LiveActive security incident?Get immediate response
CVE archive

November 2006

Browse CVE records published in November 2006, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 518 matching CVEs · Page 4 of 11.

Unknown · CVSS Not scored

CVE-2006-6031: Multiple SQL injection vulnerabilities in Greater Cincinnati Internet Solutions (GCIS) ASPCart allow remote...

Multiple SQL injection vulnerabilities in Greater Cincinnati Internet Solutions (GCIS) ASPCart allow remote attackers to execute arbitrary SQL commands via (1) the prodid parameter in (a) prodetails.asp; (2) the page parameter in (b) display.asp; the (3) custid, (4) item, (5) price, (6) custom, (7) department, (8) start, (9) quantity, (10) submit, (11) custom1, (12) custom2, or (13) custom3 parameters in (c) addcart.asp; or the (14) customerid parameter in (d) payment.asp.

Published Nov 21, 2006 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2006-6018: PHP remote file inclusion vulnerability in mybic_server.php in Jim Plush My-BIC 0.6.5 allows remote attacke...

PHP remote file inclusion vulnerability in mybic_server.php in Jim Plush My-BIC 0.6.5 allows remote attackers to execute arbitrary PHP code via a URL in the INC_PATH parameter, a different vector than CVE-2006-5089. NOTE: this issue is disputed by CVE and third party researchers because INC_PATH is a constant

Published Nov 21, 2006 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2006-6032: Multiple cross-site scripting (XSS) vulnerabilities in Simple PHP Blog (SPHPBlog), probably 0.4.8, allow re...

Multiple cross-site scripting (XSS) vulnerabilities in Simple PHP Blog (SPHPBlog), probably 0.4.8, allow remote attackers to inject arbitrary web script or HTML via (1) the action parameter in add_block.php or (2) the entry parameter in index.php, different vectors than CVE-2005-1135. NOTE: this has been reported to affect 0.8, but as of 20061121, the most recent version is only 0.4.9.

Published Nov 21, 2006 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2006-5960: Multiple cross-site scripting (XSS) vulnerabilities in account_login.asp in A+ Store E-Commerce allow remot...

Multiple cross-site scripting (XSS) vulnerabilities in account_login.asp in A+ Store E-Commerce allow remote attackers to inject arbitrary web script or HTML via the (1) username (txtUserName) and (2) password (txtPassword) parameters. NOTE: portions of these details are obtained from third party information.

Published Nov 17, 2006 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2006-5981: Multiple directory traversal vulnerabilities in SeleniumServer FTP Server 1.0, and possibly earlier, allow...

Multiple directory traversal vulnerabilities in SeleniumServer FTP Server 1.0, and possibly earlier, allow remote attackers to list arbitrary directories, read arbitrary files, and upload arbitrary files via directory traversal sequences in the (1) DIR (LIST or NLST), (2) GET (RETR), and (3) PUT (STOR) commands.

Published Nov 20, 2006 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2006-5957: Multiple SQL injection vulnerabilities in INFINICART allow remote attackers to execute arbitrary SQL comman...

Multiple SQL injection vulnerabilities in INFINICART allow remote attackers to execute arbitrary SQL commands via the (1) groupid parameter in (a) browse_group.asp, (2) productid parameter in (b) added_to_cart.asp, and (3) catid and (4) subid parameter in (c) browsesubcat.asp. NOTE: the vendor has disputed this report, saying "The vulnerabilities mentioned were never present in our official released products but only in the unofficial demo version. However we do appreciate the information. We have update our demo version and made sure all those vulnerabilities are fixed.

Published Nov 17, 2006 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2006-6033: Multiple directory traversal vulnerabilities in Simple PHP Blog (SPHPBlog), probably 0.4.8, allow remote at...

Multiple directory traversal vulnerabilities in Simple PHP Blog (SPHPBlog), probably 0.4.8, allow remote attackers to read arbitrary files and possibly include arbitrary PHP code via a .. (dot dot) sequence in the blog_theme parameter in (1) index.php, (2) add_cgi.php, (3) add_link.php, (4) login.php, (5) template.php, or (6) contact.php.

Published Nov 21, 2006 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2006-5970: Verity Ultraseek before 5.7 allows remote attackers to obtain sensitive information via direct requests wit...

Verity Ultraseek before 5.7 allows remote attackers to obtain sensitive information via direct requests with (1) a null ("%00") terminated url parameter to help/urlstatusgo.html; or missing parameters to (2) help/header.html, (3) help/footer.html, (4) spell.html, (5) coreforma.html, (6) daterange.html, (7) hits.html, (8) hitsnavbottom.html, (9) indexform.html, (10) indexforma.html, (11) languages.html, (12) nohits.html, (13) onehit1.html, (14) onehit2.html, (15) query.html, (16) queryform0.html, (17) queryform0a.html, (18) queryform1.html, (19) queryform1a.html, (20) queryform2.html, (21) queryform2a.html, (22) quicklinks.html, (23) relatedtopics.html, (24) signin.html, (25) subtopics.html, (26) thesaurus.html, (27) topics.html, (28) hitspagebar.html, (29) highlight/highlight.html, (30) highlight/highlight_one.html, and (31) highlight/topnav.html, which leaks the installation path in the resulting error message.

Published Nov 18, 2006 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2006-5984: Multiple cross-site scripting (XSS) vulnerabilities in Helm Web Hosting Control Panel 3.2.10 allow remote a...

Multiple cross-site scripting (XSS) vulnerabilities in Helm Web Hosting Control Panel 3.2.10 allow remote authenticated users to inject arbitrary web script or HTML via the (1) txtCompanyName, (2) txtEmail, or (3) txtUserAccNum parameter to (a) users.asp, or the (4) setThemeColour parameter to (b) default.asp in the Reseller and Admin levels; or the (5) setThemeColour parameter to default.asp in the User level. NOTE: the txtDomainName parameter to domains.asp is covered by CVE-2006-1407, which suggests that this vector is fixed in 3.2.10 stable.

Published Nov 20, 2006 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2006-5968: MDaemon 9.0.5, 9.0.6, 9.51, and 9.53, and possibly other versions, installs the MDaemon application folder...

MDaemon 9.0.5, 9.0.6, 9.51, and 9.53, and possibly other versions, installs the MDaemon application folder with insecure permissions (Users create files/directories), which allows local users to execute arbitrary code by creating malicious RASAPI32.DLL or MPRAPI.DLL libraries in the MDaemon\APP folder, which is an untrusted search path element due to insecure permissions.

Published Nov 17, 2006 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2006-5983: Multiple cross-site scripting (XSS) vulnerabilities in JBMC Software DirectAdmin 1.28.1 allow remote authen...

Multiple cross-site scripting (XSS) vulnerabilities in JBMC Software DirectAdmin 1.28.1 allow remote authenticated users to inject arbitrary web script or HTML via the (1) user parameter to (a) CMD_SHOW_RESELLER or (b) CMD_SHOW_USER in the Admin level; the (2) TYPE parameter to (c) CMD_TICKET_CREATE or (d) CMD_TICKET, the (3) user parameter to (e) CMD_EMAIL_FORWARDER_MODIFY, (f) CMD_EMAIL_VACATION_MODIFY, or (g) CMD_FTP_SHOW, and the (4) name parameter to (h) CMD_EMAIL_LIST in the User level; or the (5) user parameter to (i) CMD_SHOW_USER in the Reseller level.

Published Nov 20, 2006 · Updated Aug 7, 2024