selecting software vulnerabilities
vulnerabilities.aspcode.net
Searching selecting software vulnerabilities
Invision Power Board 1.3 Final allows remote at
Invision Power Board 1.3 Final allows remote attackers to gain sensitive information by selecting a file for "Personal Photo" that is not an image file, which displays the installation path in an error message.
Direct code injection vulnerability in Task Man
Direct code injection vulnerability in Task Manager in Invision Power Board 2.0.1 allows limited remote attackers to execute arbitrary code by referencing the file in "Task PHP File To Run" field and selecting "Run Task Now".
Six Apart Movable Type 3.16 allows local users
Six Apart Movable Type 3.16 allows local users with blog-creation privileges to create or overwrite arbitrary files of certain types (such as HTML and image files) by selecting an arbitrary directory as a blog's top-level directory. NOTE: this issue can be used in conjunction with CVE-2005-3102 to create or overwrite arbitrary files of all types.
Lexmark X1185 printer allows local users to gai
Lexmark X1185 printer allows local users to gain SYSTEM privileges by navigating to the "Appearance" dialog and selecting the "Additional styles (skins) are available on the Lexmark web site" option, which launches a web browser that is running with SYSTEM privileges.
Mozilla Firefox 1.5.0.2 and possibly other vers
Mozilla Firefox 1.5.0.2 and possibly other versions before 1.5.0.4, Netscape 8.1, 8.0.4, and 7.2, and K-Meleon 0.9.13 allows user-assisted remote attackers to open local files via a web page with an IMG element containing a SRC attribute with a non-image file:// URL, then tricking the user into selecting View Image for the broken image, as demonstrated using a .wma file to launch Windows Media Player, or by referencing an "alternate web page."
Jelsoft vBulletin accepts uploads of Cascading
Jelsoft vBulletin accepts uploads of Cascading Style Sheets (CSS) and processes them in a way that allows remote authenticated administrators to gain shell access by uploading a CSS file that contains PHP code, then selecting the file via the style chooser, which causes the PHP code to be executed. NOTE: the vendor was unable to reproduce this issue in 3.5.x. NOTE: this issue might be due to direct static code injection.
The ActiveX version of FrontRange iHEAT allows
The ActiveX version of FrontRange iHEAT allows remote authenticated users to run arbitrary programs or access arbitrary files on the host machine by uploading a file with an extension that is not associated with an application, and selecting a file from the "Open With..." dialog.
The PLUGINSPAGE functionality in Mozilla Firefo
The PLUGINSPAGE functionality in Mozilla Firefox before 1.5.0.4 allows remote user-assisted attackers to execute privileged code by tricking a user into installing missing plugins and selecting the "Manual Install" button, then using nested javascript: URLs. NOTE: the manual install button is used for downloading software from a remote web site, so this issue would not cross privilege boundaries if the user progresses to the point of installing malicious software from the attacker-controlled site.
Cross-site scripting (XSS) vulnerability in Moz
Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 1.5.0.4 allows user-assisted remote attackers to inject arbitrary web script or HTML by tricking a user into (1) performing a "View Image" on a broken image in which the SRC attribute contains a Javascript URL, or (2) selecting "Show only this frame" on a frame whose SRC attribute contains a Javascript URL.
Apple Remote Desktop (ARD) for Mac OS X 10.2.8
Apple Remote Desktop (ARD) for Mac OS X 10.2.8 and later does not drop privileges on the remote machine while installing certain applications, which allows local users to bypass authentication and gain privileges by selecting the icon during installation. NOTE: it could be argued that the issue is not in Remote Desktop itself, but in applications that are installed while using it.
Symantec Sygate NAC allows physically proximate
Symantec Sygate NAC allows physically proximate attackers to bypass control methods and join a local network by selecting a forged MAC address associated with an exception rule that (1) permits all non-Windows devices or (2) whitelists certain sets of Organizationally Unique Identifiers (OUIs).
PreviewAction in XWiki 0.9.543 through 0.9.1252
PreviewAction in XWiki 0.9.543 through 0.9.1252 does not set the Author field to the identity of the user who last modified a document, which allows remote authenticated users without programming rights to execute arbitrary code by selecting a document whose author has programming rights, modifying this document to contain a script, and previewing without saving the document.
Multiple cross-site scripting (XSS) vulnerabili
Multiple cross-site scripting (XSS) vulnerabilities in index.php in Simple Machines Forum (SMF) 1.1 RC3 allow remote authenticated users to inject arbitrary web script or HTML via the (1) recipient or (2) BCC field when selecting send in a pm action.
GuppY 4.0 allows remote attackers to delete arb
GuppY 4.0 allows remote attackers to delete arbitrary files via a direct request to install/install.php, then selecting "Installation propre" (cleanup.php) and then "Suppression des fichiers d'installation" (delete.php).
Software vulnerabilities results 1 to 15 of 15