CVE List
Id | CVE No. | Status | Description | Phase | Votes | Comments | Actions |
---|---|---|---|---|---|---|---|
1154 | CVE-1999-1174 | Candidate | ZIP drive for Iomega ZIP-100 disks allows attackers with physical access to the drive to bypass password protection by inserting a known disk with a known password, waiting for the ZIP drive to power down, manually replacing the known disk with the target disk, and using the known password to access the target disk. | Proposed (20010912) | ACCEPT(1) Cole; NOOP(2) Foat, Wall | | View |
1415 | CVE-1999-1435 | Candidate | Buffer overflow in libsocks5 library of Socks 5 (socks5) 1.0r5 allows local users to gain privileges via long environmental variables. | Proposed (20010912) | ACCEPT(1) Cole; NOOP(2) Foat, Wall | | View |
5799 | CVE-2002-1415 | Candidate | Format string vulnerability in SMTP service for WebEasyMail 3.4.2.2 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via format strings in SMTP requests. | Proposed (20030317) | ACCEPT(1) Cole; NOOP(2) Cox, Wall; REVIEWING(1) Baker | Baker> There is an updated version available from the vendor's website, http://www.51webmail.com/downloadwem.html however, I am unable to determine whether this bug has been fixed or not, since the site is in Chinese. There is no English language version of it, apparently. There is an upgrade notes and patch listing under the download menu, so if we have someone with Chinese language skills, we might be able to get this one sorted out... | View |
5800 | CVE-2002-1416 | Candidate | The POP3 service for WebEasyMail 3.4.2.2 and earlier generates different error messages for valid and invalid usernames during authentication, which makes it easier for remote attackers to conduct brute force attacks. | Proposed (20030317) | ACCEPT(1) Cole; NOOP(2) Cox, Wall; REVIEWING(1) Baker | Baker> See entry for CAN 2002-1415... | View |
5059 | CVE-2002-0669 | Candidate | The web interface for Pingtel xpressa SIP-based voice-over-IP phone 1.2.5 through 1.2.7.4 allows administrators to cause a denial of service by modifying the SIP_AUTHENTICATE_SCHEME value to force authentication of incoming calls, which does not notify the user when an authentication failure occurs. | Proposed (20030317) | ACCEPT(1) Cole; NOOP(2) Cox, Wall; REJECT(1) Baker | Baker> I don't believe that a configuration option by the administrator is a vulnerability. The fact that the administrator can require authentication of users attempting to use the service, without notifying users that are NOT using authentication is not a vulnerability. For example, I could configure sshd to allow only certain hosts to connect, by means of a key, and if someone else tried to connect that is not authorized, it would disallow it. Similarly, the administrator could require authentication and only notify those users allowed to connect of the necessary authentication credentials to preclude un-authorized use of the system. The only way I would see this as a vulnerability was if the change was able to be made without the proper credentials through some fault in the program, or if there was no way to enable authentication on any client trying to connect which would render the system unusable to everyone (but that would still not really be a vulnerability as much as a "stupid feature") The ability to make this change after gaining administrator privileges by means of another vulnerability does not make this a vulnerability. I would classify this as a configuration setting that can severely restrict access, at the discretion of the administrator. | View |