Lucene search

1284 matches found

Cvelist
added 2011/09/23 11:0 p.m. | 19 views

CVE-2011-3738

Feng Office 1.7.2 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by public/upgrade/templates/layout.php and certain other files...

AI score: 6.1 | EPSS: 0.01335
Exploits: 1 | References: 3

Cvelist
added 2011/09/23 11:0 p.m. | 14 views

CVE-2011-3714

ClanSphere 2010.0 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by mods/board/attachment.php...

AI score: 6.1 | EPSS: 0.01335
Exploits: 1 | References: 3

Cvelist
added 2011/09/23 11:0 p.m. | 20 views

CVE-2011-3708

Automne 4.0.2 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by admin/page-redirect-info.php...

AI score: 6.1 | EPSS: 0.01335
Exploits: 1 | References: 3

Cvelist
added 2011/09/23 11:0 p.m. | 17 views

CVE-2011-3722

Coppermine Photo Gallery (CPG) 1.5.12 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by include/inspekt.php and certain other files...

AI score: 6.1 | EPSS: 0.01335
Exploits: 1 | References: 3

CVE
added 2011/09/23 11:0 p.m. | 54 views

CVE-2011-3754

CVE-2011-3754 affects Mambo 4.6.5. The vulnerability allows information disclosure via a direct request to a PHP file, where an error message reveals the installation path (e.g., includes/sef.php). Impact is partial confidentiality loss. The technical details do not specify a patch or workaround ...

CVSS: 5 | AI score: 6.3 | EPSS: 0.01335
Exploits: 1 | References: 3 | Affected Software: 1

CVE
added 2011/09/23 11:0 p.m. | 75 views

CVE-2011-3730

CVE-2011-3730 concerns Drupal 7.0, where remote attackers can trigger an information disclosure by requesting a PHP file directly, causing an error message that reveals the installation path. Documentation cites examples such as modules/simpletest/tests/upgrade/drupal-6.upload.database.php and re...

CVSS: 5 | AI score: 7.2 | EPSS: 0.01644
Exploits: 1 | References: 3 | Affected Software: 1

CVE
added 2011/09/23 11:0 p.m. | 41 views

CVE-2011-3718

CMS Made Simple (CMSMS) 1.9.2 is affected by CVE-2011-3718. A remote attacker can obtain sensitive information by directly requesting a PHP file (e.g., modules/TinyMCE/TinyMCE.module.php), resulting in an error message that reveals the installation path. The vulnerability is an information-disclo...

CVSS: 5 | AI score: 6.1 | EPSS: 0.01336
Exploits: 1 | References: 3 | Affected Software: 1

CVE
added 2011/09/23 11:0 p.m. | 37 views

CVE-2011-3715

CVE-2011-3715 affects ClanTiger 1.1.3. Affected component: PHP files (e.g., widgets/statistics/statistics.php) that disclose the installation path in an error message when directly requested. This enables remote information disclosure. Root cause: direct access to certain PHP files leaks path inf...

CVSS: 5 | AI score: 6.3 | EPSS: 0.01335
Exploits: 1 | References: 3 | Affected Software: 1

Cvelist
added 2011/09/23 11:0 p.m. | 20 views

CVE-2011-3729

dotproject 2.1.4 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by style/dp-grey-theme/footer.php and certain other files...

AI score: 6.1 | EPSS: 0.01335
Exploits: 1 | References: 3

Debian CVE
added 2011/09/23 11:0 p.m. | 19 views

CVE-2011-3699

John Lim ADOdb Library for PHP 5.11 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by tests/test-active-record.php and certain other files...

CVSS: 5 | AI score: 6.2 | EPSS: 0.01373
Exploits: 1

Prion
added 2011/02/14 10:0 p.m. | 10 views

Path traversal

phpMyAdmin 2.11.x before 2.11.11.2, and 3.3.x before 3.3.9.1, does not properly handle the absence of the (1) README, (2) ChangeLog, and (3) LICENSE files, which allows remote attackers to obtain the installation path via a direct request for a nonexistent file...

CVSS: 5 | AI score: 6.9 | EPSS: 0.01558
Exploits: 0 | References: 8 | Affected Software: 1

Debian CVE
added 2011/02/14 9:0 p.m. | 15 views

CVE-2011-0986

phpMyAdmin 2.11.x before 2.11.11.2, and 3.3.x before 3.3.9.1, does not properly handle the absence of the (1) README, (2) ChangeLog, and (3) LICENSE files, which allows remote attackers to obtain the installation path via a direct request for a nonexistent file...

CVSS: 5 | AI score: 6.2 | EPSS: 0.01558
Exploits: 0

Prion
added 2011/01/25 1:0 a.m. | 10 views

Unrestricted file upload

Unrestricted file upload vulnerability in modules/gallery/models/item.php in Menalto Gallery before 3.0 and beta allows remote authenticated users with upload permissions to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file...

CVSS: 6 | AI score: 7.9 | EPSS: 0.01676
Exploits: 0 | References: 5 | Affected Software: 1

UbuntuCve
added 2011/01/25 1:0 a.m. | 35 views

CVE-2010-4353

Unrestricted file upload vulnerability in modules/gallery/models/item.php in Menalto Gallery before 3.0 and beta allows remote authenticated users with upload permissions to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file...

CVSS: 6 | AI score: 6.2 | EPSS: 0.01676
Exploits: 0 | References: 1

Cvelist
added 2011/01/25 12:0 a.m. | 23 views

CVE-2010-4353

Unrestricted file upload vulnerability in modules/gallery/models/item.php in Menalto Gallery before 3.0 and beta allows remote authenticated users with upload permissions to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file...

AI score: 7.4 | EPSS: 0.01676
Exploits: 0 | References: 5

Cvelist
added 2011/01/12 12:0 a.m. | 24 views

CVE-2011-0316

The Administrative Console component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.35 and 7.0 before 7.0.0.15 does not properly restrict access to console servlets, which allows remote attackers to obtain potentially sensitive status information via a direct request...

AI score: 5.9 | EPSS: 0.02219
Exploits: 0 | References: 7

NVD
added 2010/12/29 10:33 p.m. | 22 views

CVE-2010-4608

Habari 0.6.5 allows remote attackers to obtain sensitive information via a direct request to (1) header.php and (2) comments_items.php in system/admin/, which reveals the installation path in an error message...

CVSS: 5 | AI score: 6.1 | EPSS: 0.02492
Exploits: 1 | References: 3

Cvelist
added 2010/12/29 7:0 p.m. | 22 views

CVE-2010-4611

Html-edit CMS 3.1.8 allows remote attackers to obtain sensitive information via a direct request to (1) pages.php and (2) menu.php in includes/corefiles and (3) extensions/login/frontend/pages/antihacker.php, which reveals the installation path in an error message...

AI score: 6.1 | EPSS: 0.02492
Exploits: 1 | References: 3

CVE
added 2010/12/29 7:0 p.m. | 50 views

CVE-2010-4608

CVE-2010-4608 affects Habari 0.6.5 and enables remote information disclosure through direct requests to system/admin/header.php and system/admin/comments_items.php, with the error message revealing the installation path. Multiple connected sources corroborate the issue. No concrete remediation or...

CVSS: 5 | AI score: 6.3 | EPSS: 0.02492
Exploits: 1 | References: 3 | Affected Software: 1

Prion
added 2010/12/01 4:6 p.m. | 9 views

Improper access control

Web Wiz NewsPad stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for database/NewsPad.mdb...

CVSS: 5 | AI score: 6.9 | EPSS: 0.02794
Exploits: 1 | References: 4 | Affected Software: 1