Total
5476 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2008-7172 | 1 Yanick Bourbeau | 1 Lightweight News Portal | 2025-04-09 | N/A |
| Lightweight news portal (LNP) 1.0b does not properly restrict access to administrator functionality, which allows remote attackers to gain administrator privileges via direct requests to admin.php with the (1) potd_delete, (2) potd, (3) vote_update, (4) vote, or (5) modifynews actions. | ||||
| CVE-2008-6051 | 1 Metalinks | 1 Metacart | 2025-04-09 | N/A |
| MetaCart Free stores metacart.mdb under the web root with insufficient access control, which allows remote attackers to obtain usernames and passwords via a direct request. | ||||
| CVE-2008-6643 | 1 Lokicms | 1 Lokicms | 2025-04-09 | N/A |
| LokiCMS 0.3.4 and possibly earlier versions does not properly restrict access to administrative functions, which allows remote attackers to bypass intended restrictions and modify configuration settings via the LokiACTION parameter in a direct request to admin.php. | ||||
| CVE-2008-6770 | 1 Peterselie | 1 Yourplace | 2025-04-09 | N/A |
| YourPlace 1.0.2 and earlier stores sensitive information under the web root with insufficient access control, which allows remote attackers to a database containing user credentials via a direct request for users.txt. | ||||
| CVE-2008-5980 | 1 Ocean12 Technologies | 1 Mailing List Manager | 2025-04-09 | N/A |
| Ocean12 Mailing List Manager Gold stores sensitive data under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for o12mail.mdb. | ||||
| CVE-2008-5951 | 1 Aspapps | 1 Template Creature | 2025-04-09 | N/A |
| ASP Template Creature stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the database file via a direct request for workDB/templatemonster.mdb. | ||||
| CVE-2008-6886 | 1 Rsa | 1 Envision | 2025-04-09 | N/A |
| RSA EnVision 3.5.0, 3.5.1, 3.5.2, and 3.7.0 does not properly restrict access to unspecified user profile functionality, which allows remote attackers to obtain the administrator password hash and conduct brute force guessing attacks. | ||||
| CVE-2008-5935 | 1 Factosystem | 1 Factosystem Weblog | 2025-04-09 | N/A |
| Facto stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the database file containing the password via a direct request for database/facto.mdb. NOTE: some of these details are obtained from third party information. | ||||
| CVE-2007-2815 | 1 Microsoft | 1 Internet Information Services | 2025-04-09 | N/A |
| The "hit-highlighting" functionality in webhits.dll in Microsoft Internet Information Services (IIS) Web Server 5.0 only uses Windows NT ACL configuration, which allows remote attackers to bypass NTLM and basic authentication mechanisms and access private web directories via the CiWebhitsfile parameter to null.htw. | ||||
| CVE-2008-5932 | 1 Codeavalanche | 1 Freeforum | 2025-04-09 | N/A |
| CodeAvalanche FreeForum stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the database file containing the password via a direct request for _private/CAForum.mdb. NOTE: some of these details are obtained from third party information. | ||||
| CVE-2008-5925 | 1 Asp-dev | 1 Xm Events Diary | 2025-04-09 | N/A |
| ASP-DEv XM Events Diary stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the database file via a direct request for diary.mdb. | ||||
| CVE-2009-0802 | 1 Qbik | 1 Wingate | 2025-04-09 | N/A |
| Qbik WinGate, when transparent interception mode is enabled, uses the HTTP Host header to determine the remote endpoint, which allows remote attackers to bypass access controls for Flash, Java, Silverlight, and probably other technologies, and possibly communicate with restricted intranet sites, via a crafted web page that causes a client to send HTTP requests with a modified Host header. | ||||
| CVE-2009-2705 | 2 Broadcom, Sun | 2 Siteminder, J2ee | 2025-04-09 | N/A |
| CA SiteMinder allows remote attackers to bypass cross-site scripting (XSS) protections for J2EE applications via a request containing non-canonical, "overlong Unicode" in place of blacklisted characters. | ||||
| CVE-2008-6957 | 1 Discuz | 1 Discuz\! | 2025-04-09 | N/A |
| member.php in Crossday Discuz! Board allows remote attackers to reset passwords of arbitrary users via crafted (1) lostpasswd and (2) getpasswd actions, possibly involving predictable generation of the id parameter. | ||||
| CVE-2008-5916 | 1 Git | 1 Git | 2025-04-09 | N/A |
| gitweb/gitweb.perl in gitweb in Git 1.6.x before 1.6.0.6, 1.5.6.x before 1.5.6.6, 1.5.5.x before 1.5.5.6, 1.5.4.x before 1.5.4.7, and other versions after 1.4.3 allows local repository owners to execute arbitrary commands by modifying the diff.external configuration variable and executing a crafted gitweb query. | ||||
| CVE-2008-6940 | 1 Turnkeyforms | 1 Web Hosting Directory | 2025-04-09 | N/A |
| TurnkeyForms Web Hosting Directory stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain a database backup via a direct request to admin/backup/db. | ||||
| CVE-2008-7062 | 1 Lovecms | 1 Lovecms | 2025-04-09 | N/A |
| Unrestricted file upload vulnerability in admin/index.php in Download Manager module 1.0 for LoveCMS 1.6.2 Final allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in uploads/. | ||||
| CVE-2008-7117 | 1 Webidsupport | 1 Webid | 2025-04-09 | N/A |
| eledicss.php in WeBid auction script 0.5.4 allows remote attackers to modify arbitrary cascading style sheets (CSS) files via a certain request with the file parameter set to style.css. NOTE: this can probably be leveraged for cross-site scripting (XSS) attacks. | ||||
| CVE-2008-7118 | 1 Webidsupport | 1 Webid | 2025-04-09 | N/A |
| WeBid auction script 0.5.4 stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain SQL query logs via a direct request for logs/cron.log. | ||||
| CVE-2008-7219 | 1 Horde | 5 Groupware, Groupware Webmail Edition, Kronolith H3 and 2 more | 2025-04-09 | N/A |
| Horde Kronolith H3 2.1 before 2.1.7 and 2.2 before 2.2-RC2; Nag H3 2.1 before 2.1.4 and 2.2 before 2.2-RC2; Mnemo H3 2.1 before 2.1.2 and H3 2.2 before 2.2-RC2; Groupware 1.0 before 1.0.3 and 1.1 before 1.1-RC2; and Groupware Webmail Edition 1.0 before 1.0.4 and 1.1 before 1.1-RC2 does not validate ownership when performing share changes, which has unknown impact and attack vectors. | ||||