2 and 5.1.2php-function-dos(25704)244852312676Multiple buffer overflows in the xfig import code (xfig-import.c) in Dia 0.87 and later before 0.95-pre6 allow user-assisted attackers to have an unknown impact via a crafted xfig file, possibly involving an invalid (1) color index, (2) number of points, or (3) depth.20060329 Buffer overflows in Dia XFig import[dia-list] 20060329 Vulnerability in xfig import code17310101585319469MDKSA-2006:06219505DSA-1025FEDORA-2006-261USN-266-1195071954319546GLSA-200604-1419765SUSE-SR:2006:00919897RHSA-2006:028019959 diaxfig-xfig-import-bo(25566)MDKSA-2006:062Eval injection vulnerability in pajax_call_dispatcher.php in PAJAX 0.5.1 and earlier allows remote attackers to execute arbitrary code via the (1) $method and (2) $args parameters.20060413 PAJAX Remote Code Injection and File Inclusion Vulnerability17519ADV-2006-13532461819653 20060413 PAJAX Remote Code Injection and File Inclusion Vulnerability pajax-pajaxcalldispatcher-code-execution(25859)Integer overflow in ImageIO in Apple Mac OS X 10.4 up to 10.4.5 allows remote attackers to cause a denial of service (crash) via a crafted JPEG image with malformed JPEG metadata, as demonstrated using Safari, aka "Deja-Doom".17321APPLE-SA-2006-05-11TA06-132A2007717951ADV-2006-1779macos-imageio-jpeg-bo(26412)25597SQL injection vulnerability in functions/final_functions.php in VSNS Lemon 3.2.0, with magic_quotes_gpc disabled, allows remote attackers to execute arbitrary SQL commands via the id parameter.EV01061728119420101583620060406 [eVuln] VSNS Lemon Multiple Vulnerabilities24211vsns-lemon-finalfunctions-sql-injection(25456)Cross-site scripting (XSS) vulnerability in VSNS Lemon 3.2.0 allows remote attackers to inject arbitrary web script or HTML via the name parameter while adding a comment.Successful exploitation requires that the "magic_quotes_gpc" parameter is disabled.EV010619420101583620060406 [eVuln] VSNS Lemon Multiple Vulnerabilities1739524212vsns-lemon-name-xss(25457)VSNS Lemon 3.2.0 allows remote attackers to bypass authentication and access password-protected articles by setting the vsns[topic_id] cookie to the targeted topic.EV010619420101583620060406 [eVuln] VSNS Lemon Multiple Vulnerabilities1739624213vsns-lemon-cookie-auth-bypass(25459)Multiple cross-site scripting (XSS) vulnerabilities in view_caricatier.php in AL-Caricatier 2.5 allow remote attackers to inject arbitrary web script or HTML via the (1) CatName, (2) CaricatierID, or (3) CatID parameter.20060328 XSS in AL-Caricatier1728917292 alcaricatier-viewcaricatier-xss(25493)Multiple SQL injection vulnerabilities in X-Changer 0.2 allow remote attackers to execute arbitrary SQL commands via the (1) from and (2) into parameters in a calculate action, and the (3) id parameter in an edit action to index.php.20060330 X-Changer <=v0.2 Demo SQL injection17322ADV-2006-118819459xchanger-index-sql-injection(25549)24288654Cross-site scripting (XSS) vulnerability in search.php in PHP Script Index allows remote attackers to inject arbitrary web script or HTML via the search parameter.[OSVDB Mods] PHP Script Index - Cross Site Scripting17297ADV-2006-11582424319443SQL injection vulnerability in PHP Script Index allows remote attackers to execute arbitrary SQL commands via the search parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.ADV-2006-1158Multiple SQL injection vulnerabilities in SkinTech phpNewsManager 1.48 allow remote attackers to execute arbitrary SQL commands via unspecified parameters, possibly (1) id and (2) topicid, in (a) browse.php, (b) category.php, (c) gallery.php, (d) poll.php, and (e) possibly other unspecified scripts. NOTE: portions of the description details are obtained from third party information.EV011017301ADV-2006-1152phpnewsmanager-multiple-sql-injection(25512)242652426624267242681939120060408 [eVuln] phpNewsManager Multiple SQL Injections20060410 [eVuln] phpNewsManager Multiple SQL Injections680SQL injection vulnerability in index.php in vscripts (aka Kuba Kunkiewicz) [V]Book (aka VBook) 2.0 allows remote attackers to execute arbitrary SQL commands via the x parameter.Successful exploitation requires that "magic_quotes_gpc" is set to off.EV011117320ADV-2006-11742427019448vbook-index-sql-injection(25519)20060411 [eVuln] [V]Book Multiple Vulnerabilities696Multiple cross-site scripting (XSS) vulnerabilities in index.php in vscripts (aka Kuba Kunkiewicz) [V]Book (aka VBook) 2.0 allow remote attackers to inject arbitrary web script or HTML via the (1) autor, (2) www, (3) temat, and (4) tresc parameters.EV011117319ADV-2006-11742427119448vbook-index-xss(25521)20060411 [eVuln] [V]Book Multiple VulnerabilitiesDirect static code injection vulnerability in config.php in vscripts (aka Kuba Kunkiewicz) [V]Book (aka VBook) 2.0 allows remote administrators to execute arbitrary PHP code into the config file, which is included other [V]Book scripts.Successful exploitation requires that "magic_quotes_gpc" is set to off.EV0111ADV-2006-11742427219448vbook-config-file-include(25522)20060411 [eVuln] [V]Book Multiple VulnerabilitiesUntrusted search path vulnerability in libapache2-svn 1.3.0-4 for Subversion in Debian GNU/Linux includes RPATH values under the /tmp/svn directory for the (1) mod_authz_svn.so and (2) mod_dav_svn.so modules, which might allow local users to gain privileges by installing malicious libraries in that directory.Debian Bug report logs - #35923417288 libapache2-svn-file-upload(25680)Untrusted search path vulnerability in libgpib-perl 3.2.06-2 in Debian GNU/Linux includes an RPATH value under the /tmp/buildd directory for the LinuxGpib.so module, which might allow local users to gain privileges by installing malicious libraries in that directory.#35923917288 libgpib-perl-buildd-file-upload(25681)Untrusted search path vulnerability in libtunepimp-perl 0.4.2-1 in Debian GNU/Linux includes an RPATH value under the /tmp/buildd directory for the tunepimp.so module, which might allow local users to gain privileges by installing malicious libraries in that directory.#35924117288 libtunepimp-perl-buildd-file-upload(25682)Cross-site scripting (XSS) vulnerability in searchresults.asp in SiteSearch Indexer 3.5 and earlier allows remote attackers to inject arbitrary web script or HTML via the searchField parameter.SiteSearch Indexer 3.5 XSS vuln. ADV-2006-1185194671733224289sitesearch-indexer-searchfield-xss(25564)Multiple cross-site scripting (XSS) vulnerabilities in register.php in RedCMS 0.1 allow remote attackers to inject arbitrary web script or HTML via the (1) email, (2) location, or (3) website parameters.Successful exploitation requires that "magic_quotes_gpc" is disabled.EV0115ADV-2006-1186194751733624296redcms-register-xss(25577)20060413 [eVuln] RedCMS Multiple XSS and SQL Injection Vulnerabilities708Multiple SQL injection vulnerabilities in RedCMS 0.1 allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password parameters to (a) login.php or (b) register.php; or (3) u parameter to (c) profile.php.Successful exploitation requires that "magic_quotes_gpc" is disabled.EV0115ADV-2006-11861947517336242972429824299redcms-multiple-sql-injection(25578)20060413 [eVuln] RedCMS Multiple XSS and SQL Injection VulnerabilitiesCross-site scripting (XSS) vulnerability in Esqlanelapse 2.0 and 2.2 allows remote attackers to inject arbitrary web script or HTML via unknown attack vectors.Release Name: Esqlanelapse 2.5ADV-2006-11831947417331esqlanelapse-xss(25568)24300Multiple SQL injection vulnerabilities in loginprocess.php in qliteNews 2005.07.01 allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password parameters.Successful exploitation requires "magic_quotes_gpc" to be disabled.EV0114ADV-2006-11821947617333qlitenews-loginprocess-sql-injection(25565)2430120060413 [eVuln] qliteNews SQL Injection Vulnerability701SQL injection vulnerability in post.php in Oxygen 1.1.3 allows remote attackers to execute arbitrary SQL commands via the fid parameter in a newthread action.20060330 Oxygen<=1.x.x SQL injection17324ADV-2006-118119481oxygen-post-sql-injection(25570)24287658PHP remote file inclusion vulnerability in index.php in MediaSlash Gallery allows remote attackers to execute arbitrary PHP code via a URL in the rub parameter (part of the $page_menu variable).20060330 MediaSlash Gallery 'rub' variable Remote File inlcusion Vulnerability17323mediaslash-index-file-include(25583)2431320060516 Re: MediaSlash Gallery 'rub' variable Remote File inlcusion Vulnerability657Cross-site scripting (XSS) vulnerability in Groupmax World Wide Web, World Wide Web Desktop, World Wide Web for Scheduler, and Desktop for Scheduler, allows remote attackers to inject arbitrary web script or HTML via unknown attack vectors.Apply patch : http://www.hitachi-support.com/security_e/vuls_e/HS06-005_e/index-e.htmlADV-2006-11801948317337groupmax-www-xss(25574)24295Multiple cross-site scripting (XSS) vulnerabilities in news.php in QLnews 1.2 allow remote attackers to inject arbitrary web script or HTML via the (1) autorx and (2) newsx parameters.1733519479qlnews-news-xss(25546)2429020060412 [eVuln] QLnews XSS and PHP Code Insertion Vulnerabilities699Direct static code injection vulnerability in QLnews 1.2 allows remote authenticated administrators to execute arbitrary PHP code by modifying config.php.1733519479qlnews-config-file-include(25548)2429120060412 [eVuln] QLnews XSS and PHP Code Insertion VulnerabilitiesMultiple cross-site scripting (XSS) vulnerabilities in view_all_set.php in Mantis 1.0.1, 1.0.0rc5, and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) start_day, (2) start_year, and (3) start_month parameters.17326ADV-2006-11841947124292mantis-viewallset-script-xss(25579)DSA-113321400Multiple SQL injection vulnerabilities in Keystone Digital Library Suite (DLS) 1.5.4 and earlier allow remote attackers to execute arbitrary SQL commands via the subject_type_id parameter in (1) the index page and (2) the search module.keystonedls-subjecttypeid-sql-injection(25571)SQL injection vulnerability in topics.php in Dynamic Bulletin Board System (DbbS) 2.0-alpha and earlier allows remote attackers to execute arbitrary SQL commands via the limite parameter.20060331 DbbS<=2.0-alpha SQL injection17338dbbs-topics-sql-injection(25584)Multiple cross-site scripting (XSS) vulnerabilities in Bugzero 4.3.1 and other versions allow remote attackers to inject arbitrary web script or HTML via the (1) msg parameter in query.jsp and (2) entryId parameter in edit.jsp.17351ADV-2006-119519492bugzero-query-edit-xss(25601) 24328 24329Directory traversal vulnerability in index.php in Blank'N'Berg 0.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the _path parameter.1734510158542437319520 blanknberg-index-directory-traversal(25617)Cross-site scripting (XSS) vulnerability in index.php in Blank'N'Berg 0.2 allows remote attackers to inject arbitrary web script or HTML via the _path parameter. NOTE: this might be resultant from the directory traversal issue.1734610158542437419520 blanknberg-index-xss(25618)Cross-site scripting (XSS) vulnerability in index.php in Warcraft III Replay Parser for PHP 1.8c allows remote attackers to inject arbitrary web script or HTML via the page parameter. NOTE: post-disclosure analysis by CVE suggests that the "page" parameter is not used in this product, and "id" might be the affected parameter.20060331 Warcraft III Replay Parser Script Remote Command Exucetion Vulnerability And Cross-Site Scripting Attacking17334 warcraft3-replay-parser-index-xss(25685)Unspecified vulnerability in index.php in Warcraft III Replay Parser for PHP 1.8c allows remote attackers to inject arbitrary web script or HTML via the page parameter, possibly related to fopen function calls or file uploads. NOTE: post-disclosure analysis by CVE suggests that the "page" parameter is not used in this product, and "id" might be the affected parameter.20060331 Warcraft III Replay Parser Script Remote Command Exucetion Vulnerability And Cross-Site Scripting Attacking17334 warcraft3-replay-parser-index-file-include(25686)Multiple SQL injection vulnerabilities in MonAlbum 0.8.7 allow remote attackers to execute arbitrary SQL commands via (1) the pc parameter in (a) index.php and (2) pnom, (3) pcourriel, and (4) pcommentaire parameters in (b) image_agrandir.php.20060330 MonAlbum 0.8.7 SQL Injectionmonalbum-image-imageagrandir-sql-injection(25572)17327ADV-2006-120619503660SQL injection vulnerability in admin_login.asp in ISP of Egypt SiteMan allows remote attackers to execute arbitrary SQL commands via the pass parameter.20060401 SiteMan <= All version SQL injection in admin_login.asp17347ADV-2006-11901950024362siteman-adminlogin-sql-injection(25595)NetBSD 1.6 up to 3.0, when a user has "set record" in .mailrc with the default umask set, creates the record file with 0644 permissions, which allows local users to read the record file.10158471946524258bsd-mailrc-insecure-permissions(25581)The bridge ioctl (if_bridge code) in NetBSD 1.6 through 3.0 does not clear sensitive memory before copying ioctl results to the requesting process, which allows local users to obtain portions of kernel memory.NetBSD-SA2006-0051731210158461946424262bsd-ifbridge-information-disclosure(25582)The elf_load_file function in NetBSD 2.0 through 3.0 allows local users to cause a denial of service (kernel crash) via an ELF interpreter that does not have a PT_LOAD section in its header, which triggers a null dereference.The NetBSD 2.x versions are only affected if the kernel is compiled with the USE_TOPDOWN_VM option (not default in generic kernels).NetBSD-SA2006-0081015848netbsd-elfloadfile-dos(25690)24576Cross-site scripting (XSS) vulnerability in the PrintFreshPage function in (1) Basic Analysis and Security Engine (BASE) 1.2.4 and (2) Analysis Console for Intrusion Databases (ACID) 0.9.6b23 allows remote attackers to inject arbitrary web script or HTML via the (a) back parameter to base_graph_main.php, (b) netmask parameter to base_stat_ipaddr.php, or (c) submit parameter to base_qry_alert.php within BASE, or (d) query string to acid_main.php in ACID, which causes the request URI ($_SERVER['REQUEST_URI']) to be inserted into a refresh operation.Analysis Console for Intrusion Databases - The vendor has discontinued this product and therefore has no patch or upgrade that mitigates this problem. Basic Analysis and Security Engine - Upgrade to cvs version or version 1.2.5 (daiga) or higher, as it has been reported to fix this vulnerability. [secureideas-base-devel] 20060328 3 XSS in BASE 1.2.4243072083517391ADV-2006-126419544base-multiple-scripts-xss(25671)Heap-based buffer overflow in Microsoft Windows Help winhlp32.exe allows user-assisted attackers to execute arbitrary code via crafted embedded image data in a .hlp file.20060331 Windows Help Heap Overflowadvisory #15 - Windows Help Heap Overflow17325win-winhlp32-hlp-bo(25573)20060413 Windows Help Heap Overflow700Buffer overflow in the is_client_wad_ok function in w_wad.cpp for (1) Zdaemon 1.08.01 and (2) X-Doom allows remote attackers to execute arbitrary code via a long filename argument.20060331 Buffer-overflow and in-game crash in Zdaemon 1.08.01ADV-2006-11991950917340ADV-2006-11981949620060331 Buffer-overflow and in-game crash in Zdaemon 1.08.01zdaemon-isclientwadok-bo(25592)The (1) ZD_MissingPlayer, (2) ZD_UseItem, and (3) ZD_LoadNewClientLevel functions in sv_main.cpp for (a) Zdaemon 1.08.01 and (b) X-Doom allows remote attackers to cause a denial of service (crash) via an invalid player slot or item number, which causes an invalid memory access, possibly due to an invalid array index.20060331 Buffer-overflow and in-game crash in Zdaemon 1.08.01ADV-2006-11991950917340ADV-2006-11981949620060331 Buffer-overflow and in-game crash in Zdaemon 1.08.01zdaemon-memory-access-dos(25593)662Multiple directory traversal vulnerabilities in document/rqmkhtml.php in Claroline 1.7.4 and earlier allow remote attackers to use ".." (dot dot) sequences to (1) read arbitrary files via the file parameter in a rqEditHtml command to document/rqmkhtml.php or (2) execute arbitrary code via the includePath parameter to learnPath/include/scormExport.inc.php.Successful exploitation requires that "register_globals" is enabled.exploit 1627ADV-2006-11871946117343claroline-rqmkhtml-directory-traversal(25561)Cross-site scripting (XSS) vulnerability in document/rqmkhtml.php in Claroline 1.7.4 and earlier allows remote attackers to read arbitrary files via ".." sequences in the file parameter in a rqEditHtml command.Successful exploitation requires that "register_globals" is enabled.exploit 162720060331 Re: [Full-disclosure] Claroline <= 1.7.4 (scormExport.inc.php) Remote Code Execution Exploit by rgod17344ADV-2006-11872428519461claroline-rqmkhtml-xss(25562)24284 1627PHP remote file inclusion vulnerability in learnPath/include/scormExport.inc.php in Claroline 1.7.4 and earlier allows remote attackers to execute arbitrary PHP code via the includePath parameter.20060331 Claroline <= 1.7.4 (scormExport.inc.php) Remote Code Execution Exploit by rgod17341ADV-2006-118719461claroline-scormexportinc-file-include(25563)24286 1627AN HTTPD 1.42n, and possibly other versions before 1.42p, allows remote attackers to obtain source code of scripts via crafted requests with (1) dot and (2) space characters in the file extension.20060403 Secunia Research: AN HTTPD Script Source Disclosure VulnerabilityAN HTTPD Script Source Disclosure Vulnerability 17350ADV-2006-120019326243231015858anhttpd-script-source-disclosure(25591)Unspecified vulnerability in VCEngine.php in v-creator before 1.3-pre3, when the VC_CRYPTO_METHOD option is OPENSSL, allows remote attackers to execute arbitrary commands, possibly due to problems in the (1) enrypt and (2) decrypt functions.17328ADV-2006-118919453vcreator-vcengine-command-execution(25560)24304SQL injection vulnerability in category.php in PhpWebGallery 1.4.1 allows remote attackers to execute arbitrary SQL commands via the search parameter.20060403 Phpwebgallery <= 1.4.1 SQL injection Vulnerability669Unspecified vulnerability in SunPlex Manager in Sun Cluster 3.1 4/04 allows local users with solaris.cluster.gui authorization to view arbitrary files via unspecified vectors.10227817313ADV-2006-1175101584919444suncluster-sunplex-information-disclosure(25543)PHP remote file inclusion vulnerability in includes/functions_common.php in the VWar Account module (vWar_Account) in PHPNuke Clan 3.0.1 allows remote attackers to include arbitrary files via a URL in the vwar_root2 parameter. NOTE: it is possible that this issue stems from a problem in VWar itself, but this is not clear.20060401 PHPNuke-Clan 3.0.1 Remote File Inclusion Exploit17356ADV-2006-120219501phpnukeclan-functionscommon-file-include(25609) 24481Cross-site scripting (XSS) vulnerability in profile.php in phpBB 2.0.19 allows remote attackers to inject arbitrary web script or HTML via the cur_password parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.17355ADV-2006-11911949424353phpbb-profile-script-xss(25599)Unspecified vulnerability in Exponent CMS before 0.96.5 RC 1 has unknown impact and remote attack vectors related to variables that are not "typecasted."17357ADV-2006-120119498Unspecified vulnerability in the image module in Exponent CMS before 0.96.5 RC 1 allows remote attackers to execute arbitrary code via unknown vectors involving "parsed PHP."17357ADV-2006-12011949824358Unspecified vulnerability in the image module in Exponent CMS before 0.96.5 RC 1 allows "directory disclosure" with unknown attack vectors.17357ADV-2006-120119498Unspecified vulnerability in the banner module in Exponent CMS before 0.96.5 RC 1 allows "php injection" via unknown attack vectors.17357ADV-2006-12011949824358exponent-banner-php-command-execution(25610)The copy function in file.c in PHP 4.4.2 and 5.1.2 allows local users to bypass safe mode and read arbitrary files via a source argument containing a compress.zlib:// URI.SecurityAlert Id : 371959920060409 copy() Safe Mode Bypass PHP 4.4.2 and 5.1.2ADV-2006-12901015882MDKSA-2006:074USN-320-11743920060718 new shell bypass safe mode20060723 Re: new shell bypass safe mode 20060408 copy() Safe Mode Bypass PHP 4.4.2 and 5.1.2 19775 21125 php-copy-safemode-bypass(25706)MDKSA-2006:07424487678Unspecified vulnerability in Hitachi XFIT/S, XFIT/S/JCA, XFIT/S/ZGN, and XFIT/S ZENGIN TCP/IP Procedure allows remote attackers to cause a denial of service (server process and transfer control process stop) when the products "receive data unexpectedly".173291947224309xfits-data-dos(25567)PHP remote file inclusion vulnerability in lib/armygame.php in SQuery 4.5 and earlier, as used in products such as Autonomous LAN party (ALP), allows remote attackers to execute arbitrary PHP code via a URL in the libpath parameter. NOTE: this only occurs when register_globals is disabled.20060401 SQuery <= 4.5 Remote File Inclusion ExploitADV-2006-1204194822440017434squery-file-include(25605)Directory traversal vulnerability in KGB Archiver before 1.1.5.22 allows remote attackers to overwrite arbitrary files wile decompressing an archive, possibly due to directory traversal sequences in a filename.This vulnerability affects all versions of KGB, Archiver before 1.1.5.22Release Name: v1.1.5.22ADV-2006-12071951117363kgb-archiver-archive-directory-traversal(25606)Multiple cross-site scripting (XSS) vulnerabilities in visview.php in aWebNews 1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) yname, (2) emailadd, (3) subject, and (4) comment parameters.Successful exploitation requires that "magic_quotes_gpc" is disabled. EV0116ADV-2006-11961948724333awebnews-visview-xss(25589)20060414 [eVuln] aWebNews Multiple XSS and SQL Injection Vulnerabilities707Multiple SQL injection vulnerabilities in aWebNews 1.0 allow remote attackers to execute arbitrary SQL commands via the (1) user123 variable in (a) login.php or (b) fpass.php; or (2) cid parameter to (c) visview.php.Condition: magic_quotes_gpc = off EV0116ADV-2006-119619487243342433524336awebnews-multiple-sql-injection(25590)20060414 [eVuln] aWebNews Multiple XSS and SQL Injection VulnerabilitiesInteger overflow in the cli_scanpe function in the PE header parser (libclamav/pe.c) in Clam AntiVirus (ClamAV) before 0.88.1, when ArchiveMaxFileSize is disabled, allows remote attackers to cause a denial of service and possibly execute arbitrary code.DSA-102417388ADV-2006-1258195341953620060406 [Overflow.pl] Clam AntiVirus Win32-UPX Heap Overflow (not default configuration)GLSA-200604-06MDKSA-2006:0672006-002019570SUSE-SA:2006:020196081956419567244571015887APPLE-SA-2006-05-11TA06-132A2007717951ADV-2006-177923719 clamav-pe-overflow(25660)MDKSA-2006:067Multiple format string vulnerabilities in the logging code in Clam AntiVirus (ClamAV) before 0.88.1 might allow remote attackers to execute arbitrary code. NOTE: as of 20060410, it is unclear whether this is a vulnerability, as there is some evidence that the arguments are actually being sanitized properly.Release Name: 0.88.1DSA-102417388ADV-2006-12581953419536GLSA-200604-06MDKSA-2006:0672006-002019570SUSE-SA:2006:02019608195641956724458APPLE-SA-2006-05-11TA06-132A2007717951ADV-2006-177923719 clamav-output-format-string(25661)MDKSA-2006:067Multiple SQL injection vulnerabilities in Advanced Poll 2.02 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to comments.php or (2) poll_id parameter to page.php.advancedpoll-comments-page-sql-injection(25676)Multiple cross-site scripting (XSS) vulnerabilities in Advanced Poll 2.02 allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to comments.php or (2) poll_id parameter to page.php. NOTE: it is possible that this issue is resultant from CVE-2006-1616.advancedpoll-comments-page-xss(25677)Format string vulnerability in the (1) Con_message and (2) conPrintf functions in con_main.c in Doomsday engine 1.8.6 allows remote attackers to execute arbitrary code via format string specifiers in an argument to the JOIN command, and possibly other command arguments.ADV-2006-12211951520060403 Format string in Doomsday 1.8.6GLSA-200604-051736910158601951920060403 Format string in Doomsday 1.8.6doomsday-conmessage-conprintf-format-string(25622)IBM WebSphere Application Server 4.0.1 through 4.0.3 allows remote attackers to cause a denial of service (application crash) via an HTTP request with a large header.PQ62144ADV-2006-12141015857websphere-http-header-dos(25619)admin/accounts/AccountActions.asp in Hosting Controller 2002 RC 1 allows remote attackers to modify passwords of other users, probably via an "Update User" ActionType with a modified UserName parameter and the PassCheck parameter set to TRUE. It was later reported that the vulnerability is present in 6.1 Hotfix 3.3 and earlier.20060402 Hosting Controller AccountActions.asp and saveuploadfiles.asp vulns (PoC)hosting-controller-accountactions-password(25673)2477320071213 Hosting Controller - Multiple Security Bugs (Extremely Critical)473026862hostingcontroller-multiple-security-bypass(39038)28973Directory traversal vulnerability in admin/folders/saveuploadfiles.asp in Hosting Controller 2002 RC 1 allows remote authenticated users to overwrite arbitrary files via an absolute path in the OpenPath parameter.20060402 Hosting Controller AccountActions.asp and saveuploadfiles.asp vulns (PoC)hosting-controller-Saveupload-file-upload(25675)24772Cross-site scripting (XSS) vulnerability in PHPSelect linksubmit allows remote attackers to inject arbitrary web script or HTML via (1) the description parameter to linklist.php and possibly other vectors involving (2) index.php and (3) linksubmit.php.20060401 linksubmit <= All version Html Tag Injector in index.phplinksubmit-linksubmit-xss(25607)Unspecified vulnerability in main.php in an unspecified "file created by Andries Bruinsma," possibly a FleXiBle Development (FXB) application, allows remote attackers to include and execute arbitrary PHP code. NOTE: this disclosure is extremely vague and has very little information about the specific vulnerability type. In addition, there is little public information on the named product. Finally, an XSS vector is implied in the subject line, but because there is no other information and evidence of a cut-and-paste error, it will not be assigned a separate CVE identifier unless additional information is provided.20060401 FleXiBle Development Script Remote Command Exucetion And XSS Attacking[VIM] 20060404 FleXiBle Development Script Remote Command Exucetion And XSS Attacking20060405 Re: FleXiBle Development Script Remote Command Exucetion And XSS Attackingflexible-development-main-command-execution(25600)flexible-development-main-xss(25603)The default configuration of syslogd in the Linux sysklogd package does not enable the -x (disable name lookups) option, which allows remote attackers to cause a denial of service (traffic amplification) via messages with spoofed source IP addresses.20060331 DoS-ing sysklogd?20060402 RE: DoS-ing sysklogd? sysklogd-sourceip-dos(25672)Cross-site scripting (XSS) vulnerability in inc/functions_post.php in MyBB (aka MyBulletinBoard) 1.10 allows remote attackers to inject arbitrary web script or HTML via a JavaScript event in a BBCode email tag, as demonstrated using the onmousemove event.20060402 MyBB 1.10 New CrossSiteScripting17368ADV-2006-12161951624375mybb-email-img-bbcode-xss(25615)Internet Explorer 6 for Windows XP SP2 and earlier allows remote attackers to spoof the address bar and possibly conduct phishing attacks by re-opening the window to a malicious Shockwave Flash application, then changing the window location back to a trusted URL while the Flash application is still loading. NOTE: this is a different vulnerability than CVE-2006-1192.This vulnerability affects any version of Windows OS previous to XP SP2 that is using Internet Explorer 6.020060403 Another Internet Explorer Address Bar Spoofing Vulnerability20060404 Another way to spoof Internet Explorer Address Bar17404ADV-2006-121819521MS06-021ADV-2006-2319101629120060721 about bid 17404oval:org.mitre.oval:def:1600oval:org.mitre.oval:def:1604oval:org.mitre.oval:def:1806oval:org.mitre.oval:def:1842oval:org.mitre.oval:def:1881oval:org.mitre.oval:def:1918 ie-swf-addressbar-spoofing(25634)Adobe Document Server for Reader Extensions 6.0 does not provide proper access control, which allows remote authenticated users to perform privileged actions by modifying the (1) actionID and (2) pageID parameters. NOTE: due to an error during reservation, this identifier was inadvertently associated with multiple issues. Other CVE identifiers have been assigned to handle other problems that are covered by the same disclosure.ADV-2006-13421592420060413 Secunia Research: Adobe Document Server for Reader ExtensionsMultiple Vulnerabilities175001015905 adobe-access-control-bypass(25769)Adobe LiveCycle Workflow 7.01 and LiveCycle Forum Manager 7.01 allows users to authenticate and perform privileged actions when their account is marked "OBSOLETE" but the account is also active, within the authentication system.1962017511ADV-2006-13431015906 adobe-livecycle-information-disclosure(25779)OpenVPN 2.0 through 2.0.5 allows remote malicious servers to execute arbitrary code on the client by using setenv with the LD_PRELOAD environment variable.OpenVPN version 2.0.6 fixes this vulnerability. Virtual Private Networks Made EasyOpenVPN 2.0.x Change LogEmail Archive17392ADV-2006-126119531MDKSA-2006:0692444419598DSA-1045SUSE-SR:2006:0091983719897openvpn-ldpreload-code-execution(25667)MDKSA-2006:069The cli_bitset_set function in libclamav/others.c in Clam AntiVirus (ClamAV) before 0.88.1 allows remote attackers to cause a denial of service via unspecified vectors that trigger an "invalid memory access."DSA-102417388ADV-2006-12581953419536GLSA-200604-06MDKSA-2006:0672006-002019570SUSE-SA:2006:02019608195641956724459APPLE-SA-2006-05-11TA06-132A2007717951ADV-2006-177923719 clamav-others-dos(25662)MDKSA-2006:067Unspecified vulnerability in the HTTP compression functionality in Cisco CSS 11500 Series Content Services switches allows remote attackers to cause a denial of service (device reload) via (1) "valid, but obsolete" or (2) "specially crafted" HTTP requests.20060405 Cisco 11500 Content Services Switch HTTP Request Vulnerability17383ADV-2006-125710158701955224433cisco-css-http-comp-dos(25642)Cross-site scripting (XSS) vulnerability in index.php in LucidCMS 2.0.0 RC4 allows remote attackers to inject arbitrary web script or HTML via the command parameter.20060402 Multiple Vulnerabilities in LucidCMS17360 lucidcms-index-login-panel-xss(25632)LucidCMS 2.0.0 RC4 allows remote attackers to obtain sensitive information via a direct request to /lucid_phplib/translator.php, which reveals the path in an error message.20060402 Multiple Vulnerabilities in LucidCMS lucidcms-translator-path-disclosure(25633)PHP remote file inclusion vulnerability in get_header.php in VWar 1.5.0 R12 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the vwar_root parameter. NOTE: this is a different vulnerability than CVE-2006-1503.1735820060402 VWar <= 1.5.0 R12 Remote File Inclusion ExploitADV-2006-122819524 24480Multiple cross-site scripting (XSS) vulnerabilities in aWebBB 1.2 allow remote attackers to inject arbitrary web script or HTML via the (1) tname or (2) fpost parameters to (a) post.php; (3) fullname, (4) emailadd, (5) country, (6) sig, or (7) otherav parameters to (b) editac.php; or (8) fullname, (9) emailadd, or (10) country parameters to (c) register.php.1948617352ADV-2006-1197243372433824339awebbb-multiple-xss(25585)20060415 [eVuln] aWebBB Multiple XSS and SQL Injection VulnerabilitiesMultiple SQL injection vulnerabilities in aWebBB 1.2 allow remote attackers to execute arbitrary SQL commands via the (1) Username parameter to (a) accounts.php, (b) changep.php, (c) editac.php, (d) feedback.php, (e) fpass.php, (f) login.php, (g) post.php, (h) reply.php, or (i) reply_log.php; (2) p parameter to (j) dpost.php; (3) c parameter to (k) list.php or (l) ndis.php; or (12) q parameter to (m) search.php.Successful exploitation requires "magic_quotes_gpc" to be disabled.EV01171948617352ADV-2006-119724340243412434224343243442434524346243472434824349243502435124352awebbb-multiple-sql-injection(25587)20060415 [eVuln] aWebBB Multiple XSS and SQL Injection VulnerabilitiesSQL injection vulnerability in index.php in wpBlog 0.4 allows remote attackers to execute arbitrary SQL commands via the postid parameter.Successful exploitation requires that "magic_quotes_gpc" is disabled. This vulnerability may affect all previous versions of Wire Plastik Design, wpBlog before 0.4EV0119ADV-2006-1238195381738124385wpblog-index-sql-injection(25628)20060417 [eVuln] Wire Plastik wpBlog SQL Injection Vulnerability1015951734Cross-site scripting (XSS) vulnerability in news.php in CzarNews 1.14 allows remote attackers to inject arbitrary web script or HTML via the email parameter.ADV-2006-123719541173802438120060417 [eVuln] CzarNews XSS and Multiple SQL Injection Vulnerabilities1015957 czarnews-news-xss(25623)732Multiple SQL injection vulnerabilities in CzarNews 1.14 allow remote attackers to execute arbitrary SQL commands via the (1) usern or (2) passw parameters to (a) cn_auth.php, (3) s parameter to (b) news.php, or (4) a parameter to (c) dpost.php.Successful exploitation requires that "magic_quotes_gpc" is disabled.EV0118ADV-2006-1237195411738024382243832438420060417 [eVuln] CzarNews XSS and Multiple SQL Injection Vulnerabilities1015957 czarnews-multiple-sql-injection(25624)Cross-site scripting (XSS) vulnerability in Interact 2.1.1 allows remote attackers to inject arbitrary web script or HTML via (1) the search_terms parameter to (a) search.php, and (2) the first_name, (3) last_name, (4) email, (5) password, and (6) confirm_password parameters to (b) userinput.php. NOTE: the provenance of this information is unknown; the details are obtained from third party. In addition, the lack of precision in the third party descriptions makes it unclear whether the named vectors are correct.ADV-2006-1244194882438924461interact-search-xss(25652)SQL injection vulnerability in login.php in Interact 2.1.1 allows remote attackers to execute arbitrary SQL commands via the user_name parameter. NOTE: the provenance of this information is unknown; the details are obtained from third party.ADV-2006-1244194881738524390interact-login-sql-injection(25653)login.php in Interact 2.1.1 generates different responses depending on whether or not a username is valid, which allows remote attackers to determine valid usernames. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.ADV-2006-12441948824388interact-login-error-info-disclosure(25651)Cross-site scripting (XSS) vulnerability in Anton Vlasov and Rostislav Gaitkuloff ReloadCMS 1.2.5 and earlier allows remote attackers to inject arbitrary web script or HTML and gain leverage to execute arbitrary PHP code via the User-Agent HTTP header, which is displayed by admin/modules/general/statistic.php in the administration panel.20060402 ReloadCMS <= 1.2.5stable Cross site scripting / remote command execution17353ADV-2006-11931947024327 reloadcms-useragent-xss(25604)The Internet Key Exchange version 1 (IKEv1) implementation (isakmp_agg.c) in the Shoichi Sakane KAME Project racoon, as used by NetBSD 1.6, 2.x before 20060119, certain FreeBSD releases, and possibly other distributions of BSD or Linux operating systems, when running in aggressive mode, allows remote attackers to cause a denial of service (daemon crash) via crafted IKE packets, as demonstrated by the PROTOS ISAKMP Test Suite for IKEv1.19463An unspecified "logical programming mistake" in SMART SynchronEyes Student and Teacher 6.0, and possibly earlier versions, allows remote attackers to cause a denial of service via a large packet to the Teacher discovery port (UDP port 5496), which causes a thread to terminate and prevents communications on that port.20060404 SMART Technologies SynchronEyes Remote Denial of Services17373ADV-2006-1241101586919535 synchroneyes-datagram-dos(25659)SMART SynchronEyes Student and Teacher 6.0, and possibly earlier versions, allows remote attackers to cause a denial of service (memory consumption) via a certain packet to the Teacher discovery port that causes SynchronEyes to connect to the attacker's machine and read a value that is used as a parameter to malloc.20060404 SMART Technologies SynchronEyes Remote Denial of Services17373ADV-2006-124110158691953524392 synchroneyes-packet-dos(25663)The "restore to" selection in the "quarantine a file" capability of ESET NOD32 before 2.51.26 allows a restore to any directory that permits read access by the invoking user, which allows local users to create new files despite write-access directory permissions.ESET NOD32 Antivirus version 2.51.26 fixes this vulnerability. All versions of this product prior to 2.51.26 are vulnerable.20060404 NOD32 local privilege escalation vulnerability1737419054ADV-2006-1242101586724393nod32-restoreto-file-upload(25640)672Firefox 1.5.0.1 allows remote attackers to spoof the address bar and possibly conduct phishing attacks by re-opening the window to a malicious Shockwave Flash application, then changing the window location back to a trusted URL while the Flash application is still loading. NOTE: a followup was unable to replicate this issue.20060404 Re: Another Internet Explorer Address Bar Spoofing Vulnerability20060406 Re: Re: Another Internet Explorer Address Bar Spoofing Vulnerabilityie-swf-addressbar-spoofing(25634)** DISPUTED ** Microsoft ISA Server 2004 allows remote attackers to bypass certain filtering rules, including ones for (1) ICMP and (2) TCP, via IPv6 packets. NOTE: An established researcher has disputed this issue, saying that "Neither ISA Server 2004 nor Windows 2003 Basic Firewall support IPv6 filtering ... This is different network protocol."This vulnerability has been disputed.20060403 Bypassing ISA Server 2004 with IPv620060404 Re: Bypassing ISA Server 2004 with IPv620060405 Re: Re: Bypassing ISA Server 2004 with IPv620060410 Re: Bypassing ISA Server 2004 with IPv6Multiple buffer overflows in (a) UltraVNC (aka Ultr@VNC) 1.0.1 and earlier and (b) tabbed_viewer 1.29 (1) allow user-assisted remote attackers to execute arbitrary code via a malicious server that sends a long string to a client that connects on TCP port 5900, which triggers an overflow in Log::ReallyPrint; and (2) allow remote attackers to cause a denial of service (server crash) via a long HTTP GET request to TCP port 5800, which triggers an overflow in VNCLog::ReallyPrint.There are two seperate vulnerabilities here; One allows escalated priveleges to authenticated users, the other allows remote unauthenticated users to cause a Denial of Service (DoS).20060404 Buffer-overflow in Ultr@VNC 1.0.1 viewer and serverexploit 1642exploit 16431737820060405 Re: Buffer-overflow in Ultr@VNC 1.0.1 viewer and serverADV-2006-12401951320060411 Re: Buffer-overflow in Ultr@VNC 1.0.1 viewer POC 20060404 Buffer-overflow in Ultr@VNC 1.0.1 viewer and server ultr@vnc-vnclogreallyprint-bo(25650) untr@vnc-error-bo(25648)674PHP remote file inclusion vulnerability in loadkernel.php in AngelineCMS 0.8.1 allows remote attackers to execute arbitrary PHP code via a URL in the installPath parameter.1737120060404 [ECHO_ADV_27$2006] AngelineCMS 0.8.1 Installpath Remote File Inclusion24610 angelinecms-loadkernel-file-include(25658)Directory traversal vulnerability in the HP Color LaserJet 2500 Toolbox and Color LaserJet 4600 Toolbox on Microsoft Windows before 20060402 allows remote attackers to read arbitrary files via a .. (dot dot) in an HTTP GET request to TCP port 5225.20060404 [SEC-1 LTD] HP Colour LaserJet 2500 and 4600 Toolbox Directory Traversal VulnerabilityHPSBPI210917367ADV-2006-12301015862HPSBPI210920060404 [SEC-1 LTD] HP Colour LaserJet 2500 and 4600 Toolbox Directory Traversal Vulnerability1952924396hp-laserjet-toolbox-directory-traversal(25627)Multiple buffer overflows in mpg123 0.59r allow user-assisted attackers to trigger a segmentation fault and possibly have other impacts via a certain MP3 file, as demonstrated by mpg1DoS3. NOTE: this issue might be related to CVE-2004-0991, but it is not clear.mpg123 DoS Proof of Concept17365DSA-10742024020275MDKSA-2006:09220281MDKSA-2006:092vserver in util-vserver 0.30.209 executes a command as root when the suexec userid parameter is invalid and non-numeric, which might cause local users to inadvertently execute dangerous commands as root.#36043817361Cross-site scripting (XSS) vulnerability in index.php in Chucky A. Ivey N.T. 1.1.0 allows remote attackers to inject arbitrary web script or HTML via the username parameter, which is not filtered when the administrator views the "Login Log" page.ADV-2006-12431952620060419 [eVuln] N.T. Version 1.1.0 XSS and PHP Code Insertion Vulnerabilities1738724397 nt-index-xss(25638)741Direct static code injection vulnerability in ticker.db.php in Chucky A. Ivey N.T. 1.1.0 allows remote administrators to insert arbitrary PHP code into the config file, which is included other N.T. scripts.ADV-2006-12431952620060419 [eVuln] N.T. Version 1.1.0 XSS and PHP Code Insertion Vulnerabilities1738724398 nt-ticker-file-include(25639)Multiple SQL injection vulnerabilities in Softbiz Image Gallery allow remote attackers to execute arbitrary SQL commands via the (1) id parameter in image_desc.php, (2) provided parameter in template.php, (3) cid parameter in suggest_image.php, (4) img_id parameter in insert_rating.php, and (5) cid parameter in images.php.This vulnerability most likely affects all versions of Softbiz, Image Gallery.20060331 SQL Injection in Softbiz Image Gallery17339ADV-2006-1217195232436824369243702437124372 softbizimagegallery-multiple-sql-injection(25616)Cross-site scripting (XSS) vulnerability in image_desc.php in Softbiz Image Gallery allows remote attackers to inject arbitrary web script or HTML via msg parameter. NOTE: the provenance of this information is unknown; the details are obtained from third party information.This vulnerability most likely affects all versions of Softbiz, Image Gallery.ADV-2006-121719523Multiple cross-site scripting (XSS) vulnerabilities in SKForum 1.5 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) areaID parameter in area.View.action, (2) time parameter in planning.View.action, and (3) userID parameter in user.View.action.SKForum XSS vuln. 17389ADV-2006-126024430244312443219484skforum-multiple-xss(25641)The frontpage option in Limbo CMS 1.0.4.2 and 1.0.4.1 allows remote attackers to execute arbitrary PHP commands via the Itemid parameter in index.php.20060228 Limbo CMS code execution20060404 Re: Limbo CMS code execution16902 20060228 Limbo CMS code execution limbocms-index-code-execution(24992)519** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2006-0996. Reason: This candidate is a reservation duplicate of CVE-2006-0996. Notes: All CVE users should reference CVE-2006-0996 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.Buffer overflow in xine_list_delete_current in libxine 1.14 and earlier, as distributed in xine-lib 1.1.1 and earlier, allows remote attackers to execute arbitrary code via a crafted MPEG stream.173701015868GLSA-200604-161985319856 xinelib-mpeg-bo(25670)FEDORA-2008-1043FEDORA-2008-104728666Multiple cross-site scripting (XSS) vulnerabilities in Arab Portal 2.0.1 stable allow remote attackers to inject arbitrary web script or HTML via the (1) adminJump and (2) forum_middle parameters in (a) forum.php, and the (3) form parameter in (b) members.php, (c) pm.php, and (d) mail.php.20060404 ArabPortal 2.0.1 Stable [ 9 CrossSiteScripting & 1 SQL Injection ] MultBugz17375 arabportal-multiple-xss(25657)SQL injection vulnerability in forum.php in Arab Portal 2.0.1 stable allows remote attackers to execute arbitrary SQL commands via the mineID parameter.20060404 ArabPortal 2.0.1 Stable [ 9 CrossSiteScripting & 1 SQL Injection ] MultBugz17375 arabportal-forum-sql-injection(25656)644SQL injection vulnerability in slides.php in Eric Gerdes Crafty Syntax Image Gallery (CSIG) (aka PHP thumbnail Photo Gallery) 3.1g and earlier allows remote authenticated users to execute arbitrary SQL commands via the limitquery_s parameter when the $projectid variable is less than 1, which prevents the $limitquery_s from being set within slides.php.17379ADV-2006-12391947824386crafty-slides-sql-injection(25654)newimage.php in Eric Gerdes Crafty Syntax Image Gallery (CSIG) (aka PHP thumbnail Photo Gallery) 3.1g and earlier allows remote authenticated users to upload and execute arbitrary PHP code via a multipart/form-data POST with a .jpg filename in the fullimage parameter and the ext parameter set to .php.Successful exploitation requires privileges to upload images. This product is also known as PHP thumbnail Photo Gallery.exploit 164517379ADV-2006-12391947824387crafty-http-post-code-execution(25655)SQL injection vulnerability in chat/messagesL.php3 in phpHeaven Team PHPMyChat 0.14.5 and earlier allows remote attackers to execute arbitrary SQL commands via the T parameter. NOTE: this issue can be leveraged to execute arbitrary shell commands since the username is later processed in an eval() call, but since the username originated from the SQL injection, it could be a resultant issue.exploit 16461738220060405 PHPMyChat <= 0.14.5 remote commands execution1015873 phpmychat-messagesl-sql-injection(25687)Control cards for Cisco Optical Networking System (ONS) 15000 series nodes before 20060405 allow remote attackers to cause a denial of service (memory exhaustion and possibly card reset) by sending an invalid response when the final ACK is expected, aka bug ID CSCei45910.20060405 Cisco Optical Networking System 15000 Series and Cisco Transport Controller Vulnerabilities17384ADV-2006-125610158721955324434 cisco-ons-iplan-ack-dos(25643)Control cards for Cisco Optical Networking System (ONS) 15000 series nodes before 20060405 allow remote attackers to cause a denial of service (card reset) via (1) a "crafted" IP packet to a device with secure mode EMS-to-network-element access, aka bug ID CSCsc51390; (2) a "crafted" IP packet to a device with IP on the LAN interface, aka bug ID CSCsd04168; and (3) a "malformed" OSPF packet, aka bug ID CSCsc54558.The vendor has released fixes to address these issues.20060405 Cisco Optical Networking System 15000 Series and Cisco Transport Controller Vulnerabilities17384ADV-2006-1256101587219553244352443624437 cisco-ons-ospf-dos(25646) cisco-ons-cc-ems-dos(25644) cisco-ons-cc-ip-dos(25645)The installation of Cisco Transport Controller (CTC) for Cisco Optical Networking System (ONS) 15000 series nodes adds a Java policy file entry with a wildcard that grants the java.security.AllPermission permission to any http URL containing "fs/LAUNCHER.jar", which allows remote attackers to execute arbitrary code on a CTC workstation, aka bug ID CSCea25049.20060405 Cisco Optical Networking System 15000 Series and Cisco Transport Controller Vulnerabilities17384ADV-2006-125610158711955324438cisco-ons-ctc-code-execution(25647)Cross-site scripting (XSS) vulnerability in vbugs.php in Dark_Wizard vBug Tracker 3.5.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the sortorder parameter.17407ADV-2006-12671956224448 vbulletin-vbugtracker-vbugs-xss(25649)Cross-site scripting (XSS) vulnerability in search.php in PHPWebGallery 1.4.1 allows remote attackers to inject arbitrary web script or HTML via the id parameter, a different vulnerability than CVE-2006-1675.Multiple cross-site scripting (XSS) vulnerabilities in PHPWebGallery 1.4.1 allow remote attackers to inject arbitrary web script or HTML via the (1) cat, (2) num, and (3) search parameters to (a) category.php, and the (4) slideshow, (5) show_metadata, and (6) start parameters to (b) picture.php, a different vulnerability than CVE-2006-1674.1742120060410 PHPWebGallery Multiple Cross Site Scripting VulnerabilitiesADV-2006-130119610 phpwebgallery-category-picture-xss(25733)SQL injection vulnerability in the display function in the Topics module for MAXdev MDPro (MD-Pro) 1.0.73 and 1.0.72, and possibly other versions before 1.076, allows remote attackers to execute arbitrary SQL commands via the topicid parameter in a display action, which is not properly handled in PNuserapi.PHP.20060406 MAXDEV CMS Multiple vulnerabilities17399ADV-2006-12821957820060620 Re: MAXDEV CMS Multiple vulnerabilitiesmdpro-index-sql-injection(25710)MAXdev MDPro 1.0.73 and 1.0.72, and possibly other versions before 1.076, allows remote attackers to obtain the full path of the server via a direct request to includes/legacy.php.20060406 MAXDEV CMS Multiple vulnerabilitiesADV-2006-12821957820060620 Re: MAXDEV CMS Multiple vulnerabilities mdpro-legacy-path-disclosure(25714)Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before 2.8.0.3 allow remote attackers to inject arbitrary web script or HTML via unknown vectors in unspecified scripts in the themes directory.17390ADV-2006-12631955624450phpmyadmin-themes-xss(25689)SUSE-SR:2006:00919897DSA-120722781Cross-site scripting (XSS) vulnerability in modules/online.php in Jupiter CMS 1.1.5 allows remote attackers to inject arbitrary web script or HTML via the layout parameter to index.php.20060407 Multiple vulnerability in jupiter CMS17405ADV-2006-130219582 jupitercm-index-xss(25700)Jupiter CMS 1.1.5, when display_errors is enabled, allows remote attackers to obtain the full server path via a direct request to modules/online.php.20060407 Multiple vulnerability in jupiter CMSADV-2006-130219582 jupitercm-online-path-disclosure(25703)Cross-site scripting (XSS) vulnerability in Cherokee HTTPD 0.5 and earlier allows remote attackers to inject arbitrary web script or HTML via a malformed request that generates an HTTP 400 error, which is not properly handled when the error message is generated.20060406 XSS Bug in Cherokee Webserver1740819587ADV-2006-129224469 cherokee-handlererror-xss(25698)Cross-site scripting (XSS) vulnerability in webplus.exe in TalentSoft Web+Shop 5.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the deptname parameter, possibly involving the webpshop/ department.wml script.17418ADV-2006-128919594 webshop-deptname-xss(25721)SQL injection vulnerability in admin/login.php in Chipmunk Guestbook allows remote attackers to execute arbitrary SQL commands and bypass login authentication via the User name.20060407 SQL Injection in Chipmunk Guestbook17483ADV-2006-132319584 chipmunk-guestbook-login-sql-injection(25695)Unspecified vulnerability in ecotwo Shopsystem 1.0-192 and earlier allows remote attackers to include arbitrary local files via (1) the lang parameter in news.php and (2) other unspecified vectors.Multiple SQL injection vulnerabilities in modules.php in APT-webshop-system 4.0 PRO, 3.0 BASIC, and 3.0 LIGHT allow remote attackers to execute arbitrary SQL commands via the (1) group, (2) seite, and (3) id parameter, possibly involving the artikel functionality. NOTE: this vulnerability also allows resultant path disclosure when the SQL queries are invalid.ADV-2006-12931959217425 apt-webshop-sql-injection(25731)Unspecified vulnerability in modules.php in APT-webshop-system 4.0 PRO, 3.0 BASIC, and 3.0 LIGHT allows remote attackers to access unspecified files via a modified warp parameter.Cross-site scripting (XSS) vulnerability in APT-webshop-system 4.0 PRO, 3.0 BASIC, and 3.0 LIGHT allows remote attackers to inject arbitrary web script or HTML via the message parameter, probably involving the basket functionality.ADV-2006-129319592Multiple PHP remote file inclusion vulnerabilities in SQuery 4.5 and earlier, as used in products such as Autonomous LAN party (ALP), allow remote attackers to execute arbitrary PHP code via a URL in the libpath parameter to scripts in the lib directory including (1) ase.php, (2) devi.php, (3) doom3.php, (4) et.php, (5) flashpoint.php, (6) gameSpy.php, (7) gameSpy2.php, (8) gore.php, (9) gsvari.php, (10) halo.php, (11) hlife.php, (12) hlife2.php, (13) igi2.php, (14) main.lib.php, (15) netpanzer.php, (16) old_hlife.php, (17) pkill.php, (18) q2a.php, (19) q3a.php, (20) qworld.php, (21) rene.php, (22) rvbshld.php, (23) savage.php, (24) simracer.php, (25) sof1.php, (26) sof2.php, (27) unreal.php, (28) ut2004.php, and (29) vietcong.php. NOTE: the lib/armygame.php vector is already covered by CVE-2006-1610. The provenance of most of these additional vectors is unknown, although likely from post-disclosure analysis. NOTE: this only occurs when register_globals is disabled.2440124402244032440424405244062440724408244211948220060408 Autonomous LAN party File iNclusionADV-2006-128419588174342440924410244112441224413244142441524416244172441824419244202442224423244242442524426244272442824429101588420060710 SQuery <= 4.5(libpath) Remote File Inclusion Exploit20060724 SQuery v.x (devi.php) (armygame.php) Remote File Inclusion679Unspecified vulnerability in su in HP HP-UX B.11.11, when using the LDAP netgroup feature, allows local users to gain unspecified access.HP-UX B.11.11: Install PHCO_34545 or later.HPSBUX02111ADV-2006-12722444910158741956017400 hpux-su-ldap-privilege-escalation(25691)oval:org.mitre.oval:def:1754Cross-site scripting (XSS) vulnerability in subscribe.php in MWNewsletter 1.0.0b allows remote attackers to inject arbitrary web script or HTML via the user_name parameter.ADV-2006-12701956817412 20060421 [eVuln] MWNewsletter SQL Injection and XSS Vulnerabilities 24446 mwnewsletter-subscribe-xss(25684)752SQL injection vulnerability in MWNewsletter 1.0.0b allows remote attackers to execute arbitrary SQL commands via the user_name parameter to unsubscribe.php.ADV-2006-12701956817412 20060421 [eVuln] MWNewsletter SQL Injection and XSS Vulnerabilities 24905 24445 mwnewsletter-unsubscribe-sql-injection(25683)Multiple SQL injection vulnerabilities in MWNewsletter 1.0.0b allow remote attackers to execute arbitrary SQL commands via the (1) user_email parameter to (a) unsubscribe.php or (b) subscribe.php; or the (2) user_name parameter to subscribe.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information, although it is likely that this was discovered during post-disclosure analysis.ADV-2006-127019568 24905 24445Unspecified vulnerability in GlobalSCAPE Secure FTP Server before 3.1.4 Build 01.10.2006 allows attackers to cause a denial of service (application crash) via a "custom command" with a long argument.This issue is addressed in Secure FTP Server 3.1.4 Build 01.10.2006.173981954724451globalscape-custom-commands-dos(25665)SQL injection vulnerability in members.php in XBrite Members 1.1 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter.17424ADV-2006-128319602 xbritemembers-id-sql-injection(25708)The fbgs script in the fbi package 2.01-1.4, when the TMPDIR environment variable is not defined, allows local users to overwrite arbitrary files via a symlink attack on temporary files in /var/tmp/fbps-[PID].ADV-2006-12811955917436GLSA-200604-1319766DSA-106820166SUSE-SR:2006:019 21459 fbida-fbgs-tmpdir-symlink(25729)Cross-site scripting (XSS) vulnerability in Gallery before 1.5.3 allows remote attackers to inject arbitrary web script or HTML via unknown attack vectors.ADV-2006-12851958017437 24466 gallery-unspecified-xss(25707)Cross-site scripting (XSS) vulnerability in Matt Wright Guestbook 2.3.1 allows remote attackers to execute arbitrary web script or HTML via the (1) Your Name, (2) E-Mail, or (3) Comments fields when posting a message.20060408 Matt Wright Guestbook Xss Script InjectionADV-2006-1287195861743824479 guestbook-guestbook-parameters-xss(25697)681Cross-site scripting (XSS) vulnerability in Matt Wright Guestbook 2.3.1 allows remote attackers to execute arbitrary web script or HTML via the (1) url, (2) city, (3) state, or (4) country parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information, although it is likely that they are the result of post-disclosure analysis.ADV-2006-128719586 guestbook-guestbook-parameters-xss(25697)Cross-site scripting (XSS) vulnerability in index.php in Aweb Banner Generator 3.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the banner parameter in view mode.174161015877ADV-2006-134819621 awebbannergenerator-index-xss(25782)Buy.php in Aweb Scripts Seller uses predictable cookies for authentication based on the time and the script number, which allows remote attackers to bypass authentication.17417101587819626Cross-site scripting (XSS) vulnerability in the Pages module in Shadowed Portal allows remote attackers to inject arbitrary web script or HTML via the page parameter to load.php.20060408 Shadowed Portal Cross Site ScriptingADV-2006-12861959517430 shadowedportal-load-xss(25716)685PHP remote file inclusion vulnerability in spip_login.php3 in SPIP 1.8.3 allows remote attackers to execute arbitrary PHP code via a URL in the url parameter.20060409 Vulnerabilities in SPIP17423 spip-spiplogin-file-include(25711)PHP remote file inclusion vulnerability in lire.php in Sire 2.0 nws allows remote attackers to execute arbitrary PHP code via a URL in the rub parameter.20060407 Sire 2.0 Nws Remote File inclusion & Arbitary Files Upload174281015885 sire-lire-file-include(25726)Sire 2.0 nws allows remote attackers to upload arbitrary image files without authentication via a direct request to upload.php.20060407 Sire 2.0 Nws Remote File inclusion & Arbitary Files Upload174311015885 sire-upload-auth-bypass(25727)Oracle Database 9.2.0.0 to 10.2.0.3 allows local users with "SELECT" privileges for a base table to insert, update, or delete data by creating a crafted view then performing the operations on that view.17426ADV-2006-129710158861957420060410 Oracle read-only user can insert/update/delete data via specially crafted viewsVU#805737 20060410 Oracle read-only user can insert/update/delete data via specially crafted views oracle-base-table-data-manipulation(25696)Multiple SQL injection vulnerabilities in Shopweezle 2.0 allow remote attackers to execute arbitrary SQL commands via the (1) itemID parameter to (a) login.php and (b) memo.php; and the (2) itemgr, (3) brandID, and (4) album parameters to (c) index.php. NOTE: this issue also produces resultant full path disclosure from invalid SQL queries.17441ADV-2006-12911959324470244712447224473shopweezle-multiple-path-disclosure(25724)shopweezle-multiple-sql-injection(25723)index.php in Shopweezle 2.0 allows remote attackers to include arbitrary local files via the url parameter.24474 shopweezle-index-file-include(25725)SQL injection vulnerability in member.php in Clansys 1.1 allows remote attackers to execute arbitrary SQL commands via the showid parameter in the member page to index.php.ADV-2006-129519609174561015935 1662 clansys-index-sql-injection(25746)Cross-site scripting (XSS) vulnerability in shop_main.cgi in interaktiv.shop 5 allows remote attackers to inject arbitrary web script or HTML via the (1) pn and (2) sbeg parameters.interaktiv.shop v.5 XSS vuln. 17485ADV-2006-13262455719622 interaktiv-shopmain-xss(25739)SQL injection vulnerability in admin.php in Design Nation DNGuestbook 2.0 allows remote attackers to execute arbitrary SQL commands via the (1) email and (2) id parameters.Successful exploitation requires that "magic_quotes_gpc" is disabled.exploit 165317435ADV-2006-129919601dnguestbook-admin-sql-injection(25699)Plone 2.0.5, 2.1.2, and 2.5-beta1 does not restrict access to the (1) changeMemberPortrait, (2) deletePersonalPortrait, and (3) testCurrentPassword methods, which allows remote attackers to modify portraits.DSA-103217484ADV-2006-13401963319640 plone-memberid-data-manipulation(25781)Cross-site scripting (XSS) vulnerability in the private archive script (private.py) in GNU Mailman 2.1.7 allows remote attackers to inject arbitrary web script or HTML via the action argument.[Mailman-Announce] 20060407 Released: Mailman 2.1.8 release candidate17403ADV-2006-126924442101587619558Cross-site scripting (XSS) vulnerability in index.php in Christoph Roeder phpMyForum 4.0 allows remote attackers to inject arbitrary web script or HTML via the page parameter.20060410 phpMyForum Cross Site Scripting & CRLF injection1742020060425 Re: phpMyForum Cross Site Scripting & CRLF injection phpmyforum-index-xss(25742)CRLF injection vulnerability in index.php in Christoph Roeder phpMyForum 4.0 allows remote attackers to inject HTTP headers via hex-encoded CRLF sequences in the type parameter.20060410 phpMyForum Cross Site Scripting & CRLF injection1742020060425 Re: phpMyForum Cross Site Scripting & CRLF injection phpmyforum-index-crlf-injection(25750)Multiple directory traversal vulnerabilities in Christian Kindahl TUGZip 3.4.0.0, 3.3.0.0, and 3.1.0.2 allow user-assisted attackers to create files in arbitrary directories via a .. (dot dot) in an archive pack with a crafted (1) .gz, (2) .jar, (3) .rar, or (4) .zip file.20060410 TUGZip Archive Extraction Directory traversal17432tugzip-archive-directory-traversal(25713)686Cross-site scripting (XSS) vulnerability in inc/functions_post.php in MyBB (aka MyBulletinBoard) 1.10 allows remote attackers to inject arbitrary web script or HTML via a JavaScript event in a BBCode img tag. NOTE: the email vector is already covered by CVE-2006-1625, although it might stem from the same core issue.Successful exploitation requires that unauthenticated users are allowed to post new threads (not the default setting).20060407 [KAPDA::#38] - MyBB 1.1.0~functions_post.php~XSS AttackMyBB 1.1.0~XSS Vulnerability174132437519516mybb-email-img-bbcode-xss(25615)Cross-site scripting (XSS) vulnerability in newthread.php in MyBB (aka MyBulletinBoard) 1.10, when configured to permit new threads by unregistered users, allows remote attackers to inject arbitrary web script or HTML via the username.Successful exploitation requires that unauthenticated users are allowed to post new threads (not the default setting).20060409 MyBB 1.10 'newthread.php' < CrossSiteScripting >1742719516 mybb-newthread-xss(25730)Magus Perde Clever Copy 3.0 and earlier stores sensitive information under the web root with insufficient access control, which allows remote attackers to view the database username and password via a direct request for connect.inc.20060407 [ECHO_ADV_28$2006] Clever Copy <= 3.0 Connect.inc Critical Information Disclosure17461ADV-2006-131619579 clevercopy-connect-disclose-information(25720)Internet Explorer 6 allows remote attackers to cause a denial of service (application crash) via any scrollbar Cascading Style Sheets (CSS) property.20060410 Re: IE6 Crash 20060407 IE6 Crash ie-css-scrollbar-dos(25852)Cross-site scripting (XSS) vulnerability in search.php in SaphpLesson 3.0 allows remote attackers to inject arbitrary web script or HTML via the Word parameter. NOTE: it is possible that this issue is resultant from SQL injection.20060407 Xss In SaphpLesson3.01015883ADV-2006-131717414 saphplesson-search-xss(25719)683digestmd5.c in the CMU Cyrus Simple Authentication and Security Layer (SASL) library 2.1.18, and possibly other versions before 2.1.21, allows remote unauthenticated attackers to cause a denial of service (segmentation fault) via malformed inputs in DIGEST-MD5 negotiation.17446ADV-2006-130619618DSA-1042USN-272-11980919825GLSA-200604-0919753MDKSA-2006:0732006-002419964SUSE-SA:2006:025APPLE-SA-2006-09-29ADV-2006-3852221871016960 20060410 [MU-200604-01] Cyrus SASL DIGEST-MD5 Pre-Authentication Denial of Service 20014 cyrus-sasl-digest-dos(25738)MDKSA-2006:073RHSA-2007:0795RHSA-2007:087820070901-01-P26708268572723720080604 VMSA-2008-0009 Updates to VMware Workstation, VMware Player, VMware ACE, VMware Fusion, VMware Server, VMware VIX API, VMware ESX, VMware ESXi resolve critical security issuesADV-2008-174430535Cross-site scripting (XSS) vulnerability in suche.htm in ShopXS 4.0 allows remote attackers to inject arbitrary web script or HTML via the Suchstring1 (aka search) parameter.shopxs-search-xss(25715)Unspecified vulnerability in Firefox and Thunderbird before 1.5.0.2, and SeaMonkey before 1.0.1, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown attack vectors related to DHTML. NOTE: due to the lack of sufficient public details from the vendor as of 20060413, it is unclear how CVE-2006-1529, CVE-2006-1530, CVE-2006-1531, and CVE-2006-1723 are different.This vulnerability is addressed in the following product releases: Mozilla, Firefox, 1.5.0.2 Mozilla, Thunderbird, 1.5.0.2 Mozilla, SeaMonkey, 1.0.1 Security Advisory 2006-20VU#35026217516ADV-2006-13561015919101592110159201963119649DSA-104619863DSA-105119941SCOSA-2006.2621033HPSBUX02153HPSBUX02156oval:org.mitre.oval:def:1574ADV-2006-3748ADV-2006-37492206522066ADV-2008-0083Unspecified vulnerability in Firefox and Thunderbird before 1.5.0.2, 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via attack vectors related to DHTML.Fixed in: Firefox 1.5.0.2 Thunderbird 1.5.0.2 SeaMonkey 1.0.1RHSA-2006:0328VU#35026217516ADV-2006-13561015919101592110159201963119649TA06-107ADSA-104619863DSA-105119941FEDORA-2006-410FEDORA-2006-41119714HPSBTU02118RHSA-2006:0330FLSA:189137-2SCOSA-2006.262103310255021622HPSBUX02153HPSBUX02156oval:org.mitre.oval:def:1901 19696 19780ADV-2006-3748ADV-2006-37492206522066ADV-2008-0083Mozilla Firefox 1.5 before 1.5.0.2 and SeaMonkey before 1.0.1 causes certain windows to become translucent due to an interaction between XUL content windows and the history mechanism, which might allow user-assisted remote attackers to trick users into executing arbitrary code.Fixed in: Firefox 1.5.0.2 SeaMonkey 1.0.117516ADV-2006-13561963119649HPSBUX02153oval:org.mitre.oval:def:1471 mozilla-xul-window-spoofing(25827)ADV-2006-374822066ADV-2008-0083Unspecified vulnerability in Firefox and Thunderbird 1.5 before 1.5.0.2, and SeaMonkey before 1.0.1, allows remote attackers to bypass the js_ValueToFunctionObject check and execute arbitrary code via unknown vectors involving setTimeout and Firefox' ForEach method.This vulnerability is addressed in the following product releases: Mozilla, Firefox, 1.5.0.2 Mozilla, Thunderbird, 1.5.0.2 Mozilla, SeaMonkey, 1.0.1Security Advisory 2006-28VU#96881417516ADV-2006-13561963119649TA06-107A101593110159321015933HPSBTU02118HPSBUX02153HPSBUX02156oval:org.mitre.oval:def:1968mozilla-valuetofunctionobject-sec-bypass(25825)ADV-2006-3748ADV-2006-37492206522066ADV-2008-0083Unspecified vulnerability in Mozilla Firefox and Thunderbird 1.x before 1.5.0.2 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0.1 allows remote attackers to gain chrome privileges via multiple attack vectors related to the use of XBL scripts with "Print Preview".Fixed in: Firefox 1.5.0.2 Firefox 1.0.8 Thunderbird 1.5.0.2 Thunderbird 1.0.8 SeaMonkey 1.0.1 Mozilla Suite 1.7.13RHSA-2006:032817516ADV-2006-135610159261015927101592810159291963119649DSA-1044GLSA-200604-12MDKSA-2006:076MDKSA-2006:0781975919821DSA-1046GLSA-200604-18USN-275-120060404-01-USUSE-SA:2006:022198111982319852198621986319902DSA-1051USN-276-11995019941FEDORA-2006-410FEDORA-2006-411SUSE-SA:2006:021USN-271-1197141972119746GLSA-200605-09RHSA-2006:0329RHSA-2006:0330FLSA:189137-1FLSA:189137-2HPSBUX02122SCOSA-2006.2621033102550ADV-2006-339121622HPSBUX02153HPSBUX02156oval:org.mitre.oval:def:1649 19696 19729 19780 20051 mozilla-printpreview-privilege-escalation(25824)MDKSA-2006:076MDKSA-2006:078ADV-2006-3748ADV-2006-37492206522066ADV-2008-0083Unspecified vulnerability in Mozilla Firefox and Thunderbird 1.x before 1.5.0.2 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0.1 allows remote attackers to execute arbitrary code via unknown vectors related to the crypto.generateCRMFRequest method.Fixed in: Firefox 1.5.0.2 Firefox 1.0.8 Thunderbird 1.5.0.2 Thunderbird 1.0.8 SeaMonkey 1.0.1 Mozilla Suite 1.7.1321033102550ADV-2006-339121622HPSBUX02153HPSBUX02156oval:org.mitre.oval:def:1698102763ADV-2007-0058 19696 19729 19780 20051 mozilla-generatecrmfrequest-code-execution(25812)MDKSA-2006:075MDKSA-2006:076MDKSA-2006:078ADV-2006-3748ADV-2006-37492206522066ADV-2008-0083RHSA-2006:0328VU#93273417516ADV-2006-135610159221015923101592410159251963119649TA06-107ADSA-1044GLSA-200604-12MDKSA-2006:075MDKSA-2006:076MDKSA-2006:078197591979419821DSA-1046GLSA-200604-18USN-275-120060404-01-USUSE-SA:2006:022198111982319852198621986319902DSA-1051USN-276-11995019941FEDORA-2006-410FEDORA-2006-411SUSE-SA:2006:021USN-271-1197141972119746GLSA-200605-09HPSBTU02118RHSA-2006:0329RHSA-2006:0330FLSA:189137-1FLSA:189137-2HPSBUX02122SCOSA-2006.26Mozilla Firefox 1.x before 1.5.0.2 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0.1 allows remote attackers to read arbitrary files by (1) inserting the target filename into a text box, then turning that box into a file upload control, or (2) changing the type of the input control that is associated with an event handler.Fixed in: Firefox 1.5.0.2 Firefox 1.0.8 SeaMonkey 1.0.1 Mozilla Suite 1.7.13RHSA-2006:032817516ADV-2006-13561963119649DSA-1044GLSA-200604-12MDKSA-2006:075MDKSA-2006:0761975919794DSA-1046GLSA-200604-18USN-275-120060404-01-U1981119852198621986319902DSA-105119941FEDORA-2006-410FEDORA-2006-411SUSE-SA:2006:021USN-271-1197141972119746RHSA-2006:0329FLSA:189137-1FLSA:189137-2SUSE-SA:2006:035SCOSA-2006.2621033102550ADV-2006-339121622HPSBUX02153oval:org.mitre.oval:def:19291969619729mozilla-textbox-file-access(25823)MDKSA-2006:075MDKSA-2006:076ADV-2006-374822066ADV-2008-0083Integer overflow in Mozilla Firefox and Thunderbird 1.x before 1.5.0.2 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0.1 allows remote attackers to execute arbitrary code via a large number in the CSS letter-spacing property that leads to a heap-based buffer overflow.Fixed in: Firefox 1.5.0.2 Firefox 1.0.8 Thunderbird 1.5.0.2 Thunderbird 1.0.8 SeaMonkey 1.0.1 Mozilla Suite 1.7.13HPSBUX02122SCOSA-2006.2621033102550ADV-2006-339121622HPSBUX02153HPSBUX02156oval:org.mitre.oval:def:1614 19696 19729 19780 20051 mozilla-css-letterspacing-overflow(25826)MDKSA-2006:075MDKSA-2006:076MDKSA-2006:078ADV-2006-3748ADV-2006-37492206522066720ADV-2008-008320060415 ZDI-06-010: Mozilla Firefox CSS Letter-Spacing Heap Overflow VulnerabilityRHSA-2006:0328VU#17901417516ADV-2006-135610159151015916101591710159181963119649TA06-107ADSA-1044GLSA-200604-12MDKSA-2006:075MDKSA-2006:076MDKSA-2006:078197591979419821DSA-1046GLSA-200604-18USN-275-120060404-01-USUSE-SA:2006:022198111982319852198621986319902DSA-1051USN-276-11995019941FEDORA-2006-410FEDORA-2006-411SUSE-SA:2006:021USN-271-1197141972119746GLSA-200605-09HPSBTU02118RHSA-2006:0329RHSA-2006:0330FLSA:189137-1FLSA:189137-2Mozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 returns the Object class prototype instead of the global window object when (1) .valueOf.call or (2) .valueOf.apply are called without any arguments, which allows remote attackers to conduct cross-site scripting (XSS) attacks.Fixed in: Firefox 1.5 Firefox 1.0.8 Thunderbird 1.5 Thunderbird 1.0.8 SeaMonkey 1.0 Mozilla Suite 1.7.13GLSA-200604-18USN-275-120060404-01-USUSE-SA:2006:022198111982319852198621986319902DSA-1051USN-276-11995019941FEDORA-2006-410FEDORA-2006-411SUSE-SA:2006:021USN-271-1197141972119746GLSA-200605-09RHSA-2006:0329RHSA-2006:0330FLSA:189137-1FLSA:189137-2HPSBUX02122SCOSA-2006.2621033102550ADV-2006-339121622oval:org.mitre.oval:def:1955 19696 19729 19780 20051 mozilla-valueof-xss(25820)MDKSA-2006:075MDKSA-2006:076MDKSA-2006:078RHSA-2006:032817516ADV-2006-135619631DSA-1044GLSA-200604-12MDKSA-2006:075MDKSA-2006:076MDKSA-2006:078197591979419821DSA-1046Unspecified vulnerability in Mozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 allows remote attackers to bypass same-origin protections and conduct cross-site scripting (XSS) attacks via unspecified vectors involving the window.controllers array.This vulnerability also affects Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 This vulnerability is addressed in the following product releases: Mozilla, Firefox, 1.5 Mozilla, Firefox, 1.0.8 Mozilla, Thunderbird, 1.5 Mozilla, Thunderbird, 1.0.8 Mozilla, SeaMonkey, 1.0 Mozilla, Suite, 1.7.13 Security Advisory 2006-17RHSA-2006:032817516ADV-2006-135619631DSA-1044GLSA-200604-12MDKSA-2006:075MDKSA-2006:076MDKSA-2006:078197591979419821GLSA-200604-18USN-275-120060404-01-USUSE-SA:2006:0221981119823198521986219902USN-276-119950FEDORA-2006-410FEDORA-2006-411SUSE-SA:2006:021USN-271-1197141972119746GLSA-200605-09RHSA-2006:0329RHSA-2006:0330FLSA:189137-1FLSA:189137-2HPSBUX02122SCOSA-2006.2621033102550ADV-2006-339121622oval:org.mitre.oval:def:1887 19696 19729 19780 20051 mozilla-windows-controllers-xss(25818)MDKSA-2006:075MDKSA-2006:076MDKSA-2006:078Mozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 does not properly protect the compilation scope of privileged built-in XBL bindings, which allows remote attackers to execute arbitrary code via the (1) valueOf.call or (2) valueOf.apply methods of an XBL binding, or (3) "by inserting an XBL method into the DOM's document.body prototype chain."This vulnerability also affects Mozilla, SeaMonkey, 1.0 and Mozilla, Suite, 1.7.13 This vulnerabiloity is addressed in the following product releases: Mozilla, Firefox, 1.5 Mozilla, Firefox, 1.0.8 Mozilla, Thunderbird, 1.5 Mozilla, Thunderbird, 1.0.8 Mozilla, SeaMonkey, 1.0 Mozilla, Suite, 1.7.13 19696 19729 19780 20051 mozilla-valueof-code-execution(25817)MDKSA-2006:075MDKSA-2006:076MDKSA-2006:078Security Advisory 2006-16RHSA-2006:0328VU#48877417516ADV-2006-135619631TA06-107ADSA-1044GLSA-200604-12MDKSA-2006:075MDKSA-2006:076MDKSA-2006:078197591979419821DSA-1046GLSA-200604-18USN-275-120060404-01-USUSE-SA:2006:022198111982319852198621986319902DSA-1051USN-276-11995019941FEDORA-2006-410FEDORA-2006-411SUSE-SA:2006:021USN-271-1197141972119746GLSA-200605-09HPSBTU02118RHSA-2006:0329RHSA-2006:0330FLSA:189137-1FLSA:189137-2HPSBUX02122SCOSA-2006.262103310255021622oval:org.mitre.oval:def:2020Mozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 allows remote attackers to execute arbitrary code by using the Object.watch method to access the "clone parent" internal function.Fixed in: Firefox 1.5 Firefox 1.0.8 Thunderbird 1.5 Thunderbird 1.0.8 SeaMonkey 1.0 Mozilla Suite 1.7.13 19696 19729 19780 20051 mozilla-cloneparent-code-execution(25816)MDKSA-2006:075MDKSA-2006:076MDKSA-2006:078RHSA-2006:0328VU#84209417516ADV-2006-135619631TA06-107ADSA-1044GLSA-200604-12MDKSA-2006:075MDKSA-2006:076MDKSA-2006:078197591979419821DSA-1046GLSA-200604-18USN-275-120060404-01-USUSE-SA:2006:022198111982319852198621986319902DSA-1051USN-276-11995019941FEDORA-2006-410FEDORA-2006-411SUSE-SA:2006:021USN-271-1197141972119746HPSBTU02118RHSA-2006:0329RHSA-2006:0330FLSA:189137-1FLSA:189137-2HPSBUX02122SCOSA-2006.262103310255021622oval:org.mitre.oval:def:1247GLSA-200605-09Mozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 allows remote attackers to execute arbitrary code by using an eval in an XBL method binding (XBL.method.eval) to create Javascript functions that are compiled with extra privileges.Fixed in: Firefox 1.5 Firefox 1.0.8 Thunderbird 1.5 Thunderbird 1.0.8 SeaMonkey 1.0 Mozilla Suite 1.7.13 19696 19729 19780 20051 mozilla-xbl-code-execution(25815)MDKSA-2006:075MDKSA-2006:076MDKSA-2006:078RHSA-2006:0328VU#81323017516ADV-2006-135619631TA06-107ADSA-1044GLSA-200604-12MDKSA-2006:075MDKSA-2006:076MDKSA-2006:078197591979419821DSA-1046GLSA-200604-18USN-275-120060404-01-USUSE-SA:2006:022198111982319852198621986319902DSA-1051USN-276-11995019941FEDORA-2006-410FEDORA-2006-411SUSE-SA:2006:021USN-271-1197141972119746HPSBTU02118RHSA-2006:0329RHSA-2006:0330FLSA:189137-1FLSA:189137-2HPSBUX02122SCOSA-2006.262103310255021622oval:org.mitre.oval:def:1037GLSA-200605-09Mozilla Firefox 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 allows remote attackers to trick users into downloading and saving an executable file via an image that is overlaid by a transparent image link that points to the executable, which causes the executable to be saved when the user clicks the "Save image as..." option. NOTE: this attack is made easier due to a GUI truncation issue that prevents the user from seeing the malicious extension when there is extra whitespace in the filename.Fixed in: Firefox 1.5 Firefox 1.0.8 SeaMonkey 1.0 Mozilla Suite 1.7.1317516ADV-2006-135619631DSA-1044GLSA-200604-12MDKSA-2006:075MDKSA-2006:0761975919794DSA-1046GLSA-200604-18USN-275-119852198621986319902DSA-105119941SUSE-SA:2006:021USN-271-11972119746HPSBUX02122SCOSA-2006.262103310255021622oval:org.mitre.oval:def:1548 mozilla-saveimageas-ext-spoofing(25814)MDKSA-2006:075MDKSA-2006:076Integer overflow in Mozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary bytecode via JavaScript with a large regular expression.RHSA-2006:0328VU#32950017516ADV-2006-135619631TA06-107ADSA-1044GLSA-200604-12MDKSA-2006:075MDKSA-2006:076MDKSA-2006:078197591979419821DSA-1046GLSA-200604-18USN-275-120060404-01-USUSE-SA:2006:022198111982319852198621986319902DSA-1051USN-276-11995019941FEDORA-2006-410FEDORA-2006-411SUSE-SA:2006:021USN-271-1197141972119746HPSBTU02118RHSA-2006:0329RHSA-2006:0330FLSA:189137-1FLSA:189137-2HPSBUX02122SCOSA-2006.262103310255021622oval:org.mitre.oval:def:1829 GLSA-200605-09 19696 19729 19780 20051 mozilla-javascript-regexpr-memory-corruption(25808)MDKSA-2006:075MDKSA-2006:076MDKSA-2006:078Unspecified vulnerability in Mozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 allows remote attackers to cause a denial of service (crash) by changing the (1) -moz-grid and (2) -moz-grid-group display styles.RHSA-2006:0328VU#25232417516ADV-2006-135619631TA06-107ADSA-1044GLSA-200604-12MDKSA-2006:075MDKSA-2006:076MDKSA-2006:078197591979419821DSA-1046GLSA-200604-18USN-275-120060404-01-U1981119852198621986319902DSA-1051USN-276-11995019941FEDORA-2006-410FEDORA-2006-411SUSE-SA:2006:021USN-271-1197141972119746HPSBTU02118RHSA-2006:0329RHSA-2006:0330FLSA:189137-1FLSA:189137-2HPSBUX02122SCOSA-2006.262103310255021622oval:org.mitre.oval:def:1687 GLSA-200605-09 19696 19729 19780 20051 mozilla-mozgrid-memory-corruption(25811)MDKSA-2006:075MDKSA-2006:076MDKSA-2006:078The CSS border-rendering code in Mozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via certain Cascading Style Sheets (CSS) that causes an out-of-bounds array write and buffer overflow.Fixed in: Firefox 1.5 Firefox 1.0.8 Thunderbird 1.5 Thunderbird 1.0.8 SeaMonkey 1.0 Mozilla Suite 1.7.13 GLSA-200605-09 19696 19729 19780 20051 mozilla-css-memory-corruption(25810)MDKSA-2006:075MDKSA-2006:076MDKSA-2006:078RHSA-2006:0328VU#93555617516ADV-2006-135619631TA06-107ADSA-1044GLSA-200604-12MDKSA-2006:075MDKSA-2006:076MDKSA-2006:078197591979419821DSA-1046GLSA-200604-18USN-275-120060404-01-USUSE-SA:2006:022198111982319852198621986319902DSA-1051USN-276-11995019941FEDORA-2006-410FEDORA-2006-411SUSE-SA:2006:021USN-271-1197141972119746HPSBTU02118RHSA-2006:0329RHSA-2006:0330FLSA:189137-1FLSA:189137-2HPSBUX02122SCOSA-2006.262103310255021622oval:org.mitre.oval:def:1667Mozilla Firefox 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 allows remote attackers to spoof secure site indicators such as the locked icon by opening the trusted site in a popup window, then changing the location to a malicious site.Fixed in: Firefox 1.5 Firefox 1.0.8 SeaMonkey 1.0 Mozilla Suite 1.7.13RHSA-2006:032817516ADV-2006-135619631DSA-1044GLSA-200604-12MDKSA-2006:075MDKSA-2006:0761975919794DSA-1046GLSA-200604-18USN-275-120060404-01-U1981119852198621986319902DSA-105119941FEDORA-2006-410FEDORA-2006-411SUSE-SA:2006:021USN-271-1197141972119746RHSA-2006:0329FLSA:189137-1FLSA:189137-2HPSBUX02122SCOSA-2006.262103310255021622oval:org.mitre.oval:def:1811 19696 19729 mozilla-secure-site-spoofing(25813)MDKSA-2006:075MDKSA-2006:076Mozilla Firefox 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 allows remote attackers to inject arbitrary Javascript into other sites by (1) "using a modal alert to suspend an event handler while a new page is being loaded", (2) using eval(), and using certain variants involving (3) "new Script;" and (4) using window.__proto__ to extend eval, aka "cross-site JavaScript injection".Fixed in: Firefox 1.5 Firefox 1.0.8 Mozilla Suite 1.7.13 SeaMonkey 1.0MDKSA-2006:078RHSA-2006:0328ADV-2006-135619631DSA-1044GLSA-200604-12MDKSA-2006:076MDKSA-2006:0781975919821DSA-1046GLSA-200604-18USN-275-120060404-01-USUSE-SA:2006:022198111982319852198621986319902DSA-1051USN-276-11995019941FEDORA-2006-410FEDORA-2006-411SUSE-SA:2006:021USN-271-1197141972119746RHSA-2006:0329RHSA-2006:0330FLSA:189137-1FLSA:189137-2HPSBUX02122SCOSA-2006.262103310255021622oval:org.mitre.oval:def:1855GLSA-200605-0919696197291978020051mozilla-eventhandler-xss(25806)MDKSA-2006:076The JavaScript engine in Mozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 does not properly handle temporary variables that are not garbage collected, which might allow remote attackers to trigger operations on freed memory and cause memory corruption.Fixed in: Firefox 1.5 Firefox 1.0.8 Thunderbird 1.5 Thunderbird 1.0.8 SeaMonkey 1.0 Mozilla Suite 1.7.13MDKSA-2006:075MDKSA-2006:0761975919794DSA-1046GLSA-200604-18USN-275-120060404-01-USUSE-SA:2006:022198111982319852198621986319902DSA-1051USN-276-11995019941FEDORA-2006-410FEDORA-2006-411SUSE-SA:2006:021USN-271-1197141972119746RHSA-2006:0329RHSA-2006:0330FLSA:189137-1FLSA:189137-2HPSBUX02122SCOSA-2006.262103310255021622oval:org.mitre.oval:def:1087 GLSA-200605-09 19696 19729 19780 20051 mozilla-garbage-memory-corruption(25807)RHSA-2006:0328VU#492382ADV-2006-135619631DSA-1044GLSA-200604-12MDKSA-2006:075MDKSA-2006:076Multiple SQL injection vulnerabilities in form.php in JBook 1.4 allow remote attackers to execute arbitrary SQL commands via the (1) nom or (2) mail parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.17458ADV-2006-131519613 jbook-form-sql-injection(25735)Buffer overflow in pl_main.c in sail in BSDgames before 2.17-7 allows local users to execute arbitrary code via a long player name that is used in a scanf function call.17401DSA-10362463419687736Cross-site scripting (XSS) vulnerability in login.php in Bitweaver 1.3 allows remote attackers to inject arbitrary web script or HTML via the error parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.17406ADV-2006-137019673Directory traversal vulnerability in PHPList 2.10.2 and earlier allows remote attackers include arbitrary local files via the (1) GLOBALS[database_module] or (2) GLOBALS[language_module] parameters, which overwrite the underlying $GLOBALS variable.20060410 PHPList <= 2.10.2 remote commands execution20060411 Re: PHPList <= 2.10.2 remote commands execution17429ADV-2006-1296101588920061012 new version of phplist fix XSS vulnerability phplist-index-file-include(25701)PHP remote file inclusion vulnerability in Virtual War (VWar) 1.5.0 allows remote attackers to execute arbitrary PHP code via a URL in the vwar_root parameter to (1) admin/admin.php, (2) war.php, (3) stats.php, (4) news.php, (5) joinus.php, (6) challenge.php, (7) calendar.php, (8) member.php, (9) popup.php, and other unspecified scripts in the admin folder. NOTE: these are different attack vectors than CVE-2006-1636 and CVE-2006-1503.1744320060408 Virtual War File &#304;nclusion20060807 Virtual War v1.5.0 Remote File Include (vwar_root)19387virtualwar-member-file-include(28265) 1658Cross-site scripting (XSS) vulnerability in XMB Forum 1.9.5 allows remote attackers to inject arbitrary web script or HTML by uploading a Flash (.SWF) video that contains a getURL function call, which causes the video to be rendered without disabling ActionScript.1744520060409 XMB Forum 1.9.5-Final XSS xmb-swf-geturl-xss(25737)PHP remote file inclusion vulnerability in config.php in phpListPro 2.0 and earlier allows remote attackers to execute arbitrary PHP code via the returnpath parameter. NOTE: this issue was later reported to affect 2.01 as well.20060411 phpListPro <= 2.0 - Remote File Include Vulnerability17448ADV-2006-13251962524540phplistpro-config-file-include(25760)20060508 PhpListPro 2.01 Remote File Include VulnerabilityMultiple cross-site scripting (XSS) vulnerabilities in index.php in Autogallery 0.41 allow remote attackers to inject arbitrary web script or HTML via the (1) pic or (2) show parameters.ADV-2006-1328196291748020060411 Autogallery Multiple Cross-Site Scripting Vulnerabilitieautogallery-index-xss(25756)Multiple SQL injection vulnerabilities in MvBlog before 1.6 allow remote attackers to execute arbitrary SQL commands via unknown vectors.17481ADV-2006-133019634mvblog-multiple-sql-injection(25765)Multiple cross-site scripting (XSS) vulnerabilities in the backend in MvBlog before 1.6 allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) body fields in a comment.17481ADV-2006-133019634 mvblog-comment-xss(25767)A cron job in fcheck before 2.7.59 allows local users to overwrite arbitrary files via a symlink attack on a temporary file.This vulnerability is addressed in the following product releases: Fcheck, 2.7.59-7sarge1 Fcheck, 2.7.59-8 DSA-10351752419675 fcheck-tmpfile-symlink(25830)SQL injection vulnerability in index.php in SWSoft Confixx 3.0.6, 3.0.8, and 3.1.2 allows remote attackers to execute arbitrary SQL commands via the SID parameter.20060411 Confixx 3.1.2 <= SQL Injection17476ADV-2006-13311961120060413 Re: Confixx 3.1.2 <= SQL Injection20060419 Confixx SQL Injection exploit (confixx_exploit.pl) confixx-index-sql-injection(25749)SQL injection vulnerability in admin.php in MD News 1 allows remote attackers to execute arbitrary SQL commands via the id parameter.17394ADV-2006-12591953020060418 [eVuln] MD News Authentication Bypass and SQL Injection Vulnerabilities24454 mdnews-admin-sql-injection(25635)MD News 1 allows remote attackers to bypass authentication via a direct request to a script in the Administration Area.17394ADV-2006-12591953020060418 [eVuln] MD News Authentication Bypass and SQL Injection Vulnerabilities24455 mdnews-admin-security-bypass(25636)Cross-site scripting (XSS) vulnerability in index.php in Vegadns 0.99 allows remote attackers to inject arbitrary web script or HTML via the message parameter.20060410 Vegadns blind sql injection and cross site scripting17433SQL injection vulnerability in index.php in Vegadns 0.99 allows remote attackers to execute arbitrary SQL commands via the cid parameter.20060410 Vegadns blind sql injection and cross site scripting17433ADV-2006-129819614 vegadns-index-sql-injection(25741)Cross-site scripting (XSS) vulnerability in allgemein_transfer.php in SWSoft Confixx 3.1.2 allows remote attackers to inject arbitrary web script or HTML via the jahr parameter.20060410 Confixx 3.1.2 <= Cross Site Scripting Vuln17466ADV-2006-1331196111015890 confixx-transfer-xss(25748)Multiple cross-site scripting (XSS) vulnerabilities in JetPhoto allow remote attackers to inject arbitrary web script or HTML via the page parameter in (1) Classic.view/thumbnail.php, (2) Classic.view/gallery.php, (3) Classic.view/detail.php, or (4) Orange.view/detail.php; or (5) the name parameter in Orange.view/slideshow.php.20060411 JetPhoto Multiple Cross-Site Scripting17449ADV-2006-13001960324491244922449424493 jetphoto-name-page-xss(25745)Cross-site scripting vulnerability in index.php in blur6ex 0.3.452 allows remote attackers to inject arbitrary web script or HTML via the errormsg parameter, which is not sanitized in the error message. NOTE: the vector in the shard parameter is not XSS and has been assigned a separate name.20060411 Multiple vulnerabilities in Blur6ex[VIM] 20060412 Multiple vulnerabilities in Blur6ex (fwd)1746520060413 Re: Multiple vulnerabilities in Blur6ex blur6ex-index-xss(25757)Directory traversal vulnerability in index.php in blur6ex 0.3.452 allows remote attackers to include arbitrary files via the shard parameter. NOTE: this issue can be exploited to produce resultant XSS when the parameter has XSS manipulations, and path disclosure with other invalid values.20060411 Multiple vulnerabilities in Blur6ex[VIM] 20060412 Multiple vulnerabilities in Blur6ex (fwd)1746520060413 Re: Multiple vulnerabilities in Blur6ex blur6ex-index-path-disclosure(25758)Multiple SQL injection vulnerabilities in index.php in blur6ex 0.3.452 allows remote attackers to execute arbitrary SQL commands via the ID parameter in a (1) g_reply or (2) g_permaPost action to the blog shard (engine/shards/blog.php), or a (3) g_viewContent action to the content shard (engine/shards/content.php).20060411 Multiple vulnerabilities in Blur6ex17465 blur6ex-index-sql-injection(25759)689Hosting Controller 6.1 stores forum/db/forum.mdb under the web document root with insufficient access control, which allows remote attackers to obtain sensitive information such as user name and password credentials. NOTE: the provenance of this information is unknown; the details are obtained from third party information.ADV-2006-12682444719569Cross-site scripting (XSS) vulnerability in index.php in JBook 1.3 allows remote attackers to inject arbitrary web script or HTML via the page parameter.20060410 Jbook Cross Site Scripting17419 19613 jbook-index-xss(25734)Multiple SQL injection vulnerabilities in Papoo 2.1.5, and 3 beta1 and earlier, allow remote attackers to execute arbitrary SQL commands via the (1) getlang and (2) reporeid parameter in (a) index.php, (3) menuid parameter in (b) plugin.php and (c) forumthread.php, and (4) msgid parameter in forumthread.php.Papoo Multiple SQL vuln. papoo-multiple-scripts-sql-injection(25728)Multiple PHP remote file inclusion vulnerabilities in nicecoder.com INDEXU 5.0.0 and 5.0.1 allow remote attackers to execute arbitrary PHP code via a URL in the theme_path parameter in (1) index.php, (2) become_editor.php, (3) add.php, (4) bad_link.php, (5) browse.php, (6) detail.php, (7) fav.php, (8) get_rated.php, (9) login.php, (10) mailing_list.php, (11) new.php, (12) modify.php, (13) pick.php, (14) power_search.php, (15) rating.php, (16) register.php, (17) review.php, (18) rss.php, (19) search.php, (20) send_pwd.php, (21) sendmail.php, (22) tell_friend.php, (23) top_rated.php, (24) user_detail.php, and (25) user_search.php; and the (26) base_path parameter in invoice.php.20060411 INDEXU <= 5.0.1 (theme_path)and (base_path) Remote File Inclusion Exploit17470101589124596245971016331 28406 28409 28410 28412 28413 28415 28416 28417 28419 28422 28425 28426 28427Multiple cross-site scripting (XSS) vulnerabilities in register.php in Tritanium Bulletin Board (TBB) 1.2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) newuser_name, (2) newuser_email, and (3) newuser_hp parameters in the faction=register mode in index.php.Succesful exploitation requires that "register_globals" is enabled.20060411 Tritanium Bulletin Board 1.2.3 - XSS17473ADV-2006-13292455619635 tritaniumbb-register-xss(25751)Multiple cross-site scripting (XSS) vulnerabilities in UserLand Manila 9.5 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the mode parameter in msgReader$1 and (2) the end of the URI in viewDepartment$.20060411 Manila <= 9.5 - XSS Vulnerabilities174752455419636manila-multiple-xss(25753)692Multiple PHP remote file inclusion vulnerabilities in Azerbaijan Design & Development Group (AZDG) AzDGVote allow remote attackers to execute arbitrary PHP code via a URL in the int_path parameter in (1) vote.php, (2) view.php, (3) admin.php, and (4) admin/index.php.20060411 AzDGVote File inclusionADV-2006-13241963017447 azdgvote-intpath-file-inclusion(25762)695Directory traversal vulnerability in misc in pbcs.dll in SAXoTECH SAXoPRESS, aka Saxotech Online (formerly Publicus) allows remote attackers to read arbitrary files and possibly execute arbitrary programs via a .. (dot dot) in the url parameter.20060411 SAXoPRESS - directory traversal17474ADV-2006-13271956620060412 Re: SAXoPRESS - directory traversal aka Saxotech Onlinesaxopress-pbcs-directory-traversal(25768)debconf in Debian GNU/Linux, when configuring mnogosearch in the mnogosearch-common 3.2.31-1 package, uses the world-readable config.dat file instead of the restricted passwords.dat for storing the cleartext database administrator password in the mnogosearch-common/database_admin_pass record, which allows local users to view the password.#3617751747719589SQL injection vulnerability in include.php in PHPKIT 1.6.1 Release 2 and earlier allows remote attackers to execute arbitrary SQL commands via the contentid parameter, possibly involving content/news.php.174671015888 phpkit-contentid-sql-injection(25743)HP System Management Homepage (SMH) 2.1.3.132, when running on CompaqHTTPServer/9.9 on Windows, Linux, or Tru64 UNIX, and when "Trust by Certificates" is not enabled, allows remote attackers to bypass authentication via a crafted URL.The only way to prevent this is to set the Trust level to "Trust by Certificates"20060411 [SRC-Telindus advisory] - HP System Management Homepage Remote Unauthorized Access1015901 hp-smh-auth-bypass(25761)Multiple cross-site scripting (XSS) vulnerabilities in phpBB 2.0.19 allow remote attackers to inject arbitrary web script or HTML via the (1) Site Description field in (a) admin_board.php, the (2) Group name and (3) Group description fields in (b) admin_groups.php and (c) groupcp.php, the (4) Theme Name field in (d) admin_styles.php, and the (5) Rank Title field in (e) admin_ranks.php. NOTE: the profile.php/Current password vector is already covered by CVE-2006-1603.24354243552435624357PHP remote file inclusion vulnerability in doc/index.php in Jeremy Ashcraft Simplog 0.9.2 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the s parameter.20060412 Simplog <=0.9.2 multiple vulnerabilitiesADV-2006-13321962817490245591015904 simplog-index-file-include(25775)Directory traversal vulnerability in doc/index.php in Jeremy Ashcraft Simplog 0.9.2 and earlier allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the s parameter, as demonstrated by injecting PHP sequences into an Apache error_log file, which is then included by doc/index.php.20060412 Simplog <=0.9.2 multiple vulnerabilitiesADV-2006-13321962817490245591015904 simplog-index-file-include(25775)Multiple SQL injection vulnerabilities in Jeremy Ashcraft Simplog 0.9.2 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) blogid parameter in (a) index.php and (b) archive.php, the (2) m and (3) y parameters in archive.php, and the (4) sql parameter in (c) server.php.20060412 Simplog <=0.9.2 multiple vulnerabilitiesADV-2006-1332196281749124560245611015904 simplog-index-archive-sql-injection(25776)702Cross-site scripting (XSS) vulnerability in login.php in Jeremy Ashcraft Simplog 0.9.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the btag parameter.20060412 Simplog <=0.9.2 multiple vulnerabilitiesADV-2006-13321962817493245621015904 simplog-login-xss(25778)The Bourne shell (sh) in Solaris 8, 9, and 10 allows local users to cause a denial of service (sh crash) via an unspecified attack vector that causes sh processes to crash during creation of temporary files.Apply patches.102282ADV-2006-13331962717478101590221493oval:org.mitre.oval:def:881 solaris-sh-dos(25744)PHP remote file inclusion vulnerability in functions.php in Circle R Monster Top List (MTL) 1.4 allows remote attackers to execute arbitrary PHP code via a URL in the root_path parameter. NOTE: It was later reported that 1.4.2 and earlier are affected.ADV-2006-1350175462465019688monstertoplist-functions-file-include(25774)353023074Unspecified vulnerability in Solaris 8 and 9 allows local users to obtain the LDAP Directory Server root Distinguished Name (rootDN) password when a privileged user (1) runs idsconfig; or "insecurely" runs LDAP2 commands with the -w option, including (2) ldapadd, (3) ldapdelete, (4) ldapmodify, (5) ldapmodrdn, and (6) ldapsearch.10211319638ADV-2006-133424563245642456524566245672456810159031747921493oval:org.mitre.oval:def:1840 solaris-ldap2-password-disclosure(25747)Cross-site scripting (XSS) vulnerability in PatroNet CMS allows remote attackers to inject arbitrary web script or HTML via the URI.1749520060412 PatroNet CMS Xss VulnPHP remote file inclusion vulnerability in admin/configset.php in Sphider 1.3 and earlier, when register_globals is disabled, allows remote attackers to execute arbitrary PHP code via a URL in the settings_dir parameter.ADV-2006-13411964217514 sphider-configset-file-inclusion(25780)Adobe Document Server for Reader Extensions 6.0 allows remote authenticated users to inject arbitrary web script via a leading (1) ftp or (2) http URI in the ReaderURL variable in the "Update Download Site" section of ads-readerext. NOTE: it is not clear whether the vendor advisory addresses this issue. In addition, since the issue requires administrative privileges to exploit, it is not clear whether this crosses security boundaries.Adobe Document Server for Reader Extensions Multiple VulnerabilitiesSecurity Advisory: Adobe Document Server for Reader Extensions authentication vulnerabilityADV-2006-13421592420060413 Secunia Research: Adobe Document Server for Reader ExtensionsMultiple Vulnerabilities17500 24588 adobe-readerurl-xss(25770)Cross-site scripting (XSS) vulnerability in Adobe Document Server for Reader Extensions 6.0 allows remote attackers to inject arbitrary web script or HTML via (1) the actionID parameter in ads-readerext and (2) the op paremeter in AlterCast. NOTE: it is not clear whether the vendor advisory addresses this issue.Adobe Document Server for Reader Extensions Multiple VulnerabilitiesSecurity Advisory: Adobe Document Server for Reader Extensions authentication vulnerabilityADV-2006-13421592420060413 Secunia Research: Adobe Document Server for Reader ExtensionsMultiple Vulnerabilities17500 24590 24589 adobe-actionid-op-xss(25771)Adobe Document Server for Reader Extensions 6.0 includes a user's session (jsession) ID in the HTTP Referer header, which allows remote attackers to gain access to PDF files that are being processed within that session.Adobe Document Server for Reader Extensions Multiple VulnerabilitiesSecurity Advisory: Adobe Document Server for Reader Extensions authentication vulnerabilityAdobe Document Server for Reader Extensions 6.0 session ID parameter is exposedADV-2006-13421592420060413 Secunia Research: Adobe Document Server for Reader ExtensionsMultiple Vulnerabilities17500 adobe-jsessionid-information-disclosure(25773)Adobe Document Server for Reader Extensions 6.0, during log on, provides different error messages depending on whether the user ID is valid or invalid, which allows remote attackers to more easily identify valid user IDs via brute force attacks.Adobe Document Server for Reader Extensions Multiple VulnerabilitiesUser authentication changes for Adobe Document Server for Reader Extensions 6.0ADV-2006-13421592420060413 Secunia Research: Adobe Document Server for Reader ExtensionsMultiple Vulnerabilities17500 adobe-error-account-enumeration(25772)Directory traversal vulnerability in pajax_call_dispatcher.php in PAJAX 0.5.1 and earlier allows remote attackers to read arbitrary files via the $className variable.Users of PAJAX should upgrade to the latest version pajax-0.5.2 [1].20060413 PAJAX Remote Code Injection and File Inclusion Vulnerability17519ADV-2006-135324618196532486220060413 PAJAX Remote Code Injection and File Inclusion Vulnerability pajax-pajaxcalldispatcher-dir-traversal(25860)A regression fix in Mozilla Firefox 1.0.7 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the InstallTrigger.install method, which leads to memory corruption.RHSA-2006:032817516ADV-2006-135619631DSA-1044GLSA-200604-12MDKSA-2006:075MDKSA-2006:0761975919794DSA-1046GLSA-200604-18USN-275-120060404-01-U1981119852198621986319902DSA-1051USN-276-11995019941FEDORA-2006-410FEDORA-2006-411SUSE-SA:2006:021USN-271-1197141972119746RHSA-2006:0329RHSA-2006:0330FLSA:189137-1FLSA:189137-2HPSBUX02122SCOSA-2006.262103310255021622oval:org.mitre.oval:def:1266GLSA-200605-09197291978020051mozilla-installtrigger-memory-corruption(25809)MDKSA-2006:075MDKSA-2006:076Directory traversal vulnerability in acc.php in QuickBlogger 1.4 allows remote attackers to read or include arbitrary local files via the request parameter. NOTE: this issue can also produce resultant XSS when the associated include statement fails.20060412 QuickBlogger v1.4 Cross-Site Scripting1594220060414 Re: QuickBlogger v1.4 Cross-Site Scripting quickblogger-acc-xss(25795)Unspecified vulnerability in the POP service in MailEnable Standard Edition before 1.94, Professional Edition before 1.74, and Enterprise Edition before 1.22 has unknown attack vectors and impact related to "authentication exploits". NOTE: this is a different set of affected versions, and probably a different vulnerability than CVE-2006-1337.Directory traversal vulnerability in runCMS 1.2 and earlier allows remote attackers to read arbitrary files via the bbPath[path] parameter to (1) class.forumposts.php and (2) forumpollrenderer.php. NOTE: this issue is closely related to CVE-2006-0659.Succesful exploitation requires that register_globals = On & allow_url_fopen = On20060209 runCMS <= 1.3a2 possible remote code execution through the integrated FCKEditor package16578SQL injection vulnerability in Mambo 4.5.3, 4.5.3h, and possibly earlier versions allows remote attackers to execute arbitrary SQL commands via (1) the $username variable in the mosGetParam function and (2) the $task parameter in the mosMenuCheck function in (a) includes/mambo.php; and (3) the $filter variable to the showCategory function in the com_content component (content.php).Successful exploitation requires that "magic_quotes_gpc" is disabled.20060224 Mambo Multiple VulnerabilitiesMambo Multiple VulnerabilitiesSecurity Patch Released 16775ADV-2006-0719234022350318935 mambo-index2-sql-injection(24951)Cross-site scripting (XSS) vulnerability in tablepublisher.cgi in UPDI Network Enterprise @1 Table Publisher 2006-03-23 allows remote attackers to inject arbitrary web script or HTML via the Title of Table field.1764219723Cross-site scripting (XSS) vulnerability in the paging links functionality in template-functions-links.php in Wordpress 1.5.2, and possibly other versions before 2.0.1, allows remote attackers to inject arbitrary web script or HTML to Internet Explorer users via the request URI ($_SERVER['REQUEST_URI']).The vulnerability manifests itself only when viewed by IE. This vulnerability is addressed in the following product release: Wordpress 2.0.1-1#328909Ticket #1686The kernel in NetBSD-current before September 28, 2005 allows local users to cause a denial of service (system crash) by using the SIOCGIFALIAS ioctl to gather information on a non-existent alias of a network interface, which causes a NULL pointer dereference.NetBSD-SA2006-0121749710159081961524578 bsd-siocgifalias-ioctl-dos(25766)SQL injection vulnerability in rateit.php in RateIt 2.2 allows remote attackers to execute arbitrary SQL commands via the rateit_id parameter.ADV-2006-13581963720060424 [eVuln] RateIt SQL Injection Vulnerability17518246221015983rateit-rateit-sql-injection(25801)censtore.cgi in Censtore 7.3.002 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the page parameter.exploit 166917515ADV-2006-135219666 1669 censtore-page-command-execution(25905)Directory traversal vulnerability in posts.php in SimpleBBS 1.0.6 through 1.1 allows remote attackers to include and execute arbitrary files via ".." sequences in the language cookie, as demonstrated by by injecting the code into the gl_session cookie of users.php, which is stored in error.log.20060412 SimpleBBS v1.1(posts.php) remote command executionSimpleBBS v1.1(posts.php) remote command execution XploitSimpleBBS v1.1(posts.php) remote command execution Xploit17501 simplebbs-posts-command-execution(25788)Cross-site scripting (XSS) vulnerability in planetsearchplus.php in planetSearch+ allows remote attackers to inject arbitrary web script or HTML via the search_exp parameter.20060413 planetSearch+ - XSS VulnerabilitiesplanetSearch+ - XSS VulnerabilitiesADV-2006-13681968117527 planetsearchplus-script-xss(25832)Cross-site scripting (XSS) vulnerability in index.php in TinyWebGallery 1.3 and 1.4 allows remote attackers to inject arbitrary web script or HTML via the twg_album parameter.20060415 Tiny Web Gallery <= 1.4 XSS17536ADV-2006-136919660 20060606 Re: Tiny Web Gallery <= 1.4 XSS tinywebgallery-index-xss(25831)717Cross-site scripting (XSS) vulnerability in sql.php in phpMyAdmin 2.7.0-pl1 allows remote attackers to inject arbitrary web script or HTML via the sql_query parameter.20060412 phpMyAdmin 2.7.0-pl120060414 Re: phpMyAdmin 2.7.0-pl117487ADV-2006-137219659SUSE-SR:2006:00919897 phpmyadmin-sql-xss(25796)SQL injection vulnerability in sql.php in phpMyAdmin 2.7.0-pl1 allows remote attackers to execute arbitrary SQL commands via the sql_query parameter.This vulnerbability may affect earlier versions of phpMyAdmin as well.20060412 phpMyAdmin 2.7.0-pl1ADV-2006-137219659SUSE-SR:2006:00919897 phpmyadmin-sql-sql-injection(25858)SQL injection vulnerability in member.php in PowerClan 1.14 allows remote attackers to execute arbitrary SQL commands via the memberid parameter.20060413 PowerClan 1.14 - SQL InjectionADV-2006-13711968917528 powerclan-member-sql-injection(25876)706Cross-site scripting (XSS) vulnerability in index.php in Musicbox 2.3.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the term parameter in a search action.ADV-2006-1373196721754520060724 MusicBox <= 2.3.4 XSS SQL injection Vulnerabilitymusicbox-multiple-xss(27925) musicbox-index-xss(25835)Multiple SQL injection vulnerabilities in index.php in Musicbox 2.3.3 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) start parameter in a search action or (2) type parameter in a top action.ADV-2006-1373196721754520060724 MusicBox <= 2.3.4 XSS SQL injection Vulnerabilitymusicbox-multiple-sql-injection(27926) musicbox-index-sql-injection(25836)Cross-site scripting (XSS) vulnerability in index.php in Lifetype 1.0.3 allows remote attackers to inject arbitrary web script or HTML via the show parameter in a Template operation.20060414 Vulnerabilities in lifetypeADV-2006-136710159411964617529 lifetype-index-xss(25899)index.php in Lifetype 1.0.3 allows remote attackers to obtain sensitive information via an invalid show parameter, which reveals the path in an error message.20060414 Vulnerabilities in lifetype1015941 lifetype-index-path-disclosure(25903)711Multiple cross-site scripting (XSS) vulnerabilities in FlexBB 0.5.5 BETA allow remote attackers to inject arbitrary web script or HTML via the (1) ICQ, (2) AIM, (3) MSN, (4) Google Talk, (5) Website Name, (6) Website Address, (7) Email Address, (8) Location, (9) Signature, and (10) Sub-Titles fields in the user profile.20060416 FlexBB v0.5.5 BETA [SQL Inj] [XSS] [Login bypass]17539Multiple SQL injection vulnerabilities in FlexBB 0.5.5 BETA allow remote attackers to execute arbitrary SQL commands via the (1) id, (2) forumid, or (3) threadid parameter to index.php; the (4) ICQ, (5) AIM, (6) MSN, (7) Google Talk, (8) Website Name, (9) Website Address, (10) Email Address, (11) Location, (12) Signature, and (13) Sub-Titles fields in the user profile; or (14) flexbb_password field in a cookie.20060416 FlexBB v0.5.5 BETA [SQL Inj] [XSS] [Login bypass]17574phpWebFTP 3.2 and earlier stores script.js under the web document root with insufficient access control, which allows remote attackers to obtain sensitive information.20060417 PhpWebFTP 3.2 Login Script1755719706 phpwebftp-scriptjs-obtain-information(25921)Directory traversal vulnerability in index.php in phpWebFTP 3.2 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the language parameter.20060417 PhpWebFTP 3.2 Login Script17557ADV-2006-138819706 phpwebftp-index-directory-traversal(25920)723NetBSD 1.6, 2.0, 2.1 and 3.0 allows local users to cause a denial of service (memory exhaustion) by using the sysctl system call to lock a large buffer into physical memory.1749810159091961624579bsd-sysctl-dos(25764)Multiple cross-site scripting (XSS) vulnerabilities in register.php in Tritanium Bulletin Board (TBB) 1.2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) newuser_realname and (2) newuser_icq parameters, a different vector than CVE-2006-1768. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.ADV-2006-13292455619635 tritaniumbb-register-xss(25751)693PHP remote file inclusion vulnerability in VBulletin 3.5.1, 3.5.2, and 3.5.4 allows remote attackers to execute arbitrary code via a URL in the systempath parameter to (1) ImpExModule.php, (2) ImpExController.php, and (3) ImpExDisplay.php.20060412 Remote File Inclusion in VBulletin ImpEx24690246912469219352 impex-multiple-file-inclusion(25789) 20070504 Remote File Include In Script impex impex-systempath-file-include(34095)SQL injection vulnerability in authcheck.php in warforge.NEWS 1.0, with magic_quotes_gpc disabled, allows remote attackers to execute arbitrary SQL commands via the (1) authusername and possibly the (2) authpassword cookie.ADV-2006-135920060426 [eVuln] warforge.NEWS SQL Injection and Multiple XSS Vulnerabilities17520 17705 warforgenews-authcheck-sql-injection(25900)Multiple cross-site scripting (XSS) vulnerabilities in warforge.NEWS 1.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly including the (1) first_name and (2) last_name parameter in myaccounts.php. NOTE: portions of these details were obtained from third party sources instead of the original disclosure.ADV-2006-135920060426 [eVuln] warforge.NEWS SQL Injection and Multiple XSS Vulnerabilities17520Directory traversal vulnerability in the loadConfig function in index.php in phpWebSite 0.10.2 and earlier allows remote attackers to include arbitrary local files and execute arbitrary PHP code via the hub_dir parameter, as demonstrated by including access_log. NOTE: in some cases, arbitrary remote file inclusion could be performed under PHP 5 using an SMB share argument such as "\\systemname\sharename".17521ADV-2006-1361101594219647GLSA-200605-0419914 1673 phpwebsite-index-hubdir-file-include(25867)Cross-site scripting (XSS) vulnerability in index.php in ModX 0.9.1 allows remote attackers to inject arbitrary web script or HTML via the id parameter. NOTE: this might be resultant from the directory traversal vulnerability.20060414 Vulnerabilities in MODx175331015940ADV-2006-138319645 modx-index-xss(25894)Directory traversal vulnerability in index.php in ModX 0.9.1 allows remote attackers to read arbitrary files via a .. (dot dot) sequence and trailing NULL (%00) byte in the id parameter.To address this issue, the vendor has released a patch available at the following location: http://modxcms.com/forums/index.php/topic,3982.0.html20060414 Vulnerabilities in MODx175331015940ADV-2006-138319645 modx-index-directory-traversal(25895)Cross-site scripting (XSS) vulnerability in search.php in FarsiNews 2.5.3 Pro and earlier allows remote attackers to inject arbitrary web script or HTML via the selected_search_arch parameter.20060414 Farsinews Cross-Site Scripting & Path disclosure vulnerability175341015943ADV-2006-141119648 farsinews-search-xss(25833)710Directory traversal vulnerability in FarsiNews 2.5.3 Pro and earlier allows remote attackers to obtain the installation path via ".." sequences in the archive parameter to index.php, which leaks the full pathname in an error message.20060414 Farsinews Cross-Site Scripting & Path disclosure vulnerability1015943ADV-2006-141119648710Multiple cross-site scripting (XSS) vulnerabilities in PhpGuestbook.php in PhpGuestbook 1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) Name, (2) Website, and (3) Comment parameter.17594ADV-2006-14221966920060415 PhpGuestbook <= 1.0 XSS17537 phpguestbook-script-xss(25850)Cross-site scripting (XSS) vulnerability in index.php in phpLinks 2.1.3.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the term parameter.phpLinks <= 2.1.3.1 XSS vuln. 17586ADV-2006-1378 phplinks-index-xss(25890)Multiple cross-site scripting (XSS) vulnerabilities in Snipe Gallery 3.1.4 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) gallery_id parameter in view.php, (2) keyword parameter in search.php, and (3) image_id parameter in image.php. NOTE: it is possible that vectors 1 and 3 are resultant from SQL injection.SQL Injection may occur if the magic quotes parameter is off.20060415 Snipe Gallery <= 3.1.4 Multiple XSS20060416 Re: Snipe Gallery <= 3.1.4 Multiple XSS175431015947 snipe-view-image-xss(25803)Integer signedness error in format_jpeg.c in Asterisk 1.2.6 and earlier allows remote attackers to execute arbitrary code via a length value that passes a length check as a negative number, but triggers a buffer overflow when it is used as an unsigned length.Bug: JPEG Reader (IOF)asterisk-1.2.7-patchADV-2006-147819800DSA-10481756119872SUSE-SR:2006:00919897SQL injection vulnerability in php121language.php in PHP121 1.4 allows remote attackers to execute arbitrary SQL commands and execute arbitrary code via the sess_username variable, as set by the php121un HTTP COOKIE parameter, which is used in multiple files including php121login.php. NOTE: the code execution occurs because the SQL query results are used in an include statement.Successful exploitation requires that "magic_quotes_gpc" is disabled.exploit 1666ADV-2006-134919643101593617509 php121-php121login-sql-injection(25785)EAServer Manager in Sybase EAServer 5.2 and 5.3 allows remote authenticated users, possibly guests, to obtain password credentials of abitrary users via unspecified vectors involving (1) connection caches, (2) open password prompts, and (3) stored custom connection profiles.17508ADV-2006-1344101591319605 easerver-password-disclosure(25777)Sun Java Studio Enterprise 8, when installed as root, creates certain files with world-writable permissions, which allows local users to execute arbitrary commands via unspecified vectors.10229217517ADV-2006-1357196321015930 sun-javastudio-insecure-permissions(25822)Direct static code injection vulnerability in sysinfo.cgi in sysinfo 1.21 and possibly other versions before 2.25 allows remote attackers to execute arbitrary commands via a leading ; (semicolon) in the name parameter in a systemdoc action, which is injected into phpinfo.php.17523ADV-2006-1360196901677sysinfo-sysinfo-command-execution(25906)sysinfo.cgi in sysinfo 1.21 allows remote attackers to obtain the installation path via the debugger action.17523ADV-2006-136019690 1677 sysinfo-debugger-information-disclosure(25909)Intel RNG Driver in NetBSD 1.6 through 3.0 may incorrectly detect the presence of the pchb interface, which will cause it to always generate the same random number, which allows remote attackers to more easily crack encryption keys generated from the interface.NetBSD-SA2006-0092457710159071958517496 netbsd-intel-rng-security-bypass(25786)Integer signedness error in Opera before 8.54 allows remote attackers to execute arbitrary code via long values in a stylesheet attribute, which pass a length check. NOTE: a sign extension problem makes the attack easier with shorter strings.20060413 SEC Consult SA-20060314 :: Opera Browser CSS Attribute Integer Wrap / Buffer Overflow17513ADV-2006-1354101591220060413 SEC Consult SA-20060314 :: Opera Browser CSS Attribute Integer Wrap / Buffer OverflowSUSE-SR:2006:01020117GLSA-200606-01 opera-wcsncpy-css-bo(25829)Cross-site scripting (XSS) vulnerability in yearcal.php in Calendarix allows remote attackers to inject arbitrary web script or HTML via the ycyear parameter.20060416 Calendarix 17562ADV-2006-1376101595419710 calendarix-yearcal-xss(25874)727Untrusted search path vulnerability in unspecified components in Symantec LiveUpdate for Macintosh 3.0.0 through 3.5.0 do not set the execution path, which allows local users to gain privileges via a Trojan horse program.17571ADV-2006-13861968220060418 [Symantec Security Advisory] LiveUpdate for Macintosh Local Privilege Escalation1015953 liveupdate-exepath-env-privilege-escalation(25839)100SQL injection vulnerability in archiv2.php in Fuju News 1.0 allows remote attackers to execute arbitrary SQL commands via the ID parameter.17572ADV-2006-137419677 fujunews-archiv2-sql-injection(25897)edit_kategorie.php in Fuju News 1.0 allows remote attackers to bypass authentication by setting the authorized cookie.17572ADV-2006-137419677PHP remote file inclusion vulnerability in language.php in PHP Album 0.3.2.3, when register_globals is enabled, allows remote attackers to execute arbitrary code via an FTP URL in the data_dir parameter, which satisfies the file_exists function call.20060415 PHP Album <= 0.3.2.3 remote commnads executionADV-2006-1382196611752624741phpalbum-language-file-include(25846)Multiple format string vulnerabilities in Empire Server before 4.3.1 allow attackers to cause a denial of servicr (crash) via the (1) load, (2) spy and (3) bomb functions.ADV-2006-1380196741758524700empireserver-unspecified(25863)Cross-site scripting (XSS) vulnerability in search.php in boastMachine (bMachine) 2.7, and possibly other versions before 2.9b, allows remote attackers to inject arbitrary web script or HTML via the key parameter, as used by the search field.20060416 Xss In bMachine 2?7ADV-2006-13751971117550 boastmachine-search-xss(25914)Cross-site scripting (XSS) vulnerability in global.php in ShoutBOOK 1.1 allows remote attackers to inject arbitrary web script or HTML via the (1) NAME and (2) COMMENTS parameters.20060417 ShoutBOOK <= 1.1 XSS17548ADV-2006-1385197041015958 shoutbook-global-xss(25862)Cross-site scripting (XSS) vulnerability in global.php in ShoutBOOK 1.1 allows remote attackers to inject arbitrary web script or HTML via the (1) LOCATION and (2) URL parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.ADV-2006-138519704 shoutbook-global-xss(25862)The Debian installer for the (1) shadow 4.0.14 and (2) base-config 2.53.10 packages includes sensitive information in world-readable log files, including preseeded passwords and pppoeconf passwords, which might allow local users to gain privileges.2392219170** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2006-0537. Reason: This candidate is a duplicate of CVE-2006-0537. Notes: All CVE users should reference CVE-2006-0537 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.Cross-site scripting (XSS) vulnerability in the Your_Account module in PHP-Nuke 7.8 might allows remote attackers to inject arbitrary HTML and web script via the ublock parameter, which is saved in the user's personal menu. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. In addition, it is unclear whether this issue is a vulnerability, since it is related to the user's personal menu, which presumably is not modifiable by others.167742343118972 ADV-2006-0687SQL injection vulnerability in the Your_Account module in PHP-Nuke 7.8 might allows remote attackers to execute arbitrary SQL commands via the user_id parameter in the Your_Home functionality. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.167742343218972 ADV-2006-0687Multiple cross-site scripting (XSS) vulnerabilities in stats_view.php in LinPHA 1.1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) date_from, (2) date_to, and (3) date parameter.20060417 Linpha 1.1.0 - XSS Vulnerabilities17581ADV-2006-139619679 linpha-statsview-xss(25916)Multiple SQL injection vulnerabilities in members_only/index.cgi in xFlow 5.46.11 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) position and (2) id parameter.ADV-2006-14121970717614 xflow-index-sql-injection(25853)Multiple cross-site scripting (XSS) vulnerabilities in xFlow 5.46.11 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) level, (2) position, (3) id, and (4) action parameters to members_only/index.cgi, and the (5) page parameter to customer_area/index.cgi.ADV-2006-14121970717614 xflow-index-xss(25854)xFlow 5.46.11 and earlier allows remote attackers to determine the installation path of the application via the (1) action parameter to members_only/index.cgi and (2) page parameter customer_area/index.cgi, probably due to invalid values.17614 xflow-index-path-disclosure(25855)SQL injection vulnerability in category.php in Article Publisher Pro 1.0.1 and earlier allows remote attackers to execute arbitrary SQL commands via the cname parameter.24730articlepublisher-category-sql-injection(25898)Multiple SQL injection vulnerabilities in ModernBill 4.3.2 and earlier allow remote attackers or administrators to execute arbitrary SQL commands via the (1) id parameter in (a) user.php, or (2) where and (3) order parameters to (b) admin.php.17596ADV-2006-141519641 modernbill-user-sql-injection(25926)** DISPUTED ** Multiple cross-site scripting (XSS) vulnerabilities in BluePay Manager 2.0 and earlier allow remote attackers to inject arbitrary web script or HTML during a login action via the (1) Account Name and (2) Username field. NOTE: the vendor has disputed this vulnerability, saying that "it does not exist currently in the Bluepay 2.0 product," and older versions might not have been affected either. As of 20060512, CVE has not formally investigated this dispute.choose_new_parent in Linux kernel before 2.6.11.12 includes certain debugging code, which allows local users to cause a denial of service (panic) by causing certain circumstances involving termination of a parent process.RHSA-2006:04932023718099USN-302-1207162117921745DSA-118422093Certain modifications to the Linux kernel 2.6.16 and earlier do not add the appropriate Linux Security Modules (LSM) file_permission hooks to the (1) readv and (2) writev functions, which might allow attackers to bypass intended access restrictions.[linux-security-module] 20050928 readv/writev syscalls are not checked by lsm[linux-kernel] 20060426 [PATCH] LSM: add missing hook to do_compat_readv_writev()RHSA-2006:04932023718105USN-302-120716MDKSA-2006:123257472104521745DSA-118422093MDKSA-2006:123Buffer overflow in SCTP in Linux kernel before 2.6.16.17 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a malformed HB-ACK chunk.ADV-2006-1893201851808525695linux-sctp-hback-dos(26584)DSA-109720671USN-302-120716DSA-1103ADV-2006-255420914MDKSA-2006:1232104521179RHSA-2006:0575SUSE-SA:2006:04721465MDKSA-2006:15022417 21476 21498MDKSA-2006:123MDKSA-2006:150SCTP in Linux kernel before 2.6.16.17 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a chunk length that is inconsistent with the actual length of provided parameters.ADV-2006-1893201851808525696linux-sctp-parameter-dos(26585)DSA-109720671USN-302-120716DSA-1103ADV-2006-255420914MDKSA-2006:1232104521179SUSE-SA:2006:047RHSA-2006:061721605MDKSA-2006:15022174 21476 21498MDKSA-2006:123MDKSA-2006:150Memory leak in __setlease in fs/locks.c in Linux kernel before 2.6.16.16 allows attackers to cause a denial of service (memory consumption) via unspecified actions related to an "uninitialised return value," aka "slab leak."ADV-2006-1767200832006-002818033linux-locks-setlease-dos(26438)USN-302-120716MDKSA-2006:1232104521179MDKSA-2006:123lease_init in fs/locks.c in Linux kernel before 2.6.16.16 allows attackers to cause a denial of service (fcntl_setlease lockup) via actions that cause lease_init to free a lock that might not have been allocated on the stack.17943ADV-2006-176720083254252006-0028linux-locks-lease-init-dos(26437)USN-302-120716MDKSA-2006:1232104521179MDKSA-2006:123Multiple integer overflows in FreeType before 2.2 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via attack vectors related to (1) bdf/bdflib.c, (2) sfnt/ttcmap.c, (3) cff/cffgload.c, and (4) the read_lwfn function and a crafted LWFN file in base/ftmac.c. NOTE: item 4 was originally identified by CVE-2006-2493.18034ADV-2006-186820100freetype-lwfn-overflow(26553)20060612 rPSA-2006-0100-1 freetypeDSA-1095MDKSA-2006:099USN-291-1205252059120638SUSE-SA:2006:03720791GLSA-200607-0221000RHSA-2006:05002106220060701-01-U1016522211352138521701 102705 ADV-2007-0381 23939GLSA-200710-09MDKSA-2006:099SUSE-SR:2007:021271622716727271The virtual memory implementation in Linux kernel 2.6.x allows local users to cause a denial of service (panic) by running lsof a large number of times in a way that produces a heavy system load.RHSA-2006:04932023721745Directory traversal vulnerability in CIFS in Linux 2.6.16 and earlier allows local users to escape chroot restrictions for an SMB-mounted filesystem via "..\\" sequences, a similar vulnerability to CVE-2006-1864.Bugzilla Bug 18943417742ADV-2006-1542198682006-002425068SUSE-SA:2006:028DSA-1103ADV-2006-255420914MDKSA-2006:150MDKSA-2006:1512161420398 kernel-cifs-directory-traversal(26141)MDKSA-2006:150MDKSA-2006:151Directory traversal vulnerability in smbfs in Linux 2.6.16 and earlier allows local users to escape chroot restrictions for an SMB-mounted filesystem via "..\\" sequences, a similar vulnerability to CVE-2006-1863.1773519869250672006-0026RHSA-2006:049320237DSA-109720671SUSE-SA:2006:028USN-302-120716DSA-1103ADV-2006-255420914RHSA-2006:0579RHSA-2006:058021035MDKSA-2006:150MDKSA-2006:151216142174520398RHSA-2006:07102249720061113 VMSA-2006-0006 - VMware ESX Server 2.5.3 Upgrade Patch 420061113 VMSA-2006-0005 - VMware ESX Server 2.5.4 Upgrade Patch 120061113 VMSA-2006-0007 - VMware ESX Server 2.1.3 Upgrade Patch 220061113 VMSA-2006-0008 - VMware ESX Server 2.0.2 Upgrade Patch 2ADV-2006-45022287523064 21476 kernel-smbfs-directory-traversal(26137)MDKSA-2006:150MDKSA-2006:151Argument injection vulnerability in Beagle before 0.2.5 allows attackers to execute arbitrary commands via crafted filenames that inject command line arguments when Beagle launches external helper applications while indexing.17611SUSE-SR:2006:00919897FEDORA-2006-440249381978119778beagle-indexing-command-execution(26104)Multiple unspecified vulnerabilities in Oracle Database Server 8.1.7.4, 9.0.1.5, 9.2.0.7, 10.1.0.5, and other versions have unknown impact and attack vectors in the (1) Advanced Replication component, as identified by Vuln# DB01, and (2) Oracle Spatial component, as identified by Vuln# DB10. NOTE: details are unavailable from Oracle, but as of 20060421, they have not publicly disputed a claim by a reliable independent researcher that states that DB01 is an unknown issue in the DBMS_REPUTIL package, and DB10 is SQL injection in the INSERT_CATALOG, UPDATE_CATALOG, and DELETE_CATALOG functions of the SDO_CATALOG package.17590ADV-2006-1397101596119712HPSBMA02113VU#139049ADV-2006-157119859 TA06-109A oracle-dbmsreputil-sql-injection(26050) oracle-sdocatalog-sql-injection(26054)Unspecified vulnerability in Oracle Database Server 9.2.0.6 has unknown impact and attack vectors in the Advanced Replication component, aka Vuln# DB02.17590ADV-2006-1397101596119712HPSBMA02113ADV-2006-157119859 oracle-database-multiple-unspecified(26068)Buffer overflow in the Advanced Replication component in Oracle Database Server 10.1.0.4 allows database users to execute arbitrary code via the VERIFY_LOG procedure of the DBMS_SNAPSHOT_UTL package, aka Vuln# DB03.17590ADV-2006-139710159611971220060420 [Argeniss] Oracle Database 10gR1 Buffer overflow in VERIFY_LOG procedureVU#797465HPSBMA02113ADV-2006-157119859 TA06-109A oracle-dbmssnapshotutl-bo(26049)Unspecified vulnerability in Oracle Database Server 8.1.7.4 and 9.0.1.5 has unknown impact and attack vectors in the Dictionary component, aka Vuln# DB04.17590ADV-2006-1397101596119712VU#241481HPSBMA02113ADV-2006-157119859 TA06-109A oracle-dictionary-constraint-modification(26052)Unspecified vulnerability in Oracle Database Server 8.1.7.4, 9.0.1.5, 9.2.0.7, 10.1.0.5, and 10.2.0.2 has unknown impact and attack vectors in the Export component, aka Vuln# DB05. NOTE: details are unavailable from Oracle, but as of 20060427, they have not publicly commented on whether DB05 is the same issue as CVE-2006-2081.17590ADV-2006-139710159611971220060419 Oracle 10g 10.2.0.2.0 DBA exploitVU#452681HPSBMA02113ADV-2006-157119859SQL injection vulnerability in Oracle Database Server 9.2.0.7 and 10.1.0.5 allows remote attackers to execute arbitrary SQL commands via the DELETE_FROM_TABLE function in the DBMS_LOGMNR_SESSION (Log Miner) package, aka Vuln# DB06.17590ADV-2006-1397101596119712HPSBMA02113ADV-2006-15711985920060418 SQL Injection in package SYS.DBMS_LOGMNR_SESSION20060418 SQL Injection in package SYS.DBMS_LOGMNR_SESSIONoracle-dbmslogmnrsession-sql-injection(26047)Unspecified vulnerability in Oracle Database Server 9.0.1.5 and 9.2.0.7 has unknown impact and attack vectors in the Oracle Enterprise Manager Intelligent Agent component, aka Vuln# DB07.Apply patches : http://www.oracle.com/technology/deploy/security/pdf/cpuapr2006.html17590ADV-2006-1397101596119712HPSBMA02113ADV-2006-157119859 oracle-database-multiple-unspecified(26068)Unspecified vulnerability in Oracle Database Server 9.2.0.7, 10.1.0.4, and 10.2.0.1 has unknown impact and attack vectors in the Oracle Spatial component, aka Vuln# DB08.Apply patches : http://www.oracle.com/technology/deploy/security/pdf/cpuapr2006.html17590ADV-2006-1397101596119712HPSBMA02113ADV-2006-157119859oracle-database-multiple-unspecified(26068)Unspecified vulnerability in Oracle Database Server 8.1.7.4, 9.0.1.5, and 9.2.0.6 has unknown impact and attack vectors in the Oracle Spatial component, aka Vuln# DB09. NOTE: Oracle has not disputed reliable claims that this issue is SQL injection in MDSYS.PRVT_IDX using the (1) EXECUTE_INSERT, (2) EXECUTE_DELETE, (3) EXECUTE_UPDATE, (4) EXECUTE UPDATE, and (5) CRT_DUMMY functions.Apply patches.17590ADV-2006-1397101596119712HPSBMA02113ADV-2006-157119859oracle-prvtidx-sql-injection(26053)Unspecified vulnerability in Oracle Database Server 9.0.1.5, 9.2.0.7, and 10.1.0.5 has unknown impact and attack vectors in the Oracle Spatial component, aka Vuln# DB11. NOTE: Oracle has not disputed reliable researcher claims that this issue is SQL injection in MDSYS.SDO_LRS_TRIG_INS.Oracle Critical Patch Update - April 2006 17590ADV-2006-1397101596119712HPSBMA02113ADV-2006-157119859oracle-sdolrstrigins-sql-injection(26055)Unspecified vulnerability in Oracle Database Server 9.2.0.7 and 10.1.0.4 has unknown impact and attack vectors in the Oracle Spatial component, aka Vuln# DB12. NOTE: details are unavailable from Oracle, but as of 20060421, they have not publicly disputed a claim by a reliable independent researcher that states that the problem is SQL injection in the (1) GEN_RID_RANGE_BY_AREA and (2) GEN_RID_RANGE functions in the MDSYS.SDO_PRIDX package.17590ADV-2006-1397101596119712VU#240249HPSBMA02113ADV-2006-157119859oracle-sdopridx-sql-injection(26051)Unspecified vulnerability in Oracle Database Server 8.1.7.4, 9.0.1.5, and 9.2.0.7 has unknown impact and attack vectors in the Oracle Spatial component, aka Vuln# DB13.17590ADV-2006-1397101596119712HPSBMA02113ADV-2006-15711985924861oracle-database-multiple-unspecified(26068)Cross-site scripting (XSS) vulnerability in index.php in phpFaber TopSites allows remote attackers to inject arbitrary web script or HTML via the page parameter.20060415 phpFaber TopSites Script Cross-Site Scripting17542ADV-2006-1394101594519652 phpfabertopsites-index-xss(25804)719760Multiple unspecified vulnerabilities in the Email Server component in Oracle Collaboration Suite 9.0.4.2, 10.1.1, 10.1.2.0, and 10.1.2.1 have unknown impact and attack vectors, aka Vuln# (1) OCS01, (2) OCS02, (3) OCS03, and (4) OCS04.Oracle Critical Patch Update - April 2006 17590ADV-2006-1397101596119712HPSBMA02113VU#549146VU#879041ADV-2006-157119859 TA06-109A oracle-collab-unauth-access(26057)Multiple unspecified vulnerabilities in Oracle E-Business Suite and Applications 11.5.10CU2 have unknown impact and attack vectors, as identified by Vuln# (1) APPS01 in the (a) Application Install component; (2) APPS09 in the (b) Oracle Diagnostics Interfaces component; (3) APPS10 in the (c) Oracle General Ledger component; (4) APPS12 and (5) APPS13 in the (d) Oracle Receivables component.Oracle Critical Patch Update - April 2006 17590ADV-2006-1397101596119712HPSBMA02113VU#940729ADV-2006-157119859 oracle-ebusiness-multiple-unspecifed(26058)Unspecified vulnerability in the Financials for Asia/Pacific component in Oracle E-Business Suite and Applications 11.5.9 has unknown impact and attack vectors. component, aka Vuln# APPS02.Oracle Critical Patch Update - April 200617590ADV-2006-1397101596119712HPSBMA02113ADV-2006-157119859 oracle-ebusiness-multiple-unspecifed(26058)Multiple unspecified vulnerabilities in Oracle E-Business Suite and Applications 11.5.10 have unknown impact and attack vectors, as identified by Vuln# (1) APPS03 in (a) iProcurement; (2) APPS04 in (b) Oracle Application Object Library; (3) APPS06, (4) APPS07, and (5) APPS08 in (c) Oracle Applications Technology Stack; and (6) APPS11 in (d) Oracle Order Capture.Oracle Critical Patch Update - April 2006 17590ADV-2006-1397101596119712HPSBMA02113VU#619194VU#824833ADV-2006-157119859 oracle-ebusiness-multiple-unspecifed(26058)Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite and Applications 11.5.10CU1 has unknown impact and attack vectors, aka Vuln# APPS05.Oracle Critical Patch Update - April 2006 17590ADV-2006-1397101596119712HPSBMA02113ADV-2006-157119859 oracle-ebusiness-multiple-unspecifed(26058)Unspecified vulnerability in the Oracle Thesaurus Management System component in Oracle E-Business Suite and OPA 4.5.2 Applications has unknown impact and attack vectors, aka Vuln# OPA01.The vendor has addressed this issue through the release of product updates: http://www.oracle.com/technology/deploy/security/pdf/cpuapr2006.html Oracle Critical Patch Update - April 2006 17590ADV-2006-1397101596119712HPSBMA02113ADV-2006-157119859oracle-ebusiness-multiple-unspecifed(26058)Multiple unspecified vulnerabilities in the Reporting Framework component in Oracle Enterprise Manager 9.0.1.5 and 9.2.0.7 have unknown impact and attack vectors, aka Vuln# (1) EM01 and (2) EM02.Oracle Critical Patch Update - April 2006 17590ADV-2006-1397101596119712HPSBMA02113VU#443265ADV-2006-157119859 oracle-reporting-framework-access(26056)Unspecified vulnerability in the PeopleTools component in Oracle PeopleSoft Enterprise 8.46.12 and 8.47.04 has unknown impact and attack vectors, aka Vuln# PSE01.Oracle Critical Patch Update - April 2006 17590ADV-2006-1397101596119712HPSBMA02113ADV-2006-157119859 TA06-109A oracle-peopletools-unspecified(26059)Unspecified vulnerability in Oracle JD Edwards EnterpriseOne Security Server 8.95.J1 has unknown impact and attack vectors, aka Vuln# JDE01.Oracle Critical Patch Update - April 2006 17590ADV-2006-1397101596119712HPSBMA02113ADV-2006-157119859 TA06-109A oracle-jdedwards-enterpriseone-unspecified(26069)phpGraphy 0.9.11 and earlier allows remote attackers to bypass authentication and gain administrator privileges via a direct request to index.php with the editwelcome parameter set to 1, which can then be used to modify the main page to inject arbitrary HTML and web script. NOTE: XSS attacks are resultant from this issue, since normal functionality allows the admin to modify pages.20060417 - PHPGraphy <= 0.9.11 PHPGraphy <= 0.9.11 'editwelcome' unauthorized access / cross site scripting1756720060418 Re: - PHPGraphy <= 0.9.11 ADV-2006-1379197051015971phpgraphy-index-xss(25892)733Cross-site scripting (XSS) vulnerability in the search action handler in index.php in Nils Asmussen (aka SCRIPTSOLUTION) Boardsolution 1.12 and earlier allows remote attackers to inject arbitrary web script or HTML via the "Search for" item (keyword parameter).20060415 Boardsolution <= 1.12 XSS17549ADV-2006-1413101594819654 boardsolution-index-xss(25805)718766Multiple PHP remote file inclusion vulnerabilities in myWebland myEvent 1.2 allow remote attackers to execute arbitrary PHP code via a URL in the myevent_path parameter in (1) event.php and (2) initialize.php. NOTE: vector 2 was later reported to affect 1.4 as well.20060416 MyEvent Remote File Execution And XSS Attacking175752472224723myevent-event-initialize-file-include(25882)1016616ADV-2006-138419680myevent-myevent-file-include(28347)726767Cross-site scripting (XSS) vulnerability in Martin Scheffler betaboard 0.1 allows remote attackers to inject arbitrary web script or HTML via a user's profile, possibly using the FormVal_profile parameter. NOTE: it is not clear whether this is a distributable product or a site-specific vulnerability. If it is site-specific, then it should not be included in CVE.20060416 BetaBoard Cross Site Scripting vulnerability20060416 BetaBoard Cross Site Scripting vulnerability17556ADV-2006-1377101595519700betaboard-editprofile-xss(25838)724765avast! 4 Linux Home Edition 1.0.5 allows local users to modify permissions of arbitrary files via a symlink attack on the /tmp/_avast4_ temporary directory.20060414 Avast Linux Home Edition (vulnerability on a temporary folder creation)17535ADV-2006-138719683712764Cross-site scripting (XSS) vulnerability in print.php in ar-blog 5.2 allows remote attackers to inject arbitrary web script or HTML via the id parameter.20060413 Xss In ar-blog v 5.217522 arblog-print-xss(25834)763Cross-site scripting (XSS) vulnerability in RevoBoard 1.8, as derived from PunBB, allows remote attackers to inject arbitrary web script or HTML via a substitution cipher of the email tag, which is transformed when the application's e-mail address obfuscator reverses the transformation. NOTE: it is not clear whether this is a site-specific issue; however, the claimed codebase relationship with PunBB might be relevant.20060413 RevoBoard [email] tag XSS768Direct static code injection vulnerability in includes/template.php in phpBB allows remote authenticated users with write access to execute arbitrary PHP code by modifying a template in a way that (1) bypasses a loose ".*" regular expression to match BEGIN and END statements in overall_header.tpl, or (2) is used in an eval statement by includes/bbcode.php for bbcode.tpl.20060414 phpBB template file code execution17573 phpbb-template-code-execution(25888)769Unspecified vulnerability in phpBB allows remote authenticated users with Administration Panel access to execute arbitrary PHP code via crafted Font Colour 3 ($theme[fontcolor3] variable) and/or signature values, possibly involving the highlight functionality. NOTE: the original report does not clarify whether this issue is static code injection, eval injection, or another type of vulnerability.20060414 phpBB Admin command execution20060418 Re: phpBB Admin command executionDSA-10662019720093phpbb-admin-code-execution(25889)715762Webplus (aka talentsoft) Web+Shop 5.3.6, when Redirect URL for "Script Not Found" Error is not configured, allows remote attackers to obtain sensitive information via a quote (') or possibly other invalid value in the storeid parameter in store.wml in webplus.exe, which reveals the path in a "Script Not Found" error message.20060413 TalentSoft Web+Shop Path Disclosure2462119662 webplusshop-webplus-path-disclosure(25802)703761Multiple cross-site scripting (XSS) vulnerabilities in Ralph Capper Tiny PHP Forum (TPF) 3.6 allow remote attackers to inject arbitrary web script or HTML via (1) the uname parameter in a view action in profile.php and (2) a login name. NOTE: the "Access to hash password" issue is already covered by CVE-2006-0103.20060417 Tiny PHP forum - vulns17553 tinyphpforum-profile-error-xss(25856)728773Multiple cross-site scripting (XSS) vulnerabilities in dev Neuron Blog 1.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) name and (2) website parameters.20060417 Neuron Blog <= 1.1 XSS101596017552 ADV-2006-1406 19703 neuronblog-addcomment-xss(25913)Multiple buffer overflows in World Wide Web Consortium (W3C) Amaya 9.4, and possibly other versions including 8.x before 8.8.5, allow remote attackers to execute arbitrary code via a long value in (1) the COMPACT attribute of the COLGROUP element, (2) the ROWS attribute of the TEXTAREA element, and (3) the COLOR attribute of the LEGEND element; and via other unspecified attack vectors consisting of "dozens of possible snippets."17507ADV-2006-1351246232462419670amaya-various-attribute-bo(25791)20060412 [BuHa-Security] Stack Based Buffer Overflow Vulnerability in Amaya 9.420060412 [BuHa-Security] Stack Based Buffer Overflow Vulnerability in Amaya 9.4 #2Mozilla Camino 1.0 and earlier allow remote attackers to cause a denial of service (null dereference and application crash or hang) via HTML with certain improperly nested elements. NOTE: this might be the same issue as CVE-2006-1724.20060413 Camino Browser HTML Parsing Null Pointer Dereference Denial of Service Vulnerability772fold_binary in fold-const.c in GNU Compiler Collection (gcc) 4.1 improperly handles pointer overflow when folding a certain expr comparison to a corresponding offset comparison in cases other than EQ_EXPR and NE_EXPR, which might introduce buffer overflow vulnerabilities into applications that could be exploited by context-dependent attackers. NOTE: followup posts have disputed whether this is a compiler problem or an application problem, since some of the reported expressions might be undefined in C standards.20060417 gcc 4.1 bug miscompiles pointer range checks, may place you at risk20060418 Re: gcc 4.1 bug miscompiles pointer range checks, may place you at risk20060418 Re: gcc 4.1 bug miscompiles pointer range checks, may place you at risk[gcc-bugs] 20060417 [Bug c/27180] New: pointer arithmetic overflow handling broken[gcc-bugs] 20060417 [Bug middle-end/27180] New: pointer arithmetic overflow handling broken20060418 RE: gcc 4.1 bug miscompiles pointer range checks, may place you at riskMultiple cross-site scripting (XSS) vulnerabilities in UserLand Manila allow remote attackers to inject arbitrary web script or HTML (1) via the referer parameter in sendMail, and via attributes of (2) the A element and certain other HTML elements in web pages edited with the editInBrowser module. NOTE: the msgReader$1 mode attack vector is already covered by CVE-2006-1769.20060414 manila.userland cross site scriptable1756317565Cross-site scripting (XSS) vulnerability in index.php in AnimeGenesis Gallery allows remote attackers to inject arbitrary web script or HTML via the cat parameter.20060417 AnimeGenesis <= XSSADV-2006-1395Multiple format string vulnerabilities in xiTK (xitk/main.c) in xine 0.99.3 allow remote attackers to execute arbitrary code via format string specifiers in a long filename on an EXTINFO line in a playlist file.20060418 Remote Xine Format String Vulnerability17579GLSA-200604-15ADV-2006-14321015959196711985424747xine-playlist-format-string(25851)MDKSA-2006:08520066SUSE-SA:2006:025Cross-site scripting (XSS) vulnerability in index.php in jjgan852 phpLister 0.4.1 allows remote attackers to inject arbitrary web script or HTML via the page parameter.20060418 phpLister v. 0.4.1 XSS Attacking17591 phplister-index-xss(25910)735770Multiple SQL injection vulnerabilities in myEvent 1.x allow remote attackers to inject arbitrary SQL commands via the event_id parameter to (1) addevent.php or (2) del.php or (3) event_desc parameter to addevent.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.196802472024721myevent-addevent-del-sql-injection(25886)ADV-2006-1384Cross-site scripting vulnerability in addevent.php in myEvent 1.x allows remote attackers to inject arbitrary web script or HTML via the event_desc parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.1968024719ADV-2006-1384 myevent-addevent-xss(25885)Directory traversal vulnerability in index.php in Coppermine 1.4.4 allows remote attackers to read arbitrary files via a .//./ (modified dot dot slash) in the file parameter, which causes a regular expression to collapse the sequences into standard "../" sequences.20060415 [KAPDA]CopperminePhotoGallery1.4.4~ PluginInclusionSystem(index.php)~ RemoteFileInclusion attack20060416 Re: [KAPDA]CopperminePhotoGallery1.4.4~ PluginInclusionSystem(index.php)~ RemoteFileInclusion attack17570ADV-2006-139219665 coppermine-index-file-include(25866)config.php in S9Y Serendipity 1.0 beta 2 allows remote attackers to inject arbitrary PHP code by editing values that are stored in config.php and later executed. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.1756620040614 Serendipity Blog vulnCross-site scripting (XSS) vulnerability in MyBB (MyBulletinBoard) 1.1 allows remote attackers to inject arbitrary web script or HTML via the attachment content disposition in an HTML attachment.This vulnerability is addressed in the following product release: MyBB, MyBB, 1.1.1MyBB 1.1.1 Released ADV-2006-138119668 mybb-html-attachment-xss(25864)MyBB (MyBulletinBoard) 1.1.0 does not set the constant KILL_GLOBAL variable in (1) global.php and (2) inc/init.php, which allows remote attackers to initialize arbitrary variables that are processed by an @extract command, which could then be leveraged to conduct cross-site scripting (XSS) or SQL injection attacks.Upgrade to MyBB 1.1.1ADV-2006-1381196682471024711mybb-global-init-data-manipulation(25865) 20060415 [KAPDA]MyBB1.1.0~global.php~ParameterExtractingCross-site scripting (XSS) vulnerability in jax_guestbook.php in Jax Guestbook 3.50 allows remote attackers to inject arbitrary web script or HTML via the page parameter.175601984324991ADV-2006-180020110jaxguestbook-admin-xss(26448)DbbS 2.0-alpha and earlier allows remote attackers to obtain sensitive information via an invalid (1) fcategoryid parameter to topics.php or (2) unavariabile, (3) GLOBALS, or (4) _SERVER[] parameters to script.php. NOTE: this information leak might be resultant from a global variable overwrite issue.20060416 DbbS<=2.0-alpha Multiple Vulnerabilities dbbs-multiple-path-disclosure(25922)771SQL injection vulnerability in topics.php in DbbS 2.0-alpha and earlier allows remote attackers to execute arbitrary SQL commands via the fcategoryid parameter.20060416 DbbS<=2.0-alpha Multiple Vulnerabilities661771Multiple cross-site scripting (XSS) vulnerabilities in profile.php in DbbS 2.0-alpha and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) ulocation or (2) uhobbies parameters.20060416 DbbS<=2.0-alpha Multiple Vulnerabilities17559 dbbs-profile-xss(25923)771SQL injection vulnerability in member.php in Blackorpheus ClanMemberSkript 1.0 allows remote attackers to execute arbitrary SQL commands via the userID parameter.exploit 1683Blackorpheus ClanMemberSkript 1.0 remote sql injection17558ADV-2006-140519678 1683 blackorpheus-member-sql-injection(25902)Multiple cross-site scripting (XSS) vulnerabilities in Papoo 2.1.5 allow remote attackers to inject arbitrary web script or HTML via the menuid parameter to (1) index.php or (2) forum.php, or the (3) reporeid_print parameter to print.php.101593920060414 Vulnerabilities in Papoo17530PHP remote file inclusion vulnerability in index.php in Internet Photoshow 1.3 allows remote attackers to execute arbitrary PHP code via a URL in the page parameter.ADV-2006-1417197261762024743ip-index-file-include(25937)SQL injection vulnerability in index.php in PMTool 1.2.2 allows remote attackers to execute arbitrary SQL commands via the order parameter in the include files (1) user.inc.php, (2) customer.inc.php, and (3) project.inc.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.ADV-2006-14161968517599247802478124782pmtool-order-sql-injection(25877)nettools.php in PHP Net Tools 2.7.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the host parameter.ADV-2006-14201969417601[VIM] 20060609 [VIM] Update Regarding CVE-2006-1921 (fwd) phpnettools-nettools-command-execution(25941)PHP remote file inclusion vulnerability in (1) about.php or (2) auth.php in TotalCalendar allows remote attackers to execute arbitrary PHP code via a URL in the inc_dir parameter.ADV-2006-141819730176182474824751Multiple cross-site scripting (XSS) vulnerabilities in LinPHA before 1.1.1 allow remote attackers to inject arbitrary web script or HTML via (1) RSS/RSS.php and (2) possibly other vectors.ADV-2006-142419719[VIM] 20060420 LinPHA provenance/acknowledgement1761924816 linpha-rss-xss(26269)SQL injection vulnerability in functions/db_api.php in LinPHA 1.1.1 allows remote attackers to execute arbitrary SQL commands via unknown vectors.ADV-2006-142419719[VIM] 20060420 LinPHA provenance/acknowledgement1761924817 linpha-functionsdbapi-sql-injection(26268)Directory traversal vulnerability in the editnews module (inc/editnews.mdu) in index.php in CuteNews 1.4.1 allows remote attackers to read or modify files via the source parameter in the (1) editnews or (2) doeditnews action. NOTE: this can also produce resultant XSS when the target file does not exist.20060418 CuteNews 1.4.1 <= Cross Site Scripting1759220060420 Re: CuteNews 1.4.1 <= Cross Site Scriptingcutenews-index-source-xss(25935)775SQL injection vulnerability in showtopic.php in ThWboard 2.84 beta 3 and earlier allows remote attackers to execute arbitrary SQL commands via the pagenum parameter.20060419 ThWboard <= 3 Beta 2.84 SQL Injection1760620060611 ThWboard 3.0 <= SQL Injection20060613 Re: BUGTRAQ:20060611 ThWboard 3.0 <= SQL Injection thwboard-showtopic-sql-injection(25891)Cisco IOS XR, when configured for Multi Protocol Label Switching (MPLS) and running on Cisco CRS-1 or Cisco 12000 series routers, allows remote attackers to cause a denial of service (Line card crash) via certain MPLS packets, as identified by Cisco bug ID CSCsc77475.20060419 Cisco IOS XR MPLS Vulnerabilities17607ADV-2006-1433101596419740cisco-iosxr-mpls-dos(25881)Cisco IOS XR, when configured for Multi Protocol Label Switching (MPLS) and running on Cisco CRS-1 routers, allows remote attackers to cause a denial of service (Modular Services Cards (MSC) crash or "MPLS packet handling problems") via certain MPLS packets, as identified by Cisco bug IDs (1) CSCsd15970 and (2) CSCsd55531.20060419 Cisco IOS XR MPLS Vulnerabilities17607ADV-2006-143324811101596419740cisco-iosxr-mpls-dos(25881)PHP remote file inclusion vulnerability in include/common.php in I-Rater Platinum allows remote attackers to execute arbitrary PHP code via a URL in the include_path parameter.ADV-2006-14311968417623 24777 Irater-common-file-include(25963)** DISPUTED ** Multiple SQL injection vulnerabilities in userscript.php in Green Minute 1.0 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) huserid, (2) pituus, or (3) date parameters. NOTE: this issue has been disputed by the vendor, saying "those parameters mentioned ARE checked (preg_match) before they are used in SQL-query... If someone decided to add SQL-injection stuff to certain parameter, they would see an error text, but only because _nothing_ was passed inside that parameter (to MySQL-database)." As allowed by the vendor, CVE investigated this report on 20060525 and found that the demo site demonstrated a non-sensitive SQL error when given standard SQL injection manipulations.greenminute-userscript-sql-injection(25942)25207The HTTP/XMLRPC server in Ruby before 1.8.2 uses blocking sockets, which allows attackers to cause a denial of service (blocked connections) via a large amount of data.MDKSA-2006:079USN-273-117645101597819772198042497216904ruby-socket-dos(26102)GLSA-200605-11RHSA-2006:04272002420064SUSE-SR:2006:01220457DSA-115721657MDKSA-2006:079Off-by-one error in the OID printing routine in Ethereal 0.10.x up to 0.10.14 has unknown impact and remote attack vectors.ADV-2006-1501MDKSA-2006:0771768219769FEDORA-2006-456FEDORA-2006-461GLSA-200604-171015985198051982819839DSA-1049RHSA-2006:04201995819962SUSE-SR:2006:0102011720944 20060501-01-U 20210 ethereal-oid-printing-offbyone(26012)MDKSA-2006:077Multiple unspecified vulnerabilities in Ethereal 0.10.x up to 0.10.14 allow remote attackers to cause a denial of service (large or infinite loops) viarafted packets to the (1) UMA and (2) BER dissectors.ADV-2006-1501MDKSA-2006:0771768219769FEDORA-2006-456FEDORA-2006-461GLSA-200604-171015985198051982819839DSA-1049RHSA-2006:04201995819962SUSE-SR:2006:0102011720944 20060501-01-U 20210 ethereal-ber-loop-dos(26024) ethereal-uma-dissector-dos(26008)MDKSA-2006:077Multiple buffer overflows in Ethereal 0.10.x up to 0.10.14 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the (1) ALCAP dissector, (2) Network Instruments file code, or (3) NetXray/Windows Sniffer file code.ADV-2006-1501MDKSA-2006:0771768219769FEDORA-2006-456FEDORA-2006-461GLSA-200604-171015985198051982819839DSA-1049RHSA-2006:04201995819962SUSE-SR:2006:0102011720944 20060501-01-U 20210 ethereal-alcap-dissector-bo(26014) ethereal-net-instr-bo(26026) ethereal-netxwin-sniffer-bo(26027)MDKSA-2006:077Buffer overflow in Ethereal 0.9.15 up to 0.10.14 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the COPS dissector.ADV-2006-1501MDKSA-2006:0771768219769FEDORA-2006-456FEDORA-2006-461GLSA-200604-171015985198051982819839DSA-1049RHSA-2006:04201995819962SUSE-SR:2006:0102011720944 20060501-01-U 20210 ethereal-cops-dissector-bo(26013)MDKSA-2006:077Buffer overflow in Ethereal 0.8.5 up to 0.10.14 allows remote attackers to execute arbitrary code via the telnet dissector.ADV-2006-1501MDKSA-2006:0771768219769FEDORA-2006-456FEDORA-2006-461GLSA-200604-171015985198051982819839DSA-1049RHSA-2006:04201995819962SUSE-SR:2006:0102011720944 20060501-01-U 20210 ethereal-telnet-dissector-bo(26029)MDKSA-2006:077Multiple unspecified vulnerabilities in Ethereal 0.10.x up to 0.10.14 allow remote attackers to cause a denial of service (crash from null dereference) via (1) multiple vectors in H.248, and the (2) X.509if, (3) SRVLOC, (4) H.245, (5) AIM, and (6) general packet dissectors; and (7) the statistics counter.ADV-2006-1501MDKSA-2006:0771768219769FEDORA-2006-456FEDORA-2006-461GLSA-200604-171015985198051982819839DSA-1049RHSA-2006:04201995819962SUSE-SR:2006:010201172094420060501-01-U20210ethereal-aim-dos(26019)ethereal-general-dissector-dos(26018)ethereal-h245-dos(26011)ethereal-h248-dissector-dos(26007)ethereal-h248-dos(26031)ethereal-srvloc-dos(26010)ethereal-statistics-counter-dos(26015)ethereal-x509if-dissector-dos(26009)MDKSA-2006:077Multiple unspecified vulnerabilities in Ethereal 0.8.x up to 0.10.14 allow remote attackers to cause a denial of service (crash from null dereference) via the (1) Sniffer capture or (2) SMB PIPE dissector.ADV-2006-1501MDKSA-2006:0771768219769FEDORA-2006-456FEDORA-2006-461GLSA-200604-171015985198051982819839DSA-1049RHSA-2006:04201995819962SUSE-SR:2006:0102011720944 20060501-01-U 20210 ethereal-smbpipe-dos(26023) ethereal-sniffer-capture-dos(26016)MDKSA-2006:077Multiple unspecified vulnerabilities in Ethereal 0.9.x up to 0.10.14 allow remote attackers to cause a denial of service (crash from null dereference) via (1) an invalid display filter, or the (2) GSM SMS, (3) ASN.1-based, (4) DCERPC NT, (5) PER, (6) RPC, (7) DCERPC, and (8) ASN.1 dissectors.ADV-2006-1501MDKSA-2006:0771768219769FEDORA-2006-456FEDORA-2006-461GLSA-200604-171015985198051982819839DSA-1049RHSA-2006:04201995819962SUSE-SR:2006:0102011720944 20060501-01-U 20210 ethereal-asn1-dissector-dos(26022) ethereal-asn1based-dissector-dos(26030) ethereal-dcerpc-dissector-dos(26021) ethereal-dcerpcnt-dissector-dos(26032) ethereal-display-filter-dos(26017) ethereal-gsmsms-dissector-dos(26028) ethereal-per-diss-dos(26033) ethereal-rpc-dos(26020)MDKSA-2006:077Unspecified vulnerability in Ethereal 0.10.4 up to 0.10.14 allows remote attackers to cause a denial of service (abort) via the SNDCP dissector.ADV-2006-1501MDKSA-2006:0771768219769FEDORA-2006-456FEDORA-2006-461GLSA-200604-171015985198051982819839DSA-1049RHSA-2006:04201995819962SUSE-SR:2006:0102011720944 20060501-01-U 20210 ethereal-sndcp-dissector-dos(26025)MDKSA-2006:077Neon Responder 5.4 for LANsurveyor allows remote attackers to cause a denial of service (application outage) via a crafted Clock Synchronisation packet that triggers an access violation.20060417 Neon Responder (Dos,Exploit)17569ADV-2006-1442101595019702 neonresponder-clocksynchronization-dos(25904)731776Mozilla Firefox 1.5.0.2 and possibly other versions before 1.5.0.4, Netscape 8.1, 8.0.4, and 7.2, and K-Meleon 0.9.13 allows user-assisted remote attackers to open local files via a web page with an IMG element containing a SRC attribute with a non-image file:// URL, then tricking the user into selecting View Image for the broken image, as demonstrated using a .wma file to launch Windows Media Player, or by referencing an "alternate web page."20060418 Another flaw in Firefox 1.5.0.2: to open files from remote1969820060505 Firefox 1.5.0.3 code execution exploit247131998820060602 rPSA-2006-0091-1 firefox thunderbird18228ADV-2006-2106101620220376SUSE-SA:2006:035DSA-1118DSA-11202118321176DSA-113421324HPSBUX02153 20060507 Re: Firefox 1.5.0.3 code execution exploit 20063 firefox-viewimage-security-bypass(25925)ADV-2006-374822066ADV-2008-0083Multiple cross-site scripting (XSS) vulnerabilities in Smarter Scripts IntelliLink Pro 5.06 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) url parameter in addlink_lwp.cgi and the (2) id, (3) forgotid, and (4) forgotpass parameters in edit.cgi.17605ADV-2006-1409197012473224733 intellilink-multiple-xss(25929)Multiple cross-site scripting (XSS) vulnerabilities in SibSoft CommuniMail 1.2 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the list_id parameter in mailadmin.cgi and (2) the form_id parameter in templates.cgi.17602ADV-2006-1407196672473524736 communimail-multiple-xss(25931)Cross-site scripting (XSS) vulnerability in awstats.pl in AWStats 6.5 and earlier allows remote attackers to inject arbitrary web script or HTML via the config parameter. NOTE: this might be the same core issue as CVE-2005-2732.17621GLSA-200606-06 20496Multiple cross-site scripting (XSS) vulnerabilities in Visale 1.0 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the keyval parameter in pbpgst.cgi, (2) the catsubno parameter in pblscg.cgi, and (3) the listno parameter in pblsmb.cgi.17598ADV-2006-140824716247172471819655 visale-multiple-xss(25928)Multiple SQL injection vulnerabilities in plexum.php in NicPlex Plexum X5 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) pagesize, (2) maxrec, and (3) startpos parameters.17617ADV-2006-142319720 plexum-multiple-sql-injection(25918)The "Add Sender to Address Book" operation (AddSenderToAddressBook.lss) and NameHelper.lss in IBM Lotus Notes 6.0 and 6.5 before 20060331 do not properly store information in the Personal Address Book when multiple messages are checked and a message uses AltFrom, which might allow user-assisted remote attackers to trick a user into sending e-mail to an unauthorized recipient.1015914SQL injection vulnerability in plexcart.pl in NicPlex PlexCart X3 and earlier allows remote attackers to execute arbitrary SQL commands via the catid parameter. 18033 plexcartx3-catid-sql-injection(25917)Multiple cross-site scripting (XSS) vulnerabilities in banners.cgi in PerlCoders BannerFarm 2.3 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) aff and (2) cat parameters.17613ADV-2006-14101971824728 bannerfarm-banners-xss(25919)Directory traversal vulnerability in SolarWinds TFTP Server 8.1 and earlier allows remote attackers to download arbitrary files via a crafted GET request including "....//" sequences, which are collapsed into "../" sequences by filtering.20060421 Rapid7 Advisory R7-0019: Directory traversal vulnerability in SolarWinds TFTP Server for Windows1764820060421 Rapid7 Advisory R7-0019: Directory traversal vulnerability in SolarWinds TFTP Server for WindowsADV-2006-156119848 tftp-dotdotdotdot-directory-traversal(25969)778Directory traversal vulnerability in WinAgents TFTP Server for Windows 3.1 and earlier allows remote attackers to read arbitrary files via "..." (triple dot) sequences in a GET request.According to the vendor, WinAgents TFTP server version 3.2 fixes this directory traversal vulnerability.17718ADV-2006-156219844 tftp-dotdotdot-directory-traversal(25971)Directory traversal vulnerability in Caucho Resin 3.0.17 and 3.0.18 for Windows allows remote attackers to read arbitrary files via a "C:%5C" (encoded drive letter) in a URL.This vulnerability is addressed in the following product release: Caucho Technology, Resin, 3.0.19 The following product releases are not vulnerable: Caucho Technology, Resin, 3.0.16 Caucho Technology, Resin, 2.1.12 Caucho Technology, Resin, 2.1.2 Caucho Technology, Resin, 2.1.1 Caucho Technology, Resin, 2.020060516 Caucho Resin Windows Directory Traversal Vulnerability18005ADV-2006-183120060516 Caucho Resin Windows Directory Traversal Vulnerability25570101610920125resin-webserver-directory-traversal(26478)904SQL injection vulnerability in authent.php4 in Nicolas Fischer (aka NFec) RechnungsZentrale V2 1.1.3, and possibly earlier versions, allows remote attackers to execute arbitrary SQL commands via the User field.1758820060419 RechnungsZentrale V2 - SQL injection and Remote PHP inclusion vulnerabilitiesADV-2006-14252475219728rechnungszentrale-authent-sql-injection(25911) 1699PHP remote file inclusion vulnerability in authent.php4 in Nicolas Fischer (aka NFec) RechnungsZentrale V2 1.1.3, and possibly earlier versions, allows remote attackers to execute arbitrary PHP code via a URL in the rootpath parameter.1758920060419 RechnungsZentrale V2 - SQL injection and Remote PHP inclusion vulnerabilitiesADV-2006-14252475319728rechnungszentrale-authent-file-inclusion(25912) 1699The com_rss option (rss.php) in (1) Mambo and (2) Joomla! allows remote attackers to obtain sensitive information via an invalid feed parameter, which reveals the path in an error message.20060418 [KAPDA::#41] - Mambo/Joomla rss component vulnerabilityThe com_rss option (rss.php) in (1) Mambo and (2) Joomla! allows remote attackers to cause a denial of service (disk consumption and possibly web-server outage) via multiple requests with different values of the feed parameter.20060418 [KAPDA::#41] - Mambo/Joomla rss component vulnerability 20060419 Re: [KAPDA::#41] - Mambo/Joomla rss component vulnerability mambo-joomla-rss-dos(26131)Multiple SQL injection vulnerabilities in WWWThreads RC 3 allow remote attackers to execute arbitrary SQL commands via (1) the forumreferrer cookie to register.php and (2) the messages parameter in message_list.php.20060419 WWWThread RC 3 MultBugs17615ADV-2006-144719732 wwwthreads-multiple-sql-injection(25936)739PHP remote file inclusion vulnerability in direct.php in ActualScripts ActualAnalyzer Lite 2.72 and earlier, Gold 7.63 and earlier, and Server 8.23 and earlier allows remote attackers to execute arbitrary code via a URL in the rf parameter.20060419 [MajorSecurity]ActualAnalyzer - Remote File Include Vulnerability17597ADV-2006-14301974324778101596720060520 ActualAnalyzer Server <=8.23 - Remote File Include Vulnerability actualanalyzer-direct-file-include(25893)742Cross-site scripting (XSS) vulnerability in the appliance web user interface in Cisco CiscoWorks Wireless LAN Solution Engine (WLSE) and WLSE Express before 2.13 allows remote attackers to inject arbitrary web script or HTML, possibly via the displayMsg parameter to archiveApplyDisplay.jsp, aka bug ID CSCsc01095.20060419 Multiple Vulnerabilities in the WLSE ApplianceADV-2006-143410159651973617604 20060419 Multiple vulnerabilities in Linux based Cisco products 20060419 Re: Multiple vulnerabilities in Linux based Cisco products 24812 cisco-wlse-user-xss(25883)Cisco CiscoWorks Wireless LAN Solution Engine (WLSE) and WLSE Express before 2.13, Hosting Solution Engine (HSE) and User Registration Tool (URT) before 20060419, and all versions of Ethernet Subscriber Solution Engine (ESSE) and CiscoWorks2000 Service Management Solution (SMS) allow local users to gain Linux shell access via shell metacharacters in arguments to the "show" command in the application's command line interface (CLI), aka bug ID CSCsd21502 (WLSE), CSCsd22861 (URT), and CSCsd22859 (HSE). NOTE: other issues might be addressed by the Cisco advisory.20060419 Multiple Vulnerabilities in the WLSE Appliance20060419 Response to Privilege Escalation on Multiple Cisco ProductsADV-2006-1434101596519736ADV-2006-143519739197411760420060419 Multiple vulnerabilities in Linux based Cisco products20060419 Re: Multiple vulnerabilities in Linux based Cisco products1760924813cisco-wlse-shell-privilege-escalation(25884)SQL injection vulnerability in PCPIN Chat 5.0.4 and earlier allows remote attackers to execute arbitrary SQL commands via the username field (login parameter) to main.php.20060419 PCPIN Chat <= 5.0.4 17632ADV-2006-144119708101596820060604 Re: PCPIN Chat <= 5.0.4 pcpin-chat-main-sql-injection(25961)Directory traversal vulnerability in main.php in PCPIN Chat 5.0.4 and earlier allows remote authenticated users to include and execute arbitrary PHP code via a ".." (dot dot) in a language cookie, as demonstrated by uploading then accessing a smiliefile image that actually contains PHP code.20060419 PCPIN Chat <= 5.0.4 17632ADV-2006-144119708101596820060604 Re: PCPIN Chat <= 5.0.4 "login/language" remote cmmnds xctn pcpin-chat-main-file-include(25962)SQL injection vulnerability in Haberler.asp in ASPSitem 1.83 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter.20060419 ASPSitem <= 1.83 Remote SQL Injection Vulnerability17616ADV-2006-143919693 aspsitem-haberler-sql-injection(25932)Multiple cross-site scripting (XSS) vulnerabilities in aasi media Net Clubs Pro 4.0 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) onuser, (2) pass, (3) chatsys, (4) room, (5) username, and (6) to parameters in (a) sendim.cgi; the (7) username parameter in (b) imessage.cgi; the (8) password parameter in (c) login.cgi; and the (9) cat_id parameter in (d) viewcat.cgi.17622ADV-2006-14362475424755247562475719651 netclubspro-multiple-xss(25957)An unspecified Fortinet product, possibly Fortinet28, allows remote attackers to cause a denial of service via a "small synflood" to the SMTP port (TCP port 25), as demonstrated by a 10-microsecond wait between sending packets. NOTE: this issue has been disputed in followup posts that suggest that a protection feature is triggering a RST.20060416 Fortinet28 box does not resist has small synflood!20060418 Re: Fortinet28 box does not resist has small synflood!20060418 Re: Fortinet28 box does not resist has small synflood!Cross-site scripting (XSS) vulnerability in calendar/Visitor.cgi in KCScripts Calendar, distributed individually and as part of Portal Pack 6.0 and earlier, allows remote attackers to inject arbitrary web script or HTML via the sort_order parameter.ADV-2006-1440196951762824761portalpack-multiple-xss(25940)503Cross-site scripting (XSS) vulnerability in news/NsVisitor.cgi in KCScripts News Publisher, distributed individually and as part of Portal Pack 6.0 and earlier, allows remote attackers to inject arbitrary web script or HTML via the sort_order parameter.ADV-2006-1440196951762824762portalpack-multiple-xss(25940)Cross-site scripting (XSS) vulnerability in search/search.cgi in an unspecified KCScripts script, probably Search Engine or Site Search, distributed individually and as part of Portal Pack 6.0 and earlier, allows remote attackers to inject arbitrary web script or HTML via the q parameter.ADV-2006-1440196951762824763portalpack-multiple-xss(25940)Cross-site scripting (XSS) vulnerability in classifieds/viewcat.cgi in KCScripts Classifieds, distributed individually and as part of Portal Pack 6.0 and earlier, allows remote attackers to inject arbitrary web script or HTML via the cat_id parameter.ADV-2006-1440196951762824764portalpack-multiple-xss(25940)Cross-site scripting (XSS) vulnerability in login.php in KRANKIKOM ContentBoxX allows remote attackers to inject arbitrary web script or HTML via the action parameter.20060419 ContentBoxx Login.php Cross-Site Scripting17612ADV-2006-14381973324768 contentboxx-login-xss(25952)740779Cross-site scripting (XSS) vulnerability in EasyGallery.php in Wingnut EasyGallery allows remote attackers to inject arbitrary web script or HTML via the ordner parameter.20060419 EasyGallery Cross-Site Scripting17624ADV-2006-143719713 easygallery-script-xss(25943)746Multiple unspecified vulnerabilities in Linksys RT31P2 VoIP router allow remote attackers to cause a denial of service via malformed Session Initiation Protocol (SIP) messages.VU#621566ADV-2006-1443176312481019722 linksys-rt31p2-sip-dos(25915)SQL injection vulnerability in index.php in MyBB (MyBulletinBoard) before 1.04 allows remote attackers to execute arbitrary SQL commands via the referrer parameter.16443Cross-site scripting (XSS) vulnerability in guestbook_newentry.php in PHP-Gastebuch 1.61 allows remote attackers to inject arbitrary web script or HTML via the Kommentar field.2396219810Cross-site scripting (XSS) vulnerability in addRequest.php in Prayer Request Board (PRB) Beta 1 before 20060320 allows remote attackers to inject arbitrary web script or HTML via the Request field.23958Cross-site scripting (XSS) vulnerability in FlexBB 0.5.7 BETA and earlier allows remote attackers to inject arbitrary web script or HTML via the (1) name and (2) message parameters.20060415 FlexBB <= 0.5.7 BETA XSSADV-2006-13931015946 flexbb-newthread-xss(25868)777SQL injection vulnerability in inc/start.php in FlexBB 0.5.5 and earlier allows remote attackers to execute arbitrary SQL commands via the flexbb_username COOKIE parameter.20060417 FlexBB 0.5.5 Bypass Exploit101594917568 1686Cross-site scripting (XSS) vulnerability in mwguest.php in Manic Web MWGuest 2.1.0 allows remote attackers to inject arbitrary web script or HTML via the homepage parameter.20060420 [eVuln] MWGuest XSS Vulnerability17630 mwguest-mwguest-xss(25674)747Cross-site scripting (XSS) vulnerability in W2B Online Banking allows remote attackers to inject arbitrary web script or HTML via the (1) query string, (2) SID parameter, or (3) ilang parameter.1762619717ADV-2006-144524759w2bonlinebanking-sid-xss(25947)Unspecified vulnerability in Java InputMethods on Mac OS X 10.4.5 may cause InputMethods to send input events for secure fields to the wrong text field, which might reveal the password to others who can view the screen.ADV-2006-1398 macosx-java-inputmethods-info-disclosure(26167)Heap-based buffer overflow in the LZWDecodeVector function in Mac OS X before 10.4.6, as used in applications that use ImageIO or AppKit, allows remote attackers to execute arbitrary code via crafted TIFF images.1763419686ADV-2006-1452APPLE-SA-2006-05-11TA06-132A2007717951ADV-2006-1779 31837Multiple heap-based buffer overflows in Mac OS X 10.4.6 and earlier allow remote attackers to cause a denial of service and possibly execute arbitrary code via the (1) PredictorVSetField function for TIFF or (2) CFAllocatorAllocate function for GIF, as used in applications that use ImageIO or AppKit. NOTE: the BMP vector has been re-assigned to CVE-2006-2238 because it affects a separate product family.1763419686ADV-2006-1452248202482124822APPLE-SA-2006-05-11TA06-132A10160672007717951ADV-2006-1779 macosx-cfallocatorallocate-bo(25949) macosx-predictorvsetfield-bo(25951)Unspecified vulnerability in the _cg_TIFFSetField function in Mac OS X 10.4.6 and earlier, as used in applications that use ImageIO or AppKit, allows remote attackers to cause a denial of service (application crash) via a crafted TIFF image that triggers a null dereference.1763419686ADV-2006-1452APPLE-SA-2006-05-11TA06-132A2007717951ADV-2006-1779 macosx-tiffsetfield-bo(25950)Heap-based buffer overflow in BOM BOMArchiveHelper 10.4 (6.3) Build 312, as used in Mac OS X 10.4.6 and earlier, allows user-assisted attackers to execute arbitrary code via a crafted archive (such as ZIP) that contains long path names, which triggers an error in the BOMStackPop function.1763419686ADV-2006-1452APPLE-SA-2006-05-11TA06-132A20077179511016082ADV-2006-177924819macosx-archivehelper-bo(25945)Apple Safari 2.0.3 allows remote attackers to cause a denial of service and possibly execute code via a large CELLSPACING attribute in a TABLE tag, which triggers an error in KWQListIteratorImpl::KWQListIteratorImpl.1763419686ADV-2006-145224823 macosx-safari-dos(25946)Apple Safari 2.0.3 allows remote attackers to cause a denial of service and possibly execute code via an invalid FRAME tag, possibly due to (1) multiple SCROLLING attributes with no values, or (2) a SRC attribute with no value. NOTE: due to lack of diagnosis by the researcher, it is unclear which vector is responsible.1763419686ADV-2006-1452 macosx-safari-dos(25946)The WebTextRenderer(WebInternal) _CG_drawRun:style:geometry: function in Apple Safari 2.0.3 allows remote attackers to cause a denial of service (application crash) via an HTML LI tag with a large VALUE attribute (list item number), which triggers a null dereference in QPainter::drawText, probably due to a failed memory allocation that uses the VALUE.1763419686ADV-2006-145224823 macosx-safari-dos(25946)Buffer overflow in the get_database function in the HTTP client in Freshclam in ClamAV 0.80 to 0.88.1 might allow remote web servers to execute arbitrary code via long HTTP headers.This vulnerability is addressed in the following product release: Clam Anti-Virus, ClamAV, 0.88.2Security advisory: 0.88.217754ADV-2006-158619880DSA-1050GLSA-200605-03MDKSA-2006:0802512019912199632006-00241987419964SUSE-SR:2006:0102015920117SUSE-SA:2006:025APPLE-SA-2006-06-27ADV-2006-2566VU#599220101639220877 clamav-freshclam-http-bo(26182)MDKSA-2006:080Integer overflow in the wordwrap function in string.c in PHP 4.4.2 and 5.1.2 might allow context-dependent attackers to execute arbitrary code via certain long arguments that cause a small buffer to be allocated, which triggers a heap-based buffer overflow in a memcpy function call, a different vulnerability than CVE-2002-1396.101597919803ADV-2006-1500RHSA-2006:0501MDKSA-2006:0912022220269SUSE-SA:2006:031GLSA-200605-08MDKSA-2006:122RHSA-2006:0568USN-320-1210502103120060701-01-U211352125221564RHSA-2006:05492172322225APPLE-SA-2006-11-28TA06-333AADV-2006-475023155 20061005 rPSA-2006-0182-1 php php-mysql php-pgsql TLSA-2006-38 20052 20676 21125 php-wordwrap-string-bo(26001)MDKSA-2006:091MDKSA-2006:122The substr_compare function in string.c in PHP 5.1.2 allows context-dependent attackers to cause a denial of service (memory access violation) via an out-of-bounds offset argument.1015979ADV-2006-1500MDKSA-2006:09120269SUSE-SA:2006:031GLSA-200605-08USN-320-1 20052 20676 21125 php-substrcompare-length-dos(26003)MDKSA-2006:091mshtml.dll 6.00.2900.2873, as used in Microsoft Internet Explorer, allows remote attackers to cause a denial of service (crash) via nested OBJECT tags, which trigger invalid pointer dererences including NULL dereferences. NOTE: the possibility of code execution was originally theorized, but Microsoft has stated that this issue is non-exploitable.20060422 MSIE (mshtml.dll) OBJECT tag vulnerability20060422 Re: MSIE (mshtml.dll) OBJECT tag vulnerabilityADV-2006-150719762176581016001MS06-021101629127475 20060423 MSIE (mshtml.dll) OBJECT tag vulnerability ie-object-memory-corruption(25978)781Mozilla Firefox 1.5.0.2, when designMode is enabled, allows remote attackers to cause a denial of service and possibly execute arbitrary code via certain Javascript that is not properly handled by the contentWindow.focus method in an iframe, which causes a reference to a deleted controller context object. NOTE: this was originally claimed to be a buffer overflow in (1) js320.dll and (2) xpcom_core.dll, but the vendor disputes this claim.20060424 Firefox Remote Code Execution and DoS 1.5.0.217671101598119802VU#866300ADV-2006-1614DSA-1053GLSA-200605-06DSA-10552001920015HPSBTU0211820214ADV-2006-1922HPSBUX02153oval:org.mitre.oval:def:1790 20070 firefox-iframe-contentwindowfocus-bo(25994)ADV-2006-374822066780ADV-2008-0083PHP remote file inclusion vulnerability in dForum 1.5 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the DFORUM_PATH parameter to (1) about.php, (2) admin.php, (3) anmelden.php, (4) losethread.php, (5) config.php, (6) delpost.php, (7) delthread.php, (8) dfcode.php, (9) download.php, (10) editanoc.php, (11) forum.php, (12) login.php, (13) makethread.php, (14) menu.php, (15) newthread.php, (16) openthread.php, (17) overview.php, (18) post.php, (19) suchen.php, (20) user.php, (21) userconfig.php, (22) userinfo.php, and (23) verwalten.php.20060421 dForum <= 1.5 Multiple Remote File Inclusion Vulnerabilities.17650ADV-2006-148219788 20060421 dForum <= 1.5 Multiple Remote File Inclusion Vulnerabilities. dforum-dforumpath-parameter-file-include(26035)Directory traversal vulnerability in index.php in Scry Gallery 1.1 allows remote attackers to read arbitrary files via ".." sequences in the p parameter, which is not properly sanitized due to an rtrim function call with the arguments in the wrong order.20060421 Scry Gallery Directory Traversal & Full Path Disclosure Vulnerabilites17649[VIM] 20060425 Interesting Scry stuff17668ADV-2006-14902488919777 scry-gallery-index-directory-traversal(25991)784Scry Gallery 1.1 allows remote attackers to obtain sensitive information via an invalid p parameter, which reveals the path in an error message.20060421 Scry Gallery Directory Traversal & Full Path Disclosure Vulnerabilites[VIM] 20060425 Interesting Scry stuff17668ADV-2006-14902489019777 scry-gallery-index-path-disclosure(25990)784Unspecified vulnerability in Sybase Pylon Anywhere groupware synchronization server before 7.0 allows local users to obtain sensitive information such as email and PIM data of another user via unknown attack vectors.ADV-2006-14771978417677pylon-groupware-unauth-access(25989)OpenTTD 0.4.7 and earlier allows local users to cause a denial of service (application exit) via a large invalid error number, which triggers an error.ADV-2006-14801976820060423 Denial of service bugs in OpenTTD 0.4.717661GLSA-200609-0321799 openttd-command-packet-dos(26000)The multiplayer menu in OpenTTD 0.4.7 allows remote attackers to cause a denial of service via a UDP packet with an incorrect size, which causes the client to return to the main menu.ADV-2006-14801976820060423 Denial of service bugs in OpenTTD 0.4.717661GLSA-200609-0321799 openttd-udp-packet-dos(26004)Cross-site scripting (XSS) vulnerability in /lms/a2z.jsp in logMethods 0.9 allows remote attackers to inject arbitrary web script or HTML via the kwd parameter.1979317675ADV-2006-148424876logmethods-lmsa2z-xss(25968)Cross-site scripting (XSS) vulnerability in index.php in Scry Gallery 1.1 allows remote attackers to inject arbitrary web script or HTML via the p parameter. NOTE: this is a different vulnerability than the directory traversal vector.20060424 Scry Gallery XSS Vulnerability[VIM] 20060425 Interesting Scry stuff17668ADV-2006-14902489119777 scry-gallery-index-xss(26101)783PHP remote file inclusion vulnerability in stats.php in MyGamingLadder 7.0 allows remote attackers to execute arbitrary PHP code via a URL in the dir[base] parameter.20060422 Advisory: My Gaming Ladder Combo System <= 7.0 Remote File Inclusion Vulnerability.1765719773ADV-2006-148324892mygamingladder-stats-file-inclusion(25992)Cross-site scripting (XSS) vulnerability in cgi-bin/guest in Community Architect Guestbook allows remote attackers to inject arbitrary web script or HTML by signing the guestbook, which is displayed by fsguestbook.html. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.ADV-2006-14461974224784Multiple SQL injection vulnerabilities in RI Blog 1.1 allow remote attackers to execute arbitrary SQL command via the (1) username or (2) password fields.176541978320060423 RIblog Remote SQL Injection ExploitADV-2006-1489 riblog-login-sql-injection(26132)Eval injection vulnerability in index.php in ClanSys 1.1 allows remote attackers to execute arbitrary PHP code via PHP code in the page parameter, as demonstrated by using an "include" statement that is injected into the eval statement. NOTE: this issue has been described as file inclusion by some sources, but that is just one attack; the primary vulnerability is eval injection.20060423 Advisory: Clansys <= 1.1 PHP Code Insertion Vulnerability.17660101598825083clansys-index-file-include(25976)782Multiple directory traversal vulnerabilities in IZArc Archiver 3.5 beta 3 allow remote attackers to write arbitrary files via a ..\ (dot dot backslash) in a (1) .rar, (2) .tar, (3) .zip, (4) .jar, or (5) .gz archive. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.17664ADV-2006-14881979124895 izarc-extract-directory-traversal(26039)Heap-based buffer overflow in Winny 2.0 b7.1 and earlier allows remote attackers to execute arbitrary code via long strings to certain commands sent to the file transfer port.1766619795ADV-2006-148624883VU#167033 winny-file-transfer-bo(25986)PHP remote file inclusion vulnerability in movie_cls.php in Built2Go PHP Movie Review 2B and earlier allows remote attackers to execute arbitrary PHP code via a URL in the full_path parameter.ADV-2006-1481197491767924887 moviereview-moviecls-file-include(26063)PHP remote file inclusion vulnerability in agenda.php3 in phpMyAgenda 3.0 Final and earlier allows remote attackers to execute arbitrary PHP code via a URL in the rootagenda parameter.20060424 [MajorSecurity] phpMyAgenda 3.0 Final - Remote File Include Vulnerability17670ADV-2006-15092494310159841974820060515 tyree[at]users.sourceforge.net phpmyagenda-rootagenda-file-include(26062)787Multiple SQL injection vulnerabilities in check_login.asp in Bloggage allow remote attackers to execute arbitrary SQL commands via the (1) acc_name and (2) password parameter.ADV-2006-14481975120060421 bloggage Remote SQL Injection1763924797 bloggage-checklogin-sql-injection(25955)751Cross-site scripting (XSS) vulnerability in member.php in 4images 1.7 and earlier allows remote attackers to inject arbitrary web script or HTML via the nickname, probably involving the user_name parameter in register.php.20060420 4images <= 1.7 XSS17625ADV-2006-14491974524796 4images-member-xss(25987)Format string vulnerability in Skulltag 0.96f and earlier allows remote attackers to cause a denial of service via the version string.ADV-2006-14791976720060423 Format string bug in Skulltag 0.96f17659 skulltag-version-format-string(25988)SQL injection vulnerability in page.php in SL_site 1.0 allows remote attackers to execute arbitrary SQL commands via the id_page parameter. NOTE: this issue could be used to produce resultant XSS from an error message.10159721979217667ADV-2006-148724896 slsite-page-sql-injection(26036)Directory traversal vulnerability in gallerie.php in SL_site 1.0 allows remote attackers to list images in arbitrary directories via ".." sequences in the rep parameter, which is used to construct a directory name in admin/config.inc.php. NOTE: this issue could be used to produce resultant XSS from an error message.1015972197921766717672ADV-2006-148724897 slsite-gallerie-directory-traversal(26037)Cross-site scripting (XSS) vulnerability in SL_site 1.0 allows remote attackers to inject arbitrary web script or HTML via the recherche parameter in recherche.php. NOTE: other XSS vectors, as reported in the original disclosure, are resultant from other primary vulnerabilities that have separate CVE names.10159721979217667ADV-2006-148724898 slsite-recherche-xss(26038)Multiple cross-site scripting (XSS) vulnerabilities in phpLDAPadmin 0.9.8 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) dn parameter in (a) compare_form.php, (b) copy_form.php, (c) rename_form.php, (d) template_engine.php, and (e) delete_form.php; (2) scope parameter in (f) search.php; and (3) Container DN, (4) Machine Name, and (5) UID Number fields in (g) template_engine.php.17643ADV-2006-145024788247892479024792247932479419747DSA-105720124 phpldapadmin-templateengine-xss(25959) phpldapadmin-scope-dn-xss(25958)Dnsmasq 2.29 allows remote attackers to cause a denial of service (application crash) via a DHCP client broadcast reply request.This vulnerability is addressed in the following product release: version 2.301766219760ADV-2006-149424884dnsmasq-dhcp-dos(26005)SQL injection vulnerability in calendar.php in vBulletin 3.0.x allows remote attackers to execute arbitrary SQL commands via the eventid parameter. NOTE: the affected version has been disputed by the vendor. It appears that this is the same issue as CVE-2004-0036, which was fixed in 2.3.4.This vulnerability has been disputed by the vendor. The affected version has been disputed by the vendor via e-mail to CVE. It appears that this is the same issue as CVE-2004-0036, which was fixed in 2.3.4.20060423 vbulletin<--3.0.x SQL Injection20060424 Re: vbulletin<--3.0.x SQL InjectionApple Mac OS X Safari 2.0.3, 1.3.1, and possibly other versions allows remote attackers to cause a denial of service (CPU consumption and crash) via a TD element with a large number in the rowspan attribute.20060424 Apple Mac OS X Safari 2.0.3 Vulnerability20060424 Re: Apple Mac OS X Safari 2.0.3 Vulnerability20060424 Apple Mac OS X Safari 2.0.3 Vulnerability17674ADV-2006-1508101598219763 1715 macosx-safari-table-dos(25998)Asterisk Recording Interface (ARI) in Asterisk@Home before 2.8 stores recordings/includes/main.conf under the web document root with insufficient access control, which allows remote attackers to obtain password information.This vulnerability is addressed in the following product releases: Littlejohn Consulting, Asterisk Recording Interface, 0.10.00 and higher20060421 [SecuriWeb 2006.1] directory traversal in Asterisk@Home and ARI2006.1 - directory traversal in Asterisk@HomeADV-2006-14572480519744 asterisk-mail-disclose-information(25993)Absolute path traversal vulnerability in recordings/misc/audio.php in the Asterisk Recording Interface (ARI) web interface in Asterisk@Home before 2.8 allows remote attackers to read arbitrary MP3, WAV, and GSM files via a full pathname in the recording parameter. NOTE: this issue can also be used to determine existence of files.This vulnerability is addressed in the following product release: Asterisk@Home, Asterisk@Home, 2.8 20060421 [SecuriWeb 2006.1] directory traversal in Asterisk@Home and ARI2006.1 - directory traversal in Asterisk@Home17641ADV-2006-1457248051974424806 asterisk-audio-directory-traversal(25996)750Buffer overflow in the parse_url function in the RTSP module (rtsp/parse_url.c) in Fenice 1.10 and earlier allows remote attackers to execute arbitrary code via a long URL.20060423 Buffer-overflow and crash in Fenice OMS 1.10176781977020060425 Fenice - Open Media Streaming Server remote BOF exploitADV-2006-149120060607 Re: Buffer-overflow and crash in Fenice OMS 1.10 fenice-parseurl-bo(26078)794Integer overflow in the RTSP_msg_len function in rtsp/RTSP_msg_len.c in Fenice 1.10 and earlier allows remote attackers to cause a denial of service (application crash) via a large HTTP Content-Length value, which leads to an invalid memory access.20060423 Buffer-overflow and crash in Fenice OMS 1.101767819770ADV-2006-14912488220060607 Re: Buffer-overflow and crash in Fenice OMS 1.10 fenice-contentlength-dos(26080)794Multiple vulnerabilities in libtiff before 3.8.1 allow context-dependent attackers to cause a denial of service via a TIFF image that triggers errors in (1) the TIFFFetchAnyArray function in (a) tif_dirread.c; (2) certain "codec cleanup methods" in (b) tif_lzw.c, (c) tif_pixarlog.c, and (d) tif_zip.c; (3) and improper restoration of setfield and getfield methods in cleanup functions within (e) tif_jpeg.c, tif_pixarlog.c, (f) tif_fax3.c, and tif_zip.c.This vulnerability is addressed in the following product release: libTIFF, libTIFF, 3.8.1Bugzilla Bug 1102 Bugzilla Bug 189933ADV-2006-156319838SUSE-SR:2006:009177301985119897MDKSA-2006:082USN-277-119936199492006-0024DSA-105419964RHSA-2006:04252002120023GLSA-200605-1720345 20060501-01-U 20210 20667 libtiff-tifffetchanyarray-dos(26133)MDKSA-2006:082103099201332Integer overflow in the TIFFFetchData function in tif_dirread.c for libtiff before 3.8.1 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via a crafted TIFF image.This vulnerability is addressed in the following product release: libTIFF, libTIFF, 3.8.1Bugzilla Bug 1102 17732ADV-2006-156319838SUSE-SR:2006:00919897MDKSA-2006:082USN-277-119936199492006-0024DSA-105419964RHSA-2006:04252002120023GLSA-200605-1720345 20060501-01-U 20210 20667 libtiff-tifffetchdata-overflow(26134)MDKSA-2006:082103099201332Double free vulnerability in tif_jpeg.c in libtiff before 3.8.1 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted TIFF image that triggers errors related to "setfield/getfield methods in cleanup functions."This vulnerability is addressed in the following product release: libTIFF, libTIFF, 3.8.1Bugzilla Bug 1102Bugzilla Bug 18993317733ADV-2006-156319838SUSE-SR:2006:00919897MDKSA-2006:082USN-277-119936199492006-0024DSA-105419964RHSA-2006:04252002120023GLSA-200605-172034520060501-01-U2021020667libtiff-tifjpeg-doublefree-memory-corruption(26135)MDKSA-2006:082103099201332Buffer overflow in Unicode processing in the logging functionality in Pablo Software Solutions Quick 'n Easy FTP Server Professional and Lite, probably 3.0, allows remote authenticated users to execute arbitrary code by sending a command with a long argument, which triggers a buffer overflow when an admin selects the Logging section in the FTP server main window. NOTE: the original researcher claims that the vendor disputes this issue.20060424 Quick 'n Easy FTP Server pro/lite Logging unicode stack overflow1768125235788Cross-site scripting (XSS) vulnerability in imagelist.php in Jeremy Ashcraft Simplog 0.9.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the imagedir parameter. NOTE: this issue might be resultant from directory traversal.20060421 Advisory: Simplog <= 0.93 Multiple Remote Vulnerabilities.20060423 RE: Advisory: Simplog <= 0.93 Multiple Remote Vulnerabilities.ADV-2006-1493248801976417653 simplog-imagelist-xss(25984)799Multiple SQL injection vulnerabilities in Jeremy Ashcraft Simplog 0.9.3 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) tid parameter in (a) preview.php; the (2) cid, (3) pid, and (4) eid parameters in (b) archive.php; and the (5) pid parameter in (c) comments.php.20060421 Advisory: Simplog <= 0.93 Multiple Remote Vulnerabilities.20060423 RE: Advisory: Simplog <= 0.93 Multiple Remote Vulnerabilities.ADV-2006-1493248772487824879101597619764 simplog-multiple-sql-injection(25982)799The Allied Telesyn AT-9724TS switch allows remote attackers to cause a denial of service via a large amount of UDP data to the switch, which leads to unstable operation and possibly failure of the management interface or routing.20060419 Allied Telesyn Switch UDP Data Flood Management Denial Of Service Vulnerability telesyn-udp-dos(25938)Cross-site scripting (XSS) vulnerability in index.php in phpMyAdmin 2.8.0.3, 2.8.0.2, 2.8.1-dev, and 2.9.0-dev allows remote attackers to inject arbitrary web script or HTML via the lang parameter.19659 phpmyadmin-index-xss(25954)Multiple SQL injection vulnerabilities in Core CoreNews 2.0.1 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) icon_id and (2) userid parameters in preview.php.20060421 Advisory: CoreNews <= 2.0.1 Multiple Remote Vulnerabilities.17655 20060421 Advisory: CoreNews <= 2.0.1 Multiple Remote Vulnerabilities. corenews-preview-sql-injection(25977)797PHP remote file inclusion vulnerability in Core CoreNews 2.0.1 and earlier allows remote authenticated users to execute arbitrary commands via the show parameter. NOTE: this is a different vector than CVE-2006-1212, although it might be the same primary issue.20060421 Advisory: CoreNews <= 2.0.1 Multiple Remote Vulnerabilities.17655 20060421 Advisory: CoreNews <= 2.0.1 Multiple Remote Vulnerabilities. corenews-index-file-include(25979)797SQL injection vulnerability in function/showprofile.php in FlexBB 0.5.5 allows remote attackers to execute arbitrary SQL commands, and view all usernames and passwords, via the id parameter to the showprofile page in index.php.20060421 FlexBB 0.5.5 Exploit [ function/showprofile.php ] Remote SQL Injection1757424867Websense, when configured to permit access to the dynamic content category, allows local users to bypass intended blocking of the Uncategorized category by appending a "/?" sequence to a URL.20060420 Websense Filter Bypass20060421 RE: [BULK] - Websense Filter Bypass 25211 websense-uncategorized-filter-bypass(25980)iOpus Secure Email Attachments (SEA), probably 1.0, does not properly handle passwords that consist of repetitions of a substring, which allows attackers to decrypt files by entering only the substring.20060422 ADVISORY FOR IOPUS SECURE EMAIL ATTACHMENTS1765620060425 Re: ADVISORY FOR IOPUS SECURE EMAIL ATTACHMENTS101598019771 iopus-insecure-passwords(26266)Cross-site scripting (XSS) vulnerability in index.php in Thwboard 3.0 Beta 2.84 allows remote attackers to inject arbitrary web script or HTML via the navpath parameter.20060420 ThWboard 3 Beta 2.84 Cross Site Scripting17627 thwboard-index-xss(25953)Multiple SQL injection vulnerabilities in ampleShop 2.1 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) RecordID parameter in (a) Customeraddresses_RecordAction.cfm and (b) youraccount.cfm; (2) solus parameter in (c) detail.cfm; and (3) cat parameter in (d) category.cfm.19806ADV-2006-151224934249352493624937 ampleshop-multiple-sql-injection(26064)Multiple SQL injection vulnerabilities in the osTicket module in Help Center Live before 2.1.0 allow remote attackers to execute arbitrary SQL commands via unknown vectors.17676ADV-2006-149219776 helpcenterlive-osticket-sql-injection(26040)Multiple SQL injection vulnerabilities in photokorn 1.53 and 1.542 allow remote attackers to execute arbitrary SQL commands via the (1) cat, (2) pic and (3) page parameter in index.php; (4) id parameter in postcard.php; and (5) cat parameter in print.php.20060425 photokorn 1.53 , 1.542 << Sql17683ADV-2006-152519836249812498224983photokorn-multiple-sql-injection(26066)789PhpWebGallery before 1.6.0RC1 allows remote attackers to obtain arbitrary pictures via a request to picture.php without specifying the cat parameter. NOTE: the provenance of this information is unknown; the details are obtained from third party information.ADV-2006-151519801 phpwebgallery-picture-bypass-security(26079)Adobe Dreamweaver 8 before 8.0.2 and MX 2004 can generate code that allows SQL injection attacks in the (1) ColdFusion, (2) PHP mySQL, (3) ASP, (4) ASP.NET, and (5) JSP server models.This vulnerability affects all versions of Adobe, Dreamweaver, 8.0 before 8.0.2 This vulnerability is addressed in the following product releases: Adobe, Dreamweaver, 8.0.2 Code update for Macromedia, Dreamweaver MX, 2004APSB06-0720060509 Multiple SQL Injection Vulnerabilities in Dreamweaver Generated Code17928ADV-2006-175325361101605020054dreamweaver-server-sql-injection(26339)na-img-4.0.34.bin for the IP3 Networks NetAccess NA75 allows local users to gain Unix shell access via "`" (backtick) characters in the appliance's command line interface (CLI).20060424 Multiple vulnerabilities in IP3 Networks 'NetAccess' NA75 appliance17698ADV-2006-154019818 ip3-na75-backtick-command-injection(26108)793na-img-4.0.34.bin for the IP3 Networks NetAccess NA75 has a default username of admin and a default password of admin.20060424 Multiple vulnerabilities in IP3 Networks 'NetAccess' NA75 appliance17698ADV-2006-154019818 ip3-na75-default-account(26112)793The (1) shadow password file in na-img-4.0.34.bin for the IP3 Networks NetAccess NA75 has world readable permissions, which allows local users to view encrypted passwords; and the (2) NetAccess database file has world readable and writable permissions, which allows local users to view sensitive information and modify data.20060424 Multiple vulnerabilities in IP3 Networks 'NetAccess' NA75 appliance17698ADV-2006-154019818 ip3-na75-database-file-permission(26110) ip3-na75-shadow-file-permission(26109)Multiple SQL injection vulnerabilities in Application Dynamics Cartweaver ColdFusion 2.16.11 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) category and (2) keywords parameters in (a) Results.cfm, and the (3) ProdID parameter in (b) Details.cfm.ADV-2006-1513198122496124962cartweaver-multiple-sql-injection(26060) 17941426425210Application Dynamics Cartweaver ColdFusion 2.16.11 and earlier allows remote attackers to obtain sensitive information via an invalid (1) secondary, (2) PageNum_Results, (3) category, or (4) keywords parameter in (a) Results.cfm; or an invalid (5) ProdID parameter in (b) Details.cfm; which reveal the path in various error messages. NOTE: the behavior for the category, keywords, and ProdID parameters might be resultant from SQL injection.19812ADV-2006-15132496324964cartweaver-multiple-path-disclosure(26061)Multiple cross-site scripting (XSS) vulnerabilities in index.php in Edwin van Wijk phpWebFTP 2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) port, (2) server, and (3) user parameters. NOTE: it is possible that the affected version is actually 3.2.20060425 PhpWebFtp Cross Site Scripting Vulnerability17688ADV-2006-15302497519827 phpwebftp-index-xss(26067)786Cross-site scripting (XSS) vulnerability in dcboard.cgi in DCScripts DCForumLite 3.0 allows remote attackers to inject arbitrary web script or HTML via the az parameter.20060425 DCForumLite V 3.0<--XSS/SQL Injection17697ADV-2006-15322498819815 dcforumlite-dcboard-xss(26083)792SQL injection vulnerability in dcboard.cgi in DCScripts DCForumLite 3.0 allows remote attackers to execute arbitrary SQL commands via the az parameter.20060425 DCForumLite V 3.0<--XSS/SQL Injection1769724989 deforumlite-dcboard-sql-injection(26084)792Multiple cross-site scripting (XSS) vulnerabilities in myadmin/index.php in NextAge Shopping Cart allow remote attackers to inject arbitrary web script or HTML via the (1) username and (2) password parameters.20060425 NextAge Shopping Cart Software17685 nextageshoppingcart-index-xss(26065)791Cross-site scripting (XSS) vulnerability in Verosky Media Instant Photo Gallery allows remote attackers to inject arbitrary web script or HTML via the member parameter in a viewpro action in member.php. NOTE: the original report may be inaccurate, since the "viewpro" string does not appear in the source code for version 1.0.2 of the product.20060425 Instant Photo Gallery <= Multiple XSS20060427 Re: Instant Photo Gallery <= Multiple XSS1769624984790Multiple SQL injection vulnerabilities in QuickEStore 7.9 and earlier allow remote attackers to execute arbitrary SQL commands via (1) the OrderID parameter in (a) shipping.cfm and (b) checkout.cfm, (2) ItemID parameter in (c) proddetail.cfm, (3) SubCatID parameter in (d) index.cfm, the (4) CategoryID parameter in (e) prodpage.cfm, and (5) ProdID parameter in (f) Details.cfm. NOTE: these issues can also be exploited for path disclosure.ADV-2006-1514198172497624977249782497924980 quickestore-multiple-sql-injection(26045)3Com Baseline Switch 2848-SFP Plus Model #3C16486 with firmware before 1.0.2.0 allows remote attackers to cause a denial of service (unstable operation) via long DHCP packets.Update to firmware version 1.0.2.0. http://www.3com.com/products/en_...e&order=desc&prodcat=all17686ADV-2006-1510197562494210159973com-baseline-dhcp-dos(26076)Argument injection vulnerability in Microsoft Outlook 2003 SP1 allows user-assisted remote attackers to modify command line arguments to an invoked mail client via " (double quote) characters in a mailto: scheme handler, as demonstrated by launching Microsoft Outlook with an arbitrary filename as an attachment. NOTE: it is not clear whether this issue is implementation-specific or a problem in the Microsoft API.19819ADV-2006-153825003office-mailto-obtain-information(26118)Argument injection vulnerability in Internet Explorer 6 for Windows XP SP2 allows user-assisted remote attackers to modify command line arguments to an invoked mail client via " (double quote) characters in a mailto: scheme handler, as demonstrated by launching Microsoft Outlook with an arbitrary filename as an attachment. NOTE: it is not clear whether this issue is implementation-specific or a problem in the Microsoft API. ADV-2006-1538 office-mailto-obtain-information(26118)Argument injection vulnerability in Mozilla Firefox 1.0.6 allows user-assisted remote attackers to modify command line arguments to an invoked mail client via " (double quote) characters in a mailto: scheme handler, as demonstrated by launching Microsoft Outlook with an arbitrary filename as an attachment. NOTE: it is not clear whether this issue is implementation-specific or a problem in the Microsoft API.20060424 Multiple browsers Windows mailto protocol Office 2003 file attachment exploit ADV-2006-1538 office-mailto-obtain-information(26118)Argument injection vulnerability in Avant Browser 10.1 Build 17 allows user-assisted remote attackers to modify command line arguments to an invoked mail client via " (double quote) characters in a mailto: scheme handler, as demonstrated by launching Microsoft Outlook with an arbitrary filename as an attachment. NOTE: it is not clear whether this issue is implementation-specific or a problem in the Microsoft API.20060424 Multiple browsers Windows mailto protocol Office 2003 file attachment exploit ADV-2006-1538 office-mailto-obtain-information(26118)785action_public/search.php in Invision Power Board (IPB) 2.1.x and 2.0.x before 20060425 allows remote attackers to execute arbitrary PHP code via a search with a crafted value of the lastdate parameter, which alters the behavior of a regular expression to add a "#e" (execute) modifier.20060425 Invision Vulnerabilities, including remote code execution1769520060427 Re: Invision Vulnerabilities, including remote code executionADV-2006-1534250051983020060427 Invision Power Board 2.1.5 POC20060710 Re: RE: Invision Vulnerabilities, including remote code execution invision-search-file-include(26070)796Directory traversal vulnerability in action_admin/paysubscriptions.php in Invision Power Board (IPB) 2.1.x and 2.0.x before 20060425 allows remote authenticated administrators to include and execute arbitrary local PHP files via a .. (dot dot) in the name parameter, preceded by enough backspace (%08) characters to erase the initial static portion of a filename.If you've downloaded IPB 2.1.5 since the time of this post, there is no need to update your installation as the main download has been updated.20060425 Invision Vulnerabilities, including remote code execution20060427 Re: Invision Vulnerabilities, including remote code executionADV-2006-1534250081983020060710 Re: RE: Invision Vulnerabilities, including remote code execution invision-admin-file-include(26072)796SQL injection vulnerability in lib/func_taskmanager.php in Invision Power Board (IPB) 2.1.x and 2.0.x before 20060425 allows remote attackers to execute arbitrary SQL commands via the ck parameter, which can inject at most 32 characters.The vendor has released an update to address this and other versions.20060425 Invision Vulnerabilities, including remote code execution1769020060427 Re: Invision Vulnerabilities, including remote code executionADV-2006-153419830 invision-index-ck-sql-injection(26071)796Multiple SQL injection vulnerabilities in Leadhound Full and LITE 2.1, and probably the Network Version "Full Version", allow remote attackers to execute arbitrary SQL commands via the (1) banner parameter in agent_links.pl; the offset parameter in (2) agent_links.pl, (3) agent_transactions.pl, (4) agent_subaffiliates.pl, and (5) agent_summary.pl; the camp_id parameter in (6) agent_transactions_csv.pl, (7) agent_subaffiliates.pl, and (8) agent_camp_det.pl; the (9) login parameter in agent_commission_statement.pl; the logged parameter in (10) agent_commission_statement.pl and (11) agent_camp_det.pl; the (12) agent_id parameter in agent_commission_statement.pl; and the (13) sub parameter in unspecified files.Leadhound multiple vuln2502325024250252502625027250282502919867Multiple cross-site scripting (XSS) vulnerabilities in Leadhound Full and LITE 2.1, and probably the Network Version "Full Version", allow remote attackers to inject arbitrary web script or HTML via the login parameter in (1) agent_affil.pl, (2) agent_help.pl, (3) agent_faq.pl, (4) agent_help_insert.pl, (5) sign_out.pl, (6) members.pl, (7) modify_agent_1.pl, (8) modify_agent_2.pl, (9) modify_agent.pl, (10) agent_links.pl, (11) agent_stats_pending_leads.pl, (12) agent_logoff.pl, (13) agent_rev_det.pl, (14) agent_subaffiliates.pl, (15) agent_stats_pending_leads.pl, (16) agent_transactions.pl, (17) agent_payment_history.pl, (18) agent_summary.pl, (19) agent_camp_all.pl, (20) agent_camp_new.pl, (21) agent_camp_notsub.pl, (22) agent_campaign.pl, (23) agent_camp_expired.pl, (24) agent_stats_det.pl, (25) agent_stats.pl, (26) agent_camp_det.pl, (27) agent_camp_sub.pl, (28) agent_affil_list.pl, and (29) agent_affil_code.pl; the logged parameter in (30) agent_faq.pl, (31) agent_help_insert.pl, (32) members.pl, (33) modify_agent_1.pl, (34) modify_agent_2.pl, (35) modify_agent.pl, (36) agent_links.pl, (37) agent_subaffiliates.pl, (38) agent_stats_pending_leads.pl, (39) agent_transactions.pl, (40) agent_summary.pl, (41) agent_camp_all.pl, (42) agent_camp_new.pl, (43) agent_camp_notsub.pl, (44) agent_campaign.pl, (45) agent_camp_expired.pl, (46) agent_stats.pl, (47) agent_camp_det.pl, (48) agent_camp_sub.pl, (49) agent_affil_list.pl, and (50) agent_affil_code.pl; the camp_id parameter in (51) agent_links.pl, (52) agent_subaffiliates.pl, and (53) agent_camp_det.pl; the (54) banner parameter in agent_links.pl; the offset parameter in (55) agent_links.pl, (56) agent_subaffiliates.pl, (57) agent_transactions.pl, and (58) agent_summary.pl; the date parameter in (59) agent_subaffiliates.pl, (60) agent_transactions.pl, and (61) agent_summary.pl; the dates parameter in (62) agent_rev_det.pl and (63) agent_stats_det.pl; the (64) page parameter in agent_camp_det.pl; the (65) agent_id parameter in agent_commission_statement.pl; and the (66) lost password field in lost_pwd.pl.Leadhound multiple vuln.25030250322503325034250352503625038250392504125042250432504425045250462504725048250492505025051250522505325054250552505625057250582505925060198672503125037Unspecified vulnerability in the libpkcs11 library in Sun Solaris 10 might allow local users to gain privileges or cause a denial of service (application failure) via unknown attack vectors that involve the getpwnam family of non-reentrant functions.10231617687ADV-2006-1504101598719789 solaris-libpkcs11-privilege-escalation(26075)SQL injection vulnerability in save.php in PHPSurveyor 0.995 and earlier allows remote attackers to execute arbitrary SQL commands via the surveyid cookie. NOTE: this issue could be leveraged to execute arbitrary PHP code, as demonstrated by inserting directory traversal sequences into the database, which are then processed by the thissurvey['language'] variable.10159701976120060420 PHPSurveyor <= 0.995 %27save.php/surveyid%27 remote cmmnds xctn1763324787 phpsurveyor-surveyid-shell-execution(25970)Multiple cross-site scripting (XSS) vulnerabilities pm_popup.php in MKPortal 1.1 Rc1 and earlier, as used with vBulletin 3.5.4 and earlier, allow remote attackers to inject arbitary web script or HTML via the (1) u1, (2) m1, (3) m2, (4) m3, (5) m4 parameters.20060421 vBulletin <= 3.5.4 with MKPortal 1.1 Remote SQL Injection Vulnerability.ADV-2006-1485101597719786176512490120060927 MkPortal Cross Site Scripting (All versions) xSS20060928 Re: xxs in MKPortal M1.120232801SQL injection vulnerability in vb_board_functions.php in MKPortal 1.1, as used with vBulletin 3.5.4 and earlier, allows remote attackers to execute arbitrary SQL commands via the userid parameter.20060421 vBulletin <= 3.5.4 with MKPortal 1.1 Remote SQL Injection Vulnerability.101597717651801Unspecified vulnerability in Hitachi JP1 products allow remote attackers to cause a denial of service (application stop or fail) via unexpected requests or data.ADV-2006-15241984117706 hitachi-jp1-request-dos(26087)The recursor in PowerDNS before 3.0.1 allows remote attackers to cause a denial of service (application crash) via malformed EDNS0 packets.ADV-2006-15271983117711SUSE-SR:2006:01020117powerdns-recursor-ednso-dos(26100)Cross-site scripting (XSS) vulnerability in member.php in DevBB 1.0.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the member parameter in a viewpro action.20060426 DevBB <= 1.0.0 XSS17703ADV-2006-15441985524994 devbb-member-xss(26091)800Linux kernel 2.4.x and 2.6.x up to 2.6.16 allows local users to bypass IPC permissions and modify a readonly attachment of shared memory by using mprotect to give write permission to the attachment. NOTE: some original raw sources combined this issue with CVE-2006-1524, but they are different bugs.24714MDKSA-2006:08620157USN-302-12071625139RHSA-2006:0579RHSA-2006:058021035RHSA-2006:068922292RHSA-2006:07102249720061113 VMSA-2006-0006 - VMware ESX Server 2.5.3 Upgrade Patch 42294520061113 VMSA-2006-0005 - VMware ESX Server 2.5.4 Upgrade Patch 120061113 VMSA-2006-0007 - VMware ESX Server 2.1.3 Upgrade Patch 220061113 VMSA-2006-0008 - VMware ESX Server 2.0.2 Upgrade Patch 2ADV-2006-45022287523064 ADV-2006-1391 linux-mprotect-security-bypass(26169)MDKSA-2006:086Multiple unspecified vulnerabilities in DeleGate 9.x before 9.0.6 and 8.x before 8.11.6 allow remote attackers to cause a denial of service via crafted DNS responses messages that cause (1) a buffer over-read or (2) infinite recursion, which can trigger a segmentation fault or invalid memory access, as demonstrated by the OUSPG PROTOS DNS test suite.17691ADV-2006-1505ADV-2006-1506101599119750VU#955777 dns-improper-request-handling(26081)Unspecified vulnerability in ISC BIND allows remote attackers to cause a denial of service via a crafted DNS message with a "broken" TSIG, as demonstrated by the OUSPG PROTOS DNS test suite.17692ADV-2006-1505ADV-2006-1537198081015993VU#955777 dns-improper-request-handling(26081)Unspecified vulnerability in Juniper Networks JUNOSe E-series routers before 7-1-1 has unknown impact and remote attack vectors related to the DNS "client code," as demonstrated by the OUSPG PROTOS DNS test suite.17693ADV-2006-1505ADV-2006-1526101599219822VU#955777 dns-improper-request-handling(26081)Unspecified vulnerability in MyDNS 1.1.0 allows remote attackers to cause a denial of service via a crafted DNS message, aka "Query-of-death," as demonstrated by the OUSPG PROTOS DNS test suite.ADV-2006-15051015990VU#955777 dns-improper-request-handling(26081)Memory leak in Paul Rombouts pdnsd before 1.2.4 allows remote attackers to cause a denial of service (memory consumption) via a DNS query with an unsupported (1) QTYPE or (2) QCLASS, as demonstrated by the OUSPG PROTOS DNS test suite.17694ADV-2006-1505ADV-2006-1528101598919835GLSA-200605-1020055VU#955777 dns-improper-request-handling(26081)Buffer overflow in Paul Rombouts pdnsd before 1.2.4 has unknown impact and attack vectors. NOTE: this issue might be related to the OUSPG PROTOS DNS test suite.17720GLSA-200605-1020055VU#955777 dns-improper-request-handling(26081)Multiple unspecified vulnerabilities in multiple FITELnet products, including FITELnet-F40, F80, F100, F120, F1000, and E20/E30, allow remote attackers to cause a denial of service via crafted DNS messages that trigger errors in (1) ProxyDNS or (2) PKI-Resolver, as demonstrated by the OUSPG PROTOS DNS test suite.NISCC Vulnerability Advisory 144154Id: 20060425-0031117710ADV-2006-1505ADV-2006-153619820VU#955777 dns-improper-request-handling(26081)Cross-site scripting (XSS) vulnerability in portfolio.php in Verosky Media Instant Photo Gallery, possibly before 1.0.2, allows remote attackers to inject arbitrary web script or HTML via the cat_id parameter.20060425 Instant Photo Gallery <= Multiple XSS20060427 Re: Instant Photo Gallery <= Multiple XSS17696[VIM] 20060427 Instant Photo Gallery <= Multiple XSS (fwd)24985803SQL injection vulnerability in portfolio_photo_popup.php in Verosky Media Instant Photo Gallery 1.0.2 allows remote attackers to execute arbitrary SQL commands via the id parameter, which is not cleansed before calling the count_click function in includes/functions/fns_std.php. NOTE: this issue could produce resultant XSS.20060425 Instant Photo Gallery <= Multiple XSS20060427 Re: Instant Photo Gallery <= Multiple XSS17696ADV-2006-1533[VIM] 20060427 Instant Photo Gallery <= Multiple XSS (fwd)249862498719813803Oracle Database Server 10g Release 2 allows local users to execute arbitrary SQL queries via the GET_DOMAIN_INDEX_METADATA function in the DBMS_EXPORT_EXTENSION package. NOTE: this issue was originally linked to DB05 (CVE-2006-1870), but a reliable third party has claimed that it is not the same issue. Based on details of the problem, the primary issue appears to be insecure privileges that facilitate the introduction of SQL in a way that is not releated to special characters, so this is not "SQL injection" per se.20060419 Oracle 10g 10.2.0.2.0 DBA exploit20060426 Recent Oracle exploit is _actually_ an 0day with no patch20060427 Re: Recent Oracle exploit is _actually_ an 0day with no patch20060427 Re: Recent Oracle exploit is _actually_ an 0day with no patchVU#93212417699101599919860oracle-dbmsexportextension-sql-injection(26048) 20060501 RE: Oracle 10g 10.2.0.2.0 DBA exploit802Directory traversal vulnerability in Quake 3 engine, as used in products including Quake3 Arena, Return to Castle Wolfenstein, Wolfenstein: Enemy Territory, and Star Trek Voyager: Elite Force, when the sv_allowdownload cvar is enabled, allows remote attackers to read arbitrary files from the server via ".." sequences in a .pk3 file request.id Software has released patches to address this and other issues.20060508 Two independent vulnerabilities (client and server side) in Quake3 engine and many derived games17924 20060508 Two independent vulnerabilities (client and server side) in Quake3 engine and many derived games quake3-sv-allowdownload-directory-traversal(26347)880Integer overflow in the receive_xattr function in the extended attributes patch (xattr.c) for rsync before 2.6.8 might allow attackers to execute arbitrary code via crafted extended attributes that trigger a buffer overflow.ADV-2006-1606199202006-0024GLSA-200605-05177881996420011 rsync-xattr-overflow(26208)Multiple cross-site scripting (XSS) vulnerabilities in FarsiNews 2.5.3 Pro and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) month and (2) year parameters in (a) index.php, and the (3) mod parameter in (b) admin.php.20060426 XXS Attack On FarsiNews17701 farsinews-index-admin-xss(26097)812Multiple buffer overflows in (1) CxAce60.dll and (2) CxAce60u.dll in SpeedProject Squeez 5.10 Build 4460, and SpeedCommander 10.52 Build 4450 and 11.01 Build 4450, allow user-assisted remote attackers to execute arbitrary code via an ACE archive that contains a file with a long filename.20060426 Secunia Research: SpeedProject Products ACE Archive HandlingBuffer Overflow1770919473ADV-2006-15351016003249901016002 speedproject-ace-bo(26115)820Buffer overflow in JuniperSetupDLL.dll, loaded from JuniperSetup.ocx by the Juniper SSL-VPN Client when accessing a Juniper NetScreen IVE device running IVE OS before 4.2r8.1, 5.0 before 5.0r6.1, 5.1 before 5.1r8, 5.2 before 5.2r4.1, or 5.3 before 5.3r2.1, allows remote attackers to execute arbitrary code via a long argument in the ProductName parameter.20060426 [EEYEB-20060227] Juniper Networks SSL-VPN Client Buffer Overflow17712ADV-2006-1543101600019842VU#47760425001 juniper-ive-activex-bo(26077)819The Gmax Mail client in Hitachi Groupmax before 20060426 allows remote attackers to cause a denial of service (application hang or erroneous behavior) via an attachment with an MS-DOS device filename.19840ADV-2006-153924969 hitachi-groupmax-client-dos(26099)Multiple cross-site scripting (XSS) vulnerabilities in Devsyn Open Bulletin Board (OpenBB) 1.0.6 allow remote attackers to inject arbitrary web script or HTML via (1) the FID parameter in board.php and (2) the TID parameter in read.php. NOTE: the SQL injection issues are already covered by CVE-2005-1612 (read.php) and CVE-2005-2566 (board.php).20060426 Open Bulletin Board < Multiple Vulnerability openbb-board-read-xss(26095)806Multiple cross-site scripting (XSS) vulnerabilities in misc.php in MySmartBB 1.1.x allow remote attackers to inject arbitrary web script or HTML via the (1) id and (2) username parameters.20060426 MySmartBB<---v 1.1.x SQL Injection/XSS17707 mysmartbb-misc-xss(26089)807Multiple SQL injection vulnerabilities in misc.php in MySmartBB 1.1.x allow remote attackers to execute arbitrary SQL commands via the (1) id and (2) username parameters.20060426 MySmartBB<---v 1.1.x SQL Injection/XSS17707 mysmartbb-misc-sql-injection(26088)807admin.php in Virtual War (VWar) 1.5 and versions before 1.2 allows remote attackers to obtain sensitive information via an invalid vwar_root parameter, which reveals the path in an error message.20060423 VWar Path Disclosure virtualwar-admin-path-disclosure(26006)818Unspecified vulnerability in HP StorageWorks Secure Path for Windows 4.0C-SP2 before 20060419 allows remote attackers to cause an unspecified denial of service via unknown vectors.HPSBST02112ADV-2006-145810159691975217638 hp-storageworks-win-dos(25939)Nessus before 2.2.8, and 3.x before 3.0.3, allows user-assisted attackers to cause a denial of service (memory consumption) via a NASL script that calls split with an invalid sep parameter. NOTE: a design goal of the NASL language is to facilitate sharing of security tests by guaranteeing that a script "can not do anything nasty." This issue is appropriate for CVE only if Nessus users have an expectation that a split statement will not use excessive memory.20060425 NASL 'Split' function Buffer overflow Vulnerability20060425 Re: NASL 'Split' function Buffer overflow Vulnerability20060425 Re: NASL 'Split' function Buffer overflow VulnerabilityADV-2006-15411015996USN-279-125084 nessus-nasl-split-dos(26034)817Microsoft Internet Explorer before Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1, when Prompt is configured in Security Settings, uses modal dialogs to verify that a user wishes to run an ActiveX control or perform other risky actions, which allows user-assisted remote attackers to construct a race condition that tricks a user into clicking an object or pressing keys that are actually applied to a "Yes" approval for executing the control.20040407 Race conditions in security dialogs20060426 Internet Explorer User Interface Races, Redeux20060427 PoC for Internet Explorer Modal Dialog Issue17713223511015720ADV-2006-1559 20060427 PoC for Internet Explorer Modal Dialog Issue ie-modal-dialog-code-execution(26111)Phex before 2.8.6 allows remote attackers to cause a denial of service (application hang) by initiating multiple chat requests to a single user and then logging off.ADV-2006-156019824 phex-request-dos(26124)plug.php in Land Down Under (LDU) 802 and earlier allows remote attackers to obtain sensitive information via an invalid (1) month or (2) year parameter, which reveals the path in an error message.20060427 Land Down Under 802 and below version Path Disclosure Vulnerability landdownunder-monthyear-path-disclosure(26143)814SQL injection vulnerability in func_msg.php in Invision Power Board (IPB) 2.1.4 allows remote attackers to execute arbitrary SQL commands via the from_contact field in a private message (PM).20060427 SQL injection exploit IPB <= 2.1.4177191986125021 invision-fromcontact-sql-injection(26107)813PHP remote file inclusion vulnerability in Thumbnail AutoIndex before 2.0 allows remote attackers to execute arbitrary PHP code via (1) README.html or (2) HEADER.html.24873Directory traversal vulnerability in UltraISO 8.0.0.1392 allows remote attackers to write arbitrary files via a .. (dot dot) in a filename in an ISO image.20060428 WinISO/UltraISO/MagicISO/PowerISO Directory Traversal VulnerabilityADV-2006-156919857177241016009 iso-dotdot-directory-traversal(26140)815Directory traversal vulnerability in Magic ISO 5.0 Build 0166 allows remote attackers to write arbitrary files via a .. (dot dot) in a filename in an ISO image.20060428 WinISO/UltraISO/MagicISO/PowerISO Directory Traversal Vulnerability20060428 WinISO/UltraISO/MagicISO/PowerISO Directory Traversal VulnerabilityADV-2006-156819864177251016007 iso-dotdot-directory-traversal(26140)815Directory traversal vulnerability in WinISO 5.3 allows remote attackers to write arbitrary files via a .. (dot dot) in a filename in an ISO image.20060428 WinISO/UltraISO/MagicISO/PowerISO Directory Traversal VulnerabilityADV-2006-156719816177211016010 iso-dotdot-directory-traversal(26140)815Directory traversal vulnerability in PowerISO 2.9 allows remote attackers to write artibrary files via a .. (dot dot) in a filename in an ISO image.20060428 WinISO/UltraISO/MagicISO/PowerISO Directory Traversal Vulnerability20060428 WinISO/UltraISO/MagicISO/PowerISO Directory Traversal VulnerabilityADV-2006-157019858177261016008 iso-dotdot-directory-traversal(26140)815SQL injection vulnerability in MyBB (MyBulletinBoard) 1.1.1 allows remote authenticated administrators to execute arbitrary SQL commands via the (1) query string ($querystring variable) in (a) admin/adminlogs.php, which is not properly handled by adminfunctions.php; or (2) setid, (3) expand, (4) title, or (5) sid2 parameters to (b) admin/templates.php.Successful exploitation requires access to the admin section.20060427 MyBB 1.1.1 Local SQL Injections19865ADV-2006-15662507425075mybb-adminfunctions-templates-sql-injection(26103)808Multiple cross-site scripting (XSS) vulnerabilities in Kamgaing Email System (kmail) 2.3 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) d parameter to main.php, ordner parameter to (2) main.php, or (3) webdisk.php, (4) draft parameter to compose.php, or (5) m, or (6) y parameter to calendar.php.Kmail <=2.3 vuln. ADV-2006-15641975525061250622506325064 kmail-multiple-scripts-xss(26117)Directory traversal vulnerability in index.php in Jupiter CMS 1.1.4 and 1.1.5 allows remote attackers to read arbitrary files via ".." sequences terminated by a %00 (null) character in the n parameter.17716Cross-site scripting (XSS) vulnerability in Edgewall Software Trac 0.9.4 and earlier allows remote attackers to inject arbitrary web script or HTML via unknown attack vectors related to a "wiki macro."ADV-2006-155710159861774119870 trac-wiki-engine-xss(26125)Buffer overflow in BL4 SMTP Server 0.1.4 and earlier allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a long argument to the (1) EHLO, (2) MAIL FROM, and (3) RCPT TO commands.20060427 BL4's SMTP server BufferOverflow VulnerableECHO_ADV_30$200617714bl4-smtp-bo(26114)809parser.exe in Oc&#xe9; (OCE) 3121/3122 Printer allows remote attackers to cause a denial of service (crash or reboot) via a long request, possibly triggering a buffer overflow.exploit 1718177151984725000oce-printer-url-dos(26123)Cross-site scripting (XSS) vulnerability in the parse_query_str function in include/print.php in JSBoard 2.0.10 and 2.0.11, and possibly other versions before 2.0.12, allows remote attackers to inject arbitrary web script or HTML via parameters that are set as global variables within the program, as demonstrated using the table parameter to login.php.This vulnerability is addressed in the following product release: JSBoard, JSBoard, 2.0.12Security Advisory AKLINK-SA-2006-00120060502 JSBoard XSS vulnerability17778ADV-2006-16362522219937jsboard-login-xss(26211)Virtual Private Server (Vserver) 2.0.x before 2.0.2-rc18 and 2.1.x before 2.1.1-rc18 provides certain context capabilities (ccaps) that allow local guest users to perform operations that were only intended to be allowed by the guest-root.This vulnerability is addressed in the following product releases: Virtual Private Server, Vserver, 2.0.2-rc18 Virtual Private Server, Vserver, 2.1.1-rc18[Vserver] 20060428 [SECURITY] ccaps not limited to root inside a guestADV-2006-166119961DSA-10601784220206 linux-vserver-ccaps-privilege-escalation(26285)A component in Microsoft Outlook Express 6 allows remote attackers to bypass domain restrictions and obtain sensitive information via redirections with the mhtml: URI handler, as originally reported for Internet Explorer 6 and 7, aka "URL Redirect Cross Domain Information Disclosure Vulnerability."Internet Explorer Arbitrary Content Disclosure Vulnerability Test17717ADV-2006-1558101600519738250732247720061025 IE7 status: 8 days after release, 3 unfixed issues20061026 IE7 is a Source of Problem - Secunia IE7 Release Incident of October 2006ie-mhtml-information-disclosure(26281)HPSBST02231MS07-034TA07-163AVU#783761ADV-2007-2154oval:org.mitre.oval:def:1605Fuji Xerox Printing Systems (FXPS) print engine, as used in products including (1) Dell 3000cn through 5110cn and (2) Fuji Xerox DocuPrint firmware before 20060628 and Network Option Card firmware before 5.13, allows remote attackers to use the FTP printing interface as a proxy ("FTP bounce") by using arbitrary PORT arguments to connect to systems for which access would be otherwise restricted.ADV-2006-340120060825 Indiana University Security Advisory: Fuji Xerox Printing Systems (FXPS) print engine vulnerabilitie19711fxps-port-security-bypass(28637)20060825 Indiana University Security Advisory: Fuji Xerox Printing Systems (FXPS) print engine vulnerabilities216302824922463The embedded HTTP server in Fuji Xerox Printing Systems (FXPS) print engine, as used in products including (1) Dell 3000cn through 5110cn and (2) Fuji Xerox DocuPrint firmware before 20060628 and Network Option Card firmware before 5.13, does not properly perform authentication for HTTP requests, which allows remote attackers to modify system configuration via crafted requests, including changing the administrator password or causing a denial of service to the print server.ADV-2006-340120060825 Indiana University Security Advisory: Fuji Xerox Printing Systems (FXPS) print engine vulnerabilitie20060825 Indiana University Security Advisory: Fuji Xerox Printing Systems (FXPS) print engine vulnerabilities19716282502163022463Buffer overflow in SWS web Server 0.1.7 allows remote attackers to execute arbitrary code via a long request.20060428 [ECHO_ADV_31$2006] Sws Web Server 0.1.7 Strcpy() & Syslog() Format String Vulnerability17737 sws-webserver-syslog-bo(26159)816Format string vulnerability in SWS web Server 0.1.7 allows remote attackers to execute arbitrary code via unspecified vectors that are not properly handled in a syslog function call.20060428 [ECHO_ADV_31$2006] Sws Web Server 0.1.7 Strcpy() & Syslog() Format String Vulnerability17737 sws-webserver-syslog-format-string(26158)816planetGallery allows remote attackers to gain administrator privileges via a direct request to admin/gallery_admin.php.20060501 planetGallery admin login17753825Cross-site scripting (XSS) vulnerability in Thyme 1.3 allows remote attackers to inject arbitrary web script or HTML via the search page.20060429 Thyme 1.3 Cross Site Scripting17746ADV-2006-160219909[VIM] 20060908 Vendor ACK for CVE-2006-2117 (Thyme) thyme-index-xss(26188)822JMK's Picture Gallery allows remote attackers to bypass authentication via a direct request to admin_gallery.php3, possibly related to the add action.20060501 JMK's Picture Gallery admin login17755 jmk-admingallery-unauth-access(26210)821PHP remote file inclusion vulnerability in event/index.php in Artmedic Event allows remote attackers to execute arbitrary code via a URL in the page parameter.20060428 [Kurdish Security #2] Artmedic Event Remote File Include Vulnerability17736ADV-2006-15881990725130 artmedic-event-index-file-include(26150)811The TIFFToRGB function in libtiff before 3.8.1 allows remote attackers to cause a denial of service (crash) via a crafted TIFF image with Yr/Yg/Yb values that exceed the YCR/YCG/YCB values, which triggers an out-of-bounds read.MDKSA-2006:082USN-277-11780919936199492006-002419964RHSA-2006:042520023DSA-107820330 20060501-01-U 20210 20667MDKSA-2006:082PHP remote file include vulnerability in admin/config_settings.tpl.php in I-RATER Platinum allows remote attackers to execute arbitrary code via a URL in the include_path parameter. NOTE: this is a different vector, and possibly a different vulnerability, than CVE-2006-1929.20060429 I-RATER Platinum Remote File Inclusion exploit Cod3d by R@1D3N1773120060428 [Kurdish Secure Advisory #1] I-RATER Platinum %22Admin/configsettings.tpl.php%22 Remote File Include Vulnerability irater-configsettingtpl-file-include(26203)824PHP remote file inclusion vulnerability in index.php in CoolMenus allows remote attackers to execute arbitrary code via a URL in the page parameter. NOTE: the original report for this issue is probably erroneous, since CoolMenus does not appear to be written in PHP.20060429 CoolMenus Event Remote File Inclusion exploit1773820060428 [Kurdish Security #3] CoolMenus Event Remote File Include Vulnerability (For PHP)20060501 Re: CoolMenus Event Remote File Inclusion exploit823Multiple SQL injection vulnerabilities in the report interface in Network Administration Visualized (NAV) before 3.0.1 allow remote attackers to execute arbitrary SQL commands via unknown vectors.1773425066ADV-2006-157219849 nav-report-interface-sql-injection(26151)Multiple cross-site scripting (XSS) vulnerabilities in SunShop 3.5 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) prevaction, (2) previd, (3) prevstart, (4) itemid, (5) id, and (6) action parameters in index.php.ADV-2006-1582198711777025119 sunshop-multiple-parameters-xss(26180)** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-3779. Reason: This candidate is a duplicate of CVE-2005-3779. Notes: All CVE users should reference CVE-2005-3779 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.SQL injection vulnerability in pocategories.php in MaxTrade 1.0.1 and earlier allows remote attackers to execute arbitrary SQL commands via the (1) categori and (2) stranica parameters.ADV-2006-1581198761776525122 maxtrade-pocategories-sql-injection(26171)SQL injection vulnerability in weblog_posting.php in Blog Mod 0.2.x allows remote attackers to execute arbitrary SQL commands via the r parameter.20060429 Blog Mod <= 0.2.x SQL Injection17744TA06-164A blogmod-weblogposting-sql-injection(26198)810Multiple SQL injection vulnerabilities in Pro Publish 2.0 allow remote attackers to execute arbitrary SQL commands via the (1) email and (2) password parameter to (a) admin/login.php, (3) find_str parameter to (b) search.php, or (4) artid parameter to (c) art.php, or (5) catid parameter to (d) cat.php.17762ADV-2006-15781988225124251262512720060602 Pro Publish SQL Injection and XSS Vulnerabilities 25125 propublish-multiple-sql-injection(26148)Direct static code injection vulnerability in Pro Publish 2.0 allows rmeote authenticated adminitrators to execute arbitrary PHP code by editing certain settings, which are stored in set_inc.php.17762ADV-2006-15781988225128 propublish-setinc-file-include(26149)SQL injection vulnerability in include/class_poll.php in Advanced Poll 2.0.4 allows remote attackers to execute arbitrary SQL commands via the User-Agent HTTP header.Successful exploitation requires that magic_quotes_gpc is set to off. EV0131ADV-2006-16032516719899advancedpoll-classpoll-sql-injection(26152)include/class_poll.php in Advanced Poll 2.0.4 uses the HTTP_X_FORWARDED_FOR (X-Forwarded-For HTTP header) to identify the IP address of a client, which makes it easier for remote attackers to spoof the source IP and bypass voting restrictions.EV0131ADV-2006-160319899 advancedpoll-header-spoofing(26154)SQL injection vulnerability in detail.asp in DUclassified allows remote attackers to execute arbitrary SQL commands via the iPro parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.17722SQL injection vulnerability in index.php in BoonEx Barracuda 1.1 and earlier allows remote attackers to execute arbitrary SQL commands via the (1) link_dir_target and (2) link_id_target parameter, possibly involving the link_edit functionality.Barracuda vuln. barracuda-index-sql-injection(26175)PHP remote file inclusion vulnerability in /includes/kb_constants.php in Knowledge Base Mod for PHPbb 2.0.2 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the module_root_path parameter.Successful exploitation requires that "register_globals" is enabled.exploit 1728ADV-2006-15851989217763kbmod-phpbb-kbconstants-file-include(26279)SQL injection vulnerability in login.php in Ruperts News allows remote attackers to execute arbitrary SQL commands via the username parameter.Successful exploitation requires that magic_quotes_gpc is set to off. EV0128ADV-2006-15801989517758rupertsnewsscript-login-sql-injection(26144)SQL injection vulnerability in news.php in AZNEWS allows remote attackers to execute arbitrary SQL commands via the ID parameter.Other versions of this product may also be affected by this vulnerability.EV0126ADV-2006-157919888177611016036aznews-news-sql-injection(26136)PHP remote file inclusion vulnerability in master.php in OpenPHPNuke and 2.3.3 earlier allows remote attackers to execute arbitrary PHP code via a URL in the root_path parameter.This vulnerability is addressed in the following product release: OpenPHPNuke, OpenPHPNuke, 2.3.5exploit 1727ADV-2006-1575198931777225140openphpnuke-master-file-include(26183)Cross-site scripting (XSS) vulnerability in neomail.pl in NeoMail 1.29 allows remote attackers to inject arbitrary web script or HTML via the sessionid parameter.20060428 Neomail.pl Local Cross Site Scripting1772819906ADV-2006-1590neomail-sessionid-xss(26127)827Multiple SQL injection vulnerabilities in PHP Newsfeed 20040723 allow remote attackers to execute arbitrary SQL commands via the (1) name parameter to (a) deltables.php, (2) select, (3) header, (4) url, (5) source, or (6) time parameters to (b) manualsubmit.php, (7) num parameter to (c) delete.php, or (8) tablename parameter to (d) searchnews.php.ADV-2006-1574199041775725132251332513425135phpnewsfeed-multiple-sql-injection(26205)Multiple cross-site scripting (XSS) vulnerabilities in OrbitHYIP 2.0 and earlier allow remote attackers to inject arbitrary web script via the (1) referral parameter to signup.php or (2) id parameter to members.php.ADV-2006-158319877177662514125142orbithyip-signup-members-xss(26163)Cross-site scripting (XSS) vulnerability in popup_image in Collaborative Portal Server (CPS) 3.4.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the pos argument.1987917774ADV-2006-158925144cps-pos-parameter-xss(26155)PHP remote file inclusion vulnerability in classes/adodbt/sql.php in Limbo CMS 1.04 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the classes_dir parameter.ADV-2006-1584198911776025155webinsta-limbo-sql-fil-include(26196)20060913 Limbo - Lite Mambo CMS Multiple VulnerabilitiesMultiple cross-site scripting (XSS) vulnerabilities in TextFileBB 1.0.16 allow remote attackers to inject arbitrary web script or HTML via Javascript events such as "onmouseover" in the (1) color, (2) size, or (3) url bbcode tags.20060429 TextFileBB 1.0.16 Multiple XSS1775019883251231016013textfilebb-bbcode-tags-xss(26129)828PHP remote file inclusion vulnerability in kopf.php in DMCounter 0.9.2-b allows remote attackers to execute arbitrary PHP code via a URL in the rootdir parameter.20060501 DMCounter Remote File Include17756ADV-2006-15992515210160141991820060509 Hackmaster Group DMCounter Remote File Includedmcounter-kopf-file-include(26207)826Multiple SQL injection vulnerabilities in index.php in HB-NS 1.1.6 allow remote attackers to execute arbitrary SQL commands via the (1) topic or (2) id parameter.1775919896251631016037hbns-index-sql-injection(26139)Multiple cross-site scripting (XSS) vulnerabilities in index.php in HB-NS 1.1.6 allow remote attackers to inject arbitrary web script or HTML via the (1) poster_name, (2) poster_email, (3) poster_homepage, or (4) message parameter.1775919896251641016037hbns-index-xss(26138)resmgrd in resmgr for SUSE Linux and other distributions does not properly handle when access to a USB device is granted by using "usb:<bus>,<dev>" notation, which grants access to all USB devices and allows local users to bypass intended restrictions. NOTE: this is a different vulnerability than CVE-2005-4788.SUSE-SR:2006:004DSA-104717752ADV-2006-15921988719898resmgr-security-bypass(26160)Multiple buffer overflows in client.c in CGI:IRC (CGIIRC) before 0.5.8 might allow remote attackers to execute arbitrary code via (1) cookies or (2) the query string.ADV-2006-160719922DSA-10521779919985cgiirc-client-bo(26173)PHP remote file inclusion vulnerability in sources/lostpw.php in Aardvark Topsites PHP 4.2.2 and earlier, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via the CONFIG[path] parameter, as demonstrated by including a GIF that contains PHP code.ADV-2006-15871991125158 17940 aardvark-lostpw-join-file-include(26189)PHP remote file inclusion vulnerability in top/list.php in phpBB TopList 1.3.8 and earlier allows remote attackers to include arbitrary files via the returnpath parameter.20060428 TopList <= 1.3.8 (PHPBB Hack) Remote File Inclusion Vulnerability25294toplist-toplist-list-file-include(26172)PHP remote file inclusion vulnerability in toplist.php in phpBB TopList 1.3.8 and earlier, when register_globals is enabled, allows remote attackers to include arbitrary files via the phpbb_root_path parameter.ADV-2006-16011988425260toplist-toplist-list-file-include(26172)PHP remote file inclusion vulnerability in admin/addentry.php in phpBB Advanced Guestbook 2.4.0 and earlier, when register_globals is enabled, allows remote attackers to include arbitrary files via the phpbb_root_path parameter.ADV-2006-16001990517745adv-guestbook-addentry-file-include(26217)Cross-site scripting (XSS) vulnerability in HTM_PASSWD in DirectAdmin Hosting Management allows remote attackers to inject arbitrary web script or HTML via the domain parameter.20060427 XSS Attack On DirectAdmin Hosting ManagmentADV-2006-157619885830EMC Retrospect for Windows 6.5 before 6.5.382, 7.0 before 7.0.344, and 7.5 before 7.5.1.105 does not drop privileges before opening files, which allows local users to execute arbitrary code via the File>Open dialog.Apply Retrospect Driver Update 7.5.1.105. Apply Application Security Update 7.0.344 (requires Retrospect 7.0.326 or Retrospect Express 7.0.301). Apply Application Security Update 6.5.382 (requires Retrospect 6.5.350 or Retrospect Express 6.5.350).ADV-2006-16121985017798retrospect-fileopen-privilege-escalation(26226)EMC Retrospect for Windows 6.5 before 6.5.382, 7.0 before 7.0.344, and 7.5 before 7.5.1.105 allows local users to execute arbitrary code by replacing the Retrospect.exe file, possibly due to improper file permissions.Retrospect 7.5: Apply Retrospect Driver Update 7.5.1.105. http://ftp.dantz.com/pub/updates/ru751105.exe Retrospect 7.0: Apply Application Security Update 7.0.344 (requires Retrospect 7.0.326 or Retrospect Express 7.0.301). http://download.dantz.com/archives/Retro-EN_7_0_344.exe Retrospect 6.5: Apply Application Security Update 6.5.382 (requires Retrospect 6.5.350 or Retrospect Express 6.5.350). http://download.dantz.com/archives/Retro-EN_6_5_382.exeADV-2006-161219850retrospect-code-execution(26227)Directory traversal vulnerability in help/index.php in X7 Chat 2.0 and earlier allows remote attackers to include arbitrary files via .. (dot dot) sequences in the help_file parameter.20060502 X7 Chat <=2.0 remote commands execution1777719886ADV-2006-160825149x7chat-index-file-include(26218) 1738829SQL injection vulnerability in gallery.php in Plogger Beta 2.1 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter, when the level is set to "slideshow". NOTE: This is a different vulnerability than CVE-2005-4246.plogger-gallery-sql-injection(26273)Dynamic variable evaluation vulnerability in index.php in Stadtaus Guestbook Script 1.7 and earlier, when register_globals is enabled, allows remote attackers to modify arbitrary program variables via parameters, which are evaluated as PHP variable variables, as demonstrated by performing PHP remote file inclusion using the include_files array parameter.Download Guestbook Script 1.9 17845ADV-2006-166019957guestbook-includefiles-file-include(26252)CRLF injection vulnerability in help.php in Russcom Network Loginphp allows remote attackers to spoof e-mails and inject MIME headers via CRLF sequences in the email address.20060502 Russcom.net Loginphp multiple vulnerabilties177872521419930russcom-loginphp-help-mail-relay(26250)Cross-site scripting (XSS) vulnerability in Russcom Network Loginphp (Russcom.Loginphp) allows remote attackers to inject arbitrary web script or HTML via the username field when registering.20060502 Russcom.net Loginphp multiple vulnerabilties177852521319930russcom-loginphp-register-xss(26249)Buffer overflow in (1) TZipBuilder 1.79.03.01, (2) Abakt 0.9.2 and 0.9.3-beta1, (3) CAM UnZip 4.0 and 4.3, and possibly other products, allows user-assisted attackers to execute arbitrary code via a ZIP archive that contains a file with a long file name.20060508 Secunia Research: TZipBuilder ZIP File Handling Buffer OverflowVulnerability17880ADV-2006-168719945101606420060515 Secunia Research: Abakt ZIP File Handling Buffer20060515 Secunia Research: Abakt ZIP File Handling Buffer OverflowVulnerabilityADV-2006-180510161072006820060519 Secunia Research: CAM UnZip ZIP File Handling Buffer OverflowVulnerabilityADV-2006-186519946camunzip-archive-bo(26549)abakt-zip-bo(26435) tzipbuilder-zip-bo(26275)853Buffer overflow in CGI scripts in Nagios 1.x before 1.4 and 2.x before 2.3 allows remote attackers to execute arbitrary code via a negative content length (Content-Length) HTTP header.Upgrade to versions 1.4 and 2.3GLSA-200605-07USN-282-117879ADV-2006-1662199911999820013DSA-1072SUSE-SR:2006:0112021520247 nagios-multiple-scripts-bo(26253)Cross-site scripting (XSS) vulnerability in index.php in Pinnacle Cart 3.33 and earlier allows remote attackers to inject arbitrary web script or HTML via the setbackurl parameter.17794ADV-2006-160919878 pinnaclecart-setbackurl-xss(26162)Multiple SQL injection vulnerabilities in Avactis Shopping Cart 0.1.2 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) category_id parameter in (a) store_special_offers.php and (b) store.php, and (2) prod_id parameter in (c) cart.php and (d) product_info.php. NOTE: this issue also produces resultant full path disclosure from invalid SQL queries. 25637 25638 25639 25640 avactis-multiple-scripts-sql-injection(26178)Multiple cross-site scripting (XSS) vulnerabilities in Avactis Shopping Cart 0.1.2 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) category_id parameter in (a) store_special_offers.php and (b) store.php and (2) prod_id parameter in (c) product_info.php. NOTE: this issue might be resultant from SQL injection. 25641 25642 25643 avactis-multiple-scripts-xss(26179)Unspecified vulnerability in the HTTP management interface in Cisco Unity Express (CUE) 2.2(2) and earlier, when running on any CUE Advanced Integration Module (AIM) or Network Module (NM), allows remote authenticated attackers to reset the password for any user with an expired password.20060501 Cisco Unity Express Expired Password Reset Privilege Escalation17775ADV-2006-1613101601519881 25165 cisco-cue-privilege-escalation(26165)Cross-site scripting (XSS) vulnerability in SloughFlash SF-Users 1.0, possibly in register.php, allows remote attackers to inject arbitrary web script or HTML by setting the username field to contain JavaScript in the SRC attribute of an IMG element.20060502 SF-Users V1.0 XSS injection17783ADV-2006-163719932 sfusers-register-xss(26215)831FileProtection Express 1.0.1 and earlier allows remote attackers to bypass authentication via a cookie with an Admin value of 1.20060502 FileProtection Express <= 1.0.1 authentification bypass17786 fileprotectionexpress-bypass-auth(26225)835RT: Request Tracker 3.5.HEAD allows remote attackers to obtain sensitive information via the Rows parameter in Dist/Display.html, which reveals the installation path in an error message. rtrequesttracker-display-info-disclosure(26164)Buffer overflow in ArgoSoft FTP Server 1.4.3.6 allows remote attackers to execute arbitrary code via Unicode in the RNTO command, as demonstrated by the Infigo FTPStress Fuzzer.20060502 FTP Fuzzer17789ADV-2006-16391993425216argosoft-ftp-rnto-bo(26197)20060508 INFIGO-2006-05-03: Multiple FTP Servers vulnerabilitiesBuffer overflow in WDM.exe in WarFTPD allows remote attackers to execute arbitrary code via unspecified arguments, as demonstrated by the Infigo FTPStress Fuzzer.20060502 FTP Fuzzer17803 20060508 INFIGO-2006-05-03: Multiple FTP Servers vulnerabilities 25220 warftpd-wdm-bo(26304)Buffer overflow in Gene6 FTP Server 3.1.0 allows remote authenticated attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long argument to (1) MKD or (2) XMKD, as demonstrated by the Infigo FTPStress Fuzzer.20060503 Re: FTP Fuzzer17810ADV-2006-16582523819965gene6-ftp-mkd-xmkd-dos(26237)Buffer overflow in FileZilla FTP Server 2.2.22 allows remote authenticated attackers to cause a denial of service and possibly execute arbitrary code via a long (1) PORT or (2) PASS followed by the MLSD command, or (2) the remote server interface, as demonstrated by the Infigo FTPStress Fuzzer.20060502 FTP Fuzzer178022522120060508 INFIGO-2006-05-03: Multiple FTP Servers vulnerabilitiesfilezilla-port-pass-dos(26303)Multiple cross-site scripting (XSS) vulnerabilities in admin/server_day_stats.php in Virtual Hosting Control System (VHCS) allow remote attackers to inject arbitrary web script or HTML via the (1) day, (2) month, or (3) year parameter.20060502 VHCS --- Virtual Hosting Control System Cross Site Scripting1779019940ADV-2006-1634 vhcs-serverdaystats-xss(26209)832PHP remote file inclusion vulnerability in FtrainSoft Fast Click 2.3.8 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the path parameter to (1) show.php or (2) top.php.ADV-2006-16311992320060502 Fast Click <= 2.3.8 Remote File Inclusion1781325192252891016021fastclick-multiple-file-include(26235)Multiple cross-site scripting (XSS) vulnerabilities in links.php in PHP Linkliste 1.0b allow remote attackers to inject arbitrary web script or HTML via the (1) new_input, (2) new_url, or (3) new_name parameter.ADV-2006-16271992517828 phplinkliste-linkliste-xss(26229)Cross-site scripting (XSS) vulnerability in viewcat.php in geoBlog 1.0 allows remote attackers to inject arbitrary web script or HTML via the cat parameter.20060502 geoBlog Mutiple XSS Vulnerability17784 geoblog-viewcat-xss(26204)833Multiple cross-site scripting (XSS) vulnerabilities in CyberBuild allow remote attackers to inject arbitrary web script or HTML via the (1) SessionID parameter to login.asp, (2) ProductIndex parameter to browse0.htm, (3) rowcolor parameter to result.asp, or (4) heading parameter to result.asp. NOTE: vectors 1 and 2 might be resultant from SQL injection.ADV-2006-16301988917829251972519825199 cyberbuild-multiple-xss(26202)Multiple SQL injection vulnerabilities in CyberBuild allow remote attackers to execute arbitrary SQL commands via the (1) SessionID parameter to login.asp or (2) ProductIndex parameter to browse0.htm.ADV-2006-163019889178292519525196 cyberbuild-multiple-sql-injection(26201)Buffer overflow in Golden FTP Server Pro 2.70 allows remote attackers to cause a denial of service (application crash) and execute arbitrary code via a long argument to the (1) NLST or (2) APPE commands, as demonstrated by the Infigo FTPStress Fuzzer.20060502 FTP Fuzzer17801ADV-2006-16401991720060508 INFIGO-2006-05-03: Multiple FTP Servers vulnerabilities25217goldenftp-nlst-appe-bo(26195)Multiple cross-site scripting (XSS) vulnerabilities in Albinator 2.0.8 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) cid parameter to dlisting.php or (2) preloadSlideShow parameter to showpic.php.17826ADV-2006-1643199522524225243albinator-multiple-xss(26240)Multiple PHP remote file inclusion vulnerabilities in (1) eday.php, (2) eshow.php, or (3) forgot.php in albinator 2.0.8 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the Config_rootdir parameter.17825ADV-2006-164325239252402524119952Untrusted search path vulnerability in Truecrypt 4.1, when running suid root on Linux, allows local users to execute arbitrary commands and gain privileges via a modified PATH environment variable that references a malicious mount command.[Dailydave] 20060430 Non disclosure from security vendors: Truecrypt exempleADV-2006-15912513119903 truecrypt-execvp-gain-privileges(26191)Cross-site scripting (XSS) vulnerability in search.php in PHPKB Knowledge Base allows remote attackers to inject arbitrary web script or HTML via the searchkeyword parameter. NOTE: the issue was originally disputed by the vendor, but on 20060519, the vendor notified CVE that "We have fixed all the mentioned issues and now the search section of PHPKB script is free from any XSS issues."ADV-2006-162819913[VIM] 20060512 Vendor dispute of CVE-2006-2184[VIM] 20060519 Resolved PHPKB vendor dispute (CVE-2006-2184)PORTAL.NLM in Novell Netware 6.5 SP5 writes the username and password in cleartext to the abend.log log file when the groupOperationsMethod function fails, which allows context-dependent attackers to gain privileges.TID2973698ADV-2006-18291016106netware-portal-information-disclosure(26488)202881801725780zenphoto 1.0.1 beta and earlier allow remote attackers to obtain sensitive information via a direct request for the (1) /photos/themes/default/ and (2) /photos/themes/testing/ URIs, which reveals the path in an error message.20060502 zenphoto Multiple Path Disclosure and Cross Site Scripting Vulnerabilities17779 zenphoto-i-path-disclosure(26220)834Multiple cross-site scripting (XSS) vulnerabilities in zenphoto 1.0.1 beta and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) a parameter in i.php, and the (2) album and (3) image parameters in index.php.This vulnerability is addressed in the following product release: zenphoto, zenphoto, 1.0.2 beta20060502 zenphoto Multiple Path Disclosure and Cross Site Scripting Vulnerabilitieszenphoto Multiple Path Disclosure and Cross Site Scripting Vulnerabilities17779 zenphoto-index-i-xss(26219)Multiple cross-site scripting (XSS) vulnerabilities in CMScout 1.10 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the Body field of a private message (PM), (2) BBCode, or (3) a forum post.This vulnerability is addressed in the following product release: CMScout, CMScout, 1.2120060502 Cmscout <= V1.10 multiple XSS attack vectors177961016023199332524625247 cmscout-messageform-xss(26223)838SQL injection vulnerability in search.php in Servous sBLOG 0.7.2 allows remote attackers to execute arbitrary SQL commands via the keyword parameter. NOTE: this issue can be used to trigger path disclosure. In addition, it might be primary to vector 1 in CVE-2006-1135.20060502 sBlog SQL Injection and Path Disclosure VulnerabilityVulnerability :sBlog SQL Injection and Path Disclosure Vulnerability1778225612sblog-search-sql-injection(26212) sblog-search-path-disclosure(26213)836Cross-site scripting (XSS) vulnerability in ow-shared.pl in OpenWebMail (OWM) 2.51 and earlier allows remote attackers to inject arbitrary web script or HTML via the sessionid parameter in (1) openwebmail-send.pl, (2) openwebmail-advsearch.pl, (3) openwebmail-folder.pl, (4) openwebmail-prefs.pl, (5) openwebmail-abook.pl, (6) openwebmail-read.pl, (7) openwebmail-cal.pl, and (8) openwebmail-webdisk.pl. NOTE: the openwebmail-main.pl vector is already covered by CVE-2005-2863.This vulnerability is addressed in the following product release: Open WebMail, Open WebMail, 2.52Open WebMail <=2.51 XSS vuln.[owm-announce] 20060502 OpenWebMail version 2.5216734openwebmail-multiple-scripts-xss(26105)** DISPUTED ** Format string vulnerability in Mailman before 2.1.9 allows attackers to execute arbitrary code via unspecified vectors. NOTE: the vendor has disputed this vulnerability, stating that it is "unexploitable."[Mailman-Announce] 20060913 RELEASED: Mailman 2.1.9[security] 20060906 Re: mailman 2.1.5-8sarge3: screwup between security and maintainer uploadSUSE-SR:2006:02522639Buffer overflow in the t2p_write_pdf_string function in tiff2pdf in libtiff 3.8.2 and earlier allows attackers to cause a denial of service (crash) and possibly execute arbitrary code via a TIFF file with a DocumentName tag that contains UTF-8 characters, which triggers the overflow when a character is sign extended to an integer that produces more digits than expected in an sprintf call.Debian Bug - #370355Bugzilla Bug 1196 DSA-1091ADV-2006-219720488USN-289-1205012052018331MDKSA-2006:10220693SUSE-SR:2006:01420766GLSA-200607-0321002 libtiff-tiff2pdf-bo(26991)MDKSA-2006:102103099103160ADV-2007-3486ADV-2007-4034271812722227832201331The winbind plugin in pppd for ppp 2.4.4 and earlier does not check the return code from the setuid function call, which might allow local users to gain privileges by causing setuid to fail, such as exceeding PAM limits for the maximum number of user processes, which prevents the winbind NTLM authentication helper from dropping privileges.USN-310-118849DSA-110626994209632096720996MDKSA-2006:11920987MDKSA-2006:119Cross-site scripting (XSS) vulnerability in horde 3 (horde3) before 3.1.1 allows remote attackers to inject arbitrary web script or HTML via (1) templates/problem/problem.inc and (2) test.php.This vulnerability is addressed in the following product release: Horde, Horde, 3.1.1DSA-10982067220750GLSA-200606-2818436101631020849SUSE-SR:2006:016ADV-2006-235626513265142066120960horde-test-problem-xss(27168)Unspecified vulnerability in pinball 0.3.1 allows local users to gain privileges via unknown attack vectors that cause pinball to load plugins from an attacker-controlled directory while operating at raised privileges.DSA-1102ADV-2006-25352077820834emilia-pinball-plugins-privilege-escalation(27420)26829Integer overflow in wv2 before 0.2.3 might allow context-dependent attackers to execute arbitrary code via a crafted Microsoft Word document.This vulnerability is addressed in the following product release: Debian, wv2, 0.2.2-1DSA-1100USN-300-118437ADV-2006-2350206652068820689GLSA-200606-24MDKSA-2006:10910163132082620844SUSE-SR:2006:01520899 wvware-wv2-word-overflow(27184)MDKSA-2006:109OpenOffice.org (aka StarOffice) 1.1.x up to 1.1.5 and 2.0.x before 2.0.3 allows user-assisted attackers to conduct unauthorized activities via an OpenOffice document with a malicious BASIC macro, which is executed without prompting the user.102490DSA-1104RHSA-2006:0573SUSE-SA:2006:04018738ADV-2006-2607ADV-2006-26211016414208672089320911MDKSA-2006:118USN-313-1209132091020975openoffice-macro-code-execution(27564)20995USN-313-2VU#170113GLSA-200607-122127822129FEDORA-2007-0052362020060926 rPSA-2006-0173-1 openoffice.orgMDKSA-2006:118Unspecified vulnerability in Java Applets in OpenOffice.org 1.1.x (aka StarOffice) up to 1.1.5 and 2.0.x before 2.0.3 allows user-assisted attackers to escape the Java sandbox and conduct unauthorized activities via certain applets in OpenOffice documents.102475DSA-1104RHSA-2006:0573SUSE-SA:2006:04018737ADV-2006-2607ADV-2006-26211016414208672089320911MDKSA-2006:118USN-313-1209132091020975openoffice-applet-sandbox-bypass(27569)20995USN-313-2VU#243681GLSA-200607-1221278FEDORA-2007-0052362020060926 rPSA-2006-0173-1 openoffice.orgMDKSA-2006:118Stack-based buffer overflow in libmms, as used by (a) MiMMS 0.0.9 and (b) xine-lib 1.1.0 and earlier, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via the (1) send_command, (2) string_utf16, (3) get_data, and (4) get_media_packet functions, and possibly other functions.18608ADV-2006-248720749USN-309-1MDKSA-2006:1172094820964MDKSA-2006:121USN-315-12102321036GLSA-200607-072113923218SSA:2006-357-0523512MDKSA-2006:117MDKSA-2006:121Unspecified vulnerability in CA Resource Initialization Manager (CAIRIM) 1.x before 20060502, as used in z/OS Common Services and the LMP component in multiple products, allows attackers to violate integrity via a certain "problem state program" that uses SVC to gain access to supervisor state, key 0.This vulnerability affects all z/OS releases of this product prior to May