Cross-site scripting (XSS) vulnerability in the private archive script (private.py) in GNU Mailman 2.1.7 allows remote attackers to inject arbitrary web script or HTML via the action argument.

Plone 2.0.5, 2.1.2, and 2.5-beta1 does not restrict access to the (1) changeMemberPortrait, (2) deletePersonalPortrait, and (3) testCurrentPassword methods, which allows remote attackers to modify portraits.

SQL injection vulnerability in admin.php in Design Nation DNGuestbook 2.0 allows remote attackers to execute arbitrary SQL commands via the (1) email and (2) id parameters.

Cross-site scripting (XSS) vulnerability in shop_main.cgi in interaktiv.shop 5 allows remote attackers to inject arbitrary web script or HTML via the (1) pn and (2) sbeg parameters.

SQL injection vulnerability in member.php in Clansys 1.1 allows remote attackers to execute arbitrary SQL commands via the showid parameter in the member page to index.php.

index.php in Shopweezle 2.0 allows remote attackers to include arbitrary local files via the url parameter.

Multiple SQL injection vulnerabilities in Shopweezle 2.0 allow remote attackers to execute arbitrary SQL commands via the (1) itemID parameter to (a) login.php and (b) memo.php; and the (2) itemgr, (3) brandID, and (4) album parameters to (c) index.php. NOTE: this issue also produces resultant full path disclosure from invalid SQL queries.

Oracle Database 9.2.0.0 to 10.2.0.3 allows local users with "SELECT" privileges for a base table to insert, update, or delete data by creating a crafted view then performing the operations on that view.

Sire 2.0 nws allows remote attackers to upload arbitrary image files without authentication via a direct request to upload.php.

PHP remote file inclusion vulnerability in lire.php in Sire 2.0 nws allows remote attackers to execute arbitrary PHP code via a URL in the rub parameter.

PHP remote file inclusion vulnerability in spip_login.php3 in SPIP 1.8.3 allows remote attackers to execute arbitrary PHP code via a URL in the url parameter.

Cross-site scripting (XSS) vulnerability in the Pages module in Shadowed Portal allows remote attackers to inject arbitrary web script or HTML via the page parameter to load.php.

Buy.php in Aweb Scripts Seller uses predictable cookies for authentication based on the time and the script number, which allows remote attackers to bypass authentication.

Cross-site scripting (XSS) vulnerability in index.php in Aweb Banner Generator 3.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the banner parameter in view mode.

Cross-site scripting (XSS) vulnerability in Matt Wright Guestbook 2.3.1 allows remote attackers to execute arbitrary web script or HTML via the (1) url, (2) city, (3) state, or (4) country parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information, although it is likely that they are the result of post-disclosure analysis.

Cross-site scripting (XSS) vulnerability in Matt Wright Guestbook 2.3.1 allows remote attackers to execute arbitrary web script or HTML via the (1) Your Name, (2) E-Mail, or (3) Comments fields when posting a message.

Cross-site scripting (XSS) vulnerability in Gallery before 1.5.3 allows remote attackers to inject arbitrary web script or HTML via unknown attack vectors.

The fbgs script in the fbi package 2.01-1.4, when the TMPDIR environment variable is not defined, allows local users to overwrite arbitrary files via a symlink attack on temporary files in /var/tmp/fbps-[PID].

SQL injection vulnerability in members.php in XBrite Members 1.1 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter.

Unspecified vulnerability in GlobalSCAPE Secure FTP Server before 3.1.4 Build 01.10.2006 allows attackers to cause a denial of service (application crash) via a "custom command" with a long argument.

Multiple SQL injection vulnerabilities in MWNewsletter 1.0.0b allow remote attackers to execute arbitrary SQL commands via the (1) user_email parameter to (a) unsubscribe.php or (b) subscribe.php; or the (2) user_name parameter to subscribe.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information, although it is likely that this was discovered during post-disclosure analysis.

SQL injection vulnerability in MWNewsletter 1.0.0b allows remote attackers to execute arbitrary SQL commands via the user_name parameter to unsubscribe.php.

Cross-site scripting (XSS) vulnerability in subscribe.php in MWNewsletter 1.0.0b allows remote attackers to inject arbitrary web script or HTML via the user_name parameter.

Heap-based buffer overflow in zgv before 5.8 and xzgv before 0.8 might allow user-assisted attackers to execute arbitrary code via a JPEG image with more than 3 output components, such as a CMYK or YCCK color space, which causes less memory to be allocated than required.

Unspecified vulnerability in su in HP HP-UX B.11.11, when using the LDAP netgroup feature, allows local users to gain unspecified access.