| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Apache HTTP Server, when running on Linux with a document root on a Windows share mounted using smbfs, allows remote attackers to obtain unprocessed content such as source files for .php programs via a trailing "\" (backslash), which is not handled by the intended AddType directive. |
| Sun Java System Identity Manager (IdM) 7.0 through 8.0 responds differently to failed use of the end-user question-based login feature depending on whether the user account exists, which allows remote attackers to enumerate valid usernames. |
| HP eSupportDiagnostics ActiveX control (hpediag.dll) 1.0.11.0 exports dangerous methods, which allows remote attackers to (1) read arbitrary files via the ReadTextFile method, or (2) read arbitrary registry values via the ReadValue method. |
| OpenSSH, when using OPIE (One-Time Passwords in Everything) for PAM, allows remote attackers to determine the existence of certain user accounts, which displays a different response if the user account exists and is configured to use one-time passwords (OTP), a similar issue to CVE-2007-2243. |
| XRMS CRM 1.99.2 allows remote attackers to obtain configuration information via a direct request to tests/info.php, which calls the phpinfo function. |
| No-IP Dynamic Update Client (DUC) 2.2.1 on Windows uses weak permissions for the HKLM\SOFTWARE\Vitalwerks\DUC registry key, which allows local users to obtain obfuscated passwords and other sensitive information by reading the (1) TrayPassword, (2) Username, (3) Password, and (4) Hosts registry values. |
| Unspecified vulnerability in the RMI dissector in Wireshark (formerly Ethereal) 0.9.5 through 1.0.0 allows remote attackers to read system memory via unspecified vectors. |
| All Club CMS (ACCMS) 0.0.2 and earlier stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain database configuration information, including credentials, via a direct request to accms.dat. |
| Mozilla Firefox 2.0.0.11, 3.0b2, and possibly earlier versions, when prompting for HTTP Basic Authentication, displays the site requesting the authentication after the Realm text, which might make it easier for remote HTTP servers to conduct phishing and spoofing attacks. |
| Unspecified vulnerability in the Windows client API in Novell GroupWise 7 before SP3 and 6.5 before SP6 Update 3 allows remote authenticated users to access the non-shared stored e-mail messages of another user who has shared at least one folder with the attacker. |
| The RecentChanges feature in WikkaWiki (Wikka Wiki) before 1.1.6.3 allows remote attackers to obtain the names, and possibly revision notes and dates, of private pages via RSS feeds. |
| Unspecified vulnerability in IBM WebSphere Application Server (WAS) 6.0.1 on z/OS allows attackers to read arbitrary files via unknown vectors. |
| Battlefront Dropteam 1.3.3 and earlier sends the client's online account name and password to the game server, which allows malicious game servers to steal account information. |
| Microsoft Windows XP, Server 2003 and 2008, and Vista exposes I/O activity measurements of all processes, which allows local users to obtain sensitive information, as demonstrated by reading the I/O Other Bytes column in Task Manager (aka taskmgr.exe) to estimate the number of characters that a different user entered at a runas.exe password prompt, related to a "benchmarking attack." |
| Microsoft Windows Media Player 6.4, Windows Media Format Runtime 7.1 through 11, and Windows Media Services 4.1 and 9 incorrectly associate ISATAP addresses with the Local Intranet zone, which allows remote servers to capture NTLM credentials, and execute arbitrary code through credential-reflection attacks, by sending an authentication request, aka "ISATAP Vulnerability." |
| Template.pm in Bugzilla 3.3.2 through 3.4.3 and 3.5 through 3.5.1 allows remote attackers to discover the alias of a private bug by reading the (1) Depends On or (2) Blocks field of a related bug. |
| The Cisco Linksys WVC54GCA wireless video camera with firmware 1.00R22 and 1.00R24 sends configuration data in response to a Setup Wizard remote-management command, which allows remote attackers to obtain sensitive information such as passwords by reading the SetupWizard.exe process memory, a related issue to CVE-2008-4390. |
| Unspecified vulnerability in LifeType before 1.1.6, and 1.2 before 1.2-beta2, allows remote attackers to obtain sensitive information (file contents) via a "crafted URL." |
| IntraLearn Software IntraLearn 2.1, and possibly other versions before 4.2.3, allows remote attackers to obtain sensitive information via a direct request to (1) Knowledge_Impact_Course.htm, (2) LRN-formatted_Course.htm, or (3) Create_Course.htm in help/1/Instructor/, which reveals the installation path in an error message. |
| Memory leak in the dequote_bytea function in quote.c in the DBD::Pg (aka DBD-Pg or libdbd-pg-perl) module before 2.0.0 for Perl allows context-dependent attackers to cause a denial of service (memory consumption) by fetching data with BYTEA columns. |