[CLOSE] OSVDB ID : 18293 - Disclosed: 2005-07-15

Description:

By default, many of Belkin wireless routers using a default ssid of "belkin54g" are preconfigured with a default password. The "admin" account has a null password which is publicly known and documented. This allows attackers to trivially access the program or system.

[CLOSE] OSVDB ID : 40621 - Disclosed: 2007-10-17

Description:

Simple PHP Blog contains a flaw that allows a remote Cross-Site Request Forgery (CSRF / XSRF) attack. The flaw exists because the application does not require multiple steps and/or confirmation for sensitive transactions to delete posts. By using a crafted URL (e.g. a crafted GET request inside an "img" tag), an attacker may trick the victim into clicking on the image to take advantage of the trust relationship between the authenticated victim and the application. Such an attack could trick the victim into executing arbitrary commands in the context of their session with the application, without further prompting or verification.

[CLOSE] OSVDB ID : 821 - Disclosed: 2002-09-12

Description:

By default, Linksys routers install with a default password. The administrative account has a password of admin which is publicly known and documented. This allows attackers to trivially access the program or system.

[CLOSE] OSVDB ID : 28946 - Disclosed: 2006-09-19

Description:

A remote stack-based buffer overflow exists in Microsoft Internet Explorer. The browser's vml rendering engine fails to check the length of a fill parameter on the rect tag resulting in a stack-based buffer overflow. With a specially crafted request that contains a vml graphics, an attacker can cause arbitrary code execution resulting in a loss of integrity.

[CLOSE] OSVDB ID : 592 - Disclosed: 2002-09-12

Description:

By default, Zyxel routers install with a default password. The administrative account has a password of 1234 which is publicly known and documented. This allows attackers to trivially access the program or system.

[CLOSE] OSVDB ID : 44643 - Disclosed: 2008-04-23

Description:

A buffer overflow exists in HD Audio Codec Driver. RTKVHDA.sys and RTKVHDA64.sys fail to validate IOCTL requests resulting in an integer overflow. With a specially crafted request, an attacker can cause arbitrary code execution resulting in a loss of integrity.

[CLOSE] OSVDB ID : 16866 - Disclosed: 2005-05-26

Description:

A remote overflow exists in Terminator 3: War of the Machines. The application fails to perform proper bounds checking resulting in a buffer overflow. With a specially crafted request containing an overly long CD-key hash, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.

[CLOSE] OSVDB ID : 877 - Disclosed: 2003-01-20

Description:

RFC compliant web servers support the TRACE HTTP method, which contains a flaw that may lead to an unauthorized information disclosure. The TRACE method is used to debug web server connections and allows the client to see what is being received at the other end of the request chain. Enabled by default in all major web servers, a remote attacker may abuse the HTTP TRACE functionality, i.e. cross-site scripting (XSS), which will disclose sensitive configuration information resulting in a loss of confidentiality.

[CLOSE] OSVDB ID : 382 - Disclosed: 1999-07-17

Description:

By default, PostgresSQL installs without a default password for the postgres user account. This username and password combination is publicly known and documented. This allows attackers to trivially access the program or system with administrative priveleges.

[CLOSE] OSVDB ID : 4030 - Disclosed: 2004-04-20

Description:

The TCP stack implementation of numerous vendors contains a flaw that may allow a remote denial of service. The issue is triggered when spoofed TCP Reset packets are received by the targeted TCP stack, and will result in loss of availability for the attacked TCP services.

[CLOSE] OSVDB ID : 25257 - Disclosed: 2006-05-04

Description:

Big Webmaster Guestbook contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'name', 'mail', 'site', 'city', 'state' and 'country' fields upon submission to the 'addguest.cgi' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 22297 - Disclosed: 2006-01-09

Description:

VenomBoard contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the add_post.php3 script not properly sanitizing user-supplied input to the 'topic_id', 'root' and 'parent' variables. This may allow an attacker to inject or manipulate SQL queries in the backend database.

[CLOSE] OSVDB ID : 12627 - Disclosed: 2004-12-27

Description:

PHProxy contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the error variable upon submission to the index.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 16876 - Disclosed: 2005-05-26

Description:

BookReview contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'node' variable upon submission to the 'add_url.htm' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 3092 - Disclosed: 1994-01-01

Description:

A potentially interesting file, directory or CGI was found on the web server. While there is no known vulnerability or exploit associated with this, it may contain sensitive information which can be disclosed to unauthenticated remote users, or aid in more focused attacks.

[CLOSE] OSVDB ID : 944 - Disclosed: 1999-02-11

Description:

Allaire Forums contains a flaw that allows remote attackers to retrieve arbitrary files from the system through the GetFile.cfm program. This could allow information disclosure and lead to system compromise.

[CLOSE] OSVDB ID : 49243 - Disclosed: 2008-10-23

Description:

Microsoft Windows Server Service contains a flaw that may allow a malicious user to remotely execute arbitrary code. The issue is triggered when a crafted RPC request is handled. It is possible that the flaw may allow remote code execution resulting in a loss of integrity.

[CLOSE] OSVDB ID : 36385 - Disclosed: 2007-08-14

Description:

A buffer overflow exists in Windows Media Player 11. The player fails to handle the space allocated for uncompressing a compressed skin file resulting in a heap overflow. With a specially crafted file, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.

[CLOSE] OSVDB ID : 25261 - Disclosed: 2006-04-28

Description:

(Description Provided by CVE) : PHP remote file inclusion vulnerability in admin/addentry.php in phpBB Advanced Guestbook 2.4.0 and earlier, when register_globals is enabled, allows remote attackers to include arbitrary files via the phpbb_root_path parameter.

[CLOSE] OSVDB ID : 3592 - Disclosed: 2003-01-29

Description:

dotProject contains a flaw that allows a remote attacker to include arbitrary files. The issue is due to numerous scripts that call the classdefs/date.php script without defining or restricting the $root_dir variable. This allows an attacker to set the variable to an arbitrary server/path/file name which may include malicious commands that would be executed on the vulnerable server.

[CLOSE] OSVDB ID : 29725 - Disclosed: 2006-10-12

Description:

AFGB Guestbook contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to add.php not properly sanitizing user input supplied to the 'Htmls' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

[CLOSE] OSVDB ID : 132 - Disclosed: 1997-10-04

Description:

By default, HP Jet Direct printers install without a password. This lack of password is publicly known and documented. This allows attackers to trivially access the system.

[CLOSE] OSVDB ID : 6704 - Disclosed: 2004-05-04

Description:

MoinMoin contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when an attacker creates a user with the same name as an administrative group. This flaw may lead to a loss of integrity.

[CLOSE] OSVDB ID : 26127 - Disclosed: 2006-06-06

Description:

myNewsletter contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the adminLogin.asp script not properly sanitizing user-supplied input to the 'UserName' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.

[CLOSE] OSVDB ID : 23246 - Disclosed: 2006-02-16

Description:

By default, some Kyocera printers install with an default password. The 'admin' account has an empty password, which is publicly known and documented. This allows attackers to trivially access the system.

[CLOSE] OSVDB ID : 34323 - Disclosed: 2007-04-16

Description:

A remote overflow exists in the Download Manager Active X Control. The 'GetPrivateProfileSectionW()' function gets passed the wrong value for its 'nSize' parameter for wide characters, resulting in a stack overflow. With a specially crafted request, an attacker can execute arbitrary code in the trust relationship between the client and the browser, resulting in a loss of integrity.

[CLOSE] OSVDB ID : 38669 - Disclosed: 2007-11-12

Description:

Boinc Forum contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate 'search_string' variables upon submission to the forum_text_search_action.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 24120 - Disclosed: 2006-03-25

Description:

ssCMS contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'keywords' variable upon submission to the search.aspx script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 30768 - Disclosed: 2000-09-15

Description:

By default, APC installs with a default password on the integrated HTTP server (TCP Port 3052). The 'apc' account has a password of 'apc' which is publicly known and documented. This allows attackers to trivially access the program or system.

[CLOSE] OSVDB ID : 44642 - Disclosed: 2008-04-23

Description:

HD Audio Codec Driver contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered by a specially crafted IOCTL request, and allows an attacker to create, read and write arbitrary registry keys. This flaw may lead to a loss of integrity.

[CLOSE] OSVDB ID : 26352 - Disclosed: 2006-06-11

Description:

Content*Builder contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the /modules/guestbook/guestbook.inc.php script not properly sanitizing user input supplied to the 'path[cb]' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

[CLOSE] OSVDB ID : 20712 - Disclosed: 2005-11-08

Description:

ASP-Programmers ASPKnowledgebase contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the adminlogin.asp script not properly sanitizing user-supplied input to the pwd variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.

[CLOSE] OSVDB ID : 3511 - Disclosed: 2004-01-08

Description:

By default, the EDIMAX AR-6004 Full Rate ADSL Router installs with a default password. The admin account has a password of 1234 which is publicly known and documented. This allows attackers to trivially access the program or system.

[CLOSE] OSVDB ID : 18695 - Disclosed: 2005-08-12

Description:

Veritas Backup Exec for Windows Servers contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote user sends a CONNECT_CLIENT_AUTH request with a hardcoded password value to trigger the flaw. If successful, the flaw will disclose arbitrary files that are accessible via the Windows system account, resulting in a loss of confidentiality.

[CLOSE] OSVDB ID : 32397 - Disclosed: 2006-12-21

Description:

opentaps contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'SEARCH_STRING' variable upon submission to the keywordsearch script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 630 - Disclosed: 2000-07-13

Description:

Microsoft IIS contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when attempting to access an area protected via basic HTTP authentication without providing realm information, making a request without a host: header, or by trying to access a resource that has been moved (302). This may disclose the internal IP address or network name in the response header resulting in a loss of confidentiality.

[CLOSE] OSVDB ID : 20954 - Disclosed: 2005-11-18

Description:

VP-ASP Shopping Cart contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the "UserName" variable upon submission to the shopadmin.asp script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 12548 - Disclosed: 2004-12-14

Description:

ASP-Rider contains a flaw that will allow a remote attacker to inject arbitrary SQL code. The problem is that the 'username' parameter in the 'verify.asp' script is not verified properly and will allow an attacker to inject or manipulate SQL queries.

[CLOSE] OSVDB ID : 22191 - Disclosed: 2006-01-02

Description:

B-net Software contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'title' and 'message' variables upon submission to the guestbook.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 31367 - Disclosed: 2006-09-25

Description:

BirdBlog contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'entryid' variable upon submission to the 'comment.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.