CVE Daily
← All years

All CVEs — 2009

Page 3/34.

Browse all CVEs by publication year. Use filters to refine.

CVSS ≥ 0.0
2009-12-08
Medium

CVE-2009-4233

Cross-site scripting (XSS) vulnerability in modules/mod_yj_whois.php in the YJ Whois component 1.0x and 1.5.x for Joomla! allows remote attackers to inject arbitrary web script or HTML via the domain…

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2009-4232

The Kide Shoutbox (com_kide) component 0.4.6 for Joomla! does not properly perform authentication, which allows remote attackers to post messages with an arbitrary account name via an insertar action…

CVSS: 5.0 CWE: CWE-287
Read more
High

CVE-2009-4231

Directory traversal vulnerability in as/lib/plugins.php in SweetRice 0.5.3 and earlier allows remote attackers to include and execute arbitrary local files via .. (dot dot) in the plugin parameter.

CVSS: 7.5 CWE: CWE-22
Read more
High

CVE-2009-4230

Multiple stack-based buffer overflows in src/Task.cc in the FastCGI program in IIPImage Server before 0.9.8 might allow remote attackers to execute arbitrary code via vectors associated with crafted…

CVSS: 7.5 CWE: CWE-119
Read more
High

CVE-2009-4229

Multiple SQL injection vulnerabilities in ActiveWebSoftwares Active Bids allow remote attackers to execute arbitrary SQL commands via (1) the catid parameter in the PATH_INFO to the default URI or (2…

CVSS: 7.5 CWE: CWE-89
Read more
Medium

CVE-2009-4227

Stack-based buffer overflow in the read_1_3_textobject function in f_readold.c in Xfig 3.2.5b and earlier, and in the read_textobject function in read1_3.c in fig2dev in Transfig 3.2.5a and earlier,…

CVSS: 6.8 CWE: CWE-119
Read more
High

CVE-2009-4226

Race condition in the IP module in the kernel in Sun OpenSolaris snv_106 through snv_124 allows remote attackers to cause a denial of service (NULL pointer dereference and panic) via unspecified vect…

CVSS: 7.1 CWE: CWE-362
Read more
Critical

CVE-2009-4225

Stack-based buffer overflow in the PestPatrol ActiveX control (ppctl.dll) 5.6.7.9 in CA eTrust PestPatrol allows remote attackers to execute arbitrary code via a long argument to the Initialize metho…

CVSS: 9.3 CWE: CWE-119
Read more
Critical

CVE-2009-3994

Stack-based buffer overflow in the GetUID function in src-IL/src/il_dicom.c in DevIL 1.7.8 allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via a cra…

CVSS: 9.3 CWE: CWE-119
Read more
2009-12-07
Medium

CVE-2009-4224

Multiple PHP remote file inclusion vulnerabilities in SweetRice 0.5.4, 0.5.3, and earlier allow remote attackers to execute arbitrary PHP code via a URL in the root_dir parameter to (1) _plugin/subsc…

CVSS: 6.8 CWE: CWE-20
Read more
High

CVE-2009-4223

PHP remote file inclusion vulnerability in adm/krgourl.php in KR-Web 1.1b2 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the DOCUMENT_ROOT parameter.

CVSS: 7.5 CWE: CWE-94
Read more
High

CVE-2009-4221

SQL injection vulnerability in classified.php in phpBazar 2.1.1fix and earlier allows remote attackers to execute arbitrary SQL commands via the catid parameter, a different vector than CVE-2008-3767.

CVSS: 7.5 CWE: CWE-89
Read more
High

CVE-2009-4220

PHP remote file inclusion vulnerability in includes/classes/pctemplate.php in PointComma 3.8b2 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the pcConfig[smartyPath]…

CVSS: 7.5 CWE: CWE-94
Read more
Critical

CVE-2009-4219

Stack-based buffer overflow in the MYACTIVEX.MyActiveXCtrl.1 ActiveX control in MyActiveX.ocx 1.4.8.0 in Haihaisoft Universal Player allows remote attackers to execute arbitrary code via a long URL p…

CVSS: 9.3 CWE: CWE-119
Read more
High

CVE-2009-4218

Multiple SQL injection vulnerabilities in files/login.asp in JiRo's Banner System eXperience (JBSX) allow remote attackers to execute arbitrary SQL commands via the (1) admin or (2) password field, a…

CVSS: 7.5 CWE: CWE-89
Read more
High

CVE-2009-4217

SQL injection vulnerability in the Itamar Elharar MusicGallery (com_musicgallery) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in an itempage a…

CVSS: 7.5 CWE: CWE-89
Read more
Critical

CVE-2009-4216

Directory traversal vulnerability in funzioni/lib/menulast.php in klinza professional cms 5.0.1 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in…

CVSS: 9.3 CWE: CWE-22
Read more
Medium

CVE-2009-4214

Cross-site scripting (XSS) vulnerability in the strip_tags function in Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote attackers to inject arbitrary web script or HTML via vectors i…

CVSS: 4.3 CWE: CWE-79
Read more
2009-12-04
High

CVE-2009-4020

Stack-based buffer overflow in the hfs subsystem in the Linux kernel 2.6.32 allows remote attackers to have an unspecified impact via a crafted Hierarchical File System (HFS) filesystem, related to t…

CVSS: 7.8 CWE: CWE-119
Read more
Medium

CVE-2009-3560

The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1, as used in the XML-Twig module for Perl, allows context-dependent attackers to cause a denial of service (application crash) via a…

CVSS: 5.0 CWE: CWE-119
Read more
Medium

CVE-2009-4209

Multiple cross-site scripting (XSS) vulnerabilities in admin/index.php in moziloCMS 1.11.1 allow remote attackers to inject arbitrary web script or HTML via the (1) cat and (2) file parameters in an…

CVSS: 4.3 CWE: CWE-79
Read more
High

CVE-2009-4208

SQL injection vulnerability in the os_news module in Open-school (OS) 1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter in a show action to index.php.

CVSS: 7.5 CWE: CWE-89
Read more
Medium

CVE-2009-4207

Cross-site scripting (XSS) vulnerability in the Webform module 5.x before 5.x-2.7 and 6.x before 6.x-2.7, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via a sub…

CVSS: 4.3 CWE: CWE-79
Read more
High

CVE-2009-4206

SQL injection vulnerability in admin.link.modify.php in Million Dollar Text Links 1.0 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter.

CVSS: 7.5 CWE: CWE-89
Read more
High

CVE-2009-4205

Directory traversal vulnerability in admin.php in Flashlight Free Edition allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the action parameter.

CVSS: 7.5 CWE: CWE-22
Read more
High

CVE-2009-4204

SQL injection vulnerability in read.php in Flashlight Free Edition allows remote attackers to execute arbitrary SQL commands via the id parameter.

CVSS: 7.5 CWE: CWE-89
Read more
High

CVE-2009-4203

Multiple SQL injection vulnerabilities in admin/aclass/admin_func.php in Arab Portal 2.2 allow remote attackers to execute arbitrary SQL commands via the (1) X-Forwarded-For or (2) Client-IP HTTP hea…

CVSS: 7.5 CWE: CWE-89
Read more
High

CVE-2009-4202

Directory traversal vulnerability in the Omilen Photo Gallery (com_omphotogallery) component Beta 0.5 for Joomla! allows remote attackers to include and execute arbitrary local files via directory tr…

CVSS: 7.5 CWE: CWE-22
Read more
Critical

CVE-2009-4201

Multiple stack-based buffer overflows in Mp3 Tag Assistant Professional 2.92 build 300 allow remote attackers to execute arbitrary code via an MP3 file with a long string in the (1) ID3v1, (2) ID3v2,…

CVSS: 9.3 CWE: CWE-119
Read more
High

CVE-2009-4200

SQL injection vulnerability in the Seminar (com_seminar) component 1.28 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a View_seminar action to index.ph…

CVSS: 7.5 CWE: CWE-89
Read more
Medium

CVE-2009-4199

Multiple SQL injection vulnerabilities in the Mambo Resident (aka Mos Res or com_mosres) component 1.0f for Mambo and Joomla!, when magic_quotes_gpc is disabled, allow remote attackers to execute arb…

CVSS: 6.8 CWE: CWE-89
Read more
Medium

CVE-2009-4198

SQL injection vulnerability in my_orders.php in MyMiniBill allows remote authenticated users to execute arbitrary SQL commands via the orderid parameter in a status action.

CVSS: 6.5 CWE: CWE-89
Read more
Critical

CVE-2009-4148

DAZ Studio 2.3.3.161, 2.3.3.163, and 3.0.1.135 allows remote attackers to execute arbitrary JavaScript code via a (1) .ds, (2) .dsa, (3) .dse, or (4) .dsb file, as demonstrated by code that loads the…

CVSS: 9.3 CWE: CWE-94
Read more
Low

CVE-2009-3304

GForge 4.5.14, 4.7 rc2, and 4.8.2 allows local users to overwrite arbitrary files via a symlink attack on authorized_keys files in users' home directories, related to deb-specific/ssh_dump_update.pl…

CVSS: 3.3 CWE: CWE-59
Read more
Medium

CVE-2009-4196

Multiple cross-site scripting (XSS) vulnerabilities in multiple scripts in Forms/ in Huawei MT882 V100R002B020 ARG-T running firmware 3.7.9.98 allow remote attackers to inject arbitrary web script or…

CVSS: 4.3 CWE: CWE-79
Read more
Critical

CVE-2009-4195

Buffer overflow in Adobe Illustrator CS4 14.0.0, CS3 13.0.3 and earlier, and CS3 13.0.0 allows remote attackers to execute arbitrary code via a long DSC comment in an Encapsulated PostScript (.eps) f…

CVSS: 9.3 CWE: CWE-119
Read more
Medium

CVE-2009-2631

Multiple clientless SSL VPN products that run in web browsers, including Stonesoft StoneGate; Cisco ASA; SonicWALL E-Class SSL VPN and SonicWALL SSL VPN; SafeNet SecureWire Access Gateway; Juniper Ne…

CVSS: 6.8 CWE: CWE-284
Read more
2009-12-03
High

CVE-2009-4194

Directory traversal vulnerability in Golden FTP Server 4.30 Free and Professional, 4.50, and possibly other versions allows remote authenticated users to delete arbitrary files via a .. (dot dot) in…

CVSS: 8.1 CWE: CWE-22
Read more
Low

CVE-2009-4193

Merkaartor 0.14 allows local users to append data to arbitrary files via a symlink attack on the /tmp/merkaartor.log temporary file.

CVSS: 3.3 CWE: CWE-59
Read more
Medium

CVE-2009-4192

Directory traversal vulnerability in dialog/file_manager.php in Interspire Knowledge Manager 5 allows remote attackers to read arbitrary files via a .. (dot dot) in the p parameter. NOTE: the proven…

CVSS: 5.0 CWE: CWE-22
Read more
Medium

CVE-2009-4187

Multiple cross-site scripting (XSS) vulnerabilities in the Gateway component in Sun Java System Portal Server 6.3.1, 7.1, and 7.2 allow remote attackers to inject arbitrary web script or HTML via uns…

CVSS: 4.3 CWE: CWE-79
Read more
Critical

CVE-2009-4186

Stack consumption vulnerability in Apple Safari 4.0.3 on Windows allows remote attackers to cause a denial of service (application crash) via a long URI value (aka url) in the Cascading Style Sheets…

CVSS: 9.3 CWE: CWE-119
Read more
Critical

CVE-2009-1567

Multiple stack-based buffer overflows in the Lateral Arts Photobox uploader ActiveX control 1.x before 1.3, and 2.2.0.6, allow remote attackers to execute arbitrary code via a long URL string for the…

CVSS: 9.3 CWE: CWE-119
Read more
2009-12-02
Medium

CVE-2009-4175

CutePHP CuteNews 1.4.6 and UTF-8 CuteNews before 8b allows remote attackers to obtain sensitive information via an invalid date value in the from_date_day parameter to search.php, which reveals the i…

CVSS: 5.0 CWE: CWE-200
Read more
Medium

CVE-2009-4173

Cross-site request forgery (CSRF) vulnerability in CutePHP CuteNews 1.4.6 and UTF-8 CuteNews before 8b allows remote attackers to hijack the authentication of administrators for requests that create…

CVSS: 6.8 CWE: CWE-352
Read more
Low

CVE-2009-4172

Cross-site scripting (XSS) vulnerability in index.php in CutePHP CuteNews 1.4.6 and UTF-8 CuteNews 8 and 8b, when magic_quotes_gpc is disabled, allows remote attackers to inject arbitrary web script…

CVSS: 2.6 CWE: CWE-79
Read more
Medium

CVE-2009-4171

An ActiveX control in YahooBridgeLib.dll for Yahoo! Messenger 9.0.0.2162, and possibly other 9.0 versions, allows remote attackers to cause a denial of service (NULL pointer dereference and applicati…

CVSS: 4.3 CWE: CWE-119
Read more
Critical

CVE-2009-4127

Unspecified vulnerability in Wikipedia Toolbar extension before 0.5.9.2 for Firefox allows user-assisted remote attackers to execute arbitrary JavaScript with Chrome privileges via vectors involving…

CVSS: 9.3 CWE: CWE-94
Read more
Medium

CVE-2009-4170

WP-Cumulus Plug-in 1.20 for WordPress, and possibly other versions, allows remote attackers to obtain sensitive information via a crafted request to wp-cumulus.php, probably without parameters, which…

CVSS: 5.0 CWE: CWE-200
Read more
Medium

CVE-2009-4169

Cross-site scripting (XSS) vulnerability in wp-cumulus.php in the WP-Cumulus Plug-in before 1.22 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2009-4168

Cross-site scripting (XSS) vulnerability in Roy Tanck tagcloud.swf, as used in the WP-Cumulus plugin before 1.23 for WordPress and the Joomulus module 2.0 and earlier for Joomla!, allows remote attac…

CVSS: 4.3 CWE: CWE-79
Read more
High

CVE-2009-4166

SQL injection vulnerability in the Trips (mchtrips) extension 2.0.0 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

CVSS: 7.5 CWE: CWE-89
Read more
High

CVE-2009-4165

SQL injection vulnerability in the simple Glossar (simple_glossar) extension 1.0.3 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

CVSS: 7.5 CWE: CWE-89
Read more
Medium

CVE-2009-4164

Cross-site scripting (XSS) vulnerability in the simple Glossar (simple_glossar) extension 1.0.3 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified ve…

CVSS: 4.3 CWE: CWE-79
Read more
High

CVE-2009-4163

SQL injection vulnerability in the TW Productfinder (tw_productfinder) extension 0.0.2 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

CVSS: 7.5 CWE: CWE-89
Read more
Medium

CVE-2009-4161

Cross-site scripting (XSS) vulnerability in the [AN] Search it! (an_searchit) extension 2.4.1 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vect…

CVSS: 4.3 CWE: CWE-79
Read more
Low

CVE-2009-4159

Cross-site scripting (XSS) vulnerability in the newsletter configuration feature in the backend module in the Direct Mail (direct_mail) extension 2.6.4 and earlier for TYPO3 allows remote authenticat…

CVSS: 3.5 CWE: CWE-79
Read more
High

CVE-2009-4158

SQL injection vulnerability in the Calendar Base (cal) extension before 1.2.1 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

CVSS: 7.5 CWE: CWE-89
Read more
Medium

CVE-2009-4157

Multiple cross-site scripting (XSS) vulnerabilities in index.php in the ProofReader (com_proofreader) component 1.0 RC9 and earlier for Joomla! allow remote attackers to inject arbitrary web script o…

CVSS: 4.3 CWE: CWE-79
Read more
High

CVE-2009-4156

PHP remote file inclusion vulnerability in modules/pms/index.php in Ciamos CMS 0.9.5 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the module_path parameter.

CVSS: 7.5 CWE: CWE-94
Read more
High

CVE-2009-4155

Multiple SQL injection vulnerabilities in Eshopbuilde CMS allow remote attackers to execute arbitrary SQL commands via the sitebid parameter to (1) home-f.asp and (2) opinions-f.asp; (3) sitebid, (4)…

CVSS: 7.5 CWE: CWE-89
Read more
Medium

CVE-2009-4154

Directory traversal vulnerability in includes/feedcreator.class.php in Elxis CMS allows remote attackers to read arbitrary files via a .. (dot dot) in the filename parameter.

CVSS: 5.0 CWE: CWE-22
Read more
Medium

CVE-2009-4152

Cross-site scripting (XSS) vulnerability in the Collaboration component in IBM WebSphere Portal 6.1.x before 6.1.0.3 allows remote attackers to inject arbitrary web script or HTML via the people pick…

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2009-4151

Session fixation vulnerability in html/Elements/SetupSessionCookie in Best Practical Solutions RT 3.0.0 through 3.6.9 and 3.8.x through 3.8.5 allows remote attackers to hijack web sessions by setting…

CVSS: 5.8 CWE: CWE-287
Read more
High

CVE-2009-4027

Race condition in the mac80211 subsystem in the Linux kernel before 2.6.32-rc8-next-20091201 allows remote attackers to cause a denial of service (system crash) via a Delete Block ACK (aka DELBA) pac…

CVSS: 7.1 CWE: CWE-362
Read more
Medium

CVE-2009-3585

Session fixation vulnerability in html/Elements/SetupSessionCookie in Best Practical Solutions RT 3.0.0 through 3.6.9 and 3.8.x through 3.8.5 allows remote attackers to hijack web sessions by setting…

CVSS: 5.8 CWE: CWE-287
Read more
Critical

CVE-2009-3672

Microsoft Internet Explorer 6 and 7 does not properly handle objects in memory that (1) were not properly initialized or (2) are deleted, which allows remote attackers to execute arbitrary code via v…

CVSS: 9.3 CWE: CWE-94
Read more
2009-12-01
High

CVE-2009-4128

GNU GRand Unified Bootloader (GRUB) 2 1.97 only compares the submitted portion of a password with the actual password, which makes it easier for physically proximate attackers to conduct brute force…

CVSS: 7.2 CWE: CWE-287
Read more
Medium

CVE-2009-4121

Multiple cross-site request forgery (CSRF) vulnerabilities in Quick.CMS 2.4 and Quick.CMS.Lite 2.4 allow remote attackers to hijack the authentication of the administrator for requests that (1) delet…

CVSS: 6.8 CWE: CWE-352
Read more
Medium

CVE-2009-4120

Multiple cross-site request forgery (CSRF) vulnerabilities in Quick.Cart 3.4 allow remote attackers to hijack the authentication of the administrator for requests that (1) delete orders via an orders…

CVSS: 6.8 CWE: CWE-352
Read more
Medium

CVE-2009-4119

Cross-site scripting (XSS) vulnerability in Feed Element Mapper module 5.x before 5.x-1.3, 6.x before 6.x-1.3, and 6.x-2.0-alpha before 6.x-2.0-alpha4 for Drupal allows remote attackers to inject arb…

CVSS: 4.3 CWE: CWE-79
Read more
Critical

CVE-2009-4117

Multiple stack-based buffer overflows in pdf_shade4.c in MuPDF before commit 20091125231942, as used in SumatraPDF before 1.0.1, allow remote attackers to cause a denial of service and possibly execu…

CVSS: 9.3 CWE: CWE-119
Read more
2009-11-30
Low

CVE-2009-4116

Multiple directory traversal vulnerabilities in CutePHP CuteNews 1.4.6, when magic_quotes_gpc is disabled, allow remote authenticated users with editor or administrative application access to read ar…

CVSS: 3.5 CWE: CWE-22
Read more
Medium

CVE-2009-4115

Multiple static code injection vulnerabilities in the Categories module in CutePHP CuteNews 1.4.6 allow remote authenticated users with application administrative privileges to inject arbitrary PHP c…

CVSS: 6.5 CWE: CWE-94
Read more
Medium

CVE-2009-4114

kl1.sys in Kaspersky Anti-Virus 2010 9.0.0.463, and possibly other versions before 9.0.0.736, does not properly validate input to IOCTL 0x0022c008, which allows local users to cause a denial of servi…

CVSS: 4.9 CWE: CWE-20
Read more
Medium

CVE-2009-4113

Static code injection vulnerability in the Categories module in CutePHP CuteNews 1.4.6 and UTF-8 CuteNews before 8b allows remote authenticated users with application administrative privileges to inj…

CVSS: 6.5 CWE: CWE-94
Read more
Medium

CVE-2009-4030

MySQL 5.1.x before 5.1.41 allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified (1) DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are or…

CVSS: 4.4 CWE: CWE-59
Read more
Medium

CVE-2009-4028

The vio_verify_callback function in viosslfactories.c in MySQL 5.0.x before 5.0.88 and 5.1.x before 5.1.41, when OpenSSL is used, accepts a value of zero for the depth of X.509 certificates, which al…

CVSS: 6.8 CWE: CWE-20
Read more
Medium

CVE-2008-7247

sql/sql_table.cc in MySQL 5.0.x through 5.0.88, 5.1.x through 5.1.41, and 6.0 before 6.0.9-alpha, when the data home directory contains a symlink to a different filesystem, allows remote authenticate…

CVSS: 6.0 CWE: CWE-59
Read more
2009-11-29
Medium

CVE-2009-4110

Cross-site scripting (XSS) vulnerability in the search functionality in DotNetNuke 4.8 through 5.1.4 allows remote attackers to inject arbitrary web script or HTML via search terms that are not prope…

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2009-4109

The install wizard in DotNetNuke 4.0 through 5.1.4 does not prevent anonymous users from accessing functionality related to determination of the need for an upgrade, which allows remote attackers to…

CVSS: 5.0 CWE: CWE-200
Read more
Medium

CVE-2009-4108

XM Easy Personal FTP Server 5.8.0 allows remote authenticated users to cause a denial of service (crash) by uploading or creating a large number of files or directories, then performing a LIST comman…

CVSS: 4.0 CWE: CWE-119
Read more
Critical

CVE-2009-4107

Buffer overflow in Invisible Browsing 5.0.52 allows user-assisted remote attackers to execute arbitrary code via a crafted .ibkey file containing a long string.

CVSS: 9.3 CWE: CWE-119
Read more
High

CVE-2009-4106

Unrestricted file upload vulnerability in admintools/editpage-2.php in Agoko CMS 0.4 and earlier allows remote attackers to inject and execute arbitrary PHP code via the filename and text parameters.

CVSS: 7.5 CWE: CWE-20
Read more
Low

CVE-2009-4105

TYPSoft FTP Server 1.10 allows remote authenticated users to cause a denial of service (crash) by sending an APPE (append) command immediately followed by a DELE (delete) command without sending file…

CVSS: 3.5 CWE: CWE-20
Read more
High

CVE-2009-4104

SQL injection vulnerability in Lyften Designs LyftenBloggie (com_lyftenbloggie) component 1.0.4 for Joomla! allows remote attackers to execute arbitrary SQL commands via the author parameter to index…

CVSS: 7.5 CWE: CWE-89
Read more
Critical

CVE-2009-4103

Buffer overflow in Robo-FTP 3.6.17, and possibly other versions, allows remote FTP servers to cause a denial of service and possibly execute arbitrary code via unspecified FTP server responses. NOTE…

CVSS: 9.3 CWE: CWE-119
Read more
Critical

CVE-2009-4102

Sage 1.4.3 and earlier extension for Firefox performs certain operations with chrome privileges, which allows remote attackers to execute arbitrary commands and perform cross-domain scripting attacks…

CVSS: 9.3 CWE: CWE-20
Read more
Critical

CVE-2009-4101

infoRSS 1.1.4.2 and earlier extension for Firefox performs certain operations with chrome privileges, which allows remote attackers to execute arbitrary commands and perform cross-domain scripting at…

CVSS: 9.3 CWE: CWE-20
Read more
Critical

CVE-2009-4100

Yoono extension before 6.1.1 for Firefox performs certain operations with chrome privileges, which allows user-assisted remote attackers to execute arbitrary commands and perform cross-domain scripti…

CVSS: 9.3 CWE: CWE-20
Read more
High

CVE-2009-4099

SQL injection vulnerability in the Google Calendar GCalendar (com_gcalendar) component 1.1.2, 2.1.4, and possibly earlier versions for Joomla! allows remote attackers to execute arbitrary SQL command…

CVSS: 7.5 CWE: CWE-89
Read more
Medium

CVE-2009-4098

Unrestricted file upload vulnerability in banner-edit.php in OpenX adserver 2.8.1 and earlier allows remote authenticated users with banner / file upload permissions to execute arbitrary code by uplo…

CVSS: 6.0 CWE: CWE-20
Read more
Critical

CVE-2009-4097

Stack-based buffer overflow in the MplayInputFile function in Serenity Audio Player 3.2.3 and earlier allows remote attackers to execute arbitrary code via a long URL in an M3U file. NOTE: some of t…

CVSS: 9.3 CWE: CWE-119
Read more
Medium

CVE-2009-4111

Argument injection vulnerability in Mail/sendmail.php in the Mail package 1.1.14, 1.2.0b2, and possibly other versions for PEAR allows remote attackers to read and write arbitrary files via a crafted…

CVSS: 6.8 CWE: CWE-94
Read more
Critical

CVE-2009-4025

Argument injection vulnerability in the traceroute function in Traceroute.php in the Net_Traceroute package before 0.21.2 for PEAR allows remote attackers to execute arbitrary shell commands via the…

CVSS: 10.0 CWE: CWE-78
Read more
Critical

CVE-2009-4024

Argument injection vulnerability in the ping function in Ping.php in the Net_Ping package before 2.4.5 for PEAR allows remote attackers to execute arbitrary shell commands via the host parameter. NO…

CVSS: 10.0 CWE: CWE-94
Read more
High

CVE-2009-4023

Argument injection vulnerability in the sendmail implementation of the Mail::Send method (Mail/sendmail.php) in the Mail package 1.1.14 for PEAR allows remote attackers to read and write arbitrary fi…

CVSS: 7.5 CWE: CWE-94
Read more
High

CVE-2009-4095

myPhile 1.2.1 allows remote attackers to bypass authentication via an empty password. NOTE: some of these details are obtained from third party information.

CVSS: 7.5 CWE: CWE-287
Read more
High

CVE-2009-4094

PHP remote file inclusion vulnerability in class/php/d4m_ajax_pagenav.php in the D4J eZine (com_ezine) component 2.1 for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the…

CVSS: 7.5 CWE: CWE-94
Read more
Medium

CVE-2009-4093

Multiple cross-site scripting (XSS) vulnerabilities in comments.php in Simplog 0.9.3.2, and possibly earlier, allow remote attackers to inject arbitrary web script or HTML via the (1) cname (Name) or…

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2009-4092

Cross-site request forgery (CSRF) vulnerability in user.php in Simplog 0.9.3.2, and possibly earlier, allows remote attackers to hijack the authentication of administrators and users for requests tha…

CVSS: 6.8 CWE: CWE-352
Read more
High

CVE-2009-4090

Unrestricted file upload vulnerability in ajax/addComment.php in telepark.wiki 2.4.23 and earlier script allows remote attackers to execute arbitrary code by uploading a file with a name containing a…

CVSS: 7.5 CWE: CWE-20
Read more
Medium

CVE-2009-4089

telepark.wiki 2.4.23 and earlier allows remote attackers to bypass authorization and (1) delete arbitrary pages via a modified pageID parameter to ajax/deletePage.php or (2) delete arbitrary comments…

CVSS: 5.0 CWE: CWE-287
Read more
Medium

CVE-2009-4088

Multiple directory traversal vulnerabilities in telepark.wiki 2.4.23 and earlier allow remote attackers to read arbitrary files via directory traversal sequences in the css parameter to (1) getjs.php…

CVSS: 6.8 CWE: CWE-22
Read more
Medium

CVE-2009-4087

Cross-site scripting (XSS) vulnerability in index.php in telepark.wiki 2.4.23 and earlier allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO.

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2009-4086

CRLF injection vulnerability in Xerver HTTP Server 4.31 and 4.32 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via certain byte sequences at the…

CVSS: 5.0 CWE: CWE-20
Read more
High

CVE-2009-4085

PHP remote file inclusion vulnerability in assets/plugins/mp3_id/mp3_id.php in PHP Traverser 0.8.0 allows remote attackers to execute arbitrary PHP code via a URL in the GLOBALS[BASE] parameter. NOT…

CVSS: 7.5 CWE: CWE-94
Read more
High

CVE-2009-4084

SQL injection vulnerability in the search feature in e107 0.7.16 and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

CVSS: 7.5 CWE: CWE-89
Read more
Medium

CVE-2009-4083

Multiple cross-site scripting (XSS) vulnerabilities in e107 0.7.16 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors in (1) submitnews.php, (2) userset…

CVSS: 4.3 CWE: CWE-79
Read more
High

CVE-2009-4082

PHP remote file inclusion vulnerability in forums/Forum_Include/index.php in Outreach Project Tool (OPT) 1.2.7 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the CRM_p…

CVSS: 7.5 CWE: CWE-94
Read more
Medium

CVE-2009-4032

Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.7e allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) graph.php, (2) include/top_graph_header.ph…

CVSS: 4.3 CWE: CWE-79
Read more
High

CVE-2009-4031

The do_insn_fetch function in arch/x86/kvm/emulate.c in the x86 emulator in the KVM subsystem in the Linux kernel before 2.6.32-rc8-next-20091125 tries to interpret instructions that contain too many…

CVSS: 7.8 CWE: CWE-20
Read more
2009-11-25
Medium

CVE-2009-4079

Cross-site request forgery (CSRF) vulnerability in Redmine 0.8.5 and earlier allows remote attackers to hijack the authentication of users for requests that delete a ticket via unspecified vectors.

CVSS: 6.8 CWE: CWE-352
Read more
Medium

CVE-2009-4078

Multiple cross-site scripting (XSS) vulnerabilities in Redmine 0.8.5 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2009-4077

Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail 0.2.2 and earlier allows remote attackers to hijack the authentication of unspecified users for requests that send arbitrary email…

CVSS: 6.8 CWE: CWE-352
Read more
Medium

CVE-2009-4076

Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail 0.2.2 and earlier allows remote attackers to hijack the authentication of unspecified users for requests that modify user informat…

CVSS: 6.8 CWE: CWE-352
Read more
Critical

CVE-2009-3033

Buffer overflow in the RunCmd method in the Altiris eXpress NS Console Utilities ActiveX control in AeXNSConsoleUtilities.dll in the web console in Symantec Altiris Deployment Solution 6.9.x, Altiris…

CVSS: 9.3 CWE: CWE-119
Read more
2009-11-24
Medium

CVE-2009-4073

The printing functionality in Microsoft Internet Explorer 8 allows remote attackers to discover a local pathname, and possibly a local username, by reading the dc:title element of a PDF document that…

CVSS: 5.0 CWE: CWE-200
Read more
High

CVE-2009-4070

SQL injection vulnerability in GForge 4.5.14, 4.7.3, and possibly other versions allows remote attackers to execute arbitrary SQL commands via unknown vectors.

CVSS: 7.5 CWE: CWE-89
Read more
Medium

CVE-2009-4069

Multiple cross-site scripting (XSS) vulnerabilities in GForge 4.5.14, 4.7.3, and possibly other versions allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS: 4.3 CWE: CWE-79
Read more