LiveActive security incident?Get immediate response
CVE archive

2007 CVE Archive

Browse CVE records published in 2007 CVE Archive, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 6458 matching CVEs · Page 1 of 130.

Unknown · CVSS Not scored

CVE-2007-2447: The MS-RPC functionality in smbd in Samba 3.0.0 through 3.0.25rc3 allows remote attackers to execute arbitr...

The MS-RPC functionality in smbd in Samba 3.0.0 through 3.0.25rc3 allows remote attackers to execute arbitrary commands via shell metacharacters involving the (1) SamrChangePassword function, when the "username map script" smb.conf option is enabled, and allows remote authenticated users to execute commands via shell metacharacters involving other MS-RPC functions in the (2) remote printer and (3) file share management.

Published May 14, 2007 · Updated Nov 4, 2025

Low · CVSS 3.5

CVE-2007-10001: web-cyradm search.php sql injection

A vulnerability classified as problematic has been found in web-cyradm. This affects an unknown part of the file search.php. The manipulation of the argument searchstring leads to sql injection. It is recommended to apply a patch to fix this issue. The identifier VDB-217449 was assigned to this vulnerability.

Published Jan 5, 2023 · Updated Apr 10, 2025

High · CVSS 7.5

CVE-2007-10002: web-cyradm auth.inc.php sql injection

A vulnerability, which was classified as critical, has been found in web-cyradm. Affected by this issue is some unknown functionality of the file auth.inc.php. The manipulation of the argument login/login_password/LANG leads to sql injection. The attack may be launched remotely. The name of the patch is 2bcbead3bdb5f118bf2c38c541eaa73c29dcc90f. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-217640.

Published Jan 8, 2023 · Updated Apr 9, 2025

Medium · CVSS 5.3

CVE-2007-3650: myWebland myBloggie 2.1.6 allow remote attackers to obtain sensitive information via (1) an invalid year pa...

myWebland myBloggie 2.1.6 allow remote attackers to obtain sensitive information via (1) an invalid year parameter to calendar.php, reached through index.php; (2) a direct request to common.php; and (3) a mode array parameter in the query string to login.php, which reveal the installation path in various error messages.

Published Jul 9, 2008 · Updated Apr 3, 2025

Critical · CVSS 9.8

CVE-2007-4039: Argument injection vulnerability involving Mozilla, when certain URIs are registered, allows remote attacke...

Argument injection vulnerability involving Mozilla, when certain URIs are registered, allows remote attackers to conduct cross-browser scripting attacks and execute arbitrary commands via shell metacharacters in an unspecified URI, which are inserted into the command line when invoking the handling process, a similar issue to CVE-2007-3670.

Published Jul 27, 2007 · Updated Apr 3, 2025

High · CVSS 8.8

CVE-2007-4040: Argument injection vulnerability involving Microsoft Outlook and Outlook Express, when certain URIs are reg...

Argument injection vulnerability involving Microsoft Outlook and Outlook Express, when certain URIs are registered, allows remote attackers to conduct cross-browser scripting attacks and execute arbitrary commands via shell metacharacters in an unspecified URI, which are inserted into the command line when invoking the handling process, a similar issue to CVE-2007-3670.

Published Jul 27, 2007 · Updated Apr 3, 2025

Critical · CVSS 9.8

CVE-2007-5775: Unspecified vulnerability in BitDefender allows attackers to execute arbitrary code via unspecified vectors...

Unspecified vulnerability in BitDefender allows attackers to execute arbitrary code via unspecified vectors, aka EEYEB-20071024. NOTE: as of 20071029, the only disclosure is a vague pre-advisory with no actionable information. However, since it is from a well-known researcher, it is being assigned a CVE identifier for tracking purposes.

Published Nov 1, 2007 · Updated Apr 3, 2025

Critical · CVSS 9.8

CVE-2007-5097: PHP remote file inclusion vulnerability in lib/classes/offl_nflteam.php in Online Fantasy Football League (...

PHP remote file inclusion vulnerability in lib/classes/offl_nflteam.php in Online Fantasy Football League (OFFL) 0.2.6 allows remote attackers to execute arbitrary PHP code via a URL in the DOC_ROOT parameter. NOTE: this issue is disputed by CVE because a __FILE__ test protects offl_nflteam.php against direct requests

Published Sep 26, 2007 · Updated Jan 17, 2025

Medium · CVSS 6.1

CVE-2007-4465: Cross-site scripting (XSS) vulnerability in mod_autoindex.c in the Apache HTTP Server before 2.2.6, when th...

Cross-site scripting (XSS) vulnerability in mod_autoindex.c in the Apache HTTP Server before 2.2.6, when the charset on a server-generated page is not defined, allows remote attackers to inject arbitrary web script or HTML via the P parameter using the UTF-7 charset. NOTE: it could be argued that this issue is due to a design limitation of browsers that attempt to perform automatic content type detection.

Published Sep 14, 2007 · Updated Jan 17, 2025

Medium · CVSS 5.3

CVE-2007-4786: Cisco Adaptive Security Appliance (ASA) running PIX 7.0 before 7.0.7.1, 7.1 before 7.1.2.61, 7.2 before 7.2...

Cisco Adaptive Security Appliance (ASA) running PIX 7.0 before 7.0.7.1, 7.1 before 7.1.2.61, 7.2 before 7.2.2.34, and 8.0 before 8.0.2.11, when AAA is enabled, composes %ASA-5-111008 messages from the "test aaa" command with cleartext passwords and sends them over the network to a remote syslog server or places them in a local logging buffer, which allows context-dependent attackers to obtain sensitive information.

Published Sep 10, 2007 · Updated Jan 17, 2025

Critical · CVSS 9.8

CVE-2007-4290: Multiple PHP remote file inclusion vulnerabilities in Guestbook Script 1.9 allow remote attackers to execut...

Multiple PHP remote file inclusion vulnerabilities in Guestbook Script 1.9 allow remote attackers to execute arbitrary PHP code via a URL in the script_root parameter to (1) delete.php, (2) edit.php, or (3) inc/common.inc.php; or (4) database.php, (5) entries.php, (6) index.php, (7) logout.php, or (8) settings.php in admin/. NOTE: a third party disputes this vulnerability, noting that these scripts defend against direct requests

Published Aug 9, 2007 · Updated Jan 17, 2025

High · CVSS 7.5

CVE-2007-3816: JWIG might allow context-dependent attackers to cause a denial of service (service degradation) via loops o...

JWIG might allow context-dependent attackers to cause a denial of service (service degradation) via loops of references to external templates. NOTE: this issue has been disputed by multiple third parties who state that only the application developer can trigger the issue, so no privilege boundaries are crossed. However, it seems possible that this is a vulnerability class to which an JWIG application may be vulnerable if template contents can be influenced, but this would be an issue in the application itself, not JWIG

Published Jul 17, 2007 · Updated Jan 17, 2025

Critical · CVSS 9.8

CVE-2007-3194: Multiple PHP remote file inclusion vulnerabilities in myBloggie 2.1.5 allow remote attackers to execute arb...

Multiple PHP remote file inclusion vulnerabilities in myBloggie 2.1.5 allow remote attackers to execute arbitrary PHP code via a URL in the bloggie_root_path parameter to (1) config.php; (2) db.php, (3) template.php, (4) functions.php, and (5) classes.php in includes/; (6) viewmode.php; and (7) blog_body.php. NOTE: another researcher disputes the vulnerability because the files are protected against direct requests, contain no relevant include statements, or do not exist

Published Jun 12, 2007 · Updated Jan 17, 2025

Critical · CVSS 9.8

CVE-2007-2422: Multiple PHP remote file inclusion vulnerabilities in Modules Builder (modbuild) 4.1 for Comdev One Admin a...

Multiple PHP remote file inclusion vulnerabilities in Modules Builder (modbuild) 4.1 for Comdev One Admin allow remote attackers to execute arbitrary PHP code via a URL in the path[docroot] parameter to (1) config-bak.php or (2) config.php. NOTE: CVE disputes this vulnerability because the unmodified scripts set the applicable variable to the empty string; reasonable modified copies would use a fixed pathname string

Published May 2, 2007 · Updated Jan 17, 2025

Medium · CVSS 5.4

CVE-2007-1679: Multiple cross-site scripting (XSS) vulnerabilities in Horde Groupware Webmail 1.0 allow remote authenticat...

Multiple cross-site scripting (XSS) vulnerabilities in Horde Groupware Webmail 1.0 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors in (1) imp/search.php and (2) ingo/rule.php. NOTE: this issue has been disputed by the vendor, noting that the search.php issue was resolved in CVE-2006-4255, and attackers can only use rule.php to inject XSS into their own pages

Published Mar 26, 2007 · Updated Jan 17, 2025

High · CVSS 7.8

CVE-2007-0257: Unspecified vulnerability in the expand_stack function in grsecurity PaX allows local users to gain privile...

Unspecified vulnerability in the expand_stack function in grsecurity PaX allows local users to gain privileges via unspecified vectors. NOTE: the grsecurity developer has disputed this issue, stating that "the function they claim the vulnerability to be in is a trivial function, which can, and has been, easily checked for any supposed vulnerabilities." The developer also cites a past disclosure that was not proven. As of 20070120, the original researcher has released demonstration code

Published Jan 16, 2007 · Updated Jan 17, 2025

Unknown · CVSS Not scored

CVE-2007-4150: The Visionsoft Audit on Demand Service (VSAOD) in Visionsoft Audit 12.4.0.0 uses weak cryptography (XOR) wh...

The Visionsoft Audit on Demand Service (VSAOD) in Visionsoft Audit 12.4.0.0 uses weak cryptography (XOR) when (1) transmitting passwords, which allows remote attackers to obtain sensitive information by sniffing the network; and (2) storing passwords in the configuration file, which allows local users to obtain sensitive information by reading this file.

Published Aug 3, 2007 · Updated Dec 4, 2024

Unknown · CVSS Not scored

CVE-2007-5551: Off-by-one error in Cisco IOS allows remote attackers to execute arbitrary code via unspecified vectors tha...

Off-by-one error in Cisco IOS allows remote attackers to execute arbitrary code via unspecified vectors that trigger a heap-based buffer overflow. NOTE: as of 20071016, the only disclosure is a vague pre-advisory with no actionable information. However, since it is from a well-known researcher, it is being assigned a CVE identifier for tracking purposes.

Published Oct 18, 2007 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2007-5556: Unspecified vulnerability in the Avaya VoIP Handset allows remote attackers to cause a denial of service (r...

Unspecified vulnerability in the Avaya VoIP Handset allows remote attackers to cause a denial of service (reboot) via crafted packets. NOTE: as of 20071016, the only disclosure is a vague pre-advisory with no actionable information. However, since it is from a well-known researcher, it is being assigned a CVE identifier for tracking purposes.

Published Oct 18, 2007 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2007-3841: Unspecified vulnerability in Pidgin (formerly Gaim) 2.0.2 for Linux allows remote authenticated users, who...

Unspecified vulnerability in Pidgin (formerly Gaim) 2.0.2 for Linux allows remote authenticated users, who are listed in a users list, to execute certain commands via unspecified vectors, aka ZD-00000035. NOTE: this information is based upon a vague advisory by a vulnerability information sales organization that does not coordinate with vendors or release actionable advisories. A CVE has been assigned for tracking purposes, but duplicates with other CVEs are difficult to determine.

Published Jul 17, 2007 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2007-5561: Format string vulnerability in the logging function in the Oracle OPMN daemon, as used on Oracle Enterprise...

Format string vulnerability in the logging function in the Oracle OPMN daemon, as used on Oracle Enterprise Grid Console server 10.2.0.1, allows remote attackers to execute arbitrary code via format string specifiers in the URI in an HTTP request to port 6003, aka Oracle reference number 6296175. NOTE: this might be the same issue as CVE-2007-0282 or CVE-2007-0280, but there are insufficient details to be sure.

Published Oct 18, 2007 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2007-3627: Multiple SQL injection vulnerabilities in PHP Lite Calendar Express 2.2 allow remote attackers to execute a...

Multiple SQL injection vulnerabilities in PHP Lite Calendar Express 2.2 allow remote attackers to execute arbitrary SQL commands via the cid parameter to (1) login.php, (2) auth.php, and (3) subscribe.php. NOTE: the month.php, year.php, week.php, and day.php vectors are already covered by CVE-2005-4009. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Published Jul 9, 2007 · Updated Sep 17, 2024