Unknown · CVSS Not scored
Microsoft Windows NAT Helper Components (ipnathlp.dll) on Windows XP SP2, when Internet Connection Sharing is enabled, allows remote attackers to cause a denial of service (svchost.exe crash) via a malformed DNS query, which results in a null pointer dereference.
Published Oct 31, 2006 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Directory traversal vulnerability in dir.php in TorrentFlux 2.1 allows remote attackers to list arbitrary directories via "\.\./" sequences in the dir parameter.
Published Oct 30, 2006 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Directory traversal vulnerability in phpcards.header.php in phpCards 1.3 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the CardLanguageFile parameter.
Published Oct 30, 2006 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in heading.php in Boesch ProgSys 0.151 and earlier allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to admin/index.php, and unspecified vectors related to certain other files. NOTE: some of these details are obtained from third party information.
Published Oct 27, 2006 · Updated Aug 7, 2024
Unknown · CVSS Not scored
PHP remote file inclusion vulnerability in end.php in ask_rave 0.9 PR, and other versions before 0.9b, allows remote attackers to execute arbitrary PHP code via a URL in the footfile parameter.
Published Oct 31, 2006 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple SQL injection vulnerabilities in LedgerSMB (LSMB) 1.1.0 and earlier allow remote attackers to execute arbitrary SQL commands via unspecified vectors in (1) OE.pm, (2) AM.pm, and (3) Form.pm.
Published Oct 27, 2006 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Directory traversal vulnerability in /scripts/cruise/cws.exe in CruiseWorks 1.09c and 1.09d allows remote attackers to read arbitrary files via a .. (dot dot) in the doc parameter.
Published Oct 27, 2006 · Updated Aug 7, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in Extended Tracker (xtracker) 4.7 before 1.5.2.1 for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors related to "parameters from URLs."
Published Oct 30, 2006 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Directory traversal vulnerability in /cgi-bin/webcm in INCA IM-204 allows remote attackers to read arbitrary files via a "/./." (modified dot dot) sequences in the getpage parameter.
Published Oct 30, 2006 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in Oracle Application Express (formerly HTML DB) before 2.2.1 allows remote attackers to inject arbitrary HTML or web script via the WWV_FLOW_ITEM_HELP package. NOTE: it is likely that this issue overlaps one of the Oracle VulnIDs covered by CVE-2006-5351. Oracle has not publicly disputed claims by a reliable researcher that this has been fixed by the October 2006 CPU.
Published Oct 28, 2006 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple SQL injection vulnerabilities in BytesFall Explorer (bfExplorer) 0.0.7.1 and earlier allow remote attackers to execute arbitrary SQL commands via the username ($User variable) to login/doLogin.php and other unspecified vectors.
Published Oct 31, 2006 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple SQL injection vulnerabilities in Admin/check.asp in PacPoll 4.0 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) uid and (2) pwd parameters.
Published Oct 27, 2006 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple cross-site scripting (XSS) vulnerabilities in cgi-bin/webcm in D-Link DSL-G624T firmware 3.00B01T01.YA-C.20060616 allow remote attackers to inject arbitrary web script or HTML via the (1) upnp:settings/state or (2) upnp:settings/connection parameters.
Published Oct 26, 2006 · Updated Aug 7, 2024
Unknown · CVSS Not scored
The seqfile handling (ip6fl_get_n function in ip6_flowlabel.c) in Linux kernel 2.6 up to 2.6.18-stable allows local users to cause a denial of service (hang or oops) via unspecified manipulations that trigger an infinite loop while searching for flowlabels.
Published Oct 31, 2006 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple unspecified vulnerabilities in OpenPBS, as used in SUSE Linux 9.2 through 10.1, allow attackers to execute arbitrary code via unspecified vectors.
Published Oct 31, 2006 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple PHP remote file inclusion vulnerabilities in CMS Faethon 2.0 Ultimate and earlier, when register_globals and magic_quotes_gpc are enabled, allow remote attackers to execute arbitrary PHP code via a URL in the mainpath parameter to (1) includes/rss-reader.php or (2) admin/config.php, different vectors than CVE-2006-3185.
Published Oct 27, 2006 · Updated Aug 7, 2024
Unknown · CVSS Not scored
FtpXQ Server 3.0.1 allows remote attackers to cause a denial of service (CPU exhaustion) via a long MKD command.
Published Oct 27, 2006 · Updated Aug 7, 2024
Unknown · CVSS Not scored
CRLF injection vulnerability in MAXdev MD-Pro 1.0.76 allows remote attackers to inject arbitrary HTTP headers via a CRLF sequence in the (1) name, (2) file, (3) module, and (4) func parameters in (a) index.php; and the (5) file parameter in (b) modules.php. NOTE: the provenance of this information is unknown; the details are obtained from third party information.
Published Oct 27, 2006 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Buffer overflow in the localtime_r function, and certain other functions, in libc in HP-UX B.11.11 and possibly other versions allows local users to execute arbitrary code via a long TZ environment variable.
Published Oct 27, 2006 · Updated Aug 7, 2024
Unknown · CVSS Not scored
CRLF injection vulnerability in premium/index.php in Shop-Script allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the (1) links_exchange, (2) news, (3) search_with_change_category_ability, (4) logging, (5) feedback, (6) show_price, (7) register, (8) answer, (9) productID, and (10) inside parameters.
Published Oct 27, 2006 · Updated Aug 7, 2024
Unknown · CVSS Not scored
backend/tcop/postgres.c in PostgreSQL 8.1.x before 8.1.5 allows remote authenticated users to cause a denial of service (daemon crash) related to duration logging of V3-protocol Execute messages for (1) COMMIT and (2) ROLLBACK SQL statements.
Published Oct 26, 2006 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple heap-based buffer overflows in RevilloC MailServer 1.21 and earlier allow remote attackers to cause a denial of service (CPU consumption or application crash) or execute arbitrary code via a long argument to the (1) MAIL FROM or (2) RCPT TO command.
Published Oct 26, 2006 · Updated Aug 7, 2024
Unknown · CVSS Not scored
backend/parser/analyze.c in PostgreSQL 8.1.x before 8.1.5 allows remote authenticated users to cause a denial of service (daemon crash) via certain aggregate functions in an UPDATE statement, which are not properly handled during a "MIN/MAX index optimization."
Published Oct 26, 2006 · Updated Aug 7, 2024
Unknown · CVSS Not scored
PHP remote file inclusion vulnerability in include/database.php in SourceForge (aka alexandria) 1.0.4 allows remote attackers to execute arbitrary PHP code via the sys_dbtype parameter.
Published Oct 27, 2006 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Unspecified vulnerability in the AirPcap support in Wireshark (formerly Ethereal) 0.99.3 has unspecified attack vectors related to WEP key parsing.
Published Oct 28, 2006 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple PHP remote file inclusion vulnerabilities in MDweb 1.3 and earlier (Mdweb132-postgres) allow remote attackers to execute arbitrary PHP code via a URL in the chemin_appli parameter in (1) admin/inc/organisations/form_org.inc.php and (2) admin/inc/organisations/country_insert.php.
Published Oct 27, 2006 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in user.php in MAXdev MD-Pro 1.0.76 allows remote attackers to inject arbitrary web script or HTML via the op parameter. NOTE: the provenance of this information is unknown; the details are obtained from third party information.
Published Oct 27, 2006 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple heap-based buffer overflows in AOL Nullsoft WinAmp before 5.31 allow user-assisted remote attackers to execute arbitrary code via a crafted (1) ultravox-max-msg header to the Ultravox protocol handler or (2) unspecified Lyrics3 tags.
Published Oct 27, 2006 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple memory leaks in xsupplicant before 1.2.6, and possibly other versions, allow attackers to cause a denial of service (memory consumption) via unspecified vectors.
Published Oct 28, 2006 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Unspecified vulnerability in Yahoo! Messenger (Service 18) before 8.1.0.195 allows remote attackers to cause a denial of service (NULL dereference and application crash) via a crafted room name in a Conference Invite. NOTE: the provenance of this information is unknown; the details are obtained from third party information.
Published Oct 27, 2006 · Updated Aug 7, 2024
Unknown · CVSS Not scored
PHP remote file inclusion vulnerability in constantes.inc.php in EPNadmin 0.7 and 0.7.1 allows remote attackers to execute arbitrary PHP code via the langage parameter.
Published Oct 26, 2006 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Stack-based buffer overflow in the eap_do_notify function in eap.c in xsupplicant before 1.2.6, and possibly other versions, allows remote authenticated users to execute arbitrary code via unspecified vectors.
Published Oct 28, 2006 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Stack-based buffer overflow in the (1) swpackage and (2) swmodify commands in HP-UX B.11.11 and possibly other versions allows local users to execute arbitrary code via a long -S argument. NOTE: this might be a duplicate of CVE-2006-2574, but the details relating to CVE-2006-2574 are too vague to be certain.
Published Oct 27, 2006 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Axalto Protiva 1.1, possibly only non-commercial versions, stores passwords in plaintext in files with insecure permissions, which allows local users to gain privileges by reading the passwords from (1) KeyTool\keytool.config or (2) webapps\protiva\WEB-INF\classes\authserver.config.
Published Oct 28, 2006 · Updated Aug 7, 2024
Unknown · CVSS Not scored
PHP remote file inclusion vulnerability in index.php in ArticleBeach Script 2.0 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the page parameter.
Published Oct 27, 2006 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Premium Antispam in Symantec Mail Security for Domino Server 5.1.x before 5.1.2.28 does not filter certain SMTP address formats, which allows remote attackers to use the product as a spam relay.
Published Oct 26, 2006 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Cisco Security Agent (CSA) for Linux 4.5 before 4.5.1.657 and 5.0 before 5.0.0.193, as used by Unified CallManager (CUCM) and Unified Presence Server (CUPS), allows remote attackers to cause a denial of service (resource consumption) via a port scan with certain options.
Published Oct 26, 2006 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple PHP remote file inclusion vulnerabilities in Rhode Island Open Meetings Filing Application (OMFA) allow remote attackers to execute arbitrary PHP code via a URL in the PROJECT_ROOT parameter to (1) editmeetings/session.php, (2) email/session.php, (3) entityproperties/session.php, or (4) inc/mail.php.
Published Oct 26, 2006 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Stack-based buffer overflow in /scripts/cruise/cws.exe in CruiseWorks 1.09c and 1.09d allows remote attackers to execute arbitrary code via a long string in the doc parameter.
Published Oct 27, 2006 · Updated Aug 7, 2024
Unknown · CVSS Not scored
PHP remote file inclusion vulnerability in login/secure.php in UeberProject Management System 1.0 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the cfg[homepath] parameter.
Published Oct 26, 2006 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Directory traversal vulnerability in index.php in Imageview 5 allows remote attackers to read or execute arbitrary local files via a .. (dot dot) in the user_settings cookie, as demonstrated by using the MyFile parameter in albumview.php to upload a text/plain .gif file containing PHP code, which is executed by index.php.
Published Oct 26, 2006 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Visual truncation vulnerability in Microsoft Internet Explorer 7 allows remote attackers to spoof the address bar and possibly conduct phishing attacks via a malicious URL containing non-breaking spaces (%A0), which causes the address bar to omit some characters from the URL.
Published Oct 26, 2006 · Updated Aug 7, 2024
Unknown · CVSS Not scored
PHP remote file inclusion vulnerability in OTSCMS/OTSCMS.php in Open Tibia Server Content Management System (OTSCMS) 1.3.0 through 1.4.1 allows remote attackers to execute arbitrary PHP code via a URL in the GLOBALS[config][otscms][directories][classes] parameter.
Published Oct 26, 2006 · Updated Aug 7, 2024
Unknown · CVSS Not scored
PHP remote file inclusion vulnerability in OTSCMS/OTSCMS.php in Open Tibia Server Content Management System (OTSCMS) 1.0.0 through 1.0.3 allows remote attackers to execute arbitrary PHP code via a URL in the GLOBALS[config][otscms][directories][includes] parameter.
Published Oct 26, 2006 · Updated Aug 7, 2024
Unknown · CVSS Not scored
backend/parser/parse_coerce.c in PostgreSQL 7.4.1 through 7.4.14, 8.0.x before 8.0.9, and 8.1.x before 8.1.5 allows remote authenticated users to cause a denial of service (daemon crash) via a coercion of an unknown element to ANYARRAY.
Published Oct 26, 2006 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Format string vulnerability in the swask command in HP-UX B.11.11 and possibly other versions allows local users to execute arbitrary code via format string specifiers in the -s argument. NOTE: this might be a duplicate of CVE-2006-2574, but the details relating to CVE-2006-2574 are too vague to be certain.
Published Oct 27, 2006 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple cross-site scripting (XSS) vulnerabilities in WebHostManager (WHM) 10.8.0 cPanel 10.9.0 R50 allow remote attackers to inject arbitrary web script or HTML via the (1) theme parameter to scripts/dosetmytheme and the (2) template parameter to scripts2/editzonetemplate.
Published Oct 26, 2006 · Updated Aug 7, 2024
Unknown · CVSS Not scored
PHP remote file inclusion vulnerability in OTSCMS/OTSCMS.php in Open Tibia Server Content Management System (OTSCMS) 2.0.0 through 2.1.3 allows remote attackers to execute arbitrary PHP code via a URL in the GLOBALS[config][directories][classes] parameter.
Published Oct 26, 2006 · Updated Aug 7, 2024
Unknown · CVSS Not scored
D-Link DSL-G624T firmware 3.00B01T01.YA-C.20060616 allows remote attackers to list contents of the cgi-bin directory via unspecified vectors, probably a direct request.
Published Oct 26, 2006 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple cross-site scripting (XSS) vulnerabilities in index.htm in Zwahlen Online Shop Freeware 5.2.2.50, and possibly earlier, allow remote attackers to inject arbitrary web script or HTML via the (1) cat, (2) Kat, (3) id, or (4) no parameters. NOTE: some of these details are obtained from third party information.
Published Oct 26, 2006 · Updated Aug 7, 2024