Web Security Vulnerabilities
The MoboTap Dolphin Web Browser - Fast Private Internet Search app 9.23.0 through 9.23.2 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted...
5.9CVSS
5.1AI Score
0.001EPSS
PHP-Post allows remote attackers to spoof the names of other users by registering with a username containing hex-encoded...
7AI Score
0.002EPSS
amaroK Web Frontend 1.3 stores the globals.inc file under the web root without a .php extension and insufficient access control, which allows remote attackers to obtain the database username and password via a direct request to the...
7.2AI Score
0.003EPSS
Web Wiz Forums 7.9 and 8.0 allows remote attackers to view message titles of a hidden...
7AI Score
0.002EPSS
Jeuce Personal Webserver 2.13 allows remote attackers to cause a denial of service (server crash) via a long GET request, possibly triggering a buffer...
7.3AI Score
0.007EPSS
Unknown vulnerability in Sun Java System Web Server 6.0 SP7 and earlier, when running on Windows systems, allows attackers to cause a denial of service...
6.8AI Score
0.002EPSS
YusASP Web Asset Manager 1.0 allows remote attackers to gain privileges via a direct request to...
6.9AI Score
0.006EPSS
SurfControl SuperScout only filters packets containing both an HTTP GET request and a Host header, which allows local users to bypass filtering by fragmenting packets so that no packet contains both data...
6.7AI Score
0.0004EPSS
6.1CVSS
6.2AI Score
0.001EPSS
An issue was discovered on Conceptronic CIPCAMPTIWL V3 0.61.30.21 devices. CSRF exists in hy-cgi/user.cgi, as demonstrated by changing an administrator password or adding a new administrator...
8.8CVSS
8.7AI Score
0.001EPSS
An issue was discovered on Conceptronic CIPCAMPTIWL V3 0.61.30.21 devices. An unauthenticated attacker can crash a device by sending a POST request with a huge body size to /hy-cgi/devices.cgi?cmd=searchlandevice. The crash completely freezes the...
7.5CVSS
7.5AI Score
0.001EPSS
Getahead Direct Web Remoting (DWR) before 1.1.3 allows attackers to cause a denial of service (infinite loop) via unknown vectors related to "crafted...
6.7AI Score
0.003EPSS
Zeus Web Server before 4.3r5 does not use random transaction IDs for DNS requests, which makes it easier for remote attackers to spoof DNS...
6.8AI Score
0.001EPSS
The admin server in Sun Java System Web Server 7.0 Update 6 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an HTTP request that lacks a method...
6.7AI Score
0.003EPSS
Sun Java System Web Server (aka SJWS) 7.0 Update 7 allows remote attackers to overwrite memory locations in the heap, and discover the contents of memory locations, via a malformed HTTP TRACE request that includes a long URI and many empty headers, related to an "overflow." NOTE: this might...
6AI Score
0.009EPSS
Unspecified vulnerability in Sun Java System Web Server 7.0 Update 6 on Linux allows remote attackers to execute arbitrary code by sending a process memory address and crafted data to TCP port 80, as demonstrated by the vd_sjws2 module in VulnDisco. NOTE: as of 20100106, this disclosure has no...
7.7AI Score
0.009EPSS
Buffer overflow in the SSLv2 support in Zeus Web Server before 4.3r5 allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a long string in an invalid Client Hello...
8.4AI Score
0.288EPSS
Cross-site scripting (XSS) vulnerability in Zeus Web Server before 4.3r5, when SSL is enabled for the admin server, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than...
5.9AI Score
0.003EPSS
Stack-based buffer overflow in the WebDAV implementation in webservd in Sun Java System Web Server (aka SJWS) 7.0 Update 7 allows remote attackers to cause a denial of service (daemon crash) and possibly have unspecified other impact via a long URI in an HTTP OPTIONS...
7.4AI Score
0.954EPSS
Cross-site request forgery (CSRF) vulnerability in authcfg.cgi in Accoria Web Server (aka Rock Web Server) 1.4.7 allows remote attackers to hijack the authentication of administrators for requests that create user...
7.3AI Score
0.001EPSS
Accoria Web Server (aka Rock Web Server) 1.4.7 uses a predictable httpmod-sessionid cookie, which makes it easier for remote attackers to hijack sessions via a modified...
6.8AI Score
0.003EPSS
Directory traversal vulnerability in loadstatic.cgi in Accoria Web Server (aka Rock Web Server) 1.4.7 allows remote attackers to read arbitrary files via a .. (dot dot) in the name...
6.8AI Score
0.003EPSS
SQL injection vulnerability in customize.php in 2daybiz Web Template Software allows remote attackers to execute arbitrary SQL commands via the tid...
8.7AI Score
0.001EPSS
Multiple cross-site scripting (XSS) vulnerabilities in Accoria Web Server (aka Rock Web Server) 1.4.7 allow remote attackers to inject arbitrary web script or HTML via (1) the query string to the getenv sample program, (2) the desc parameter to loadstatic.cgi, (3) the name parameter to...
5.9AI Score
0.002EPSS
Format string vulnerability in authcfg.cgi in Accoria Web Server (aka Rock Web Server) 1.4.7 allows remote attackers to have an unspecified impact via format string specifiers in the path (aka Password File)...
7AI Score
0.004EPSS
Multiple cross-site scripting (XSS) vulnerabilities in 2daybiz Web Template Software allow remote attackers to inject arbitrary web script or HTML via the (1) keyword parameter to category.php and the (2) password parameter to...
6.1AI Score
0.001EPSS
Race condition in IBM Web Content Manager (WCM) 7.0.0.1 before CF003 allows remote authenticated users to cause a denial of service (infinite recursive query) via unspecified vectors, related to a StackOverflowError...
6.2AI Score
0.001EPSS
The Remote Filtering component in Websense Web Security and Web Filter before 6.3.3 Hotfix 18 and 7.x before 7.1.1 allows remote attackers to cause a denial of service (daemon exit) via a large volume of...
6.9AI Score
0.002EPSS
The authoring tool in IBM Web Content Manager (WCM) 6.1.5, and 7.0.0.1 before CF003, allows remote authenticated users to bypass intended access restrictions on draft creation by leveraging certain resource editor...
6.2AI Score
0.001EPSS
Race condition in Dr.Web Security Space Pro 6.0.0.03100 on Windows XP allows local users to bypass kernel-mode hook handlers, and execute dangerous code that would otherwise be blocked by a handler but not blocked by signature-based malware detection, via certain user-space memory changes during...
6.9AI Score
0.0004EPSS
The ISAPI Filter plug-in in Websense Enterprise, Websense Web Security, and Websense Web Filter 6.3.3 and earlier, when used in conjunction with a Microsoft ISA or Microsoft Forefront TMG server, allows remote attackers to bypass intended filtering and monitoring activities for web traffic via an.....
6.9AI Score
0.002EPSS
The Change Password dialog box (change_password) in Sophos Web Appliance before 3.8.2 allows remote authenticated users to change the admin user password via a crafted...
6.4AI Score
0.276EPSS
The network interface configuration page (netinterface) in Sophos Web Appliance before 3.8.2 allows remote administrators to execute arbitrary commands via shell metacharacters in the address...
7.8AI Score
0.633EPSS
Multiple integer signedness errors in DirectShowDemuxFilter, as used in Divx Web Player, Divx Player, and other Divx plugins, allow remote attackers to execute arbitrary code via a (1) negative or (2) large value in a Stream Format (STRF) chunk in an AVI file, which triggers a heap-based buffer...
8AI Score
0.005EPSS
The Webform Component Roles module 6.x-1.x before 6.x-1.8 and 7.x-1.x before 7.x-1.8 for Drupal allows remote attackers to bypass the "disabled" restriction and modify read-only components via a crafted...
6.9AI Score
0.002EPSS
Cross-site scripting (XSS) vulnerability in the Web Dorado Spider Video Player (aka WordPress Video Player) plugin before 1.5.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified...
5.9AI Score
0.001EPSS
Cross-site scripting (XSS) vulnerability in SAP HANA Web-based Development Workbench allows remote attackers to inject arbitrary web script or HTML via unspecified...
5.8AI Score
0.001EPSS
SQL injection vulnerability in joblogs.php in Bacula-Web 5.2.10 allows remote attackers to execute arbitrary SQL commands via the jobid...
8.7AI Score
0.001EPSS
Multiple SQL injection vulnerabilities in Voice Of Web AllMyGuests 0.4.1 allow remote attackers to execute arbitrary SQL commands via the (1) allmyphp_cookie cookie to admin.php or the (2) Username or (3)...
8.8AI Score
0.001EPSS
Cross-site scripting (XSS) vulnerability in Voice Of Web AllMyGuests 0.4.1 allows remote attackers to inject arbitrary web script or HTML via the AMG_signin_topic parameter to...
5.9AI Score
0.001EPSS
Stack-based buffer overflow in Easy File Sharing (EFS) Web Server 6.8 allows remote attackers to execute arbitrary code via a long string in a cookie UserID parameter to...
9.8AI Score
0.94EPSS
The Web manager (aka Commander) on Korenix JetPort 5601 and 5601f devices has Persistent XSS via the Port Alias field under Serial...
6.1CVSS
6AI Score
0.001EPSS
Easy File Sharing (EFS) Web Server 1.2 stores the (1) option.ini (aka options.ini) file and (2) log directory under the web root with insufficient access control, which allows remote attackers to obtain sensitive information including an SMTP account username and password hash, the server...
6.8AI Score
0.003EPSS
CRLF injection vulnerability in Aprelium Abyss Web Server 1.1.2 and earlier allows remote attackers to inject arbitrary HTTP headers and possibly conduct HTTP Response Splitting attacks via CRLF sequences in the Location...
7.5AI Score
0.002EPSS
Sun ONE (aka iPlanet) Web Server 6 on Windows, when DNS resolution is enabled for client IP addresses, uses a logging format that does not identify whether a dotted quad represents an unresolved IP address, which allows remote attackers to spoof IP addresses via crafted DNS responses containing...
6.9AI Score
0.001EPSS
The remote web management interface of Aprelium Technologies Abyss Web Server 1.1.2 and earlier does not log connection attempts to the web management port (9999), which allows remote attackers to mount brute force attacks on the administration console without...
7.1AI Score
0.002EPSS
Unknown vulnerability in SunOne/iPlanet Web Server SP3 through SP5 on Windows platforms allows remote attackers to cause a denial of...
7AI Score
0.003EPSS
Multiple cross-site scripting (XSS) vulnerabilities in the management GUI in Symantec Web Gateway 5.0.x before 5.0.3 allow remote attackers to inject arbitrary web script or HTML via unspecified...
5.7AI Score
0.242EPSS
TIBCO Spotfire Web Application, Web Player Application, Automation Services Application, and Analytics Client Application in Spotfire Analytics Server before 10.1.2; Server before 3.3.3; and Web Player, Automation Services, and Professional before 4.0.2 allow remote attackers to obtain sensitive...
6.2AI Score
0.002EPSS
Cross-site scripting (XSS) vulnerability in KENT-WEB WEB PATIO 4.04 and earlier might allow remote attackers to inject arbitrary web script or HTML via a crafted...
5.8AI Score
0.001EPSS