Wind River Support Network

HomeCVE Database

The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.

Reset
Showing
of 128082 entries
IDDescriptionPriorityModified date
CVE-2007-5216 Multiple PHP remote file inclusion vulnerabilities in eArk (e-Ark) 1.0 allow remote attackers to execute arbitrary PHP code via a URL in (1) the cfg_vcard_path parameter to src/vcard_inc.php or (2) the cfg_phpmailer_path parameter to src/email_inc.php. NOTE: the ark_inc.php vector is already covered by CVE-2006-6086. Medium Oct 8, 2007
CVE-2007-5215 Multiple PHP remote file inclusion vulnerabilities in Jacob Hinkle GodSend 0.6 allow remote attackers to execute arbitrary PHP code via a URL in the SCRIPT_DIR parameter to (1) gtk/main.inc.php or (2) cmdline.inc.php. NOTE: vector 2 is disputed by CVE because it is contained in unaccessible code, requiring that two undefined constants be equal. Medium Oct 8, 2007
CVE-2007-5214 Multiple cross-site scripting (XSS) vulnerabilities in the AXIS 2100 Network Camera 2.02 with firmware 2.43 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the PATH_INFO to the default URI associated with a directory, as demonstrated by (a) the root directory and (b) the view/ directory; (2) parameters associated with saved settings, as demonstrated by (c) the conf_Network_HostName parameter on the Network page and (d) the conf_Layout_OwnTitle parameter to ServerManager.srv; and (3) the query string to ServerManager.srv, which is displayed on the logs page. NOTE: an attacker can leverage a CSRF vulnerability to modify saved settings. Medium Oct 8, 2007
CVE-2007-5213 Multiple cross-site request forgery (CSRF) vulnerabilities in the AXIS 2100 Network Camera 2.02 with firmware 2.43 and earlier allow remote attackers to perform actions as administrators, as demonstrated by (1) an SMTP server change through the conf_SMTP_MailServer1 parameter to ServerManager.srv and (2) a hostname change through the conf_Network_HostName parameter on the Network page. High Oct 8, 2007
CVE-2007-5212 Multiple cross-site scripting (XSS) vulnerabilities in the AXIS 2100 Network Camera 2.02 with firmware before 2.43 allow remote attackers to inject arbitrary web script or HTML via (1) parameters associated with saved settings, as demonstrated by the conf_SMTP_MailServer1 parameter to ServerManager.srv; or (2) the subpage parameter to wizard/first/wizard_main_first.shtml. NOTE: an attacker can leverage a CSRF vulnerability to modify saved settings. Medium Oct 8, 2007
CVE-2007-5211 Multiple cross-site scripting (XSS) vulnerabilities in Arbor Networks Peakflow SP 3.5.1 before patch 14, and 3.6.1 before patch 5, when scope accounts are enabled, allow remote attackers to inject arbitrary web script or HTML via unspecified vectors involving GET or POST requests. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. Medium Oct 8, 2007
CVE-2007-5210 Arbor Networks Peakflow SP before 3.5.1 patch 14, and 3.6.x before 3.6.1 patch 5, allows remote authenticated users to bypass access restrictions and read or write unspecified data via unknown vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. Medium Oct 8, 2007
CVE-2007-5209 Stack-based buffer overflow in DriveLock.exe in CenterTools DriveLock 5.0 allows remote attackers to execute arbitrary code via a long HTTP request to TCP port 6061. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. High Oct 15, 2007
CVE-2007-5208 hpssd in Hewlett-Packard Linux Imaging and Printing Project (hplip) 1.x and 2.x before 2.7.10 allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a from address, which is not properly handled when invoking sendmail. High Oct 18, 2007
CVE-2007-5207 guilt 0.27 allows local users to overwrite arbitrary files via a symlink attack on a guilt.log.[PID] temporary file. Low Oct 8, 2007
CVE-2007-5201 The FTP backend for Duplicity before 0.4.9 sends the password as a command line argument when calling ncftp, which might allow local users to read the password by listing the process and its arguments. Low Oct 8, 2007
CVE-2007-5200 hugin, as used on various operating systems including SUSE openSUSE 10.2 and 10.3, allows local users to overwrite arbitrary files via a symlink attack on the hugin_debug_optim_results.txt temporary file. Low Oct 17, 2007
CVE-2007-5199 A single byte overflow in catalogue.c in X.Org libXfont 1.3.1 allows remote attackers to have unspecified impact. High Aug 23, 2017
CVE-2007-5198 Buffer overflow in the redir function in check_http.c in Nagios Plugins before 1.4.10, when running with the -f (follow) option, allows remote web servers to execute arbitrary code via Location header responses (redirects) with a large number of leading "L" characters. Medium Oct 8, 2007
CVE-2007-5197 Buffer overflow in the Mono.Math.BigInteger class in Mono allows context-dependent attackers to execute arbitrary code via unspecified vectors. High Dec 14, 2007
CVE-2007-5196 Unspecified vulnerability in the SSL implementation in Groupwise client system in the novell-groupwise-client package in SUSE Linux Enterprise Desktop 10 allows remote attackers to obtain credentials via a man-in-the-middle attack, a different vulnerability than CVE-2007-5195. High Oct 17, 2007
CVE-2007-5195 Unspecified vulnerability in the SSL implementation in Groupwise client system in the novell-groupwise-client package in SUSE Linux Enterprise Desktop 10 allows remote attackers to obtain credentials via a man-in-the-middle attack, a different vulnerability than CVE-2007-5196. Medium Oct 17, 2007
CVE-2007-5194 The Chroot server in rMake 1.0.11 creates a /dev/zero device file with read/write permissions for the rMake user and the same minor device number as /dev/port, which might allow local users to gain root privileges. Medium Oct 8, 2007
CVE-2007-5193 The default configuration for twiki 4.1.2 on Debian GNU/Linux, and possibly other operating systems, specifies the work area directory (cfg{RCS}{WorkAreaDir}) under the web document root, which might allow remote attackers to obtain sensitive information when .htaccess restrictions are not applied. Medium Oct 5, 2007
CVE-2007-5191 mount and umount in util-linux and loop-aes-utils call the setuid and setgid functions in the wrong order and do not check the return values, which might allow attackers to gain privileges via helpers such as mount.nfs. Medium Oct 8, 2007
CVE-2007-5190 Multiple cross-site scripting (XSS) vulnerabilities in Alcatel OmniVista 4760 R4.2 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the action parameter to php-bin/Webclient.php or (2) the Langue parameter to the default URI. Medium Oct 23, 2007
CVE-2007-5189 Multiple SQL injection vulnerabilities in mes_add.php in x-script GuestBook 1.3a, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) name, (2) email, (3) icq, and (4) website parameters. High Oct 4, 2007
CVE-2007-5188 Unspecified vulnerability in the XOOPS uploader class in Xoops 2.0.17.1-RC1 and earlier allows remote attackers to upload arbitrary files via unspecified vectors related to improper upload configuration settings in class/uploader.php and class/mimetypes.inc.php, possibly an incomplete blacklist that omits the .php4 extension. High Oct 4, 2007
CVE-2007-5187 SQL injection vulnerability in infusions/calendar_events_panel/show_single.php in the Expanded Calendar 2.x module for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the sel parameter. High Oct 4, 2007
CVE-2007-5186 PHP remote file inclusion vulnerability in index.php in Segue CMS 1.8.4 and earlier, when register_globals is disabled, allows remote attackers to execute arbitrary PHP code via a URL in the themesdir parameter, a different vector than CVE-2006-5497. NOTE: this issue was disputed, but the dispute was retracted after additional analysis. Medium Oct 4, 2007
CVE-2007-5185 Multiple PHP remote file inclusion vulnerabilities in phpWCMS XT 0.0.7 BETA and earlier allow remote attackers to execute arbitrary PHP code via a URL in the HTML_MENU_DirPath parameter to (1) config_HTML_MENU.php and (2) config_PHPLM.php in phpwcms_template/inc_script/frontend_render/navigation/. Medium Oct 4, 2007
CVE-2007-5184 Format string vulnerability in the SMBDirList function in dirlist.c in SmbFTPD 0.96 allows remote attackers to execute arbitrary code via format string specifiers in a directory name. High Oct 4, 2007
CVE-2007-5183 Cross-site scripting (XSS) vulnerability in Mailbox.mws in OdysseySuite, possibly 4.0.729, allows remote attackers to inject arbitrary web script or HTML via the idkey parameter. Medium Oct 4, 2007
CVE-2007-5182 Cross-site scripting (XSS) vulnerability in mail.asp in Netkamp Emlak Scripti allows remote attackers to inject arbitrary web script or HTML via the (1) Email parameter, and possibly the (2) Ad, (3) Soyad, (4) Konu, and (5) Mesaj parameters to iletisim.asp. Medium Oct 4, 2007
CVE-2007-5181 SQL injection vulnerability in detay.asp in Netkamp Emlak Scripti allows remote attackers to execute arbitrary SQL commands via the ilan_id parameter. High Oct 4, 2007
CVE-2007-5180 Multiple SQL injection vulnerabilities in Ohesa Emlak Portali allow remote attackers to execute arbitrary SQL commands via the (1) Kategori parameter in satilik.asp and the (2) Emlak parameter in detay.asp. High Oct 3, 2007
CVE-2007-5179 Multiple cross-site scripting (XSS) vulnerabilities in iletisim.asp in Y&K Iletisim Formu allow remote attackers to inject arbitrary web script or HTML via the (1) ad, (2) sehir, (3) yas, (4) cins, (5) tel, (6) mail, and (7) mesaj parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. Medium Oct 3, 2007
CVE-2007-5178 contrib/mx_glance_sdesc.php in the mx_glance 2.3.3 module for mxBB places a critical security check within a comment because of a missing comment delimiter, which allows remote attackers to conduct remote file inclusion attacks and execute arbitrary PHP code via a URL in the mx_root_path parameter. NOTE: some sources incorrectly state that phpbb_root_path is the affected parameter. Medium Oct 3, 2007
CVE-2007-5177 SQL injection vulnerability in index.php in the MambAds (com_mambads) 1.5 and earlier component for Mambo allows remote attackers to execute arbitrary SQL commands via the caid parameter. High Oct 3, 2007
CVE-2007-5176 Multiple cross-site scripting (XSS) vulnerabilities in GroupLink eHelpDesk 6.2.2 allow remote attackers to inject arbitrary web script or HTML via the (1) NA_DISPLAYNAME parameter in helpdesk/user/rf_create.jsp and the (2) username and (3) LDAPError parameters in index2.jsp. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. Medium Oct 3, 2007
CVE-2007-5175 PHP remote file inclusion vulnerability lib/base.php in actSite 1.991 Beta allows remote attackers to execute arbitrary PHP code via a URL in the BaseCfg[BaseDir] parameter. Medium Oct 3, 2007
CVE-2007-5174 Directory traversal vulnerability in phpinc/Unchangeds.php in actSite 1.56 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the do parameter. High Oct 3, 2007
CVE-2007-5173 PHP remote file inclusion vulnerability in includes/openid/Auth/OpenID/BBStore.php in phpBB Openid 0.2.0 allows remote attackers to execute arbitrary PHP code via a URL in the openid_root_path parameter. Medium Oct 3, 2007
CVE-2007-5172 Quicksilver Forums before 1.4.1 allows remote attackers to obtain sensitive information by causing unspecified connection errors, which reveals the database password in the resulting error message. Medium Oct 2, 2007
CVE-2007-5171 Unspecified vulnerability in Quicksilver Forums before 1.4.1 allows remote attackers to delete arbitrary PMs via unspecified vectors. Medium Oct 2, 2007
CVE-2007-5170 Unspecified vulnerability in the embedded service processor (SP) before 3.09 in Sun Fire X2100 M2 and X2200 M2 Embedded Lights Out Manager (ELOM) allows remote attackers to send arbitrary network traffic and use ELOM as a spam proxy. Medium Oct 2, 2007
CVE-2007-5169 Stack-based buffer overflow in MAIPM6.dll in Adobe PageMaker 7.0.1 and 7.0.2 on Windows allows user-assisted remote attackers to execute arbitrary code via a long font name in a .PMD file. High Oct 15, 2007
CVE-2007-5168 Multiple PHP remote file inclusion vulnerabilities in ClanLite 1.23.01.2005 allow remote attackers to execute arbitrary PHP code via a URL in the root_path parameter to (1) modules/serveur_jeux.php or (2) conf/conf-php.php. NOTE: vector 1 is disputed by CVE because the require_once is only reached when a certain constant has already been defined. Medium Oct 2, 2007
CVE-2007-5167 PHP remote file inclusion vulnerability in .systeme/fonctions.php in phpLister 0.5-pre2 allows remote attackers to execute arbitrary PHP code via a URL in the nom_rep_systeme parameter. Medium Oct 2, 2007
CVE-2007-5166 Multiple PHP remote file inclusion vulnerabilities in SiteSys 1.0a allow remote attackers to execute arbitrary PHP code via a URL in the doc_root parameter to (1) inc/pagehead.inc.php or (2) inc/pageinit.inc.php. Medium Oct 2, 2007
CVE-2007-5165 ** DISPUTED ** PHP remote file inclusion vulnerability in init.php in Jens Tkotz myIpacNG-stats (MINGS) 0.05 allows remote attackers to execute arbitrary PHP code via a URL in the MINGS_BASE parameter. NOTE: this issue is disputed by CVE because MINGS_BASE is defined before use. Medium Oct 2, 2007
CVE-2007-5164 ** DISPUTED ** PHP remote file inclusion vulnerability in htmls/forum/includes/topic_review.php in UniversiBO 1.3.4 allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter. NOTE: this issue is disputed by CVE because the applicable include is in a function that is not called on a direct request. Medium Oct 3, 2007
CVE-2007-5163 ** DISPUTED ** PHP remote file inclusion vulnerability in includes/functions/layout.php in Nexty 1.01.A Beta allows remote attackers to execute arbitrary PHP code via a URL in the rel parameter. NOTE: this issue is disputed by CVE because the applicable include is in a function that is not called on a direct request. Medium Oct 2, 2007
CVE-2007-5162 The connect method in lib/net/http.rb in the (1) Net::HTTP and (2) Net::HTTPS libraries in Ruby 1.8.5 and 1.8.6 does not verify that the commonName (CN) field in a server certificate matches the domain name in an HTTPS request, which makes it easier for remote attackers to intercept SSL transmissions via a man-in-the-middle attack or spoofed web site. Medium Oct 2, 2007
CVE-2007-5161 Cross-zone scripting vulnerability in the internal browser in i-Systems Feedreader 3.10 allows remote attackers to inject arbitrary web script or HTML via an item in a feed, as demonstrated by a WordPress blog update. NOTE: this was originally reported as XSS. Medium Oct 2, 2007
The 'Fixed Release' column is displayed if a single product version is selected from the filter. The fixed release is applicable in cases when the CVE has been addressed and fixed for that product version.
Live chat
Online