LiveActive security incident?Get immediate response
CVE archive

November 2007

Browse CVE records published in November 2007, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 426 matching CVEs · Page 3 of 9.

Unknown · CVSS Not scored

CVE-2007-6079: Directory traversal vulnerability in include/common.php in bcoos 1.0.10 allows remote attackers to include...

Directory traversal vulnerability in include/common.php in bcoos 1.0.10 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the xoopsOption[pagetype] parameter to the default URI for modules/news/. NOTE: this can be leveraged by using legitimate product functionality to upload a file that contains the code, then including that file.

Published Nov 21, 2007 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2007-6105: Multiple PHP remote file inclusion vulnerabilities in TalkBack 2.2.7 allow remote attackers to execute arbi...

Multiple PHP remote file inclusion vulnerabilities in TalkBack 2.2.7 allow remote attackers to execute arbitrary PHP code via a URL in the (1) language_file parameter to (a) comments-display-tpl.php and (b) addons/separate-comments-mod/my-comments-display-tpl.php and the (2) config[comments_form_tpl] parameter to comments-display-tpl.php.

Published Nov 23, 2007 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2007-6127: Multiple SQL injection vulnerabilities in project alumni 1.0.9 and earlier allow remote attackers to execut...

Multiple SQL injection vulnerabilities in project alumni 1.0.9 and earlier allow remote attackers to execute arbitrary SQL commands via the year parameter to (1) view.page.inc.php, which is reachable through a view action to index.php; or (2) the year parameter to news.page.inc.php, which is reachable through a news action to index.php.

Published Nov 26, 2007 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2007-6098: Ingate Firewall before 4.6.0 and SIParator before 4.6.0 do not log truncated (1) ICMP, (2) UDP, and (3) TCP...

Ingate Firewall before 4.6.0 and SIParator before 4.6.0 do not log truncated (1) ICMP, (2) UDP, and (3) TCP packets, which has unknown impact and remote attack vectors; and do not log (4) serial-console login attempts with nonexistent usernames, which might make it easier for attackers with physical access to guess valid login credentials while avoiding detection.

Published Nov 22, 2007 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2007-6060: AhnLab Antivirus 3 Internet Security 2008 Platinum appends data to a filename string at a location indicate...

AhnLab Antivirus 3 Internet Security 2008 Platinum appends data to a filename string at a location indicated by the "Filename length" field in a ZIP header, which allows remote attackers to cause a denial of service (machine crash) and possibly execute arbitrary code via a ZIP file in which this field's value is larger than the actual number of bytes in the filename.

Published Nov 20, 2007 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2007-6030: Unspecified vulnerability in Weird Solutions BOOTPTurbo 1.2 has unknown impact and remote attack vectors.

Unspecified vulnerability in Weird Solutions BOOTPTurbo 1.2 has unknown impact and remote attack vectors. NOTE: this information is based upon a vague advisory by a vulnerability information sales organization that does not coordinate with vendors or release actionable advisories. A CVE has been assigned for tracking purposes, but duplicates with other CVEs are difficult to determine.

Published Nov 20, 2007 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2007-6100: Cross-site scripting (XSS) vulnerability in libraries/auth/cookie.auth.lib.php in phpMyAdmin before 2.11.2....

Cross-site scripting (XSS) vulnerability in libraries/auth/cookie.auth.lib.php in phpMyAdmin before 2.11.2.2, when logins are authenticated with the cookie auth_type, allows remote attackers to inject arbitrary web script or HTML via the convcharset parameter to index.php, a different vulnerability than CVE-2005-0992.

Published Nov 23, 2007 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2007-6044: Multiple unspecified vulnerabilities in IBM WebSphere MQ 6.0 have unknown impact and remote attack vectors...

Multiple unspecified vulnerabilities in IBM WebSphere MQ 6.0 have unknown impact and remote attack vectors involving "memory corruption." NOTE: as of 20071116, the only disclosure is a vague pre-advisory with no actionable information. However, since it is from a well-known researcher, it is being assigned a CVE identifier for tracking purposes.

Published Nov 20, 2007 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2007-6061: Audacity 1.3.2 creates a temporary directory with a predictable name without checking for previous existenc...

Audacity 1.3.2 creates a temporary directory with a predictable name without checking for previous existence of that directory, which allows local users to cause a denial of service (recording deadlock) by creating the directory before Audacity is run. NOTE: this issue can be leveraged to delete arbitrary files or directories via a symlink attack.

Published Nov 20, 2007 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2007-6031: Unspecified vulnerability in VanDyke VShell 3.0.1 allows remote attackers to cause a denial of service via...

Unspecified vulnerability in VanDyke VShell 3.0.1 allows remote attackers to cause a denial of service via unspecified vectors. NOTE: this information is based upon a vague advisory by a vulnerability information sales organization that does not coordinate with vendors or release actionable advisories. A CVE has been assigned for tracking purposes, but duplicates with other CVEs are difficult to determine.

Published Nov 20, 2007 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2007-6077: The session fixation protection mechanism in cgi_process.rb in Rails 1.2.4, as used in Ruby on Rails, remov...

The session fixation protection mechanism in cgi_process.rb in Rails 1.2.4, as used in Ruby on Rails, removes the :cookie_only attribute from the DEFAULT_SESSION_OPTIONS constant, which effectively causes cookie_only to be applied only to the first instantiation of CgiRequest, which allows remote attackers to conduct session fixation attacks. NOTE: this is due to an incomplete fix for CVE-2007-5380.

Published Nov 21, 2007 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2007-6039: PHP 5.2.5 and earlier allows context-dependent attackers to cause a denial of service (application crash) v...

PHP 5.2.5 and earlier allows context-dependent attackers to cause a denial of service (application crash) via a long string in (1) the domain parameter to the dgettext function, the message parameter to the (2) dcgettext or (3) gettext function, the msgid1 parameter to the (4) dngettext or (5) ngettext function, or (6) the classname parameter to the stream_wrapper_register function. NOTE: this might not be a vulnerability in most web server environments that support multiple threads, unless this issue can be demonstrated for code execution.

Published Nov 20, 2007 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2007-6028: Multiple stack-based buffer overflows in the VSFlexGrid.VSFlexGridL ActiveX control in ComponentOne FlexGri...

Multiple stack-based buffer overflows in the VSFlexGrid.VSFlexGridL ActiveX control in ComponentOne FlexGrid 7.1 Light allow remote attackers to cause a denial of service and possibly execute arbitrary code via a long string in the (1) Text, (2) EditSelText, (3) EditText, and (4) CellFontName property values.

Published Nov 20, 2007 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2007-6054: Cross-site scripting (XSS) vulnerability in the login page in the management interface in the Aruba 800 Mob...

Cross-site scripting (XSS) vulnerability in the login page in the management interface in the Aruba 800 Mobility Controller 2.5.4.18 and earlier, and 2.4.8.6-FIPS and earlier, allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to the /screens URI, related to the url variable.

Published Nov 20, 2007 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2007-6026: Stack-based buffer overflow in Microsoft msjet40.dll 4.0.8618.0 (aka Microsoft Jet Engine), as used by Acce...

Stack-based buffer overflow in Microsoft msjet40.dll 4.0.8618.0 (aka Microsoft Jet Engine), as used by Access 2003 in Microsoft Office 2003 SP3, allows user-assisted attackers to execute arbitrary code via a crafted MDB file database file containing a column structure with a modified column count. NOTE: this might be the same issue as CVE-2005-0944.

Published Nov 20, 2007 · Updated Aug 7, 2024