CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities Published In September 2008

Each entry below is one table row (fields separated by " | ", "-" for an empty field), followed by the vulnerability description on the next line:

# | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.
1 | CVE-2008-4366 | 20 | 1 | Exec Code | 2008-09-30 | 2009-01-29 | 6.5 | User | Remote | Low | Single system | Partial | Partial | Partial
Unrestricted file upload vulnerability in the image upload component in Camera Life 2.6.2b4 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in a user directory under images/photos/upload.
2 | CVE-2008-4365 | 79 | - | XSS | 2008-09-30 | 2008-10-01 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
Cross-site scripting (XSS) vulnerability in search.php in Siteman 1.1.11 and earlier allows remote attackers to inject arbitrary web script or HTML via unknown vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
3 | CVE-2008-4364 | 89 | 1 | Exec Code Sql | 2008-09-30 | 2009-01-29 | 7.5 | User | Remote | Low | Not required | Partial | Partial | Partial
SQL injection vulnerability in default.aspx in ParsaGostar ParsaWeb CMS allows remote attackers to execute arbitrary SQL commands via the (1) id parameter in the "page" page and (2) txtSearch parameter in the "Search" page.
4 | CVE-2008-4363 | 20 | 1 | DoS Exec Code | 2008-09-30 | 2009-01-29 | 7.2 | Admin | Local | Low | Not required | Complete | Complete | Complete
DLMFENC.sys 1.0.0.28 in DESlock+ 3.2.7 allows local users to cause a denial of service (system crash) or potentially execute arbitrary code via a certain DLMFENC_IOCTL request to \\.\DLKPFSD_Device that overwrites a pointer, probably related to use of the ProbeForRead function when ProbeForWrite was intended.
5 | CVE-2008-4362 | 399 | 1 | DoS | 2008-09-30 | 2009-01-29 | 4.9 | None | Local | Low | Not required | None | None | Complete
The Virtual Token driver (vdlptokn.sys) 1.0.2.43 in DESlock+ 3.2.7 allows local users to cause a denial of service (system crash) via a crafted IOCTL request to \Device\DLPTokenWalter0.
6 | CVE-2008-4361 | 22 | 1 | Dir. Trav. | 2008-09-30 | 2012-10-29 | 7.8 | None | Remote | Low | Not required | Complete | None | None
Directory traversal vulnerability in PowerPortal 2.0.13 allows remote attackers to list and possibly read arbitrary files via a .. (dot dot) in the path parameter to the default URI.
7 | CVE-2008-4358 | 20 | - | Dir. Trav. | 2008-09-30 | 2009-08-19 | 10.0 | Admin | Remote | Low | Not required | Complete | Complete | Complete
Unspecified vulnerability in class/theme.class.php in SPAW Editor PHP Edition before 2.0.8.1 has unknown impact and attack vectors, probably related to directory traversal sequences in the theme name.
8 | CVE-2008-4357 | 89 | 1 | Exec Code Sql | 2008-09-30 | 2009-08-19 | 7.5 | User | Remote | Low | Not required | Partial | Partial | Partial
SQL injection vulnerability in linkto.php in Powie pLink 2.07 allows remote attackers to execute arbitrary SQL commands via the id parameter.
9 | CVE-2008-4356 | 89 | 1 | Exec Code Sql | 2008-09-30 | 2009-08-19 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
Multiple SQL injection vulnerabilities in Kasseler CMS 1.1.0 and 1.2.0 allow remote attackers to execute arbitrary SQL commands via (1) the nid parameter to index.php in a View action to the News module; (2) the vid parameter to index.php in a Result action to the Voting module; (3) the fid parameter to index.php in a ShowForum action to the Forum module; (4) the tid parameter to index.php in a ShowTopic action to the Forum module; (5) the uname parameter to index.php in a UserInfo action to the Account module; or (6) the module parameter to index.php, probably related to the TopSites module.
10 | CVE-2008-4355 | 89 | 1 | Exec Code Sql | 2008-09-30 | 2008-10-01 | 7.5 | User | Remote | Low | Not required | Partial | Partial | Partial
SQL injection vulnerability in showprofil.php in Powie PSCRIPT Forum (aka PHP Forum or pForum) 1.30 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter.
11 | CVE-2008-4354 | 89 | 1 | Exec Code Sql | 2008-09-30 | 2009-08-19 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
SQL injection vulnerability in the products module in NetArt Media iBoutique 4.0 allows remote attackers to execute arbitrary SQL commands via the cat parameter to index.php.
12 | CVE-2008-4353 | 89 | 1 | Exec Code Sql | 2008-09-30 | 2008-10-01 | 7.5 | User | Remote | Low | Not required | Partial | Partial | Partial
SQL injection vulnerability in link.php in Linkarity allows remote attackers to execute arbitrary SQL commands via the cat_id parameter. NOTE: although one component of Linkarity is distributable PHP code, this issue might be site-specific. If so, it should not be included in CVE.
13 | CVE-2008-4352 | 89 | 1 | Exec Code Sql | 2008-09-30 | 2009-08-19 | 7.5 | User | Remote | Low | Not required | Partial | Partial | Partial
SQL injection vulnerability in inc/pages/viewprofile.php in phpSmartCom 0.2 allows remote attackers to execute arbitrary SQL commands via the uid parameter in a viewprofile action to index.php.
14 | CVE-2008-4351 | 22 | 1 | Dir. Trav. | 2008-09-30 | 2009-08-19 | 7.5 | User | Remote | Low | Not required | Partial | Partial | Partial
Directory traversal vulnerability in index.php in phpSmartCom 0.2 allows remote attackers to include and execute arbitrary files via a .. (dot dot) in the p parameter.
15 | CVE-2008-4350 | 89 | 1 | Exec Code Sql | 2008-09-30 | 2009-08-20 | 7.5 | User | Remote | Low | Not required | Partial | Partial | Partial
SQL injection vulnerability in main.php in vbLOGIX Tutorial Script 1.0 and earlier allows remote attackers to execute arbitrary SQL commands via the cat_id parameter in a list action.
16 | CVE-2008-4349 | 79 | - | XSS | 2008-09-30 | 2009-08-19 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
Multiple cross-site scripting (XSS) vulnerabilities in news.php in s0nic Paranews 3.4 allow remote attackers to inject arbitrary web script or HTML via the (1) id or (2) page parameter in a details action.
17 | CVE-2008-4348 | 89 | 1 | Exec Code Sql | 2008-09-30 | 2009-08-21 | 7.5 | User | Remote | Low | Not required | Partial | Partial | Partial
SQL injection vulnerability in photo.php in PHPortfolio, possibly 1.3, allows remote attackers to execute arbitrary SQL commands via the id parameter.
18 | CVE-2008-4347 | 89 | 1 | Exec Code Sql | 2008-09-30 | 2009-08-19 | 7.5 | User | Remote | Low | Not required | Partial | Partial | Partial
SQL injection vulnerability in newskom.php in Powie pNews 2.03 allows remote attackers to execute arbitrary SQL commands via the newsid parameter.
19 | CVE-2008-4346 | 22 | 1 | Dir. Trav. | 2008-09-30 | 2009-08-19 | 7.5 | User | Remote | Low | Not required | Partial | Partial | Partial
Directory traversal vulnerability in TalkBack 2.3.6 and 2.3.6.4 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the language parameter to comments.php, a different vector than CVE-2008-3371.
20 | CVE-2008-4345 | 89 | 1 | Exec Code Sql | 2008-09-30 | 2009-08-19 | 7.5 | User | Remote | Low | Not required | Partial | Partial | Partial
SQL injection vulnerability in download.php in WebPortal CMS 0.7.4 and earlier allows remote attackers to execute arbitrary SQL commands via the aid parameter.
21 | CVE-2008-4344 | 89 | 1 | Exec Code Sql | 2008-09-30 | 2009-08-19 | 7.5 | User | Remote | Low | Not required | Partial | Partial | Partial
SQL injection vulnerability in cat.php in 6rbScript allows remote attackers to execute arbitrary SQL commands via the CatID parameter.
22 | CVE-2008-4343 | 20 | 1 | Exec Code | 2008-09-30 | 2008-10-01 | 9.3 | Admin | Remote | Medium | Not required | Complete | Complete | Complete
The Chilkat XML ChilkatUtil.CkData.1 ActiveX control (ChilkatUtil.dll) 3.0.3.0 and earlier allows remote attackers to create, overwrite, and modify arbitrary files for execution via a call to the (1) SaveToFile, (2) SaveToTempFile, or (3) AppendBinary method. NOTE: this issue might only be exploitable in limited environments or non-default browser settings. NOTE: this can be leveraged for remote code execution by accessing files using hcp:// URLs.
23 | CVE-2008-4342 | 20 | 1 | Exec Code | 2008-09-30 | 2011-08-31 | 9.3 | None | Remote | Medium | Not required | Complete | Complete | Complete
NuMedia Soft NMS DVD Burning SDK Activex NMSDVDX.DVDEngineX.1 ActiveX control (NMSDVDX.dll) 1.013C and earlier, as used in CDBurnerXP 4.2.1.976, BurnAware 2.1.3, Blaze Media Pro 8.02 Special Edition, and possibly other products, allows remote attackers to overwrite and create arbitrary files via calls to the EnableLog and LogMessage methods. NOTE: this issue might only be exploitable in limited environments or non-default browser settings. NOTE: some of these details are obtained from third party information. NOTE: this can be leveraged for remote code execution by accessing files using hcp:// URLs.
24 | CVE-2008-4341 | 264 | 1 | Bypass | 2008-09-30 | 2009-02-12 | 7.5 | User | Remote | Low | Not required | Partial | Partial | Partial
add.php in MyBlog 0.9.8 and earlier allows remote attackers to bypass authentication and gain administrative access by setting a cookie with admin=yes and login=admin.
25 | CVE-2008-4340 | 20 | 1 | DoS | 2008-09-30 | 2009-08-19 | 4.3 | None | Remote | Medium | Not required | None | None | Partial
Google Chrome 0.2.149.29 and 0.2.149.30 allows remote attackers to cause a denial of service (memory consumption) via an HTML document containing a carriage return ("\r\n\r\n") argument to the window.open function.
26 | CVE-2008-4339 | 264 | - | +Priv | 2008-09-30 | 2009-08-19 | 6.5 | User | Remote | Low | Single system | Partial | Partial | Partial
Unspecified vulnerability in the Java Administration GUI (jnbSA) in Symantec Veritas NetBackup Server and NetBackup Enterprise Server 5.1 before MP7, 6.0 before MP7, and 6.5 before 6.5.2 allows remote authenticated users to gain privileges via unknown attack vectors related to "bpjava* binaries."
27 | CVE-2008-4338 | 89 | - | Exec Code Sql | 2008-09-30 | 2009-01-29 | 6.0 | User | Remote | Medium | Single system | Partial | Partial | Partial
SQL injection vulnerability in the brilliant_gallery_checklist_save function in the bgchecklist/save script in Brilliant Gallery 5.x and 6.x, a module for Drupal, allows remote authenticated users with "access brilliant_gallery" permissions to execute arbitrary SQL commands via the (1) nid, (2) qid, (3) state, and possibly (4) user parameters.
28 | CVE-2008-4337 | 79 | - | XSS | 2008-09-30 | 2008-10-01 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
Cross-site scripting (XSS) vulnerability in Bitweaver 2.0.2 allows remote attackers to inject arbitrary web script or HTML via the URL parameter to (1) edit.php and (2) list.php in articles/; (3) list_blogs.php and (4) rankings.php in blogs/; (5) calendar/index.php; (6) calendar.php, (7) index.php, and (8) list_events.php in events/; (9) index.php and (10) list_galleries.php in fisheye/; (11) liberty/list_content.php; (12) newsletters/edition.php; (13) pigeonholes/list.php; (14) recommends/index.php; (15) rss/index.php; (16) stars/index.php; (17) users/remind_password.php; (18) wiki/orphan_pages.php; and (19) stats/index.php, different vectors than CVE-2007-0526 and CVE-2005-4379. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
29 | CVE-2008-4336 | 79 | 1 | XSS | 2008-09-30 | 2009-08-19 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
Cross-site scripting (XSS) vulnerability in album.php in Atomic Photo Album (APA) 1.1.0pre4 allows remote attackers to inject arbitrary web script or HTML via the apa_album_ID parameter.
30 | CVE-2008-4335 | 89 | 2 | Exec Code Sql | 2008-09-30 | 2009-08-25 | 7.5 | User | Remote | Low | Not required | Partial | Partial | Partial
SQL injection vulnerability in album.php in Atomic Photo Album (APA) 1.1.0pre4 allows remote attackers to execute arbitrary SQL commands via the apa_album_ID parameter.
31 | CVE-2008-4334 | 264 | 1 | Bypass | 2008-09-30 | 2008-10-01 | 7.5 | User | Remote | Low | Not required | Partial | Partial | Partial
PHP infoBoard V.7 Plus allows remote attackers to bypass authentication and gain administrative access by setting the infouser cookie to 1.
32 | CVE-2008-4333 | 79 | 1 | XSS | 2008-09-30 | 2009-08-19 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
Cross-site scripting (XSS) vulnerability in PHP infoBoard V.7 Plus allows remote attackers to inject arbitrary web script or HTML via the isname parameter in a newtopic action.
33 | CVE-2008-4332 | 89 | 1 | Exec Code Sql | 2008-09-30 | 2009-08-19 | 7.5 | User | Remote | Low | Not required | Partial | Partial | Partial
SQL injection vulnerability in the showjavatopic function in func.php in PHP infoBoard V.7 Plus allows remote attackers to execute arbitrary SQL commands via the idcat parameter to showtopic.php.
34 | CVE-2008-4331 | 22 | 1 | Dir. Trav. | 2008-09-30 | 2009-08-19 | 7.5 | User | Remote | Low | Not required | Partial | Partial | Partial
Directory traversal vulnerability in library/pagefunctions.inc.php in phpOCS 0.1 beta3 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the act parameter to index.php.
35 | CVE-2008-4330 | 22 | 1 | Dir. Trav. | 2008-09-30 | 2008-10-15 | 7.5 | User | Remote | Low | Not required | Partial | Partial | Partial
Directory traversal vulnerability in index.php in LanSuite 3.3.2 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the design parameter.
36 | CVE-2008-4329 | 20 | 1 | Exec Code File Inclusion | 2008-09-30 | 2009-08-19 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
PHP remote file inclusion vulnerability in cms/system/openengine.php in openEngine 2.0 beta4 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the oe_classpath parameter.
37 | CVE-2008-4328 | 89 | - | Exec Code Sql | 2008-09-30 | 2009-08-19 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
SQL injection vulnerability in site_search.php in EasyRealtorPRO 2008 allows remote attackers to execute arbitrary SQL commands via the (1) item, (2) search_ordermethod, and (3) search_order parameters.
38 | CVE-2008-4327 | 189 | 1 | DoS | 2008-09-30 | 2008-10-23 | 4.3 | None | Remote | Medium | Not required | None | None | Partial
gdiplus.dll in GDI+ in Microsoft Windows XP SP3 does not properly handle crafted .ico files, which allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a certain crash.ico file on a web site, and allows user-assisted attackers to cause a denial of service (divide-by-zero error and persistent application crash) via this crash.ico file on the desktop, a different vulnerability than CVE-2007-2237.
39 | CVE-2008-4326 | 79 | - | XSS Bypass | 2008-09-30 | 2009-08-25 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
The PMA_escapeJsString function in libraries/js_escape.lib.php in phpMyAdmin before 2.11.9.2, when Internet Explorer is used, allows remote attackers to bypass cross-site scripting (XSS) protection mechanisms and conduct XSS attacks via a NUL byte inside a "</script" sequence.
40 | CVE-2008-4325 | - | - | - | 2008-09-30 | 2010-08-30 | 5.8 | None | Remote | Medium | Not required | None | Partial | Partial
lib/viewvc.py in ViewVC 1.0.5 uses the content-type parameter in the HTTP request for the Content-Type header in the HTTP response, which allows remote attackers to cause content to be misinterpreted by the browser via a content-type parameter that is inconsistent with the requested object. NOTE: this issue might not be a vulnerability, since it requires attacker access to the repository that is being viewed.
41 | CVE-2008-4324 | 399 | 1 | DoS | 2008-09-29 | 2009-10-06 | 5.0 | None | Remote | Low | Not required | None | None | Partial
The user interface event dispatcher in Mozilla Firefox 3.0.3 on Windows XP SP2 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a series of keypress, click, onkeydown, onkeyup, onmousedown, and onmouseup events. NOTE: it was later reported that Firefox 3.0.2 on Mac OS X 10.5 is also affected.
42 | CVE-2008-4323 | - | 1 | DoS | 2008-09-29 | 2008-09-30 | 4.3 | None | Remote | Medium | Not required | None | None | Partial
Windows Explorer in Microsoft Windows XP SP3 allows user-assisted attackers to cause a denial of service (application crash) via a crafted .ZIP file.
43 | CVE-2008-4322 | 119 | - | Exec Code Overflow | 2008-09-29 | 2008-12-10 | 10.0 | Admin | Remote | Low | Not required | Complete | Complete | Complete
Stack-based buffer overflow in RealFlex Technologies Ltd. RealWin Server 2.0, as distributed by DATAC, allows remote attackers to execute arbitrary code via a crafted FC_INFOTAG/SET_CONTROL packet.
44 | CVE-2008-4321 | 119 | 3 | Exec Code Overflow | 2008-09-29 | 2009-03-18 | 9.3 | Admin | Remote | Medium | Not required | Complete | Complete | Complete
Buffer overflow in FlashGet (formerly JetCar) FTP 1.9 allows remote FTP servers to execute arbitrary code via a long response to the PWD command.
45 | CVE-2008-4320 | 79 | - | XSS | 2008-09-29 | 2009-08-19 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
Multiple cross-site scripting (XSS) vulnerabilities in OpenNMS before 1.5.94 allow remote attackers to inject arbitrary web script or HTML via (1) the j_username parameter to j_acegi_security_check, (2) the username parameter to notification/list.jsp, and (3) the filter parameter to event/list.
46 | CVE-2008-4319 | 287 | 1 | Bypass | 2008-09-29 | 2009-08-19 | 6.4 | None | Remote | Low | Not required | Partial | Partial | None
fileadmin.php in Libra File Manager (aka Libra PHP File Manager) 1.18 and earlier allows remote attackers to bypass authentication, and read arbitrary files, modify arbitrary files, and list arbitrary directories, by inserting certain user and isadmin parameters in the query string.
47 | CVE-2008-4318 | 20 | 1 | Exec Code | 2008-09-29 | 2009-01-29 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
Observer 0.3.2.1 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the query parameter to (1) whois.php or (2) netcmd.php.
48 | CVE-2008-4302 | 399 | - | DoS | 2008-09-29 | 2012-03-19 | 4.9 | None | Local | Low | Not required | None | None | Complete
fs/splice.c in the splice subsystem in the Linux kernel before 2.6.22.2 does not properly handle a failure of the add_to_page_cache_lru function, and subsequently attempts to unlock a page that was not locked, which allows local users to cause a denial of service (kernel BUG and system crash), as demonstrated by the fio I/O tool.
49 | CVE-2008-4301 | 255 | - | - | 2008-09-29 | 2008-10-07 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
** DISPUTED ** A certain ActiveX control in iisext.dll in Microsoft Internet Information Services (IIS) allows remote attackers to set a password via a string argument to the SetPassword method. NOTE: this issue could not be reproduced by a reliable third party. In addition, the original researcher is unreliable. Therefore the original disclosure is probably erroneous.
50 | CVE-2008-4300 | 20 | - | DoS | 2008-09-29 | 2009-01-29 | 5.0 | None | Remote | Low | Not required | None | None | Partial
A certain ActiveX control in adsiis.dll in Microsoft Internet Information Services (IIS) allows remote attackers to cause a denial of service (browser crash) via a long string in the second argument to the GetObject method. NOTE: this issue was disclosed by an unreliable researcher, so it might be incorrect.
Total number of vulnerabilities: 449 (this is page 1 of 9)
CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.