Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in index.php in Check Point Connectra NGX R62 HFA_01 allows remote attackers to inject arbitrary web script or HTML via the dir parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Published Jan 28, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple cross-site scripting (XSS) vulnerabilities in siteadmin/forgot.php in PHP JOBWEBSITE PRO allow remote attackers to inject arbitrary web script or HTML via (1) the adname parameter in a Submit action or (2) the UserName field.
Published Jan 27, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in readmore.php in PHP-Fusion 4.01 allows remote attackers to execute arbitrary SQL commands via the news_id parameter.
Published Jan 22, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in view_group.php in QuidaScript BookMarks Favourites Script (APB) allows remote attackers to execute arbitrary SQL commands via the id parameter.
Published Jan 30, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple directory traversal vulnerabilities in NavBoard 16 (2.6.0) allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the module parameter to (1) admin_modules.php and (2) modules.php.
Published Jan 22, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in index.php in CMS ISWEB 3.0 allows remote attackers to execute arbitrary SQL commands via the id_sezione parameter.
Published Jan 21, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Directory traversal vulnerability in defs.php in PHPcounter 1.3.2 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the l parameter.
Published Jan 28, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in the Ajax Checklist module 5.x before 5.x-1.1 for Drupal allows remote authenticated users, with create and edit permissions for posts, to inject arbitrary web script or HTML via unspecified vectors involving the ajax_checklist filter.
Published Jan 28, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
VP-ASP Shopping Cart 6.50 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the database containing the password via a direct request for database/shopping650.mdb. NOTE: some of these details are obtained from third party information.
Published Jan 21, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in search.php in AJ Auction Pro Platinum 2 allows remote attackers to inject arbitrary web script or HTML via the product parameter.
Published Jan 28, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in links.asp in Active Price Comparison 4.0 allows remote attackers to execute arbitrary SQL commands via the linkid parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Published Jan 27, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple SQL injection vulnerabilities in login.aspx in Active Price Comparison 4.0 allow remote attackers to execute arbitrary SQL commands via the (1) password and (2) username fields.
Published Jan 27, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple SQL injection vulnerabilities in Jetik Emlak Sistem A (ESA) 2.0 allow remote attackers to execute arbitrary SQL commands via the KayitNo parameter to (1) diger.php and (2) sayfalar.php.
Published Jan 28, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Directory traversal vulnerability in library/setup/rpc.php in Gravity Getting Things Done (GTD) 0.4.5 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the objectname parameter.
Published Jan 23, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Nukeviet 2.0 Beta allows remote attackers to bypass authentication and gain administrative access by setting the admf cookie to 1. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Published Jan 22, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in the Mydyngallery (com_mydyngallery) component 1.4.2 for Joomla! allows remote attackers to execute arbitrary SQL commands via the directory parameter to index.php.
Published Jan 23, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
admin/index.php in PHP iCalendar 2.3.4, 2.24, and earlier does not require administrative authentication for an addupdate action, which allows remote attackers to upload a calendar (aka .ics) file with arbitrary content to the calendars/ directory outside the web root.
Published Jan 26, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in profile_social.php in i-Net Solution Orkut Clone allows remote authenticated users to execute arbitrary SQL commands via the id parameter.
Published Jan 27, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in default.asp in Active Business Directory 2 allows remote attackers to execute arbitrary SQL commands via the catid parameter.
Published Jan 27, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Wbstreet (aka PHPSTREET Webboard) 1.0 stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain database credentials via a direct request to connect.inc.
Published Jan 23, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Untrusted search path vulnerability in the Python interface in Eye of GNOME (eog) 2.22.3, and possibly other versions, allows local users to execute arbitrary code via a Trojan horse Python file in the current working directory, related to a vulnerability in the PySys_SetArgv function (CVE-2008-5983).
Published Jan 28, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in profile_social.php in i-Net Solution Orkut Clone allows remote authenticated users to inject arbitrary web script or HTML via the id parameter.
Published Jan 27, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Directory traversal vulnerability in KTP Computer Customer Database (KTPCCD) CMS, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the p parameter to the default URI.
Published Jan 23, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple SQL injection vulnerabilities in the Hotel Booking Reservation System (aka HBS) for Joomla! allow remote attackers to execute arbitrary SQL commands via the id parameter in a showhoteldetails action to index.php in the (1) com_allhotels or (2) com_5starhotels module. NOTE: some of these details are obtained from third party information.
Published Jan 8, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple SQL injection vulnerabilities in Active Test 2.1 allow remote attackers to execute arbitrary SQL commands via the QuizID parameter to (1) questions.asp, (2) importquestions.asp, and (3) quiztakers.asp.
Published Jan 23, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in scripts/recruit_details.php in Jadu CMS for Government allows remote attackers to execute arbitrary SQL commands via the id parameter.
Published Jan 28, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
SG Real Estate Portal 2.0 allows remote attackers to bypass authentication and gain administrative access by setting the Auth cookie to 1.
Published Jan 30, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple SQL injection vulnerabilities in search.php in EsFaq 2.0 allow remote attackers to execute arbitrary SQL commands via the (1) keywords and (2) cat parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Published Jan 30, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple directory traversal vulnerabilities in SG Real Estate Portal 2.0 allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) mod, (2) page, or (3) lang parameter to index.php; or the (4) action or (5) folder parameter in a security request to admin/index.php.
Published Jan 30, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Directory traversal vulnerability in image.php in Barcode Generator 1D (barcodegen) 2.0.0 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the code parameter.
Published Jan 28, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in questions.php in EsFaq 2.0 allows remote attackers to execute arbitrary SQL commands via the cid parameter, a different vector than CVE-2008-3952. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Published Jan 30, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in scripts/links.php in Rianxosencabos CMS 0.9 allows remote attackers to execute arbitrary SQL commands via the id parameter.
Published Jan 30, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
front-end/edit.php in mini-pub 0.3 and earlier allows remote attackers to read files and obtain PHP source code via a filename in the sFileName parameter.
Published Jan 22, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
gitweb/gitweb.perl in gitweb in Git 1.6.x before 1.6.0.6, 1.5.6.x before 1.5.6.6, 1.5.5.x before 1.5.5.6, 1.5.4.x before 1.5.4.7, and other versions after 1.4.3 allows local repository owners to execute arbitrary commands by modifying the diff.external configuration variable and executing a crafted gitweb query.
Published Jan 21, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple SQL injection vulnerabilities in Ocean12 Mailing List Manager Gold allow remote attackers to execute arbitrary SQL commands via the Email parameter to (1) default.asp and (2) s_edit.asp.
Published Jan 27, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
index.php in ADN Forum 1.0b and earlier allows remote attackers to bypass authentication and gain sysop access via a fpusuario cookie composed of an initial sysop: string, an arbitrary password field, and a final :sysop:0 string.
Published Jan 28, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Directory traversal vulnerability in index.php in LokiCMS 0.3.4 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to check for the existence of arbitrary files via a .. (dot dot) in the page parameter.
Published Jan 26, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in KTP Computer Customer Database (KTPCCD) CMS, when magic_quotes_gpc is disabled, allows remote authenticated users to execute arbitrary SQL commands via the tid parameter in a vtech action to the default URI.
Published Jan 23, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Directory traversal vulnerability in print.php in PHP iCalendar 2.24 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the cookie_language parameter in a phpicalendar_* cookie, a different vector than CVE-2006-1292.
Published Jan 26, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Untrusted search path vulnerability in the Python plugin in Dia 0.96.1, and possibly other versions, allows local users to execute arbitrary code via a Trojan horse Python file in the current working directory, related to a vulnerability in the PySys_SetArgv function (CVE-2008-5983).
Published Jan 28, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Directory traversal vulnerability in docs.php in MailWatch for MailScanner 1.0.4 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the doc parameter.
Published Jan 28, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in login.aspx in Active Web Mail 4.0 allows remote attackers to execute arbitrary SQL commands via the password parameter.
Published Jan 27, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Eval injection vulnerability in library/setup/rpc.php in Gravity Getting Things Done (GTD) 0.4.5 and earlier allows remote attackers to execute arbitrary PHP code via the objectname parameter.
Published Jan 23, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple PHP remote file inclusion vulnerabilities in Micronation Banking System (minba) 1.5.0 allow remote attackers to execute arbitrary PHP code via a URL in the minsoft_path parameter to (1) utdb_access.php and (2) utgn_message.php in utility/.
Published Jan 30, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in popupproduct.php in Sunbyte e-Flower allows remote attackers to execute arbitrary SQL commands via the id parameter.
Published Jan 27, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Absolute path traversal vulnerability in front-end/dir.php in mini-pub 0.3 and earlier allows remote attackers to list arbitrary directories via a full pathname in the sDir parameter.
Published Jan 12, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
PHP remote file inclusion vulnerability in include/class_yapbbcooker.php in YapBB 1.2.Beta 2 allows remote attackers to execute arbitrary PHP code via a URL in the cfgIncludeDirectory parameter.
Published Jan 22, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in show.php in Wbstreet (aka PHPSTREET Webboard) 1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter.
Published Jan 23, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Session fixation vulnerability in Social ImpressCMS before 1.1.1 RC1 allows remote attackers to hijack web sessions by setting the PHPSESSID parameter.
Published Jan 23, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in index.php in MODx CMS 0.9.6.2 and earlier allows remote attackers to inject arbitrary web script or HTML via a JavaScript event in the username field, possibly related to snippet.ditto.php. NOTE: some sources list the id parameter as being affected, but this is probably incorrect based on the original disclosure.
Published Jan 22, 2009 · Updated Aug 7, 2024