download.php in X10media x10 Automatic Mp3 Search Engine Script 1.5.5 through 1.6 allows remote attackers to read arbitrary files via an encoded url parameter, as demonstrated by obtaining database credentials from includes/constants.php.
evCal Events Calendar stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing the username and password via a direct request to (1) evcal.mdb and (2) evcal97.mdb.
Nightfall Personal Diary 1.0 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the database file via a direct request for users-zza21.mdb.
Ocean12 Mailing List Manager Gold stores sensitive data under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for o12mail.mdb.
Facto stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the database file containing the password via a direct request for database/facto.mdb. NOTE: some of these details are obtained from third party information.
Ikon AdManager 2.1 and earlier stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the database file via a direct request for ikonBAnner_AdManager.mdb.
ASP AutoDealer stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the database file via a direct request for auto.mdb.
The Net Guys ASPired2Quote stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the database file containing usernames and passwords via a direct request for admin/quote.mdb. NOTE: some of these details are obtained from third party information.
The Net Guys ASPired2Blog stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the database file containing usernames and passwords via a direct request for admin/blog.mdb. NOTE: some of these details are obtained from third party information.
ASPPortal stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the database file via a direct request for xportal.mdb.
Ocean12 Membership Manager Pro stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain sensitive information via a direct request to o12member.mdb.
Mercurial before 1.0.2 does not enforce the allowpull permission setting for a pull operation from hgweb, which allows remote attackers to read arbitrary files from a repository via an "hg pull" request.
ASP/MS Access Shoutbox, probably 1.1 beta, stores db/shoutdb.mdb under the web root with insufficient access control, which allows remote attackers to obtain sensitive information via a direct request.
Harmoni before 1.6.0 does not require administrative privileges to list (1) user names or (2) asset ids, which allows remote attackers to obtain sensitive information.
JBoss Enterprise Application Platform (aka JBossEAP or EAP) before 4.2.0.CP03, and 4.3.0 before 4.3.0.CP01, allows remote attackers to obtain sensitive information about "deployed web contexts" via a request to the status servlet, as demonstrated by a full=true query string.
Calacode @Mail 5.41 on Linux uses weak world-readable permissions for (1) webmail/libs/Atmail/Config.php and (2) webmail/webadmin/.htpasswd, which allows local users to obtain sensitive information by reading these files. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Menalto Gallery before 2.2.5 does not enforce permissions for non-album items that have been protected by a password, which might allow remote attackers to bypass intended access restrictions.
_macro_Getval in wikimacro.py in MoinMoin 1.5.8 and earlier does not properly enforce ACLs, which allows remote attackers to read protected pages.
Unspecified vulnerability in BEA WebLogic Portal 8.1 through SP6 allows remote attackers to bypass entitlements for instances of a floatable WLP portlet via unknown vectors.
8e6 R3000 Internet Filter 2.0.05.33, and other versions before 2.0.11, allows remote attackers to bypass intended restrictions via a fragmented HTTP request.
Ingres 2.5 and 2.6 on Windows, as used in multiple CA products and possibly other products, assigns the privileges and identity of users to be the same as the first user, which allows remote attackers to gain privileges.
LiteNews 0.1 (aka 01), and possibly 1.2 and earlier, allows remote attackers to bypass authentication and gain administrative access by setting the admin cookie.
PHP MySQL Banner Exchange 2.2.1 stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain database information via a direct request to inc/lib.inc.
ASP-CMS 1.0 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing the username and password via a direct request for mdb-database/ASP-CMS_v100.mdb.
dBlog CMS, probably 2.0, stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing an admin password hash via a direct request for dblog.mdb.
A regression error in tcp-wrappers 7.6.dbs-10 and 7.6.dbs-11 might allow remote attackers to bypass intended access restrictions when a service uses libwrap but does not specify server connection information.
SimpNews 2.41.03 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download arbitrary .inc files via a direct request, as demonstrated by admin/includes/dbtables.inc.
CS Guestbook stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain the admin name and MD5 password hash via a direct request for base/usr/0.php.
Unspecified vulnerability in the server in Firebird before 2.0.2 allows remote attackers to determine the existence of arbitrary files, and possibly obtain other "file access," via unknown vectors, aka CORE-1312.
Cisco Catalyst 6500 and Cisco 7600 series devices use 127/8 IP addresses for Ethernet Out-of-Band Channel (EOBC) internal communication, which might allow remote attackers to send packets to an interface for which network exposure was unintended.
Unspecified vulnerability in Adobe Connect Enterprise Server 6 allows remote attackers to read certain pages that are restricted to the administrator via unknown vectors.
OpenSER 1.2.2 does not verify the Digest authentication header URI against the Request URI in SIP messages, which allows remote attackers to use sniffed Digest authentication credentials to call arbitrary telephone numbers or spoof caller ID (aka "toll fraud and authentication forward attack"). NOTE: Debian disputes this issue, stating that "having the two URIs mismatch is allowed by the standard and happens in some setups for valid reasons.
WabCMS 1.0 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for db/wabcmsn.mdb. NOTE: this issue was originally reported for "webCMS," but this was an error by an unreliable researcher.
WordPress allows remote attackers to determine the existence of arbitrary files, and possibly read portions of certain files, via pingback service calls with a source URI that corresponds to a local pathname, which triggers different fault codes for existing and non-existing files, and in certain configurations causes a brief file excerpt to be published as a blog comment.
Opera 9.10 Final allows remote attackers to bypass the Fraud Protection mechanism by adding certain characters to the end of a domain name, as demonstrated by the "." and "/" characters, which is not caught by the blacklist filter.
P-News 2.0 stores db/user.txt under the web document root with insufficient access control, which allows remote attackers to obtain sensitive information such as usernames and password hashes via a direct request. NOTE: this might be the same issue as CVE-2006-6888.
Jax Guestbook 3.1 and 3.31 stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain IP addresses of users via a direct request to (1) guestbook, (2) guestbook_ips2block, (3) ips2block, and (4) formmailer/logfile.csv.
Web Wiz Guestbook 6.0 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the database and obtain sensitive information via a direct request for database/WWGguestbook.mdb. NOTE: it was later reported that 8.21 is also affected.
ASP-DEv XM Events Diary stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the database file via a direct request for diary.mdb.
The file caching implementation in Joomla! before 1.5.4 allows attackers to access cached pages via unknown attack vectors.
A vulnerability in the Simple Object Access Protocol (SOAP) of Cisco TelePresence Management Suite (TMS) software could allow an unauthenticated, remote attacker to gain unauthorized access to an affected device. The vulnerability is due to a lack of proper access and authentication controls on the affected TMS software. An attacker could exploit this vulnerability by gaining access to internal, trusted networks to send crafted SOAP calls to the affected device. If successful, an exploit could allow the attacker to access system management tools. Under normal circumstances, this access should be prohibited.
Katy Whitton RankEm stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing credentials via a direct request for database/topsites.mdb.
Virtual GuestBook (vgbook) 2.1 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the database file via a direct request to guestbook.mdb.
CodefixerSoftware MailingListPro Free Edition stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain sensitive information via a direct request to db/MailingList.mdb.
The advanced-ajax-page-loader plugin before 2.7.7 for WordPress has no protection against the reading of uploaded files when not logged in.
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to gain access to sensitive files on an affected device. The vulnerability is due to incorrect permissions settings on affected DCNM software. An attacker could exploit this vulnerability by connecting to the web-based management interface of an affected device and requesting specific URLs. A successful exploit could allow the attacker to download arbitrary files from the underlying filesystem of the affected device.
The Storm module 6.x before 6.x-1.25 for Drupal does not enforce privilege requirements for storminvoiceitem nodes, which allows remote attackers to read node titles via unspecified vectors.
ASP Football Pool 2.3 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the database file via a direct request for NFL.mdb.
Web File Explorer 3.1 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for data/db.mdb.
YourPlace 1.0.2 and earlier allows remote attackers to obtain sensitive system information via a direct request via a direct request to user/uploads/phpinfo.php, which calls the phpinfo function.