| Primary Vendor -- Product | Description | CVSS Score | Source & Patch Info |
|---|---|---|---|
| 20/20 Applications -- DataShed | Multiple SQL injection vulnerabilities in 20/20 DataShed (aka Real Estate Listing System) allow remote attackers to execute arbitrary SQL commands via the (1) itemID parameter to (a) f-email.asp, or the (2) peopleID and (3) sort_order parameters to (b) listings.asp, different vectors than CVE-2006-5955. | 7.0 | CVE-2006-6067 BUGTRAQ OTHER-REF BID XF |
| Adobe -- Acrobat Reader | Adobe Reader (Adobe Acrobat Reader) 7.0 through 7.0.8 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long argument string to the LoadFile method in an AcroPDF ActiveX control. | 7.0 | CVE-2006-6027 OTHER-REF BID |
| Apple -- Mac OS X Server; Apple -- Mac OS X | com.apple.AppleDiskImageController in Apple Mac OS X 10.4.8, and possibly other versions, allows remote attackers to execute arbitrary code via a malformed DMG image that triggers memory corruption. | 10.0 | CVE-2006-6061 OTHER-REF BID FRSIRT SECTRACK SECUNIA XF CERT-VN |
| ASP-Nuke -- ASP-Nuke | SQL injection vulnerability in module/account/register/register.asp in ASP Nuke 0.80 and earlier allows remote attackers to execute arbitrary SQL commands via the StateCode parameter. | 7.0 | CVE-2006-6070 BUGTRAQ OTHER-REF SECTRACK XF |
| ASPIntranet -- ASPIntranet | SQL injection vulnerability in default.asp in ASPintranet, possibly 1.2, allows remote attackers to execute arbitrary SQL commands via the a parameter. | 7.0 | CVE-2006-5987 BUGTRAQ BID XF |
| BestWebApp -- BestWebApp Dating Site | SQL injection vulnerability in the login component in BestWebApp Dating Site allows remote attackers to execute arbitrary SQL commands via the (1) username and (2) passwd parameters. | 7.0 | CVE-2006-6021 BUGTRAQ BID |
| BestWebApp -- BestWebApp Dating Site | Cross-site scripting (XSS) vulnerability in login_form.asp in BestWebApp Dating Site allows remote attackers to inject arbitrary web script or HTML via the msg parameter. | 7.0 | CVE-2006-6022 BUGTRAQ BID |
| BiBa Software -- Selenium Server | SeleniumServer FTP Server 1.0, and possibly earlier, stores user passwords in plaintext in the Servers directory, which allows attackers to obtain passwords by reading the file. NOTE: the provenance of this information is unknown; details are obtained from third party sources. | 10.0 | CVE-2006-5982 FRSIRT SECUNIA OSVDB XF |
| Blog Torrent -- Blog Torrent preview | Cross-site scripting (XSS) vulnerability in announce.php in Blog Torrent Preview 0.92 allows remote attackers to inject arbitrary web script or HTML via the left parameter. | 7.0 | CVE-2006-6020 BUGTRAQ XF |
| Bloo -- Bloo | Cross-site scripting (XSS) vulnerability in extensions/googiespell/googlespell_proxy.php in Bill Roberts Bloo 1.0 allows remote attackers to inject arbitrary web script or HTML via the lang parameter. | 7.0 | CVE-2006-6019 BUGTRAQ OTHER-REF BID |
| Bloo -- Bloo | ** DISPUTED ** PHP remote file inclusion vulnerability in phoo.base.php in Bill Roberts Bloo 1.0 allows remote attackers to execute arbitrary PHP code via a URL in the descriptorFileList parameter. NOTE: this issue is disputed by CVE since $descriptorFileList is used in a function definition within phoo.base.php. | 7.0 | CVE-2006-6023 BUGTRAQ MLIST XF |
| CactuSoft -- CactuShop | Multiple SQL injection vulnerabilities in wwweb concepts CactuShop allow remote attackers to execute arbitrary SQL commands via the (1) prodtype parameter in prodtype.asp and the (2) product parameter in product.asp. | 7.0 | CVE-2006-5991 BUGTRAQ OTHER-REF FRSIRT SECUNIA |
| ClickTech -- Texas Rank'em | Multiple SQL injection vulnerabilities in ClickTech Texas Rank'em allow remote attackers to execute arbitrary SQL commands via the (1) selPlayer parameter to player.asp or the (2) tournament_id parameter to tournaments.asp. | 7.0 | CVE-2006-6050 BUGTRAQ OTHER-REF BID |
| D-Link -- DWL-G132 | Stack-based buffer overflow in A5AGU.SYS 1.0.1.41 for the D-Link DWL-G132 wireless adapter allows remote attackers to execute arbitrary code via a 802.11 beacon request with a long Rates information element (IE). | 10.0 | CVE-2006-6055 OTHER-REF SECTRACK |
| Dragon Internet -- Events Listing | Multiple SQL injection vulnerabilities in Dragon Calendar / Events Listing 2.x allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password parameter to (a) admin_login.asp, the (3) ID parameter to (b) event_searchdetail.asp, or the (4) VenueID parameter to (c) venue_detail.asp. | 7.0 | CVE-2006-6066 BUGTRAQ OTHER-REF BID FRSIRT SECUNIA XF |
| Drumster -- BlogMe | Multiple cross-site scripting (XSS) vulnerabilities in comments.asp in BlogMe 3.0 allow remote attackers to inject arbitrary web script or HTML via the (1) Name, (2) URL, or (3) Comments field. | 7.0 | CVE-2006-5975 BUGTRAQ OTHER-REF BID SECUNIA XF |
| Drumster -- BlogMe | Multiple SQL injection vulnerabilities in admin_login.asp in BlogMe 3.0 allow remote attackers to execute arbitrary SQL commands via the (1) Username or (2) Password field. NOTE: some of these details are obtained from third party information. | 7.0 | CVE-2006-5976 BUGTRAQ OTHER-REF BID SECUNIA XF |
| emreTURK -- OpenHuman | SQL injection vulnerability in OpenHuman before 1.0 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | 7.0 | CVE-2006-6036 OTHER-REF FRSIRT OSVDB XF |
| Epic Designs -- eggblog | Multiple cross-site scripting (XSS) vulnerabilities in eggblog 3.1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) edit parameter to (a) admin/articles.php or (b) admin/comments.php, or the (2) add parameter to admin/users.php. | 7.0 | CVE-2006-6046 BUGTRAQ BID SECTRACK XF |
| Expinion -- MultiCalendars | Multiple SQL injection vulnerabilities in MultiCalendars allow remote attackers to execute arbitrary SQL commands via the (1) M or (2) Y parameter to rss_out.asp, or the (3) cate parameter to all_calendars.asp. NOTE: the all_calendars.asp/calsids vector is already covered by CVE-2006-2293. | 7.0 | CVE-2006-5977 BUGTRAQ XF |
| Extreme CMS -- Extreme CMS | Multiple cross-site scripting (XSS) vulnerabilities in admin/options.php in Extreme CMS 0.9, and possibly earlier, allow remote attackers to inject arbitrary web script or HTML via the (1) bg1, (2) bg2, (3) text, or (4) size parameters. NOTE: the provenance of this information is unknown; details are obtained from third party sources. | 7.0 | CVE-2006-5985 FRSIRT SECUNIA |
| Extreme CMS -- Extreme CMS | admin/options.php in Extreme CMS 0.9, and possibly earlier, does not require authentication, which might allow remote attackers to conduct unauthorized activities. NOTE: this issue can be combined with another vulnerability to expand the scope of a cross-site scripting (XSS) attack without authentication. NOTE: the provenance of this information is unknown; details are obtained from third party sources. | 7.0 | CVE-2006-5986 FRSIRT SECUNIA |
| F-ART Agency -- BLOG:CMS | Cross-site scripting (XSS) vulnerability in list.php in BLOG:CMS 4.1.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the FADDR parameter. | 7.0 | CVE-2006-6035 BUGTRAQ BID FRSIRT SECUNIA |
| FutureTec -- E-Calendar Pro | Multiple SQL injection vulnerabilities in E-Calendar Pro 3.0 allow remote attackers to execute arbitrary SQL commands via the (1) username and (2) passwd (Password) fields in (a) admin/default.asp; or the (3) Event Title, (4) Location, or (5) Description field when making a search engine query in (b) search.asp. NOTE: some of these details are obtained from third party information. | 7.0 | CVE-2006-6030 BUGTRAQ SECUNIA |
| Fuzzball MUCK -- Fuzzball MUCK | Multiple buffer overflows in the Message Parsing Interpreter (MPI) in Fuzzball MUCK before 6.07 allow remote attackers to execute arbitrary code via crafted messages. | 7.0 | CVE-2006-6064 OTHER-REF FRSIRT SECUNIA BID XF |
| GCIS -- ASPCart | Multiple SQL injection vulnerabilities in Greater Cincinnati Internet Solutions (GCIS) ASPCart allow remote attackers to execute arbitrary SQL commands via (1) the prodid parameter in (a) prodetails.asp; (2) the page parameter in (b) display.asp; the (3) custid, (4) item, (5) price, (6) custom, (7) department, (8) start, (9) quantity, (10) submit, (11) custom1, (12) custom2, or (13) custom3 parameters in (c) addcart.asp; or the (14) customerid parameter in (d) payment.asp. | 7.0 | CVE-2006-6031 BUGTRAQ |
| Imagemagick -- Imagemagick | Multiple buffer overflows in Imagemagick 6.0 before 6.0.6.2, and 6.2 before 6.2.4.5, have unknown impact and user-assisted attack vectors via a crafted SGI image. | 7.0 | CVE-2006-5868 DEBIAN SECUNIA |
| JBMC Software -- DirectAdmin | Multiple cross-site scripting (XSS) vulnerabilities in JBMC Software DirectAdmin 1.28.1 allow remote authenticated users to inject arbitrary web script or HTML via the (1) user parameter to (a) CMD_SHOW_RESELLER or (b) CMD_SHOW_USER in the Admin level; the (2) TYPE parameter to (c) CMD_TICKET_CREATE or (d) CMD_TICKET, the (3) user parameter to (e) CMD_EMAIL_FORWARDER_MODIFY, (f) CMD_EMAIL_VACATION_MODIFY, or (g) CMD_FTP_SHOW, and the (4) name parameter to (h) CMD_EMAIL_LIST in the User level; or the (5) user parameter to (i) CMD_SHOW_USER in the Reseller level. | 7.0 | CVE-2006-5983 BUGTRAQ OTHER-REF BID XF |
| Jelsoft -- vBulletin | Multiple cross-site scripting (XSS) vulnerabilities in admincp/index.php in Jelsoft vBulletin 3.6.x allow remote attackers to inject arbitrary web script or HTML via (1) the prefs parameter in a buildnavprefs action or (2) the navprefs parameter in a savenavprefs action. | 7.0 | CVE-2006-6040 BUGTRAQ BID FRSIRT SECUNIA |
| Jim Plush -- My-BIC | ** DISPUTED ** PHP remote file inclusion vulnerability in mybic_server.php in Jim Plush My-BIC 0.6.5 allows remote attackers to execute arbitrary PHP code via a URL in the INC_PATH parameter, a different vector than CVE-2006-5089. NOTE: this issue is disputed by CVE and third party researchers because INC_PATH is a constant. | 7.0 | CVE-2006-6018 BUGTRAQ MLIST XF |
| Leinir -- Travelsized CMS | Multiple cross-site scripting (XSS) vulnerabilities in index.php in Dan Jensen Travelsized CMS 0.4.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) page, (2) page_id, or (3) language parameter. | 7.0 | CVE-2006-6037 BUGTRAQ OTHER-REF BID SECTRACK |
| MamboXChange -- MosReporter | PHP remote file inclusion vulnerability in reporter.logic.php in the MosReporter (com_reporter) component for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter. | 7.0 | CVE-2006-6051 BUGTRAQ OTHER-REF BID |
| My Firewall Plus -- My Firewall Plus | My Firewall Plus 5.0 Build 1119 does not verify if explorer.exe is running before launching iexplore.exe from the "Test Your Firewall" feature, which allows local users to gain SYSTEM privileges. | 7.0 | CVE-2006-3973 OTHER-REF FRSIRT SECUNIA |
| NetGear -- MA521 Wireless Driver | Buffer overflow in MA521nd5.SYS driver 5.148.724.2003 for NetGear MA521 PCMCIA adapter allows remote attackers to execute arbitrary code via (1) beacon or (2) probe 802.11 frame responses with a long supported rates information element. NOTE: this issue was reported as a "memory corruption" error, but the associated exploit code suggests that it is a buffer overflow. | 10.0 | CVE-2006-6059 OTHER-REF CERT-VN FRSIRT SECTRACK SECUNIA |
| Phil Taylor -- Shambo2 | PHP remote file inclusion vulnerability in shambo2.php in the Shambo2 (com_shambo2) component for Mambo 4.5 allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter. | 7.0 | CVE-2006-6049 BUGTRAQ BID FRSIRT SECUNIA XF |
| Powie -- pForum | SQL injection vulnerability in editpoll.php in Powie's PHP Forum (pForum) 1.29a and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter. | 7.0 | CVE-2006-6038 OTHER-REF BID XF FRSIRT SECUNIA |
| Powie -- PHP MatchMaker | SQL injection vulnerability in matchdetail.php in Powie's PHP MatchMaker 4.05 and earlier allows remote attackers to execute arbitrary SQL commands via the edit parameter. | 7.0 | CVE-2006-6039 OTHER-REF BID XF FRSIRT SECUNIA |
| Property Pro -- Property Pro | SQL injection vulnerability in vir_Login.asp in Property Pro 1.0 allows remote attackers to execute arbitrary SQL commands via the UserName field. | 7.0 | CVE-2006-6029 BUGTRAQ |
| Renasoft -- NetJetServer | adm_lgn_admin.asp in Renasoft NetJetServer 2.5.3.939, and possibly earlier, does not properly perform login authentication, which allows remote attackers to obtain administrative privileges. NOTE: the provenance of this information is unknown; details are obtained from third party sources. | 10.0 | CVE-2006-5980 FRSIRT SECUNIA |
| SitesOutlet -- E-commerce Kit-1 | Multiple SQL injection vulnerabilities in SitesOutlet E-commerce Kit-1 PayPal Edition allow remote attackers to execute arbitrary SQL commands via the (1) keyword or (2) cid parameter in (a) catalogue.asp, or the (3) pid parameter in (b) viewDetail.asp. | 7.0 | CVE-2006-6034 BUGTRAQ FRSIRT SECUNIA |
| Sky Software -- FileView ActiveX Control; WinZip -- WinZip | Stack-based buffer overflow in the Sky Software FileView ActiveX control, as used in WinZip 10 before build 7245 and in certain other applications, allows remote attackers to execute arbitrary code via a long FilePattern attribute in a WZFILEVIEW object, a different vulnerability than CVE-2006-5198. | 7.0 | CVE-2006-3890 BUGTRAQ Milw0rm MS CERT-VN BID SECUNIA |
| SPHPBlog -- SPHPBlog | Multiple cross-site scripting (XSS) vulnerabilities in Simple PHP Blog (SPHPBlog), probably 0.4.8, allow remote attackers to inject arbitrary web script or HTML via (1) the action parameter in add_block.php or (2) the entry parameter in index.php, different vectors than CVE-2005-1135. NOTE: this has been reported to affect 0.8, but as of 20061121, the most recent version is only 0.4.9. | 7.0 | CVE-2006-6032 BUGTRAQ XF |
| SPHPBlog -- SPHPBlog | Multiple directory traversal vulnerabilities in Simple PHP Blog (SPHPBlog), probably 0.4.8, allow remote attackers to read arbitrary files and possibly include arbitrary PHP code via a .. (dot dot) sequence in the blog_theme parameter in (1) index.php, (2) add_cgi.php, (3) add_link.php, (4) login.php, (5) template.php, or (6) contact.php. | 7.0 | CVE-2006-6033 BUGTRAQ |
| Un4seen -- XMPlay | Stack-based buffer overflow in Un4seen XMPlay 3.3.0.5 and earlier allows remote attackers to execute arbitrary code via a M3U file containing a long (1) FileName, and cause a crash via a long (2) DisplayName. | 7.0 | CVE-2006-6063 OTHER-REF FRSIRT SECUNIA |
| WebHost Automation -- Helm Web Hosting Control Panel | Multiple cross-site scripting (XSS) vulnerabilities in Helm Web Hosting Control Panel 3.2.10 allow remote authenticated users to inject arbitrary web script or HTML via the (1) txtCompanyName, (2) txtEmail, or (3) txtUserAccNum parameter to (a) users.asp, or the (4) setThemeColour parameter to (b) default.asp in the Reseller and Admin levels; or the (5) setThemeColour parameter to default.asp in the User level. NOTE: the txtDomainName parameter to domains.asp is covered by CVE-2006-1407, which suggests that this vector is fixed in 3.2.10 stable. | 7.0 | CVE-2006-5984 BUGTRAQ FRSIRT SECUNIA |
| WORK system e-commerce -- WORK system e-commerce | Multiple PHP remote file inclusion vulnerabilities in WORK system e-commerce 3.0.2 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the g_include parameter to (1) index.php, (2) module/forum/forum.php, (3) unspecified files under module/, and (4) unspecified files under administration/module/. | 7.0 | CVE-2006-6041 OTHER-REF FRSIRT SECTRACK SECUNIA |
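The Simple PHP Blog blog_theme traversal and the mosConfig_absolute_path / g_include file-inclusion rows share a root cause: a request parameter is joined straight into a filesystem path or include statement. The block below is an added illustration of that join and of a resolver that confines the name to the theme directory; it is not code from SPHPBlog, MosReporter, Shambo2 or WORK system. The theme directory, the theme names and the `config.php` file name are constructed for the example.

```python
# Added illustration (not code from any product listed above): confining a
# user-supplied theme name to its directory instead of joining it blindly.
import os
import tempfile

INSTALLED_THEMES = ("default", "dark")  # constructed sample theme names


def setup_demo_root() -> str:
    """Create a throwaway themes directory with one config file per theme."""
    root = tempfile.mkdtemp(prefix="themes_")
    for name in INSTALLED_THEMES:
        os.makedirs(os.path.join(root, name))
        with open(os.path.join(root, name, "config.php"), "w") as fh:
            fh.write("<?php // constructed placeholder theme config\n")
    return root


def resolve_theme_vulnerable(theme_root: str, blog_theme: str) -> str:
    """The pattern behind the blog_theme entries: the parameter is joined into
    the path with no check, so '..' segments (or an absolute path) walk out of
    the theme directory and a URL would reach a remote include."""
    return os.path.join(theme_root, blog_theme, "config.php")


def resolve_theme_safe(theme_root: str, blog_theme: str) -> str:
    """Resolve the candidate path, then verify it is still below the real theme
    root and names an existing theme. Raises ValueError otherwise."""
    if not blog_theme or "://" in blog_theme or "\x00" in blog_theme:
        raise ValueError("rejected theme name: %r" % blog_theme)
    root = os.path.realpath(theme_root)
    # os.path.join drops `root` when blog_theme is absolute, so never trust the
    # join: resolve the result and compare it against the root afterwards.
    candidate = os.path.realpath(os.path.join(root, blog_theme))
    try:
        inside = os.path.commonpath([root, candidate]) == root and candidate != root
    except ValueError:  # different drives on Windows: certainly not inside
        inside = False
    if not inside or not os.path.isdir(candidate):
        raise ValueError("theme path escapes theme root or does not exist: %r" % blog_theme)
    return os.path.join(candidate, "config.php")


def escapes_root(theme_root: str, path: str) -> bool:
    """True when `path`, once normalised, no longer lies below theme_root."""
    root = os.path.realpath(theme_root)
    resolved = os.path.realpath(path)
    try:
        return os.path.commonpath([root, resolved]) != root
    except ValueError:
        return True


if __name__ == "__main__":
    root = setup_demo_root()
    for name in ("default", "../../../../../../etc/passwd", "/etc/passwd"):
        print(name, "->", resolve_theme_vulnerable(root, name),
              "escapes" if escapes_root(root, resolve_theme_vulnerable(root, name)) else "ok")
```

The existence check at the end doubles as an allow-list: only directories that are actually installed under the theme root resolve, which is the simplest defence when the set of legal values is small and known. For include-path parameters such as mosConfig_absolute_path the right fix is stricter still: the value should not come from the request at all.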