CVE Cross Reference 2002
The information on this page may be obsolete. For the current documentation, please log into the mySAINT portal using your customer login and password.
Current CVEs
| CVE Description | SAINT®® Tutorial | SAINT®® Vuln. ID | SANS Top 20 | ||
 |
Buffer overflow in the preprocessor in groff 1.16 and earlier allows remote attackers to gain privileges via lpd in the LPRng printing system. |
groff vulnerability |
misc_lpdgroff misc_lprnggroff |
||
 |
CGI.pl in Bugzilla before 2.14.1, when using LDAP, allows remote attackers to obtain an anonymous bind to the LDAP server via a request that does not include a password, which causes a null password to be sent to the LDAP server. |
Bugzilla vulnerabilities |
web_prog_cgi_bugzilla | ||
|
Bugzilla before 2.14.1 allows remote attackers to (1) spoof a user comment via an HTTP request to process_bug.cgi using the "who" parameter, instead of the Bugzilla_login cookie, or (2) post a bug as another user by modifying the reporter parameter to enter_bug.cgi, which is passed to post_bug.cgi. |
Bugzilla vulnerabilities |
web_prog_cgi_bugzilla | ||
|
show_bug.cgi in Bugzilla before 2.14.1 allows a user with "Bugs Access" privileges to see other products that are not accessible to the user, by submitting a bug and reading the resulting Product pulldown menu. |
Bugzilla vulnerabilities |
web_prog_cgi_bugzilla | ||
|
Bugzilla before 2.14.1 allows remote attackers to inject arbitrary SQL code and create files or gain privileges via (1) the sql parameter in buglist.cgi, (2) invalid field names from the "boolean chart" query in buglist.cgi, (3) the mybugslink parameter in userprefs.cgi, (4) a malformed bug ID in the buglist parameter in long_list.cgi, and (5) the value parameter in editusers.cgi, which allows groupset privileges to be modified by attackers with blessgroupset privileges. |
Bugzilla vulnerabilities |
web_prog_cgi_bugzilla | ||
|
Information leak in doeditvotes.cgi in Bugzilla before 2.14.1 may allow remote attackers to more easily conduct attacks on the login. |
Bugzilla vulnerabilities |
web_prog_cgi_bugzilla | ||
|
Vulnerabilities in a large number of SNMP implementations allow remote attackers to cause a denial of service or gain privileges via SNMPv1 trap handling, as demonstrated by the PROTOS c06-SNMPv1 test suite. NOTE: It is highly likely that this candidate will be SPLIT into multiple candidates, one or more for each vendor. This and other SNMP-related candidates will be updated when more accurate information is available. |
SNMP vulnerabilities |
net_snmp_snmp | ||
|
Vulnerabilities in the SNMPv1 request handling of a large number of SNMP implementations allow remote attackers to cause a denial of service or gain privileges via (1) GetRequest, (2) GetNextRequest, and (3) SetRequest messages, as demonstrated by the PROTOS c06-SNMPv1 test suite. NOTE: It is highly likely that this candidate will be SPLIT into multiple candidates, one or more for each vendor. This and other SNMP-related candidates will be updated when more accurate information is available. |
SNMP vulnerabilities |
net_snmp_snmp | ||
|
Buffer overflow in telnet server in Windows 2000 and Interix 2.2 allows remote attackers to execute arbitrary code via malformed protocol options. |
Microsoft Telnet Server |
shell_telnet_ms | ||
 |
Buffer overflow in ICQ before 2001B Beta v5.18 Build #3659 allows remote attackers to execute arbitrary code via a Voice Video & Games request. |
AOL ICQ vulnerability Note: Authentication is required to detect this vulnerability |
misc_icqver | ||
|
Buffer overflows in the DNS stub resolver library in ISC BIND 4.9.2 through 4.9.10, and other derived libraries such as BSD libc and GNU glibc, allow remote attackers to execute arbitrary code via DNS server responses that trigger the overflow in the (1) getnetbyname, or (2) getnetbyaddr functions, aka "LIBRESOLV: buffer overrun" and a different vulnerability than CVE-2002-0684. |
DNS resolver library Note: Authentication is recommended to improve the accuracy of this check |
dns_resolver | ||
|
Heap-based buffer overflow in cfsd_calloc function of Solaris cachefsd allows remote attackers to execute arbitrary code via a request with a long directory and cache name. |
cachefsd vulnerability |
rpc_cachefsd | ||
|
Multiple signedness errors (mixed signed and unsigned numbers) in the I/O functions of rsync 2.4.6, 2.3.2, and other versions allow remote attackers to cause a denial of service and execute arbitrary code in the rsync client or server. |
rsyncd vulnerabilities |
misc_rsyncd | ||
|
Microsoft Exchange Server 2000 System Attendant gives "Everyone" group privileges to the WinReg key, which could allow remote attackers to read or modify registry keys. |
registry access |
win_registry | ||
|
Buffer overflow in SNMP agent service in Windows 95/98/98SE, Windows NT 4.0, Windows 2000, and Windows XP allows remote attackers to cause a denial of service or execute arbitrary code via a malformed management request. NOTE: this candidate may be split or merged with other candidates. This and other PROTOS-related candidates, especially CVE-2002-0012 and CVE-2002-0013, will be updated when more accurate information is available. |
SNMP vulnerabilities |
net_snmp_snmp | ||
|
SMTP service in (1) Microsoft Windows 2000 and (2) Internet Mail Connector (IMC) in Exchange Server 5.5 does not properly handle responses to NTLM authentication, which allows remote attackers to perform mail relaying via an SMTP AUTH command using null session credentials. |
Microsoft mail server vulnerabilities |
mail_smtp_winauth | ||
|
SMTP service in Microsoft Windows 2000, Windows XP Professional, and Exchange 2000 allows remote attackers to cause a denial of service via a command with a malformed data transfer (BDAT) request. |
Microsoft mail server vulnerabilities |
mail_smtp_windows | ||
|
Buffer overflow in SQL Server 7.0 and 2000 allows remote attackers to execute arbitrary code via a long OLE DB provider name to (1) OpenDataSource or (2) OpenRowset in an ad hoc connection. |
Microsoft SQL Server Note: Authentication is recommended to improve the accuracy of this check |
database_mssql_mssql | ||
|
Vulnerability in Java Runtime Environment (JRE) allows remote malicious web sites to hijack or sniff a web client's sessions, when an HTTP proxy is being used, via a Java applet that redirects the session to another server, as seen in (1) Netscape 6.0 through 6.1 and 4.79 and earlier, (2) Microsoft VM build 3802 and earlier as used in Internet Explorer 4.x and 5.x, and possibly other implementations that use vulnerable versions of SDK or JDK. |
Windows updates needed Note: Authentication is required to detect this vulnerability |
win_patch_redirect | ||
|
Apache for Win32 before 1.3.24, and 2.0.x before 2.0.34-beta, allows remote attackers to execute arbitrary commands via shell metacharacters (a | pipe character) provided as arguments to batch (.bat) or .cmd scripts, which are sent unfiltered to the shell interpreter, typically cmd.exe. |
Apache vulnerabilities |
web_server_apache_batch | ||
|
Buffer overflow in ippRead function of CUPS before 1.1.14 may allow attackers to execute arbitrary code via long attribute names or language values. |
CUPS vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
printer_cups | ||
|
Squid 2.4 STABLE3 and earlier does not properly disable HTCP, even when "htcp_port 0" is specified in squid.conf, which could allow remote attackers to bypass intended access restrictions. |
Squid vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
web_proxy_squid | ||
|
Squid 2.4 STABLE3 and earlier allows remote attackers to cause a denial of service (core dump) and possibly execute arbitrary code with an ftp:// URL with a larger number of special characters, which exceed the buffer when Squid URL-escapes the characters. |
Squid vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
web_proxy_squid | ||
|
Memory leak in SNMP in Squid 2.4 STABLE3 and earlier allows remote attackers to cause a denial of service. |
Squid vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
web_proxy_squid | ||
|
Buffer overflow in Windows Shell (used as the Windows Desktop) allows local and possibly remote attackers to execute arbitrary code via a custom URL handler that has not been removed for an application that has been improperly uninstalled. |
Windows updates needed Note: Authentication is required to detect this vulnerability |
win_patch_shell | ||
|
Buffer overflow in the ism.dll ISAPI extension that implements HTR scripting in Internet Information Server (IIS) 4.0 and 5.0 allows attackers to cause a denial of service or execute arbitrary code via HTR requests with long variable names. |
http IIS access |
web_server_iis_htr web_server_iis_multiple |
||
|
The w3svc.dll ISAPI filter in Front Page Server Extensions and ASP.NET for Internet Information Server (IIS) 4.0, 5.0, and 5.1 does not properly handle the error condition when a long URL is provided, which allows remote attackers to cause a denial of service (crash) when the URL parser accesses a null pointer. |
http IIS access |
web_server_iis_multiple | ||
|
The FTP service in Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows attackers who have established an FTP session to cause a denial of service via a specially crafted status request containing glob characters. |
http IIS access |
web_server_iis_multiple | ||
|
Cross-site scripting vulnerability in Help File search facility for Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows remote attackers to embed scripts into another user's session. |
http IIS access |
web_server_iis_multiple | ||
|
Cross-site scripting vulnerability for Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows remote attackers to execute arbitrary script as other web users via the error message used in a URL redirect (""302 Object Moved") message. |
http IIS access |
web_server_iis_multiple | ||
|
Java Runtime Environment (JRE) Bytecode Verifier allows remote attackers to escape the Java sandbox and execute commands via an applet containing an illegal cast operation, as seen in (1) Microsoft VM build 3802 and earlier as used in Internet Explorer 4.x and 5.x, (2) Netscape 6.2.1 and earlier, and possibly other implementations that use vulnerable versions of SDK or JDK, aka a variant of the "Virtual Machine Verifier" vulnerability. |
Windows updates needed Note: Authentication is required to detect this vulnerability |
win_patch_redirect | ||
|
Buffer overflow in the chunked encoding transfer mechanism in Internet Information Server (IIS) 4.0 and 5.0 Active Server Pages allows attackers to cause a denial of service or execute arbitrary code. |
http IIS access |
web_server_iis_multiple | ||
|
Buffer overflows in (1) php_mime_split in PHP 4.1.0, 4.1.1, and 4.0.6 and earlier, and (2) php3_mime_split in PHP 3.0.x allows remote attackers to execute arbitrary code via a multipart/form-data HTTP POST request when file_uploads is enabled. |
PHP vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_bo | ||
|
The dbm and shm session cache code in mod_ssl before 2.8.7-1.3.23, and Apache-SSL before 1.3.22+1.46, does not properly initialize memory using the i2d_SSL_SESSION function, which allows remote attackers to use a buffer overflow to execute arbitrary code via a large client certificate that is signed by a trusted Certificate Authority (CA), which produces a large serialized session. |
Apache SSL module vulnerabilities |
web_mod_apachessl web_mod_ssl |
||
|
Off-by-one error in the channel code of OpenSSH 2.0 through 3.0.2 allows local users or remote malicious servers to gain privileges. |
OpenSSH vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
shell_ssh_openssh | ||
|
Buffer overflow in the fscache_setup function of cachefsd in Solaris 2.6, 7, and 8 allows local users to gain root privileges via a long mount argument. |
cachefsd vulnerability |
rpc_cachefsd | ||
|
Buffer overflow in index.cgi administration interface for Boozt! Standard 0.9.8 allows local users to execute arbitrary code via a long name field when creating a new banner. |
http cgi access |
web_prog_cgi_boozt | ||
|
Buffer overflow in Michael Lamont Savant Web Server 3.0 allows remote attackers to cause a denial of service (crash) via a long HTTP request to the cgi-bin directory in which the CGI program name contains a large number of . (dot) characters. |
Savant vulnerabilities |
web_server_savant | ||
|
BEA Systems Weblogic Server 6.1 allows remote attackers to cause a denial of service via a series of requests to .JSP files that contain an MS-DOS device name. |
WebLogic vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
web_dev_weblogic | ||
|
Linksys EtherFast BEFN2PS4, BEFSR41, and BEFSR81 Routers, and possibly other products, allow remote attackers to gain sensitive information and cause a denial of service via an SNMP query for the default community string "public," which causes the router to change its configuration and send SNMP trap information back to the system that initiated the query. |
Guessable Read Community |
net_snmp_read | ||
|
Directory traversal vulnerability in Funsoft Dino's Webserver 1.2 and earlier allows remote attackers to read files or execute arbitrary commands via a .. (dot dot) in the URL. |
http server read access |
web_server_read | ||
|
MDG Computer Services Web Server 4D/eCommerce 3.5.3 allows remote attackers to exploit directory traversal vulnerability via a ../ (dot dot) containing URL-encoded slashes in the HTTP request. |
http server read access |
web_server_read | ||
|
Buffer overflows in Avirt Gateway Suite 4.2 allow remote attackers to cause a denial of service and possibly execute arbitrary code via (1) long header fields to the HTTP proxy, or (2) a long string to the telnet proxy. |
Avirt Gateway vulnerabilities Avirt Gateway web vulnerabilities |
shell_telnet_avirtbo web_proxy_avirt |
||
|
Telnet proxy in Avirt Gateway Suite 4.2 does not require authentication for connecting to the proxy system itself, which allows remote attackers to list file contents of the proxy and execute arbitrary commands via a "dos" command. |
Avirt Gateway vulnerabilities |
shell_telnet_avirt | ||
|
Pi-Soft SpoonFTP 1.1 and earlier allows remote attackers to redirect traffic to other sites (aka FTP bounce) via the PORT command. |
FTP bounce |
ftp_bounce | ||
|
Buffer overflow in the ASP data transfer mechanism in Internet Information Server (IIS) 4.0, 5.0, and 5.1 allows remote attackers to cause a denial of service or execute code, aka "Microsoft-discovered variant of Chunked Encoding buffer overrun." |
http IIS access |
web_server_iis_multiple | ||
|
Cross-site scripting vulnerability in Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows remote attackers to execute arbitrary script as other users via an HTTP error page. |
http IIS access |
web_server_iis_multiple | ||
|
Buffer overflow in ASP Server-Side Include Function in IIS 4.0, 5.0 and 5.1 allows remote attackers to cause a denial of service and possibly execute arbitrary code via long file names. |
http IIS access |
web_server_iis_multiple | ||
|
Buffer overflow in Internet Information Server (IIS) 4.0, 5.0, and 5.1 allows remote attackers to spoof the safety check for HTTP headers and cause a denial of service or execute arbitrary code via HTTP header field values. |
http IIS access |
web_server_iis_multiple | ||
|
Buffer overflow in Multiple UNC Provider (MUP) in Microsoft Windows operating systems allows local users to cause a denial of service or possibly gain SYSTEM privileges via a long UNC request. |
Windows updates needed Note: Authentication is required to detect this vulnerability |
win_patch_uncprovider | ||
|
Buffer overflows in extended stored procedures for Microsoft SQL Server 7.0 and 2000 allow remote attackers to cause a denial of service or execute arbitrary code via a database query with certain long arguments. |
Microsoft SQL Server Note: Authentication is recommended to improve the accuracy of this check |
database_mssql_mssql | ||
|
Heap-based buffer overflow in Squid before 2.4 STABLE4, and Squid 2.5 and 2.6 until March 12, 2002 distributions, allows remote attackers to cause a denial of service, and possibly execute arbitrary code, via compressed DNS responses. |
Squid vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
web_proxy_squid | ||
|
Zope 2.2.0 through 2.5.1 does not properly verify the access for objects with proxy roles, which could allow some users to access documents in violation of the intended configuration. |
Zope vulnerabilities |
web_dev_zope | ||
|
Buffer overflows in icecast 1.3.11 and earlier allows remote attackers to execute arbitrary code via a long HTTP GET request from an MP3 client. |
icecast vulnerability |
web_server_icecast | ||
|
Cross-site scripting vulnerability in status.php3 for IMP 2.2.8 and HORDE 1.2.7 allows remote attackers to execute arbitrary web script and steal cookies of other IMP/HORDE users via the script parameter. |
Horde IMP vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
mail_web_imp | ||
|
mod_python version 2.7.6 and earlier allows a module indirectly imported by a published module to then be accessed via the publisher, which allows remote attackers to call possibly dangerous functions from the imported module. |
Apache module vulnerabilities |
web_mod_python | ||
|
Buffer overflow in the SQLXML ISAPI extension of Microsoft SQL Server 2000 allows remote attackers to execute arbitrary code via data queries with a long content-type parameter, aka "Unchecked Buffer in SQLXML ISAPI Extension." |
Microsoft SQL Server Note: Authentication is recommended to improve the accuracy of this check |
database_mssql_mssql | ||
|
Cross-site scripting vulnerability in the SQLXML component of Microsoft SQL Server 2000 allows an attacker to execute arbitrary script via the root parameter as part of an XML SQL query, aka "Script Injection via XML Tag." |
Microsoft SQL Server Note: Authentication is recommended to improve the accuracy of this check |
database_mssql_mssql | ||
|
Buffer overflow in Real Networks RealPlayer 8.0 and earlier allows remote attackers to execute arbitrary code via a header length value that exceeds the actual length of the header. |
RealPlayer vulnerabilities Note: Authentication is required to detect this vulnerability |
misc_reallinux misc_realplayer |
||
|
Etype Eserv 2.97 allows remote attackers to redirect traffic to other sites (aka FTP bounce) via the PORT command. |
FTP bounce |
ftp_bounce | ||
|
Directory traversal vulnerability in eshare Expressions 4 Web server allows remote attackers to read arbitrary files via a .. (dot dot) in an HTTP request. |
http server read access |
web_server_read | ||
|
Web configuration utility in HP AdvanceStack hubs J3200A through J3210A with firmware version A.03.07 and earlier, allows unauthorized users to bypass authentication via a direct HTTP request to the web_access.html file, which allows the user to change the switch's configuration and modify the administrator password. |
switch access |
net_passchange | ||
|
Directory traversal vulnerability in InstantServers MiniPortal 1.1.5 and earlier allows remote authenticated users to read arbitrary files via a ... (modified dot dot) in the GET command. |
FTP server directory traversal |
ftp_traversal | ||
|
Buffer overflow in CWMail.exe in NetWin before 2.8a allows remote authenticated users to execute arbitrary code via a long item parameter. |
http potential problems |
web_prog_cgi_cwmail | ||
|
Exim 3.34 and earlier may allow local users to gain privileges via a buffer overflow in long -C (configuration file) and other command line arguments. |
Exim vulnerability |
mail_smtp_exim mail_smtp_eximbo |
||
|
Directory traversal vulnerability in Phusion web server 1.0 allows remote attackers to read arbitrary files via a ... (triple dot dot) in the HTTP request. |
http server read access |
web_server_read | ||
|
Buffer overflow in Netwin WebNews CGI program 1.1, Webnews.exe, allows remote attackers to execute arbitrary code via a long group argument. |
http potential problems |
web_prog_cgi_webnews | ||
|
Netwin WebNews 1.1k CGI program includes several default usernames and cleartext passwords that cannot be deleted by the administrator, which allows remote attackers to gain privileges via the username/password combinations (1) testweb/newstest, (2) alwn3845/imaptest, (3) alwi3845/wtest3452, or (4) testweb2/wtest4879. |
http potential problems |
web_prog_cgi_webnews | ||
|
Directory traversal vulnerability in Essentia Web Server 2.1 allows remote attackers to read arbitrary files via a .. (dot dot) in a URL. |
http server read access |
web_server_read | ||
|
fasttrack p2p, as used in (1) KaZaA before 1.5, (2) grokster, and (3) morpheus allows remote attackers to cause a denial of service (memory exhaustion) via a series of client-to-client messages, which pops up new windows per message. |
peer to peer file sharing |
misc_p2p_kazaa misc_p2p_morpheus |
||
|
fasttrack p2p, as used in (1) KaZaA, (2) grokster, and (3) morpheus allows remote attackers to spoof other users by modifying the username and network information in the message header. |
peer to peer file sharing |
misc_p2p_kazaa misc_p2p_morpheus |
||
|
FreeRADIUS RADIUS server allows remote attackers to cause a denial of service (CPU consumption) via a flood of Access-Request packets. |
RADIUS vulnerabilities |
misc_radius | ||
|
comment2.jse in ScriptEase:WebServer allows remote attackers to read arbitrary files by specifying the target file as an argument in the URL. |
http cgi access |
web_prog_cgi_comment2 | ||
|
Directory traversal vulnerability in BadBlue before 1.6.1 allows remote attackers to read arbitrary files via a ... (modified dot dot) in the URL. |
http server read access |
web_server_read | ||
|
Cross-site scripting vulnerability in BadBlue before 1.6.1 beta allows remote attackers to execute arbitrary script and possibly additional commands via a URL that contains Javascript. |
Cross site scripting |
web_server_css | ||
|
Directory traversal vulnerability in the HTTP server for BPM Studio Pro 4.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the HTTP request. |
http server read access |
web_server_read | ||
|
Buffer overflows in xtell (xtelld) 1.91.1 and earlier, and 2.x before 2.7, allows remote attackers to execute arbitrary code via (1) a long DNS hostname that is determined using reverse DNS lookups, (2) a long AUTH string, or (3) certain data in the xtell request. |
xtell vulnerabilities |
misc_xtell | ||
|
Directory traversal vulnerability in xtell (xtelld) 1.91.1 and earlier, and 2.x before 2.7, allows remote attackers to read files with short names, and local users to read more files using a symlink with a short name, via a .. in the TTY argument. |
xtell vulnerabilities |
misc_xtell | ||
|
RealPlayer 8 allows remote attackers to cause a denial of service (CPU utilization) via malformed .mp3 files. |
RealPlayer vulnerabilities Note: Authentication is required to detect this vulnerability |
misc_reallinux misc_realplayer |
||
|
Cross-site scripting vulnerability in Cobalt RAQ 4 allows remote attackers to execute arbitrary script as other Cobalt users via Javascript in a URL to (1) service.cgi or (2) alert.cgi. |
Cobalt RaQ vulnerabilities |
misc_raqcss | ||
|
Directory traversal vulnerability in Cobalt RAQ 4 allows remote attackers to read password-protected files, and possibly files outside the web root, via a .. (dot dot) in an HTTP request. |
Cobalt RaQ vulnerabilities |
misc_raq | ||
|
service.cgi in Cobalt RAQ 4 allows remote attackers to cause a denial of service, and possibly execute arbitrary code, via a long service argument. |
Cobalt RaQ vulnerabilities |
misc_raqdos | ||
|
The XMLHttpRequest object (XMLHTTP) in Netscape 6.1 and Mozilla 0.9.7 allows remote attackers to read arbitrary files and list directories on a client system by opening a URL that redirects the browser to the file on the client, then reading the result using the responseText property. |
Mozilla vulnerabilities Note: Authentication is required to detect this vulnerability |
web_client_mozilla | ||
|
Unknown vulnerability in rpc.passwd in the nfs.sw.nis subsystem of SGI IRIX 6.5.15 and earlier allows local users to gain root privileges. |
yppasswdd detected |
rpc_yppasswdd | ||
|
xfsmd for IRIX 6.5 through 6.5.16 uses weak authentication, which allows remote attackers to call dangerous RPC functions, including those that can mount or unmount xfs file systems, to gain root privileges. |
xfsmd vulnerability |
rpc_xfsmd | ||
|
ghostscript before 6.53 allows attackers to execute arbitrary commands by using .locksafe or .setsafe to reset the current pagedevice. |
Linux lpd |
printer_linuxlpd | ||
|
Buffer overflow in the chunked encoding transfer mechanism in IIS 4.0 and 5.0 allows attackers to execute arbitrary code via the processing of HTR request sessions, aka "Heap Overrun in HTR Chunked Encoding Could Enable Web Server Compromise." |
http IIS access |
web_server_iis_htr | ||
|
Buffer overflow in Remote Access Service (RAS) phonebook for Windows NT 4.0, 2000, XP, and Routing and Remote Access Server (RRAS) allows local users to execute arbitrary code by modifying the rasphone.pbk file to use a long dial-up entry. |
Windows updates needed Note: Authentication is required to detect this vulnerability |
win_patch_rasphonebook | ||
|
smss.exe debugging subsystem in Windows NT and Windows 2000 does not properly authenticate programs that connect to other programs, which allows local users to gain administrator or SYSTEM privileges by duplicating a handle to a privileged process, as demonstrated by DebPloit. |
Windows updates needed Note: Authentication is required to detect this vulnerability |
win_patch_debugger | ||
|
Buffer overflow in Apple QuickTime 5.0 ActiveX component allows remote attackers to execute arbitrary code via a long pluginspage field. |
QuickTime vulnerabilities Note: Authentication is required to detect this vulnerability |
misc_quicktime | ||
|
Buffer overflow in University of Washington imap server (uw-imapd) imap-2001 (imapd 2001.315) and imap-2001a (imapd 2001.315) with legacy RFC 1730 support, and imapd 2000.287 and earlier, allows remote authenticated users to execute arbitrary code via a long BODY request. |
imap version |
mail_imap_shell | ||
|
Cross-site scripting vulnerabilities in Mailman before 2.0.11 allow remote attackers to execute script via (1) the admin login page, or (2) the Pipermail index summaries. |
Mailman vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
mail_misc_mailman | ||
|
Pipermail in Mailman stores private mail messages with predictable filenames in a world-executable directory, which allows local users to read private mailing list archives. |
Mailman vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
mail_misc_mailman | ||
|
Integer overflow in xdr_array function in RPC servers for operating systems that use libc, glibc, or other code based on SunRPC including dietlibc, allows remote attackers to execute arbitrary code by passing a large number of arguments to xdr_array through RPC services such as rpc.cmsd and dmispd. |
sunrpc vulnerabilities |
rpc_kadmin rpc_openafs rpc_sunrpc |
||
|
Apache 1.3 through 1.3.24, and Apache 2.0 through 2.0.36, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a chunk-encoded HTTP request that causes Apache to use an incorrect size. |
Apache vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
web_server_apache_version | ||
|
ISC BIND 9 before 9.2.1 allows remote attackers to cause a denial of service (shutdown) via a malformed DNS packet that triggers an error condition that is not properly handled when the rdataset parameter to the dns_message_findtype() function in message.c is not NULL, aka DoS_findtype. |
DNS vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
dns_binddos dns_potential |
||
|
Format string vulnerability in TraceEvent function for ntop before 2.1 allows remote attackers to execute arbitrary code by causing format strings to be injected into calls to the syslog function, via (1) an HTTP GET request, (2) a user name in HTTP authentication, or (3) a password in HTTP authentication. |
ntop server vulnerability |
web_tool_ntop | ||
|
Directory traversal vulnerability in the web server used in RealPlayer 6.0.7, and possibly other versions, may allow local users to read files that are accessible to RealPlayer via a .. (dot dot) in an HTTP GET request to port 1275. |
RealPlayer vulnerabilities http server read access Note: Authentication is required to detect this vulnerability |
misc_reallinux misc_realplayer web_server_read |
||
|
Information leaks in IIS 4 through 5.1 allow remote attackers to obtain potentially sensitive information or more easily conduct brute force attacks via responses from the server in which (2) in certain configurations, the server IP address is provided as the realm for Basic authentication, which could reveal real IP addresses that were obscured by NAT, or (3) when NTLM authentication is used, the NetBIOS name of the server and its Windows NT domain are revealed in response to an Authorization request. NOTE: this entry originally contained a vector (1) in which the server reveals whether it supports Basic or NTLM authentication through 401 Access Denied error messages. CVE has REJECTED this vector; it is not a vulnerability because the information is already available through legitimate use, since authentication cannot proceed without specifying a scheme that is supported by both the client and the server. |
http header vulnerabilities |
web_security_internalip | ||
|
Buffer overflow in efingerd 1.5 and earlier, and possibly up to 1.61, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a finger request from an IP address with a long hostname that is obtained via a reverse DNS lookup. |
finger vulnerabilities |
misc_finger_efingerd | ||
|
efingerd 1.61 and earlier, when configured without the -u option, executes .efingerd files as the efingerd user (typically "nobody"), which allows local users to gain privileges as the efingerd user by modifying their own .efingerd file and running finger. |
finger vulnerabilities |
misc_finger_efingerd | ||
|
Marcus S. Xenakis directory.php script allows remote attackers to execute arbitrary commands via shell metacharacters in the dir parameter. |
http cgi access |
web_prog_php_directory | ||
|
Buffer overflow in webpsvc.exe for Talentsoft Web+ 5.0 and earlier allows remote attackers to execute arbitrary code via a long argument to webplus.exe program, which triggers the overflow in webpsvc.exe. |
http potential problems |
web_prog_cgi_webpluspot | ||
|
filemanager_forms.php in PHProjekt 3.1 and 3.1a allows remote attackers to execute arbitrary PHP code by specifying the URL to the code in the lib_path parameter. |
PHProjekt vulnerabilities |
web_prog_php_filemanager | ||
|
Directory traversal vulnerability in filemanager.asp for Hosting Controller 1.4.1 and earlier allows remote attackers to read and modify arbitrary files, and execute commands, via a .. (dot dot) in the OpenPath parameter. |
http potential problems |
web_prog_asp_filemanager | ||
|
db.php in phpBB 2.0 (aka phpBB2) RC-3 and earlier allows remote attackers to execute arbitrary code from remote servers via the phpbb_root_path parameter. |
http cgi access |
web_prog_php_phpbbdb | ||
|
The default configuration of Foundry Networks EdgeIron 4802F allows remote attackers to modify sensitive information via arbitrary SNMP community strings. |
Guessable Write Community |
net_snmp_write | ||
|
Directory traversal vulnerability in PCI Netsupport Manager before version 7, when running web extensions, allows remote attackers to read arbitrary files via a .. (dot dot) in the HTTP GET request. |
http server read access |
web_server_read | ||
|
Linux Directory Penguin traceroute.pl CGI script 1.0 allows remote attackers to execute arbitrary code via shell metacharacters in the host parameter. |
http cgi access |
web_prog_cgi_traceroute | ||
|
Linux Directory Penguin NsLookup CGI script (nslookup.pl) 1.0 allows remote attackers to execute arbitrary code via shell metacharacters in the (1) query or (2) type parameters. |
http cgi access |
web_prog_cgi_nslookup | ||
|
Apache Tomcat may be started without proper security settings if errors are encountered while reading the web.xml file, which could allow attackers to bypass intended restrictions. |
Apache Tomcat vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
web_dev_tomcatver | ||
|
csSearch.cgi in csSearch 2.3 and earlier allows remote attackers to execute arbitrary Perl code via the savesetup command and the setup parameter, which overwrites the setup.cgi configuration file that is loaded by csSearch.cgi. |
http potential problems |
web_prog_cgi_cssearch | ||
|
Transparent Network Substrate (TNS) Listener in Oracle 9i 9.0.1.1 allows remote attackers to cause a denial of service (CPU consumption) via a single malformed TCP packet to port 1521. |
Oracle TNS Listener |
database_oracle_tns | ||
|
The UDP implementation in Linux 2.4.x kernels keeps the IP Identification field at 0 for all non-fragmented packets, which could allow remote attackers to determine that a target system is running Linux. |
UDP IP Identification |
misc_udpipidzero | ||
|
The PHP administration script in popper_mod 1.2.1 and earlier relies on Apache .htaccess authentication, which allows remote attackers to gain privileges if the script is not appropriately configured by the administrator. |
http cgi access |
web_prog_php_mailadmin | ||
|
SquirrelMail 1.2.5 and earlier allows authenticated SquirrelMail users to execute arbitrary commands by modifying the THEME variable in a cookie. |
SquirrelMail vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
mail_web_squirrel | ||
|
Cross-site scripting vulnerability in Novell Web Search 2.0.1 allows remote attackers to execute arbitrary script as other Web Search users via the search parameter. |
Cross site scripting |
web_prog_jsp_nsearch | ||
|
PHPGroupware 0.9.12 and earlier, when running with the magic_quotes_gpc feature disabled, allows remote attackers to compromise the database via a SQL injection attack. |
phpGroupWare vulnerabilities |
web_prog_php_groupware | ||
|
Nortel CVX 1800 is installed with a default "public" community string, which allows remote attackers to read usernames and passwords and modify the CVX configuration. |
Guessable Read Community |
net_snmp_read | ||
|
Buffer overflow in Tivoli Storage Manager TSM (1) Server or Storage Agents 3.1 through 5.1, and (2) the TSM Client Acceptor Service 4.2 and 5.1, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long HTTP GET request to port 1580 or port 1581. |
Tivoli Storage Manager |
misc_tivoli | ||
|
Directory traversal vulnerability in Aprelium Abyss Web Server (abyssws) before 1.0.0.2 allows remote attackers to read files outside the web root, including the abyss.conf file, via URL-encoded .. (dot dot) sequences in the HTTP request. |
Abyss web server http server read access |
web_server_abyss web_server_read |
||
|
Aprelium Abyss Web Server (abyssws) before 1.0.3 stores the administrative console password in plaintext in the abyss.conf file, which allows local users with access to the file to gain privileges. |
Abyss web server |
web_server_abyss | ||
|
Anthill allows remote attackers to bypass authentication and file bug reports by directly accessing the postbug.php program instead of enterbug.php. |
Anthill vulnerabilities |
web_prog_php_anthill | ||
|
Cross-site scripting vulnerabilities in Anthill allow remote attackers to execute script as other Anthill users. |
Anthill vulnerabilities |
web_prog_php_anthill | ||
|
Directory traversal vulnerability in Quik-Serv HTTP server 1.1B allows remote attackers to read arbitrary files via a .. (dot dot) in a URL. |
http server read access |
web_server_read | ||
|
Directory traversal vulnerability in TYPSoft FTP server 0.97.1 and earlier allows a remote authenticated user (possibly anonymous) to list arbitrary directories via a .. in a LIST (ls) command ending in wildcard *.* characters. |
TYPSoft FTP vulnerabilities |
ftp_typsoft | ||
|
Buffer overflows in PL/SQL module 3.0.9.8.2 in Oracle 9i Application Server 1.0.2.x allow remote attackers to cause a denial of service or execute arbitrary code via (1) a long help page request without a dadname, which overflows the resulting HTTP Location header, (2) a long HTTP request to the plsql module, (3) a long password in the HTTP Authorization, (4) a long Access Descriptor (DAD) password in the addadd form, or (5) a long cache directory name. |
Oracle vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
database_oracle_ias | ||
|
The default configuration of Oracle 9i Application Server 1.0.2.x running Oracle JSP or SQLJSP stores globals.jsa under the web root, which allows remote attackers to gain sensitive information including usernames and passwords via a direct HTTP request to globals.jsa. |
Oracle vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
database_oracle_ias | ||
|
Oracle 9iAS 1.0.2.x compiles JSP files in the _pages directory with world-readable permissions under the web root, which allows remote attackers to obtain sensitive information derived from the JSP code, including usernames and passwords, via a direct HTTP request to _pages. |
Oracle vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
database_oracle_ias | ||
|
Oracle 8i and 9i with PL/SQL package for External Procedures (EXTPROC) allows remote attackers to bypass authentication and execute arbitrary functions by using the TNS Listener to directly connect to the EXTPROC process. |
Oracle TNS Listener |
database_oracle_tns | ||
|
Format string vulnerability in RPC wall daemon (rpc.rwalld) for Solaris 2.5.1 through 8 allows remote attackers to execute arbitrary code via format strings in a message that is not properly provided to the syslog function when the wall command cannot be executed. |
rpc walld vulnerability |
rpc_walld | ||
|
Buffer overflow in OpenSSH before 2.9.9, and 3.x before 3.2.1, with Kerberos/AFS support and KerberosTgtPassing or AFSTokenPassing enabled, allows remote and local authenticated users to gain privileges. |
OpenSSH vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
shell_ssh_openssh | ||
|
Buffer overflow in Netscape 6 and Mozilla 1.0 RC1 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long channel name in an IRC URI. |
Mozilla vulnerabilities Note: Authentication is required to detect this vulnerability |
web_client_mozilla | ||
|
Netscape 6 and Mozilla 1.0 RC1 and earlier allows remote attackers to determine the existence of files on the client system via a LINK element in a Cascading Style Sheet (CSS) page that causes an HTTP redirect. |
Mozilla vulnerabilities Note: Authentication is required to detect this vulnerability |
web_client_mozilla | ||
|
Buffer overflow in WTRS_UI.EXE (WTX_REMOTE.DLL) for WebTrends Reporting Center 4.0d allows remote attackers to execute arbitrary code via a long HTTP GET request to the /reports/ directory. |
WebTrends vulnerabilities |
web_tool_webtrends | ||
|
WebTrends Reporting Center 4.0d allows remote attackers to determine the real path of the web server via a GET request to get_od_toc.pl with an empty Profile parameter, which leaks the pathname in an error message. |
WebTrends vulnerabilities |
web_tool_webtrends | ||
|
dnstools.php for DNSTools 2.0 beta 4 and earlier allows remote attackers to bypass authentication and gain privileges by setting the user_logged_in or user_dnstools_administrator parameters. |
http cgi access |
web_prog_php_dnstools | ||
|
Buffer overflow in the password encryption function of Microsoft SQL Server 2000, including Microsoft SQL Server Desktop Engine (MSDE) 2000, allows remote attackers to gain control of the database and execute arbitrary code via SQL Server Authentication, aka "Unchecked Buffer in Password Encryption Procedure." |
Microsoft SQL Server Note: Authentication is recommended to improve the accuracy of this check |
database_mssql_mssql | ||
|
Integer overflow in sshd in OpenSSH 2.9.9 through 3.3 allows remote attackers to execute arbitrary code during challenge response authentication (ChallengeResponseAuthentication) when OpenSSH is using SKEY or BSD_AUTH authentication. |
OpenSSH vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
shell_ssh_openssh | ||
|
Buffer overflow in sshd in OpenSSH 2.3.1 through 3.3 may allow remote attackers to execute arbitrary code via a large number of responses during challenge response authentication when OpenBSD is using PAM modules with interactive keyboard authentication (PAMAuthenticationViaKbdInt). |
OpenSSH vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
shell_ssh_openssh | ||
|
Buffer overflow in bulk insert procedure of Microsoft SQL Server 2000, including Microsoft SQL Server Desktop Engine (MSDE) 2000, allows attackers with database administration privileges to execute arbitrary code via a long filename in the BULK INSERT query. |
Microsoft SQL Server Note: Authentication is recommended to improve the accuracy of this check |
database_mssql_mssql | ||
|
The registry key containing the SQL Server service account information in Microsoft SQL Server 2000, including Microsoft SQL Server Desktop Engine (MSDE) 2000, has insecure permissions, which allows local users to gain privileges, aka "Incorrect Permission on SQL Server Service Account Registry Key." |
Microsoft SQL Server Note: Authentication is recommended to improve the accuracy of this check |
database_mssql_mssql | ||
|
Buffer overflow in several Database Consistency Checkers (DBCCs) for Microsoft SQL Server 2000 and Microsoft Desktop Engine (MSDE) 2000 allows members of the db_owner and db_ddladmin roles to execute arbitrary code. |
Microsoft SQL Server Note: Authentication is recommended to improve the accuracy of this check |
database_mssql_mssql | ||
|
SQL injection vulnerability in stored procedures for Microsoft SQL Server 2000 and Microsoft Desktop Engine (MSDE) 2000 may allow authenticated users to execute arbitrary commands. |
Microsoft SQL Server Note: Authentication is recommended to improve the accuracy of this check |
database_mssql_mssql | ||
|
The legacy <script> data-island capability for XML in Microsoft Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to read arbitrary XML files, and portions of other files, via a URL whose "src" attribute redirects to a local file. |
Internet Explorer vulnerabilities Note: Authentication is required to detect this vulnerability |
win_patch_ie_png | ||
|
Multiple buffer overflows in the Resolution Service for Microsoft SQL Server 2000 and Microsoft Desktop Engine 2000 (MSDE) allow remote attackers to cause a denial of service or execute arbitrary code via UDP packets to port 1434 in which (1) a 0x04 byte that causes the SQL Monitor thread to generate a long registry key name, or (2) a 0x08 byte with a long string causes heap corruption, as exploited by the Slammer/Sapphire worm. |
Microsoft SQL Server Note: Authentication is recommended to improve the accuracy of this check |
database_mssql_mssql | ||
|
The keep-alive mechanism for Microsoft SQL Server 2000 allows remote attackers to cause a denial of service (bandwidth consumption) via a "ping" style packet to the Resolution Service (UDP port 1434) with a spoofed IP address of another SQL Server system, which causes the two servers to exchange packets in an infinite loop. |
Microsoft SQL Server Note: Authentication is recommended to improve the accuracy of this check |
database_mssql_mssql | ||
|
Buffer overflow in the DNS resolver code used in libc, glibc, and libbind, as derived from ISC BIND, allows remote malicious DNS servers to cause a denial of service and possibly execute arbitrary code via the stub resolvers. |
DNS resolver library Note: Authentication is recommended to improve the accuracy of this check |
dns_resolver | ||
|
xfsmd for IRIX 6.5 through 6.5.16 allows remote attackers to execute arbitrary code via shell metacharacters that are not properly filtered from several calls to the popen() function, such as export_fs(). |
xfsmd vulnerability |
rpc_xfsmd | ||
|
Off-by-one buffer overflow in the ssl_compat_directive function, as called by the rewrite_command hook for mod_ssl Apache module 2.8.9 and earlier, allows local users to execute arbitrary code as the Apache server user via .htaccess files with long entries. |
Apache SSL module vulnerabilities |
web_mod_ssl | ||
|
OpenSSL 0.9.6d and earlier, and 0.9.7-beta2 and earlier, does not properly handle ASCII representations of integers on 64 bit platforms, which could allow attackers to cause a denial of service and possibly execute arbitrary code. |
OpenSSL vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
misc_openssl | ||
|
Buffer overflows in OpenSSL 0.9.6d and earlier, and 0.9.7-beta2 and earlier, allow remote attackers to execute arbitrary code via (1) a large client master key in SSL2 or (2) a large session ID in SSL3. |
OpenSSL vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
misc_openssl | ||
|
Buffer overflow in OpenSSL 0.9.7 before 0.9.7-beta3, with Kerberos enabled, allows attackers to execute arbitrary code via a long master key. |
OpenSSL vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
misc_openssl | ||
|
The ASN1 library in OpenSSL 0.9.6d and earlier, and 0.9.7-beta2 and earlier, allows remote attackers to cause a denial of service via invalid encodings. |
OpenSSL vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
misc_openssl | ||
|
Directory traversal vulnerability in Apache 2.0 through 2.0.39 on Windows, OS2, and Netware allows remote attackers to read arbitrary files and execute commands via .. (dot dot) sequences containing \ (backslash) characters. |
Apache vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
web_server_apache_version | ||
|
CDE ToolTalk database server (ttdbserver) allows remote attackers to overwrite arbitrary memory locations with a zero, and possibly gain privileges, via a file descriptor argument in an AUTH_UNIX procedure call, which is used as a table index by the _TT_ISCLOSE procedure. |
tooltalk version |
rpc_tooltalkiv | ||
|
CDE ToolTalk database server (ttdbserver) allows local users to overwrite arbitrary files via a symlink attack on the transaction log file used by the _TT_TRANSACTION RPC procedure. |
tooltalk version |
rpc_tooltalkiv | ||
|
Buffer overflow in Common Desktop Environment (CDE) ToolTalk RPC database server (rpc.ttdbserverd) allows remote attackers to execute arbitrary code via an argument to the _TT_CREATE_FILE procedure. |
tooltalk version |
rpc_tooltalkbo | ||
|
Cross-site scripting vulnerability in Apache Tomcat 4.0.3 allows remote attackers to execute script as other web users via script in a URL with the /servlet/ mapping, which does not filter the script when an exception is thrown by the servlet. |
Apache Tomcat vulnerabilities Cross site scripting Note: Authentication is recommended to improve the accuracy of this check |
web_dev_tomcatver web_server_css |
||
|
Buffer overflow in DNS resolver functions that perform lookup of network names and addresses, as used in BIND 4.9.8 and ported to glibc 2.2.5 and earlier, allows remote malicious DNS servers to execute arbitrary code through a subroutine used by functions such as getnetbyname and getnetbyaddr. |
DNS resolver library Note: Authentication is recommended to improve the accuracy of this check |
dns_resolver | ||
|
Buffer overflow in the search component for iPlanet Web Server (iWS) 4.1 and Sun ONE Web Server 6.0 allows remote attackers to execute arbitrary code via a long argument to the NS-rel-doc-name parameter. |
http cgi access |
web_prog_cgi_iplanetsearch | ||
|
The "through the web code" capability for Zope 2.0 through 2.5.1 b1 allows untrusted users to shut down the Zope server via certain headers. |
Zope vulnerabilities |
web_dev_zope | ||
|
ZCatalog plug-in index support capability for Zope 2.4.0 through 2.5.1 allows anonymous users and untrusted code to bypass access restrictions and call arbitrary methods of catalog indexes. |
Zope vulnerabilities |
web_dev_zope | ||
|
Buffer overflow in the HTML Help ActiveX Control (hhctrl.ocx) in Microsoft Windows 98, 98 Second Edition, Millennium Edition, NT 4.0, NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP allows remote attackers to execute code via (1) a long parameter to the Alink function, or (2) script containing a long argument to the showHelp function. |
Windows updates needed Note: Authentication is required to detect this vulnerability |
win_patch_help | ||
|
The HTML Help facility in Microsoft Windows 98, 98 Second Edition, Millennium Edition, NT 4.0, NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP uses the Local Computer Security Zone when opening .chm files from the Temporary Internet Files folder, which allows remote attackers to execute arbitrary code via HTML mail that references or inserts a malicious .chm file containing shortcuts that can be executed, aka "Code Execution via Compiled HTML Help File." |
Windows updates needed Note: Authentication is required to detect this vulnerability |
win_patch_help | ||
|
Buffer overflow in the Transact-SQL (T-SQL) OpenRowSet component of Microsoft Data Access Components (MDAC) 2.5 through 2.7 for SQL Server 7.0 or 2000 allows remote attackers to execute arbitrary code via a query that calls the OpenRowSet command. |
Microsoft SQL Server Note: Authentication is recommended to improve the accuracy of this check |
database_mssql_mssql | ||
|
Buffer overflow in Internet Mail Connector (IMC) for Microsoft Exchange Server 5.5 allows remote attackers to execute arbitrary code via an EHLO request from a system with a long name as obtained through a reverse DNS lookup, which triggers the overflow in IMC's hello response. |
Microsoft Exchange vulnerabilities |
mail_smtp_exchange | ||
|
Format string vulnerabilities in the logging routines for dynamic DNS code (print.c) of ISC DHCP daemon (DHCPD) 3 to 3.0.1rc8, with the NSUPDATE option enabled, allow remote malicious DNS servers to execute arbitrary code via format strings in a DNS server response. |
dhcpd vulnerabilities |
misc_dhcp | ||
|
The Web Reports Server for SurfControl SuperScout WebFilter stores the "scwebusers" username and password file in a web-accessible directory, which allows remote attackers to obtain valid usernames and crack the passwords. |
SurfControl vulnerabilities |
web_tool_surfcontrol | ||
|
UserManager.js in the Web Reports Server for SurfControl SuperScout WebFilter uses weak encryption for administrator functions, which allows remote attackers to decrypt the administrative password using a hard-coded key in a Javascript function. |
SurfControl vulnerabilities |
web_tool_surfcontrol | ||
|
The Web Reports Server for SurfControl SuperScout WebFilter allows remote attackers to cause a denial of service (CPU consumption) via large GET requests, possibly due to a buffer overflow. |
SurfControl vulnerabilities |
web_tool_surfcontrol | ||
|
Directory traversal vulnerability in the Web Reports Server for SurfControl SuperScout WebFilter allows remote attackers to read arbitrary files via an HTTP request containing ... (triple dot) sequences. |
SurfControl vulnerabilities |
web_tool_surfcontrol | ||
|
SQL injection vulnerabilities in the Web Reports Server for SurfControl SuperScout WebFilter allow remote attackers to execute arbitrary SQL queries via the RunReport option to SimpleBar.dll, and possibly other DLLs. |
SurfControl vulnerabilities |
web_tool_surfcontrol | ||
|
PHP 4.2.0 and 4.2.1 allows remote attackers to cause a denial of service and possibly execute arbitrary code via an HTTP POST request with certain arguments in a multipart/form-data form, which generates an error condition that is not properly handled and causes improper memory to be freed. |
PHP vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_version | ||
|
A handler routine for the Network Connection Manager (NCM) in Windows 2000 allows local users to gain privileges via a complex attack that causes the handler to run in the LocalSystem context with user-specified code. |
Windows updates needed Note: Authentication is required to detect this vulnerability |
win_patch_connman | ||
|
Microsoft SQL Server 7.0 and 2000 installs with weak permissions for extended stored procedures that are associated with helper functions, which could allow unprivileged users, and possibly remote attackers, to run stored procedures with administrator privileges via (1) xp_execresultset, (2) xp_printstatements, or (3) xp_displayparamstmt. |
MS SQL Server local vulnerabilities Microsoft SQL Server Note: Authentication is recommended to improve the accuracy of this check |
database_mssql_local_xpprivelev database_mssql_mssql |
||
|
Buffer overflow in SMB (Server Message Block) protocol in Microsoft Windows NT, Windows 2000, and Windows XP allows attackers to cause a denial of service (crash) via a SMB_COM_TRANSACTION packet with a request for the (1) NetShareEnum, (2) NetServerEnum2, or (3) NetServerEnum3, aka "Unchecked Buffer in Network Share Provider Can Lead to Denial of Service". |
Windows updates needed Note: Authentication is required to detect this vulnerability |
win_patch_shareprovider | ||
 |
Microsoft SQL Server 2000 allows remote attackers to cause a denial of service via a malformed 0x08 packet that is missing a colon separator. |
Microsoft SQL Server Note: Authentication is recommended to improve the accuracy of this check unless dangerous checks are enabled |
database_mssql_mssql database_mssql_res |
||
|
Cross-site scripting vulnerability in thttpd 2.20 and earlier allows remote attackers to execute arbitrary script via a URL to a nonexistent page, which causes thttpd to insert the script into a 404 error message. |
Cross site scripting |
web_server_css | ||
|
Microsoft BackOffice 4.0 and 4.5, when configured to be accessible by other systems, allows remote attackers to bypass authentication and access the administrative ASP pages via an HTTP request with an authorization type (auth_type) that is not blank. |
Microsoft BackOffice |
web_tool_backoffice | ||
|
Sambar web server before 5.2 beta 1 allows remote attackers to obtain source code of server-side scripts, or cause a denial of service (resource exhaustion) via DOS devices, using a URL that ends with a space and a null character. |
Sambar vulnerabilities |
web_server_sambarsource | ||
|
CGIscript.net csMailto.cgi allows remote attackers to execute arbitrary commands via shell metacharacters in the form-attachment field. |
http potential problems |
web_prog_cgi_csmailto | ||
|
CGIscript.net csMailto.cgi program allows remote attackers to read arbitrary files by specifying the target filename in the form-attachment field. |
http potential problems |
web_prog_cgi_csmailto | ||
|
CGIscript.net csMailto.cgi program allows remote attackers to use csMailto as a "spam proxy" and send mail to arbitrary users via modified (1) form-to, (2) form-from, and (3) form-results parameters. |
http potential problems |
web_prog_cgi_csmailto | ||
|
CGIscript.net csMailto.cgi program exports feedback to a file that is accessible from the web document root, which could allow remote attackers to obtain sensitive information by directly accessing the file. |
http potential problems |
web_prog_cgi_csmailto | ||
|
Buffer overflow in Talentsoft Web+ 5.0 allows remote attackers to execute arbitrary code via an HTTP request with a long cookie. |
http potential problems |
web_prog_cgi_webpluspot | ||
|
(1) Webmin 0.96 and (2) Usermin 0.90 with password timeouts enabled allow local and possibly remote attackers to bypass authentication and gain privileges via certain control characters in the authentication information, which can force Webmin or Usermin to accept arbitrary username/session ID combinations. |
Webmin vulnerabilities |
web_tool_webminauth | ||
|
Buffer overflow in the LDAP component of Ipswitch IMail 7.1 and earlier allows remote attackers to execute arbitrary code via a long "bind DN" parameter. |
IMail vulnerabilities |
mail_misc_imailldap | ||
|
Directory traversal vulnerability in Lysias Lidik web server 0.7b allows remote attackers to list directories via an HTTP request with a ... (modified dot dot). |
http server read access |
web_server_read | ||
|
Format string vulnerability in the logging component of snmpdx for Solaris 5.6 through 8 allows remote attackers to gain root privileges. |
SNMP vulnerabilities |
net_snmp_snmp | ||
|
Buffer overflow in the MIB parsing component of mibiisa for Solaris 5.6 through 8 allows remote attackers to gain root privileges. |
SNMP vulnerabilities |
net_snmp_snmp | ||
|
Buffer overflow in the ISAPI DLL filter for Macromedia JRun 3.1 allows remote attackers to execute arbitrary code via a direct request to the filter with a long HTTP host header field in a URL for a .jsp file. |
JRun vulnerabilities |
web_dev_jrun_isapi | ||
|
The multibyte support in PostgreSQL 6.5.x with SQL_ASCII encoding consumes an extra character when processing a character that cannot be converted, which could remove an escape character from the query and make the application subject to SQL injection attacks. |
PostgreSQL vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
database_pgsql | ||
|
Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, allows remote attackers to display restricted products and components via a direct HTTP request to queryhelp.cgi. |
Bugzilla vulnerabilities |
web_prog_cgi_bugzilla | ||
|
Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, when configured to perform reverse DNS lookups, allows remote attackers to bypass IP restrictions by connecting from a system with a spoofed reverse DNS hostname. |
Bugzilla vulnerabilities |
web_prog_cgi_bugzilla | ||
|
Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, (1) creates new directories with world-writable permissions, and (2) creates the params file with world-writable permissions, which allows local users to modify the files and execute code. |
Bugzilla vulnerabilities |
web_prog_cgi_bugzilla | ||
|
Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, allows authenticated users with editing privileges to delete other users by directly calling the editusers.cgi script with the "del" option. |
Bugzilla vulnerabilities |
web_prog_cgi_bugzilla | ||
|
Cross-site scripting vulnerabilities in Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, could allow remote attackers to execute script as other Bugzilla users via the full name (real name) field, which is not properly quoted by editusers.cgi. |
Bugzilla vulnerabilities |
web_prog_cgi_bugzilla | ||
|
Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, when performing a mass change, sets the groupset of all bugs to the groupset of the first bug, which could inadvertently cause insecure groupset permissions to be assigned to some bugs. |
Bugzilla vulnerabilities |
web_prog_cgi_bugzilla | ||
|
Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, does not properly handle URL-encoded field names that are generated by some browsers, which could cause certain fields to appear to be unset, which has the effect of removing group permissions on bugs when buglist.cgi is provided with the encoded field names. |
Bugzilla vulnerabilities |
web_prog_cgi_bugzilla | ||
|
Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, directs error messages from the syncshadowdb command to the HTML output, which could leak sensitive information, including plaintext passwords, if syncshadowdb fails. |
Bugzilla vulnerabilities |
web_prog_cgi_bugzilla | ||
|
Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, may allow remote attackers to cause a denial of service or execute certain queries via a SQL injection attack on the sort order parameter to buglist.cgi. |
Bugzilla vulnerabilities |
web_prog_cgi_bugzilla | ||
|
Heap-based buffer overflow in the TFTP server capability in Cisco IOS 11.1, 11.2, and 11.3 allows remote attackers to cause a denial of service (reset) or modify configuration via a long filename. |
Cisco IOS TFTP Server |
net_cisco_tftp | ||
|
Buffer overflow in VMware Authorization Service for VMware GSX Server 2.0.0 build-2050 allows remote authenticated users to execute arbitrary code via a long GLOBAL argument. |
VMware vulnerabilities |
misc_vmwaregsx | ||
|
The Javascript "Same Origin Policy" (SOP), as implemented in (1) Netscape, (2) Mozilla, and (3) Internet Explorer, allows a remote web server to access HTTP and SOAP/XML content from restricted sites by mapping the malicious server's parent DNS domain name to the restricted site, loading a page from the restricted site into one frame, and passing the information to the attacker-controlled frame, which is allowed because the document.domain of the two frames matches on the parent domain. |
Mozilla vulnerabilities Note: Authentication is required to detect this vulnerability |
web_client_mozilla | ||
|
Buffer overflow in WS_FTP FTP Server 3.1.1 allows remote authenticated users to execute arbitrary code via a long SITE CPWD command. |
WS FTP vulnerabilities |
ftp_wsftp | ||
|
dvips converter for Postscript files in the tetex package calls the system() function insecurely, which allows remote attackers to execute arbitrary commands via certain print jobs, possibly involving fonts. |
LPRng vulnerability |
printer_lprng | ||
|
The shared memory scoreboard in the HTTP daemon for Apache 1.3.x before 1.3.27 allows any user running as the Apache UID to send a SIGUSR1 signal to any process as root, resulting in a denial of service (process kill) or possibly other behaviors that would not normally be allowed, by modifying the parent[].pid and parent[].last_rtime segments in the scoreboard. |
Apache vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
web_server_apache_version | ||
|
Cross-site scripting (XSS) vulnerability in the default error page of Apache 2.0 before 2.0.43, and 1.3.x up to 1.3.26, when UseCanonicalName is "Off" and support for wildcard DNS is present, allows remote attackers to execute script as other web page visitors via the Host: header, a different vulnerability than CAN-2002-1157. |
Apache vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
web_server_apache_version | ||
|
Format string vulnerability in certain third party modifications to mod_dav for logging bad gateway messages (e.g. Oracle9i Application Server 9.0.2) allows remote attackers to execute arbitrary code via a destination URI that forces a "502 Bad Gateway" response, which causes the format string specifiers to be returned from dav_lookup_uri() in mod_dav.c, which is then used in a call to ap_log_rerror(). |
Oracle vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
database_oracle_ias | ||
|
Buffer overflows in the ApacheBench benchmark support program (ab.c) in Apache before 1.3.27, and Apache 2.x before 2.0.43, allow a malicious web server to cause a denial of service and possibly execute arbitrary code via a long response. |
Apache vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
web_server_apache_version | ||
|
Buffer overflow in Sun ONE / iPlanet Web Server 4.1 and 6.0 allows remote attackers to execute arbitrary code via an HTTP request using chunked transfer encoding. |
iPlanet vulnerabilities |
web_server_netscape_iplanet | ||
|
tinyproxy HTTP proxy 1.5.0, 1.4.3, and earlier allows remote attackers to execute arbitrary code via memory that is freed twice (double-free). |
tinyproxy vulnerability |
web_proxy_tinyproxy | ||
|
Cross-site scripting vulnerability in Mailman before 2.0.12 allows remote attackers to execute script as other users via a subscriber's list subscription options in the (1) adminpw or (2) info parameters to the ml-name feature. |
Mailman vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
mail_misc_mailman | ||
|
SQL*NET listener for Oracle Net Oracle9i 9.0.x and 9.2 allows remote attackers to cause a denial of service (crash) via certain debug requests that are not properly handled by the debugging feature. |
Oracle TNS Listener |
database_oracle_tns | ||
|
Buffer overflow in the OpenDataSource function of the Jet engine on Microsoft SQL Server 2000 allows remote attackers to execute arbitrary code. |
Microsoft SQL Server Note: Authentication is recommended to improve the accuracy of this check |
database_mssql_mssql | ||
|
The (1) CertGetCertificateChain, (2) CertVerifyCertificateChainPolicy, and (3) WinVerifyTrust APIs within the CryptoAPI for Microsoft products including Microsoft Windows 98 through XP, Office for Mac, Internet Explorer for Mac, and Outlook Express for Mac, do not properly verify the Basic Constraints of intermediate CA-signed X.509 certificates, which allows remote attackers to spoof the certificates of trusted sites via a man-in-the-middle attack for SSL sessions, as originally reported for Internet Explorer and IIS. |
Windows updates needed Note: Authentication is required to detect this vulnerability |
win_patch_certvalid | ||
|
Remote Data Protocol (RDP) version 5.0 in Microsoft Windows 2000 and RDP 5.1 in Windows XP does not encrypt the checksums of plaintext session data, which could allow a remote attacker to determine the contents of encrypted sessions via sniffing, aka "Weak Encryption in RDP Protocol." |
Microsoft Terminal Server Note: Authentication is recommended to improve the accuracy of this check |
misc_msterminal | ||
|
The Remote Data Protocol (RDP) version 5.1 in Microsoft Windows XP allows remote attackers to cause a denial of service (crash) when Remote Desktop is enabled via a PDU Confirm Active data packet that does not set the Pattern BLT command, aka "Denial of Service in Remote Desktop." |
Microsoft Terminal Server Note: Authentication is recommended to improve the accuracy of this check |
misc_msterminal | ||
|
A certain class that supports XML (Extensible Markup Language) in Microsoft Virtual Machine (VM) 5.0.3805 and earlier, probably com.ms.osp.ospmrshl, exposes certain unsafe methods, which allows remote attackers to execute unsafe code via a Java applet, aka "Inappropriate Methods Exposed in XML Support Classes." |
Windows updates needed Note: Authentication is required to detect this vulnerability |
win_patch_jdbc | ||
|
Java Database Connectivity (JDBC) classes in Microsoft Virtual Machine (VM) up to and including 5.0.3805 allow remote attackers to load and execute DLLs (dynamic link libraries) via a Java applet that calls the constructor for com.ms.jdbc.odbc.JdbcOdbc with the desired DLL terminated by a null string, aka "DLL Execution via JDBC Classes." |
Windows updates needed Note: Authentication is required to detect this vulnerability |
win_patch_jdbc | ||
|
Microsoft Virtual Machine (VM) up to and including build 5.0.3805 allows remote attackers to cause a denial of service (crash) in Internet Explorer via invalid handle data in a Java applet, aka "Handle Validation Flaw." |
Windows updates needed Note: Authentication is required to detect this vulnerability |
win_patch_jdbc | ||
|
Unknown vulnerability in the hosting process (dllhost.exe) for Microsoft Internet Information Server (IIS) 4.0 through 5.1 allows remote attackers to gain privileges by executing an out of process application that acquires LocalSystem privileges, aka "Out of Process Privilege Elevation." |
http IIS access Note: Authentication is recommended to improve the accuracy of this check |
web_server_iis_iis | ||
|
showtemp.cfm for Gafware CFXImage 1.6.6 allows remote attackers to read arbitrary files via (1) a .. or (2) a C: style pathname in the FILE parameter. |
http Cold Fusion |
web_prog_cfm_showtemp | ||
|
Cisco DSL CPE devices running CBOS 2.4.4 and earlier allows remote attackers to cause a denial of service (hang or memory consumption) via (1) a large packet to the DHCP port, (2) a large packet to the Telnet port, or (3) a flood of large packets to the CPE, which causes the TCP/IP stack to consume large amounts of memory. |
Cisco CBOS vulnerabilities Note: A valid SNMP read community string is required to detect this vulnerability unless dangerous checks are enabled |
net_cisco_cbostelnet | ||
|
Directory traversal vulnerability in NewAtlanta ServletExec ISAPI 4.1 allows remote attackers to read arbitrary files via a URL-encoded request to com.newatlanta.servletexec.JSP10Servlet containing "..%5c" (modified dot-dot) sequences. |
http cgi access |
web_prog_jsp_jspten | ||
|
CGIScript.net csNews.cgi allows remote attackers to obtain potentially sensitive information, such as the full server pathname and other configuration settings, via the viewnews command with an invalid database, which leaks the information in error messages. |
http cgi access |
web_prog_cgi_csnewscgi | ||
|
CGIScript.net csNews.cgi allows remote attackers to obtain database files via a direct URL-encoded request to (1) default%2edb or (2) default%2edb.style, or remote authenticated users to perform administrative actions via (3) a database parameter set to default%2edb. |
http cgi access |
web_prog_cgi_csnewscgi | ||
|
CGIScript.net csNews.cgi allows remote authenticated users to read arbitrary files, and possibly gain privileges, via the (1) pheader or (2) pfooter parameters in the "Advanced Settings" capability. |
http cgi access |
web_prog_cgi_csnewscgi | ||
|
CGIScript.net csNews.cgi allows remote authenticated users to execute arbitrary Perl code via terminating quotes and metacharacters in text fields of the "Advanced Settings" capability. |
http cgi access |
web_prog_cgi_csnewscgi | ||
|
Apache Tomcat 4.0.3, and possibly other versions before 4.1.3 beta, allows remote attackers to cause a denial of service (resource exhaustion) via a large number of requests to the server with null characters, which causes the working threads to hang. |
Apache Tomcat vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
web_dev_tomcatver | ||
|
Buffer overflow in rwcgi60 CGI program for Oracle Reports Server 6.0.8.18.0 and earlier, as used in Oracle9iAS and other products, allows remote attackers to execute arbitrary code via a long database name parameter. |
http potential problems |
web_prog_cgi_rwcgi60 | ||
|
Buffer overflow in TNS Listener for Oracle 9i Database Server on Windows systems, and Oracle 8 on VM, allows local users to execute arbitrary code via a long SERVICE_NAME parameter, which is not properly handled when writing an error message to a log file. |
Oracle TNS Listener |
database_oracle_tns | ||
|
Vulnerability in VNC, TightVNC, and TridiaVNC allows local users to execute arbitrary code as LocalSystem by using the Win32 Messaging System to bypass the VNC GUI and access the "Add new clients" dialogue box. |
VNC detected Note: Authentication is recommended to improve the accuracy of this check |
misc_vnc | ||
|
Buffer overflows in PostgreSQL 7.2 allow attackers to cause a denial of service and possibly execute arbitrary code via long arguments to the functions (1) lpad or (2) rpad. |
PostgreSQL vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
database_pgsql | ||
|
Microsoft SQL Server 2000 SP2, when configured as a distributor, allows attackers to execute arbitrary code via the @scriptfile parameter to the sp_MScopyscript stored procedure. |
Microsoft SQL Server Note: Authentication is recommended to improve the accuracy of this check |
database_mssql_mssql | ||
|
SunPCi II VNC uses a weak authentication scheme, which allows remote attackers to obtain the VNC password by sniffing the random byte challenge, which is used as the key for encrypted communications. |
VNC detected Note: Authentication is recommended to improve the accuracy of this check |
misc_vnc | ||
|
Buffer overflows in AnalogX Proxy before 4.12 allows remote attackers to cause a denial of service and possibly execute arbitrary code via (1) a long HTTP request to TCP port 6588 or (2) a SOCKS 4A request to TCP port 1080 with a long DNS hostname. |
AnalogX vulnerabilities |
web_proxy_analogx | ||
|
Directory traversal vulnerability in webmail feature of ArGoSoft Mail Server Plus or Pro 1.8.1.5 and earlier allows remote attackers to read arbitrary files via .. (dot dot) sequences in a URL. |
ArGoSoft mail vulnerabilities |
mail_web_argosoft | ||
|
ArGoSoft Mail Server 1.8.1.7 and earlier allows a webmail user to cause a denial of service (CPU consumption) by forwarding the email to the user while autoresponse is enabled, which creates an infinite loop. |
ArGoSoft mail vulnerabilities |
mail_smtp_argosoft | ||
|
Lotus Domino R4 allows remote attackers to bypass access restrictions for files in the web root via an HTTP request appended with a "?" character, which is treated as a wildcard character and bypasses the web handlers. |
Lotus Domino HTTP vulnerability |
web_server_lotus_four | ||
|
Cisco IOS 12.0 through 12.2, when supporting SSH, allows remote attackers to cause a denial of service (CPU consumption) via a large packet that was designed to exploit the SSH CRC32 attack detection overflow (CVE-2001-0144). |
Cisco vulnerabilities Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_ssh | ||
|
Race condition in Performance Pack in BEA WebLogic Server and Express 5.1.x, 6.0.x, 6.1.x and 7.0 allows remote attackers to cause a denial of service (crash) via a flood of data and connections. |
WebLogic vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
web_dev_weblogic | ||
|
Omnicron OmniHTTPd 2.09 allows remote attackers to cause a denial of service (crash) via an HTTP request with a long, malformed HTTP 1version number. |
OmniHTTPd vulnerabilities |
web_server_omni | ||
|
Directory traversal vulnerability in search engine for iPlanet web server 6.0 SP2 and 4.1 SP9, and Netscape Enterprise Server 3.6, when running on Windows platforms, allows remote attackers to read arbitrary files via ..\ (dot-dot backslash) sequences in the NS-query-pat parameter. |
http cgi access |
web_prog_cgi_iplanetsearch | ||
|
Buffer overflow in SmartMax MailMax POP3 daemon (popmax) 4.8 allows remote attackers to execute arbitrary code via a long USER command. |
MailMax vulnerabilities |
mail_pop_mailmax | ||
|
Buffer overflow in the control service for MERCUR Mailserver 4.2 allows remote attackers to execute arbitrary code via a long password. |
MERCUR vulnerabilities |
mail_smtp_mercur | ||
|
Buffer overflow in the Web Messaging daemon for Ipswitch IMail before 7.12 allows remote attackers to execute arbitrary code via a long HTTP GET request for HTTP/1.0. |
IMail vulnerabilities |
mail_web_imail | ||
|
Abyss Web Server 1.0.3 allows remote attackers to list directory contents via an HTTP GET request that ends in a large number of / (slash) characters. |
Abyss web server |
web_server_abyss | ||
|
Directory traversal vulnerability in Abyss Web Server 1.0.3 allows remote attackers to read arbitrary files via ..\ (dot-dot backslash) sequences in an HTTP GET request. |
Abyss web server |
web_server_abyss | ||
|
The Administration console for Abyss Web Server 1.0.3 before Patch 2 allows remote attackers to gain privileges and modify server configuration via direct requests to CHL files such as (1) srvstatus.chl, (2) consport.chl, (3) general.chl, (4) srvparam.chl, and (5) advanced.chl. |
Abyss web server |
web_server_abyss | ||
|
The Administration console for Abyss Web Server 1.0.3 allows remote attackers to read files without providing login credentials via an HTTP request to a target file that ends in a "+" character. |
Abyss web server |
web_server_abyss | ||
|
Buffer overflow in Novell GroupWise 6.0.1 Support Pack 1 allows remote attackers to execute arbitrary code via a long RCPT TO command. |
Novell GroupWise vulnerabilities |
mail_smtp_groupwise | ||
|
Netscape 6.2.3 and earlier, and Mozilla 1.0.1, allow remote attackers to corrupt heap memory and execute arbitrary code via a GIF image with a zero width. |
Mozilla vulnerabilities Note: Authentication is required to detect this vulnerability |
web_client_mozilla | ||
|
Cisco VPN 3000 Concentrator 3.6(Rel) and earlier, and 2.x.x, when configured to use internal authentication with group accounts and without any user accounts, allows remote VPN clients to log in using PPTP or IPSEC user authentication. |
Cisco VPN vulnerabilities Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_vpn | ||
|
HTML interface for Cisco VPN 3000 Concentrator 2.x.x and 3.x.x before 3.0.3(B) allows remote attackers to cause a denial of service (CPU consumption) via a long URL request. |
Cisco VPN vulnerabilities Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_vpn | ||
|
Information leaks in Cisco VPN 3000 Concentrator 2.x.x and 3.x.x before 3.5.4 allow remote attackers to obtain potentially sensitive information via the (1) SSH banner, (2) FTP banner, or (3) an incorrect HTTP request. |
Cisco VPN vulnerabilities Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_vpn | ||
|
Cisco VPN 3000 Concentrator before 2.5.2(F), with encryption enabled, allows remote attackers to cause a denial of service (reload) via a Windows-based PPTP client with the "No Encryption" option set. |
Cisco VPN vulnerabilities Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_vpn | ||
|
Cisco VPN 3000 Concentrator 2.2.x, and 3.x before 3.5.1, allows restricted administrators to obtain user passwords that are stored in plaintext in HTML source code. |
Cisco VPN vulnerabilities Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_vpn | ||
|
Cisco VPN 3000 Concentrator 2.2.x, and 3.x before 3.5.2, allows restricted administrators to obtain certificate passwords that are stored in plaintext in the HTML source code for Certificate Management pages. |
Cisco VPN vulnerabilities Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_vpn | ||
|
Cisco VPN 3000 Concentrator 2.2.x, and 3.x before 3.5.3, adds an "HTTPS on Public Inbound (XML-Auto)(forward/in)" rule but sets the protocol to "ANY" when the XML filter configuration is enabled, which ultimately allows arbitrary traffic to pass through the concentrator. |
Cisco VPN vulnerabilities Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_vpn | ||
|
Cisco VPN 3000 Concentrator 2.2.x, and 3.x before 3.5.3, allows remote attackers to obtain potentially sensitive information without authentication by directly accessing certain HTML pages. |
Cisco VPN vulnerabilities Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_vpn | ||
|
Cisco VPN 3000 Concentrator 2.2.x, and 3.x before 3.5.3, allows remote attackers to cause a denial of service (crash) via a long (1) username or (2) password to the HTML login interface. |
Cisco VPN vulnerabilities Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_vpn | ||
|
Cisco VPN 3000 Concentrator 2.2.x, 3.6(Rel), and 3.x before 3.5.5, allows remote attackers to cause a denial of service via a long user name. |
Cisco VPN vulnerabilities Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_vpn | ||
|
The LAN-to-LAN IPSEC capability for Cisco VPN 3000 Concentrator 2.2.x, and 3.x before 3.5.4, allows remote attackers to cause a denial of service via an incoming LAN-to-LAN connection with an existing security association with another device on the remote network, which causes the concentrator to remove the previous connection. |
Cisco VPN vulnerabilities Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_vpn | ||
|
Cisco VPN 3000 Concentrator 2.2.x, 3.6(Rel), and 3.x before 3.5.5, allows remote attackers to cause a denial of service via (1) malformed or (2) large ISAKMP packets. |
Cisco VPN vulnerabilities Note: A valid SNMP read community string is required to detect this vulnerability |
net_cisco_vpn | ||
|
Multiple SQL injection vulnerabilities in Mantis 0.17.2 and earlier, when running without magic_quotes_gpc enabled, allows remote attackers to gain privileges or perform unauthorized database operations via modified form fields, e.g. to account_update.php. |
Mantis vulnerabilities |
web_prog_php_mantis | ||
|
print_all_bug_page.php in Mantis 0.17.3 and earlier does not verify the limit_reporters option, which allows remote attackers to view bug summaries for bugs that would otherwise be restricted. |
Mantis vulnerabilities |
web_prog_php_mantis | ||
|
Mantis before 0.17.4 allows remote attackers to list project bugs without authentication by modifying the cookie that is used by the "View Bugs" page. |
Mantis vulnerabilities |
web_prog_php_mantis | ||
|
summary_graph_functions.php in Mantis 0.17.3 and earlier allows remote attackers to execute arbitrary PHP code by modifying the g_jpgraph_path parameter to reference the location of the PHP code. |
Mantis vulnerabilities |
web_prog_php_mantis | ||
|
config_inc2.php in Mantis before 0.17.4 allows remote attackers to execute arbitrary code or read arbitrary files via the parameters (1) g_bottom_include_page, (2) g_top_include_page, (3) g_css_include_file, (4) g_meta_include_file, or (5) a cookie. |
Mantis vulnerabilities |
web_prog_php_mantis | ||
|
Mantis 0.17.4a and earlier allows remote attackers to view private bugs by modifying the f_id bug ID parameter to (1) bug_update_advanced_page.php, (2) bug_update_page.php, (3) view_bug_advanced_page.php, or (4) view_bug_page.php. |
Mantis vulnerabilities |
web_prog_php_mantis | ||
|
The "View Bugs" page (view_all_bug_page.php) in Mantis 0.17.4a and earlier includes summaries of private bugs for users that do not have access to any projects. |
Mantis vulnerabilities |
web_prog_php_mantis | ||
|
TNS Listener in Oracle Net Services for Oracle 9i 9.2.x and 9.0.x, and Oracle 8i 8.1.x, allows remote attackers to cause a denial of service (hang or crash) via a SERVICE_CURLOAD command. |
Oracle TNS Listener |
database_oracle_tns | ||
|
Buffer overflow in Savant Web Server 3.1 and earlier allows remote attackers to execute arbitrary code via a long HTTP GET request. |
Savant vulnerabilities |
web_server_savant | ||
|
Buffer overflow in the authentication function for Microsoft SQL Server 2000 and Microsoft Desktop Engine (MSDE) 2000 allows remote attackers to execute arbitrary code via a long request to TCP port 1433, aka the "Hello" overflow. |
Microsoft SQL Server Note: Authentication is recommended to improve the accuracy of this check |
database_mssql_mssql | ||
|
Mozilla 1.1 and earlier, and Mozilla-based browsers such as Netscape and Galeon, set the document referrer too quickly in certain situations when a new page is being loaded, which allows web pages to determine the next page that is being visited, including manually entered URLs, using the onunload handler. |
Mozilla vulnerabilities Note: Authentication is required to detect this vulnerability |
web_client_mozilla | ||
|
Cross-site scripting vulnerabilities in SquirrelMail 1.2.7 and earlier allows remote attackers to execute script as other web users via (1) addressbook.php, (2) options.php, (3) search.php, or (4) help.php. |
SquirrelMail vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
mail_web_squirrel | ||
|
Encoded directory traversal vulnerability in Dino's web server 2.1 allows remote attackers to read arbitrary files via ".." (dot dot) sequences with URL-encoded (1) "/" (%2f") or (2) "\" (%5c) characters. |
http server read access |
web_server_read | ||
|
Buffer overflow in the Database Console Command (DBCC) that handles user inputs in Microsoft SQL Server 7.0 and 2000, including Microsoft Data Engine (MSDE) 1.0 and Microsoft Desktop Engine (MSDE) 2000, allows attackers to execute arbitrary code via a long SourceDB argument in a "non-SQL OLEDB data source" such as FoxPro, a variant of CAN-2002-0644. |
Microsoft SQL Server Note: Authentication is recommended to improve the accuracy of this check |
database_mssql_mssql | ||
|
Microsoft SQL Server 7.0 and 2000, including Microsoft Data Engine (MSDE) 1.0 and Microsoft Desktop Engine (MSDE) 2000, writes output files for scheduled jobs under its own privileges instead of the entity that launched it, which allows attackers to overwrite system files, aka "Flaw in Output File Handling for Scheduled Jobs." |
Microsoft SQL Server Note: Authentication is recommended to improve the accuracy of this check |
database_mssql_mssql | ||
|
Heap-based buffer overflow in the Remote Data Services (RDS) component of Microsoft Data Access Components (MDAC) 2.1 through 2.6, and Internet Explorer 5.01 through 6.0, allows remote attackers to execute code via a malformed HTTP request to the Data Stub. |
ODBC RDS |
web_server_rds | ||
|
The xp_runwebtask stored procedure in the Web Tasks component of Microsoft SQL Server 7.0 and 2000, Microsoft Data Engine (MSDE) 1.0, and Microsoft Desktop Engine (MSDE) 2000 can be executed by PUBLIC, which allows an attacker to gain privileges by updating a webtask that is owned by the database owner through the msdb.dbo.mswebtasks table, which does not have strong permissions. |
MS SQL Server local vulnerabilities Microsoft SQL Server Note: Authentication is recommended to improve the accuracy of this check |
database_mssql_local_mswebtasks database_mssql_local_runwebtask database_mssql_mssql |
||
|
The default servlet (org.apache.catalina.servlets.DefaultServlet) in Tomcat 4.0.4 and 4.1.10 and earlier allows remote attackers to read source code for server files via a direct request to the servlet. |
Apache Tomcat vulnerabilities http cgi info Note: Authentication is recommended to improve the accuracy of this check |
web_dev_tomcatver web_prog_jsp_defaultservlet |
||
|
IBM Websphere 4.0.3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an HTTP request with long HTTP headers, such as "Host". |
WebSphere vulnerabilities |
web_dev_websphere | ||
|
Buffer overflow in John Franks WN Server 1.18.2 through 2.0.0 allows remote attackers to execute arbitrary code via a long GET request. |
WN vulnerabilities |
web_server_wn | ||
|
Cross-site scripting (XSS) vulnerability in IBM Web Traffic Express Caching Proxy Server 3.6 and 4.x before 4.0.1.26 allows remote attackers to execute script as other users via an HTTP GET request. |
WebSphere Edge Server |
web_dev_websphereproxy | ||
|
Cross-site scripting (XSS) vulnerability in IBM Web Traffic Express Caching Proxy Server 3.6 and 4.x before 4.0.1.26 allows remote attackers to execute script as other users via an HTTP request that contains an Location: header with a "%0a%0d" (CRLF) sequence, which echoes the Location as an HTTP header in the server response. |
WebSphere Edge Server |
web_dev_websphereproxy | ||
|
IBM Web Traffic Express Caching Proxy Server 3.6 and 4.x before 4.0.1.26 allows remote attackers to cause a denial of service (crash) via an HTTP request to helpout.exe with a missing HTTP version number, which causes ibmproxy.exe to crash. |
WebSphere Edge Server |
web_dev_websphereproxy | ||
|
Multiple buffer overflows in Winamp 3.0, when displaying an MP3 in the Media Library window, allows remote attackers to execute arbitrary code via an MP3 file containing a long (1) Artist or (2) Album ID3v2 tag. |
Winamp vulnerabilities Note: Authentication is required to detect this vulnerability |
misc_winamp | ||
|
Buffer overflow in the S/MIME Parsing capability in Microsoft Outlook Express 5.5 and 6.0 allows remote attackers to execute arbitrary code via a digitally signed email with a long "From" address, which triggers the overflow when the user views or previews the message. |
Outlook and Outlook Express Note: Authentication is required to detect this vulnerability |
mail_client_outlookexpress | ||
|
A typographical error in the script source access permissions for Internet Information Server (IIS) 5.0 does not properly exclude .COM files, which allows attackers with only write permissions to upload malicious .COM files, aka "Script Source Access Vulnerability." |
http IIS access Note: Authentication is recommended to improve the accuracy of this check |
web_server_iis_iis | ||
|
Multiple cross-site scripting (XSS) vulnerabilities in the administrative web pages for Microsoft Internet Information Server (IIS) 4.0 through 5.1 allow remote attackers to execute HTML script as other users through (1) a certain ASP file in the IISHELP virtual directory, or (2) possibly other unknown attack vectors. |
http IIS access Note: Authentication is recommended to improve the accuracy of this check |
web_server_iis_iis | ||
|
IIS 5.0 and 5.1 allows remote attackers to cause a denial of service (crash) via malformed WebDAV requests that cause a large amount of memory to be assigned. |
http IIS access Note: Authentication is recommended to improve the accuracy of this check |
web_server_iis_iis | ||
|
Buffer overflow in talkd on NetBSD 1.6 and earlier, and possibly other operating systems, may allow remote attackers to execute arbitrary code via a long inbound message. |
talk vulnerabilities |
misc_talk | ||
|
editproducts.cgi in Bugzilla 2.14.x before 2.14.4, and 2.16.x before 2.16.1, when the "usebuggroups" feature is enabled and more than 47 groups are specified, does not properly calculate bit values for large numbers, which grants extra permissions to users via known features of Perl math that set multiple bits. |
Bugzilla vulnerabilities |
web_prog_cgi_bugzilla | ||
|
bugzilla_email_append.pl in Bugzilla 2.14.x before 2.14.4, and 2.16.x before 2.16.1, allows remote attackers to execute arbitrary code via shell metacharacters in a system call to processmail. |
Bugzilla vulnerabilities |
web_prog_cgi_bugzilla | ||
|
Bugzilla 2.16.x before 2.16.1 does not properly filter apostrophes from an email address during account creation, which allows remote attackers to execute arbitrary SQL via a SQL injection attack. |
Bugzilla vulnerabilities |
web_prog_cgi_bugzilla | ||
|
Buffer overflow in Microsoft PPTP Service on Windows XP and Windows 2000 allows remote attackers to cause a denial of service (hang) and possibly execute arbitrary code via a certain PPTP packet with malformed control data. |
PPTP vulnerabilities |
misc_pptp | ||
|
Multiple format string vulnerabilities in heartbeat 0.4.9 and earlier (claimed as buffer overflows in some sources) allow remote attackers to execute arbitrary code via certain packets to UDP port 694 (incorrectly claimed as TCP in some sources). |
Heartbeat vulnerability Note: Authentication is recommended to improve the accuracy of this check |
misc_heartbeat | ||
|
Buffer overflow in named in BIND 4 versions 4.9.10 and earlier, and 8 versions 8.3.3 and earlier, allows remote attackers to execute arbitrary code via a certain DNS server response containing SIG resource records (RR). |
DNS vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
dns_bindbo dns_potential |
||
|
BIND 8.3.x through 8.3.3 allows remote attackers to cause a denial of service (termination due to assertion failure) via a request for a subdomain that does not exist, with an OPT resource record with a large UDP payload size. |
DNS vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
dns_bindbo dns_potential |
||
|
BIND 8.x through 8.3.3 allows remote attackers to cause a denial of service (crash) via SIG RR elements with invalid expiry times, which are removed from the internal BIND database and later cause a null dereference. |
DNS vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
dns_bindbo dns_potential |
||
|
Avaya Cajun switches P880, P882, P580, and P550R 5.2.14 and earlier contain undocumented accounts (1) manuf and (2) diag with default passwords, which allows remote attackers to gain privileges. |
default device password |
net_avayapass | ||
|
The kadm_ser_in function in (1) the Kerberos v4compatibility administration daemon (kadmind4) in the MIT Kerberos 5 (krb5) krb5-1.2.6 and earlier, (2) kadmind in KTH Kerberos 4 (eBones) before 1.2.1, and (3) kadmind in KTH Kerberos 5 (Heimdal) before 0.5.1 when compiled with Kerberos 4 support, does not properly verify the length field of a request, which allows remote attackers to execute arbitrary code via a buffer overflow attack. |
Kerberos detected |
misc_kadmind | ||
|
Microsoft Outlook 2002 allows remote attackers to cause a denial of service (repeated failure) via an email message with a certain invalid header field that is accessed using POP3, IMAP, or WebDAV, aka "E-mail Header Processing Flaw Could Cause Outlook 2002 to Fail." |
Outlook and Outlook Express Note: Authentication is required to detect this vulnerability |
mail_client_outlook | ||
|
Microsoft Virtual Machine (VM) up to and including build 5.0.3805 allows remote attackers to execute arbitrary code by including a Java applet that invokes COM (Component Object Model) objects in a web site or an HTML mail. |
Windows updates needed Note: Authentication is required to detect this vulnerability |
win_patch_com | ||
|
Two vulnerabilities in Microsoft Virtual Machine (VM) up to and including build 5.0.3805, as used in Internet Explorer and other applications, allow remote attackers to read files via a Java applet with a spoofed location in the CODEBASE parameter in the APPLET tag, possibly due to a parsing error. |
Windows updates needed Note: Authentication is required to detect this vulnerability |
win_patch_com | ||
|
The Java Database Connectivity (JDBC) APIs in Microsoft Virtual Machine (VM) 5.0.3805 and earlier allow remote attackers to bypass security checks and access database contents via an untrusted Java applet. |
Windows updates needed Note: Authentication is required to detect this vulnerability |
win_patch_com | ||
|
Internet Explorer 5.5 and 6.0 does not perform complete security checks on external caching, which allows remote attackers to read arbitrary files. |
Windows updates needed Note: Authentication is required to detect this vulnerability |
win_patch_com | ||
|
Buffer overflow in Oracle iSQL*Plus web application of the Oracle 9 database server allows remote attackers to execute arbitrary code via a long USERID parameter in the isqlplus URL. |
Oracle iSQLPlus vulnerabilities |
database_oracle_isqlplus | ||
|
Alcatel OmniSwitch 7700/7800 switches running AOS 5.1.1 contains a back door telnet server that was intended for development but not removed before distribution, which allows remote attackers to gain administrative privileges. |
Alcatel Operating System |
net_omniswitch | ||
|
An incomplete fix for a cross-site scripting (XSS) vulnerability in SquirrelMail 1.2.8 calls the strip_tags function on the PHP_SELF value but does not save the result back to that variable, leaving it open to cross-site scripting attacks. |
SquirrelMail vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
mail_web_squirrel | ||
|
Multiple buffer overflows in conf.c for Masqmail 0.1.x before 0.1.17, and 0.2.x before 0.2.15, allow local users to gain privileges via certain entries in the configuration file (-C option). |
MasqMail vulnerabilities |
mail_smtp_masqmail | ||
|
The Microsoft Java implementation, as used in Internet Explorer, allows remote attackers to steal cookies and execute script in a different security context via a URL that contains a colon in the domain portion, which is not properly parsed and loads an applet from a malicious site within the security context of the site that is being visited by the user. |
Windows updates needed Note: Authentication is required to detect this vulnerability |
win_patch_com | ||
|
The Microsoft Java virtual machine (VM) build 5.0.3805 and earlier, as used in Internet Explorer, allows remote attackers to extend the Standard Security Manager (SSM) class (com.ms.security.StandardSecurityManager) and bypass intended StandardSecurityManager restrictions by modifying the (1) deniedDefinitionPackages or (2) deniedAccessPackages settings, causing a denial of service by adding Java applets to the list of applets that are prevented from running. |
Windows updates needed Note: Authentication is required to detect this vulnerability |
win_patch_com | ||
|
The Microsoft Java implementation, as used in Internet Explorer, allows remote attackers to cause a denial of service (crash) and possibly conduct other unauthorized activities via applet tags in HTML that bypass Java class restrictions (such as private constructors) by providing the class name in the code parameter, aka "Incomplete Java Object Instantiation Vulnerability." |
Windows updates needed Note: Authentication is required to detect this vulnerability |
win_patch_com | ||
|
Heap-based buffer overflow in Netscape and Mozilla allows remote attackers to execute arbitrary code via a jar: URL that references a malformed .jar file, which overflows a buffer during decompression. |
Mozilla vulnerabilities Note: Authentication is required to detect this vulnerability |
web_client_mozilla | ||
|
Heap-based buffer overflow in the error-handling mechanism for the IIS ISAPI handler in Macromedia ColdFusion 6.0 allows remote attackers to execute arbitrary via an HTTP GET request with a long .cfm file name. |
http Cold Fusion Note: Authentication is recommended to improve the accuracy of this check unless dangerous checks are enabled |
web_prog_cfm_mx | ||
|
Heap-based buffer overflow in the error-handling mechanism for the IIS ISAPI handler in Macromedia JRun 4.0 and earlier allows remote attackers to execute arbitrary via an HTTP GET request with a long .jsp file name. |
JRun vulnerabilities |
web_dev_jrun_isapi | ||
|
Buffer overflow in Dispatch() routine for XFS font server (fs.auto) on Solaris 2.5.1 through 9 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a certain XFS query. |
X Font Server vulnerabilities |
misc_xfs | ||
|
Buffer overflow in samba 2.2.2 through 2.2.6 allows remote attackers to cause a denial of service and possibly execute arbitrary code via an encrypted password that causes the overflow during decryption in which a DOS codepage string is converted to a little-endian UCS2 unicode string. |
Samba vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
win_samba | ||
|
Multiple buffer overflows in RealOne and RealPlayer allow remote attackers to execute arbitrary code via (1) a Synchronized Multimedia Integration Language (SMIL) file with a long parameter, (2) a long long filename in a rtsp:// request, e.g. from a .m3u file, or (3) certain "Now Playing" options on a downloaded file with a long filename. |
RealPlayer vulnerabilities Note: Authentication is required to detect this vulnerability |
misc_reallinux misc_realplayer |
||
|
Buffer overflow in the Windows Shell function in Microsoft Windows XP allows remote attackers to execute arbitrary code via an .MP3 or .WMA audio file with a corrupt custom attribute, aka "Unchecked Buffer in Windows Shell Could Enable System Compromise." |
Windows updates needed Note: Authentication is required to detect this vulnerability |
win_patch_xpshell | ||
|
TightVNC before 1.2.6 generates the same challenge string for multiple connections, which allows remote attackers to bypass VNC authentication by sniffing the challenge and response of other users. |
VNC detected Note: Authentication is recommended to improve the accuracy of this check |
misc_vnc | ||
|
Buffer overflow in Sendmail 5.79 to 8.12.7 allows remote attackers to execute arbitrary code via certain formatted address fields, related to sender and recipient header comments as processed by the crackaddr function of headers.c. |
Sendmail vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
mail_smtp_sendmail | ||
|
Cross-site scripting (XSS) vulnerability in read_body.php for SquirrelMail 1.2.10, 1.2.9, and earlier allows remote attackers to insert script and HTML via the (1) mailbox and (2) passed_id parameters. |
SquirrelMail vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
mail_web_squirrel | ||
|
Unknown vulnerability in smb2www 980804-16 and earlier allows remote attackers to execute arbitrary commands. |
http potential problems |
web_prog_cgi_smb2www | ||
|
overflow.cgi CGI script in Sun Cobalt RaQ 4 with the SHP (Security Hardening Patch) installed allows remote attackers to execute arbitrary code via a POST request with shell metacharacters in the email parameter. |
Cobalt RaQ vulnerabilities |
misc_raqbo | ||
|
Common Unix Printing System (CUPS) 1.1.14 through 1.1.17 allows local users with lp privileges to create or overwrite arbitrary files via file race conditions, as demonstrated by ice-cream. |
CUPS vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
printer_cups | ||
|
Common Unix Printing System (CUPS) 1.1.14 through 1.1.17 allows remote attackers to add printers without authentication via a certain UDP packet, which can then be used to perform unauthorized activities such as stealing the local root certificate for the administration server via a "need authorization" page, as demonstrated by new-coke. |
CUPS vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
printer_cups | ||
|
Common Unix Printing System (CUPS) 1.1.14 through 1.1.17 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code by causing negative arguments to be fed into memcpy() calls via HTTP requests with (1) a negative Content-Length value or (2) a negative length in a chunked transfer encoding. |
CUPS vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
printer_cups | ||
|
jobs.c in Common Unix Printing System (CUPS) 1.1.14 through 1.1.17 does not properly use the strncat function call when processing the options string, which allows remote attackers to execute arbitrary code via a buffer overflow attack. |
CUPS vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
printer_cups | ||
|
filters/image-gif.c in Common Unix Printing System (CUPS) 1.1.14 through 1.1.17 does not properly check for zero-length GIF images, which allows remote attackers to execute arbitrary code via modified chunk headers, as demonstrated by nogif. |
CUPS vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
printer_cups | ||
|
Common Unix Printing System (CUPS) 1.1.14 through 1.1.17 does not properly check the return values of various file and socket operations, which could allow a remote attacker to cause a denial of service (resource exhaustion) by causing file descriptors to be assigned and not released, as demonstrated by fanta. |
CUPS vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
printer_cups | ||
|
Signed integer vulnerability in the COM_TABLE_DUMP package for MySQL 3.23.x before 3.23.54 allows remote attackers to cause a denial of service (crash or hang) in mysqld by causing large negative integers to be provided to a memcpy call. |
MySQL vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
database_mysql_version | ||
|
The COM_CHANGE_USER command in MySQL 3.x before 3.23.54, and 4.x before 4.0.6, allows remote attackers to gain privileges via a brute force attack using a one-character password, which causes MySQL to only compare the provided password against the first character of the real password. |
MySQL vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
database_mysql_version | ||
|
The COM_CHANGE_USER command in MySQL 3.x before 3.23.54, and 4.x to 4.0.6, allows remote attackers to execute arbitrary code via a long response. |
MySQL vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
database_mysql_version | ||
|
Multiple buffer overflows in OpenLDAP2 (OpenLDAP 2) 2.2.0 and earlier allow remote attackers to execute arbitrary code via (1) long -t or -r parameters to slurpd, (2) a malicious ldapfilter.conf file that is not properly handled by getfilter functions, (3) a malicious ldaptemplates.conf that causes an overflow in libldap, (4) a certain access control list that causes an overflow in slapd, or (5) a long generated filename for logging rejected replication requests. |
LDAP vulnerabilities |
misc_ldap | ||
|
OpenLDAP2 (OpenLDAP 2) 2.2.0 and earlier allows remote or local attackers to execute arbitrary code when libldap reads the .ldaprc file within applications that are running with extra privileges. |
LDAP vulnerabilities |
misc_ldap | ||
|
Format string vulnerability in daemon.c for Exim 4.x through 4.10, and 3.x through 3.36, allows exim administrative users to execute arbitrary code by modifying the pid_file_path value. |
Exim vulnerability |
mail_smtp_exim mail_smtp_eximbo |
||
|
Multiple integer overflows in Common Unix Printing System (CUPS) 1.1.14 through 1.1.17 allow remote attackers to execute arbitrary code via (1) the CUPSd HTTP interface, as demonstrated by vanilla-coke, and (2) the image handling code in CUPS filters, as demonstrated by mksun. |
CUPS vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
printer_cups | ||
|
Integer overflow in pdftops, as used in Xpdf 2.01 and earlier, xpdf-i, and CUPS before 1.1.18, allows local users to execute arbitrary code via a ColorSpace entry with a large number of elements, as demonstrated by cups-pdf. |
CUPS vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
printer_cups | ||
|
Apache Tomcat 4.0.5 and earlier, when using both the invoker servlet and the default servlet, allows remote attackers to read source code for server files or bypass certain protections, a variant of CAN-2002-1148. |
Apache Tomcat vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
web_dev_tomcatver | ||
|
Heap-based buffer overflow in the wordwrap function in PHP after 4.1.2 and before 4.3.0 may allow attackers to cause a denial of service or execute arbitrary code. |
PHP vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_version | ||
|
Vulnerability in the cash_words() function for PostgreSQL 7.2 and earlier allows local users to cause a denial of service and possibly execute arbitrary code via a large negative argument, possibly triggering an integer signedness error or buffer overflow. |
PostgreSQL vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
database_pgsql | ||
|
Buffer overflow in the date parser for PostgreSQL before 7.2.2 allows attackers to cause a denial of service and possibly execute arbitrary code via a long date string, aka a vulnerability "in handling long datetime input." |
PostgreSQL vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
database_pgsql | ||
|
Unknown vulnerability in cash_out and possibly other functions in PostgreSQL 7.2.1 and earlier, and possibly later versions before 7.2.3, with unknown impact, based on an invalid integer input which is processed as a different data type, as demonstrated using cash_out(2). |
PostgreSQL vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
database_pgsql | ||
|
Heap-based buffer overflow in the repeat() function for PostgreSQL before 7.2.2 allows attackers to execute arbitrary code by causing repeat() to generate a large string. |
PostgreSQL vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
database_pgsql | ||
|
Buffer overflows in (1) circle_poly, (2) path_encode and (3) path_add (also incorrectly identified as path_addr) for PostgreSQL 7.2.3 and earlier allow attackers to cause a denial of service and possibly execute arbitrary code, possibly as a result of an integer overflow. |
PostgreSQL vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
database_pgsql | ||
|
Buffer overflows in the (1) TZ and (2) SET TIME ZONE enivronment variables for PostgreSQL 7.2.1 and earlier allow local users to cause a denial of service and possibly execute arbitrary code. |
PostgreSQL vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
database_pgsql | ||
|
Gallery photo album package before 1.3.1 allows local and possibly remote attackers to execute arbitrary code via a modified GALLERY_BASEDIR variable that points to a directory or URL that contains a Trojan horse init.php script. |
PHP injection Gallery vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
web_prog_php_captionator web_prog_php_galleryversion |
||
|
The web handler for Perl 5.003 on Novell NetWare 5.1 and NetWare 6 allows remote attackers to execute arbitrary Perl code via an HTTP POST request. |
http NetWare |
web_server_netwareperl | ||
|
Directory traversal vulnerability in the web handler for Perl 5.003 on Novell NetWare 5.1 and NetWare 6 allows remote attackers to read arbitrary files via an HTTP request containing "..%5c" (URL-encoded dot-dot backslash) sequences. |
http NetWare |
web_server_netwareperl | ||
|
The web handler for Perl 5.003 on Novell NetWare 5.1 and NetWare 6 allows remote attackers to obtain Perl version information via the -v option. |
http NetWare |
web_server_netwareperl | ||
|
The Gateway GS-400 server has a default root password of "0001n" that can not be changed via the administrative interface, which can allow attackers to gain root privileges. |
default device password |
net_gatewaypass | ||
|
Cross-site scripting (XSS) vulnerability in CERN Proxy Server allows remote attackers to execute script as other users via a link to a non-existent page whose name contains the script, which is inserted into the resulting error page. |
Cross site scripting |
web_server_css | ||
|
An undocumented SNMP read/write community string ('NoGaH$@!') in Avaya P330, P130, and M770-ATM Cajun products allows remote attackers to gain administrative privileges. |
Guessable Read Community Guessable Write Community |
net_snmp_nogah net_snmp_nogahw |
||
|
Multiple cross-site scripting (XSS) vulnerabilities in OmniHTTPd allow remote attackers to insert script or HTML into web pages via (1) test.php, (2) test.shtml, or (3) redir.exe. |
OmniHTTPd vulnerabilities |
web_server_omni | ||
|
Symantec Raptor Firewall 6.5 and 6.5.3, Enterprise Firewall 6.5.2 and 7.0, VelociRaptor Models 500/700/1000 and 1100/1200/1300, and Gateway Security 5110/5200/5300 generate easily predictable initial sequence numbers (ISN), which allows remote attackers to spoof connections. |
TCP sequence number prediction |
misc_tcpseq | ||
|
The AIM component of Trillian 0.73 and 0.74 allows remote attackers to cause a denial of service (crash) via certain strings such as "P > O < C". |
Trillian vulnerabilities Note: Authentication is required to detect this vulnerability |
misc_trillian | ||
|
Multiple buffer overflows in the IRC component of Trillian 0.73 and 0.74 allows remote malicious IRC servers to cause a denial of service and possibly execute arbitrary code via (1) a large response from the server, (2) a JOIN with a long channel name, (3) a long "raw 221" message, (4) a PRIVMSG with a long nickname, or (5) a long response from an IDENT server. |
Trillian vulnerabilities Note: Authentication is required to detect this vulnerability |
misc_trillian | ||
|
The IRC component of Trillian 0.73 and 0.74 allows remote malicious IRC servers to cause a denial of service (crash) by sending the raw messages (1) 206, (2) 211, (3) 213, (4) 214, (5) 215, (6) 217, (7) 218, (8) 243, (9) 302, (10) 317, (11) 324, (12) 332, (13) 333, (14) 352, and (15) 367. |
Trillian vulnerabilities Note: Authentication is required to detect this vulnerability |
misc_trillian | ||
|
The IRC component of Trillian 0.73 and 0.74 allows remote malicious IRC servers to cause a denial of service (crash) via a PART message with (1) a missing channel or (2) a channel that the Trillian user is not in. |
Trillian vulnerabilities Note: Authentication is required to detect this vulnerability |
misc_trillian | ||
|
Heap-based buffer overflow in Null HTTP Server 0.5.0 and earlier allows remote attackers to execute arbitrary code via a negative value in the Content-Length HTTP header. |
Null httpd vulnerabilities |
web_server_null | ||
|
Cross-site scripting (XSS) vulnerability in Null HTTP Server 0.5.0 and earlier allows remote attackers to insert arbitrary HTML into a "404 Not Found" response. |
Cross site scripting |
web_server_css | ||
|
Directory traversal vulnerability in SWServer 2.2 and earlier allows remote attackers to read arbitrary files via a URL containing .. sequences with "/" or "\" characters. |
http server read access |
web_server_read | ||
|
Directory traversal vulnerability in WebServer 4 Everyone 1.22 allows remote attackers to read arbitrary files via "..\" (dot-dot backslash) sequences in a URL. |
http server read access |
web_server_read | ||
|
The vncserver wrapper for vnc before 3.3.3r2-21 uses the rand() function instead of srand(), which causes vncserver to generate weak cookies. |
VNC detected Note: Authentication is recommended to improve the accuracy of this check |
misc_vnc | ||
|
Directory traversal vulnerability in Daniel Arenz Mini Server 2.1.6 allows remote attackers to read arbitrary files via (1) ../ (dot-dot slash) or (2) ..\ (dot-dot backslash) sequences. |
http server read access |
web_server_read | ||
|
Buffer overflow in XML parser in wsabi.dll of Winamp 3 (1.0.0.488) allows remote attackers to execute arbitrary code via a skin file (.wal) with a long include file tag. |
Winamp vulnerabilities Note: Authentication is required to detect this vulnerability |
misc_winamp | ||
|
Directory traversal vulnerability in ASTAware SearchDisk engine for Sun ONE Starter Kit 2.0 allows remote attackers to read arbitrary files via a .. (dot dot) attack on port (1) 6015 or (2) 6016, or (3) an absolute pathname to port 6017. |
http server read access |
web_server_read | ||
|
Directory traversal vulnerability in CooolSoft Personal FTP Server 2.24 allows remote attackers to read or modify arbitrary files via .. (dot dot) sequences in the commands (1) LIST (ls), (2) mkdir, (3) put, or (4) get. |
FTP server directory traversal |
ftp_traversal | ||
|
Cisco ONS15454 and ONS15327 running ONS before 3.4 uses a "public" SNMP community string that cannot be changed, which allows remote attackers to obtain sensitive information. |
Guessable Read Community |
net_snmp_read | ||
|
Directory traversal vulnerability in thttpd, when using virtual hosting, allows remote attackers to read arbitrary files via .. (dot dot) sequences in the Host: header. |
thttpd vulnerabilities |
web_server_thttpdvirtual | ||
|
Cross-site scripting (XSS) vulnerability in Apache Tomcat 4.1 allows remote attackers to execute arbitrary web script and steal cookies via a URL with encoded newlines followed by a request to a .jsp file whose name contains the script. |
Apache Tomcat vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
web_dev_tomcatver | ||
|
OpenSSL 0.9.6e uses assertions when detecting buffer overflow attacks instead of less severe mechanisms, which allows remote attackers to cause a denial of service (crash) via certain messages that cause OpenSSL to abort from a failed assertion, as demonstrated using SSLv2 CLIENT_MASTER_KEY messages, which are not properly handled in s2_srvr.c. |
OpenSSL vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
misc_openssl | ||
|
Integer overflow in imapparse.c for Cyrus IMAP server 1.4 and 2.1.10 allows remote attackers to execute arbitrary code via a large length value that facilitates a buffer overflow attack, a different vulnerability than CVE-2002-1347. |
Cyrus imap version |
mail_imap_cyrus | ||
|
Directory traversal vulnerability in nph-mr.cgi in Mailreader.com 2.3.20 through 2.3.31 allows remote attackers to view arbitrary files via .. (dot dot) sequences and a null byte (%00) in the configLanguage parameter. |
http cgi access |
web_prog_cgi_nphmr | ||
|
The ap_log_rerror function in Apache 2.0 through 2.035, when a CGI application encounters an error, sends error messages to the client that include the full path for the server, which allows remote attackers to obtain sensitive information. |
Apache vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
web_server_apache_version | ||
|
mod_dav in Apache before 2.0.42 does not properly handle versioning hooks, which may allow remote attackers to kill a child process via a null dereference and cause a denial of service (CPU consumption) in a preforked multi-processing module. |
Apache module vulnerabilities |
web_mod_dav | ||
|
The design of the Internet Key Exchange (IKE) protocol, when using Aggressive Mode for shared secret authentication, does not encrypt initiator or responder identities during negotiation, which may allow remote attackers to determine valid usernames by (1) monitoring responses before the password is supplied or (2) sniffing, as originally reported for FireWall-1 SecuRemote. |
ISAKMP identity disclosure |
misc_isakmpaggrshared | ||
|
Multi-Tech ProxyServer products MTPSR1-100, MTPSR1-120, MTPSR1-202ST, MTPSR2-201, and MTPSR3-200 ship with a null password, which allows remote attackers to gain administrative privileges via Telnet or HTTP. |
guessed account password |
pass_none | ||
|
Novell NetWare 5.1 installs sample applications that allow remote attackers to obtain sensitive information via (1) ndsobj.nlm, (2) allfield.jse, (3) websinfo.bas, (4) ndslogin.pl, (5) volscgi.pl, (6) lancgi.pl, (7) test.jse, or (8) env.pl. |
http cgi info |
web_prog_cgi_ndsobj | ||
|
SSH Secure Shell for Servers and SSH Secure Shell for Workstations 2.0.13 through 3.2.1, when running without a PTY, does not call setsid to remove the child process from the process group of the parent process, which allows attackers to gain certain privileges. |
SSH vulnerabilities |
shell_ssh_ssh | ||
|
SSH Secure Shell for Servers 3.0.0 to 3.1.1 allows remote attackers to override the AllowedAuthentications configuration and use less secure authentication schemes (e.g. password) than configured for the server. |
SSH vulnerabilities |
shell_ssh_ssh | ||
|
The Web Publishing feature in Netscape Enterprise Server 3.x and iPlanet Web Server 4.x allows remote attackers to cause a denial of service (crash) via a wp-html-rend request. |
iPlanet vulnerabilities |
web_server_netscape_dos | ||
|
calendar.php in vBulletin before 2.2.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the command parameter. |
vBulletin vulnerabilities |
web_prog_php_vbulletin | ||
|
The Post_Method function in method.c for Monkey HTTP Daemon before 0.5.1 allows remote attackers to cause a denial of service (crash) via a POST request with an invalid or missing Content-Length header value. |
Monkey HTTP Daemon |
web_server_monkey | ||
|
Cross-site scripting vulnerability (XSS) in the missing template handler in Macromedia ColdFusion MX allows remote attackers to execute arbitrary script as other users by injecting script into the HTTP request for the name of a template, which is not filtered in the resulting 404 error message. |
Cross site scripting |
web_server_css | ||
|
Directory traversal vulnerability in CodeBrws.asp in Microsoft IIS 5.0 allows remote attackers to view source code and determine the existence of arbitrary files via a hex-encoded "%c0%ae%c0%ae" string, which is the Unicode representation for ".." (dot dot). |
http IIS samples |
web_prog_iis_codebrws web_prog_iis_sdkcodebrws |
||
|
Off-by-one error in the CodeBrws.asp sample script in Microsoft IIS 5.0 allows remote attackers to view the source code for files with extensions containing with one additional character after .html, .htm, .asp, or .inc, such as .aspx files. |
http IIS samples |
web_prog_iis_codebrws web_prog_iis_sdkcodebrws |
||
|
csGuestbook.cgi in CGISCRIPT.NET csGuestbook 1.0 allows remote attackers to execute arbitrary Perl code via the setup parameter, which is processed by the Perl eval function. |
http potential problems |
web_prog_cgi_csgb | ||
|
csLiveSupport.cgi in CGIScript.net csLiveSupport allows remote attackers to execute arbitrary Perl code via the setup parameter, which is processed by the Perl eval function. |
http potential problems |
web_prog_cgi_csls | ||
|
csChatRBox.cgi in CGIScript.net csChat-R-Box allows remote attackers to execute arbitrary Perl code via the setup parameter, which is processed by the Perl eval function. |
http potential problems |
web_prog_cgi_cscrb | ||
|
csNewsPro.cgi in CGIScript.net csNews Professional (csNewsPro) allows remote attackers to execute arbitrary Perl code via the setup parameter, which is processed by the Perl eval function. |
http potential problems |
web_prog_cgi_csnews | ||
|
PHProjekt 2.0 through 3.1 relies on the $PHP_SELF variable for authentication, which allows remote attackers to bypass authentication for scripts via a request to a .php file with "sms" in the URL, which is included in the PATH_INFO portion of the $PHP_SELF variable, as demonstrated using "mail_send.php/sms". |
PHProjekt vulnerabilities |
web_prog_php_phprojekt | ||
|
PHProjekt 2.0 through 3.1 allows remote attackers to view or modify data via requests to certain scripts that do not verify if the user is logged in. |
PHProjekt vulnerabilities |
web_prog_php_phprojekt | ||
|
The upload function in PHProjekt 2.0 through 3.1 does not properly verify certain variables related to uploaded data, which allows remote attackers to cause PHProjekt to process arbitrary files. |
PHProjekt vulnerabilities |
web_prog_php_phprojekt | ||
|
Multiple SQL injection vulnerabilities in PHProjekt 2.0 through 3.1 allow remote attackers to execute arbitrary SQL commands via the unknown attack vectors. |
PHProjekt vulnerabilities |
web_prog_php_phprojekt | ||
|
Directory traversal vulnerability in PHProjekt 2.0 through 3.1 allows remote attackers to read arbitrary files via .. (dot dot) sequences. |
PHProjekt vulnerabilities |
web_prog_php_phprojekt | ||
|
Microsoft Site Server 3.0 prior to SP4 installs a default user, LDAP_Anonymous, with a default password of LdapPassword_1, which allows remote attackers the "Log on locally" privilege. |
Microsoft Site Server |
misc_mssiteserver | ||
|
Cross-site scripting (XSS) vulnerability in Drupal 4.0.0 allows remote attackers to inject arbitrary web script or HTML via Javascript in an IMG tag. |
Drupal vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
web_cms_drupal | ||
|
The default configuration of the Windows binary release of MySQL 3.23.2 through 3.23.52 has a NULL root password, which could allow remote attackers to gain unauthorized root access to the MySQL database. |
MySQL missing password |
database_mysql_pass | ||
|
ezhttpbench.php in eZ httpbench 1.1 allows remote attackers to read arbitrary files via a full pathname in the AnalyseSite parameter. |
http cgi access |
web_prog_php_ezhttpbench | ||
|
Directory traversal vulnerability in TinyHTTPD 0.1 .0 allows remote attackers to read or execute arbitrary files via a ".." (dot dot) in the URL. |
http server read access |
web_server_read | ||
|
Savant Webserver 3.1 allows remote attackers to cause a denial of service (crash) via an HTTP GET request with a negative Content-Length value. |
Savant vulnerabilities |
web_server_savant | ||
|
TightVNC before 1.2.4 running on Windows stores unencrypted passwords in the password text control of the WinVNC Properties dialog, which could allow local users to access passwords. |
VNC detected Note: Authentication is recommended to improve the accuracy of this check |
misc_vnc | ||
|
Cross-site scripting (XSS) vulnerability in Monkey 0.5.0 allows remote attackers to inject arbitrary web script or HTML via (1) the URL or (2) a parameter to test2.pl. |
Cross site scripting |
web_server_css | ||
|
Macromedia JRun 3.0 through 4.0, when running on Windows, allows remote attackers to retrieve files in the WEB-INF directory, which contains Java class files and configuration information, via a request to the WEB-INF directory with a trailing dot ("WEB-INF."). |
Web Application Servers |
web_dev_webinf | ||
|
HP Application Server 8.0, when running on Windows, allows remote attackers to retrieve files in the WEB-INF directory, which contains Java class files and configuration information, via a request to the WEB-INF directory with a trailing dot ("WEB-INF."). |
Web Application Servers |
web_dev_webinf | ||
|
jo! jo Webserver 1.0, when running on Windows, allows remote attackers to retrieve files in the WEB-INF directory, which contains Java class files and configuration information, via a request to the WEB-INF directory with a trailing dot ("WEB-INF."). |
Web Application Servers |
web_dev_webinf | ||
|
Oracle Oracle9i Application Server 1.0.2.2 and 9.0.2 through 9.0.2.0.1, when running on Windows, allows remote attackers to retrieve files in the WEB-INF directory, which contains Java class files and configuration information, via a request to the WEB-INF directory with a trailing dot ("WEB-INF."). |
Web Application Servers |
web_dev_webinf | ||
|
Orion Application Server 1.5.3, when running on Windows, allows remote attackers to retrieve files in the WEB-INF directory, which contains Java class files and configuration information, via a request to the WEB-INF directory with a trailing dot ("WEB-INF."). |
Web Application Servers |
web_dev_webinf | ||
|
Pramati Server 3.0, when running on Windows, allows remote attackers to retrieve files in the WEB-INF directory, which contains Java class files and configuration information, via a request to the WEB-INF directory with a trailing dot ("WEB-INF."). |
Web Application Servers |
web_dev_webinf | ||
|
Sybase Enterprise Application Server 4.0, when running on Windows, allows remote attackers to retrieve files in the WEB-INF directory, which contains Java class files and configuration information, via a request to the WEB-INF directory with a trailing dot ("WEB-INF."). |
Web Application Servers |
web_dev_webinf | ||
|
Directory traversal vulnerability in Simple Web Server (SWS) 0.0.4 through 0.1.0 allows remote attackers to read arbitrary files via a ".." (dot dot) in an HTTP request. |
http server read access |
web_server_read | ||
|
The servlet engine in Jakarta Apache Tomcat 3.3 and 4.0.4, when using IIS and the ajp1.3 connector, allows remote attackers to cause a denial of service (crash) via a large number of HTTP GET requests for an MS-DOS device such as AUX, LPT1, CON, or PRN. |
Apache Tomcat vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
web_dev_tomcatver | ||
|
Heap-based buffer overflow in the goim handler of AOL Instant Messenger (AIM) 4.4 through 4.8.2616 allows remote attackers to cause a denial of service (crash) via escaping of the screen name parameter, which triggers the overflow when the user selects "Get Info" on the buddy. |
AOL Instant Messenger Note: Authentication is required to detect this vulnerability |
misc_aim | ||
|
The Diffie-Hellman Key Agreement Protocol allows remote attackers (from the client side) to send arbitrary numbers that are actually not public keys, and trigger expensive server-side DHE modular-exponentiation calculations, aka a D(HE)at or D(HE)ater attack. The client needs very little CPU resources and network bandwidth. The attack may be more disruptive in cases where a client can require a server to select its largest supported key size. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE. |
ArubaOS vulnerabilities Note: Authentication is required to detect this vulnerability |
net_arubaosver | ||
|
The default installation of Apache Tomcat 4.0 through 4.1 and 3.0 through 3.3.1 allows remote attackers to obtain the installation path and other sensitive system information via the (1) SnoopServlet or (2) TroubleShooter example servlets. |
Apache Tomcat vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
web_dev_tomcatver | ||
|
The default installations of Apache Tomcat 3.2.3 and 3.2.4 allows remote attackers to obtain sensitive system information such as directory listings and web root path, via erroneous HTTP requests for Java Server Pages (JSP) in the (1) test/jsp, (2) samples/jsp and (3) examples/jsp directories, or the (4) test/realPath.jsp servlet, which leaks pathnames in error messages. |
Apache Tomcat vulnerabilities http cgi info Note: Authentication is recommended to improve the accuracy of this check |
web_dev_tomcatver web_prog_jsp_pageinfo web_prog_jsp_realpath web_prog_jsp_source |
||
|
Apache Tomcat 4.0.3 for Windows allows remote attackers to obtain the web root path via an HTTP request for a resource that does not exist, such as lpt9, which leaks the information in an error message. |
Apache Tomcat vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
web_dev_tomcatver | ||
|
Apache Tomcat 4.0.1 allows remote attackers to obtain the web root path via HTTP requests for JSP files preceded by (1) +/, (2) >/, (3) </, and (4) %20/, which leaks the pathname in an error message. |
Apache Tomcat vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
web_dev_tomcatver | ||
|
Netgear RP114 Cable/DSL Web Safe Router Firmware 3.26 uses a default administrator password and accepts admin logins on the external interface, which allows remote attackers to gain privileges if the password is not changed. |
default device password |
net_password | ||
|
PHP, when installed on Windows with Apache and ScriptAlias for /php/ set to c:/php/, allows remote attackers to read arbitrary files and possibly execute arbitrary programs via an HTTP request for php.exe with a filename in the query string. |
http cgi access |
web_prog_php_phpexe | ||
|
Cross-site scripting (XSS) vulnerability in the default ASP pages on Microsoft Site Server 3.0 on Windows NT 4.0 allows remote attackers to inject arbitrary web script or HTML via the (1) ctr parameter in Default.asp and (2) the query string to formslogin.asp. |
Microsoft Site Server |
misc_mssiteserver | ||
|
cphost.dll in Microsoft Site Server 3.0 allows remote attackers to cause a denial of service (disk consumption) via an HTTP POST of a file with a long TargetURL parameter, which causes Site Server to abort and leaves the uploaded file in c:\temp. |
Microsoft Site Server |
misc_mssiteserver | ||
|
Buffer overflow in Novell Remote Manager module, httpstk.nlm, in NetWare 5.1 and NetWare 6 allows remote attackers to execute arbitrary code via a long (1) username or (2) password. |
NetWare Remote Manager |
web_tool_netwarerm | ||
|
graph.php in Ganglia PHP RRD Web Client 1.0.2 allows remote attackers to execute arbitrary commands via the command parameter, which is provided to the passthru function. |
http cgi access |
web_prog_php_graph | ||
|
PHP remote file inclusion vulnerability in publish_xp_docs.php for Gallery 1.3.2 allows remote attackers to inject arbitrary PHP code by specifying a URL to an init.php file in the GALLERY_BASEDIR parameter. |
PHP injection |
web_prog_php_publish | ||
|
publish_xp_docs.php in Gallery 1.3.2 allows remote attackers to execute arbitrary PHP code by modifying the GALLERY_BASEDIR parameter to reference a URL on a remote web server that contains the code. |
PHP injection |
web_prog_php_publish | ||
|
Savant Web Server 3.1 and earlier allows remote attackers to bypass authentication for password protected user folders via a URL with a hex encoded space (%20) and a '.' (%2e) at the end of the filename. |
Savant vulnerabilities |
web_server_savant | ||
|
cgitest.exe in Savant Web Server 3.1 and earlier allows remote attackers to cause a denial of service (crash) via a long HTTP request. |
Savant vulnerabilities |
web_server_savant | ||
|
Directory traversal vulnerability in Monkey HTTP Daemon 0.1.4 allows remote attackers to read arbitrary files via .. (dot dot) sequences. |
Monkey HTTP Daemon |
web_server_monkey | ||
|
Cross-site scripting vulnerability AOL Instant Messenger (AIM) 4.5 and 4.7 for MacOS and Windows allows remote attackers to conduct unauthorized activities, such as adding buddies and groups to a user's buddy list, via a URL with a META HTTP-EQUIV="refresh" tag to an aim: URL. |
AOL Instant Messenger Note: Authentication is required to detect this vulnerability |
misc_aim | ||
|
BIND 4 and BIND 8, when resolving recursive DNS queries for arbitrary hosts, allows remote attackers to conduct DNS cache poisoning via a birthday attack that uses a large number of open queries for the same resource record (RR) combined with spoofed responses, which increases the possibility of successfully spoofing a response in a way that is more efficient than brute force methods. |
DNS vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
dns_bindspoof | ||
|
chetcpasswd.cgi in Pedro Lineu Orso chetcpasswd before 2.1 allows remote attackers to read the last line of the shadow file via a long user (userid) field. |
http cgi access |
web_prog_cgi_chetcpasswd | ||
|
Tomcat 4.0 through 4.1.12, using mod_jk 1.2.1 module on Apache 1.3 through 1.3.27, allows remote attackers to cause a denial of service (desynchronized communications) via an HTTP GET request with a Transfer-Encoding chunked field with invalid values. |
Apache Tomcat vulnerabilities Note: Authentication is recommended to improve the accuracy of this check |
web_dev_tomcatver | ||
|
schpw.c in the kpasswd service in kadmind in MIT Kerberos 5 (aka krb5) before 1.11.3 does not properly validate UDP packets before sending responses, which allows remote attackers to cause a denial of service (CPU and bandwidth consumption) via a forged packet that triggers a communication loop, as demonstrated by krb_pingpong.nasl, a related issue to CVE-1999-0103. |
Kerberos detected Note: Authentication is required to detect this vulnerability |
misc_kerberospkg |
: A dangerous check is available for this vulnerability.