CVE-2007-1126
Published: 2007-02-27
CVE-2007-1126: Directory traversal vulnerability in index.php in xtcommerce allows remote attackers to read arbitrary files via a .. (dot dot) in the template parameter.
Priority: P4
CVSS 2.0 base score: 5 (medium), vector AV:N/AC:L/Au:N/C:P/I:N/A:N
EXPLOIT
EPSS: 5.47% (91.8th percentile)
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| xt-commerce | xt-commerce | < 2.0 | 2.0 |
| xt-commerce | xt-commerce | — | — |
No detection rules found.
Bugzilla
CVE-2007-6243 [CRITICAL] Flash Player cross-domain and cross-site scripting flaws
bugzilla · 2008-04-04 · CVSS 9.3
Adobe Flash Player 9.x up to 9.0.48.0, 8.x up to 8.0.35.0, and 7.x up to 7.0.70.0 does not sufficiently restrict the interpretation and usage of cross-domain policy files, which makes it easier for remote attackers to conduct cross-domain and cross-site scripting (XSS) attacks.
Discussion:
This issue was addressed in:
Red Hat Enterprise Linux Extras:
http://rhn.redhat.com/errata/RHSA-2007-1126.html
http://rhn.redhat.com/errata/RHSA-2008-0221.html
Bugzilla
CVE-2007-6246 [MEDIUM] flash: privilege escalation
bugzilla · 2007-12-06 · CVSS 4.4
Placeholder for CVE-2007-6246
Discussion:
This is now public:
http://www.adobe.com/support/security/bulletins/apsb07-20.html
Please see the Adobe bulletin for additional information.
---
Issue was addressed in supported products by:
https://rhn.redhat.com/errata/RHSA-2007-1126.html
Bugzilla
CVE-2007-6244 [MEDIUM] flash: XSS via asfunction protocol
bugzilla · 2007-12-06 · CVSS 4.3
Placeholder for CVE-2007-6244
Discussion:
This is now public:
http://www.adobe.com/support/security/bulletins/apsb07-20.html
Please see the Adobe bulletin for additional information.
---
Issue was addressed in supported products by:
https://rhn.redhat.com/errata/RHSA-2007-1126.html
Bugzilla
CVE-2007-6245 [MEDIUM] flash: HTTP headers modification
bugzilla · 2007-12-06 · CVSS 5.8
Placeholder for CVE-2007-6245
Discussion:
This is now public:
http://www.adobe.com/support/security/bulletins/apsb07-20.html
Please see the Adobe bulletin for additional information.
---
Issue was addressed in supported products by:
https://rhn.redhat.com/errata/RHSA-2007-1126.html
Bugzilla
CVE-2007-6242 [MEDIUM] flash: arbitrary code execution
bugzilla · 2007-12-05 · CVSS 6.8
Placeholder for CVE-2007-6242
Discussion:
This is now public:
http://www.adobe.com/support/security/bulletins/apsb07-20.html
---
Issue was addressed in supported products by:
https://rhn.redhat.com/errata/RHSA-2007-1126.html
Bugzilla
CVE-2007-5275 [MEDIUM] Flash plugin DNS rebinding
bugzilla · 2007-11-05 · CVSS 5.0
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-5275 to the following vulnerability:
The Adobe Macromedia Flash 9 plug-in allows remote attackers to cause a victim machine to establish TCP sessions with arbitrary hosts via a Flash (SWF) movie, related to lack of pinning of a hostname to a single IP address after receiving an allow-access-from element in a cross-domain-policy XML document, and the availability of a Flash Socket class that does not use the browser's DNS pins, aka DNS rebinding attacks, a different issue than CVE-2002-1467 and CVE-2007-4324.
References:
http://crypto.stanford.edu/dns/dns-rebinding.pdf
Discussion:
Issue was addressed in supported products by:
https://rhn.redhat.com/errata/RHSA-2007-1126.html
Bugzilla
CVE-2007-4324 [MEDIUM] Flash movie can determine whether a TCP port is open
bugzilla · 2007-08-15 · CVSS 5.0
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-4324 to the following vulnerability:
ActionScript 3 (AS3) in Adobe Flash Player 9.0.47.0 allows remote attackers to bypass the Security Sandbox Model, obtain sensitive information, and port scan arbitrary hosts via a Flash (SWF) movie that specifies a connection to make, then using timing discrepancies from the SecurityErrorEvent error to determine whether a host is open or not.
References:
http://www.securityfocus.com/archive/1/archive/1/475961/100/0/threaded
Discussion:
Issue was addressed in supported products by:
https://rhn.redhat.com/errata/RHSA-2007-1126.html
References:
http://osvdb.org/33758
http://secunia.com/advisories/24301
http://securityreason.com/securityalert/2294
http://www.securityfocus.com/archive/1/461073/100/0/threaded
http://www.securityfocus.com/bid/22698
http://www.vupen.com/english/advisories/2007/0746
https://exchange.xforce.ibmcloud.com/vulnerabilities/32656