Unknown · CVSS Not scored
Heap-based buffer overflow in the Data Protection for SQL CAD service (aka dsmcat.exe) in the Client Acceptor Daemon (CAD) and the scheduler in the Backup-Archive client 5.1.0.0 through 5.1.8.1, 5.2.0.0 through 5.2.5.2, 5.3.0.0 through 5.3.6.1, 5.4.0.0 through 5.4.2.2, and 5.5.0.0 through 5.5.0.91 in IBM Tivoli Storage Manager (TSM); and the Backup-Archive client in TSM Express; allows remote attackers to execute arbitrary code by sending a large amount of crafted data to a TCP port.
Published Oct 30, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
pamperspective in Netpbm before 10.35.48 does not properly calculate a window height, which allows context-dependent attackers to cause a denial of service (crash) via a crafted image file that triggers an out-of-bounds read.
Published Oct 30, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in easyshop.php in the EasyShop plugin for e107 allows remote attackers to execute arbitrary SQL commands via the category_id parameter.
Published Oct 29, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3 and earlier, as used in (1) ampache, (2) libphp-snoopy, (3) mahara, (4) mediamate, (5) opendb, (6) pixelpost, and possibly other products, allows remote attackers to execute arbitrary commands via shell metacharacters in https URLs.
Published Oct 30, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in index.php in Simple PHP Scripts gallery 0.1, 0.3, and 0.4 allows remote attackers to inject arbitrary web script or HTML via the gallery parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Published Oct 31, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
The node module API in Drupal 5.x before 5.11 allows remote attackers to bypass node validation and have unspecified other impact via unknown vectors related to contributed modules.
Published Oct 29, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in the Gallery module 1.3 for PHP-Nuke allows remote attackers to execute arbitrary SQL commands via the aid parameter in a showalbum action to index.php. NOTE: some of these details are obtained from third party information. NOTE: this issue was disclosed by an unreliable researcher, so it might be incorrect.
Published Oct 31, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
libgadu before 1.8.2 allows remote servers to cause a denial of service (crash) via a contact description with a large length, which triggers a buffer over-read.
Published Oct 28, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
aflog 1.01 allows remote attackers to bypass authentication and gain administrative access by setting the aflog_auth_a cookie to "A" or "O" in (1) edit_delete.php, (2) edit_cat.php, (3) edit_lock.php, and (4) edit_form.php.
Published Oct 29, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in complete.php in Simple PHP Scripts blog 0.3 allows remote attackers to inject arbitrary web script or HTML via the id parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Published Oct 31, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in the Showroom Joomlearn LMS (com_lms) component for Joomla! and Mambo allows remote attackers to execute arbitrary SQL commands via the cat parameter in a showTests task.
Published Oct 29, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in pmd_pdf.php in phpMyAdmin 3.0.0, and possibly other versions including 2.11.9.2 and 3.0.1, when register_globals is enabled, allows remote attackers to inject arbitrary web script or HTML via the db parameter, a different vector than CVE-2006-6942 and CVE-2007-5977.
Published Oct 28, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
IBM Lotus Connections 2.x before 2.0.1 stores the password for the administrative user in the trace.log file, which allows local users to obtain sensitive information by reading this file. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Published Oct 31, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Directory traversal vulnerability in update.php in MyKtools 2.4 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the langage parameter.
Published Oct 29, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
The core upload module in Drupal 5.x before 5.11 allows remote authenticated users to bypass intended access restrictions and read "files attached to content" via unknown vectors.
Published Oct 29, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Stack-based buffer overflow in VATDecoder.VatCtrl.1 ActiveX control in (1) 4xem VatCtrl Class (VATDecoder.dll 1.0.0.27 and 1.0.0.51), (2) D-Link MPEG4 SHM Audio Control (VAPGDecoder.dll 1.7.0.5), (3) Vivotek RTSP MPEG4 SP Control (RtspVapgDecoderNew.dll 2.0.0.39), and possibly other products, allows remote attackers to execute arbitrary code via a long Url property. NOTE: some of these details are obtained from third party information.
Published Oct 28, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Microsoft Internet Explorer 6 omits high-bit URL-encoded characters when displaying the address bar, which allows remote attackers to spoof the address bar via a URL with a domain name that differs from an important domain name only in these characters, as demonstrated by using exam%A9ple.com to spoof example.com, aka MSRC ticket MSRC7900.
Published Oct 29, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in public/code/cp_polls_results.php in All In One Control Panel (AIOCP) 1.4 allows remote attackers to execute arbitrary SQL commands via the poll_id parameter.
Published Oct 29, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in main/main.php in QuestCMS allows remote attackers to inject arbitrary web script or HTML via the cx parameter.
Published Oct 28, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
tlAds 1.0 allows remote attackers to bypass authentication and gain administrative access by setting the tlAds_login cookie to "admin."
Published Oct 29, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Stack-based buffer overflow in TUGzip 3.5.0.0 allows remote attackers to denial of service (crash) or execute arbitrary code via a long filename in a .zip file.
Published Oct 29, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in the gallery module in Koobi CMS 4.3.0 allows remote attackers to execute arbitrary SQL commands via the galid parameter in a showimages action.
Published Oct 29, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Directory traversal vulnerability in admin/centre.php in MyForum 1.3, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the padmin parameter.
Published Oct 29, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in TLM CMS 3.1 allows remote attackers to execute arbitrary SQL commands via the nom parameter to a-b-membres.php. NOTE: the goodies.php vector is already covered by CVE-2007-4808. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Published Oct 28, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in main/main.php in QuestCMS allows remote attackers to execute arbitrary SQL commands via the obj parameter.
Published Oct 28, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Directory traversal vulnerability in the get_category_template function in wp-includes/theme.php in WordPress 2.3.3 and earlier, and 2.5, allows remote attackers to include and possibly execute arbitrary PHP files via the cat parameter in index.php. NOTE: some of these details are obtained from third party information.
Published Oct 28, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple PHP remote file inclusion vulnerabilities in The Gemini Portal 4.7 allow remote attackers to execute arbitrary PHP code via a URL in the lang parameter to (1) page/forums/bottom.php and (2) page/forums/category.php.
Published Oct 23, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple SQL injection vulnerabilities in PHP-Daily allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to (a) add_postit.php (b) delete.php, and (c) mod_prest_date.php; and the (2) prev parameter to (d) prest_detail.php.
Published Oct 28, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in index.php in RPG.Board 0.8 Beta2 and earlier allows remote attackers to execute arbitrary SQL commands via the showtopic parameter.
Published Oct 24, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in EditUrl.php in AJ Square RSS Reader allows remote attackers to execute arbitrary SQL commands via the url parameter.
Published Oct 27, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in emailFriend.asp in Uniwin eCart Professional 2.0.17 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Published Oct 27, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple cross-site scripting (XSS) vulnerabilities in interface/Login.php in TimeTrex 2.2.11 allow remote attackers to inject arbitrary web script or HTML via the (1) password and (2) user_name parameters.
Published Oct 27, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Directory traversal vulnerability in templater.php in the ZZ_Templater module in TinyCMS 1.1.2, when register_globals is enabled and magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the config[template] parameter.
Published Oct 27, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in view.php in 212cafe Board 0.07 allows remote attackers to execute arbitrary SQL commands via the qID parameter.
Published Oct 23, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple SQL injection vulnerabilities in Uniwin eCart Professional 2.0.17 allow remote attackers to execute arbitrary SQL commands via unspecified vectors to (1) search.asp and (2) cartUtil.asp.
Published Oct 27, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in CafeEngine allows remote attackers to execute arbitrary SQL commands via the id parameter to (1) dish.php and (2) menu.php.
Published Oct 17, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Directory traversal vulnerability in the eXtplorer module (com_extplorer) 2.0.0 RC2 and earlier in Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the dir parameter in a show_error action.
Published Oct 28, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Directory traversal vulnerability in index.php in PlugSpace 0.1, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the navi parameter.
Published Oct 24, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
GuildFTPd 0.999.14, and possibly other versions, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via long arguments to the CWD and LIST commands, which triggers heap corruption related to an improper free call, and possibly triggering a heap-based buffer overflow.
Published Oct 15, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
The Stream Control Transmission Protocol (sctp) implementation in the Linux kernel before 2.6.27 does not properly handle a protocol violation in which a parameter has an invalid length, which allows attackers to cause a denial of service (panic) via unspecified vectors, related to sctp_sf_violation_paramlen, sctp_sf_abort_violation, sctp_make_abort_violation, and incorrect data types in function calls.
Published Oct 20, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Unrestricted file upload vulnerability in the DownloadsPlus module in PHP-Nuke allows remote attackers to execute arbitrary code by uploading a file with (1) .htm, (2) .html, or (3) .txt extensions, then accessing it via a direct request to the file. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. NOTE: it is unclear how allowing the upload of .html or .txt files supports arbitrary code execution; this might be legitimate functionality.
Published Oct 28, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple insecure method vulnerabilities in the DeployRun.DeploymentSetup.1 (DeployRun.dll) ActiveX control 10.0.0.44 in Hummingbird Deployment Wizard 2008 allow remote attackers to execute arbitrary programs via the (1) Run and (2) PerformUpdateAsync methods, and (3) modify arbitrary registry values via the SetRegistryValueAsString method. NOTE: the SetRegistryValueAsString method could be leveraged for code execution by specifying executable file values to Startup folders.
Published Oct 23, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in MyID.php in phpMyID 0.9 allows remote attackers to inject arbitrary web script or HTML via the openid_trust_root parameter and an inconsistent openid_return_to parameter, which is not properly handled in an error message.
Published Oct 24, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Directory traversal vulnerability in download.php in BuzzyWall 1.3.1 allows remote attackers to read arbitrary local files via a .. (dot dot) in the id parameter.
Published Oct 28, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in Opera.dll in Opera 9.52 allows remote attackers to inject arbitrary web script or HTML via the query string, which is not properly escaped before storage in the History Search database (aka md.dat), a different vector than CVE-2008-4696. NOTE: some of these issues were addressed before 9.60.
Published Oct 23, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in bannerclick.php in ZeeScripts Zeeproperty allows remote attackers to execute arbitrary SQL commands via the adid parameter.
Published Oct 21, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Stack-based buffer overflow in the Message::AddToString function in message/Message.cpp in MUSCLE before 4.40 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted message. NOTE: some of these details are obtained from third party information.
Published Oct 21, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
PHP remote file inclusion vulnerability in header.php in Concord Asset, Software, and Ticket system (CoAST) 0.95 allows remote attackers to execute arbitrary PHP code via a URL in the sections_file parameter.
Published Oct 24, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Use-after-free vulnerability in the dissect_q931_cause_ie function in packet-q931.c in the Q.931 dissector in Wireshark 0.10.3 through 1.0.3 allows remote attackers to cause a denial of service (application crash or abort) via certain packets that trigger an exception.
Published Oct 22, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Stack-based buffer overflow in Hummingbird.XWebHostCtrl.1 ActiveX control (hclxweb.dll) in Hummingbird Xweb ActiveX Control 13.0 and earlier allows remote attackers to execute arbitrary code via a long PlainTextPassword property. NOTE: code execution might not be possible in 13.0.
Published Oct 23, 2008 · Updated Aug 7, 2024