Primary Vendor -- Product | Description | | CVSS Score | Source & Patch Info | A-Blog -- A-Blog
| Multiple PHP remote file inclusion vulnerabilities in A-Blog 2 allow remote attackers to execute arbitrary PHP code via a URL in the (1) open_box, (2) middle_box, and (3) close_box parameters in (a) sources/myaccount.php; the (4) navigation_end parameter in (b) navigation/search.php and (c) navigation/donation.php; and the (6) navigation_start and (7) navigation_middle parameters in navigation/donation.php, (d) navigation/latestnews.php, and (e) navigation/links.php; different vectors than CVE-2006-5092. | | 7.0 | CVE-2006-5135 OTHER-REF BID XF
| Andreas Gohr -- DokuWiki
| lib/exec/fetch.php in DokuWiki before 2006-03-09e, when conf[imconvert] is configured to use ImageMagick, allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) w and (2) h parameters, which are not filtered when invoking convert. | | 7.0 | CVE-2006-5099 OTHER-REF GENTOO SECUNIA SECUNIA FRSIRT
| Apple -- Mac OS X NeXT -- OpenStep
| The Mach kernel, as used in operating systems including (1) Mac OS X 10.4 through 10.4.7 and (2) OpenStep before 4.2, allows local users to gain privileges via a parent process that forces an exception in a setuid child and uses Mach exception ports to modify the child's thread context and task address space in a way that causes the child to call a parent-controlled function. | | 7.0 | CVE-2006-4392 BUGTRAQ OTHER-REF APPLE CERT-VN SECTRACK CERT BID FRSIRT SECUNIA XF
| Apple -- Mac OS X
| A logic error in LoginWindow in Apple Mac OS X 10.4 through 10.4.7, allows network accounts without GUIds to bypass service access controls and log into the system using loginwindow via unknown vectors. | | 7.0 | CVE-2006-4394 APPLE CERT CERT-VN BID FRSIRT SECTRACK SECUNIA XF
| Baumedia -- Newswriter
| PHP remote file inclusion vulnerability in include/editfunc.inc.php in Sebastian Baumann and Philipp Wolfer Newswriter SW 1.42 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the NWCONF_SYSTEM[server_path] parameter. | | 7.0 | CVE-2006-5102 OTHER-REF BID XF
| bbsNew -- bbsNew
| PHP remote file inclusion vulnerability in index2.php in bbsNew 2.0.1 allows remote attackers to execute arbitrary PHP code via a URL in the right parameter. NOTE: the provenance of this information is unknown; the details are obtained from third party information. | | 7.0 | CVE-2006-5103 BID
| Comdev -- Comdev CSV Importer
| PHP remote file inclusion vulnerability in include.php in Comdev CSV Importer 3.1 and possibly 4.1, as used in (1) Comdev Contact Form 3.1, (2) Comdev Customer Helpdesk 3.1, (3) Comdev Events Calendar 3.1, (4) Comdev FAQ Support 3.1, (5) Comdev Guestbook 3.1, (6) Comdev Links Directory 3.1, (7) Comdev News Publisher 3.1, (8) Comdev Newsletter 3.1, (9) Comdev Photo Gallery 3.1, (10) Comdev Vote Caster 3.1, (11) Comdev Web Blogger 3.1, and (12) Comdev eCommerce 3.1, allows remote attackers to execute arbitrary PHP code via a URL in the path[docroot] parameter. NOTE: it has been reported that 4.1 versions might also be affected. | | 7.0 | CVE-2006-5101 BUGTRAQ BUGTRAQ BUGTRAQ BUGTRAQ BUGTRAQ BUGTRAQ BUGTRAQ BUGTRAQ BUGTRAQ BUGTRAQ BUGTRAQ BUGTRAQ BUGTRAQ FRSIRT FRSIRT FRSIRT FRSIRT FRSIRT FRSIRT FRSIRT FRSIRT FRSIRT FRSIRT FRSIRT FRSIRT FRSIRT SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA
| ConPresso -- ConPresso CMS
| Multiple cross-site scripting (XSS) vulnerabilities in Bartels Schoene ConPresso before 4.0.5a allow remote attackers to inject arbitrary web script or HTML via (1) the nr parameter in detail.php, (2) the msg parameter in db_mysql.inc.php, and (3) the pos parameter in index.php. | | 7.0 | CVE-2006-5127 BUGTRAQ OTHER-REF OTHER-REF BID XF
| ConPresso -- ConPresso CMS
| SQL injection vulnerability in index.php in Bartels Schoene ConPresso before 4.0.5a allows remote attackers to execute arbitrary SQL commands via the nr parameter. | | 7.0 | CVE-2006-5128 BUGTRAQ OTHER-REF OTHER-REF BID XF
| DeluxeBB -- DeluxeBB
| PHP remote file inclusion vulnerability in cp/sig.php in DeluxeBB 1.09 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the templatefolder parameter. | | 7.0 | CVE-2006-5154 OTHER-REF BID FRSIRT SECUNIA
| Devellion -- CubeCart
| Multiple SQL injection vulnerabilities in Devellion CubeCart 2.0.x allow remote attackers to execute arbitrary SQL commands via (1) the user_name parameter in admin/forgot_pass.php, (2) the order_id parameter in view_order.php, (3) the view_doc parameter in view_doc.php, and (4) the order_id parameter in admin/print_order.php. | | 7.0 | CVE-2006-5107 BUGTRAQ BID XF
| Devellion -- CubeCart
| Multiple cross-site scripting (XSS) vulnerabilities in Devellion CubeCart 2.0.x allow remote attackers to inject arbitrary web script or HTML via the order_id parameter in (1) admin/print_order.php and (2) view_order.php; the (3) site_url and (4) la_search_home parameters and (5) certain language parameters in admin/nav.php; the (6) image parameter in admin/image.php; the (7) site_name, (8) la_adm_header, (9) charset, and (10) certain other parameters in admin/header.inc.php; the (12) la_pow_by parameter in footer.inc.php; and the (13) site_name parameter and (14) certain other parameters in header.inc.php. | | 7.0 | CVE-2006-5108 BUGTRAQ BID FRSIRT SECUNIA XF
| Forum One -- SyntaxCMS
| Multiple PHP remote file inclusion vulnerabilities in SyntaxCMS 1.1.1 through 1.3 allow remote attackers to execute arbitrary PHP code via a URL in (1) the init_path parameter to admin/testing/tests/0030_init_syntax.php, or (2) an unspecified parameter to admin/testing/index.php. NOTE: the 0004_init_urls.php vector is already covered by CVE-2006-5055. | | 7.0 | CVE-2006-5105 OTHER-REF SECUNIA
| Forum82 -- Forum82
| Multiple PHP remote file inclusion vulnerabilities in Forum82 2.5.2b and earlier allow remote attackers to execute arbitrary PHP code via a URL in the repertorylevel parameter including scripts in /forum/ including (1) search.php, (2) message.php, (3) member.php, (4) mail.php, (5) lostpassword.php, (6) gesfil.php, (7) forum82lib.php3, and other unspecified scripts. | | 7.0 | CVE-2006-5148 OTHER-REF BID FRSIRT SECUNIA
| HP -- HP-UX
| Unspecified vulnerability in HP Ignite-UX server before C.6.9.150 for HP-UX B.11.00, B.11.11, and B.11.23 allows remote attackers to "gain root access" via unspecified vectors. | | 10.0 | CVE-2006-5151 HP BID SECTRACK XF
| InterVations -- NaviCOPA Web Server
| Buffer overflow in InterVations NaviCOPA Web Server 2.01 allows remote attackers to execute arbitrary code via a long HTTP GET request. | | 7.0 | CVE-2006-5112 OTHER-REF BID FRSIRT SECUNIA XF
| Jelsoft -- VBulletin
| SQL injection vulnerability in global.php in Jelsoft vBulletin 2.x allows remote attackers to execute arbitrary SQL commands via the templatesused parameter. | | 7.0 | CVE-2006-5104 BUGTRAQ BID XF
| Joshua Muheim -- phpMyWebmin
| Multiple PHP remote file inclusion vulnerabilities in Joshua Muheim phpMyWebmin 1.0 allow remote attackers to execute arbitrary PHP code via a URL in the (1) target and (2) action parameters in window.php, and possibly the (3) target parameter in home.php. | | 7.0 | CVE-2006-5124 OTHER-REF OTHER-REF BID FRSIRT SECUNIA XF
| Kevin A. Gordon -- Open Geo Targeting
| PHP remote file inclusion vulnerability in script.php in Kevin A. Gordon Open Geo Targeting (aka geotarget) allows remote attackers to execute arbitrary PHP code via a URL in the anp_path parameter. NOTE: the provenance of this information is unknown; the details are obtained from third party information. | | 7.0 | CVE-2006-5141 BID
| Lappy512 -- PHP Krazy Image Host Script
| SQL injection vulnerability in display.php in Lappy512 PHP Krazy Image Host Script (phpkimagehost) 0.7a allows remote attackers to execute arbitrary SQL commands via the id parameter. | | 7.0 | CVE-2006-5140 OTHER-REF BID XF
| McAfee -- ePolicy Orchestrator McAfee -- ProtectionPilot
| Buffer overflow in McAfee ePolicy Orchestrator before 3.5.0.720 and ProtectionPilot before 1.1.1.126 allows remote attackers to execute arbitrary code via a request to /spipe/pkg/ with a long source header. | | 10.0 | CVE-2006-5156 OTHER-REF OTHER-REF OTHER-REF OTHER-REF BID SECUNIA
| Microsoft -- Internet Explorer
| Cross-site scripting (XSS) vulnerability in Microsoft Internet Explorer allows remote attackers to inject arbitrary web script or HTML via a UTF-7 encoded URL that is returned in a large HTTP 404 error message without an explicit charset, a related issue to CVE-2006-0032. | | 7.0 | CVE-2006-5152 BUGTRAQ BUGTRAQ BUGTRAQ
| MyPhotos -- MyPhotos
| ** DISPUTED ** PHP remote file inclusion vulnerability in index.php in MyPhotos 0.1.3b beta allows remote attackers to execute arbitrary PHP code via the includesdir parameter. NOTE: this issue is disputed by CVE on 20060927, since the includesdir is defined before being used when the product is installed according to the provided instructions. | | 7.0 | CVE-2006-5095 BUGTRAQ MLIST
| net2ftp -- net2ftp
| PHP remote file inclusion vulnerability in index.php in net2ftp allows remote attackers to execute arbitrary PHP code via a URL in the application_rootdir parameter. | | 7.0 | CVE-2006-5097 BUGTRAQ XF
| NetWin -- WebNEWS
| PHP remote file inclusion vulnerability in parse/parser.php in WEB//NEWS (aka webnews) 1.4 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the WN_BASEDIR parameter. | | 7.0 | CVE-2006-5100 BUGTRAQ OTHER-REF FRSIRT SECUNIA XF
| Olate -- OlateDownload
| Cross-site scripting (XSS) vulnerability in userupload.php in OlateDownload 3.4.0 allows remote attackers to inject arbitrary web script or HTML via the description_small parameter. | | 7.0 | CVE-2006-5144 BUGTRAQ BID XF
| Olate -- OlateDownload
| Multiple SQL injection vulnerabilities in OlateDownload 3.4.0 allow remote attackers to execute arbitrary SQL commands via the (1) page parameter in details.php or the (2) query parameter in search.php. | | 7.0 | CVE-2006-5145 BUGTRAQ BID XF
| OpenBiblio -- OpenBiblio
| Multiple PHP remote file inclusion vulnerabilities in (1) shared/header.php and (2) shared/help.php in OpenBiblio before 0.5.2 allow remote attackers to execute arbitrary PHP code via unspecified vectors. | | 7.0 | CVE-2006-5149 OTHER-REF BID FRSIRT SECUNIA
| OpenBiblio -- OpenBiblio
| SQL injection vulnerability in the reports system in OpenBiblio before 0.5.2 allows remote attackers with report privileges to execute arbitrary SQL commands via unspecified vectors. | | 7.0 | CVE-2006-5150 OTHER-REF BID FRSIRT SECUNIA
| Paul Schudar -- Tagmin Control Center
| PHP remote file inclusion vulnerability in index.php in Tagmin Control Center in TagIt! Tagboard 2.1.B Build 2 allows remote attackers to execute arbitrary PHP code via a URL in the page parameter. | | 7.0 | CVE-2006-5093 OTHER-REF BID OTHER-REF SECUNIA XF FRSIRT
| PHP Invoice -- PHP Invoice
| Cross-site scripting (XSS) vulnerability in home.php in PHP Invoice 2.2 allows remote attackers to inject arbitrary web script or HTML via the msg parameter, a different vector than CVE-2006-5074. NOTE: the provenance of this information is unknown; the details are obtained from third party information. | | 7.0 | CVE-2006-5110 FRSIRT SECUNIA XF
| PHP Web Scripts -- Easy Banner Free
| PHP remote file inclusion vulnerability in functions.php in PHP Web Scripts Easy Banner Free allows remote attackers to execute arbitrary PHP code via a URL in the s[phppath] parameter. | | 7.0 | CVE-2006-5166 BUGTRAQ BID XF
| phpMyAgenda -- phpMyAgenda
| Multiple PHP remote file inclusion vulnerabilities in phpMyAgenda 3.0 Final and earlier allow remote attackers to execute arbitrary PHP code via a URL in the rootagenda parameter to (1) agendaplace.php3, (2) agendaplace2.php3, (3) infoevent.php3, and (4) agenda2.php3, different vectors than CVE-2006-2009. | | 7.0 | CVE-2006-5132 BUGTRAQ OTHER-REF OTHER-REF OSVDB OSVDB OSVDB OSVDB
| PHProjekt -- PHProjekt
| Multiple PHP remote file inclusion vulnerabilities in Albrecht Guenther PHProjekt 5.1.x before 5.1.2 allow remote attackers to execute arbitrary PHP code via a URL in the (1) lib_path or (2) lang_path parameter in unspecified files, related to code changes intended to fix inclusion, a different vulnerability than CVE-2002-0451, CVE-2006-4204, and CVE-2006-4609. | | 7.0 | CVE-2006-5123 BUGTRAQ OTHER-REF OTHER-REF BID FRSIRT SECUNIA XF
| PHPSelect -- Web Development Division
| PHP remote file inclusion vulnerability in index.php3 in the PDD package for PHPSelect Web Development Division allows remote attackers to execute arbitrary PHP code via a URL in the Application_Root parameter. | | 7.0 | CVE-2006-5118 BUGTRAQ BID XF
| PostNuke Software Foundation -- PostNuke
| SQL injection vulnerability in modules/Downloads/admin.php in the Admin section of PostNuke 0.762 allows remote attackers to execute arbitrary SQL commands via the hits parameter. | | 7.0 | CVE-2006-5121 BUGTRAQ XF
| PowerPortal -- PowerPortal
| PHP remote file inclusion vulnerability in index.php in John Himmelman (aka DaRk2k1) PowerPortal 1.3a allows remote attackers to execute arbitrary PHP code via a URL in the file_name[] parameter. | | 7.0 | CVE-2006-5126 OTHER-REF BID XF SECUNIA
| Salims Softhouse -- JAF CMS
| Multiple cross-site scripting (XSS) vulnerabilities in ph03y3nk just another flat file (JAF) CMS 4.0 RC1 allow remote attackers to inject arbitrary web script or HTML via (1) the message parameter, and possibly other parameters, in module/shout/jafshout.php (aka the shoutbox); and (2) the message body in a forum post in module/forum/topicwin.php, related to the name, email, title, date, ldate, and lname variables. | | 7.0 | CVE-2006-5129 BUGTRAQ BID SECUNIA
| Salims Softhouse -- JAF CMS
| Multiple cross-site scripting (XSS) vulnerabilities in ph03y3nk just another flat file (JAF) CMS 4.0 RC1 allow remote attackers to inject arbitrary web script or HTML via the (1) name, (2) url, (3) title, and (4) about parameters in a forum post. NOTE: the provenance of this information is unknown; the details are obtained from third party information. | | 7.0 | CVE-2006-5130 SECUNIA
| Salims Softhouse -- JAF CMS
| module/shout/jafshout.php (aka the shoutbox) in ph03y3nk just another flat file (JAF) CMS 4.0 RC1 allows remote attackers to execute arbitrary code within sections bounded by "", possibly due to a static code injection vulnerability involving admin/data_inc.php. | | 7.0 | CVE-2006-5131 BUGTRAQ SECUNIA
| SAP -- Internet Transaction Server
| Multiple cross-site scripting (XSS) vulnerabilities in wgate in SAP Internet Transaction Server (ITS) 6.1 and 6.2 allow remote attackers to inject arbitrary web script or HTML via the (1) ~urlmime or (2) ~command parameter, different vectors than CVE-2003-0749. | | 7.0 | CVE-2006-5114 BUGTRAQ BID
| Steve Poulsen -- GuildFTPd
| Buffer overflow in GuildFTPd 0.999.13 allows remote attackers to have an unknown impact, possibly code execution related to input containing "globbing chars." | | 7.0 | CVE-2006-5133 BUGTRAQ OTHER-REF OTHER-REF OSVDB
| Sum Effect Software -- digiSHOP
| Multiple cross-site scripting (XSS) vulnerabilities in cart.php in Sum Effect Software digiSHOP 4.0 allow remote attackers to inject arbitrary web script or HTML via the (1) sortBy or (2) search parameters. | | 7.0 | CVE-2006-5164 BUGTRAQ BID SECUNIA
| Trend Micro -- OfficeScan
| Format string vulnerability in the ActiveX control (ATXCONSOLE.OCX) in TrendMicro OfficeScan Corporate Edition (OSCE) before 7.3 Patch 1 allows remote attackers to execute arbitrary code via format string identifiers in the "Management Console's Remote Client Install name search". | | 7.0 | CVE-2006-5157 BUGTRAQ OTHER-REF BID SECTRACK SECUNIA
| UBBCentral -- UBB.threads
| Multiple PHP remote file inclusion vulnerabilities in ubbt.inc.php in Groupee UBB.threads 6.5.1.1 allow remote attackers to execute arbitrary PHP code via a URL in the (1) GLOBALS[thispath] or (2) GLOBALS[configdir] parameter. | | 7.0 | CVE-2006-5136 BUGTRAQ BID XF
| VAMP Webmail -- VAMP Webmail
| PHP remote file inclusion vulnerability in wamp_dir/setup/yesno.phtml in VAMP Webmail 2.0beta1 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the no_url parameter. | | 7.0 | CVE-2006-5147 Milw0rm BID XF
| VideoDB -- VideoDB
| PHP remote file inclusion vulnerability in core/pdf.php in VideoDB 2.2.1 and earlier allows remote attackers to execute arbitrary PHP code via the config[pdf_module] parameter. | | 7.0 | CVE-2006-5155 OTHER-REF BID SECUNIA XF
| Yblog -- Yblog
| Multiple cross-site scripting (XSS) vulnerabilities in Yblog allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter in (a) funk.php, or the (2) action parameter in (b) tem.php and (c) uss.php. | | 7.0 | CVE-2006-5146 BUGTRAQ MLIST BID
| Yuuki Yoshizawa -- Exporia
| Directory traversal vulnerability in common.php in Yuuki Yoshizawa Exporia 0.3.0 allows remote attackers to include and execute local files via a .. (dot dot) in the lan parameter to includes.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | | 7.0 | CVE-2006-5113 BID FRSIRT OSVDB SECUNIA
|