[CLOSE] OSVDB ID : 33868 - Disclosed: 2007-02-28

Description:

HyperBook Guestbook contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when requesting data/gbconfiguration.dat directly, which will disclose the administrator's MD5 password hash to a remote attacker.

[CLOSE] OSVDB ID : 18293 - Disclosed: 2005-07-15

Description:

By default, many Belkin 54G wireless routers using a default ssid of "belkin54g" are preconfigured with a default password. The "admin" account has a null password which is publicly known and documented. This allows attackers to trivially access the program or system as the routers come preconfigured with remote telnet access enabled.

[CLOSE] OSVDB ID : 13002 - Disclosed: 2005-01-01

Description:

AWStats contains a flaw that may allow a malicious user to issue arbitray commands under the web server privileges. The issue is triggered when using the pipe character (|) and shell metacaracters in the 'configdir' variable of the awstats.pl script. Such input is not santitized before being passed to the perl 'open()' command to be executed.

[CLOSE] OSVDB ID : 20954 - Disclosed: 2005-11-18

Description:

VP-ASP Shopping Cart contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the "UserName" variable upon submission to the shopadmin.asp script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 382 - Disclosed: 1999-07-17

Description:

By default, PostgresSQL installs without a default password for the postgres user account. This username and password combination is publicly known and documented. This allows attackers to trivially access the program or system with administrative priveleges.

[CLOSE] OSVDB ID : 40621 - Disclosed: 2007-10-17

Description:

Simple PHP Blog contains a flaw that allows a remote Cross-Site Request Forgery (CSRF / XSRF) attack. The flaw exists because the application does not require multiple steps and/or confirmation for sensitive transactions to delete posts. By using a crafted URL (e.g. a crafted GET request inside an "img" tag), an attacker may trick the victim into clicking on the image to take advantage of the trust relationship between the authenticated victim and the application. Such an attack could trick the victim into executing arbitrary commands in the context of their session with the application, without further prompting or verification.

[CLOSE] OSVDB ID : 65465 - Disclosed: 2010-06-06

Description:

WMS-CMS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'printpage.asp' script not properly sanitizing user-supplied input to the 'psPrice', 'pr' and 'sbr' parameters. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 3092 - Disclosed: 1994-01-01

Description:

A potentially interesting file, directory or CGI was found on the web server. While there is no known vulnerability or exploit associated with this, it may contain sensitive information which can be disclosed to unauthenticated remote users, or aid in more focused attacks.

[CLOSE] OSVDB ID : 16089 - Disclosed: 2005-02-09

Description:

AWStats contains several flaws that may allow a malicious user to execute arbitrary code. The issue is triggered when providing shell meta-characters to the "pluginmode", "loadplugin", or "noloadplugin" variables of the awstats.pl script. It is possible that the flaw may allow execution of arbitrary commands under the web server privileges resulting in a loss of integrity.

[CLOSE] OSVDB ID : 877 - Disclosed: 2003-01-20

Description:

RFC compliant web servers support the TRACE HTTP method, which contains a flaw that may lead to an unauthorized information disclosure. The TRACE method is used to debug web server connections and allows the client to see what is being received at the other end of the request chain. Enabled by default in all major web servers, a remote attacker may abuse the HTTP TRACE functionality, i.e. cross-site scripting (XSS), which will disclose sensitive configuration information resulting in a loss of confidentiality.

[CLOSE] OSVDB ID : 67895 - Disclosed: 2010-09-03

Description:

SmarterStats contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'url' parameter upon submission to the 'UserControls/Popups/frmHelp.aspx' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 13920 - Disclosed: 2005-02-08

Description:

PHP=Fusion contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered to the 'viewthread.php' script not properly sanitizing user-supplied input to the 'forum_id' or 'forum_cat' parameters. This will allow remote attackers to view protected forum information resulting in a loss of confidentiality.

[CLOSE] OSVDB ID : 821 - Disclosed: 2002-09-12

Description:

By default, Linksys routers install with a default password. The administrative account has a password of admin which is publicly known and documented. This allows attackers to trivially access the program or system.

[CLOSE] OSVDB ID : 28364 - Disclosed: 2006-08-28

Description:

Cybozu Garoon contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the phonemessage Facility not properly sanitizing user-supplied input to the 'uid' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 14238 - Disclosed: 2005-02-25

Description:

A REMOTE overflow exists in BadBlue http Server. The BadBlue http Server fails to validate the mfcisapicommand parameter resulting in a buffer overflow. With a specially crafted request, an attacker can cause the execution of arbitrary code resulting in a loss of integrity.

[CLOSE] OSVDB ID : 21307 - Disclosed: 2005-11-23

Description:

OvBB contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the thread.php script not properly sanitizing user-supplied input to the 'threadid' variable. Followup research along with vendor dispute indicates this issue can not be used to manipulate SQL queries. It is believed that non-numeric input may cause an SQL error giving the appearance of injection capability.

[CLOSE] OSVDB ID : 4030 - Disclosed: 2004-04-20

Description:

The TCP stack implementation of numerous vendors contains a flaw that may allow a remote denial of service. The issue is triggered when spoofed TCP Reset packets are received by the targeted TCP stack, and will result in loss of availability for the attacked TCP services.

[CLOSE] OSVDB ID : 74964 - Disclosed: 2011-03-07

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 44643 - Disclosed: 2008-04-23

Description:

A buffer overflow exists in HD Audio Codec Driver. RTKVHDA.sys and RTKVHDA64.sys fail to validate IOCTL requests resulting in an integer overflow. With a specially crafted request, an attacker can cause arbitrary code execution resulting in a loss of integrity.

[CLOSE] OSVDB ID : 16856 - Disclosed: 2005-05-25

Description:

Mailutils contains a flaw that may allow a remote denial of service. The issue is triggered when a FETCH command with a very large sequence range is sent to the imap4d server, and will result in loss of availability for the platform.

[CLOSE] OSVDB ID : 75811 - Disclosed: 2011-04-05

Description:

By default, Ducati Diavel motorcycles install with a default ignition password. The bike can be started using a manufacturer default PIN, set to the last 4 numbers of the Vehicle Identification Number (VIN), which is publicly known and documented. This allows attackers to trivially access the bicycle and enjoy the 162 horsepower and wind blowing through your hair.

[CLOSE] OSVDB ID : 28946 - Disclosed: 2006-09-19

Description:

A remote stack-based buffer overflow exists in Microsoft Internet Explorer. The browser's vml rendering engine fails to check the length of a fill parameter on the rect tag resulting in a stack-based buffer overflow. With a specially crafted request that contains a vml graphic, an attacker can cause arbitrary code execution resulting in a loss of integrity.

[CLOSE] OSVDB ID : 17910 - Disclosed: 2005-07-14

Description:

(Description Provided by CVE) : Sophos Anti-Virus 5.0.1, with "Scan inside archive files" enabled, allows remote attackers to cause a denial of service (CPU consumption by infinite loop) via a Bzip2 archive with a large 'Extra field length' value.

[CLOSE] OSVDB ID : 71172 - Disclosed: 2011-03-14

Description:

Nucleus CMS contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'user' parameter upon submission to the index.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 16866 - Disclosed: 2005-05-26

Description:

A remote overflow exists in Terminator 3: War of the Machines. The application fails to perform proper bounds checking resulting in a buffer overflow. With a specially crafted request containing an overly long CD-key hash, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.

[CLOSE] OSVDB ID : 18291 - Disclosed: 2002-01-24

Description:

SquirrelMail contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the URIs and HTML tags for scripts within an email message upon submission to the compose.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 592 - Disclosed: 2002-09-12

Description:

By default, Zyxel routers install with a default password. The administrative account has a password of 1234 which is publicly known and documented. This allows attackers to trivially access the program or system.

[CLOSE] OSVDB ID : 24745 - Disclosed: 2006-04-18

Description:

(Description Provided by CVE) : Cross-site scripting (XSS) vulnerability in awstats.pl in AWStats 6.5 and earlier allows remote attackers to inject arbitrary web script or HTML via the config parameter. NOTE: this might be the same core issue as CVE-2005-2732.

[CLOSE] OSVDB ID : 12184 - Disclosed: 2004-11-28

Description:

PHP contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker makes certain HTTP requests with crafted arguments, which will disclose PHP version and another sensitive information resulting in a loss of confidentiality.

[CLOSE] OSVDB ID : 27502 - Disclosed: 2006-06-16

Description:

Nucleus has been reported to contain a flaw that may allow a remote attacker to execute arbitrary commands. The issue is supposedly due to the action.php, media.php, server.php and api_metaweblog.inc.php scripts not properly sanitizing user input supplied to the 'DIR_LIBS' variable. However, subsequent evaluation by another researcher indicates the DIR_LIBS variable is previously defined by config.php and not user controlled.

[CLOSE] OSVDB ID : 89337 - Disclosed: 2013-01-17

Description:

IP.Gallery contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the index.php script not properly sanitizing user-supplied input to the 'img' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 3233 - Disclosed: 1994-01-01

Description:

A default file, directory or CGI program which installed by default with the web server or installed software was found. While there is no known vulnerability or exploit associated with this, default files often reveal sensitive information or contain unknown or undisclosed vulnerabilities. The presence of such files may also reveal information about the web server version or operating system.

[CLOSE] OSVDB ID : 21221 - Disclosed: 2005-11-29

Description:

Gallery contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the remote image url upon submission to the "Add Image From Web" feature. This could allow a user to create a specially crafted page that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 49243 - Disclosed: 2008-10-23

Description:

Microsoft Windows Server Service contains a flaw that may allow a malicious user to remotely execute arbitrary code. The issue is triggered when a crafted RPC request is handled. It is possible that the flaw may allow remote code execution resulting in a loss of integrity.

[CLOSE] OSVDB ID : 18679 - Disclosed: 2005-08-08

Description:

DVBBS contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'page' variable upon submission to the 'dispbbs.asp' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 13832 - Disclosed: 2005-02-14

Description:

AWStats contains a flaw that may allow a malicious user to issue arbitrary commands under the webserver privileges. The issue is triggered when passing perl commands to the 'PluginMode' variable of the awstats.pl script via a colon (:) character. It is possible that the flaw may allow execution of arbitrary commands resulting in a loss of integrity.

[CLOSE] OSVDB ID : 70 - Disclosed: 1990-01-01

Description:

(Description Provided by CVE) : A service or application has a backdoor password that was placed there by the developer.

[CLOSE] OSVDB ID : 76929 - Disclosed: 2011-08-08

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 30768 - Disclosed: 2000-09-15

Description:

By default, APC installs with a default password on the integrated HTTP server (TCP Port 3052). The 'apc' account has a password of 'apc' which is publicly known and documented. This allows attackers to trivially access the program or system.

[CLOSE] OSVDB ID : 13621 - Disclosed: 2005-02-08

Description:

Microsoft Outlook Web Access contains a flaw within owalogon.asp that may allow a malicious user to perform account enumeration. The issue is triggered when an attacker sends a specially crafted URL to a user who is using Outlook Web Access, which redirects them to a predefined site. It is possible that the flaw may allow account enumeration from the URL resulting in a loss of confidentiality.