CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In November 2007

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
201 CVE-2007-5943 16 2007-11-14 2018-10-15
5.0
None Remote Low Not required Partial None None
Simple Machines Forum (SMF) 1.1.4 allows remote attackers to read a message in private forums by using the advanced search module with the "show results as messages" option, then searching for possible keywords contained in that message.
202 CVE-2007-5942 +Info 2007-11-14 2017-07-29
4.0
None Remote Low ??? Partial None None
Bandersnatch 0.4 allows remote attackers to obtain sensitive information via a malformed request for index.php with (1) a certain func parameter value; or (2) certain func, jid, page, and limit parameter values; which reveals the path in various error messages.
203 CVE-2007-5941 119 DoS Exec Code Overflow 2007-11-14 2017-09-29
10.0
None Remote Low Not required Complete Complete Complete
Stack-based buffer overflow in the SWCtl.SWCtl ActiveX control in Adobe Shockwave allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long argument to the ShockwaveVersion method.
204 CVE-2007-5940 59 Exec Code 2007-11-13 2011-03-08
4.6
None Local Low Not required Partial Partial Partial
feynmf.pl in feynmf 1.08, as used in TeXLive 2007, allows local users to overwrite arbitrary files and execute arbitrary code via a symlink attack on the feynmf$$.pl temporary file.
205 CVE-2007-5937 119 Exec Code Overflow 2007-11-13 2018-10-15
6.8
None Remote Medium Not required Partial Partial Partial
Multiple buffer overflows in dvi2xx.c in dviljk in teTeX and TeXlive 2007 and earlier might allow user-assisted attackers to execute arbitrary code via a crafted DVI input file.
206 CVE-2007-5936 264 +Info 2007-11-13 2018-10-15
3.6
None Local Low Not required Partial Partial None
dvips in teTeX and TeXlive 2007 and earlier allows local users to obtain sensitive information and modify certain data by creating certain temporary files before they are processed by dviljk, which can then be read or modified in place.
207 CVE-2007-5935 119 Exec Code Overflow 2007-11-13 2018-10-15
6.8
None Remote Medium Not required Partial Partial Partial
Stack-based buffer overflow in hpc.c in dvips in teTeX and TeXlive 2007 and earlier allows user-assisted attackers to execute arbitrary code via a DVI file with a long href tag.
208 CVE-2007-5934 200 +Info 2007-11-13 2011-03-08
4.3
None Remote Medium Not required Partial None None
The LOB functionality in PEAR MDB2 before 2.5.0a1 interprets a request to store a URL string as a request to retrieve and store the contents of the URL, which might allow remote attackers to use MDB2 as an indirect proxy or obtain sensitive information via a URL into a form field in an MDB2 application, as demonstrated by a file:// URL or a URL for an intranet web site.
209 CVE-2007-5933 20 DoS 2007-11-13 2011-08-10
7.8
None Remote Low Not required None None Complete
Pioneers (formerly gnocatan) before 0.11.3 allows remote attackers to cause a denial of service (crash) by triggering a delete operation while the Session object is still being used, as demonstrated by causing a "Broken pipe" error.
210 CVE-2007-5932 79 XSS 2007-11-10 2017-07-29
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Fatwire Content Server (CS) CMS 6.3.0 allow remote attackers to inject arbitrary web script or HTML via unspecified form fields related to the (1) search function, (2) advanced search function, and possibly other components.
211 CVE-2007-5931 264 2007-11-10 2017-07-29
5.0
None Remote Low Not required Partial None None
The reDirect function in lib/controllers/RepViewController.php in OrangeHRM before 2.2.2 does not verify the privileges of a user, which allows remote attackers to obtain access to data via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
212 CVE-2007-5930 79 XSS 2007-11-10 2017-07-29
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the web interface in Cerberus FTP Server before 2.46 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
213 CVE-2007-5929 119 DoS Exec Code Overflow 2007-11-10 2017-07-29
9.0
None Remote Low ??? Complete Complete Complete
Buffer overflow in OpenBase 10.0.5 and earlier might allow remote authenticated users to execute arbitrary code or cause a denial of service (daemon crash) by creating a stored procedure with a long name and invoking this procedure, which triggers heap corruption.
214 CVE-2007-5928 119 Overflow 2007-11-10 2008-09-05
9.0
None Remote Low ??? Complete Complete Complete
OpenBase 10.0.5 and earlier allows remote authenticated users to trigger a free of an arbitrary memory location via long strings in a SELECT statement. NOTE: this might be a buffer overflow, but it is not clear.
215 CVE-2007-5927 22 Exec Code Dir. Trav. 2007-11-10 2008-09-05
9.0
None Remote Low ??? Complete Complete Complete
Directory traversal vulnerability in OpenBase 10.0.5 and earlier allows remote authenticated users to create files with arbitrary contents via a .. (dot dot) in the first argument to the GlobalLog stored procedure. NOTE: this can be leveraged to execute arbitrary code using CVE-2007-5926.
216 CVE-2007-5926 20 Exec Code 2007-11-10 2017-07-29
9.0
None Remote Low ??? Complete Complete Complete
OpenBase 10.0.5 and earlier allows remote authenticated users to execute arbitrary commands via shell metacharacters in arguments to the (1) AsciiBackup, (2) OEMLicenseInstall, and possibly other stored procedures.
217 CVE-2007-5925 20 DoS 2007-11-10 2018-10-03
4.0
None Remote Low ??? None None Partial
The convert_search_mode_to_innobase function in ha_innodb.cc in the InnoDB engine in MySQL 5.1.23-BK and earlier allows remote authenticated users to cause a denial of service (database crash) via a certain CONTAINS operation on an indexed column, which triggers an assertion error.
218 CVE-2007-5924 79 XSS 2007-11-10 2011-03-08
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Web Server (HTTP) task in IBM Lotus Domino before 6.5.6 FP2, and 7.x before 7.0.2 FP2, allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
219 CVE-2007-5923 79 XSS 2007-11-10 2021-04-09
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in forms/smpwservices.fcc in CA (formerly Computer Associates) eTrust SiteMinder Agent allows remote attackers to inject arbitrary web script or HTML via the SMAUTHREASON parameter, a different vector than CVE-2005-2204.
220 CVE-2007-5922 200 +Info 2007-11-10 2018-10-15
5.0
None Remote Low Not required Partial None None
The modules/mdop.m in the Cypress 1.0k script for BitchX, as downloaded from a distribution site in November 2007, contains an externally introduced backdoor that e-mails sensitive information (hostnames, usernames, and shell history) to a fixed address.
221 CVE-2007-5921 DoS 2007-11-10 2018-10-30
4.7
None Local Medium Not required None None Complete
Unspecified vulnerability in the ioctl interface in the Solaris Volume Manager (SVM) in Sun Solaris 9 and 10 allows local users to cause a denial of service (panic) via unspecified vectors, a different vulnerability than CVE-2004-1346.
222 CVE-2007-5920 22 Dir. Trav. Bypass 2007-11-10 2017-07-29
6.8
None Remote Medium Not required Partial Partial Partial
index.php in Domenico Mancini PicoFlat CMS before 0.4.18 allows remote attackers to include certain files via unspecified vectors, possibly due to a directory traversal vulnerability. NOTE: this can be leveraged to bypass authentication and upload files by including pico_insert.php or unspecified other administrative scripts. NOTE: some of these details are obtained from third party information.
223 CVE-2007-5919 264 +Info 2007-11-10 2018-10-15
5.0
None Remote Low Not required Partial None None
MyWebFTP, possibly 5.3.2, stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain an MD5 password hash via a direct request for pass/pass.txt.
224 CVE-2007-5918 352 CSRF 2007-11-10 2018-10-15
6.0
None Remote Medium ??? Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in edit.php in the MS TopSites add-on for PHP-Nuke does not verify that the uname parameter matches the current account, which allows remote authenticated users to change arbitrary accounts or change the SiteTitleName field as an arbitrary user via a modified uname value in an edit action to modules.php.
225 CVE-2007-5917 352 CSRF 2007-11-10 2018-10-15
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in admin/admin_account.php in Skalinks 1.5 and earlier allows remote attackers to add arbitrary privileged accounts as administrators via the admin_name, admin_password, admin_type, and Add_admin parameters.
226 CVE-2007-5916 89 Exec Code Sql 2007-11-10 2018-10-15
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the login page in phphelpdesk 0.6.16 allows remote attackers to execute arbitrary SQL commands via unspecified parameters related to the "login procedures."
227 CVE-2007-5915 22 Dir. Trav. 2007-11-10 2018-10-15
6.8
None Remote Medium Not required Partial Partial Partial
Directory traversal vulnerability in index.php in phphelpdesk 0.6.16 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the whattodo parameter.
228 CVE-2007-5914 94 Exec Code 2007-11-10 2018-10-15
6.8
None Remote Medium Not required Partial Partial Partial
Direct static code injection vulnerability in dirsys/modules/config/post.php in JBC Explorer 7.20 RC1 and earlier allows remote authenticated administrators to inject arbitrary PHP code via the DEBUG parameter, which can be executed by accessing config.inc.php. NOTE: this can be exploited by unauthenticated remote attackers by leveraging CVE-2007-5913.
229 CVE-2007-5913 287 2007-11-10 2018-10-15
6.8
None Remote Medium Not required Partial Partial Partial
dirsys/modules/auth.php in JBC Explorer 7.20 RC1 and earlier does not require authentication, which allows remote attackers to (1) delete auth.inc.php via the suppr parameter, and (2) re-create the auth.inc.php file with contents that specify a new account name and password for JBC Explorer via the login and password parameters.
230 CVE-2007-5912 89 Exec Code Sql 2007-11-10 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in mailer.php in jPORTAL 2 allows remote attackers to execute arbitrary SQL commands via the to parameter.
231 CVE-2007-5911 119 Exec Code Overflow 2007-11-10 2017-09-29
6.8
None Remote Medium Not required Partial Partial Partial
Multiple stack-based buffer overflows in the AxMetaStream ActiveX control in AxMetaStream.dll 3.3.2.26 in Viewpoint Media Player 3.2 allow remote attackers to execute arbitrary code via a long string argument to the (1) BroadcastKey, (2) BroadcastKeyFileURL, (3) Component, (4) ComponentClassID, (5) ComponentFileName, (6) ExtraProperty, (7) Properties, (8) RequiredVersions, (9) Source, or (10) XMLText method.
232 CVE-2007-5910 119 Exec Code Overflow 2007-11-10 2011-03-08
9.3
None Remote Medium Not required Complete Complete Complete
Stack-based buffer overflow in Autonomy (formerly Verity) KeyView Viewer, Filter, and Export SDK before 9.2.0.12, as used by ActivePDF DocConverter, wp6sr.dll in IBM Lotus Notes 8.0 and before 7.0.3, Symantec Mail Security, and other products, allows remote attackers to execute arbitrary code via a crafted WordPerfect (WPD) file.
233 CVE-2007-5909 119 Exec Code Overflow 2007-11-10 2018-10-15
9.3
None Remote Medium Not required Complete Complete Complete
Multiple stack-based buffer overflows in Autonomy (formerly Verity) KeyView Viewer, Filter, and Export SDK before 9.2.0.12, as used by ActivePDF DocConverter, IBM Lotus Notes before 7.0.3, Symantec Mail Security, and other products, allow remote attackers to execute arbitrary code via a crafted (1) AG file to kpagrdr.dll, (2) AW file to awsr.dll, (3) DLL or (4) EXE file to exesr.dll, (5) DOC file to mwsr.dll, (6) MIF file to mifsr.dll, (7) SAM file to lasr.dll, or (8) RTF file to rtfsr.dll. NOTE: the WPD (wp6sr.dll) vector is covered by CVE-2007-5910.
234 CVE-2007-5908 DoS Exec Code Overflow 2007-11-09 2008-09-10
0.0
None ??? ??? ??? ??? ??? ???
** REJECT ** Buffer overflow in the (1) sysfs_show_available_clocksources and (2) sysfs_show_current_clocksources functions in Linux kernel 2.6.23 and earlier might allow local users to cause a denial of service or execute arbitrary code via crafted clock source names. NOTE: follow-on analysis by Linux developers states that "There is no way for unprivileged users (or really even the root user) to add new clocksources."
235 CVE-2007-5907 264 DoS 2007-11-09 2017-09-29
4.7
None Local Medium Not required None None Complete
Xen 3.1.1 does not prevent modification of the CR4 TSC from applications, which allows pv guests to cause a denial of service (crash).
236 CVE-2007-5906 DoS 2007-11-09 2008-09-05
4.7
None Local Medium Not required None None Complete
Xen 3.1.1 allows virtual guest system users to cause a denial of service (hypervisor crash) by using a debug register (DR7) to set certain breakpoints.
237 CVE-2007-5905 255 2007-11-15 2017-07-29
6.8
None Remote Medium Not required Partial Partial Partial
Adobe ColdFusion 8 and MX 7 allows remote attackers to hijack sessions via unspecified vectors that trigger establishment of a session to a ColdFusion application in which the (1) CFID or (2) CFTOKEN cookies have empty values, possibly due to a session fixation vulnerability.
238 CVE-2007-5904 119 DoS Exec Code Overflow 2007-11-09 2018-10-15
6.8
None Local Network High Not required Complete Complete Complete
Multiple buffer overflows in CIFS VFS in Linux kernel 2.6.23 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via long SMB responses that trigger the overflows in the SendReceive function.
239 CVE-2007-5900 264 Bypass 2007-11-20 2018-10-15
6.9
None Local Medium Not required Complete Complete Complete
PHP before 5.2.5 allows local users to bypass protection mechanisms configured through php_admin_value or php_admin_flag in httpd.conf by using ini_set to modify arbitrary configuration variables, a different issue than CVE-2006-4625.
240 CVE-2007-5899 200 +Info 2007-11-20 2018-10-15
4.3
None Remote Medium Not required Partial None None
The output_add_rewrite_var function in PHP before 5.2.5 rewrites local forms in which the ACTION attribute references a non-local URL, which allows remote attackers to obtain potentially sensitive information by reading the requests for this URL, as demonstrated by a rewritten form containing a local session ID.
241 CVE-2007-5898 2007-11-20 2018-10-15
6.4
None Remote Low Not required Partial Partial None
The (1) htmlentities and (2) htmlspecialchars functions in PHP before 5.2.5 accept partial multibyte sequences, which has unknown impact and attack vectors, a different issue than CVE-2006-5465.
242 CVE-2007-5897 119 DoS Exec Code Overflow 2007-11-08 2018-10-15
8.5
None Remote Medium ??? Complete Complete Complete
Buffer overflow in MDSYS.SDO_CS in Oracle Database Server 8iR3, 9iR1, 9iR2 up to 9.2.0.6, and 10gR1 up to 10.1.0.4 allows remote authenticated users to cause a denial of service (crash) and execute arbitrary code via the TRANSFORM function. NOTE: this issue might already be covered by CVE-2007-5515, CVE-2007-5509, or CVE-2007-5505, but there are insufficient details to be sure.
243 CVE-2007-5896 399 DoS 2007-11-08 2017-07-29
7.1
None Remote Medium Not required None None Complete
Mozilla Firefox 2.0.0.9 allows remote attackers to cause a denial of service (CPU consumption and crash) via an iframe with Javascript that sets the document.location to contain a leading NULL byte (\x00) and a (1) res://, (2) about:config, or (3) file:/// URI.
244 CVE-2007-5893 20 DoS 2007-11-08 2017-07-29
5.0
None Remote Low Not required None None Partial
HTTPSocket.cpp in the C++ Sockets Library before 2.2.5 allows remote attackers to cause a denial of service (crash) via an HTTP request with a missing protocol version number, which triggers an exception. NOTE: some of these details were obtained from third party information.
245 CVE-2007-5892 119 Exec Code Overflow 2007-11-08 2017-07-29
10.0
None Remote Low Not required Complete Complete Complete
Stack-based buffer overflow in the pdg2.dll ActiveX control in SSReader 4.0 and earlier allow remote attackers to execute arbitrary code via a long argument to the Register method. NOTE: some details were obtained from third party sources.
246 CVE-2007-5891 79 XSS 2007-11-08 2017-07-29
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in jsp/Login.do in ManageEngine OpManager MSP Edition and OpManager 7.0 allow remote attackers to inject arbitrary web script or HTML via the (1) requestid, (2) fileid, (3) woMode, and (2) woID parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
247 CVE-2007-5890 Dir. Trav. 2007-11-08 2008-11-15
10.0
None Remote Low Not required Complete Complete Complete
Directory traversal vulnerability in index.php in easyGB 2.1.1 allows remote attackers to include arbitrary files via the DatabaseType parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
248 CVE-2007-5889 Exec Code File Inclusion 2007-11-08 2018-10-15
10.0
None Remote Low Not required Complete Complete Complete
Multiple PHP remote file inclusion vulnerabilities in IDMOS 1.0 Alpha (aka Phoenix) allow remote attackers to execute arbitrary PHP code via a URL in the site_absolute_path parameter to (1) admin.php, (2) menu_add.php, and (3) menu_operation.php in administrator/, different vectors than CVE-2007-5294.
249 CVE-2007-5888 79 XSS 2007-11-07 2017-07-29
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in displayecard.php in Coppermine Photo Gallery (CPG) before 1.4.14 allows remote attackers to inject arbitrary web script or HTML via the data parameter.
250 CVE-2007-5887 89 Exec Code Sql 2007-11-07 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in boards/printer.asp in ASP Message Board 2.2.1c allows remote attackers to execute arbitrary SQL commands via the id parameter.
Total number of vulnerabilities : 422   Page : 1 2 3 4 5 (This Page)6 7 8 9
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.