CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In March 2007

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
101 CVE-2007-1638 CSRF 2007-03-23 2018-10-16
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in the check_csrftoken function in lib/lib.inc.php in PHProjekt 5.2.0, when magic_quotes_gpc is disabled, allow remote attackers to perform unauthorized actions as an arbitrary user via the (1) Projects, (2) Contacts, (3) Helpdesk, (4) Notes, (5) Search, (6) Mail, or (7) Filemanager module; the (9) summary page; or unspecified other files.
102 CVE-2007-1637 Exec Code Overflow 2007-03-23 2011-03-08
9.3
None Remote Medium Not required Complete Complete Complete
Multiple buffer overflows in the IMAILAPILib ActiveX control (IMailAPI.dll) in Ipswitch IMail Server before 2006.2 allow remote attackers to execute arbitrary code via the (1) WebConnect and (2) Connect members in the (a) IMailServer control; (3) Sync3 and (4) Init3 members in the (b) IMailLDAPService control; and the (5) SetReplyTo member in the (c) IMailUserCollection control.
103 CVE-2007-1636 Dir. Trav. 2007-03-23 2017-10-11
7.5
None Remote Low Not required Partial Partial Partial
Directory traversal vulnerability in index.php in RoseOnlineCMS 3 B1 allows remote attackers to include arbitrary files via a .. (dot dot) sequence in the op parameter, as demonstrated by injecting PHP code into Apache log files via the URL and User-Agent HTTP header.
104 CVE-2007-1635 2007-03-23 2018-10-16
9.0
None Remote Low ??? Complete Complete Complete
Static code injection vulnerability in admin/settings.php in Net Portal Dynamic System (NPDS) 5.10 and earlier allows remote authenticated users to inject arbitrary PHP code via the xtop parameter in a "ConfigSave" op to admin.php, which can later be accessed via a "Configure" op to admin.php.
105 CVE-2007-1634 Sql 2007-03-23 2018-10-16
7.5
None Remote Low Not required Partial Partial Partial
Variable extraction vulnerability in grab_globals.php in Net Portal Dynamic System (NPDS) 5.10 and earlier allows remote attackers to conduct SQL injection attacks via the _FILES[DB][tmp_name] parameter to print.php, which overwrites the $DB variable with dynamic variable evaluation.
106 CVE-2007-1633 Exec Code Dir. Trav. 2007-03-23 2017-10-11
7.5
None Remote Low Not required Partial Partial Partial
Directory traversal vulnerability in bbcode_ref.php in the Giorgio Ciranni Splatt Forum 4.0 RC1 module for PHP-Nuke allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the name parameter, as demonstrated by injecting PHP sequences into an Apache HTTP Server log file, which is then included by bbcode_ref.php.
107 CVE-2007-1632 2007-03-23 2011-03-08
7.5
None Remote Low Not required Partial Partial Partial
Unspecified vulnerability in TYPOlight webCMS before 2.2 Build 5 has unknown impact and attack vectors related to a "major security hole."
108 CVE-2007-1631 Exec Code File Inclusion 2007-03-23 2018-10-16
10.0
None Remote Low Not required Complete Complete Complete
** DISPUTED ** PHP remote file inclusion vulnerability in signup.php in CLBOX 1.01 allows remote attackers to execute arbitrary PHP code via a URL in the header parameter. NOTE: this issue has been disputed by a reliable third party, stating that header is defined through an include file before use.
109 CVE-2007-1630 Exec Code Sql 2007-03-23 2017-10-11
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in default.asp in ActiveWebSoftwares Active Link Engine allows remote attackers to execute arbitrary SQL commands via the catid parameter.
110 CVE-2007-1629 Exec Code Sql 2007-03-23 2017-10-11
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in default.asp in ActiveWebSoftwares Active Photo Gallery allows remote attackers to execute arbitrary SQL commands via the catid parameter.
111 CVE-2007-1628 Exec Code File Inclusion 2007-03-23 2018-10-16
9.3
None Remote Medium Not required Complete Complete Complete
Multiple PHP remote file inclusion vulnerabilities in Study planner (Studiewijzer) 0.15 and earlier, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the SPL_CFG[dirroot] parameter to (1) service.alert.inc.php or (2) settings.ses.php in inc/; (3) db/mysql/db.inc.php; (4) integration/shortstat/configuration.php; (5) ali.class.php or (6) cat.class.php in methodology/traditional/class/; (7) cat_browse.inc.php, (8) chr_browse.inc.php, (9) chr_display.inc.php, or (10) dash_browse.inc.php in methodology/traditional/ui/inc/; (11) spl.webservice.php or (12) konfabulator/gateway_admin.php in ws/; or other unspecified files.
112 CVE-2007-1626 Exec Code File Inclusion 2007-03-23 2017-10-11
9.3
None Remote Medium Not required Complete Complete Complete
PHP remote file inclusion vulnerability in iframe.php in the iFrame Module for PHP-NUKE allows remote attackers to execute arbitrary PHP code via a URL in the file parameter.
113 CVE-2007-1625 XSS 2007-03-23 2011-03-08
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in save_entry.php in realGuestbook 5.01 allows remote attackers to inject arbitrary web script or HTML via the homepage parameter, as reachable through add_entry.php. NOTE: the original report stated that the vulnerability was in add_entry.php, which does not receive the input data.
114 CVE-2007-1624 Exec Code Sql 2007-03-23 2011-03-08
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in realGuestbook 5.01 allow remote attackers to execute arbitrary SQL commands via the (1) name, (2) email, (3) homepage, and (4) text parameters to save_entry.php, as reachable through add_entry.php; and possibly other unspecified parameters and files. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
115 CVE-2007-1623 XSS 2007-03-23 2008-09-05
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in realGuestbook 5.01, when register_globals is enabled, allow remote attackers to inject arbitrary web script or HTML via the (1) bg_color_1, (2) fs_menu, (3) fc_menu, (4) ff_menu, (5) bg_color_2, (6) fs_normal, (7) fc_normal, and (8) ff_normal parameters to welcome_admin.php; and possibly unspecified other parameters and files. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
116 CVE-2007-1622 XSS 2007-03-23 2011-03-08
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in wp-admin/vars.php in WordPress before 2.0.10 RC2, and before 2.1.3 RC2 in the 2.1 series, allows remote authenticated users with theme privileges to inject arbitrary web script or HTML via the PATH_INFO in the administration interface, related to loose regular expression processing of PHP_SELF.
117 CVE-2007-1621 Exec Code File Inclusion 2007-03-23 2017-10-11
10.0
None Remote Low Not required Complete Complete Complete
PHP remote file inclusion vulnerability in templates/head.php in Active PHP Bookmark Notes (APB) 0.2.5 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the APB_SETTINGS[template_path] parameter. NOTE: this issue might be related to CVE-2003-1254.
118 CVE-2007-1620 Exec Code File Inclusion 2007-03-23 2017-10-11
10.0
None Remote Low Not required Complete Complete Complete
Multiple PHP remote file inclusion vulnerabilities in PHP DB Designer 1.02 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the (1) _SESSION[SITE_PATH] parameter to (a) wind/help.php or (b) wind/about.php, or the (2) _SESSION[DRIVER] parameter to (c) db/session.php.
119 CVE-2007-1619 Exec Code Sql 2007-03-23 2017-10-11
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in viewcomments.php in ScriptMagix Photo Rating 2.0 and earlier allows remote attackers to execute arbitrary SQL commands via the phid parameter.
120 CVE-2007-1618 Exec Code Sql 2007-03-23 2017-10-11
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in index.php in ScriptMagix FAQ Builder 2.0 and earlier allows remote attackers to execute arbitrary SQL commands via the catid parameter.
121 CVE-2007-1617 Exec Code Sql 2007-03-23 2017-10-19
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in index.php in ScriptMagix Recipes 2.0 and earlier allows remote attackers to execute arbitrary SQL commands via the catid parameter.
122 CVE-2007-1616 Exec Code Sql 2007-03-23 2017-10-19
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in index.php in ScriptMagix Lyrics 2.0 and earlier allows remote attackers to execute arbitrary SQL commands via the recid parameter.
123 CVE-2007-1615 Exec Code Sql 2007-03-23 2017-10-19
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in index.php in ScriptMagix Jokes 2.0 and earlier allows remote attackers to execute arbitrary SQL commands via the catid parameter.
124 CVE-2007-1614 DoS Exec Code Overflow 2007-03-23 2011-03-08
9.3
None Remote Medium Not required Complete Complete Complete
Stack-based buffer overflow in the zzip_open_shared_io function in zzip/file.c in ZZIPlib Library before 0.13.49 allows user-assisted remote attackers to cause a denial of service (application crash) or execute arbitrary code via a long filename.
125 CVE-2007-1613 Dir. Trav. 2007-03-23 2017-10-19
7.5
None Remote Low Not required Partial Partial Partial
Directory traversal vulnerability in view.php in MPM Chat 2.5 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the logi parameter.
126 CVE-2007-1612 Exec Code Sql 2007-03-23 2017-10-19
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in index.php in Katalog Plyt Audio 1.0 and earlier allows remote attackers to execute arbitrary SQL commands via the kolumna parameter.
127 CVE-2007-1611 XSS 2007-03-22 2017-07-29
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the RSS reader in a certain SOURCENEXT product, probably IKANARI JIJYOU 1.0.0 and 1.0.1, allows remote attackers to inject arbitrary web script or HTML via the title of an article in a feed.
128 CVE-2007-1610 XSS 2007-03-22 2017-07-29
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the RSS reader in Glue Software NewsGlue before 1.3.4 allows remote attackers to inject arbitrary web script or HTML via a feed.
129 CVE-2007-1609 XSS 2007-03-22 2018-10-16
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in servlet/Spy in Dynamic Monitoring Services (DMS) in Oracle Application Server (OAS) 10g 10.1.2.0.0 allows remote attackers to inject arbitrary web script or HTML via the table parameter. NOTE: This may be related to CVE-2002-0563.
130 CVE-2007-1608 Http R.Spl. 2007-03-22 2017-07-29
7.5
None Remote Low Not required Partial Partial Partial
CRLF injection vulnerability in IBM WebSphere Application Server (WAS) before 6.0.2.19 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a single CRLF sequence in a context that is not a valid multi-line header.
131 CVE-2007-1607 +Info 2007-03-22 2018-10-16
5.0
None Remote Low Not required Partial None None
search.php in w-Agora (Web-Agora) allows remote attackers to obtain potentially sensitive information via a ' (quote) value followed by certain SQL sequences in the (1) search_forum or (2) search_user parameter, which force a SQL error.
132 CVE-2007-1606 XSS 2007-03-22 2018-10-16
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in w-Agora (Web-Agora) allow remote attackers to inject arbitrary web script or HTML via (1) the showuser parameter to profile.php, the (2) search_forum or (3) search_user parameter to search.php, or (4) the userid parameter to change_password.php.
133 CVE-2007-1605 +Info 2007-03-22 2018-10-16
5.0
None Remote Low Not required Partial None None
w-Agora (Web-Agora) allows remote attackers to obtain sensitive information via a request to rss.php with an invalid (1) site or (2) bn parameter, (3) a certain value of the site[] parameter, or (4) an empty value of the bn[] parameter; a request to index.php with a certain value of the (5) site[] or (6) sort[] parameter; (7) a request to profile.php with an empty value of the site[] parameter; or a request to search.php with (8) an empty value of the bn[] parameter or a certain value of the (9) pattern[] or (10) search_date[] parameter, which reveal the path in various error messages, probably related to variable type inconsistencies. NOTE: the bn[] parameter to index.php is already covered by CVE-2007-0606.1.
134 CVE-2007-1604 Exec Code 2007-03-22 2018-10-16
7.5
None Remote Low Not required Partial Partial Partial
Multiple unrestricted file upload vulnerabilities in w-Agora (Web-Agora) allow remote attackers to upload and execute arbitrary PHP code (1) via a forum message with an attached file, which is stored under forums/hello/hello/notes/ or (2) by using browse_avatar.php to upload a file with a double extension, as demonstrated by .php.jpg.
135 CVE-2007-1603 Bypass 2007-03-22 2018-10-16
7.5
None Remote Low Not required Partial Partial Partial
admin/contest.php in Weekly Drawing Contest 0.0.1 allows remote attackers to bypass authentication, and insert new contest information into a database, via a direct POST request.
136 CVE-2007-1602 Exec Code Sql 2007-03-22 2018-10-16
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in check_vote.php in Weekly Drawing Contest 0.0.1 allows remote attackers to execute arbitrary SQL commands via the order parameter.
137 CVE-2007-1601 Dir. Trav. 2007-03-22 2018-10-16
5.0
None Remote Low Not required Partial None None
** DISPUTED ** Directory traversal vulnerability in check_vote.php in Weekly Drawing Contest 0.0.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the order parameter. NOTE: another researcher disputes this vulnerability, noting that the order variable is not used in any context that allows opening files.
138 CVE-2007-1600 Exec Code File Inclusion 2007-03-22 2017-10-11
9.3
None Remote Medium Not required Complete Complete Complete
PHP remote file inclusion vulnerability in module.php in Digital Eye Gallery 1.1 Beta (aka 0.1.1b) allows remote attackers to execute arbitrary PHP code via a URL in the menu parameter.
139 CVE-2007-1599 +Info 2007-03-22 2018-10-16
6.5
None Remote Low ??? Partial Partial Partial
wp-login.php in WordPress allows remote attackers to redirect authenticated users to other websites and potentially obtain sensitive information via the redirect_to parameter.
140 CVE-2007-1598 Exec Code Overflow 2007-03-22 2017-07-29
6.8
None Remote Medium Not required Partial Partial Partial
Stack-based buffer overflow in InterVations FileCOPA FTP Server 1.01 allows remote attackers to execute arbitrary code via unspecified vectors, as demonstrated by filecopa.tar by Immunity. NOTE: some of these details are obtained from third party information. NOTE: As of 20070322, this disclosure has no actionable information. However, since it is from a reliable researcher, it is being assigned a CVE identifier for tracking purposes.
141 CVE-2007-1597 +Info 2007-03-22 2018-10-16
5.0
None Remote Low Not required Partial None None
Unclassified NewsBoard 1.6.3 stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain (1) the board log via a direct request for logs/board-YYYY-MM-DD.log, (2) the mail and private message (PM) log via a direct request for logs/email-YY-MM-DD-HH-MM-SS.log, (3) the SQL error message log via a direct request for logs/error-YY-MM.log, and (4) the IP log via a direct request for logs/ip.log.
142 CVE-2007-1596 Exec Code File Inclusion 2007-03-22 2017-10-11
9.3
None Remote Medium Not required Complete Complete Complete
Multiple PHP remote file inclusion vulnerabilities in the NFN Address Book (com_nfn_addressbook) 0.4 component for Mambo and Joomla! allow remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter to (1) components/com_nfn_addressbook/nfnaddressbook.php or (2) administrator/components/com_nfn_addressbook/nfnaddressbook.php.
143 CVE-2007-1595 2007-03-22 2011-03-08
7.5
None Remote Low Not required Partial Partial Partial
The Asterisk Extension Language (AEL) in pbx/pbx_ael.c in Asterisk does not properly generate extensions, which allows remote attackers to execute arbitrary extensions and have an unknown impact by specifying an invalid extension in a certain form.
144 CVE-2007-1594 DoS 2007-03-22 2018-10-16
7.8
None Remote Low Not required None None Complete
The handle_response function in chan_sip.c in Asterisk before 1.2.17 and 1.4.x before 1.4.2 allows remote attackers to cause a denial of service (crash) via a SIP Response code 0 in a SIP packet.
145 CVE-2007-1592 119 DoS Overflow 2007-03-22 2017-10-11
4.9
None Local Low Not required None None Complete
net/ipv6/tcp_ipv6.c in Linux kernel 2.6.x up to 2.6.21-rc3 inadvertently copies the ipv6_fl_socklist from a listening TCP socket to child sockets, which allows local users to cause a denial of service (OOPS) or double free by opening a listening IPv6 socket, attaching a flow label, and connecting to that socket.
146 CVE-2007-1591 DoS 2007-03-22 2018-10-16
7.8
None Remote Low Not required None None Complete
VsapiNT.sys in the Scan Engine 8.0 for Trend Micro AntiVirus 14.10.1041, and other products, allows remote attackers to cause a denial of service (kernel fault and system crash) via a crafted UPX file with a certain field that triggers a divide-by-zero error.
147 CVE-2007-1590 DoS 2007-03-21 2017-07-29
7.8
None Remote Low Not required None None Complete
The Grandstream BudgeTone 200 IP phone, with program 1.1.1.14 and bootloader 1.1.1.5, allows remote attackers to cause a denial of service (device crash) via SIP (1) INVITE, (2) CANCEL, or unspecified other messages with a WWW-Authenticate header containing a crafted Digest domain.
148 CVE-2007-1589 DoS 2007-03-21 2011-03-08
2.1
None Local Low Not required None None Partial
TrueCrypt before 4.3, when set-euid mode is used on Linux, allows local users to cause a denial of service (filesystem unavailability) by dismounting a volume mounted by a different user.
149 CVE-2007-1588 2007-03-21 2008-11-15
7.5
None Remote Low Not required Partial Partial Partial
server.cpp in MyServer 0.8.5 calls Process::setuid before calling Process::setgid and thus does not properly drop privileges, which might allow remote attackers to execute CGI programs with unintended privileges.
150 CVE-2007-1587 2007-03-21 2017-07-29
10.0
None Remote Low Not required Complete Complete Complete
templates/config/mail.tpl in Tim Soderstrom StatsDawg 0.92 allows remote attackers to execute arbitrary programs by specifying the program name in the qshapeLocation parameter.
Total number of vulnerabilities : 704   Page : 1 2 3 (This Page)4 5 6 7 8 9 10 11 12 13 14 15
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.