| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| mailPage.asp in QuickerSite 1.8.5 allows remote attackers to flood e-mail accounts with messages via a large number of requests with a modified sEmail parameter. |
| Unspecified vulnerability in Adobe Acrobat 9.x before 9.2 allows attackers to bypass intended file-extension restrictions via unknown vectors. |
| NetScout (formerly Network General) Visualizer V2100 and InfiniStream i1730 do not restrict access to ResourceManager/en_US/domains/add_domain.jsp, which allows remote attackers to gain administrator privileges via a direct request. |
| Flat Calendar 1.1 does not properly restrict access to administrative functions, which allows remote attackers to (1) add new events via calAdd.php, as reachable from admin/add.php, or (2) delete events via admin/deleteEvent.php. NOTE: this is only a vulnerability when the administrator does not follow recommendations in the product's security documentation. |
| dotProject before 2.1.2 does not properly restrict access to administrative pages, which allows remote attackers to gain privileges. NOTE: some of these details are obtained from third party information. |
| ZoneMinder 1.23.3 on Fedora 10 sets the ownership of /etc/zm.conf to the apache user account, and sets the permissions to 0600, which makes it easier for remote attackers to modify this file by accessing it through a (1) PHP or (2) CGI script. |
| ZoneMinder 1.23.3 on Gentoo Linux uses 0644 permissions for /etc/zm.conf, which allows local users to obtain the database username and password by reading this file. |
| YourPlace 1.0.2 and earlier stores sensitive information under the web root with insufficient access control, which allows remote attackers to a database containing user credentials via a direct request for users.txt. |
| YourPlace 1.0.2 and earlier allows remote attackers to obtain sensitive system information via a direct request via a direct request to user/uploads/phpinfo.php, which calls the phpinfo function. |
| internettoolbar/edit.php in YourPlace 1.0.2 and earlier does not end execution when an invalid username is detected, which allows remote attackers to bypass intended restrictions and edit toolbar settings via an invalid username. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. |
| connection.php in FlashChat 5.0.8 allows remote attackers to bypass the role filter mechanism and gain administrative privileges by setting the s parameter to "7." |
| The registration view (/user/register) in eZ Publish 3.5.6 and earlier, and possibly other versions before 3.9.5, 3.10.1, and 4.0.1, allows remote attackers to gain privileges as other users via modified ContentObjectAttribute_data_user_login_30, ContentObjectAttribute_data_user_password_30, and other parameters. |
| The ssl_parse_client_key_exchange function in XySSL before 0.9 does not protect against certain Bleichenbacher attacks using chosen ciphertext, which allows remote attackers to recover keys via unspecified vectors. |
| NetRisk 1.9.7 does not properly restrict access to admin/change_submit.php, which allows remote attackers to change the password of arbitrary users via a direct request. |
| Unrestricted file upload vulnerability in EkinBoard 1.1.0 and earlier allows remote attackers to execute arbitrary code by uploading an avatar file with an executable extension followed by a safe extension, then accessing it via a direct request to the file in uploaded/avatars/. |
| Fortinet FortiGuard Fortinet FortiGate-1000 3.00 build 040075,070111 allows remote attackers to bypass URL filtering via fragmented GET or POST requests that use HTTP/1.0 without the Host header. NOTE: this issue might be related to CVE-2005-3058. |
| Unrestricted file upload vulnerability in upload.php in Page Manager 2006-02-04 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an unspecified directory. |
| GSC build 2067 and earlier relies on the client to enforce administrator privileges, which allows remote attackers to execute arbitrary administrator commands via a crafted packet. |
| Lightweight news portal (LNP) 1.0b does not properly restrict access to administrator functionality, which allows remote attackers to gain administrator privileges via direct requests to admin.php with the (1) potd_delete, (2) potd, (3) vote_update, (4) vote, or (5) modifynews actions. |
| The Jura Internet Connection Kit for the Jura Impressa F90 coffee maker does not properly restrict access to privileged functions, which allows remote attackers to cause a denial of service (physical damage), modify coffee settings, and possibly execute code via a crafted request. NOTE: this issue is being included in CVE because the denial of service may include financial loss or water damage. |
