Total: 3242 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2009-1878 | 1 Adobe | 1 Coldfusion | 2023-12-10 | 5.8 MEDIUM | N/A | Session fixation vulnerability in Adobe ColdFusion 8.0.1 and earlier allows remote attackers to hijack web sessions via unspecified vectors. |
CVE-2002-2427 | 1 Goahead | 1 Goahead Webserver | 2023-12-10 | 5.0 MEDIUM | N/A | The security handler in GoAhead WebServer before 2.1.1 allows remote attackers to bypass authentication and obtain access to protected web content via "an extra slash in a URL," a different vulnerability than CVE-2002-1603. |
CVE-2009-1580 | 1 Squirrelmail | 1 Squirrelmail | 2023-12-10 | 5.8 MEDIUM | N/A | Session fixation vulnerability in SquirrelMail before 1.4.18 allows remote attackers to hijack web sessions via a crafted cookie. |
CVE-2008-6763 | 1 Hypersilence | 1 Silentum Loginsys | 2023-12-10 | 7.5 HIGH | N/A | login2.php in Silentum LoginSys 1.0.0 allows remote attackers to bypass authentication and obtain access to an arbitrary account by setting the logged_in cookie to that account's username. |
CVE-2008-1334 | 1 Bt | 1 Home Hub | 2023-12-10 | 7.5 HIGH | N/A | cgi/b on the BT Home Hub router allows remote attackers to bypass authentication, and read or modify administrative settings or make arbitrary VoIP telephone calls, by placing a character at the end of the PATH_INFO, as demonstrated by (1) %5C (encoded backslash), (2) '%' (percent), and (3) '~' (tilde). NOTE: the '/' (slash) vector is already covered by CVE-2007-5383. |
CVE-2008-4515 | 1 Blue Coat Systems | 1 K9 Web Protection | 2023-12-10 | 7.5 HIGH | N/A | Blue Coat K9 Web Protection 4.0.230 Beta relies on client-side JavaScript as a protection mechanism, which allows remote attackers to bypass authentication and access the (1) summary, (2) detail, (3) overrides, and (4) pwemail pages by disabling JavaScript. |
CVE-2008-6739 | 1 Toddwoolums | 1 Asp Download | 2023-12-10 | 7.5 HIGH | N/A | Todd Woolums ASP Download management script 1.03 does not require authentication for setupdownload.asp, which allows remote attackers to gain administrator privileges via a direct request. |
CVE-2009-2003 | 1 Ascadnetworks | 1 Password Protector Sd | 2023-12-10 | 7.5 HIGH | N/A | Ascad Networks Password Protector SD 1.3.1 allows remote attackers to bypass authentication and gain administrative access by setting the (1) c7portal and (2) cookname cookies to "admin." |
CVE-2008-3703 | 1 Symantec | 1 Veritas Storage Foundation | 2023-12-10 | 10.0 HIGH | N/A | The management console in the Volume Manager Scheduler Service (aka VxSchedService.exe) in Symantec Veritas Storage Foundation for Windows (SFW) 5.0, 5.0 RP1a, and 5.1 accepts NULL NTLMSSP authentication, which allows remote attackers to execute arbitrary code via requests to the service socket that create "snapshots schedules" registry values specifying future command execution. NOTE: this issue exists because of an incomplete fix for CVE-2007-2279. |
CVE-2009-1836 | 1 Mozilla | 3 Firefox, Seamonkey, Thunderbird | 2023-12-10 | 6.8 MEDIUM | N/A | Mozilla Firefox before 3.0.11, Thunderbird before 2.0.0.22, and SeaMonkey before 1.1.17 use the HTTP Host header to determine the context of a document provided in a non-200 CONNECT response from a proxy server, which allows man-in-the-middle attackers to execute arbitrary web script by modifying this CONNECT response, aka an "SSL tampering" attack. |
CVE-2007-4043 | 1 Securecomputing | 1 Securityreporter | 2023-12-10 | 5.0 MEDIUM | N/A | file.cgi in Secure Computing SecurityReporter (aka Network Security Analyzer) before 4.6.3 allows remote attackers to bypass authentication via a name parameter ending with a "%00.gif" sequence. NOTE: a separate traversal vulnerability could be leveraged to download arbitrary files. |
CVE-2007-1480 | 1 Creative Guestbook | 1 Creative Guestbook | 2023-12-10 | 7.5 HIGH | N/A | Creative Guestbook 1.0 allows remote attackers to add an administrative account via a direct request to createadmin.php with Name, Email, and PASSWORD parameters set. |
CVE-2007-1953 | 1 Onelook | 1 Courts Online | 2023-12-10 | 7.5 HIGH | N/A | Session fixation vulnerability in onelook courts on-line allows remote attackers to hijack web sessions by setting a PHPSESSID cookie. |
CVE-2007-5113 | 1 Roi Revolution | 1 Urchin | 2023-12-10 | 5.0 MEDIUM | N/A | report.cgi in Google Urchin allows remote attackers to bypass authentication and obtain sensitive information (web server logs) via certain modified query parameters, as demonstrated using the profile, rid, prefs, n, vid, bd, ed, dt, and gtype parameters, a different vulnerability than CVE-2007-5112. |
CVE-2007-6237 | 1 Deluxebb | 1 Deluxebb | 2023-12-10 | 9.0 HIGH | N/A | cp.php in DeluxeBB 1.09 does not verify that the membercookie parameter corresponds to the authenticated member during a profile update, which allows remote authenticated users to change the e-mail addresses of arbitrary accounts via a modified membercookie parameter, a different vector than CVE-2006-4078. NOTE: this can be leveraged for administrative access by requesting password-reset e-mail through a lostpw action to misc.php. |
CVE-2007-3050 | 1 Chameleon Cms | 1 Chameleon Cms | 2023-12-10 | 7.5 HIGH | N/A | Session fixation vulnerability in chameleon cms 3.0 and earlier allows remote attackers to hijack web sessions by setting the PHPSESSID parameter. |
CVE-2007-4692 | 2 Apple, Microsoft | 4 Mac Os X, Mac Os X Server, Safari and 1 more | 2023-12-10 | 4.3 MEDIUM | N/A | The tabbed browsing feature in Apple Safari 3 before Beta Update 3.0.4 on Windows, and Mac OS X 10.4 through 10.4.10, allows remote attackers to spoof HTTP authentication for other sites and possibly conduct phishing attacks by causing an authentication sheet to be displayed for a tab that is not active, which makes it appear as if it is associated with the active tab. |
CVE-2007-2546 | 1 Simple Machines | 1 Simple Machines Forum | 2023-12-10 | 6.8 MEDIUM | N/A | Session fixation vulnerability in Simple Machines Forum (SMF) 1.1.2 and earlier allows remote attackers to hijack web sessions by setting the PHPSESSID parameter. |
CVE-2007-3597 | 1 Zen Cart | 1 Zen Cart | 2023-12-10 | 8.5 HIGH | N/A | Session fixation vulnerability in Zen Cart 1.3.7 and earlier allows remote attackers to hijack web sessions by setting the Cookie parameter. |
CVE-2007-1966 | 1 Exv2 | 1 Content Management System | 2023-12-10 | 5.0 MEDIUM | N/A | Session fixation vulnerability in eXV2 CMS 2.0.4.3 and earlier allows remote attackers to hijack web sessions by setting the PHPSESSID cookie. |
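Seven of the entries above (ColdFusion, SquirrelMail, onelook, Chameleon CMS, SMF, Zen Cart, eXV2) are session fixation: the attacker chooses a session ID, gets the victim to use it (a link with `?PHPSESSID=...`, or a cookie planted through another bug), the victim logs in, and the attacker then presents the same ID and holds an authenticated session. The following is an added example written for this page, not code from any of the listed products; the `Request` and `SessionStore` shapes and the cookie name `PHPSESSID` are assumptions chosen to mirror the PHP applications listed.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for this example)."""
    params: dict = field(default_factory=dict)    # query string, e.g. ?PHPSESSID=...
    cookies: dict = field(default_factory=dict)   # Cookie header


class SessionStore:
    """In-memory session table: session id -> session data (assumption)."""

    def __init__(self):
        self.sessions = {}

    def new_id(self):
        sid = secrets.token_urlsafe(32)   # unguessable and server-issued
        self.sessions[sid] = {}
        return sid


def vulnerable_login(store, req, user):
    """The pattern behind the fixation entries above: the server adopts whatever
    session id the client presents (URL parameter or cookie), creates the
    session if it is unknown, and marks that same id as authenticated."""
    sid = req.params.get("PHPSESSID") or req.cookies.get("PHPSESSID")
    if sid is None:
        sid = store.new_id()
    store.sessions.setdefault(sid, {})["user"] = user
    return sid


def hardened_login(store, req, user):
    """Fix: ignore ids carried in the URL, never adopt an id the server did not
    issue, and rotate the id whenever privilege changes (PHP:
    session_regenerate_id(true)). Pre-login state migrates; the old id dies."""
    presented = req.cookies.get("PHPSESSID")
    sid = store.new_id()
    if presented in store.sessions:           # only server-issued ids are known
        store.sessions[sid].update(store.sessions.pop(presented))
    store.sessions[sid]["user"] = user
    return sid


def fixation_succeeds(login):
    """Run the attack against a login function. The attacker plants an id (for
    instance by sending the victim a link carrying ?PHPSESSID=<id>); the victim
    logs in; the attacker then presents the planted id. True means the attacker
    now holds the victim's authenticated session."""
    store = SessionStore()
    planted = "id-chosen-by-attacker"
    login(store, Request(params={"PHPSESSID": planted}), "victim")
    return store.sessions.get(planted, {}).get("user") == "victim"


def rotation_invalidates_old_id():
    """With the hardened login, pre-login data (a cart, say) survives but the
    old id resolves to nothing once the user is authenticated."""
    store = SessionStore()
    pre = store.new_id()
    store.sessions[pre]["cart"] = ["item"]
    new = hardened_login(store, Request(cookies={"PHPSESSID": pre}), "alice")
    return (pre not in store.sessions and new != pre
            and store.sessions[new] == {"cart": ["item"], "user": "alice"})


if __name__ == "__main__":
    print("vulnerable login fixated:", fixation_succeeds(vulnerable_login))  # True
    print("hardened login fixated:  ", fixation_succeeds(hardened_login))    # False
    print("old id invalidated:      ", rotation_invalidates_old_id())        # True
```

Rotation matters even when the planted id was server-issued: an attacker who first visits the site to obtain a valid id and then plants it still loses, because `hardened_login` deletes that id at the moment of authentication. In PHP the equivalent settings are `session.use_only_cookies=1`, `session.use_strict_mode=1` and a `session_regenerate_id(true)` call on login and on every privilege change.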
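The Silentum LoginSys and Password Protector SD entries are the cookie-trust variant of authentication bypass: the cookie's plain value is the identity, so whoever can write a `Cookie:` header can be anyone. The following is an added example written for this page, not code from either product; the cookie name `logged_in`, the `SERVER_KEY` value and the helper names are assumptions. It shows the trusting check next to one that binds the value to a server secret with HMAC-SHA256 and verifies in constant time.

```python
import base64
import hashlib
import hmac

# Server-side secret. Constructed for this example; in real code it comes
# from a secret store and is never shipped to the client.
SERVER_KEY = b"example-key-for-demonstration-only"


def vulnerable_current_user(cookies):
    """Pattern behind the Silentum LoginSys and Password Protector SD entries:
    the cookie value *is* the identity, so 'Cookie: logged_in=admin' is admin."""
    return cookies.get("logged_in")


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_signed_cookie(username, key=SERVER_KEY):
    """Server side, at login: payload.tag where tag = HMAC-SHA256(key, payload)."""
    payload = _b64(username.encode())
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def hardened_current_user(cookies, key=SERVER_KEY):
    """Accept the identity only if the tag verifies under the server key.
    compare_digest avoids leaking how many leading tag bytes matched."""
    value = cookies.get("logged_in")
    if not value or "." not in value:
        return None
    payload, tag = value.rsplit(".", 1)
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        return _unb64(payload).decode()
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None


def forge_by_splicing(victim_cookie, target_user):
    """Attacker attempt: keep a legitimate tag, swap in a new payload."""
    _, tag = victim_cookie.rsplit(".", 1)
    return f"{_b64(target_user.encode())}.{tag}"


if __name__ == "__main__":
    print(vulnerable_current_user({"logged_in": "admin"}))          # admin (forged, accepted)
    print(hardened_current_user({"logged_in": "admin"}))            # None (no valid tag)
    alice = issue_signed_cookie("alice")
    print(hardened_current_user({"logged_in": alice}))              # alice
    print(hardened_current_user({"logged_in": forge_by_splicing(alice, "admin")}))  # None
```

A signed cookie stops forgery but not replay, and it cannot be revoked server-side without extra state; the usual choice is still an opaque random session id looked up in a server-side store, with the signed-cookie scheme reserved for stateless deployments. Either way the identity must come from something the server issued, never from a value the client can type.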
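Three path tricks on this page share one root cause: GoAhead's "extra slash", the BT Home Hub's trailing `%5C`, and SecurityReporter's `%00.gif` all work because the authorization check runs on the raw request path while the file-serving layer runs on a decoded and normalized one, so the two disagree about which resource is being requested. The following is an added example written for this page, not code from any of the listed products; the policy paths `/admin/` and `/static/`, the suffix list and the function names are assumptions. The dot-segment case at the end of the test generalizes beyond the listed entries.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed policy for this example: /admin/ needs a login, /static/ is public.
PROTECTED_PREFIXES = ("/admin/",)
STATIC_EXTENSIONS = (".gif", ".png", ".css", ".js")


def _under(path, prefix):
    """True for the prefix directory itself and anything below it."""
    return path == prefix.rstrip("/") or path.startswith(prefix)


def vulnerable_requires_auth(raw_path):
    """Check on the raw request path, before the server decodes and normalizes
    it, with a suffix exemption for 'static' files. '//admin/x' does not start
    with '/admin/', and '/admin/x%00.gif' ends in '.gif', so both go through
    unauthenticated even though the file layer serves /admin/x for both."""
    if raw_path.endswith(STATIC_EXTENSIONS):
        return False
    return any(raw_path.startswith(p) for p in PROTECTED_PREFIXES)


def canonicalize(raw_path):
    """Produce the path the file layer will actually resolve: percent-decode
    once, treat backslash as a separator, collapse runs of slashes, resolve
    '.' and '..'. Returns None for paths that must be refused outright."""
    path = unquote(raw_path)
    if "\x00" in path:                 # NUL truncates C strings; never let it through
        return None
    path = path.replace("\\", "/")     # the BT Home Hub %5C case
    path = re.sub(r"/+", "/", "/" + path)   # '//admin' -> '/admin'; also anchors relative paths
    return posixpath.normpath(path)    # resolves './' and '../', strips a trailing '/'


def hardened_requires_auth(raw_path):
    """Same policy, applied to the canonical path. Exemptions are keyed on
    location, never on a suffix the attacker controls."""
    path = canonicalize(raw_path)
    if path is None:
        return True                    # refuse; a real handler answers 400
    if _under(path, "/static/"):
        return False
    return any(_under(path, p) for p in PROTECTED_PREFIXES)


if __name__ == "__main__":
    for probe in ("/admin/secret", "//admin/secret", "/admin/secret%00.gif",
                  "/admin/secret%5C", "/static/../admin/secret"):
        print(f"{probe:28} raw-check={vulnerable_requires_auth(probe)!s:5} "
              f"canonical-check={hardened_requires_auth(probe)}")
```

Decode exactly once, to match the server's own decoding; a double-encoded `%2500` must reach the file layer still as the literal `%00` or be rejected there, not be decoded twice by the check. On a server that also accepts an `Alias`, symlink or case-insensitive filesystem, the canonical form has to take those into account as well, which is why the safest place for the check is inside the same routine that resolves the file, after resolution.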