LiveActive security incident?Get immediate response
CVE archive

December 2005

Browse CVE records published in December 2005, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 639 matching CVEs · Page 1 of 13.

Medium · CVSS 6.3

CVE-2005-4349: SQL injection vulnerability in server_privileges.php in phpMyAdmin 2.7.0 allows remote authenticated users...

SQL injection vulnerability in server_privileges.php in phpMyAdmin 2.7.0 allows remote authenticated users to execute arbitrary SQL commands via the (1) dbname and (2) checkprivs parameters. NOTE: the vendor and a third party have disputed this issue, saying that the main task of the program is to support query execution by authenticated users, and no external attack scenario exists without an auto-login configuration. Thus it is likely that this issue will be REJECTED. However, a closely related CSRF issue has been assigned CVE-2005-4450

Published Dec 19, 2005 · Updated Jan 16, 2025

Medium · CVSS 6.1

CVE-2005-4206: Blackboard Learning and Community Portal System in Academic Suite 6.3.1.424, 6.2.3.23, and other versions b...

Blackboard Learning and Community Portal System in Academic Suite 6.3.1.424, 6.2.3.23, and other versions before 6 allows remote attackers to redirect users to other URLs and conduct phishing attacks via a modified url parameter to frameset.jsp, which loads the URL into a frame and causes it to appear to be part of a valid page.

Published Dec 13, 2005 · Updated Jan 16, 2025

Unknown · CVSS Not scored

CVE-2005-4171: The "Upload new image" command in the "Manage Images" eFiction 1.1, when members are allowed to upload imag...

The "Upload new image" command in the "Manage Images" eFiction 1.1, when members are allowed to upload images, allows remote attackers to execute arbitrary PHP code by uploading a filename with a .php extension that contains a GIF header, which passes the image validity check but executes any PHP code within the file.

Published Dec 11, 2005 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2005-4276: Westell Versalink 327W allows remote attackers to cause a denial of service (device crash) via an IP packet...

Westell Versalink 327W allows remote attackers to cause a denial of service (device crash) via an IP packet with the same source and destination IPs and ports, and with the SYN flag set (aka LanD). NOTE: the provenance of this issue is unknown; the details are obtained solely from third party information.

Published Dec 16, 2005 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2005-4339: Cross-site scripting (XSS) vulnerability in Blackboard Learning and Community Portal System in Academic Sui...

Cross-site scripting (XSS) vulnerability in Blackboard Learning and Community Portal System in Academic Suite 6.3.1.424, 6.2.3.23, and other versions before 6 allows remote attackers to inject arbitrary web script or HTML via the context parameter to announcement.pl, which is reflected in the resulting page.

Published Dec 17, 2005 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2005-4341: Blackboard Learning and Community Portal System in Academic Suite 6.3.1.424, 6.2.3.23, and other versions b...

Blackboard Learning and Community Portal System in Academic Suite 6.3.1.424, 6.2.3.23, and other versions before 6 allows remote attackers to list all available categories via a blank category_id parameter to category.pl. NOTE: it is not clear whether this information is sensitive or not, so this might not be an exposure.

Published Dec 17, 2005 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2005-4130: ** UNVERIFIABLE, PRERELEASE ** NOTE: this issue describes a problem that can not be independently verified...

** UNVERIFIABLE, PRERELEASE ** NOTE: this issue describes a problem that can not be independently verified as of 20051208. Unspecified vulnerability in unspecified versions of Real Networks RealPlayer allows remote attackers to execute arbitrary code. NOTE: it is not known whether this issue should be MERGED with CVE-2005-4126. The information regarding this issue is extremely vague and does not provide any verifiable information. It has been posted by a reliable reporter with a prerelease disclosure policy. This item has only been assigned a CVE identifier for tracking purposes, and to serve as a concrete example for discussion of the newly emerging UNVERIFIABLE and PRERELEASE content decisions in CVE, which must be discussed by the Editorial Board. Without additional details or independent verification by reliable sources, it is possible that this item might be RECAST or REJECTED.

Published Dec 9, 2005 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2005-4275: Scientific Atlanta DPX2100 Cable Modem allows remote attackers to cause a denial of service (device crash)...

Scientific Atlanta DPX2100 Cable Modem allows remote attackers to cause a denial of service (device crash) via an IP packet with the same source and destination IPs and ports, and with the SYN flag set (aka LanD), as demonstrated using hping2. NOTE: the provenance of this issue is unknown; the details are obtained solely from third party information.

Published Dec 16, 2005 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2005-4450: Cross-site request forgery (CSRF) vulnerability in phpMyAdmin 2.7.0 allows remote attackers to perform unau...

Cross-site request forgery (CSRF) vulnerability in phpMyAdmin 2.7.0 allows remote attackers to perform unauthorized actions as a logged-in user via a link or IMG tag to server_privileges.php, as demonstrated using the dbname and checkprivs parameters. NOTE: the provenance of this issue is unknown, although third parties imply that it is related to the disclosure of CVE-2005-4349, which was labeled as SQL injection but disputed.

Published Dec 21, 2005 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2005-4269: mshtml.dll in Microsoft Windows XP, Server 2003, and Internet Explorer 6.0 SP1 allows attackers to cause a...

mshtml.dll in Microsoft Windows XP, Server 2003, and Internet Explorer 6.0 SP1 allows attackers to cause a denial of service (access violation) by causing mshtml.dll to process button-focus events at the same time that a document is reloading, as seen in Microsoft Office InfoPath 2003 by repeatedly clicking the "Delete" button in a repeating section in a form. NOTE: the normal operation of InfoPath appears to involve a local user without any privilege boundaries, so this might not be a vulnerability in InfoPath. If no realistic scenarios exist for this problem in other products, then perhaps it should be excluded from CVE.

Published Dec 15, 2005 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2005-4256: Cross-site scripting (XSS) vulnerability in forum.asp in ASP-DEV XM Forum RC3 allows remote attackers to in...

Cross-site scripting (XSS) vulnerability in forum.asp in ASP-DEV XM Forum RC3 allows remote attackers to inject arbitrary web script or HTML via the forum_title parameter. NOTE: the provenance of this issue is unknown; the details are obtained solely from the BID. In addition, its accuracy is in question because "forum_title" does not appear to be specified in the source code for XM Forum RC3. It is possible, but not certain, that this is CVE-2004-2211.

Published Dec 15, 2005 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2005-4568: Multiple format string vulnerabilities in FTGate Technology (formerly known as Floosietek) FTGate 4.4 (aka...

Multiple format string vulnerabilities in FTGate Technology (formerly known as Floosietek) FTGate 4.4 (aka Build 4.4.000 Oct 26 2005) allow remote attackers to execute arbitrary code via format string specifiers in the (1) USER, (2) PASS, and (3) TOP commands to the POP3 server; and the (4) LIST and (5) AUTHENTICATE commands to the IMAP server.

Published Dec 29, 2005 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2005-4582: Electric Sheep 2.6.3 does not require authentication or integrity checks from the server to the client, whi...

Electric Sheep 2.6.3 does not require authentication or integrity checks from the server to the client, which allows remote attackers to download and display arbitrary MPEG movie files via (1) DNS spoofing, (2) a URL on the command line, or (3) a URL in the configuration file. NOTE: the same attack vectors apply to common web browsers that are able to communicate with untrusted web servers, and other problems related to DNS design issues. Therefore this may not be a specific vulnerability. However, a client would reasonably expect to receive content only from the server.

Published Dec 29, 2005 · Updated Aug 7, 2024