[CLOSE] OSVDB ID : 18293 - Disclosed: 2005-07-15

Description:

By default, many Belkin 54G wireless routers using a default ssid of "belkin54g" are preconfigured with a default password. The "admin" account has a null password which is publicly known and documented. This allows attackers to trivially access the program or system as the routers come preconfigured with remote telnet access enabled.

[CLOSE] OSVDB ID : 13002 - Disclosed: 2005-01-01

Description:

AWStats contains a flaw that may allow a malicious user to issue arbitray commands under the web server privileges. The issue is triggered when using the pipe character (|) and shell metacaracters in the 'configdir' variable of the awstats.pl script. Such input is not santitized before being passed to the perl 'open()' command to be executed.

[CLOSE] OSVDB ID : 40621 - Disclosed: 2007-10-17

Description:

Simple PHP Blog contains a flaw that allows a remote Cross-Site Request Forgery (CSRF / XSRF) attack. The flaw exists because the application does not require multiple steps and/or confirmation for sensitive transactions to delete posts. By using a crafted URL (e.g. a crafted GET request inside an "img" tag), an attacker may trick the victim into clicking on the image to take advantage of the trust relationship between the authenticated victim and the application. Such an attack could trick the victim into executing arbitrary commands in the context of their session with the application, without further prompting or verification.

[CLOSE] OSVDB ID : 382 - Disclosed: 1999-07-17

Description:

By default, PostgresSQL installs without a default password for the postgres user account. This username and password combination is publicly known and documented. This allows attackers to trivially access the program or system with administrative priveleges.

[CLOSE] OSVDB ID : 65465 - Disclosed: 2010-06-06

Description:

WMS-CMS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'printpage.asp' script not properly sanitizing user-supplied input to the 'psPrice', 'pr' and 'sbr' parameters. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 3092 - Disclosed: 1994-01-01

Description:

A potentially interesting file, directory or CGI was found on the web server. While there is no known vulnerability or exploit associated with this, it may contain sensitive information which can be disclosed to unauthenticated remote users, or aid in more focused attacks.

[CLOSE] OSVDB ID : 877 - Disclosed: 2003-01-20

Description:

RFC compliant web servers support the TRACE HTTP method, which contains a flaw that may lead to an unauthorized information disclosure. The TRACE method is used to debug web server connections and allows the client to see what is being received at the other end of the request chain. Enabled by default in all major web servers, a remote attacker may abuse the HTTP TRACE functionality, i.e. cross-site scripting (XSS), which will disclose sensitive configuration information resulting in a loss of confidentiality.

[CLOSE] OSVDB ID : 821 - Disclosed: 2002-09-12

Description:

By default, Linksys routers install with a default password. The administrative account has a password of admin which is publicly known and documented. This allows attackers to trivially access the program or system.

[CLOSE] OSVDB ID : 21307 - Disclosed: 2005-11-23

Description:

OvBB contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the thread.php script not properly sanitizing user-supplied input to the 'threadid' variable. Followup research along with vendor dispute indicates this issue can not be used to manipulate SQL queries. It is believed that non-numeric input may cause an SQL error giving the appearance of injection capability.

[CLOSE] OSVDB ID : 44643 - Disclosed: 2008-04-23

Description:

A buffer overflow exists in HD Audio Codec Driver. RTKVHDA.sys and RTKVHDA64.sys fail to validate IOCTL requests resulting in an integer overflow. With a specially crafted request, an attacker can cause arbitrary code execution resulting in a loss of integrity.

[CLOSE] OSVDB ID : 75811 - Disclosed: 2011-04-05

Description:

By default, Ducati Diavel motorcycles install with a default ignition password. The bike can be started using a manufacturer default PIN, set to the last 4 numbers of the Vehicle Identification Number (VIN), which is publicly known and documented. This allows attackers to trivially access the bicycle and enjoy the 162 horsepower and wind blowing through your hair.

[CLOSE] OSVDB ID : 28946 - Disclosed: 2006-09-19

Description:

A remote stack-based buffer overflow exists in Microsoft Internet Explorer. The browser's vml rendering engine fails to check the length of a fill parameter on the rect tag resulting in a stack-based buffer overflow. With a specially crafted request that contains a vml graphic, an attacker can cause arbitrary code execution resulting in a loss of integrity.

[CLOSE] OSVDB ID : 71172 - Disclosed: 2011-03-14

Description:

Nucleus CMS contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'user' parameter upon submission to the index.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 16866 - Disclosed: 2005-05-26

Description:

A remote overflow exists in Terminator 3: War of the Machines. The application fails to perform proper bounds checking resulting in a buffer overflow. With a specially crafted request containing an overly long CD-key hash, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.

[CLOSE] OSVDB ID : 28364 - Disclosed: 2006-08-28

Description:

Cybozu Garoon contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the phonemessage Facility not properly sanitizing user-supplied input to the 'uid' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 592 - Disclosed: 2002-09-12

Description:

By default, Zyxel routers install with a default password. The administrative account has a password of 1234 which is publicly known and documented. This allows attackers to trivially access the program or system.

[CLOSE] OSVDB ID : 24745 - Disclosed: 2006-04-18

Description:

(Description Provided by CVE) : Cross-site scripting (XSS) vulnerability in awstats.pl in AWStats 6.5 and earlier allows remote attackers to inject arbitrary web script or HTML via the config parameter. NOTE: this might be the same core issue as CVE-2005-2732.

[CLOSE] OSVDB ID : 4030 - Disclosed: 2004-04-20

Description:

The TCP stack implementation of numerous vendors contains a flaw that may allow a remote denial of service. The issue is triggered when spoofed TCP Reset packets are received by the targeted TCP stack, and will result in loss of availability for the attacked TCP services.

[CLOSE] OSVDB ID : 27502 - Disclosed: 2006-06-16

Description:

Nucleus has been reported to contain a flaw that may allow a remote attacker to execute arbitrary commands. The issue is supposedly due to the action.php, media.php, server.php and api_metaweblog.inc.php scripts not properly sanitizing user input supplied to the 'DIR_LIBS' variable. However, subsequent evaluation by another researcher indicates the DIR_LIBS variable is previously defined by config.php and not user controlled.

[CLOSE] OSVDB ID : 18679 - Disclosed: 2005-08-08

Description:

DVBBS contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'page' variable upon submission to the 'dispbbs.asp' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 76929 - Disclosed: 2011-08-08

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 12184 - Disclosed: 2004-11-28

Description:

PHP contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker makes certain HTTP requests with crafted arguments, which will disclose PHP version and another sensitive information resulting in a loss of confidentiality.

[CLOSE] OSVDB ID : 49243 - Disclosed: 2008-10-23

Description:

Microsoft Windows Server Service contains a flaw that may allow a malicious user to remotely execute arbitrary code. The issue is triggered when a crafted RPC request is handled. It is possible that the flaw may allow remote code execution resulting in a loss of integrity.

[CLOSE] OSVDB ID : 23246 - Disclosed: 2006-02-16

Description:

By default, some Kyocera printers install with an default password. The 'admin' account has an empty password, which is publicly known and documented. This allows attackers to trivially access the system.

[CLOSE] OSVDB ID : 3233 - Disclosed: 1994-01-01

Description:

A default file, directory or CGI program which installed by default with the web server or installed software was found. While there is no known vulnerability or exploit associated with this, default files often reveal sensitive information or contain unknown or undisclosed vulnerabilities. The presence of such files may also reveal information about the web server version or operating system.

[CLOSE] OSVDB ID : 63032 - Disclosed: 2010-03-17

Description:

CKForms Component for Joomla! contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'index.php' script not properly sanitizing user-supplied input to the 'fid' parameter (when "option" is set to "com_ckforms", "controller" is set to "ckdata", and "layout" is set to "detail"). This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 13920 - Disclosed: 2005-02-08

Description:

PHP=Fusion contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered to the 'viewthread.php' script not properly sanitizing user-supplied input to the 'forum_id' or 'forum_cat' parameters. This will allow remote attackers to view protected forum information resulting in a loss of confidentiality.

[CLOSE] OSVDB ID : 30768 - Disclosed: 2000-09-15

Description:

By default, APC installs with a default password on the integrated HTTP server (TCP Port 3052). The 'apc' account has a password of 'apc' which is publicly known and documented. This allows attackers to trivially access the program or system.

[CLOSE] OSVDB ID : 55895 - Disclosed: 2009-07-14

Description:

(Description Provided by CVE) : The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6; (3) Mono before 2.4.2.2; (4) XML Security Library before 1.2.12; (5) IBM WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1 through 6.1.0.23, and 7.0 through 7.0.0.1; (6) Sun JDK and JRE Update 14 and earlier; (7) Microsoft .NET Framework 3.0 through 3.0 SP2, 3.5, and 4.0; and other products uses a parameter that defines an HMAC truncation length (HMACOutputLength) but does not require a minimum for this length, which allows attackers to spoof HMAC-based signatures and bypass authentication by specifying a truncation length with a small number of bits.

[CLOSE] OSVDB ID : 55907 - Disclosed: 2009-07-14

Description:

(Description Provided by CVE) : The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6; (3) Mono before 2.4.2.2; (4) XML Security Library before 1.2.12; (5) IBM WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1 through 6.1.0.23, and 7.0 through 7.0.0.1; (6) Sun JDK and JRE Update 14 and earlier; (7) Microsoft .NET Framework 3.0 through 3.0 SP2, 3.5, and 4.0; and other products uses a parameter that defines an HMAC truncation length (HMACOutputLength) but does not require a minimum for this length, which allows attackers to spoof HMAC-based signatures and bypass authentication by specifying a truncation length with a small number of bits.

[CLOSE] OSVDB ID : 63031 - Disclosed: 2010-03-17

Description:

CKForms Component for Joomla! contains a flaw that may allow a remote attacker to disclose potentially sensitive information. The issue is due to the 'index.php' script not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../)and URL-encoded NULL bytes, supplied to the 'controller' parameter (when "option" is set to "com_ckforms"). This may allow an attacker to include a file from the targeted host that contains arbitrary commands or code that will be executed by the vulnerable script. Such attacks are limited due to the script only calling files already on the target host. In addition, this flaw can potentially be used to disclose the contents of any file on the system accessible by the web server.

[CLOSE] OSVDB ID : 13832 - Disclosed: 2005-02-14

Description:

AWStats contains a flaw that may allow a malicious user to issue arbitrary commands under the webserver privileges. The issue is triggered when passing perl commands to the 'PluginMode' variable of the awstats.pl script via a colon (:) character. It is possible that the flaw may allow execution of arbitrary commands resulting in a loss of integrity.

[CLOSE] OSVDB ID : 14988 - Disclosed: 2004-03-26

Description:

XMB Forum contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate multiple user supplied arguments upon submission to the forumdisplay.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 397 - Disclosed: 1994-01-01

Description:

Web Servers contains a flaw that may allow a remote attacker to upload arbitrary files. The issue is triggered when the HTTP method 'PUT' is allowed. It is possible that the flaw may allow a remote attacker to upload arbitrary files resulting in a loss of integrity.

[CLOSE] OSVDB ID : 132 - Disclosed: 1997-10-04

Description:

By default, HP Jet Direct printers install without a password. This lack of password is publicly known and documented. This allows attackers to trivially access the system.

[CLOSE] OSVDB ID : 13834 - Disclosed: 2005-02-14

Description:

(Description Provided by CVE) : awstats.pl in AWStats 6.3 and 6.4 allows remote attackers to obtain sensitive information by setting the debug parameter.

[CLOSE] OSVDB ID : 13621 - Disclosed: 2005-02-08

Description:

Microsoft Outlook Web Access contains a flaw within owalogon.asp that may allow a malicious user to perform account enumeration. The issue is triggered when an attacker sends a specially crafted URL to a user who is using Outlook Web Access, which redirects them to a predefined site. It is possible that the flaw may allow account enumeration from the URL resulting in a loss of confidentiality.

[CLOSE] OSVDB ID : 25257 - Disclosed: 2006-05-04

Description:

Big Webmaster Guestbook contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'name', 'mail', 'site', 'city', 'state' and 'country' fields upon submission to the 'addguest.cgi' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 12627 - Disclosed: 2004-12-27

Description:

PHProxy contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the error variable upon submission to the index.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 22111 - Disclosed: 2005-12-30

Description:

AdesGuestbook contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'totalRows_rsRead' variable upon submission to the 'read.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.