databases software vulnerabilities
vulnerabilities.aspcode.net
The installation of AdCycle banner management system leaves the build.cgi program in a web-accessible directory, which allows remote attackers to execute the program and view passwords or delete databases.
PostgreSQL stores usernames and passwords in plaintext in (1) pg_shadow and (2) pg_pwd, which allows attackers with sufficient privileges to gain access to databases.
HP Architected Interface Facility (AIF), as included with MPE/iX 5.5 through 6.5 running on an HP3000, allows an attacker to gain additional privileges and gain access to databases via the AIF - AIFCHANGELOGON program.
web-tools in SAP DB before 7.4.03.30 installs several services that are enabled by default, which could allow remote attackers to obtain potentially sensitive information or redirect attacks against internal databases via (1) waecho, (2) Web SQL Interface (websql), or (3) Web Database Manager (webdbm).
Unknown vulnerability in MySQL 3.23.58 and earlier, when a local user has privileges for a database whose name includes a "_" (underscore), grants privileges to other databases that have similar names, which can allow the user to conduct unauthorized activities.
Multiple SQL injection vulnerabilities in Dynix (formerly known as epixtech) WebPAC allow remote attackers to execute arbitrary SQL commands via unknown attack vectors, resulting in an ability to execute stored procedures, bypass login authentication, and cause an unspecified denial of service to backend databases.
By design, the built-in FTP server for iSeries AS/400 systems does not support a restricted document root, which allows attackers to read or write arbitrary files, including sensitive QSYS databases, via a full pathname in a GET or PUT request.
show.php in McGallery 1.1 allows remote attackers to connect to arbitrary databases, or gain sensitive information by triggering an error, via a modified host parameter.
core/database_api.php in Mantis 0.19.0a1 through 1.0.0a3, with register_globals enabled, allows remote attackers to connect to internal databases by modifying the g_db_type variable and monitoring the speed of responses, as identified by bug#0005956.
SQL injection vulnerability in base_qry_main.php in Analysis Console for Intrusion Databases (ACID) 0.9.6b20 and Basic Analysis and Security Engine (BASE) 1.2 allows remote attackers to execute arbitrary SQL commands via the sig[1] parameter.
Oracle Databases running on Windows XP with Simple File Sharing enabled allow remote attackers to bypass authentication by supplying a valid username.
Acidcat 2.1.13 and earlier stores the database under the web root with insufficient access control, which allows remote attackers to obtain sensitive information via a request to databases/acidcat.mdb.
** DISPUTED ** SQL injection vulnerability in WebDB 1.1 and earlier allows remote attackers to execute arbitrary SQL commands via unspecified search parameters, possibly Search0. NOTE: the vendor has disputed this issue, saying that "WebDB is a generic online database system used by many of the clients of Lois Software. The flaw that was identified was some code that was added for a client to do some testing of his system and only certain safe commands were allowed. This code has now been removed and it is not now possible to use SQL queries as part of the query string. No installation or patch is required All clients use a common code library and have their own front end and databases and connections. So as soon as a change / upgrade / enhancement is made to the code, all users of the software begin to use the latest changes immediately." Since the issue appeared in a custom web site and no action is required on the part of customers, this issue should not be included in CVE.
Heap-based buffer overflow in bogofilter 0.96.2, 0.95.2, 0.94.14, 0.94.12, and other versions from 0.93.5 to 0.96.2, when using Unicode databases, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via "invalid input sequences" that lead to heap corruption when bogofilter or bogolexer converts character sets.
** DISPUTED ** Kwik-Pay Payroll 4.2.20, and possibly other versions, stores the KwikPay.mdb database file with insecure permissions, which allows local users to obtain sensitive information such as employment and payment data. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. NOTE: the vendor has disputed this vulnerability, stating that "The kwikpay.mdb file supplied with kwikpay is a template for the database structure of user databases created by kwikpay and to store a demonstration payroll. It does not contain any sensitive user information. When a user payroll database is opened, the encryption of the database is checked and if the database is not encrypted, the user is prompted to encrypt the database, but the choice is the customers."
Cross-site scripting (XSS) vulnerability in the PrintFreshPage function in (1) Basic Analysis and Security Engine (BASE) 1.2.4 and (2) Analysis Console for Intrusion Databases (ACID) 0.9.6b23 allows remote attackers to inject arbitrary web script or HTML via the (a) back parameter to base_graph_main.php, (b) netmask parameter to base_stat_ipaddr.php, or (c) submit parameter to base_qry_alert.php within BASE, or (d) query string to acid_main.php in ACID, which causes the request URI ($_SERVER['REQUEST_URI']) to be inserted into a refresh operation.
IBM Informix Dynamic Server (IDS) before 9.40.xC7 and 10.00 before 10.00.xC3 does not use database creation permissions, which allows remote authenticated users to create arbitrary databases.
Kahua before 0.7, when running multiple applications under a single supervisor, grants application access on the basis of username instead of username and database name, which allows remote authenticated users to obtain unauthorized access if different databases assign the same username to different user accounts.
Software vulnerabilities results 1 to 19 of 19