Security Vulnerabilities Published In August 2008

Each entry below is listed in four lines: (1) the row number, CVE ID, CWE ID (if assigned), number of known exploits (if any), vulnerability type(s), publish date and update date; (2) the CVSS score; (3) the gained access level, access complexity, authentication requirement, and confidentiality, integrity and availability impact; (4) the vulnerability description.
1 CVE-2008-3874 79 XSS 2008-08-29 2009-01-29
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in account.php in Lussumo Vanilla 1.1.5-rc1, 1.1.4, and earlier allows remote authenticated users to inject arbitrary web script or HTML via the Value field (aka Label ==> Value pairs). NOTE: some of these details are obtained from third party information.
2 CVE-2008-3873 2008-08-29 2009-09-01
4.3
None Remote Medium Not required None None Partial
The System.setClipboard method in ActionScript in Adobe Flash Player 9.0.124.0 and earlier allows remote attackers to populate the clipboard with a URL that is difficult to delete and does not require user interaction to populate the clipboard, as exploited in the wild in August 2008.
3 CVE-2008-3861 89 1 Exec Code Sql 2008-08-29 2009-08-29
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in phpMyRealty (PMR) 1.0.9 and earlier allow remote attackers to execute arbitrary SQL commands via (1) the id parameter in pages.php and (2) the price_max parameter in search.php.
4 CVE-2008-3860 79 XSS 2008-08-29 2009-08-15
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities (1) in the WYSIWYG editors, (2) during local group creation, (3) during HTML redirects, (4) in the HTML import, (5) in the Rich text editor, and (6) in link-page in IBM Lotus Quickr 8.1 services for Lotus Domino before Hotfix 15 allow remote attackers to inject arbitrary web script or HTML via unknown vectors, including (7) the Imported Page. NOTE: the vulnerability in the WYSIWYG editors may exist because of an incomplete fix for CVE-2008-2163.
5 CVE-2008-3859 255 1 2008-08-29 2009-03-13
5.0
None Remote Low Not required Partial None None
Davlin Thickbox Gallery 2 allows remote attackers to obtain the administrative username and MD5 password hash via a direct request to conf/admins.php.
6 CVE-2008-3858 264 DoS 2008-08-28 2008-11-15
4.3
None Remote Medium Not required None None Partial
The Downlevel DB2RA Support component in IBM DB2 9.1 before Fixpak 4a allows remote attackers to cause a denial of service (instance crash) via a crafted CONNECT data stream that simulates a V7 client connect request.
7 CVE-2008-3857 200 +Info 2008-08-28 2008-09-24
4.6
User Local Low Not required Partial Partial Partial
The Base Service Utilities component in IBM DB2 9.1 before Fixpak 5 retains a cleartext password in memory after the database connection that sent the password is fully established, which might allow local users to obtain sensitive information by reading a memory dump.
8 CVE-2008-3856 264 2008-08-28 2009-08-12
7.5
None Remote Low Not required Partial Partial Partial
The routine infrastructure component in IBM DB2 8 before FP17, 9.1 before FP5, and 9.5 before FP1 on Unix and Linux does not change the ownership of the db2fmp process, which has unknown impact and attack vectors.
9 CVE-2008-3855 264 +Priv 2008-08-28 2008-09-05
4.6
User Local Low Not required Partial Partial Partial
Unspecified vulnerability in the DB2 Administration Server (DAS) in the Core DAS function component in IBM DB2 9.1 before Fixpak 5 allows local users to gain privileges, aka a "FILE CREATION VULNERABILITY." NOTE: this may be the same as CVE-2007-5664.
10 CVE-2008-3854 119 DoS Overflow 2008-08-28 2011-09-06
7.8
None Remote Low Not required None None Complete
Multiple stack-based buffer overflows in IBM DB2 9.1 before Fixpak 5 and 9.5 before Fixpak 1 allow remote attackers to cause a denial of service (system outage) via vectors related to (1) use of XQuery to issue statements; the (2) XMLQUERY, (3) XMLEXISTS, and (4) XMLTABLE statements; and the (5) sqlrlaka function.
11 CVE-2008-3853 119 DoS Exec Code Overflow 2008-08-28 2009-06-05
9.3
None Remote Medium Not required Complete Complete Complete
Buffer overflow in the DAS server program in the Core DAS function component in IBM DB2 9.1 before FP4a and 9.5 before FP1 allows remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via unspecified vectors. NOTE: this might be related to CVE-2007-3676.
12 CVE-2008-3852 264 Exec Code 2008-08-28 2008-09-24
6.5
None Remote Low Single system Partial Partial Partial
Unspecified vulnerability in the CLR stored procedure deployment from IBM Database Add-Ins for Visual Studio in the Visual Studio Net component in IBM DB2 9.1 before Fixpak 5 and 9.5 before Fixpak 2 allows remote authenticated users to execute arbitrary code via unknown vectors.
13 CVE-2008-3851 22 1 Dir. Trav. 2008-08-27 2009-01-29
5.0
None Remote Low Not required Partial None None
Multiple directory traversal vulnerabilities in Pluck CMS 4.5.2 on Windows allow remote attackers to include and execute arbitrary local files via a ..\ (dot dot backslash) in the (1) blogpost, (2) cat, and (3) file parameters to data/inc/themes/predefined_variables.php, as reachable through index.php; and the (4) blogpost and (5) cat parameters to data/inc/blog_include_react.php, as reachable through index.php. NOTE: the issue involving vectors 1 through 3 reportedly exists because of an incomplete fix for CVE-2008-3194.
14 CVE-2008-3850 79 XSS 2008-08-27 2009-03-18
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Accellion File Transfer FTA_7_0_135 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to courier/forgot_password.html.
15 CVE-2008-3849 79 XSS 2008-08-27 2008-09-10
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the calendar controller in Civic Website Manager before 1.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, probably involving (1) month, (2) day, and (3) year fields.
16 CVE-2008-3848 89 1 Exec Code Sql 2008-08-27 2008-09-10
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in single.php in Z-Breaknews 2.0 allows remote attackers to execute arbitrary SQL commands via the id parameter.
17 CVE-2008-3847 79 XSS 2008-08-27 2008-09-10
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in AN Guestbook (ANG) before 0.7.6 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
18 CVE-2008-3846 79 XSS 2008-08-27 2009-08-19
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in mysql-lists 1.2 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
19 CVE-2008-3845 89 1 Exec Code Sql 2008-08-27 2009-08-19
7.5
User Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in Crafty Syntax Live Help (CSLH) 2.14.6 and earlier allow remote attackers to execute arbitrary SQL commands via the department parameter to (1) is_xmlhttp.php and (2) is_flush.php.
20 CVE-2008-3844 2008-08-27 2009-02-21
9.3
None Remote Medium Not required Complete Complete Complete
Certain Red Hat Enterprise Linux (RHEL) 4 and 5 packages for OpenSSH, as signed in August 2008 using a legitimate Red Hat GPG key, contain an externally introduced modification (Trojan Horse) that allows the package authors to have an unknown impact. NOTE: since the malicious packages were not distributed from any official Red Hat sources, the scope of this issue is restricted to users who may have obtained these packages through unofficial distribution points. As of 20080827, no unofficial distributions of this software are known.
21 CVE-2008-3843 79 XSS 2008-08-27 2009-08-15
4.3
None Remote Medium Not required None Partial None
Request Validation (aka the ValidateRequest filters) in ASP.NET in Microsoft .NET Framework with the MS07-040 update does not properly detect dangerous client input, which allows remote attackers to conduct cross-site scripting (XSS) attacks, as demonstrated by a query string containing a "<~/" (less-than tilde slash) sequence followed by a crafted STYLE element.
22 CVE-2008-3842 79 XSS 2008-08-27 2009-01-29
4.3
None Remote Medium Not required None Partial None
Request Validation (aka the ValidateRequest filters) in ASP.NET in Microsoft .NET Framework without the MS07-040 update does not properly detect dangerous client input, which allows remote attackers to conduct cross-site scripting (XSS) attacks, as demonstrated by a query string containing a "</" (less-than slash) sequence.
23 CVE-2008-3841 79 XSS 2008-08-27 2009-01-29
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in admin/search_links.php in Freeway eCommerce 1.4.1.171 allows remote attackers to inject arbitrary web script or HTML via the search_link parameter.
24 CVE-2008-3840 255 +Info 2008-08-27 2009-01-29
5.0
None Remote Low Not required Partial None None
Crafty Syntax Live Help (CSLH) 2.14.6 and earlier stores passwords in cleartext in a MySQL database, which allows context-dependent attackers to obtain sensitive information.
25 CVE-2008-3839 DoS 2008-08-27 2009-08-26
4.7
None Local Medium Not required None None Complete
Unspecified vulnerability in the NFS module in the kernel in Sun Solaris 10 and OpenSolaris snv_59 through snv_87, when configured as an NFS server without the nodevices option, allows local users to cause a denial of service (panic) via unspecified vectors.
26 CVE-2008-3838 20 DoS 2008-08-27 2008-09-10
7.2
None Local Low Not required Complete Complete Complete
Unspecified vulnerability in the NFS Remote Procedure Calls (RPC) zones implementation in Sun Solaris 10 and OpenSolaris before snv_88 allows local administrators of non-global zones to read and modify NFS traffic for arbitrary non-global zones, possibly leading to file modifications or a denial of service.
27 CVE-2008-3796 20 DoS 2008-08-27 2009-02-20
5.0
None Remote Low Not required None None Partial
Swfdec 0.6 before 0.6.8 allows remote attackers to cause a denial of service (application crash) via a 1x1 JPEG image.
28 CVE-2008-3795 119 1 Overflow 2008-08-27 2009-03-18
10.0
None Remote Low Not required Complete Complete Complete
Buffer overflow in Ipswitch WS_FTP Home client allows remote FTP servers to have an unknown impact via a long "message response."
29 CVE-2008-3794 189 1 Exec Code Overflow Bypass 2008-08-26 2012-01-27
6.8
User Remote Medium Not required Partial Partial Partial
Integer signedness error in the mms_ReceiveCommand function in modules/access/mms/mmstu.c in VLC Media Player 0.8.6i allows remote attackers to execute arbitrary code via a crafted mmst link with a negative size value, which bypasses a size check and triggers an integer overflow followed by a heap-based buffer overflow.
30 CVE-2008-3790 20 DoS 2008-08-27 2010-08-21
5.0
None Remote Low Not required None None Partial
The REXML module in Ruby 1.8.6 through 1.8.6-p287, 1.8.7 through 1.8.7-p72, and 1.9 allows context-dependent attackers to cause a denial of service (CPU consumption) via an XML document with recursively nested entities, aka an "XML entity explosion."
31 CVE-2008-3789 264 2008-08-27 2008-11-15
2.1
None Local Low Not required None Partial None
Samba 3.2.0 uses weak permissions (0666) for the (1) group_mapping.tdb and (2) group_mapping.ldb files, which allows local users to modify the membership of Unix groups.
32 CVE-2008-3788 89 2 Exec Code Sql 2008-08-26 2009-01-29
6.8
User Remote Medium Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in PICTURESPRO Photo Cart 3.9, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) qtitle, (2) qid, and (3) qyear parameters to (a) search.php, and the (4) email and (5) password parameters to (b) _login.php.
33 CVE-2008-3787 89 1 Exec Code Sql 2008-08-26 2009-01-29
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in listing_view.php in Web Directory Script 2.0 and earlier allows remote attackers to execute arbitrary SQL commands via the name parameter.
34 CVE-2008-3786 79 XSS 2008-08-26 2008-09-05
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in index.php in PICTURESPRO Photo Cart 3.9 allows remote attackers to inject arbitrary web script or HTML via the qtitle parameter (aka "Gallery or event name" field) in a search action.
35 CVE-2008-3785 89 1 Exec Code Sql 2008-08-26 2009-01-29
7.5
User Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in the com_content component in MiaCMS 4.6.5 allow remote attackers to execute arbitrary SQL commands via the id parameter in a (1) view, (2) category, or (3) blogsection action to index.php.
36 CVE-2008-3784 89 1 Exec Code Sql 2008-08-26 2009-01-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in scrape.php in BtiTracker 1.4.7 and earlier and xBtiTracker 2.0.542 and earlier allows remote attackers to execute arbitrary SQL commands via the info_hash parameter.
37 CVE-2008-3783 89 1 Exec Code Sql 2008-08-26 2009-01-29
6.8
None Remote Medium Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in index.php in Matterdaddy Market 1.1, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) category and (2) type parameters.
38 CVE-2008-3782 79 XSS 2008-08-26 2008-09-05
3.5
None Remote Medium Single system None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in admin/index.php in ACG-PTP 1.0.6 allow remote authenticated administrators to inject arbitrary web script or HTML via the (1) Category name field under Advertisement Packages, the (2) Reason field under Credit/Debit Users, and the (3) FAQ question and (4) FAQ answer fields under Add New FAQ Entry.
39 CVE-2008-3781 79 XSS 2008-08-26 2008-09-10
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in GMOD GBrowse before 1.69 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
40 CVE-2008-3780 89 1 Exec Code Sql 2008-08-26 2009-01-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in recommend.php in Five Star Review Script allows remote attackers to execute arbitrary SQL commands via the item_id parameter.
41 CVE-2008-3779 79 1 XSS 2008-08-26 2009-01-29
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in search/index.php in Five Star Review Script allows remote attackers to inject arbitrary web script or HTML via the words parameter in a search action.
42 CVE-2008-3778 264 DoS +Priv 2008-08-25 2008-09-08
7.5
User Remote Low Not required Partial Partial Partial
The remote management interface in SIP Enablement Services (SES) Server in Avaya SIP Enablement Services 5.0, and Communication Manager (CM) 5.0 on the S8300C with SES enabled, proceeds with Core router updates even when a login is invalid, which allows remote attackers to cause a denial of service (messaging outage) or gain privileges via an update request.
43 CVE-2008-3777 200 +Info 2008-08-25 2008-09-08
2.1
None Local Low Not required Partial None None
The SIP Enablement Services (SES) Server in Avaya SIP Enablement Services 5.0, and Communication Manager (CM) 5.0 on the S8300C with SES enabled, writes account names and passwords to the (1) alarm and (2) system logs during failed login attempts, which allows local users to obtain login credentials by reading these logs.
44 CVE-2008-3776 22 Dir. Trav. 2008-08-25 2008-09-10
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in Fujitsu Web-Based Admin View 2.1.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the URI.
45 CVE-2008-3775 310 +Info 2008-08-22 2009-01-29
2.1
None Local Low Not required Partial None None
Folder Lock 5.9.5 and earlier uses weak encryption (ROT-25) for the password, which allows local administrators to obtain sensitive information by reading and decrypting the QualityControl\_pack registry value.
46 CVE-2008-3774 89 1 Exec Code Sql 2008-08-22 2008-09-10
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in index.php in Simasy CMS allows remote attackers to execute arbitrary SQL commands via the id parameter.
47 CVE-2008-3773 79 XSS 2008-08-22 2009-01-29
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in vBulletin 3.7.2 PL1 and 3.6.10 PL3, when "Show New Private Message Notification Pop-Up" is enabled, allows remote authenticated users to inject arbitrary web script or HTML via a private message subject (aka newpm[title]).
48 CVE-2008-3772 89 1 Exec Code Sql 2008-08-22 2008-09-10
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in categories_portal.php in Pars4u Videosharing 1 allows remote attackers to execute arbitrary SQL commands via the cat_id parameter.
49 CVE-2008-3771 79 1 XSS 2008-08-22 2008-09-10
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in members.php in Pars4u Videosharing 1 allows remote attackers to inject arbitrary web script or HTML via the PageNo parameter.
50 CVE-2008-3770 22 Dir. Trav. 2008-08-22 2009-01-29
6.8
None Remote Medium Not required Partial Partial Partial
Multiple directory traversal vulnerabilities in Freeway 1.4.1.171, when register_globals is enabled, allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the language parameter to (1) includes/events_application_top.php; (2) english/account.php, (3) french/account.php, and (4) french/account_newsletters.php in includes/languages/; (5) includes/modules/faqdesk/faqdesk_article_require.php; (6) includes/modules/newsdesk/newsdesk_article_require.php; (7) card1.php, (8) loginbox.php, and (9) whos_online.php in templates/Freeway/boxes/; and (10) templates/Freeway/mainpage_modules/mainpage.php. NOTE: vector 1 may be the same as CVE-2008-3677.
Total number of vulnerabilities published in August 2008: 367 (page 1 of 8; entries 1 to 50 shown above).