CVE List
| Id | CVE No. | Status | Description | Phase | Votes | Comments | Actions |
|---|---|---|---|---|---|---|---|
| 5059 | CVE-2002-0669 | Candidate | The web interface for Pingtel xpressa SIP-based voice-over-IP phone 1.2.5 through 1.2.7.4 allows administrators to cause a denial of service by modifying the SIP_AUTHENTICATE_SCHEME value to force authentication of incoming calls, which does not notify the user when an authentication failure occurs. | Proposed (20030317) | ACCEPT(1) Cole | NOOP(2) Cox, Wall | REJECT(1) Baker | Baker> I don"t believe that a configuration option by the administrator is a | vulnerability. The fact that the administrator can require authentication | of users attempting to use the service, without notifying users that | are NOT using authentication is not a vulnerability. For example, I | could configure sshd to allow only certain hosts to connect, by means of | a key, and if someone else tried to connect that is not authorized, it | would disallow it. Similarly, the administrator could require authentication | and only notify those users allowed to connect of the necessary authentication | credentials to preclude un-authorized use of the system. The only way I would | see this as a vulnerability was if the change was able to be made without | the proper credentials through some fault in the program, or if there was no way to enable authentication on | any client trying to connect which would render the system unusable to everyone | (but that would still not really be a vulnerability as much as a "stupid | feature") | The ability to make this change afer gaining administrator priveleges by means | of another vulnerability does not make this a vulnerability. I would classify | this as a configuration setting that can severly restrict access, at the discretion | of the administrator. | View |
| 5799 | CVE-2002-1415 | Candidate | Format string vulnerability in SMTP service for WebEasyMail 3.4.2.2 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via format strings in SMTP requests. | Proposed (20030317) | ACCEPT(1) Cole | NOOP(2) Cox, Wall | REVIEWING(1) Baker | Baker> There is an updated version available from the vendor"s website, | http://www.51webmail.com/downloadwem.html | however, I am unable to determine whether this bug has been fixed or | not, since the site is in Chinese. There is no english language version | of it, apparently. There is an upgrade notes and patch listing under the | download menu, so if we have someone with chinese language skills, we might | be able to get this one sorted out... | View |
| 5800 | CVE-2002-1416 | Candidate | The POP3 service for WebEasyMail 3.4.2.2 and earlier generates diffferent error messages for valid and invalid usernames during authentication, which makes it easier for remote attackers to conduct brute force attacks. | Proposed (20030317) | ACCEPT(1) Cole | NOOP(2) Cox, Wall | REVIEWING(1) Baker | Baker> See entry for CAN 2002-1415... | View |
| 1034 | CVE-1999-1054 | Candidate | The default configuration of FLEXlm license manager 6.0d, and possibly other versions, allows remote attackers to shut down the server via the lmdown command. | Proposed (20010912) | ACCEPT(1) Cole | NOOP(2) Foat, Wall | View | |
| 1386 | CVE-1999-1406 | Candidate | dumpreg in Red Hat Linux 5.1 opens /dev/mem with O_RDWR access, which allows local users to cause a denial of service (crash) by redirecting fd 1 (stdout) to the kernel. | Proposed (20010912) | ACCEPT(1) Cole | NOOP(2) Foat, Wall | View |
Page 661 of 20943, showing 5 records out of 104715 total, starting on record 3301, ending on 3305
