SQL injection vulnerability in SMBCMS 2.1 allows remote attackers to execute arbitrary SQL commands via unspecified search parameters.

SQL injection vulnerability in index.php in HelpDeskPoint 2.38 and earlier allows remote attackers to execute arbitrary SQL commands via the page parameter.

Cross-site scripting (XSS) vulnerability in index.php in (1) GmailSite 1.0 through 1.0.4 and (2) GFHost 0.1.1 through 0.4.2 allows remote attackers to inject arbitrary web script or HTML via the lng parameter.

The default configuration of Recruitment Software installs admin/site.xml under the web document root with insufficient access control, which might allow remote attackers to obtain sensitive information (MySQL database credentials) via a direct request.

Drivers for certain display adapters, including (1) an unspecified ATI driver and (2) an unspecified Intel driver, might allow remote attackers to cause a denial of service (system crash) via a large JPEG image, as demonstrated in Internet Explorer using stoopid.jpg with a width and height of 9999999.

The m_join function in channel.c for PTnet ircd 1.5 and 1.6 allows remote attackers to cause a denial of service (memory exhaustion that triggers a daemon restart) via a large number of requests to join a "charmed channel" such as PTnet, #PTnoticias and #*.log, which causes ircd to open the channel even though it does not have any valid users.

upload.exe in eFileGo 3.01 allows remote attackers to cause a denial of service (CPU consumption) via an argument with an invalid directory name.

Directory traversal vulnerability in eFileGo 3.01 allows remote attackers to execute arbitrary code, read arbitrary files, and upload arbitrary files via a ... (triple dot) in (1) the URL on port 608 and (2) the argument to upload.exe.

Cross-site scripting (XSS) vulnerability in the editavatar page in vBulletin 3.5.1 allows remote attackers to inject arbitrary web script or HTML via a URL in the remote avatar url field, in which the URL generates a parsing error, and possibly requiring a trailing extension such as .jpg.

Buffer overflow in WinRAR 3.50 and earlier allows local users to execute arbitrary code via a long command-line argument. NOTE: because this program executes with the privileges of the invoking user, and because remote programs do not normally have the ability to specify a command-line argument for this program, there may not be a typical attack vector for the issue that crosses privilege boundaries. Therefore this may not be a vulnerability.

SQL injection vulnerability in index.php in phpoutsourcing Zorum Forum 3.5 and earlier allows remote attackers to execute arbitrary SQL commands via the rollid parameter in the showhtmllist method.

Buffer overflow in sysctl in the Linux Kernel 2.6 before 2.6.15 allows local users to corrupt user memory and possibly cause a denial of service via a long string, which causes sysctl to write a zero byte outside the buffer. NOTE: since the sysctl is called from a userland program that provides the argument, this might not be a vulnerability, unless a legitimate user-assisted or setuid scenario can be identified.

SQL injection vulnerability in tickets.php in cSupport 1.0 and earlier allows remote attackers to execute arbitrary SQL commands via the pg parameter.

SQL injection vulnerability in index.php in iSupport 1.06 allows remote attackers to execute arbitrary SQL commands via the include_file parameter.

SQL injection vulnerability in news.php in DapperDesk 3.0.1 and earlier allows remote attackers to execute arbitrary SQL commands via the page parameter.

Multiple SQL injection vulnerabilities in digiSHOP 3.1.17 and earlier allow remote attackers to execute arbitrary SQL commands or obtain the full installation path via (1) the c parameter in cart.php and (2) unspecified search module parameters.

Cross-site scripting (XSS) vulnerability in VUBB alpha rc1 allows remote attackers to inject arbitrary web script or HTML via unspecified fields in the user edit profile.

Multiple SQL injection vulnerabilities in VUBB alpha rc1 allow remote attackers to execute arbitrary SQL commands via the (1) f parameter to viewforum.php, (2) t parameter to viewtopic.php, and (3) view parameter to usercp.php.

SQL injection vulnerability in search.php in Free ClickBank 1.0 and earlier allows remote attackers to execute arbitrary SQL commands via the keywords parameter.

Format string vulnerability in the server for Dopewars before 1.5.12, when running as an NT service, allows remote attackers to execute arbitrary code via unspecified attack vectors.