Vulnerabilities > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2004-12-31 | CVE-2004-2577 | Unspecified vulnerability in PHPgroupware 0.9.16Rc1/0.9.16Rc2 The acl_check function in phpGroupWare 0.9.16RC2 always returns True, even when mkdir does not behave as expected, which could allow remote attackers to obtain sensitive information via WebDAV from users' home directories that lack .htaccess files, and possibly has other unknown impacts. | 5.0 |
| 2004-12-31 | CVE-2004-2576 | Information Disclosure vulnerability in PHPgroupware 0.9.16.000 class.vfs_dav.inc.php in phpGroupWare 0.9.16.000 does not create .htaccess files to enable authorization checks for access to users' home-directory files, which allows remote attackers to obtain sensitive information from these files. | 5.0 |
| 2004-12-31 | CVE-2004-2575 | Information Disclosure vulnerability in Phpgroupware phpGroupWare 0.9.14.005 and earlier allow remote attackers to obtain sensitive information via a direct request to (1) hook_admin.inc.php, (2) hook_home.inc.php, (3) class.holidaycalc.inc.php, and (4) setup.inc.php.sample, which reveals the path in an error message. | 5.0 |
| 2004-12-31 | CVE-2004-2574 | HTML Injection vulnerability in PHPgroupware 0.9.16.000/0.9.16.002/0.9.16.003 Cross-site scripting (XSS) vulnerability in index.php in phpGroupWare 0.9.14.005 and earlier allows remote attackers to inject arbitrary web script or HTML via the date parameter in a calendar.uicalendar.planner menuaction. network phpgroupware | 4.3 |
| 2004-12-31 | CVE-2004-2572 | Remote Installation Path Disclosure vulnerability in Amax Information Technologies Magic Winmail Server 3.6 AMAX Magic Winmail Server 3.6 allows remote attackers to obtain sensitive information by entering (1) invalid characters such as "()" or (2) a large number of characters in the Lookup field on the netaddressbook.php web form, which reveals the path in an ldaplib.php error message when the ldap_search function fails, due to improper processing of the $keyword variable. | 5.0 |
| 2004-12-31 | CVE-2004-2570 | Injection vulnerability in Opera Browser Opera before 7.54 allows remote attackers to modify properties and methods of the location object and execute Javascript to read arbitrary files from the client's local filesystem or display a false URL to the user. | 5.0 |
| 2004-12-31 | CVE-2004-2568 | SQL Injection and Cross-Site Scripting vulnerability in ReciPants Multiple cross-site scripting (XSS) vulnerabilities in ReciPants 1.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) user id, (2) recipe id, (3) category id, and (4) other ID number fields. network recipants | 4.3 |
| 2004-12-31 | CVE-2004-2566 | Cross-Site Scripting vulnerability in Livefocusgroup Multiple cross-site scripting (XSS) vulnerabilities in LiveWorld products, possibly including (1) LiveForum, (2) LiveQ&A, (3) LiveChat, and (4) LiveFocusGroup, allow remote attackers to inject arbitrary web script or HTML via the q parameter in (a) search.jsp, (b) findclub!execute.jspa, and (c) search!execute.jspa. network liveworld | 4.3 |
| 2004-12-31 | CVE-2004-2565 | Multiple vulnerability in Sambar Server 6.1 Multiple directory traversal vulnerabilities in Sambar Server 6.1 Beta 2 on Windows, and possibly other versions on Linux, when the administrative IP address restrictions have been modified from the default, allow remote authenticated users to read arbitrary files via (1) a "..\" (dot dot backslash) in the file parameter to showini.asp, or (2) an absolute path with drive letter in the log parameter to showlog.asp. | 5.0 |
| 2004-12-31 | CVE-2004-2564 | Multiple vulnerability in Sambar Server 6.1 Multiple cross-site scripting (XSS) vulnerabilities in Sambar Server 6.1 Beta 2 on Windows, and possibly other versions on Linux, allow remote attackers to inject arbitrary web script or HTML via (1) the show parameter in show.asp and (2) the title parameter in showperf.asp. network sambar | 4.3 |