| Primary Vendor -- Product | Description | | CVSS Score | Source & Patch Info |
| --- | --- | --- | --- | --- |
| @Mail -- @Mail WebMail | Cross-site request forgery (CSRF) vulnerability in @Mail WebMail allows remote attackers to perform unauthorized actions as other unspecified users via unspecified vectors. NOTE: This information is based upon a vague initial disclosure. Details will be updated after the grace period has ended. | | 7.0 | CVE-2006-6701 OTHER-REF SECUNIA |
| @Mail -- @Mail | Cross-site scripting (XSS) vulnerability in Global.pm in @Mail before 4.61 allows remote attackers to inject arbitrary web script or HTML via crafted e-mail messages. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. | | 7.0 | CVE-2006-6702 OTHER-REF OTHER-REF FRSIRT |
| @Mail -- @Mail Webadmin | Cross-site scripting (XSS) vulnerability in the Webadmin in @Mail before 4.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving "unescaped data in the database." | | 7.0 | CVE-2006-6704 OTHER-REF |
| A-blog -- A-blog | Cross-site scripting (XSS) vulnerability in a-blog 1.51 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | | 7.0 | CVE-2006-6729 OTHER-REF OTHER-REF FRSIRT SECUNIA |
| Allied Telesis -- AT-9000/24 Ethernet switch | The Allied Telesis AT-9000/24 Ethernet switch accepts management packets from arbitrary VLANs, contrary to the documentation, which allows remote attackers to conduct attacks against the switch from unexpected locations. | | 7.0 | CVE-2006-6717 BUGTRAQ BID XF |
| Allied Telesis -- AT-9000/24 Ethernet switch | The Allied Telesis AT-9000/24 Ethernet switch has a default password for its admin account, "manager," which allows remote attackers to perform unauthorized actions. | | 7.0 | CVE-2006-6718 BUGTRAQ |
| AlstraSoft -- WebHost Directory | AlstraSoft Web Host Directory allows remote attackers to bypass authentication and change the admin password via a direct request to admin/config. | | 7.0 | CVE-2006-6818 BUGTRAQ BID |
| AlstraSoft -- WebHost Directory | AlstraSoft Web Host Directory stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a backup database via a direct request for admin/backup/db. | | 7.0 | CVE-2006-6819 BUGTRAQ |
| Azucar CMS -- Azucar CMS | PHP remote file inclusion vulnerability in admin/index_sitios.php in Azucar CMS 1.3 allows remote attackers to execute arbitrary PHP code via a URL in the _VIEW parameter. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. | | 7.0 | CVE-2006-6720 OTHER-REF BID FRSIRT SECUNIA XF |
| chatwm -- chatwm | SQL injection vulnerability in SelGruFra.asp in chatwm 1.0 allows remote attackers to execute arbitrary SQL commands via the (1) txtUse and (2) txtPas parameters. | | 7.0 | CVE-2006-6791 BUGTRAQ BID |
| cwm-design -- cwmExplorer | Multiple SQL injection vulnerabilities in cwmExplorer 1.1.0 and earlier allow remote attackers to execute arbitrary SQL commands via unspecified vectors. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. | | 7.0 | CVE-2006-6766 FRSIRT |
| DMXReady -- DMXReady Secure Login Manager | Multiple SQL injection vulnerabilities in DMXReady Secure Login Manager 1.0 allow remote attackers to execute arbitrary SQL commands via unspecified parameters to (1) set_preferences.asp, (2) send_password_preferences.asp, and (3) SecureLoginManager/list.asp in the Local-Admin Panel; (4) the sent parameter to (a) login.asp, (b) content.asp, and (c) members.asp in the Remote-WebSite; and (5) the sent parameter to applications/SecureLoginManager/inc_secureloginmanager.asp in the Live Demo. | | 7.0 | CVE-2006-6816 BUGTRAQ BID |
| DreaXTeam -- Xt-News | Multiple cross-site scripting (XSS) vulnerabilities in Xt-News 0.1 allow remote attackers to inject arbitrary web script or HTML via the id_news parameter to (1) add_comment.php or (2) show_news.php. | | 7.0 | CVE-2006-6746 BUGTRAQ BID |
| DreaXTeam -- Xt-News | SQL injection vulnerability in show_news.php in Xt-News 0.1 allows remote attackers to execute arbitrary SQL commands via the id_news parameter. | | 7.0 | CVE-2006-6747 BUGTRAQ BID |
| Efkan Forum -- Efkan Forum | SQL injection vulnerability in default.asp in Efkan Forum 1.0 allows remote attackers to execute arbitrary SQL commands via the grup parameter. | | 7.0 | CVE-2006-6794 BUGTRAQ |
| Enthrallweb -- ePages | SQL injection vulnerability in actualpic.asp in Enthrallweb ePages allows remote attackers to execute arbitrary SQL commands via the Biz_ID parameter. | | 7.0 | CVE-2006-6802 Milw0rm BID FRSIRT SECUNIA |
| Enthrallweb -- eCars | SQL injection vulnerability in Types.asp in Enthrallweb eCars 1.0 allows remote attackers to execute arbitrary SQL commands via the Type_id parameter. | | 7.0 | CVE-2006-6803 Milw0rm BID FRSIRT |
| Enthrallweb -- Dragon Business Directory Pro | SQL injection vulnerability in bus_details.asp in Dragon Business Directory - Pro (aka Dragon Internet Business Search Directory - Pro) 3.01.12 and earlier allows remote attackers to execute arbitrary SQL commands via the ID parameter. | | 7.0 | CVE-2006-6804 Milw0rm BID FRSIRT SECUNIA |
| Enthrallweb -- eJobs | SQL injection vulnerability in newsdetail.asp in Enthrallweb eJobs allows remote attackers to execute arbitrary SQL commands via the ID parameter. | | 7.0 | CVE-2006-6805 Milw0rm FRSIRT SECUNIA |
| Enthrallweb -- eMates | SQL injection vulnerability in newsdetail.asp in Enthrallweb eMates 1.0 allows remote attackers to execute arbitrary SQL commands via the ID parameter. | | 7.0 | CVE-2006-6806 Milw0rm FRSIRT SECUNIA |
| Eric Guillaume -- upload_download_de_fichiers | SQL injection vulnerability in administration/administre2.php in Eric GUILLAUME uploader&downloader 3 allows remote attackers to execute arbitrary SQL commands via the id_user parameter. | | 7.0 | CVE-2006-6716 OTHER-REF BID XF |
| Fishyshoop -- Fishyshoop | pages/register/register.php in Fishyshoop 0.930 beta allows remote attackers to create arbitrary administrative users by setting the is_admin HTTP POST parameter to 1. | | 7.0 | CVE-2006-6773 BUGTRAQ BID FRSIRT SECUNIA |
| FTPRush -- FTPRush | Buffer overflow in FTPRush 1.0.0.610 might allow attackers to gain privileges via a long Host field. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. Also, it is not clear whether this issue crosses security boundaries. | | 7.0 | CVE-2006-6752 BID |
| Future Internet -- Future Internet | Multiple SQL injection vulnerabilities in Future Internet allow remote attackers to execute arbitrary SQL commands via the (1) newsId or (2) categoryid parameter in a Portal.Showpage action in index.cfm, or (3) the langId parameter in index.cfm. | | 7.0 | CVE-2006-6776 BUGTRAQ BID |
| Future Internet -- Future Internet | Cross-site scripting (XSS) vulnerability in index.cfm in Future Internet allows remote attackers to inject arbitrary web script or HTML via the categoryId parameter in a Portal.ShowPage action. | | 7.0 | CVE-2006-6777 BUGTRAQ BID |
| Hitachi -- Hitachi Directory Server 2 | Buffer overflow in Hitachi Directory Server 2 P-2444-A124 before 02-11-/K on Windows, and P-1B44-A121 before 02-10-/V on HP-UX, allows remote attackers to execute arbitrary code via crafted LDAP requests. | | 10.0 | CVE-2006-6713 OTHER-REF BID FRSIRT SECUNIA |
| HLstats -- HLstats | SQL injection vulnerability in the login form in HLstats 1.20 through 1.34 allows remote attackers to execute arbitrary SQL commands via the killLimit parameter. | | 7.0 | CVE-2006-6780 BUGTRAQ BID |
| inertianews -- inertianews | PHP remote file inclusion vulnerability in inertianews_main.php in inertianews 0.02 beta allows remote attackers to execute arbitrary PHP code via a URL in the inews_path parameter. | | 7.0 | CVE-2006-6726 Milw0rm FRSIRT |
| inertianews -- inertianews | PHP remote file inclusion vulnerability in inertianews_class.php in inertianews 0.02 beta and earlier allows remote attackers to execute arbitrary PHP code via a URL in the DOCUMENT_ROOT parameter. | | 7.0 | CVE-2006-6727 FRSIRT |
| Jelle de Vos -- Bandwebsite | Bandwebsite (aka Bandsite portal system) 1.5 allows remote attackers to create administrative accounts via a direct request to admin.php with the Login parameter set to 1. | | 7.0 | CVE-2006-6722 OTHER-REF BID OTHER-REF XF |
| KDE -- KsIRC | Buffer overflow in KsIRC 1.3.12 allows remote attackers to execute arbitrary code via a long PRIVMSG string when connecting to an Internet Relay Chat (IRC) server. | | 7.0 | CVE-2006-6811 OTHER-REF BID |
| Keep It Simple Guest Book -- Keep It Simple Guest Book | Multiple PHP remote file inclusion vulnerabilities in the Keep It Simple Guest Book (KISGB) allow remote attackers to execute arbitrary PHP code via a URL in the (1) path_to_themes parameter in (a) authenticate.php, and the (2) default_path_for_themes parameter in (b) admin.php and (c) upconfig.php. | | 7.0 | CVE-2006-6763 BUGTRAQ OTHER-REF |
| Knusperleicht -- ShoutBox | Cross-site scripting (XSS) vulnerability in shout.php in Knusperleicht ShoutBox 2.6 allows remote attackers to inject arbitrary web script or HTML via a post. | | 7.0 | CVE-2006-6721 OTHER-REF BID |
| logahead -- logahead UNU | Unrestricted file upload vulnerability in logahead UNU 1.0 allows remote attackers to upload arbitrary files via unspecified vectors related to plugins/widged/_widged.php and form Widgets. | | 7.0 | CVE-2006-6783 BUGTRAQ BID |
| LuckyBot -- LuckyBot | Multiple PHP remote file inclusion vulnerabilities in LuckyBot 3 allow remote attackers to execute arbitrary PHP code via a URL in the dir parameter to (1) run.php or (2) ircbot.class.php. | | 7.0 | CVE-2006-6788 BUGTRAQ BID |
| McAfee -- NeoTrace Pro; McAfee -- NeoTrace Express; McAfee -- Visual Trace | Stack-based buffer overflow in the NeoTraceExplorer.NeoTraceLoader ActiveX control (NeoTraceExplorer.dll) in NeoTrace Express 3.25 and NeoTrace Pro (aka McAfee Visual Trace) 3.25 allows remote attackers to execute arbitrary code via a long argument string to the TraceTarget method. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. | | 7.0 | CVE-2006-6707 SECUNIA |
| MGinternet -- Property Site Manager | Cross-site scripting (XSS) vulnerability in listings.asp in MGinternet Property Site Manager allows remote attackers to inject arbitrary web script or HTML via the s parameter. | | 7.0 | CVE-2006-6708 BUGTRAQ BID XF |
| MGinternet -- Property Site Manager | Multiple SQL injection vulnerabilities in MGinternet Property Site Manager allow remote attackers to execute arbitrary SQL commands via the (1) p parameter to (a) detail.asp; the (2) l, (3) typ, or (4) loc parameter to (b) listings.asp; or the (5) Password or (6) Username parameter to (c) admin_login.asp. NOTE: some of these details are obtained from third party information. | | 7.0 | CVE-2006-6709 BUGTRAQ BID XF XF |
| MXmania -- Newsletter MX | SQL injection vulnerability in admin/admin_mail_adressee.asp in Newsletter MX 1.0.2 and earlier allows remote attackers to execute arbitrary SQL commands via the ID parameter. | | 7.0 | CVE-2006-6787 OTHER-REF BID |
| MXmania -- Calendar MX BASIC | SQL injection vulnerability in calendar_detail.asp in Calendar MX BASIC 1.0.2 and earlier allows remote attackers to execute arbitrary SQL commands via the ID parameter. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. | | 7.0 | CVE-2006-6792 BID FRSIRT |
| MXmania -- MXmania File Upload Manager | SQL injection vulnerability in detail.asp in Mxmania File Upload Manager (FUM) 1.0.6 and earlier allows remote attackers to execute arbitrary SQL commands via the ID parameter. | | 7.0 | CVE-2006-6813 OTHER-REF BID FRSIRT SECUNIA |
| MXmania -- Calendar MX BASIC | Calendar MX BASIC 1.0.2 and earlier store sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for calendar.mdb. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. | | 7.0 | CVE-2006-6825 FRSIRT |
| myPHPCalendar -- myPHPCalendar | Multiple PHP remote file inclusion vulnerabilities in myPHPCalendar 10.1 allow remote attackers to execute arbitrary PHP code via a URL in the cal_dir parameter to (1) admin.php, (2) contacts.php, or (3) convert-date.php. | | 7.0 | CVE-2006-6812 OTHER-REF BID |
| myPHPNuke -- myPHPNuke My_eGallery | PHP remote file inclusion vulnerability in gallery/displayCategory.php in the My_eGallery 2.5.6 module in myPHPNuke (MPN) allows remote attackers to execute arbitrary PHP code via a URL in the basepath parameter. | | 7.0 | CVE-2006-6795 OTHER-REF OTHER-REF BID |
| Netbula -- Anyboard | SQL injection vulnerability in Netbula Anyboard allows remote attackers to execute arbitrary SQL commands via the user name in the login form. | | 7.0 | CVE-2006-6784 BUGTRAQ BID |
| Newxooper -- Newxooper | PHP remote file inclusion vulnerability in compteur/mapage.php in Newxooper 0.9.1 allows remote attackers to execute arbitrary PHP code via a URL in the chemin parameter. | | 7.0 | CVE-2006-6711 OTHER-REF BID FRSIRT SECUNIA |
| Newxooper -- Newxooper | PHP remote file inclusion vulnerability in i-accueil.php in Newxooper 0.9 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the chemin parameter. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. | | 7.0 | CVE-2006-6748 FRSIRT |
| Obie Website -- Mini Web Shop | Cross-site scripting (XSS) vulnerability in modules/viewcategory.php in Minh Nguyen Duong Obie Website Mini Web Shop 2.1.c allows remote attackers to inject arbitrary web script or HTML via the catname parameter. | | 7.0 | CVE-2006-6734 BUGTRAQ BID MLIST FRSIRT SECUNIA |
| Okul Merkezi -- Okul Merkezi Portal | PHP remote file inclusion vulnerability in ataturk.php in Okul Merkezi Portal 1.0 allows remote attackers to execute arbitrary PHP code via a URL in the page parameter. | | 7.0 | CVE-2006-6793 BUGTRAQ BID |
| Open Newsletter -- Open Newsletter | The admin PHP scripts in Open Newsletter 2.5 and earlier do not exit when authentication fails, which allows remote attackers to perform unauthorized administrative actions, or execute arbitrary code in conjunction with another vulnerability. | | 7.0 | CVE-2006-6785 OTHER-REF BID |
| Oracle -- Oracle9i; Oracle -- Oracle10g | Multiple cross-site scripting (XSS) vulnerabilities in Oracle Portal 9i and 10g allow remote attackers to inject arbitrary JavaScript via the tc parameter in webapp/jsp/container_tabs.jsp, and other unspecified vectors. | | 7.0 | CVE-2006-6703 BUGTRAQ FRSIRT |
| osTicket -- osTicket STS | Cross-site scripting (XSS) vulnerability in support/view.php in Support Cards 1 (osTicket) allows remote attackers to inject arbitrary web script or HTML via the e parameter. | | 7.0 | CVE-2006-6733 BUGTRAQ BID |
| Personal .NET Portal -- Personal .NET Portal | Unspecified vulnerability in the tab editor for Personal .NET Portal before 2.0.0 has unknown impact and attack vectors related to a "Security leak." | | 7.0 | CVE-2006-6826 OTHER-REF FRSIRT XF |
| PHP iCalendar -- PHP iCalendar | Multiple cross-site scripting (XSS) vulnerabilities in Jim Hu and Chad Little PHP iCalendar 2.23 rc1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) getdate parameter in (a) day.php, (b) month.php, (c) year.php, (d) week.php, (e) search.php, (f) rss/index.php, (g) print.php, and (h) preferences.php; the (2) cpath parameter in (i) day.php, (j) month.php, (k) year.php, (l) week.php, and (m) search.php; the (3) query parameter in search.php; and possibly the cpath, (4) unset, and (5) set parameters in a setcookie action in preferences.php; different vectors than CVE-2006-3319. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. | | 7.0 | CVE-2006-6824 OTHER-REF BID SECTRACK SECUNIA |
| PHP Live! -- PHP Live! | Multiple cross-site scripting (XSS) vulnerabilities in PHP Live! 3.2.2 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) search_string parameter in (a) setup/transcripts.php, the (2) l parameter in (b) index.php, the (3) login field in (c) phplive/index.php, and the (4) deptid and (5) x parameters in (d) phplive/message_box.php. | | 7.0 | CVE-2006-6769 BUGTRAQ OTHER-REF BID SECUNIA |
| Phpbbxtra -- Phpbbxtra | PHP remote file inclusion vulnerability in includes/archive/archive_topic.php in Phpbbxtra 2.0 allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter. | | 7.0 | CVE-2006-6789 BUGTRAQ BID |
| PhpMyManga -- PhpMyManga | Multiple PHP remote file inclusion vulnerabilities in template.php in Laurent FALLET phpMyAnime (aka phpmymanga) 0.8.1 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the (1) actionsPage or (2) formPage parameter. | | 7.0 | CVE-2006-6760 Milw0rm OTHER-REF BID XF |
| pnamazu -- pnamazu | Cross-site scripting (XSS) vulnerability in pnamazu 2006.02.28 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | | 7.0 | CVE-2006-6782 OTHER-REF BID FRSIRT SECUNIA |
| PowerScripts -- PowerClan | PHP remote file inclusion vulnerability in footer.inc.php in PowerClan 1.14a and earlier, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the settings[footer] parameter. | | 7.0 | CVE-2006-6715 OTHER-REF MLIST FRSIRT SECUNIA |
| PWP Technologies -- The Classified Ad System | Multiple cross-site scripting (XSS) vulnerabilities in default.asp in PWP Technologies The Classified Ad System allow remote attackers to inject arbitrary web script or HTML via the (1) cat or (2) main parameter. | | 7.0 | CVE-2006-6768 BUGTRAQ |
| Softwebs Nepal -- Ananda Real Estate | SQL injection vulnerability in list.asp in Softwebs Nepal (aka Ananda Raj Pandey) Ananda Real Estate 3.4 and earlier allows remote attackers to execute arbitrary SQL commands via the agent parameter. | | 7.0 | CVE-2006-6807 OTHER-REF BID FRSIRT SECUNIA |
| SugarCRM -- SugarCRM | Cross-site scripting (XSS) vulnerability in SugarCRM Open Source 4.5.0f and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors in crafted email messages. | | 7.0 | CVE-2006-6712 OTHER-REF OTHER-REF BID FRSIRT SECUNIA SECTRACK |
| Sun -- JDK; Sun -- SDK; Sun -- JRE | Multiple buffer overflows in Sun Java Development Kit (JDK) and Java Runtime Environment (JRE) 5.0 Update 7 and earlier, Java System Development Kit (SDK) and JRE 1.4.2_12 and earlier 1.4.x versions, and SDK and JRE 1.3.1_18 and earlier allow attackers to develop Java applets that read, write, or execute local files, possibly related to (1) integer overflows in the Java_sun_awt_image_ImagingLib_convolveBI, awt_parseRaster, and awt_parseColorModel functions; (2) a stack overflow in the Java_sun_awt_image_ImagingLib_lookupByteRaster function; and (3) improper handling of certain negative values in the Java_sun_font_SunLayoutEngine_nativeLayout function. NOTE: some of these details are obtained from third party information. | | 10.0 | CVE-2006-6731 SUNALERT BID FRSIRT |
| Sun -- Java 2 Standard Edition SDK; Sun -- Java 2 Runtime Environment | Multiple unspecified vulnerabilities in Sun Java Development Kit (JDK) and Java Runtime Environment (JRE) 5.0 Update 7 and earlier, and Java System Development Kit (SDK) and JRE 1.4.2_12 and earlier 1.4.x versions, allow attackers to develop Java applets or applications that are able to gain privileges, related to serialization in JRE. | | 8.0 | CVE-2006-6745 SUNALERT BID FRSIRT SECTRACK |
| TimberWolf -- TimberWolf | Cross-site scripting (XSS) vulnerability in shownews.php in TimberWolf 1.2.2 allows remote attackers to inject arbitrary web script or HTML via the nid parameter. | | 7.0 | CVE-2006-6778 BUGTRAQ BID FRSIRT |
| Ultimate PHP Board -- Ultimate PHP Board | Direct static code injection vulnerability in chat/login.php in Ultimate PHP Board (UPB) 2.0b1 and earlier allows remote attackers to inject arbitrary PHP code via the username parameter, which is injected into chat/text.php. | | 7.0 | CVE-2006-6790 OTHER-REF BID |
| Vladimir Menshakov -- buratinable templator | Multiple PHP remote file inclusion vulnerabilities in process.php in Vladimir Menshakov buratinable templator (aka bubla) 1.0.0rc2 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the (1) bu_dir or (2) bu_config[dir] parameter. | | 7.0 | CVE-2006-6809 OTHER-REF BID |
| w3m -- w3m | Format string vulnerability in w3m 0.5.1, when run with the dump or backend option, allows remote attackers to execute arbitrary code via format string specifiers in the Common Name (CN) field of an SSL certificate. | | 8.0 | CVE-2006-6772 OTHER-REF BID FRSIRT SECTRACK SECUNIA |
| WordPress -- WordPress | Cross-site scripting (XSS) vulnerability in wp-admin/templates.php in WordPress 2.0.5 allows remote attackers to inject arbitrary web script or HTML via the file parameter. | | 7.0 | CVE-2006-6808 FULLDISC OTHER-REF OTHER-REF BID |
| Yrch! -- Yrch! | PHP remote file inclusion vulnerability in plugins/metasearch/plug.inc.php in Yrch! 1.0 allows remote attackers to execute arbitrary PHP code via a URL in the path parameter. | | 7.0 | CVE-2006-6823 OTHER-REF BID FRSIRT |