DSA-1374-1 jffnms - several vulnerabilities
Bulletin has no description...
Remote file inclusion
Multiple PHP remote file inclusion vulnerabilities in Guestbook Script 1.9 allow remote attackers to execute arbitrary PHP code via a URL in the scriptroot parameter to (1) delete.php, (2) edit.php, or (3) inc/common.inc.php; or (4) database.php, (5) entries.php, (6) index.php, (7) logout.php, or (8) settings.ph...
CVE-2007-4290
Multiple PHP remote file inclusion vulnerabilities in Guestbook Script 1.9 allow remote attackers to execute arbitrary PHP code via a URL in the scriptroot parameter to (1) delete.php, (2) edit.php, or (3) inc/common.inc.php; or (4) database.php, (5) entries.php, (6) index.php, (7) logout.php, or (8) settings.ph...
Design/Logic Flaw
Joomla! 1.0.12 allows remote attackers to obtain sensitive information via a direct request for (1) Stat.php, (2) OutputFilter.php, (3) OutputCache.php, (4) Modifier.php, (5) Reader.php, and (6) TemplateCache.php in includes/patTemplate/patTemplate/; (7) includes/Cache/Lite/Output.php; and other unspecified...
CVE-2007-3591
Unspecified vulnerability in Profile.php in Elite Bulletin Board before 1.0.10 allows remote attackers to modify profile information via unspecified vectors related to "a remote form," probably related to direct requests and missing authorization checks...
CVE-2007-2776
AlstraSoft Template Seller Pro 3.25 and earlier sends a redirect to the web browser but does not exit when administrative credentials are missing, which allows remote attackers to inject a credential variable setting and obtain administrative access via a direct request to admin/changeinfo.php...
Design/Logic Flaw
The JMS Server in BEA WebLogic Server 6.1 through SP7, 7.0 through SP6, and 8.1 through SP5 enforces security access policies on the front end, which allows remote attackers to access protected queues via direct requests to the JMS back-end server...
CVE-2007-2696
The JMS Server in BEA WebLogic Server 6.1 through SP7, 7.0 through SP6, and 8.1 through SP5 enforces security access policies on the front end, which allows remote attackers to access protected queues via direct requests to the JMS back-end server...
Improper access control
(1) LedgerSMB and (2) DWS Systems SQL-Ledger implement access control lists by changing the set of URLs linked from menus, which allows remote attackers to access restricted functionality via direct requests. The LedgerSMB affected versions are before 1.3.0...
DEBIAN-CVE-2007-1923
(1) LedgerSMB and (2) DWS Systems SQL-Ledger implement access control lists by changing the set of URLs linked from menus, which allows remote attackers to access restricted functionality via direct requests. The LedgerSMB affected versions are before 1.3.0...
PT-2007-3268 · Dws Systems · Sql-Ledger
Name of the Vulnerable Software and Affected Versions: LedgerSMB versions prior to 1.3.0; DWS Systems SQL-Ledger, affected versions not specified. Description: The issue allows remote attackers to access restricted functionality via direct requests, as access control lists are implemented by changin...
CVE-2007-1789
Flyspray 0.9.9 allows remote attackers to obtain sensitive information (private project summaries) via direct requests...
Information disclosure
Flyspray 0.9.9 allows remote attackers to obtain sensitive information (private project summaries) via direct requests...
Code injection
Grayscale Blog 0.8.0, and possibly earlier versions, allows remote attackers to gain privileges via direct requests with modified arguments in (1) the userpermissions parameter to addusers.php, and unspecified parameters to (2) addblog.php, (3) editblog.php, (4) editlinks.php, (5) editusers.php, and (6)...
Improper access control
The projectissueaccess function in the Project issue tracking 4.7.0 through 5.x before 20070123 module for Drupal allows remote authenticated users to bypass other access control modules and obtain attached files by guessing the filename, and obtain issue information via direct requests...
CVE-2006-6943
PhpMyAdmin before 2.9.1.1 allows remote attackers to obtain the full server path via direct requests to (a) scripts/checklang.php and (b) themes/darkblueorange/layout.inc.php; and via the (1) lang, (2) target, (3) db, (4) goto, (5) table, and (6) tblgroup array arguments to (c) index.php, and the (7) back argument t...
CVE-2006-6933
Easy Chat Server 2.1 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download certain files via direct requests to files such as (1) ServerKey.pem and (2) AcceptIP.txt. NOTE: The provenance of this information is unknown; the details...