| Primary Vendor -- Product | Description | CVSS Score | Source & Patch Info |
|---|---|---|---|
| AmpJuke -- AmpJuke | Cross-site scripting (XSS) vulnerability in index.php in AmpJuke 0.7.0 allows remote attackers to inject arbitrary web script or HTML via the limit parameter in a search action. | 4.3 | CVE-2008-0496 BUGTRAQ |
| Bubbling Library -- Bubbling Library | Multiple directory traversal vulnerabilities in Bubbling Library 1.32 allow remote attackers to read arbitrary files via a .. (dot dot) in the uri parameter to dispatcher.php in (1) examples/dispatcher/framework/, (2) examples/dispatcher/, (3) examples/wizard/, and (4) PHP/, different vectors than CVE-2008-????. | 5.0 | CVE-2008-0521 MILW0RM BID XF |
| Clansphere -- Clansphere | Directory traversal vulnerability in install.php in Clansphere 2007.4.4 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the lang parameter. | 5.0 | CVE-2008-0489 BUGTRAQ BID XF |
| Coppermine -- Coppermine Photo Gallery | Multiple SQL injection vulnerabilities in Coppermine Photo Gallery (CPG) before 1.4.15 allow remote attackers to execute arbitrary SQL commands via unspecified parameters to (1) util.php and (2) reviewcom.php. NOTE: some of these details are obtained from third party information. | 6.8 | CVE-2008-0504 OTHER-REF BID SECUNIA |
| Coppermine -- Coppermine Photo Gallery | Multiple cross-site scripting (XSS) vulnerabilities in docs/showdoc.php in Coppermine Photo Gallery (CPG) before 1.4.15 allow remote attackers to inject arbitrary web script or HTML via the (1) h and (2) t parameters. NOTE: some of these details are obtained from third party information. | 6.0 | CVE-2008-0505 OTHER-REF BID SECUNIA |
| Dean -- Permalinks Migration Plugin | Cross-site request forgery (CSRF) vulnerability in deans_permalinks_migration.php in the Dean's Permalinks Migration 1.0 plugin for WordPress allows remote attackers to modify the oldstructure (aka dean_pm_config[oldstructure]) configuration setting as administrators via the old_struct parameter in a deans_permalinks_migration.php action to wp-admin/options-general.php, as demonstrated by placing an XSS sequence in this setting. | 6.8 | CVE-2008-0508 BUGTRAQ OTHER-REF OTHER-REF OTHER-REF FRSIRT SECUNIA |
| Drake Team -- Drake CMS | Cross-site scripting (XSS) vulnerability in index.php in Drake CMS 0.4.9 allows remote attackers to inject arbitrary web script or HTML via the option parameter. | 4.3 | CVE-2007-6695 OTHER-REF BID |
| Endian -- Firewall | Cross-site scripting (XSS) vulnerability in vpnum/userslist.php in Endian Firewall 2.1.2 allows remote attackers to inject arbitrary web script or HTML via the psearch parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | 4.3 | CVE-2008-0494 OTHER-REF BID |
| eTicket -- eTicket | Cross-site scripting (XSS) vulnerability in index.php in eTicket 1.5.6-RC4 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO. | 4.3 | CVE-2008-0552 BUGTRAQ OTHER-REF BID |
| F5 -- BIG-IP | Cross-site scripting (XSS) vulnerability in dms/policy/rep_request.php in F5 BIG-IP Application Security Manager (ASM) 9.4.3 allows remote attackers to inject arbitrary web script or HTML via the report_type parameter. | 4.3 | CVE-2008-0539 BUGTRAQ BID |
| Francisco Burzi -- PHP-Nuke | SQL injection vulnerability in index.php in the Search module in PHP-Nuke 8.0 FINAL and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the sid parameter in a comments action to modules.php. NOTE: some of these details are obtained from third party information. | 6.8 | CVE-2008-0461 MILW0RM BID FRSIRT SECUNIA XF |
| GE Fanuc -- Proficy Real-Time Information Portal | GE Fanuc Proficy Real-Time Information Portal 2.6 and earlier uses HTTP Basic Authentication, which transmits usernames and passwords in base64-encoded cleartext and allows remote attackers to steal the passwords and gain privileges. | 5.0 | CVE-2008-0174 BUGTRAQ OTHER-REF CERT-VN SECTRACK |
| Gerd Tentler -- Simple Forum | Multiple cross-site scripting (XSS) vulnerabilities in forum.php in Gerd Tentler Simple Forum 3.2 allow remote attackers to inject arbitrary web script or HTML via the (1) open and (2) date_show parameters. | 4.3 | CVE-2008-0541 MILW0RM BID |
| Gerd Tentler -- Simple Forum | Directory traversal vulnerability in thumbnail.php in Gerd Tentler Simple Forum 3.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter. | 5.0 | CVE-2008-0542 MILW0RM BID |
| Hal Networks -- Perl _CGI_cart; Hal Networks -- PHP_cart; Hal Networks -- Shop_hal_v1 | Cross-site scripting (XSS) vulnerability in multiple Hal Networks shopping-cart products allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 | CVE-2008-0522 OTHER-REF OTHER-REF OTHER-REF OTHER-REF OTHER-REF SECUNIA |
| HFS -- HTTP File Server | HTTP File Server (HFS) before 2.2c, when account names are used as log filenames, allows remote attackers to cause a denial of service (daemon crash) via a long account name. | 5.0 | CVE-2008-0406 BUGTRAQ OTHER-REF OTHER-REF SECUNIA XF |
| HFS -- HTTP File Server | HTTP File Server (HFS) before 2.2c tags HTTP request log entries with the username sent during HTTP Basic Authentication, regardless of whether authentication succeeded, which might make it more difficult for an administrator to determine who made a remote request. | 5.0 | CVE-2008-0407 BUGTRAQ OTHER-REF OTHER-REF SECUNIA XF |
| HFS -- HTTP File Server | HTTP File Server (HFS) before 2.2c allows remote attackers to append arbitrary text to the log file by using the base64 representation of this text during HTTP Basic Authentication. | 6.4 | CVE-2008-0408 BUGTRAQ OTHER-REF OTHER-REF SECUNIA XF |
| HFS -- HTTP File Server | Cross-site scripting (XSS) vulnerability in HTTP File Server (HFS) before 2.2c allows remote attackers to inject arbitrary web script or HTML via the userinfo subcomponent of a URL. | 4.3 | CVE-2008-0409 BUGTRAQ OTHER-REF OTHER-REF SECUNIA XF |
| HFS -- HTTP File Server | HTTP File Server (HFS) before 2.2c allows remote attackers to obtain configuration and usage details by using an id element such as %version% in HTTP Basic Authentication instead of a username and password, as demonstrated by placing this id element in the userinfo subcomponent of a URL. | 5.0 | CVE-2008-0410 BUGTRAQ OTHER-REF OTHER-REF SECUNIA XF |
| IBM -- AIX | Multiple buffer overflows in IBM AIX 4.3 allow remote attackers to cause a denial of service (crash) or possibly gain privileges via a long argument to (1) piox25, related to piox25.c; or (2) piox25remote, related to piox25remote.sh. | 5.5 | CVE-2008-0509 AIXAPAR BID FRSIRT SECUNIA |
| Joomla -- com_mamml Component | SQL injection vulnerability in index.php in the MaMML (com_mamml) component for Mambo and Joomla! allows remote attackers to execute arbitrary SQL commands via the listid parameter. | 6.8 | CVE-2008-0511 MILW0RM BID |
| Joomla -- com_fq Component | SQL injection vulnerability in index.php in the fq (com_fq) component for Mambo and Joomla! allows remote attackers to execute arbitrary SQL commands via the listid parameter. | 6.8 | CVE-2008-0512 MILW0RM BID |
| Linux -- Linux | cp, when running with an option to preserve symlinks on multiple OSes, allows local, user-assisted attackers to overwrite arbitrary files via a symlink attack using crafted directories containing multiple source files that are copied to the same destination. | 6.9 | CVE-2007-4998 OTHER-REF OTHER-REF |
| LiquidSilverCMS -- LiquidSilverCMS | Directory traversal vulnerability in update/index.php in Liquid-Silver CMS 0.35, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the update parameter. | 6.8 | CVE-2008-0459 MILW0RM BID SECUNIA FRSIRT XF |
| Lumension Security -- PatchLink Update | PatchLink Update client for Unix allows local users to (1) truncate arbitrary files via a symlink attack on the /tmp/patchlink.tmp file used by the logtrimmer script, and (2) execute arbitrary code via a symlink attack on the /tmp/plshutdown file used by the rebootTask script. | 4.6 | CVE-2008-0525 BUGTRAQ SECTRACK SECUNIA XF XF |
| Mambo -- Mambo Open Source 4.5 | SQL injection vulnerability in index.php in the Newsletter (com_newsletter) component for Mambo 4.5 and Joomla! allows remote attackers to execute arbitrary SQL commands via the listid parameter. | 6.8 | CVE-2008-0510 MILW0RM BID |
| ManageEngine -- Applications Manager | Multiple cross-site scripting (XSS) vulnerabilities in ManageEngine Applications Manager 8.1 build 8100 allow remote attackers to inject arbitrary web script or HTML via the (1) showlink parameter to jsp/DiscoveryProfiles.jsp; the (2) attributeIDs, (3) attributeToSelect, (4) redirectto, and (5) resourceid parameters to (a) jsp/ThresholdActionConfiguration.jsp; the (6) page and (7) redirect parameters to (b) jsp/UpdateGlobalSettings.jsp; and the (8) haid and (9) returnpath parameters to (c) showTile.do. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | 4.3 | CVE-2008-0474 BID SECUNIA XF |
| ManageEngine -- Applications Manager | ManageEngine Applications Manager 8.1 build 8100 allows remote attackers to obtain sensitive information (Home->Summary) via an invalid URI, as demonstrated by the "/-" URI. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | 5.0 | CVE-2008-0475 BID SECUNIA XF |
| ManageEngine -- Applications Manager | ManageEngine Applications Manager 8.1 build 8100 does not check authentication for monitorType.do and unspecified other pages, which allows remote attackers to obtain sensitive information and change settings via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | 6.4 | CVE-2008-0476 BID SECUNIA XF |
| Microsoft -- ie; MediaWiki -- MediaWiki BotQuery Ext; MediaWiki -- MediaWiki | Cross-site scripting (XSS) vulnerability in api.php in (1) MediaWiki 1.11 through 1.11.0rc1, 1.10 through 1.10.2, 1.9 through 1.9.4, and 1.8; and (2) the BotQuery extension for MediaWiki 1.7 and earlier; when Internet Explorer is used, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 | CVE-2008-0460 MLIST SECUNIA FRSIRT XF |
| Netwerk -- Smart Publisher | Eval injection vulnerability in admin/op/disp.php in Netwerk Smart Publisher 1.0.1 allows remote attackers to execute arbitrary PHP code via the filedata parameter. | 6.8 | CVE-2008-0503 MILW0RM BID SECUNIA |
| Nucleus CMS -- Nucleus CMS | Cross-site scripting (XSS) vulnerability in action.php in Nucleus CMS 3.31 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO, which is not quoted when processing PHP_SELF. | 4.3 | CVE-2008-0497 BUGTRAQ BUGTRAQ OTHER-REF |
| Persits Software -- XUpload | Stack-based buffer overflow in the Persits.XUpload.2 ActiveX control in XUpload.ocx 3.0.0.4 and earlier in Persits XUpload 3.0 allows remote attackers to execute arbitrary code via a long argument to the AddFile method. NOTE: some of these details are obtained from third party information. | 6.8 | CVE-2008-0492 MILW0RM BID FRSIRT SECUNIA XF |
| phpBB -- phpBB | Cross-site request forgery (CSRF) vulnerability in privmsg.php in phpBB 2.0.22 allows remote attackers to delete private messages (PM) as arbitrary users via a deleteall action. | 4.3 | CVE-2008-0471 BUGTRAQ SECUNIA |
| phpIP -- phpIP Management | Multiple SQL injection vulnerabilities in phpIP Management 4.3.2 allow remote attackers to execute arbitrary SQL commands via the (1) password parameter to login.php, the (2) id parameter to display.php, and unspecified other vectors. NOTE: some of these details are obtained from third party information. | 6.8 | CVE-2008-0538 FULLDISC MILW0RM SECUNIA |
| Radio Toolbox -- Steamcast | Steamcast 0.9.75 and earlier allows remote attackers to cause a denial of service (daemon crash) via a large integer in the Content-Length HTTP header, which triggers a NULL dereference when malloc fails. | 5.0 | CVE-2008-0548 OTHER-REF XF |
| Radio Toolbox -- Steamcast | Integer overflow in the OggHeaderParse function in Steamcast 0.9.75 and earlier allows remote authenticated users to cause a denial of service (daemon crash) via a long Ogg tag. | 5.0 | CVE-2008-0549 OTHER-REF OTHER-REF XF |
| SeagullProject.org -- Seagull | Directory traversal vulnerability in optimizer.php in Seagull 0.6.3 allows remote attackers to read arbitrary files via a .. (dot dot) in the files parameter. | 5.0 | CVE-2008-0465 MILW0RM BID OTHER-REF FRSIRT SECUNIA XF |
| SetCMS -- SetCMS | Directory traversal vulnerability in index.php in SetCMS 3.6.5 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the set parameter, as demonstrated by sending a certain CLIENT_IP HTTP header in an enter action to index.php, and injecting PHP sequences into files/enter.set, which is then included by index.php. | 5.8 | CVE-2008-0478 MILW0RM BID XF |
| ShoppingTree -- CandyPress Store | Cross-site scripting (XSS) vulnerability in admin/utilities_ConfigHelp.asp in CandyPress (CP) 4.1.1.26, and probably earlier 4.x and 3.x versions, allows remote attackers to inject arbitrary web script or HTML via the helpfield parameter. | 4.3 | CVE-2008-0547 BUGTRAQ MILW0RM OTHER-REF BID SECUNIA XF |
| SoftCart -- SoftCart | Multiple cross-site scripting (XSS) vulnerabilities in SoftCart.exe in SoftCart 5.1.2.2 allow remote attackers to inject arbitrary web script or HTML via the (1) License_Plate, (2) License_State, (3) Ticket_Date, and (4) Ticket_Number parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | 4.3 | CVE-2008-0523 SECUNIA |
| SourceForge -- phpMyClub | Directory traversal vulnerability in phpMyClub 0.0.1 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the page_courante parameter to the top-level URI. | 5.8 | CVE-2008-0501 MILW0RM BID XF |
| trixbox -- trixbox | Multiple cross-site scripting (XSS) vulnerabilities in trixbox 2.4.2.0 allow remote attackers to inject arbitrary web script or HTML via the query string to index.php in (1) user/ or (2) maint/. | 4.3 | CVE-2008-0540 OTHER-REF BID |
| Web Wiz -- Text Editor; Web Wiz -- Forums; Web Wiz -- NewsPad | Web Wiz RTE_file_browser.asp, as used in Web Wiz Rich Text Editor 4.0, Web Wiz Forums 9.07, and Web Wiz Newspad 1.02, does not require authentication, which allows remote attackers to list directories and read files. NOTE: this can be leveraged for listings outside the configured directory tree by exploiting a separate directory traversal vulnerability. | 5.0 | CVE-2008-0466 BUGTRAQ MILW0RM OTHER-REF OTHER-REF SECTRACK BUGTRAQ MILW0RM OTHER-REF |
| Web Wiz -- Rich Text Editor | RTE_popup_save_file.asp in Web Wiz Rich Text Editor 4.0 allows remote attackers to upload (1) .html and (2) .htm files via unspecified vectors. | 6.4 | CVE-2008-0473 BUGTRAQ MILW0RM OTHER-REF BID SECTRACK |
| Web Wiz -- NewsPad | Directory traversal vulnerability in RTE_file_browser.asp in Web Wiz NewsPad 1.02 allows remote attackers to list arbitrary directories, and .txt and .zip files, via a .....\\\ in the sub parameter. | 5.0 | CVE-2008-0479 BUGTRAQ MILW0RM OTHER-REF OTHER-REF SECTRACK SECUNIA XF |
| Web Wiz -- Web Wiz Forums | Multiple directory traversal vulnerabilities in Web Wiz Forums 9.07 and earlier allow remote attackers to list arbitrary directories, and .txt and .zip files, via a .....\\\ in the sub parameter to (1) RTE_file_browser.asp or (2) file_browser.asp. | 5.0 | CVE-2008-0480 BUGTRAQ MILW0RM OTHER-REF OTHER-REF SECTRACK SECUNIA XF |
| Web Wiz -- Rich Text Editor | Directory traversal vulnerability in RTE_file_browser.asp in Web Wiz Rich Text Editor 4.0 allows remote attackers to list arbitrary directories, and .txt and .zip files, via a .....\\\ in the sub parameter in a save action. | 5.0 | CVE-2008-0481 BUGTRAQ MILW0RM OTHER-REF OTHER-REF SECTRACK SECUNIA XF |
| WoltLab -- Burning Board | Cross-site request forgery (CSRF) vulnerability in modcp.php in Woltlab Burning Board (wBB) 2.3.6 PL2 allows remote attackers to delete threads as moderators or administrators via a thread_del action. | 4.3 | CVE-2008-0472 BUGTRAQ SECUNIA XF |
| WordPress -- WassUp Plugin | Multiple SQL injection vulnerabilities in main.php in the WassUp plugin 1.4 through 1.4.3 for WordPress allow remote attackers to execute arbitrary SQL commands via the (1) from_date or (2) to_date parameter to spy.php. | 6.5 | CVE-2008-0520 MILW0RM |