| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| PostgreSQL 8.1.x before 8.1.4, 8.0.x before 8.0.8, 7.4.x before 7.4.13, 7.3.x before 7.3.15, and earlier versions allows context-dependent attackers to bypass SQL injection protection methods in applications that use multibyte encodings that allow the "\" (backslash) byte 0x5c to be the trailing byte of a multibyte character, such as SJIS, BIG5, GBK, GB18030, and UHC, which cannot be handled correctly by a client that does not understand multibyte encodings, aka a second variant of "Encoding-Based SQL Injection." NOTE: it could be argued that this is a class of issue related to interaction errors between the client and PostgreSQL, but a CVE has been assigned since PostgreSQL is treating this as a preventative measure against this class of problem. |
| S24EvMon.exe in the Intel PROset/Wireless software, possibly 10.1.0.33, uses a S24EventManagerSharedMemory shared memory section with weak permissions, which allows local users to read or modify passwords or other data, or cause a denial of service. |
| Unspecified vulnerability in Ideal Science Ideal BB 1.5.4a and earlier allows remote attackers to read arbitrary files under the web root via unspecified attack vectors related to the OpenTextFile method in Scripting.FileSystemObject. |
| Directory traversal vulnerability in index.php in OnlyScript.info Online Universal Payment System Script allows remote attackers to read arbitrary files via directory traversal sequences in the read parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. |
| Mozilla Firefox 1.5.0.3 allows remote attackers to cause a denial of service via a web page with a large number of IMG elements in which the SRC attribute is a mailto URI. NOTE: another researcher found that the web page caused a temporary browser slowdown instead of a crash. |
| PlaNet Concept plaNetStat 20050127 allows remote attackers to gain administrative privileges, and view and configure log files, via a direct request to the (1) admin.php or (2) settings.php page. |
| The X Display Manager Control Protocol (XDMCP) support for GDM before 2.4.1.6 allows attackers to cause a denial of service (daemon crash) via a short authorization key name. |
| SQL injection vulnerability in index.php in evoTopsites 2.x and evoTopsites Pro 2.x allows remote attackers to execute arbitrary SQL commands via the (1) cat_id and (2) id parameters. |
| NETGEAR FVS318 running firmware 1.1 stores the username and password in a readable format when a backup of the configuration file is made, which allows local users to obtain sensitive information. |
| Cross-site scripting (XSS) vulnerability in PassMasterFlex and PassMasterFlexPlus (PassMasterFlex+) 1.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the (1) username, (2) password, or (3) User-Agent HTTP header in the Hack Log. |
| Multiple cross-site scripting (XSS) vulnerabilities in Spymac WebOS (WOS) 5.0 allow remote attackers to inject arbitrary web script or HTML via the (1) del_folder, (2) nick, or (3) action parameters to (a) notes/index.php, (4) curr parameter to (b) ipod/get_ipod.php, and in (c) login.php. |
| Integer overflow in CGI scripts in Nagios 1.x before 1.4.1 and 2.x before 2.3.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a content length (Content-Length) HTTP header. NOTE: this is a different vulnerability than CVE-2006-2162. |
| Cross-site scripting (XSS) vulnerability in Sun ONE Web Server 6.0 SP9 and earlier, Java System Web Server 6.1 SP4 and earlier, Sun ONE Application Server 7 Platform and Standard Edition Update 6 and earlier, and Java System Application Server 7 2004Q2 Standard and Enterprise Edition Update 2 and earlier, allows remote attackers to inject arbitrary web script or HTML via unknown attack vectors, possibly involving error messages. |
| Cross-site scripting (XSS) vulnerability in the URL submission form in YourFreeWorld.com Short Url & Url Tracker Script allows remote attackers to inject arbitrary web script or HTML via an unspecified form for submitting URLs. |
| Coppermine galleries before 1.4.6, when running on Apache with mod_mime installed, allows remote attackers to upload arbitrary files via a filename with multiple file extensions. |
| ping.php in Russcom.Ping allows remote attackers to execute arbitrary commands via shell metacharacters in the domain parameter. |
| (1) AlstraSoft Web Host Directory 1.2, aka (2) HyperStop WebHost Directory 1.2, allows remote attackers to obtain the installation path via an invalid entry in the Username field on the login page, which causes the path to be displayed in an SQL error. NOTE: this issue might be resultant from SQL injection. |
| Cross-site scripting (XSS) vulnerability in Andrew Godwin ByteHoard 2.1 and earlier allows remote authenticated users to inject arbitrary web script or HTML via file descriptions. |
| Absolute path traversal vulnerability in the copy action in index.php in Andrew Godwin ByteHoard 2.1 and earlier allows remote authenticated users to create or overwrite files in other users' directories by specifying the absolute path of the directory in the infolder parameter and simultaneously specifying the filename in the filepath parameter. |
| ** UNVERIFIABLE ** NOTE: this issue does not contain any verifiable or actionable details. Cross-site scripting (XSS) vulnerability in John Frank Asset Manager (AssetMan) 2.4a and earlier allows remote attackers to inject arbitrary web script or HTML via "any of its input." NOTE: the original disclosure is based on vague researcher claims without vendor acknowledgement; therefore this identifier cannot be linked with any future identifier that identifies more specific vectors. Perhaps this should not be included in CVE. |
