Unknown · CVSS Not scored
SQL injection vulnerability in visitorduration.php in Gonafish WebStatCaffe allows remote attackers to execute arbitrary SQL commands via the nodayshow parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Published Mar 15, 2010 · Updated Sep 16, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in the tag cloud search script (horde/services/portal/cloud_search.php) in Horde before 3.2.4 and 3.3.3, and Horde Groupware before 1.1.5, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Published Mar 17, 2009 · Updated Sep 16, 2024
Unknown · CVSS Not scored
SmoothWall SmoothGuardian, as used in SmoothWall Firewall, NetworkGuardian, and SchoolGuardian 2008, when transparent interception mode is enabled, uses the HTTP Host header to determine the remote endpoint, which allows remote attackers to bypass access controls for Flash, Java, Silverlight, and probably other technologies, and possibly communicate with restricted intranet sites, via a crafted web page that causes a client to send HTTP requests with a modified Host header.
Published Mar 4, 2009 · Updated Sep 16, 2024
Unknown · CVSS Not scored
Open Ticket Request System (OTRS) before 2.4.4 grants ticket access on the basis of single-digit substrings of the CustomerID value, which allows remote authenticated users to bypass intended access restrictions in opportunistic circumstances by visiting a ticket, as demonstrated by leveraging the CustomerID 12 account to read tickets that should be available only to CustomerID 1 or CustomerID 2.
Published Mar 18, 2011 · Updated Sep 16, 2024
Unknown · CVSS Not scored
Open Ticket Request System (OTRS) before 2.4.0-beta2 does not properly enforce the move_into permission setting for a queue, which allows remote authenticated users to bypass intended access restrictions and read a ticket by watching this ticket, and then selecting the ticket from the watched-tickets list.
Published Mar 18, 2011 · Updated Sep 16, 2024
Unknown · CVSS Not scored
Sun Java System Identity Manager (IdM) 7.0 through 8.0 allows remote authenticated users to gain privileges by submitting crafted commands to the Admin Console, as demonstrated by privileges for account creation and other administrative capabilities, related to the saveNoValidate action and saveNoValidateAllowedFormsAndWorkflows IDs.
Published Mar 25, 2009 · Updated Sep 16, 2024
Unknown · CVSS Not scored
Unspecified vulnerability in the Webesse E-Card (ws_ecard) extension 1.0.2 and earlier for TYPO3 allows remote attackers to obtain sensitive information via unknown vectors.
Published Mar 15, 2010 · Updated Sep 16, 2024
Unknown · CVSS Not scored
Multiple eval injection vulnerabilities in phpScheduleIt before 1.2.11 allow remote attackers to execute arbitrary code via (1) the end_date parameter to reserve.php and (2) the start_date and end_date parameters to check.php. NOTE: the start_date/reserve.php vector is already covered by CVE-2008-6132.
Published Mar 5, 2009 · Updated Sep 16, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in the Tour Extension (pm_tour) extension before 0.0.13 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
Published Mar 15, 2010 · Updated Sep 16, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in the Mailform (mailform) extension before 0.9.24 for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Published Mar 15, 2010 · Updated Sep 16, 2024
Unknown · CVSS Not scored
Directory traversal vulnerability in the Webesse E-Card (ws_ecard) extension 1.0.2 and earlier for TYPO3 has unspecified impact and remote attack vectors.
Published Mar 26, 2010 · Updated Sep 16, 2024
Unknown · CVSS Not scored
Mozilla Firefox 2.0.0.20 and earlier allows remote attackers to cause a denial of service (application crash) via nested calls to the window.print function, as demonstrated by a window.print(window.print()) in the onclick attribute of an INPUT element.
Published Mar 5, 2009 · Updated Sep 16, 2024
Unknown · CVSS Not scored
Multiple cross-site scripting (XSS) vulnerabilities in Gonafish WebStatCaffe allow remote attackers to inject arbitrary web script or HTML via the (1) host parameter to stat/host.php, nodayshow parameter to (2) mostvisitpage.php and (3) visitorduration.php in stat/, (4) nopagesmost parameter to stat/mostvisitpagechart.php, and date parameter to (5) pageviewers.php, (6) pageviewerschart.php, and (7) referer.php in stat/.
Published Mar 15, 2010 · Updated Sep 16, 2024
Unknown · CVSS Not scored
An issue was discovered in MantisBT before 2.24.5. It associates a unique cookie string with each user. This string is not reset upon logout (i.e., the user session is still considered valid and active), allowing an attacker who somehow gained access to a user's cookie to login as them.
Published Mar 7, 2021 · Updated Aug 7, 2024
Unknown · CVSS Not scored
DL::dlopen in Ruby 1.8, 1.9.0, 1.9.2, 1.9.3, 2.0.0 before patchlevel 648, and 2.1 before 2.1.8 opens libraries with tainted names.
Published Mar 29, 2017 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Invision Power Board (aka IPB or IP.Board) 2.x through 3.0.4, when Internet Explorer 5 is used, allows XSS via a .txt attachment.
Published Mar 13, 2020 · Updated Aug 7, 2024
Unknown · CVSS Not scored
GnuTLS before 2.7.6, when the GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT flag is not enabled, treats version 1 X.509 certificates as intermediate CAs, which allows remote attackers to bypass intended restrictions by leveraging a X.509 V1 certificate from a trusted CA to issue new certificates, a different vulnerability than CVE-2014-1959.
Published Mar 6, 2014 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in wgarcmin.cgi in WebGlimpse 2.18.7 and earlier allows remote attackers to inject arbitrary web script or HTML via the DOC parameter.
Published Mar 19, 2012 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Directory traversal vulnerability in wgarcmin.cgi in WebGlimpse 2.18.7 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the DOC parameter.
Published Mar 19, 2012 · Updated Aug 7, 2024
Unknown · CVSS Not scored
wgarcmin.cgi in WebGlimpse 2.18.7 and earlier allows remote attackers to obtain the installation path via a crafted request.
Published Mar 19, 2012 · Updated Aug 7, 2024
Unknown · CVSS Not scored
ldd in the GNU C Library (aka glibc or libc6) 2.13 and earlier allows local users to gain privileges via a Trojan horse executable file linked with a modified loader that omits certain LD_TRACE_LOADED_OBJECTS checks. NOTE: the GNU C Library vendor states "This is just nonsense. There are a gazillion other ways to introduce code if people are downloading arbitrary binaries and install them in appropriate directories or set LD_LIBRARY_PATH etc.
Published Mar 30, 2011 · Updated Aug 7, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in shop.htm in PaymentProcessorScript.net PPScript allows remote attackers to execute arbitrary SQL commands via the cid parameter.
Published Mar 18, 2010 · Updated Aug 7, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in index.php in Discloser 0.0.4 rc2 allows remote attackers to execute arbitrary SQL commands via the more parameter.
Published Mar 18, 2010 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Stack-based buffer overflow in dicas Mpegable Player 2.12 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long string in a .YUV file.
Published Mar 29, 2010 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in the Contact module in Exponent CMS 0.97-GA20090213 allows remote attackers to inject arbitrary web script or HTML via the email parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Published Mar 26, 2010 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Buffer overflow in BrotherSoft BMXPlay 0.4.4b allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long string in a .BMX file.
Published Mar 29, 2010 · Updated Aug 7, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in the administrative interface in Questions Answered 1.3 allows remote attackers to execute arbitrary SQL commands via the username parameter. NOTE: some of these details are obtained from third party information.
Published Mar 18, 2010 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple SQL injection vulnerabilities in PHP Live! 3.2.1 and 3.2.2 allow remote attackers to execute arbitrary SQL commands via the x parameter to (1) message_box.php and (2) request.php.
Published Mar 26, 2010 · Updated Aug 7, 2024
Unknown · CVSS Not scored
PHP remote file inclusion vulnerability in home.php in Top Paidmailer allows remote attackers to execute arbitrary PHP code via a URL in the page parameter.
Published Mar 26, 2010 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in index.php in Dreamlevels DreamPoll 3.1 allows remote attackers to inject arbitrary web script or HTML via the recordsPerPage parameter in a poll_default login action.
Published Mar 26, 2010 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Stack-based buffer overflow in TraktorBeatport.exe 1.0.0.283 in Beatport Player 1.0.0.0 allows remote attackers to execute arbitrary code via a long string in a malformed playlist (.m3u) file.
Published Mar 29, 2010 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple cross-site scripting (XSS) vulnerabilities in history-storage.aspx in AfterLogic WebMail Pro 4.7.10 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) HistoryStorageObjectName and (2) HistoryKey parameters.
Published Mar 26, 2010 · Updated Aug 7, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in anzeiger/start.php in Swinger Club Portal allows remote attackers to execute arbitrary SQL commands via the id parameter in a rubrik action.
Published Mar 26, 2010 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Winn ASP Guestbook 1.01 Beta stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for data/guestbook.mdb.
Published Mar 29, 2010 · Updated Aug 7, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in report.php in x10 Adult Media Script 1.7 allows remote attackers to execute arbitrary SQL commands via the id parameter.
Published Mar 18, 2010 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Stack-based buffer overflow in Mercury Audio Player 1.21 allows remote attackers to execute arbitrary code via a long string in a malformed playlist (.m3u) file.
Published Mar 29, 2010 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Unspecified vulnerability in the ClickHeat plugin, as used in phpMyVisites before 2.4, has unknown impact and attack vectors. NOTE: due to lack of details from the vendor, it is not clear whether this is related to CVE-2008-5793.
Published Mar 30, 2010 · Updated Aug 7, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in the CheckLogin function in includes/functions.php in Limny 1.01, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the username parameter.
Published Mar 18, 2010 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Directory traversal vulnerability in download.php in Quickdev 4 PHP allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.
Published Mar 18, 2010 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Stack-based buffer overflow in BrotherSoft EW-MusicPlayer 0.8 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long string in a malformed playlist (.m3u) file. NOTE: some of these details are obtained from third party information.
Published Mar 29, 2010 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple cross-site scripting (XSS) vulnerabilities in x10 Adult Media Script 1.7 allow remote attackers to inject arbitrary web script or HTML via the (1) pic_id parameter to includes/video_ad.php, (2) category parameter to linkvideos_listing.php, (3) id parameter to templates/header1.php, and (4) key parameter to video_listing.php.
Published Mar 18, 2010 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple SQL injection vulnerabilities in Admin/index.asp in Andrews-Web (A-W) BannerAd 1.0 allow remote attackers to execute arbitrary SQL commands via the (1) User and (2) Password parameters. NOTE: some of these details are obtained from third party information.
Published Mar 18, 2010 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple SQL injection vulnerabilities in index.php in Dreamlevels DreamPoll 3.1 allow remote attackers to execute arbitrary SQL commands via the (1) sortField, (2) sortDesc, or (3) pageNumber parameter in a login action.
Published Mar 26, 2010 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple stack-based buffer overflows in Mercury Audio Player 1.21 allow remote attackers to execute arbitrary code via a long string in a malformed (1) .b4s or (2) .pls playlist file.
Published Mar 29, 2010 · Updated Aug 7, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in mycategoryorder.php in the My Category Order plugin 2.8 and earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the parentID parameter in an act_OrderCategories action to wp-admin/post-new.php.
Published Mar 26, 2010 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Directory traversal vulnerability in modules/aljazeera/admin/setup.php in Arab Portal 2.2 and earlier, when register_globals is enabled and magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the module parameter.
Published Mar 18, 2010 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Stack-based buffer overflow in Mini-stream RM Downloader allows remote attackers to execute arbitrary code via a long string in a .smi file.
Published Mar 29, 2010 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in search.php in CommonSense CMS 5.0 allows remote attackers to inject arbitrary web script or HTML via the q parameter.
Published Mar 23, 2010 · Updated Aug 7, 2024
Unknown · CVSS Not scored
PHP remote file inclusion vulnerability in public/code/cp_html2xhtmlbasic.php in All In One Control Panel (AIOCP) 1.4.001 allows remote attackers to execute arbitrary PHP code via a URL in the page parameter, a different vector than CVE-2009-3220.
Published Mar 26, 2010 · Updated Aug 7, 2024
Unknown · CVSS Not scored
PHP remote file inclusion vulnerability in anzeiger/start.php in Swinger Club Portal allows remote attackers to execute arbitrary PHP code via a URL in the go parameter.
Published Mar 26, 2010 · Updated Aug 7, 2024