LiveActive security incident?Get immediate response
CVE archive

August 2007

Browse CVE records published in August 2007, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 527 matching CVEs · Page 1 of 11.

Critical · CVSS 9.8

CVE-2007-4290: Multiple PHP remote file inclusion vulnerabilities in Guestbook Script 1.9 allow remote attackers to execut...

Multiple PHP remote file inclusion vulnerabilities in Guestbook Script 1.9 allow remote attackers to execute arbitrary PHP code via a URL in the script_root parameter to (1) delete.php, (2) edit.php, or (3) inc/common.inc.php; or (4) database.php, (5) entries.php, (6) index.php, (7) logout.php, or (8) settings.php in admin/. NOTE: a third party disputes this vulnerability, noting that these scripts defend against direct requests

Published Aug 9, 2007 · Updated Jan 17, 2025

Unknown · CVSS Not scored

CVE-2007-4150: The Visionsoft Audit on Demand Service (VSAOD) in Visionsoft Audit 12.4.0.0 uses weak cryptography (XOR) wh...

The Visionsoft Audit on Demand Service (VSAOD) in Visionsoft Audit 12.4.0.0 uses weak cryptography (XOR) when (1) transmitting passwords, which allows remote attackers to obtain sensitive information by sniffing the network; and (2) storing passwords in the configuration file, which allows local users to obtain sensitive information by reading this file.

Published Aug 3, 2007 · Updated Dec 4, 2024

Unknown · CVSS Not scored

CVE-2007-4548: The login method in LoginModule implementations in Apache Geronimo 2.0 does not throw FailedLoginException...

The login method in LoginModule implementations in Apache Geronimo 2.0 does not throw FailedLoginException for failed logins, which allows remote attackers to bypass authentication requirements, deploy arbitrary modules, and gain administrative access by sending a blank username and password with the command line deployer in the deployment module.

Published Aug 27, 2007 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2007-0437: Multiple cross-site scripting (XSS) vulnerabilities in the sample Cache' Server Page (CSP) scripts in Inter...

Multiple cross-site scripting (XSS) vulnerabilities in the sample Cache' Server Page (CSP) scripts in InterSystems Cache' allow remote attackers to inject arbitrary web script or HTML via (1) the TO parameter to loop.csp, (2) the VALUE parameter to cookie.csp, and (3) the PAGE parameter to showsource.csp in csp/samples/; and allow remote authenticated users to inject arbitrary web script or HTML via (4) the ERROR parameter to csp/samples/xmlclasseserror.csp, and unspecified vectors in (5) object.csp and (6) lotteryhistory.csp in csp/samples/.

Published Aug 20, 2007 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2007-4557: Cross-site scripting (XSS) vulnerability in the webacc servlet in Novell GroupWise 6.5 WebAccess allows rem...

Cross-site scripting (XSS) vulnerability in the webacc servlet in Novell GroupWise 6.5 WebAccess allows remote attackers to inject arbitrary web script or HTML via the User.Id parameter, as demonstrated by a URL within a url field in a STYLE element, possibly due to an incomplete fix for CVE-2004-2103.2.

Published Aug 28, 2007 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2007-4635: Yahoo!

Yahoo! Messenger 8.1.0.209 and 8.1.0.402 allows remote attackers to cause a denial of service (application crash) via certain file-transfer packets, possibly involving a buffer overflow, as demonstrated by ym8bug.exe. NOTE: this might be related to CVE-2007-4515. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Published Aug 31, 2007 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2007-4633: Multiple cross-site scripting (XSS) vulnerabilities in Cisco CallManager and Unified Communications Manager...

Multiple cross-site scripting (XSS) vulnerabilities in Cisco CallManager and Unified Communications Manager (CUCM) before 3.3(5)sr2b, 4.1 before 4.1(3)sr5, 4.2 before 4.2(3)sr2, and 4.3 before 4.3(1)sr1 allow remote attackers to inject arbitrary web script or HTML via the lang variable to the (1) user or (2) admin logon page, aka CSCsi10728.

Published Aug 31, 2007 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2007-4632: Cisco IOS 12.2E, 12.2F, and 12.2S places a "no login" line into the VTY configuration when an administrator...

Cisco IOS 12.2E, 12.2F, and 12.2S places a "no login" line into the VTY configuration when an administrator makes certain changes to a (1) VTY/AUX or (2) CONSOLE setting on a device without AAA enabled, which allows remote attackers to bypass authentication and obtain a terminal session, a different vulnerability than CVE-1999-0293 and CVE-2005-2105.

Published Aug 31, 2007 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2007-4648: The nvcoaft51 driver in Norman Virus Control (NVC) 5.82 uses weak permissions (unrestricted write access) f...

The nvcoaft51 driver in Norman Virus Control (NVC) 5.82 uses weak permissions (unrestricted write access) for the NvcOa device, which allows local users to gain privileges by (1) triggering a buffer overflow in a kernel pool via a string argument to ioctl 0xBF67201C; or by (2) sending a crafted KEVENT structure through ioctl 0xBF672028 to overwrite arbitrary memory locations.

Published Aug 31, 2007 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2007-4642: Multiple buffer overflows in Doomsday (aka deng) 1.9.0-beta5.1 and earlier allow remote attackers to execut...

Multiple buffer overflows in Doomsday (aka deng) 1.9.0-beta5.1 and earlier allow remote attackers to execute arbitrary code via a long chat (PKT_CHAT) message that is not properly handled by the (1) D_NetPlayerEvent function in d_net.c or the (2) Msg_Write function in net_msg.c, or (3) many commands that are not properly handled by the NetSv_ReadCommands function in d_netsv.c; or (4) cause a denial of service (daemon crash) via a chat (PKT_CHAT) message without a final '\0' character.

Published Aug 31, 2007 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2007-4613: SSL libraries in BEA WebLogic Server 6.1 Gold through SP7, 7.0 Gold through SP7, and 8.1 Gold through SP5 m...

SSL libraries in BEA WebLogic Server 6.1 Gold through SP7, 7.0 Gold through SP7, and 8.1 Gold through SP5 might allow remote attackers to obtain plaintext from an SSL stream via a man-in-the-middle attack that injects crafted data and measures the elapsed time before an error response, a different vulnerability than CVE-2006-2461.

Published Aug 31, 2007 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2007-4634: Multiple SQL injection vulnerabilities in Cisco CallManager and Unified Communications Manager (CUCM) befor...

Multiple SQL injection vulnerabilities in Cisco CallManager and Unified Communications Manager (CUCM) before 3.3(5)sr2b, 4.1 before 4.1(3)sr5, 4.2 before 4.2(3)sr2, and 4.3 before 4.3(1)sr1 allow remote attackers to execute arbitrary SQL commands via the lang variable to the (1) user or (2) admin logon page, aka CSCsi64265.

Published Aug 31, 2007 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2007-4595: Cross-site scripting (XSS) vulnerability in Mayaa before 1.1.12 allows remote attackers to inject arbitrary...

Cross-site scripting (XSS) vulnerability in Mayaa before 1.1.12 allows remote attackers to inject arbitrary web script or HTML in certain circumstances involving (1) lack of charset specification within a META element or (2) a META element that specifies an unrecognized charset, which trigger automatic character set recognition by the web browser, as demonstrated by improper handling of UTF-7 data.

Published Aug 29, 2007 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2007-4639: EnterpriseDB Advanced Server 8.2 does not properly handle certain debugging function calls that occur befor...

EnterpriseDB Advanced Server 8.2 does not properly handle certain debugging function calls that occur before a call to pldbg_create_listener, which allows remote authenticated users to cause a denial of service (daemon crash) and possibly execute arbitrary code via a SELECT statement that invokes a pldbg_ function, as demonstrated by (1) pldbg_get_stack and (2) pldbg_abort_target, which triggers use of an uninitialized pointer.

Published Aug 31, 2007 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2007-4606: PHP remote file inclusion vulnerability in convert/mvcw_conver.php in the Virtual War (VWar) module for PHP...

PHP remote file inclusion vulnerability in convert/mvcw_conver.php in the Virtual War (VWar) module for PHPNuke-Clan (PNC) 4.2.0 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the vwar_root parameter, a different vector than CVE-2006-1602. NOTE: it is possible that this issue stems from a problem in VWar itself.

Published Aug 31, 2007 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2007-4609: eyeOS uses predictable checksum values in the checknum parameter for access control, which allows remote at...

eyeOS uses predictable checksum values in the checknum parameter for access control, which allows remote attackers to register many accounts via doCreateUser actions, add many eyeBoard messages via addMsg actions, and cause a denial of service or conduct certain unauthorized activities, by guessing valid parameter values.

Published Aug 31, 2007 · Updated Aug 7, 2024