| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| PHP remote file inclusion vulnerability in admin.jobline.php in Jobline 1.1.1 allows remote attackers to execute arbitrary code via a URL in the mosConfig_absolute_path parameter. NOTE: CVE disputes this issue because the script is protected against direct requests |
| CRLF injection vulnerability in (1) include/inc_act/act_formmailer.php and possibly (2) sample_ext_php/mail_file_form.php in phpwcms 1.2.5-DEV and earlier, and 1.1 before RC4, allows remote attackers to modify HTTP headers and send spam e-mail via a spoofed HTTP Referer (HTTP_REFERER). |
| The Tools module in fx-APP 0.0.8.1 allows remote attackers to misrepresent the contents of a web page via an arbitrary URL in the url parameter to a showhtml action for index.php, which causes the URL to be displayed within an iframe. |
| Multiple PHP remote file inclusion vulnerabilities in Harpia CMS 1.0.5 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the (1) func_prog parameter to (a) preload.php and (b) index.php; (2) header_prog parameter to (c) missing.php and (d) email.php, (e) files.php, (f) headlines.php, (g) search.php, (h) topics.php, and (i) users.php in _mods/; (3) theme_root parameter to (j) footer.php, (k) header.php, (l) pfooter.php, and (m) pheader.php in _inc; (4) mod_root parameter to _inc/header.php; and the (5) mod_dir and (6) php_ext parameters to (n) _inc/web_statsConfig.php. |
| PHP remote file inclusion vulnerability in sources/join.php in Aardvark Topsites PHP 4.2.2 and earlier, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the CONFIG[path] parameter, a different vector than CVE-2006-2149. |
| Microsoft Internet Explorer 6 SP2 and earlier allows remote attackers to cause a denial of service (crash) via a frameset with only one frame that calls resizeTo with certain arguments. NOTE: this issue might be related to CVE-2006-3637. |
| Microsoft Internet Explorer 6 SP2 and earlier allows remote attackers to cause a denial of service (crash) via certain malformed HTML, possibly involving applet and base tags without required arguments, which triggers a null pointer dereference in mshtml.dll. |
| PHP remote file inclusion vulnerability in phpbb/getmsg.php in FlashBB 1.1.5 and earlier allows remote attackers to execute arbitrary code via a URL in the phpbb_root_path parameter. |
| Cross-site scripting (XSS) vulnerability in Super Link Exchange Script 1.0 allows remote attackers to inject arbitrary web script or HTML via IMG tags in the search box. |
| PHP remote file inclusion vulnerability in register.php for Andys Chat 4.5 allows remote attackers to execute arbitrary code via the action parameter. NOTE: this issue was announced by an unreliable researcher, but the vendor is no longer distributing the product, so the original claims can not be evaluated. |
| Mathcad 12 through 13.1 allows local users to bypass the security features by directly accessing or editing the XML representation of the worksheet with a text editor or other program, which allows attackers to (1) bypass password protection by replacing the password field with a hash of a known password, (2) modify timestamps to avoid detection of modifications, (3) remove locks by removing the "is-locked" attribute, and (4) view locked data, which is stored in plaintext. |
| The IMAP4 service in MERCUR Messaging 2005 before Service Pack 4 allows remote attackers to cause a denial of service (crash) via a message with a long subject field. |
| Unspecified vulnerability in MERCUR Messaging 2005 before Service Pack 4 allows remote attackers to cause a denial of service (crash) via a TOP command to the POP3 service. |
| Multiple cross-site scripting (XSS) vulnerabilities in Chipmunk Blogger allow remote authenticated users to inject arbitrary web script or HTML via script tags in (1) posts and (2) profile names; and (3) a javascript URI in a URL argument in the photo gallery. |
| PHP remote file inclusion vulnerability in comment.core.inc.php in Clan Manager Pro (CMPRO) 1.11 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the sitepath parameter. |
| Multiple PHP remote file inclusion vulnerabilities in Claroline 1.7.5 allow remote attackers to execute arbitrary PHP code via a URL in the (1) clarolineRepositorySys parameter to (a) atutor.inc.php (b) db-generic.inc.php (c) docebo.inc.php (d) dokeos.1.6.inc.php (e) dokeos.inc.php (f) ganesha.inc.php (g) mambo.inc.php (h) moodle.inc.php (i) phpnuke.inc.php (j) postnuke.inc.php and (k) spip.inc.php in claroline/auth/extauth/drivers/; (2) includePath parameter in mambo.inc.php, postnuke.inc.php, and (l) inc/lib/event/init_event_manager.inc.php; and (3) rootSys parameter in (m) inc/lib/export_exe_tracking.class.php, a different set of vectors than CVE-2006-2284. |
| The Method method in WikkaWiki (Wikka Wiki) before 1.1.6.2 calls the strstr and strrpos functions with the wrong argument order, which allows remote attackers to bypass intended access restrictions and access arbitrary PHP files. |
| Cross-site scripting (XSS) vulnerability in change_pass.php in iG Shop 1.4 allows remote attackers to inject arbitrary web script or HTML via arbitrary query strings when the action parameter is not "1", as demonstrated using script in the action parameter, a different vulnerability than CVE-2006-5632. |
| Qbik WinGate 6.1.4 and earlier allows remote attackers to cause a denial of service (CPU consumption) via a DNS request with a self-referencing compressed name pointer, which triggers an infinite loop. |
| Messenger Agents (nmma.exe) in Novell GroupWise 2.0.2 and 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted HTTP POST request to TCP port 8300 with a modified val parameter, which triggers a null dereference related to "zero-size strings in blowfish routines." |
