Wind River Support Network

HomeCVE Database

The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.

Reset
Showing
of 237429 entries
IDDescriptionPriorityModified date
CVE-2007-6413 Sun Solaris 10 with the 120011-04 and 120012-04 patches, and later 120011-* and 120012-* patches, allows remote attackers to bypass certain netgroup restrictions and obtain root access to a filesystem via NFS requests from a client root user. High Dec 18, 2007
CVE-2007-6412 Direct static code injection vulnerability in wiki/index.php in Bitweaver 2.0.0 and earlier, when comments are enabled, allows remote attackers to inject arbitrary PHP code via an editcomments action. Medium Dec 18, 2007
CVE-2007-6411 Multiple buffer overflows in the HandleEmotsConfig function in the GG Client in Gadu-Gadu 7.7 Build 3669 allow user-assisted remote attackers to execute arbitrary code or cause a denial of service (gg.exe process crash) via a long string in an emots.txt file. Medium Dec 17, 2007
CVE-2007-6410 Gadu-Gadu does not properly perform protocol handling, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and add arbitrary user accounts or cause a denial of service as administrators via an unspecified "crafted link," possibly related to the gg protocol. Medium Dec 17, 2007
CVE-2007-6409 The gg protocol handler in Gadu-Gadu, when this product is installed but not running, does not properly handle the skin attribute, which allows remote attackers to cause a denial of service (resource consumption) via unspecified network traffic. Medium Dec 17, 2007
CVE-2007-6408 IBM Tivoli Provisioning Manager Express provides unspecified information in error messages when (1) attempted duplication of a username occurs when creating an account or (2) when trying to login using a valid username, which makes it easier for remote attackers to enumerate usernames. Medium Dec 17, 2007
CVE-2007-6407 Multiple cross-site scripting (XSS) vulnerabilities in IBM Tivoli Provisioning Manager Express allow remote attackers to inject arbitrary web script or HTML via the (1) "assess modification," (2) user-id, and other unspecified fields to the /tpmx URI; or (3) involving unspecified vectors related to "error processing." Medium Dec 17, 2007
CVE-2007-6406 Multiple cross-site scripting (XSS) vulnerabilities in CA (formerly Computer Associates) eTrust Threat Management Console allow remote attackers to inject arbitrary web script or HTML via the IP Address field and other unspecified fields. Medium Dec 17, 2007
CVE-2007-6405 Sergey Lyubka Simple HTTPD (shttpd) 1.38 and earlier on Windows allows remote attackers to download arbitrary CGI programs or scripts via a URI with an appended (1) '+' character, (2) '.' character, (3) %2e sequence (hex-encoded dot), or (4) hex-encoded character greater than 0x7f. NOTE: the %20 vector is already covered by CVE-2007-3407. Medium Dec 17, 2007
CVE-2007-6404 Directory traversal vulnerability in Sergey Lyubka Simple HTTPD (shttpd) 1.38 and earlier on Windows allows remote attackers to read arbitrary files via a ..\\ (dot dot backslash) in the URI. Medium Dec 17, 2007
CVE-2007-6403 Stack-based buffer overflow in Nullsoft Winamp 5.32 allows user-assisted remote attackers to execute arbitrary code via crafted unicode in a .mp4 file, with crafted tags, contained in a certain .rar archive, a related issue to CVE-2007-2498. NOTE: for exploitation, the victim must select a certain menu option at the time of the attack. Medium Dec 17, 2007
CVE-2007-6402 Stack-based buffer overflow in mplayerc.exe in Media Player Classic (MPC) 6.4.9, when used with the 3ivx 4.5.1 or 5.0.1 codec, allows remote attackers to execute arbitrary code via a certain .mp4 file, possibly a related issue to CVE-2007-6401. High Jan 2, 2008
CVE-2007-6401 Stack-based buffer overflow in mplayer2.exe in Microsoft Windows Media Player (WMP) 6.4, when used with the 3ivx 4.5.1 or 5.0.1 codec, allows remote attackers to execute arbitrary code via a certain .mp4 file, possibly a related issue to CVE-2007-6402. High Jan 2, 2008
CVE-2007-6400 Directory traversal vulnerability in download_file.php in PolDoc CMS (aka PDDMS) 0.96 allows remote attackers to read arbitrary files via a .. (dot dot) or absolute pathname in the filename parameter. Medium Dec 17, 2007
CVE-2007-6399 index.php in Flat PHP Board 1.2 and earlier allows remote authenticated users to obtain the password for the current user account by reading the password parameter value in the HTML source for the page generated by a profile action. Medium Dec 17, 2007
CVE-2007-6398 Flat PHP Board 1.2 and earlier allows remote attackers to bypass authentication and obtain limited access to an arbitrary user account via the fpb_username cookie. Medium Dec 17, 2007
CVE-2007-6397 Multiple directory traversal vulnerabilities in index.php in Flat PHP Board 1.2 and earlier allow remote attackers to (1) create arbitrary files via a .. (dot dot) in the username parameter when registering a user account, and (2) read arbitrary PHP files via a .. (dot dot) in (a) the topic parameter in a topic action or (b) the username parameter in a viewprofile action. Medium Dec 17, 2007
CVE-2007-6396 Direct static code injection vulnerability in index.php in Flat PHP Board 1.2 and earlier allows remote attackers to inject arbitrary PHP code via the (1) username, (2) password, and (3) email parameters when registering a user account, which can be executed by accessing the user's php file for this account. NOTE: similar code injection might be possible in a user profile. High Dec 17, 2007
CVE-2007-6395 Flat PHP Board 1.2 and earlier stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain credentials via a direct request for the username php file for any user account in users/. Medium Dec 17, 2007
CVE-2007-6394 SQL injection vulnerability in index.php in Content Injector 1.53 allows remote attackers to execute arbitrary SQL commands via the id parameter in an expand action. High Dec 17, 2007
CVE-2007-6393 SQL injection vulnerability in albums.php in Ace Image Hosting Script allows remote authenticated users to execute arbitrary SQL commands via the id parameter in editalbum mode. Medium Dec 17, 2007
CVE-2007-6392 SQL injection vulnerability in DWdirectory 2.1 and earlier allows remote attackers to execute arbitrary SQL commands via the search parameter to the /search URI. High Dec 17, 2007
CVE-2007-6391 SQL injection vulnerability in patch/comments.php in SH-Unchangeds 3.0 allows remote attackers to execute arbitrary SQL commands via the id parameter. High Dec 17, 2007
CVE-2007-6390 Cross-site request forgery (CSRF) vulnerability in the mycalendar plugin before 0.13 for Serendipity allows remote attackers to perform actions as blog administrators, which can be leveraged to conduct cross-site scripting (XSS) attacks on the blog page. Medium Jan 11, 2008
CVE-2007-6389 The notify feature in GNOME screensaver (gnome-screensaver) 2.20.0 might allow local users to read the clipboard contents and X selection data for a locked session by using ctrl-V. Low Dec 17, 2007
CVE-2007-6388 Cross-site scripting (XSS) vulnerability in mod_status in the Apache HTTP Server 2.2.0 through 2.2.6, 2.0.35 through 2.0.61, and 1.3.2 through 1.3.39, when the server-status page is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Medium Jan 8, 2008
CVE-2007-6387 Multiple stack-based buffer overflows in the awApi4.AnswerWorks.1 ActiveX control in awApi4.dll 4.0.0.42, as used by Vantage Linguistics AnswerWorks, and Intuit Clearly Bookkeeping, ProSeries, QuickBooks, Quicken, QuickTax, and TurboTax, allow remote attackers to execute arbitrary code via long arguments to the (1) GetHistory, (2) GetSeedQuery, (3) SetSeedQuery, and possibly other methods. NOTE: some of these details are obtained from third party information. High Dec 17, 2007
CVE-2007-6386 Stack-based buffer overflow in PccScan.dll before build 1451 in Trend Micro AntiVirus plus AntiSpyware 2008, Internet Security 2008, and Internet Security Pro 2008 allows user-assisted remote attackers to cause a denial of service (SfCtlCom.exe crash), and allows local users to gain privileges, via a malformed .zip archive with a long name, as demonstrated by a .zip file created via format string specifiers in a crafted .uue file. High Dec 17, 2007
CVE-2007-6385 The proxy server in Kerio WinRoute Firewall before 6.4.1 does not properly enforce authentication for HTTPS pages, which has unknown impact and attack vectors. NOTE: it is not clear whether this issue crosses privilege boundaries. Low Dec 17, 2007
CVE-2007-6384 Unspecified vulnerability in the Image Converter functionality in BEA WebLogic Mobility Server 3.3, 3.5, and 3.6 through 3.6 SP1 allows remote attackers to obtain application file and resource access via unspecified vectors. High Dec 17, 2007
CVE-2007-6383 The DAV component in Chandler Server (Cosmo) before 0.10.1 does not check resource creation permissions, which allows remote authenticated users to create arbitrary resources in another user's home collection. Medium Dec 17, 2007
CVE-2007-6382 The Event Dispatch Thread in Robocode before 1.5.1 allows remote attackers to execute arbitrary Java code by using a robot to invoke the SwingUtilities.invokeLater method. Medium Dec 17, 2007
CVE-2007-6381 SQL injection vulnerability in the indexed_search system extension in TYPO3 3.x, 4.0 through 4.0.7, and 4.1 through 4.1.3 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. Medium Dec 17, 2007
CVE-2007-6380 Multiple SQL injection vulnerabilities in e-Xoops (exoops) 1.08, and 1.05 Rev 1 through 3, allow remote attackers to execute arbitrary SQL commands via the (1) lid parameter to (a) mylinks/ratelink.php, (b) adresses/ratefile.php, (c) mydownloads/ratefile.php, (d) mysections/ratefile.php, and (e) myalbum/ratephoto.php in modules/; the (2) bid parameter to (f) modules/banners/click.php; and the (3) gid parameter to (g) modules/arcade/index.php in a show_stats and play_game action, related issues to CVE-2007-5104 and CVE-2007-6266. High Dec 17, 2007
CVE-2007-6379 BadBlue 2.72b and earlier allows remote attackers to obtain sensitive information via an invalid browse parameter, which reveals the installation path in an error message. Medium Dec 17, 2007
CVE-2007-6378 Directory traversal vulnerability in upload.dll in BadBlue 2.72b and earlier allows remote attackers to create or overwrite arbitrary files via a .. (dot dot) in the filename parameter. High Dec 17, 2007
CVE-2007-6377 Stack-based buffer overflow in the PassThru functionality in ext.dll in BadBlue 2.72b and earlier allows remote attackers to execute arbitrary code via a long query string. High Dec 17, 2007
CVE-2007-6376 Directory traversal vulnerability in autohtml.php in Francisco Burzi PHP-Nuke 8.0 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the filename parameter, a different vector than CVE-2006-4190. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. High Dec 17, 2007
CVE-2007-6375 Multiple SQL injection vulnerabilities in Bitweaver 2.0.0 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) sort_mode parameter to wiki/list_pages.php and the (2) highlight parameter to search/index.php. NOTE: the researcher also reported injection via JavaScript code in the Search box, but this is probably a forced SQL error or other separate primary issue. High Dec 17, 2007
CVE-2007-6374 Multiple cross-site scripting (XSS) vulnerabilities in Bitweaver 2.0.0 and earlier allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) users/register.php or (2) search/index.php, or an editcomments action in (3) wiki/index.php or (4) forums/index.php. NOTE: the error parameter to users/login.php is covered by CVE-2006-3103. Medium Dec 17, 2007
CVE-2007-6373 Multiple SQL injection vulnerabilities in GestDown 1.00 Beta allow remote attackers to execute arbitrary SQL commands via the (1) categorie parameter to catdownload.php, or the id parameter to (2) download.php or (3) hitcounter.php. High Dec 17, 2007
CVE-2007-6372 Unspecified vulnerability in Juniper JUNOS 7.3 through 8.4 allows remote attackers to cause a denial of service (crash) via malformed BGP packets, possibly BGP UPDATE packets that trigger session flapping. High Jan 11, 2008
CVE-2007-6371 Nokia N95 cell phone with RM-159 12.0.013 firmware allows remote attackers to cause a denial of service (device inoperability) via a SIP INVITE message accompanied by an immediately subsequent SIP CANCEL message, followed by a second SIP INVITE message in a different session. High Dec 17, 2007
CVE-2007-6370 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2007-5583. Reason: This candidate is a duplicate of CVE-2007-5583. Notes: All CVE users should reference CVE-2007-5583 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Low Jan 10, 2008
CVE-2007-6369 Multiple directory traversal vulnerabilities in resize.php in the PictPress 0.91 and earlier plugin for WordPress allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) size or (2) path parameter. Medium Dec 17, 2007
CVE-2007-6368 Directory traversal vulnerability in index.php in ezContents 1.4.5 allows remote attackers to read arbitrary files via a .. (dot dot) in the link parameter. Medium Dec 17, 2007
CVE-2007-6367 Multiple cross-site scripting (XSS) vulnerabilities in the guestbook in SineCMS 2.3.4 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) username (user) or (2) comment (commento) field, different vectors than CVE-2007-2357. Medium Dec 17, 2007
CVE-2007-6366 Multiple SQL injection vulnerabilities in SineCMS 2.3.4 and earlier allow remote attackers to execute arbitrary SQL commands via (1) the id parameter to mods/Calendar/index.php, accessed through a Calendar info action to mods.php; the id parameter to admin/mods_adm.php in a (2) Guestbook modifica or (3) Calendar modify action; or the (4) mese or (5) anno parameter to admin/mods_adm.php in a Calendar action. NOTE: the component for vectors 2 through 5 might be limited to administrators. High Dec 17, 2007
CVE-2007-6365 Cross-site scripting (XSS) vulnerability in modules/ecal/display.php in the Event Calendar in bcoos 1.0.10 allows remote attackers to inject arbitrary web script or HTML via the month parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. NOTE: the day and year vectors are covered by CVE-2007-6274. Medium Dec 17, 2007
CVE-2007-6364 Cross-site scripting (XSS) vulnerability in modificarPerfil.php in JLMForo System allows remote authenticated users to inject arbitrary web script or HTML via a signature. Medium Dec 17, 2007
The 'Fixed Release' column is displayed if a single product version is selected from the filter. The fixed release is applicable in cases when the CVE has been addressed and fixed for that product version. Requires LTSS - customers must have active LTSS (Long Term Security Shield) Support to receive up-to-date information about vulnerabilities that may affect legacy software. Please contact your Wind River account team or see https://docs.windriver.com/bundle/Support_and_Maintenance_Supplemental_Terms_and_Conditions and https://support2.windriver.com/index.php?page=plc for more information.
Live chat
Online