Format string vulnerability in the MprLogToFile::logEvent function in Mbedthis AppWeb 2.0.5-4, when the build supports logging but the configuration disables logging, allows remote attackers to cause a denial of service (daemon crash) via format string specifiers in the HTTP scheme, as demonstrated by a “GET %n://localhost:80/” request.
NVD-CWE-Other
CVE-2007-3011
The DBAsciiAccess CGI Script in the web interface in Fujitsu-Siemens Computers ServerView before 4.50.09 allows remote attackers to execute arbitrary commands via shell metacharacters in the Servername subparameter of the ParameterList parameter.
CVE-2007-3013
SQL injection vulnerability in activeWeb contentserver before 5.6.2964 allows remote authenticated users with edit permission to execute arbitrary SQL commands via the id parameter to admin/picture/picture_real_edit.asp, and probably other unspecified vectors.
CVE-2007-3014
Multiple cross-site scripting (XSS) vulnerabilities in activeWeb contentserver before 5.6.2964 allow remote attackers to inject arbitrary web script or HTML via the msg parameter to (1) errors/rights.asp or (2) errors/transaction.asp, or (3) the name of a MIME type (mimetype).
CVE-2007-3017
The WYSIWYG editor applet in activeWeb contentserver CMS before 5.6.2964 only filters malicious tags from articles sent to admin/applets/wysiwyg/rendereditor.asp, which allows remote authenticated users to inject arbitrary JavaScript via a request to admin/worklist/worklist_edit.asp.
CVE-2007-3018
activeWeb contentserver CMS before 5.6.2964 does not limit the file-creation ability of editors who have restricted accounts, which allows these editors to create files in arbitrary directories.