CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 3 and 3.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
7851 CVE-2007-5949 79 XSS 2007-11-14 2017-07-29
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in IBM Tivoli Service Desk 6.2 allows remote authenticated users to inject arbitrary web script or HTML via the Description parameter in a Maximo change action.
7852 CVE-2007-5936 264 +Info 2007-11-13 2018-10-15
3.6
None Local Low Not required Partial Partial None
dvips in teTeX and TeXlive 2007 and earlier allows local users to obtain sensitive information and modify certain data by creating certain temporary files before they are processed by dviljk, which can then be read or modified in place.
7853 CVE-2007-5851 264 2007-12-19 2017-07-29
3.6
None Local Low Not required Partial Partial None
iChat in Apple Mac OS X 10.4.11 allows network-adjacent remote attackers to automatically initiate a video connection to another user via unknown vectors.
7854 CVE-2007-5833 79 XSS 2007-11-05 2018-10-15
3.5
None Remote Medium ??? None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in BosDev BosMarket Business Directory System allow remote authenticated users to inject arbitrary web script or HTML via (1) user info (account details) or (2) a post.
7855 CVE-2007-5731 22 Dir. Trav. 2007-10-30 2017-09-29
3.5
None Remote Medium ??? Partial None None
Absolute path traversal vulnerability in Apache Jakarta Slide 2.1 and earlier allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag, a related issue to CVE-2007-5461.
7856 CVE-2007-5621 79 XSS 2007-10-22 2017-07-29
3.5
None Remote Medium ??? None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the Token module before 4.7.x-1.5, and 5.x before 5.x-1.9, for Drupal; as used by the ASIN Field, e-Commerce, Fullname field for CCK, Invite, Node Relativity, Pathauto, PayPal Node, and Ubercart modules; allow remote authenticated users with a post comments privilege to inject arbitrary web script or HTML via unspecified vectors related to (1) comments, (2) vocabulary names, (3) term names, and (4) usernames.
7857 CVE-2007-5461 22 Dir. Trav. 2007-10-15 2019-03-25
3.5
None Remote Medium ??? Partial None None
Absolute path traversal vulnerability in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0, 5.0.0, 5.5.0 through 5.5.25, and 6.0.0 through 6.0.14, under certain configurations, allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag.
7858 CVE-2007-5442 264 2007-10-14 2018-10-15
3.5
None Remote Medium ??? None Partial None
CMS Made Simple 1.1.3.1 does not check the permissions assigned to users who attempt uploads, which allows remote authenticated users to upload unspecified files via unknown vectors.
7859 CVE-2007-5403 79 XSS 2008-01-09 2017-07-29
3.5
None Remote Medium ??? None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Layton HelpBox 3.7.1 allow remote authenticated users to inject arbitrary web script or HTML via the (1) Forename, (2) Surname, (3) Telephone, and (4) Fax fields to writeenduserenduser.asp; the (5) Filter field to statsrequestypereport.asp; and the (6) sys_request_id parameter to requestattach.asp; and allow remote authenticated users to inject arbitrary web script or HTML via the (7) Asset, (8) Location, and (9) Problem fields to editrequestenduser.asp; the (10) Asset, (11) Asset Location, (12) Problem Desc, and (13) Solution Desc fields to editrequestuser.asp; and the (14) End User and (15) Description fields to usersearchrequests.asp. NOTE: vectors 5 and 6 do not require authentication to exploit.
7860 CVE-2007-5319 DoS 2007-10-09 2017-09-29
3.5
None Remote Medium ??? None None Partial
Unspecified vulnerability in the vuidmice STREAMS modules in Sun Solaris 8, 9, and 10 allows local users with console (/dev/console) access to cause a denial of service ("unusable" system console) via unspecified vectors.
7861 CVE-2007-5228 79 XSS 2007-10-05 2017-07-29
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in the subscription functionality in the Project issue tracking module before 4.7.x-1.5, 4.7.x-2.x before 4.7.x-2.5, and 5.x-1.x before 5.x-1.1 for Drupal allows remote authenticated users with project create or edit permissions to inject arbitrary web script or HTML via unspecified vectors involving a (1) individual or (2) overview form.
7862 CVE-2007-5207 59 2007-10-04 2017-07-29
3.3
None Local Medium Not required None Partial Partial
guilt 0.27 allows local users to overwrite arbitrary files via a symlink attack on a guilt.log.[PID] temporary file.
7863 CVE-2007-5200 59 2007-10-14 2018-10-30
3.3
None Local Medium Not required None Partial Partial
hugin, as used on various operating systems including SUSE openSUSE 10.2 and 10.3, allows local users to overwrite arbitrary files via a symlink attack on the hugin_debug_optim_results.txt temporary file.
7864 CVE-2007-4977 79 XSS 2007-09-19 2018-10-15
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in mode.php in Coppermine Photo Gallery (CPG) 1.4.12 and earlier allows remote attackers to inject arbitrary web script or HTML via the referer parameter.
7865 CVE-2007-4927 20 DoS 2007-09-18 2018-10-15
3.5
None Remote Medium ??? None None Partial
axis-cgi/buffer/command.cgi on the AXIS 207W camera allows remote authenticated users to cause a denial of service (reboot) via many requests with unique buffer names in the buffername parameter in a start action.
7866 CVE-2007-4888 2007-09-14 2008-11-15
3.5
None Remote Medium ??? Partial None None
The "You are not allowed..." error handler in XWiki 1.0 B1 and 1.0 B2 associates the doc variable with the entire document content and metadata regardless of a user's view rights, which allows remote authenticated users to read arbitrary documents via a custom skin that prints the content attribute of the doc variable.
7867 CVE-2007-4826 DoS 2007-09-12 2017-07-29
3.5
None Remote Medium ??? None None Partial
bgpd in Quagga before 0.99.9 allows explicitly configured BGP peers to cause a denial of service (crash) via a malformed (1) OPEN message or (2) a COMMUNITY attribute, which triggers a NULL pointer dereference. NOTE: vector 2 only exists when debugging is enabled.
7868 CVE-2007-4741 79 XSS 2007-09-06 2008-09-05
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in admin/adminusers.php in Claroline before 1.8.6 allows remote authenticated administrators to inject arbitrary web script or HTML via the sort parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
7869 CVE-2007-4717 79 XSS 2007-09-05 2011-03-08
3.5
None Remote Medium ??? None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Claroline before 1.8.6 allow remote authenticated administrators to inject arbitrary web script or HTML via the (1) dir parameter in admin/adminusers.php, the (2) action parameter in admin/advancedUserSearch.php, and the (3) view parameter in admin/campusProblem.php.
7870 CVE-2007-4590 2007-08-29 2018-10-30
3.3
None Local Medium Not required None Partial Partial
The get_system_info command in Ignite-UX C.7.0 through C.7.3, and DynRootDisk (DRD) A.1.0.16.417 through A.2.0.0.592, on HP-UX B.11.11, B.11.23, and B.11.31 does not inform local users of networking changes made by the command, which has unknown impact and attack vectors.
7871 CVE-2007-4523 Sql XSS 2007-08-25 2018-10-15
3.5
None Remote Medium ??? None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Ripe Website Manager 0.8.9 and earlier allow remote authenticated users to inject arbitrary web script or HTML via one or more of the following vectors: the (1) id parameter to (a) pages/delete_page.php, (b) navigation/delete_menu.php, and (c) navigation/delete_item.php in admin/; the (2) menu_id, (3) name, (3) page_id, and (4) url parameters in (d) admin/navigation/do_new_item.php; the (5) new_menuname parameter in (e) admin/navigation/do_new_nav.php; and (6) area1, name, and url parameters to (f) admin/pages/do_new_page.php, probably involving the Title or textarea field as reachable through admin/pages/new_page.php. NOTE: the original disclosure does not precisely state which vectors are associated with SQL injection versus XSS.
7872 CVE-2007-4462 2007-08-21 2008-09-05
3.3
None Local Medium Not required None Partial Partial
lib/Locale/Po4a/Po.pm in po4a before 0.32 allows local users to overwrite arbitrary files via a symlink attack on the gettextization.failed.po temporary file.
7873 CVE-2007-4427 2007-08-20 2008-11-15
3.5
None Remote Medium ??? None Partial None
Unspecified vulnerability in the login page redirection logic in the Cache' Server Page (CSP) implementation in InterSystems Cache' 2007.1.0.369.0 and 2007.1.1.420.0 allows remote authenticated users to modify data on a server, related to encoding of certain parameter values by this redirection logic, aka MAK2116.
7874 CVE-2007-4413 2007-08-18 2018-10-15
3.5
None Remote Medium ??? None Partial None
Direct static code injection vulnerability in admincp/user_help.php in Headstart Solutions DeskPRO 3.0.2 allows remote authenticated users to inject arbitrary PHP code into an unspecified file via a new_entry value in the do parameter.
7875 CVE-2007-4412 XSS 2007-08-18 2018-10-15
3.5
None Remote Medium ??? None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Headstart Solutions DeskPRO 3.0.2 allow remote authenticated users to inject arbitrary web script or HTML via unspecified parameters to (1) techs.php, (2) ticket_category.php, (3) ticket_priority.php, (4) ticket_workflow.php, (5) ticket_escalate.php, (6) fields_ticket.php, (7) ticket_rules_web.php, (8) ticket_displayfields.php, (9) ticket_rules_mail.php, (10) fields_user.php, (11) fields_faq.php, and (12) user_help.php, in (a) admincp/ and (b) possibly a directory on the "User side."
7876 CVE-2007-4309 2007-08-13 2008-09-05
3.5
None Remote Medium ??? Partial None None
IBM Lotus Notes 5.x through 7.0.2 allows user-assisted remote authenticated administrators to obtain a cleartext notes.id password by setting the notes.ini (1) KFM_ShowEntropy and (2) Debug_Outfile debug variables, a different vulnerability than CVE-2005-2696.
7877 CVE-2007-4280 DoS 2007-08-09 2017-07-29
3.5
None Remote Medium ??? None None Partial
The Skinny channel driver (chan_skinny) in Asterisk Open Source before 1.4.10, AsteriskNOW before beta7, Appliance Developer Kit before 0.7.0, and Appliance s800i before 1.0.3 allows remote authenticated users to cause a denial of service (application crash) via a CAPABILITIES_RES_MESSAGE packet with a capabilities count larger than the capabilities_res_message array population.
7878 CVE-2007-4204 +Info 2007-08-08 2017-07-29
3.5
None Remote Medium ??? Partial None None
Hitachi Groupmax Collaboration - Schedule, as used in Groupmax Collaboration Portal 07-32 through 07-32-/B, uCosminexus Collaboration Portal 06-32 through 06-32-/B, and Groupmax Collaboration Web Client - Mail/Schedule 07-32 through 07-32-/A, can assign schedule data to the wrong user under unspecified conditions, which might allow remote authenticated users to obtain sensitive information.
7879 CVE-2007-4129 59 2007-11-08 2017-09-29
3.3
None Local Medium Not required None Partial Partial
CoolKey 1.1.0 allows local users to overwrite arbitrary files via a symlink attack on temporary files in the /tmp/.pk11ipc1/ directory.
7880 CVE-2007-4113 2007-07-31 2008-11-15
3.5
None Remote Medium ??? Partial None None
Unspecified vulnerability in Advanced Webhost Billing System (AWBS) before 2.6.0 allows remote authenticated users to obtain configuration data about other dedicated servers via unspecified vectors.
7881 CVE-2007-3921 59 2007-11-08 2017-07-29
3.3
None Local Medium Not required None Partial Partial
gforge 3.1 and 4.5.14 allows local users to truncate arbitrary files via a symlink attack on temporary files.
7882 CVE-2007-3830 XSS 2007-07-17 2012-10-31
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in alert.php in ISS Proventia Network IPS GX5108 1.3 and GX5008 1.5 allows remote attackers to inject arbitrary web script or HTML via the reminder parameter.
7883 CVE-2007-3818 +Priv XSS 2007-07-17 2012-10-31
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in the LoginToboggan module 5.x-1.x-dev before 20070712 for Drupal allows remote authenticated users with "administer blocks" permission to inject arbitrary JavaScript and gain privileges via "the message displayed above the default user login block."
7884 CVE-2007-3782 264 +Priv 2007-07-15 2018-10-15
3.5
None Remote Medium ??? None Partial None
MySQL Community Server before 5.0.45 allows remote authenticated users to gain update privileges for a table in another database via a view that refers to this external table.
7885 CVE-2007-3559 XSS 2007-07-04 2017-07-29
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in infusions/shoutbox_panel/shoutbox_panel.php in PHP-Fusion 6.01.10 and 6.01.9, when guest posts are enabled, allows remote authenticated users to inject arbitrary web script or HTML via the URI, related to the FUSION_QUERY constant.
7886 CVE-2007-3269 XSS 2007-06-19 2018-10-16
3.5
None Remote Medium ??? None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Papoo Light 3.6 before 20070611 allow remote attackers to inject arbitrary web script or HTML via (1) the URI in a GET request or (2) the Title field of a visitor comment, and (3) allow remote authenticated users to inject arbitrary web script or HTML via a message to another user. NOTE: vector (2) might overlap CVE-2006-3571.1.
7887 CVE-2007-3254 XSS 2007-06-27 2018-10-16
3.5
None Remote Medium ??? None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Xythos Enterprise Document Manager (XEDM) before 5.0.25.8, and 6.x before 6.0.46.1, allow remote authenticated users to inject arbitrary web script or HTML via (1) a saved Workflow name; (2) a Workflow name, related to deletion of a Workflow template; (3) the Content-Type HTTP header; or (4) the name of an uploaded file. NOTE: items 3 and 4 also affect the same version numbers of Xythos Digital Locker (XDL). Some or all vectors might also affect Xythos WebFile Server.
7888 CVE-2007-2909 XSS 2007-05-30 2012-11-06
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in calendar.php in Jelsoft vBulletin 3.6.x before 3.6.7 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to the vb_calendar366_xss_fix_plugin.xml update.
7889 CVE-2007-2837 2007-07-03 2017-07-29
3.6
None Local Low Not required None Partial Partial
The (1) getRule and (2) getChains functions in server/rules.cpp in fireflierd (fireflier-server) in FireFlier 1.1.6 allow local users to overwrite arbitrary files via a symlink attack on the /tmp/fireflier.rules temporary file.
7890 CVE-2007-2746 +Info 2007-05-17 2011-03-08
3.5
None Remote Medium ??? Partial None None
The viewList function in lib/WebGUI/Asset/Wobject/DataForm.pm in Plain Black WebGUI before 7.3.14 does not properly use data structures containing privilege information, which allows remote authenticated users to obtain sensitive information or possibly have other unspecified impact.
7891 CVE-2007-2703 2007-05-16 2018-10-30
3.6
None Remote High ??? Partial Partial None
BEA WebLogic Portal 9.2 GA can corrupt a visitor entitlements role if an administrator provides a long role description, which might allow remote authenticated users to access privileged resources.
7892 CVE-2007-2702 XSS 2007-05-16 2018-10-30
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in the GroupSpace application in BEA WebLogic Portal 9.2 GA allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors related to the rich text editor.
7893 CVE-2007-2693 +Info 2007-05-16 2019-12-17
3.5
None Remote Medium ??? Partial None None
MySQL before 5.1.18 allows remote authenticated users without SELECT privileges to obtain sensitive information from partitioned tables via an ALTER TABLE statement.
7894 CVE-2007-2683 Exec Code Overflow 2007-05-15 2017-10-11
3.5
None Local High ??? Partial Partial Partial
Buffer overflow in Mutt 1.4.2 might allow local users to execute arbitrary code via "&" characters in the GECOS field, which triggers the overflow during alias expansion.
7895 CVE-2007-2450 79 XSS 2007-06-14 2019-03-25
3.5
None Remote Medium ??? None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the (1) Manager and (2) Host Manager web applications in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.24, and 6.0.0 through 6.0.13 allow remote authenticated users to inject arbitrary web script or HTML via a parameter name to manager/html/upload, and other unspecified vectors.
7896 CVE-2007-1947 Exec Code Bypass 2007-04-11 2018-10-16
3.5
None Remote Medium ??? None Partial None
Cross-zone scripting vulnerability in the DOM templates (domplates) used by the console.log function in the Firebug extension before 1.04 for Mozilla Firefox allows remote attackers to bypass zone restrictions, read arbitrary file:// URIs, or execute arbitrary code in the browser chrome by overwriting the toString function via a certain function declaration, related to incorrect identification of anonymous JavaScript functions, a different issue than CVE-2007-1878.
7897 CVE-2007-1828 XSS 2007-04-03 2011-03-08
3.5
None Remote Medium ??? None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in web-app.org WebAPP before 0.9.9.6 allow remote authenticated users to inject arbitrary web script or HTML via (1) the QUERY_STRING corresponding to drop downs or (2) various forms.
7898 CVE-2007-1742 2007-04-13 2008-11-13
3.7
None Local High Not required Partial Partial Partial
suexec in Apache HTTP Server (httpd) 2.2.3 uses a partial comparison for verifying whether the current directory is within the document root, which might allow local users to perform unauthorized operations on incorrect directories, as demonstrated using "html_backup" and "htmleditor" under an "html" directory. NOTE: the researcher, who is reliable, claims that the vendor disputes the issue because "the attacks described rely on an insecure server configuration" in which the user "has write access to the document root."
7899 CVE-2007-1732 79 XSS 2007-03-28 2016-11-22
3.5
None Remote Medium ??? None Partial None
** DISPUTED ** Cross-site scripting (XSS) vulnerability in an mt import in wp-admin/admin.php in WordPress 2.1.2 allows remote authenticated administrators to inject arbitrary web script or HTML via the demo parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. NOTE: another researcher disputes this issue, stating that this is legitimate functionality for administrators. However, it has been patched by at least one vendor.
7900 CVE-2007-1716 +Priv 2007-03-27 2017-10-11
3.4
None Local High ??? Partial Partial Partial
pam_console does not properly restore ownership for certain console devices when there are multiple users logged into the console and one user logs out, which might allow local users to gain privileges.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.