NVD2007

Reviews

Shared by: vivi07

Tags

Stats

views:: 0
rating:: not rated
reviews:: 0
posted:: 11/8/2009
language:: English
pages:: 0

CVE number CVE-2007-0234 Score 0 CVE-2007-0253 7 CVE-2007-0279 7 CVE-2007-0292 7 CVE-2007-0295 3.3 CVE-2007-0525 7 Severity Description ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-20070243. Reason: This candidate is a duplicate of CVE-2007-0243. Notes: All CVE users should reference CVE-2007-0243 instead of this candidate. All references and descriptions in this candidate have been removed to prevent Low accidental usage. ** DISPUTED ** Unspecified vulnerability in the grsecurity patch has unspecified impact and remote attack vectors, a different vulnerability than the expand_stack vulnerability from the Digital Armaments 20070110 pre-advisory. NOTE: the grsecurity developer has disputed this issue, stating that "the function they claim the vulnerability to be in is a trivial function, which can, and has been, easily checked for any supposed vulnerabilities." The developer also cites a past disclosure that was not proven. High Multiple unspecified vulnerabilities in Oracle HTTP Server 9.2.0.8 and Oracle E-Business Suite and Applications 11.5.10CU2 have unknown impact and attack vectors, aka (1) OHS01, (2) OHS02, (3) OHS05, (4) OHS06, High and (5) OHS07. Multiple unspecified vulnerabilities in Oracle Enterprise Manager 10.1.0.5 have unknown impact and attack vectors related to Oracle Agent, aka (1) EM01 and (2) EM02. NOTE: High EM05 might be related to CVE-2007-0222. Unspecified vulnerability in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.22.13 and 8.47.11 has unknown impact and attack vectors in PeopleTools, aka PSE01. Low Multiple buffer overflows in Nickolas Grigoriadis Mini Web server (MiniWebsvr) before 0.05 have unknown impact and attack vectors. High Loss Type AVAIL AVAIL AVAIL AVAIL AVAIL AVAIL CVE-2007-0621 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-20066456. Reason: This candidate is a duplicate of CVE-2006-6456. It was assigned for a targeted zero-day attack, but further analysis revealed it was for an older issue. Notes: All CVE users should reference CVE-2006-6456 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. AVAIL ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-20070396. Reason: This candidate is a duplicate of CVE-2007-0396. Notes: All CVE users should reference CVE-2007-0396 instead of this candidate. All references and descriptions in this candidate have been removed to prevent 0 Low AVAIL accidental usage. Multiple unspecified vulnerabilities in Ian Bezanson DropBox before 0.0.4 beta have unknown impact and attack vectors, possibly 7 High AVAIL related to a variable extraction vulnerability. Integer overflow in the str_replace function in PHP 4.4.5 and PHP 5.2.1 allows contextdependent attackers to have an unknown impact via a single character search string in conjunction with a single character replacement string, which causes an "off by one overflow." 5.6 Medium AVAIL Buffer overflow in the parsecmd function in bftpd before 1.8 has unknown impact and attack 2.3 Low AVAIL vectors related to the confstr variable. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-20071861. Reason: This candidate is a duplicate of CVE-2007-1861. Notes: All CVE users should reference CVE-2007-1861 instead of this candidate. All references and descriptions in this candidate have been removed to prevent 0 Low AVAIL accidental usage. The Terminal Server in Microsoft Windows 2003 Server, when using TLS, allows remote attackers to bypass SSL and self-signed certificate requirements, downgrade the server security, and possibly conduct man-in-themiddle attacks via unspecified vectors, as demonstrated using the Remote Desktop Protocol (RDP) 6.0 client. NOTE: a third party claims that the vendor may have fixed this in 7 High AVAIL approximately 2006. 0 Low CVE-2007-0818 CVE-2007-0974 CVE-2007-1886 CVE-2007-2051 CVE-2007-2436 CVE-2007-2593 CVE-2007-0054 7 High CVE-2007-0056 Cross-site scripting (XSS) vulnerability in gbrowse.php in Belchior Foundry vCard PRO allows remote attackers to inject arbitrary web script or HTML via the sortby parameter. Multiple cross-site scripting (XSS) vulnerabilities in AShop Deluxe 4.5 and AShop Administration Panel allow remote attackers to inject arbitrary web script or HTML via the (1) cat parameter to (a) ashop/catalogue.php and (b) ashop/basket.php, the (2) exp parameter to ashop/catalogue.php, the (3) searchstring parameter to (c) ashop/search.php, the (4) checkout and (5) action parameters to (d) ashop/shipping.php, the cat parameter to (f) cart-path/admin/editcatalogue.php, and the (7) resultpage parameter to (g) cartpath/admin/salesadmin.php. AVAIL 7 High CVE-2007-0083 5.6 CVE-2007-0106 5.6 CVE-2007-0110 7 CVE-2007-0119 7 CVE-2007-0121 7 AVAIL Cross-site scripting (XSS) vulnerability in Nuked Klan 1.7 and earlier allows remote attackers to inject arbitrary web script or HTML via a javascript: URI in a getURL statement in a .swf file, as demonstrated by "Remote Cookie Disclosure." NOTE: it could be argued that this is an issue in Shockwave instead of Nuked Medium Klan. AVAIL Cross-site scripting (XSS) vulnerability in the CSRF protection scheme in WordPress before 2.0.6 allows remote attackers to inject arbitrary web script or HTML via a CSRF attack with an invalid token and quote characters or HTML tags in URL variable names, which are not properly handled when WordPress generates a new link to verify the request. Medium AVAIL Cross-site scripting (XSS) vulnerability in nidp/idff/sso in Novell Access Manager Identity Server before 3.0.0-1013 allows remote attackers to inject arbitrary web script or HTML via the IssueInstant parameter, which is not properly handled in the resulting error message. High AVAIL Multiple cross-site scripting (XSS) vulnerabilities in EditTag 1.2 allow remote attackers to inject arbitrary web script or HTML via the plain parameter to (1) mkpw_mp.cgi, (2) High AVAIL mkpw.pl, or (3) mkpw.cgi. Cross-site scripting (XSS) vulnerability in search.asp in RI Blog 1.3 allows remote attackers to inject arbitrary web script or HTML High AVAIL via the q parameter. CVE-2007-0136 Multiple cross-site scripting (XSS) vulnerabilities in Drupal before 4.6.11, and 4.7 before 4.7.5, allow remote attackers to inject arbitrary web script or HTML via unspecified parameters in the (1) filter and (2) system modules. NOTE: some of these details are obtained from third party information. 5.6 Medium AVAIL Cross-site scripting (XSS) vulnerability in SimpleBoxes/SerendipityNZ Serene Bach 2.05R and earlier, and 2.08D and earlier in the 2.08 series; and (2) sb 1.13D and earlier, and 1.18R and earlier in the 1.18 series; allows remote attackers to inject arbitrary web script or Medium HTML via unspecified vectors. AVAIL Cross-site scripting (XSS) vulnerability in yald.php in Yet Another Link Directory 1.0 allows remote attackers to inject arbitrary web script or HTML via the search parameter. Medium AVAIL Cross-site scripting (XSS) vulnerability in search.asp in Digitizing Quote And Ordering System 1.0 allows remote authenticated attackers to inject arbitrary web script or HTML High AVAIL via the ordernum parameter. Multiple cross-site scripting (XSS) vulnerabilities in Fix and Chips CMS 1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter in (a) deleteannounce.php; the (2) Announcement form field in (b) staff.php; the (3) Client Name, (4) Business Name, (5) Street, (6) Address 2, (7) Town/City, (8) Postcode, (9) Phone Number, (10) Email Address and (11) Website Address form fields in (c) new_customer.php; and unspecified fields in (d) search.php and (e) Low AVAIL client-results.php. Cross-site scripting (XSS) vulnerability in htsrv/login.php in b2evolution 1.8.6 allows remote attackers to inject arbitrary web script or HTML via scriptable attributes in the redirect_to parameter. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. High AVAIL Cross-site scripting (XSS) vulnerability in search/advanced_search.php in GForge 4.5.11 allows remote attackers to inject arbitrary web script or HTML via the words parameter. High AVAIL CVE-2007-0137 5.6 CVE-2007-0141 5.6 CVE-2007-0144 7 CVE-2007-0146 3.4 CVE-2007-0175 7 CVE-2007-0176 7 CVE-2007-0177 CVE-2007-0183 CVE-2007-0186 CVE-2007-0191 CVE-2007-0204 CVE-2007-0225 Cross-site scripting (XSS) vulnerability in the AJAX module in MediaWiki before 1.6.9, 1.7 before 1.7.2, 1.8 before 1.8.3, and 1.9 before 1.9.0rc2, when wgUseAjax is enabled, allows remote attackers to inject arbitrary web script or 5.6 Medium HTML via unspecified vectors. AVAIL Cross-site scripting (XSS) vulnerability in /search in iPlanet Web Server 4.x allows remote attackers to inject arbitrary web script or HTML via the NS-max-records parameter. NOTE: The provenance of this information is unknown; the details are obtained solely from third party 5.6 Medium information. AVAIL Multiple cross-site scripting (XSS) vulnerabilities in F5 FirePass SSL VPN allow remote attackers to inject arbitrary web script or HTML via (1) the xcho parameter to my.logon.php3; the (2) topblue, (3) midblue, (4) wtopblue, and certain other Custom color parameters in a per action to vdesk/admincon/index.php; the (5) h321, (6) h311, (7) h312, and certain other Front Door custom text color parameters in a per action to vdesk/admincon/index.php; the (8) ua parameter in a bro action to vdesk/admincon/index.php; the (9) app_param and (10) app_name parameters to webyfiers.php; (11) double eval functions; (12) JavaScript contained in an element; and (13) the vhost parameter to my.activation.php. NOTE: it is possible that this candidate overlaps CVE7 High AVAIL 2006-3550. Cross-site scripting (XSS) vulnerability in admin.php in MKPortal allows remote attackers to inject arbitrary web script or HTML via two certain fields in a contents_new operation in the ad_contents section. 7 High AVAIL Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before 2.9.2-rc1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: some of these details are obtained from third 7 High AVAIL party information, Cross-site scripting (XSS) vulnerability in shopcustadmin.asp in VP-ASP Shopping Cart 6.09 and earlier allows remote attackers to inject arbitrary web script or HTML via the msg 7 High AVAIL parameter. CVE-2007-0231 CVE-2007-0249 CVE-2007-0258 CVE-2007-0265 CVE-2007-0275 CVE-2007-0302 CVE-2007-0308 CVE-2007-0331 Cross-site scripting (XSS) vulnerability in Movable Type (MT) 3.33, when nofollow is disabled and unmoderated comments are enabled, allows remote attackers to inject arbitrary web script or HTML via the Comments 5.6 Medium field. AVAIL Cross-site scripting (XSS) vulnerability in index.php in Nwom topsites 3.0 allows remote attackers to inject arbitrary web script or HTML 7 High AVAIL via the o parameter. Cross-site scripting (XSS) vulnerability in index.php in (1) Fastilo 2.0 and (2) Open Solution Quick.Cart 2.0 allows remote attackers to inject arbitrary web script or HTML via the p parameter. NOTE: some of these details are obtained from third party information. 7 High AVAIL Multiple cross-site scripting (XSS) vulnerabilities in Ezboxx Portal System Beta 0.7.6 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the pic parameter to custom/piczoom.asp, (2) the nocatname parameter to boxx/user-upload.asp, or (3) the iid parameter to 5.6 Medium indexes/newscomments.asp. AVAIL Cross-site scripting (XSS) vulnerability in Oracle Reports Web Cartridge (RWCGI60) in the Workflow Cartridge component, as used in Oracle Database 9.2.0.8, 10.1.0.5, and 10.2.0.3; Application Server 9.0.4.3, 10.1.2.0.2, and 10.1.2.2; Collaboration Suite 10.1.2; and Oracle E-Business Suite and Applications 11.5.10CU2; allows remote authenticated users to inject arbitrary HTML or web script via the genuser parameter to rwcgi60, aka OWF01. 2.8 Low AVAIL Multiple cross-site scripting (XSS) vulnerabilities in InstantASP 4.1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) SessionID parameter to (a) Logon.aspx, and the (2) Username and (3) Update parameters to (b) Members1.aspx. 5.6 Medium AVAIL Cross-site scripting (XSS) vulnerability in Plain Black WebGUI before 7.3.4 (beta) allows remote attackers to inject arbitrary web script or 7 High AVAIL HTML via Wiki Page titles. Cross-site scripting (XSS) vulnerability in liens.php3 in liens_dynamiques 2.1 allows remote attackers to inject arbitrary web script or HTML by using the ajouter=1 query string and 7 High AVAIL the add menu. CVE-2007-0341 Cross-site scripting (XSS) vulnerability in phpMyAdmin 2.8.1 and earlier, when Microsoft Internet Explorer 6 is used, allows remote attackers to inject arbitrary web script or HTML via a javascript: URI in a CSS style in the convcharset parameter to the top-level URI, a different vulnerability than CVE-2005-0992. 5.6 Medium AVAIL Cross-site scripting (XSS) vulnerability in (1) index.php and (2) login.php in myBloggie 2.1.5 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO string. 7 High AVAIL Cross-site scripting (XSS) vulnerability in the RSS feed component in FreshReader before 1.0.07010600 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly related to tag attributes. 7 High AVAIL Cross-site scripting (XSS) vulnerability in adminsearch.php in (1) Openads for PostgreSQL (aka phpPgAds) before 2.0.10 and (2) Openads (aka phpAdsNew) before 2.0.10 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters. 7 High AVAIL Multiple cross-site scripting (XSS) vulnerabilities in nicecoder.com INDEXU 5.3 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) error_msg parameter to (a) suggest_category.php; the (2) u parameter to (b) user_detail.php; the (3) friend_name, (4) friend_email, (5) error_msg, (6) my_name, (7) my_email, and (8) id parameters to (c) tell_friend.php; the (9) error_msg, (10) email, (11) name, and (12) subject parameters to (d) sendmail.php; the (13) email, (14) error_msg, and (15) username parameters to (e) send_pwd.php; the (16) keyword parameter to (f) search.php; the (17) error_msg, (18) username, (19) password, (20) password2, and (21) email parameters to (g) register.php; the (22) url, (23) contact_name, and (24) email parameters to (h) power_search.php; the (25) path and (26) total parameters to (i) new.php; the (27) query parameter to (j) modify.php; the (28) error_msg parameter to (k) login.php; the (29) error_msg and (30) email parameters to (l) mailing_list.php; the (31) gateway parameter to (m) upgrade.php; and another unspecified AVAIL vector. CVE-2007-0353 CVE-2007-0362 CVE-2007-0363 CVE-2007-0364 7 High CVE-2007-0365 Multiple cross-site scripting (XSS) vulnerabilities in All In One Control Panel (AIOCP) 1.3.009 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: this is probably a different vulnerability than CVE-2006-5830. 7 High AVAIL Cross-site scripting (XSS) vulnerability in Virtuemart 1.0.7 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Cross-site scripting (XSS) vulnerability in DocMan 1.3 RC2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Cross-site scripting (XSS) vulnerability in preview in the reviews section in PostNuke 0.764 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. CVE-2007-0376 7 High CVE-2007-0379 AVAIL 7 High CVE-2007-0384 AVAIL 5.6 Medium CVE-2007-0390 CVE-2007-0398 CVE-2007-0399 CVE-2007-0400 CVE-2007-0402 AVAIL Cross-site scripting (XSS) vulnerability in index.php in sabros.us 1.7 allows remote attackers to inject arbitrary web script or HTML 7 High AVAIL via the tag parameter. Multiple cross-site scripting (XSS) vulnerabilities in forum.php3 in Arnaud Guyonne (aka Arnotic) a-forum allow remote attackers to inject arbitrary web script or HTML via the (1) 7 High AVAIL Sujet or (2) Pseudo field. Multiple cross-site scripting (XSS) vulnerabilities in index.php in Simple Machines Forum (SMF) 1.1 RC3 allow remote authenticated users to inject arbitrary web script or HTML via the (1) recipient or (2) BCC field when selecting send in a pm action. 4.2 Medium AVAIL Cross-site scripting (XSS) vulnerability in admin/memberlist.php in Easebay Resources Login Manager 3.0 allows remote attackers to inject arbitrary web script or HTML via the 7 High AVAIL keyword parameter. Cross-site scripting (XSS) vulnerability in admin/edit_member.php in Easebay Resources Paypal Subscription Manager allows remote attackers to inject arbitrary web script or HTML via the username parameter. 7 High AVAIL CVE-2007-0407 CVE-2007-0477 CVE-2007-0483 CVE-2007-0514 CVE-2007-0526 CVE-2007-0537 CVE-2007-0542 Cross-site scripting (XSS) vulnerability in Operation/User.pm in Plain Black WebGUI before 7.3.5 (beta) allows remote attackers to inject arbitrary web script or HTML via the username parameter during anonymous registration, a different vector than CVE-20070308. NOTE: it is possible that a separate 7 High AVAIL "WikiPage titles" issue was also fixed. Cross-site scripting (XSS) vulnerability in Openads 2.0.x before 2.0.10, 2.3 before 2.3.31 (aka Max Media Manager before 0.3.31-alphapr2), and phpAdsNew/phpPgAds before 2.0.9pr1 allows remote attackers to inject arbitrary web script or HTML via (1) the keyword parameter in admin-search.php and (2) affiliatesearch.php. NOTE: this issue may overlap CVE2007-0363. 7 High AVAIL Multiple cross-site scripting (XSS) vulnerabilities in Enthusiast 3.1 allow remote attackers to inject arbitrary web script or HTML via the URI for (1) show_owned.php or (2) show_joined.php. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. 7 High AVAIL Multiple cross-site scripting (XSS) vulnerabilities in multiple Hitachi Web Server, uCosminexus, and Cosminexus products before 20070124 allow remote attackers to inject arbitrary web script or HTML via (1) HTTP 7 High AVAIL Expect headers or (2) image maps. Multiple cross-site scripting (XSS) vulnerabilities in Bitweaver 1.3.1 allow remote attackers to inject arbitrary web script or HTML via the URL (PATH_INFO) to (1) articles/edit.php, (2) articles/list.php, (3) blogs/list_blogs.php, or (4) blogs/rankings.php. 2.3 Low AVAIL The KDE HTML library (kdelibs), as used by Konqueror 3.5.5, does not properly parse HTML comments, which allows remote attackers to conduct cross-site scripting (XSS) attacks and bypass some XSS protection schemes by embedding certain HTML tags within a comment in a title tag, a related issue to CVE5.6 Medium 2007-0478. AVAIL Cross-site scripting (XSS) vulnerability in show.php in 212cafe Guestbook 4.00 beta allows remote attackers to inject arbitrary web 7 High AVAIL script or HTML via the user parameter. CVE-2007-0544 CVE-2007-0549 CVE-2007-0550 CVE-2007-0552 CVE-2007-0553 CVE-2007-0565 CVE-2007-0567 CVE-2007-0579 CVE-2007-0592 Cross-site scripting (XSS) vulnerability in private.php in MyBB (aka MyBulletinBoard) allows remote authenticated users to inject arbitrary web script or HTML via the Subject 4.2 Medium field, a different vector than CVE-2006-2949. AVAIL Cross-site scripting (XSS) vulnerability in list3.php in 212cafeBoard 6.30 Beta allows remote attackers to inject arbitrary web script or 7 High AVAIL HTML via the user parameter. Cross-site scripting (XSS) vulnerability in search.php in 212cafeBoard 0.08 Beta allows remote attackers to inject arbitrary web script or 7 High AVAIL HTML via keyword parameter. Cross-site scripting (XSS) vulnerability in install/default/error404.html in Oh no! Not another CMS (Onnac) 0.0.8.4 and earlier allows remote attackers to inject arbitrary web script or HTML via the error_url parameter. 7 High AVAIL Multiple cross-site scripting (XSS) vulnerabilities in index.inc.php in PHProxy before 0.5 beta 2 allow remote attackers to inject arbitrary web script or HTML via the (1) data[realm] and (2) _url parameters, different vectors than CVE-2004-2604. NOTE: some of these details are obtained from third party 7 High AVAIL information. CGI-Rescue Shopping Basket Professional 7.50 and earlier allows remote attackers to inject arbitrary operating system commands via 7 High AVAIL unspecified vectors. Cross-site scripting (XSS) vulnerability in admin.php in Interactive-Scripts.Com PHP Membership Manager 1.5 allows remote attackers to inject arbitrary web script or HTML 7 High AVAIL via the _p parameter. Unspecified vulnerability in the calendar component in Horde Groupware Webmail Edition before 1.0, and Groupware before 1.0, allows remote attackers to include certain files via unspecified vectors. NOTE: some of these details are obtained from third party information. 5.6 Medium AVAIL Cross-site scripting (XSS) vulnerability in EzDatabase 2.1.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to admin/login.php and the Admin Panel Database. 5.6 Medium AVAIL CVE-2007-0604 Cross-site scripting (XSS) vulnerability in Movable Type (MT) before 3.34 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to the MTCommentPreviewIsStatic tag, which can open the "comment entry screen," a different vulnerability than CVE-2007-0231. 7 High AVAIL Cross-site scripting (XSS) vulnerability in the mailform feature in CMSimple 2.7 fix1 allows remote attackers to inject arbitrary web script or HTML via the sender parameter. NOTE: The provenance of this information is unknown; the details are obtained solely from third party AVAIL information. Multiple cross-site scripting (XSS) vulnerabilities in Free LAN In(tra|ter)net Portal (FLIP) before 1.0-RC2 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors in (1) inc.page.php and (2) AVAIL inc.text.php. Multiple cross-site scripting (XSS) vulnerabilities in Sun Java System Access Manager 6.1, 6.2, 6 2005Q1 (6.3), and 7 2005Q4 (7.0) before 20070129 allow remote attackers to inject arbitrary web script or HTML via the (1) goto or (2) gx-charset parameter. NOTE: some of these details are obtained from AVAIL third party information. Variable overwrite vulnerability in interface/globals.php in OpenEMR 2.8.2 and earlier allows remote attackers to overwrite arbitrary program variables and conduct other unauthorized activities, such as conduct (a) remote file inclusion attacks via the srcdir parameter in custom/import_xml.php or (b) cross-site scripting (XSS) attacks via the rootdir parameter in interface/login/login_frame.php, via vectors associated with extract operations on the (1) POST and (2) GET superglobal arrays. NOTE: this issue was originally disputed before the extract behavior was identified in post-disclosure analysis. Also, the original report identified "Open Conference Systems," but this was an error. AVAIL Cross-site scripting (XSS) vulnerability in the IFrame module before 03.02.01 for DotNetNuke (DNN) allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "Pass through values." AVAIL CVE-2007-0610 7 High CVE-2007-0611 7 High CVE-2007-0628 7 High CVE-2007-0649 3.4 Low CVE-2007-0660 7 High CVE-2007-0696 5.6 CVE-2007-0763 7 CVE-2007-0767 7 CVE-2007-0768 5.6 CVE-2007-0769 7 CVE-2007-0804 7 CVE-2007-0807 7 Cross-site scripting (XSS) vulnerability in error messages in Free LAN In(tra|ter)net Portal (FLIP) before 1.0-RC3 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters, different vectors than Medium CVE-2007-0611. AVAIL Cross-site scripting (XSS) vulnerability in the news comment functionality in F3Site 2.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the Autor field. High AVAIL Cross-site scripting (XSS) vulnerability in the core in Phorum before 5.1.18 allows remote attackers to inject arbitrary web script or HTML High AVAIL via unspecified vectors. Multiple cross-site scripting (XSS) vulnerabilities in the Contact Details functionality in Yahoo! Messenger 8.1.0.209 and earlier allow user-assisted remote attackers to inject arbitrary web script or HTML via a javascript: URI in the SRC attribute of an IMG element to the (1) First Name, (2) Last Name, and (3) Nickname fields. NOTE: some of these details are obtained from third party information. Medium AVAIL ** DISPUTED ** Cross-site scripting (XSS) vulnerability in register.php in Phorum 5.1.18 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: the vendor disputes this vulnerability, stating that "The characters are escaped properly." High AVAIL Directory traversal vulnerability in admin/subpages.php in GGCMS 1.1.0 RC1 and earlier allows remote attackers to inject arbitrary PHP code into arbitrary files via ".." sequences in the subpageName parameter, as demonstrated by injecting PHP code into a High AVAIL template file. Cross-site scripting (XSS) vulnerability in info.php in flashChat 4.7.8 allows remote attackers to inject arbitrary web script or HTML via a channel title (aka room name) that is not properly handled by the "who's online" feature. High AVAIL CVE-2007-0834 CVE-2007-0840 CVE-2007-0846 CVE-2007-0852 CVE-2007-0871 CVE-2007-0873 CVE-2007-0874 CVE-2007-0885 Cross-site scripting (XSS) vulnerability in FlashChat 4.7.8 allows remote attackers to inject arbitrary web script or HTML via the user name field when the user joins a chat room, a different vulnerability than CVE-2007-0807. NOTE: the provenance of this information is unknown; the details are obtained solely from 7 High third party information. Cross-site scripting (XSS) vulnerability in HLstats before 1.35 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors in the search class. NOTE: it is possible that this issue overlaps CVE-20065.6 Medium 4543.3 or CVE-2006-4454. Cross-site scripting (XSS) vulnerability in forum.php in Open Tibia Server CMS (OTSCMS) 2.1.5 and earlier allows remote attackers to inject arbitrary HTML or web script 5.6 Medium via the name parameter. Cross-site scripting (XSS) vulnerability in DevTrack 6.x allows remote attackers to inject arbitrary web script or HTML via the "Keyword search" form field and unspecified other form fields that populate a public saved query. NOTE: the provenance of this information is unknown; the details are obtained solely from 7 High third party information. Unrestricted file upload vulnerability in eXtremePow eXtreme File Hosting allows remote attackers to upload arbitrary PHP code via a filename with a double extension such as 7 High (1) .rar.php or (2) .zip.php. nabopoll 1.1.2 allows remote attackers to bypass authentication and access certain administrative functionality via a direct request for (1) config_edit.php, (2) template_edit.php, or (3) survey_edit.php in admin/. 7 High Allons_voter 1.0 allows remote attackers to bypass authentication and access certain administrative functionality via a direct request for (1) admin_ajouter.php or (2) admin_supprimer.php. NOTE: this could be leveraged to conduct cross-site scripting (XSS) 7 High attacks. Cross-site scripting (XSS) vulnerability in jira/secure/BrowseProject.jspa in Rainbow with the Zen (Rainbow.Zen) extension allows remote attackers to inject arbitrary web script or HTML 7 High via the id parameter. AVAIL AVAIL AVAIL AVAIL AVAIL AVAIL AVAIL AVAIL CVE-2007-0896 Cross-site scripting (XSS) vulnerability in the (1) Sage before 1.3.10, and (2) Sage++ extensions for Firefox, allows remote attackers to inject arbitrary web script or HTML via a "