[CLOSE] OSVDB ID : 38313 - Disclosed: 2007-06-15

Description:

(Description Provided by CVE) : request.c in lighttpd 1.4.15 allows remote attackers to cause a denial of service (daemon crash) by sending an HTTP request with duplicate headers, as demonstrated by a request containing two Location header lines, which results in a segmentation fault.

[CLOSE] OSVDB ID : 38314 - Disclosed: 2007-06-15

Description:

(Description Provided by CVE) : mod_auth (http_auth.c) in lighttpd before 1.4.16 allows remote attackers to cause a denial of service (daemon crash) via unspecified vectors involving (1) a memory leak, (2) use of md5-sess without a cnonce, (3) base64 encoded strings, and (4) trailing whitespace in the Auth-Digest header.

[CLOSE] OSVDB ID : 38315 - Disclosed: 2007-06-15

Description:

(Description Provided by CVE) : mod_auth (http_auth.c) in lighttpd before 1.4.16 allows remote attackers to cause a denial of service (daemon crash) via unspecified vectors involving (1) a memory leak, (2) use of md5-sess without a cnonce, (3) base64 encoded strings, and (4) trailing whitespace in the Auth-Digest header.

[CLOSE] OSVDB ID : 38316 - Disclosed: 2007-06-15

Description:

(Description Provided by CVE) : mod_auth (http_auth.c) in lighttpd before 1.4.16 allows remote attackers to cause a denial of service (daemon crash) via unspecified vectors involving (1) a memory leak, (2) use of md5-sess without a cnonce, (3) base64 encoded strings, and (4) trailing whitespace in the Auth-Digest header.

[CLOSE] OSVDB ID : 38317 - Disclosed: 2007-06-15

Description:

(Description Provided by CVE) : mod_auth (http_auth.c) in lighttpd before 1.4.16 allows remote attackers to cause a denial of service (daemon crash) via unspecified vectors involving (1) a memory leak, (2) use of md5-sess without a cnonce, (3) base64 encoded strings, and (4) trailing whitespace in the Auth-Digest header.

[CLOSE] OSVDB ID : 37345 - Disclosed: 2007-06-15

Description:

(Description Provided by CVE) : Multiple unspecified vulnerabilities in Astaro Security Gateway (ASG) before 7.005 allow remote attackers to cause a denial of service via (1) certain email, which stops the SMTP Proxy during scanning; (2) certain HTTP traffic, which stops or slows down the HTTP proxy during HTTP responses containing virus scanned web pages; and (3) a disconnection during a streaming session.

[CLOSE] OSVDB ID : 37346 - Disclosed: 2007-06-15

Description:

(Description Provided by CVE) : Multiple unspecified vulnerabilities in Astaro Security Gateway (ASG) before 7.005 allow remote attackers to cause a denial of service via (1) certain email, which stops the SMTP Proxy during scanning; (2) certain HTTP traffic, which stops or slows down the HTTP proxy during HTTP responses containing virus scanned web pages; and (3) a disconnection during a streaming session.

[CLOSE] OSVDB ID : 36606 - Disclosed: 2007-06-15

Description:

(Description Provided by CVE) : SQL injection vulnerability in bb-includes/formatting-functions.php in bbPress before 0.8.1 might allow remote attackers to execute arbitrary SQL commands via unspecified vectors to forums/bb-edit.php, as demonstrated by a PRE element, aka the "quircky slashes bug."

[CLOSE] OSVDB ID : 36889 - Disclosed: 2007-06-15

Description:

(Description Provided by CVE) : SQL injection vulnerability in VirtueMart before 1.0.11 allows remote attackers to execute arbitrary SQL commands via unspecified parameters, possibly related to improper input validation of the PATH_INFO (PHP_SELF) by virtuemart_parser.php.

[CLOSE] OSVDB ID : 37317 - Disclosed: 2007-06-15

Description:

(Description Provided by CVE) : Buffer overflow in the NFS mount daemon (XNFS.NLM) in Novell NetWare 6.5 SP6, and probably earlier, allows remote attackers to cause a denial of service (abend) via a long path in a mount request.

[CLOSE] OSVDB ID : 36593 - Disclosed: 2007-06-15

Description:

(Description Provided by CVE) : Unspecified vulnerability in Sun Solaris 10 before 20070614, when IPv6 interfaces are present but not configured for IPsec, allows remote attackers to cause a denial of service (system crash) via certain network traffic.

[CLOSE] OSVDB ID : 36379 - Disclosed: 2007-06-15

Description:

(Description Provided by CVE) : Cross-site scripting (XSS) vulnerability in searchform.php in the AndyBlue theme before 20070607 for WordPress allows remote attackers to inject arbitrary web script or HTML via the PHP_SELF portion of a URI to index.php. NOTE: this can be leveraged for PHP code execution in an administrative session.

[CLOSE] OSVDB ID : 37544 - Disclosed: 2007-06-15

Description:

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in Papoo Light 3.6 before 20070611 allow remote attackers to inject arbitrary web script or HTML via (1) the URI in a GET request or (2) the Title field of a visitor comment, and (3) allow remote authenticated users to inject arbitrary web script or HTML via a message to another user. NOTE: vector (2) might overlap CVE-2006-3571.1.

[CLOSE] OSVDB ID : 37545 - Disclosed: 2007-06-15

Description:

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in Papoo Light 3.6 before 20070611 allow remote attackers to inject arbitrary web script or HTML via (1) the URI in a GET request or (2) the Title field of a visitor comment, and (3) allow remote authenticated users to inject arbitrary web script or HTML via a message to another user. NOTE: vector (2) might overlap CVE-2006-3571.1.

[CLOSE] OSVDB ID : 37546 - Disclosed: 2007-06-15

Description:

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in Papoo Light 3.6 before 20070611 allow remote attackers to inject arbitrary web script or HTML via (1) the URI in a GET request or (2) the Title field of a visitor comment, and (3) allow remote authenticated users to inject arbitrary web script or HTML via a message to another user. NOTE: vector (2) might overlap CVE-2006-3571.1.

[CLOSE] OSVDB ID : 36873 - Disclosed: 2007-06-15

Description:

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in HiddenChest "is ve Bayi Basvuru Formu" (Yb ve Bayi Babvuru Formu) allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

[CLOSE] OSVDB ID : 38038 - Disclosed: 2007-06-15

Description:

(Description Provided by CVE) : ** DISPUTED ** Cross-site scripting (XSS) vulnerability in search.php in Google Custom Search Engine allows remote attackers to inject arbitrary web script or HTML via the q parameter. NOTE: this issue is disputed by the Google Security Team, who states that "Google does not provide the 'search.php' script referenced. When a user creates a custom search engine, we provide them with a block of javascript to include on their site. Some users write additional code around this block of javascript to further customize their website."

[CLOSE] OSVDB ID : 38468 - Disclosed: 2007-06-15

Description:

(Description Provided by CVE) : Cross-site scripting (XSS) vulnerability in the Samples component in IBM WebSphere Application Server (WAS) 6.1.0.7 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

[CLOSE] OSVDB ID : 68683 - Disclosed: 2007-06-15

Description:

(Description Provided by CVE) : Multiple directory traversal vulnerabilities in FTPServer.py in pyftpdlib before 0.2.0 allow remote authenticated users to access arbitrary files and directories via a .. (dot dot) in a (1) LIST, (2) STOR, or (3) RETR command.

[CLOSE] OSVDB ID : 43615 - Disclosed: 2007-06-14

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 36381 - Disclosed: 2007-06-14

Description:

(Description Provided by CVE) : Cross-site scripting (XSS) vulnerability in dotProject before 2.1 RC2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2006-2851 and CVE-2006-3240.

[CLOSE] OSVDB ID : 38862 - Disclosed: 2007-06-14

Description:

(Description Provided by CVE) : Apple Safari 3.0.1 beta (522.12.12) on Windows allows remote attackers to modify the window title and address bar while filling the main window with arbitrary content by setting the location bar and using setTimeout() to create an event that modifies the window content, which could facilitate phishing attacks.

[CLOSE] OSVDB ID : 36079 - Disclosed: 2007-06-14

Description:

Apache Tomcat contains a flaw that allows a remote cross site scripting attack. This flaw exists because the Manager and Host Manager applications do not validate the filename of files uploaded via the /manager/html/upload utility. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 36304 - Disclosed: 2007-06-14

Description:

PHP::HTML contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'phphtml.php' script not properly sanitizing user input supplied to the 'htmlclass_path' parameter. This may allow an attacker to include a file from a third-party remote host that contains commands or code that will be executed by the vulnerable script with the same privileges as the web server.

[CLOSE] OSVDB ID : 36305 - Disclosed: 2007-06-14

Description:

(Description Provided by CVE) : SQL injection vulnerability in mod_banners.php in Elxis CMS before 2006.4 20070613 allows remote attackers to execute arbitrary SQL commands via the mb_tracker cookie. NOTE: the product was patched without updating the version number; later downloads of 2006.4 are not affected.

[CLOSE] OSVDB ID : 36376 - Disclosed: 2007-06-14

Description:

Letterman Subscriber Module for Joomla! contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'Itemid' parameter upon submission to the 'mod_lettermansubscribe.php' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 36816 - Disclosed: 2007-06-14

Description:

(Description Provided by CVE) : PHP remote file inclusion vulnerability in saf/lib/PEAR/PhpDocumentor/Documentation/tests/bug-559668.php in Sitellite CMS 4.2.12 and earlier might allow remote attackers to execute arbitrary PHP code via a URL in the FORUM[LIB] parameter. NOTE: by default, access to the PhpDocumentor directory tree is blocked by .htaccess.

[CLOSE] OSVDB ID : 41345 - Disclosed: 2007-06-14

Description:

(Description Provided by CVE) : index.php in Singapore Gallery allows remote attackers to obtain sensitive information via a request with a non-directory gallery parameter, which reveals the path in an error message.

[CLOSE] OSVDB ID : 39736 - Disclosed: 2007-06-14

Description:

(Description Provided by CVE) : PortalApp stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for 8691.mdb, a different vector than CVE-2004-1786.

[CLOSE] OSVDB ID : 89357 - Disclosed: 2007-06-14

Description:

By default, Edge-CorE WA2121 Mini AP Router installs with default user credentials (username/password combination) for the web interface. The 'root' account has a password of 'Edge-Core', which is publicly known and documented. This allows remote attackers to trivially access the program or system and gain privileged access.

[CLOSE] OSVDB ID : 41011 - Disclosed: 2007-06-13

Description:

(Description Provided by CVE) : IBM DB2 UDB 9.1 before Fixpak 4 assigns incorrect privileges to the (1) DB2ADMNS and (2) DB2USERS alternative groups, which has unknown impact. NOTE: the vendor description of this issue is too vague to be certain that it is security-related.

[CLOSE] OSVDB ID : 38864 - Disclosed: 2007-06-13

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 36592 - Disclosed: 2007-06-13

Description:

(Description Provided by CVE) : Unspecified vulnerability in the NFS server in Sun Solaris 10 before 20070613 allows remote attackers to cause a denial of service (system crash) via certain XDR data in NFS requests, probably related to processing of data by the xdr_bool and xdrmblk_getint32 functions.

[CLOSE] OSVDB ID : 37246 - Disclosed: 2007-06-13

Description:

(Description Provided by CVE) : Unspecified vulnerability in Sun Java System Directory Server (slapd) 6.0, and 5.2 with Patch 3 or 4, allows remote attackers to modify certain data via unknown vectors.

[CLOSE] OSVDB ID : 37247 - Disclosed: 2007-06-13

Description:

(Description Provided by CVE) : Unspecified vulnerability in Sun ONE/Java System Directory Server (slapd) 6.0, and 5.x before 5.2 Patch 5, allows remote attackers to determine the existence of attributes of an entry via unspecified vectors.

[CLOSE] OSVDB ID : 35468 - Disclosed: 2007-06-13

Description:

ActiveCGM contains a flaw that may allow a malicious user to execute arbitrary code on the remote system. The issue is triggered due to multiple unspecified boundary errors. It is possible that the flaw may allow code execution with privileges of the user resulting in a loss of integrity.

[CLOSE] OSVDB ID : 38865 - Disclosed: 2007-06-13

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 38866 - Disclosed: 2007-06-13

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 37239 - Disclosed: 2007-06-13

Description:

(Description Provided by CVE) : Buffer overflow in Help and Support Center before 4.4 C on HP Windows systems allows remote attackers to read or write arbitrary files via unknown vectors.

[CLOSE] OSVDB ID : 37235 - Disclosed: 2007-06-13

Description:

(Description Provided by CVE) : Stack-based buffer overflow in nptoken.mox in the Cellosoft Tokens Object 2.0.0.6 extension for Vitalize! allows remote attackers to execute arbitrary code via a long string argument to the RemoveChr method. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.