Total: 5466 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2009-0357 | 1 Mozilla | 2 Firefox, Seamonkey | 2017-09-29 | 5.0 MEDIUM | N/A | Mozilla Firefox before 3.0.6 and SeaMonkey before 1.1.15 do not properly restrict access from web pages to the (1) Set-Cookie and (2) Set-Cookie2 HTTP response headers, which allows remote attackers to obtain sensitive information from cookies via XMLHttpRequest calls, related to the HTTPOnly protection mechanism. |
| CVE-2009-0355 | 1 Mozilla | 1 Firefox | 2017-09-29 | 5.4 MEDIUM | N/A | components/sessionstore/src/nsSessionStore.js in Mozilla Firefox before 3.0.6 does not block changes of INPUT elements to type="file" during tab restoration, which allows user-assisted remote attackers to read arbitrary files on a client machine via a crafted INPUT element. |
| CVE-2009-0336 | 1 Katywhitton | 1 Blogit! | 2017-09-29 | 5.0 MEDIUM | N/A | Katy Whitton BlogIt! stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the database file containing user credentials via a direct request for database/Blog.mdb. NOTE: some of these details are obtained from third party information. |
| CVE-2009-0328 | 1 Robs-projects | 1 Digital Sales Ipn | 2017-09-29 | 5.0 MEDIUM | N/A | ROBS-PROJECTS Digital Sales IPN (aka DS-IPN.NET or DS-IPN Paypal Shop) stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the database file containing user credentials via a direct request for Database/Sales.mdb. |
| CVE-2009-0250 | 1 Ryneezy | 1 Phosheezy | 2017-09-29 | 5.0 MEDIUM | N/A | Ryneezy phoSheezy 0.2 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the file containing the administrator's password hash via a direct request for config/password. |
| CVE-2009-0249 | 1 Katywhitton | 1 Rankem | 2017-09-29 | 5.0 MEDIUM | N/A | Katy Whitton RankEm stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing credentials via a direct request for database/topsites.mdb. |
| CVE-2009-0108 | 1 Phpauctions | 1 Phpauctions | 2017-09-29 | 7.5 HIGH | N/A | PHPAuctions (aka PHPAuctionSystem) allows remote attackers to bypass authentication and gain administrative access via modified (1) PHPAUCTION_RM_ID, (2) PHPAUCTION_RM_NAME, (3) PHPAUCTION_RM_USERNAME, and (4) PHPAUCTION_RM_EMAIL cookies. |
| CVE-2008-7188 | 1 Clip-share | 1 Clipshare | 2017-09-29 | 7.5 HIGH | N/A | ClipShare 2.6 does not properly restrict access to certain functionality, which allows remote attackers to change the profile of arbitrary users via a modified uid variable to siteadmin/useredit.php. NOTE: this can be used to recover the password of the user by using the modified e-mail address in the email parameter to recoverpass.php. |
| CVE-2008-7181 | 1 Butterflymedia | 1 Butterfly Organizer | 2017-09-29 | 7.5 HIGH | N/A | Butterfly Organizer 2.0.0 allows remote attackers to (1) delete arbitrary categories via a modified tablehere parameter to category-delete.php with the is_js_confirmed parameter set to 1, or (2) delete arbitrary accounts via the mytable parameter to delete.php. |
| CVE-2008-7172 | 1 Yanick Bourbeau | 1 Lightweight News Portal | 2017-09-29 | 7.5 HIGH | N/A | Lightweight news portal (LNP) 1.0b does not properly restrict access to administrator functionality, which allows remote attackers to gain administrator privileges via direct requests to admin.php with the (1) potd_delete, (2) potd, (3) vote_update, (4) vote, or (5) modifynews actions. |
| CVE-2008-7167 | 1 Sami Ekblad | 1 Page Manager | 2017-09-29 | 7.5 HIGH | N/A | Unrestricted file upload vulnerability in upload.php in Page Manager 2006-02-04 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an unspecified directory. |
| CVE-2008-7157 | 1 Ekinboard | 1 Ekinboard | 2017-09-29 | 6.8 MEDIUM | N/A | Unrestricted file upload vulnerability in EkinBoard 1.1.0 and earlier allows remote attackers to execute arbitrary code by uploading an avatar file with an executable extension followed by a safe extension, then accessing it via a direct request to the file in uploaded/avatars/. |
| CVE-2008-7118 | 1 Webidsupport | 1 Webid | 2017-09-29 | 5.0 MEDIUM | N/A | WeBid auction script 0.5.4 stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain SQL query logs via a direct request for logs/cron.log. |
| CVE-2008-7117 | 1 Webidsupport | 1 Webid | 2017-09-29 | 5.0 MEDIUM | N/A | eledicss.php in WeBid auction script 0.5.4 allows remote attackers to modify arbitrary cascading style sheets (CSS) files via a certain request with the file parameter set to style.css. NOTE: this can probably be leveraged for cross-site scripting (XSS) attacks. |
| CVE-2008-7115 | 1 Belkin | 2 F5d7632-4, Wireless G Router | 2017-09-29 | 10.0 HIGH | N/A | The web interface to the Belkin Wireless G router and ADSL2 modem F5D7632-4V6 with firmware 6.01.08 allows remote attackers to bypass authentication and gain administrator privileges via a direct request to (1) statusprocess.exe, (2) system_all.exe, or (3) restore.exe in cgi-bin/. NOTE: the setup_dns.exe vector is already covered by CVE-2008-1244. |
| CVE-2008-7080 | 1 Phpclassifiedsscript | 1 Php Classifieds Script | 2017-09-29 | 5.0 MEDIUM | N/A | Team PHP PHP Classifieds Script stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain database credentials via a direct request for admin/backup/datadump.sql. |
| CVE-2008-7076 | 1 Kalptaru Infotech | 1 Stararticles | 2017-09-29 | 6.5 MEDIUM | N/A | Unrestricted file upload vulnerability in user.modify.profile.php in Kalptaru Infotech Ltd. Star Articles 6.0 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension as a profile photo, then accessing it via a direct request to the file in authorphoto/. |
| CVE-2008-7066 | 1 2enetworx | 1 Openforum | 2017-09-29 | 7.5 HIGH | N/A | OpenForum 0.66 Beta allows remote attackers to bypass authentication and reset passwords of other users via a direct request with the update parameter set to 1 and modified user and password parameters. |
| CVE-2008-7062 | 1 Lovecms | 1 Lovecms | 2017-09-29 | 6.8 MEDIUM | N/A | Unrestricted file upload vulnerability in admin/index.php in Download Manager module 1.0 for LoveCMS 1.6.2 Final allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in uploads/. |
| CVE-2008-7056 | 1 Grayscalecms | 1 Bandsite Cms | 2017-09-29 | 5.0 MEDIUM | N/A | BandSite CMS 1.1.4 does not perform access control for adminpanel/phpmydump.php, which allows remote attackers to obtain copies of the database via a direct request. |
