| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complex
ity
|
Authen
tication
|
Confiden
tiality
|
Integrity
|
Availa
bility
|
|
1 |
CVE-2009-3832 |
20 |
|
|
2009-10-30 |
2010-08-21 |
5.8 |
None |
Remote |
Medium |
Not required |
None |
Partial |
Partial |
|
Opera before 10.01 on Windows does not prevent use of Web fonts in rendering the product's own user interface, which allows remote attackers to spoof the address field via a crafted web site. |
|
2 |
CVE-2009-3831 |
94 |
|
DoS Exec Code Mem. Corr. |
2009-10-30 |
2010-08-21 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
Opera before 10.01 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted domain name. |
|
3 |
CVE-2009-3830 |
20 |
|
|
2009-10-30 |
2009-11-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The download functionality in Team Services in Microsoft Office SharePoint Server 2007 12.0.0.4518 and 12.0.0.6219 allows remote attackers to read ASP.NET source code via pathnames in the SourceUrl and Source parameters to _layouts/download.aspx. |
|
4 |
CVE-2009-3829 |
189 |
|
DoS Exec Code Overflow |
2009-10-30 |
2010-08-21 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
Integer overflow in wiretap/erf.c in Wireshark before 1.2.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted erf file, related to an "unsigned integer wrap vulnerability." |
|
5 |
CVE-2009-3828 |
287 |
|
Bypass |
2009-10-30 |
2009-11-02 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The web interface for Everfocus EDR1600 DVR allows remote attackers to bypass authentication and access live cams via certain vectors. |
|
6 |
CVE-2009-3826 |
119 |
|
Overflow Bypass |
2009-10-28 |
2010-09-09 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Multiple buffer overflows in squidGuard 1.4 allow remote attackers to bypass intended URL blocking via a long URL, related to (1) the relationship between a certain buffer size in squidGuard and a certain buffer size in Squid and (2) a redirect URL that contains information about the originally requested URL. |
|
7 |
CVE-2009-3825 |
22 |
1
|
Dir. Trav. |
2009-10-28 |
2011-12-14 |
7.5 |
User |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Multiple directory traversal vulnerabilities in GenCMS 2006 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the (1) p parameter to show.php and the (2) Template parameter to admin/pages/SiteNew.php. |
|
8 |
CVE-2009-3824 |
22 |
1
|
Dir. Trav. |
2009-10-28 |
2009-10-29 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Directory traversal vulnerability in include/processor.php in Greenwood PHP Content Manager 0.3.2 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the content_path parameter. |
|
9 |
CVE-2009-3823 |
22 |
1
|
Dir. Trav. |
2009-10-28 |
2011-12-14 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Directory traversal vulnerability in myhtml.php in Mobilelib GOLD 3.0, when magic_quotes_gpc is enabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the GLOBALS[page] parameter. |
|
10 |
CVE-2009-3822 |
94 |
|
Exec Code File Inclusion |
2009-10-28 |
2009-10-28 |
7.5 |
User |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
PHP remote file inclusion vulnerability in Fiji Web Design Ajax Chat (com_ajaxchat) component 1.0 for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the GLOBALS[mosConfig_absolute_path] parameter to tests/ajcuser.php. |
|
11 |
CVE-2009-3821 |
79 |
|
XSS |
2009-10-28 |
2011-12-14 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Apache Solr Search (solr) extension 1.0.0 for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
|
12 |
CVE-2009-3820 |
89 |
|
Exec Code Sql |
2009-10-28 |
2011-12-14 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in the Flagbit Filebase (fb_filebase) extension 0.1.0 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. |
|
13 |
CVE-2009-3819 |
|
|
Exec Code |
2009-10-28 |
2011-12-14 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
Unspecified vulnerability in the Random Images (maag_randomimage) extension 1.6.4 and earlier for TYPO3 allows remote attackers to execute arbitrary shell commands via unspecified vectors. |
|
14 |
CVE-2009-3818 |
|
|
|
2009-10-28 |
2009-10-28 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
Unspecified vulnerability in the session handling feature in freeCap CAPTCHA (sr_freecap) extension 1.2.0 and earlier for TYPO3 has unknown impact and attack vectors. |
|
15 |
CVE-2009-3817 |
94 |
|
Exec Code File Inclusion |
2009-10-28 |
2009-10-28 |
7.5 |
User |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
PHP remote file inclusion vulnerability in doc/releasenote.php in the BookLibrary (com_booklibrary) component 1.0 for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter, a different vector than CVE-2009-2637. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. |
|
16 |
CVE-2009-3816 |
79 |
|
XSS |
2009-10-28 |
2009-10-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in Activities pages in the Mobile subsystem in IBM Lotus Connections 2.5.0.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
|
17 |
CVE-2009-3815 |
200 |
|
+Info |
2009-10-27 |
2009-10-28 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
RunCMS 2M1, when running with certain error_reporting levels, allows remote attackers to obtain sensitive information via (1) the op[] parameter to modules/contact/index.php or (2) uid[] parameter to userinfo.php, which leaks the installation path in an error message when these parameters are used in a call to the preg_match function. |
|
18 |
CVE-2009-3814 |
94 |
|
Exec Code |
2009-10-27 |
2009-10-28 |
6.5 |
User |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
Static code injection vulnerability in RunCMS 2M1 allows remote authenticated administrators to execute arbitrary PHP code via the "Filter/Banning" feature, as demonstrated by modifying modules/system/cache/bademails.php using the "Prohibited: Emails" action, and other unspecified filters. |
|
19 |
CVE-2009-3813 |
89 |
|
Exec Code Sql |
2009-10-27 |
2009-10-28 |
6.5 |
User |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
Multiple SQL injection vulnerabilities in RunCMS 2M1 allow remote authenticated users to execute arbitrary SQL commands via the (1) forum parameter to modules/forum/post.php and possibly (2) forum_id variable to modules/forum/class/class.permissions.php. |
|
20 |
CVE-2009-3812 |
119 |
2
|
Exec Code Overflow |
2009-10-27 |
2009-10-28 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
Heap-based buffer overflow in OtsAV DJ trial version 1.85.64.0, Radio trial version 1.85.64.0, TV trial version 1.85.64.0, and Free version 1.77.001 allows remote attackers to execute arbitrary code via a long playlist in an Ots File List (.ofl) file. |
|
21 |
CVE-2009-3811 |
119 |
1
|
Exec Code Overflow |
2009-10-27 |
2009-10-28 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
Stack-based buffer overflow in Music Tag Editor 1.61 build 212 allows remote attackers to execute arbitrary code via an MP3 file with a long ID3 tag. NOTE: some of these details are obtained from third party information. |
|
22 |
CVE-2009-3810 |
119 |
1
|
DoS Exec Code Overflow |
2009-10-27 |
2009-10-28 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
Heap-based buffer overflow in Acoustica MP3 Audio Mixer 2.471 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a long string in a .M3U playlist file. |
|
23 |
CVE-2009-3809 |
119 |
1
|
DoS Overflow |
2009-10-27 |
2009-10-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
Acoustica MP3 Audio Mixer 1.0 and possibly 2.471 allows remote attackers to cause a denial of service (crash) via a long string in a .sgp playlist file. |
|
24 |
CVE-2009-3808 |
|
1
|
DoS Exec Code |
2009-10-27 |
2009-10-28 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
MixSense DJ Studio 1.0.0.1 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a long string in an .mp3 playlist file. |
|
25 |
CVE-2009-3807 |
119 |
1
|
DoS Overflow |
2009-10-27 |
2009-10-28 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
Stack-based buffer overflow in MixVibes 7.043 Pro allows remote attackers to cause a denial of service (crash) via a long string in a .vib file. |
|
26 |
CVE-2009-3806 |
89 |
|
Exec Code Sql |
2009-10-27 |
2009-10-28 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in feedback_js.php in DedeCMS 5.1 allows remote attackers to execute arbitrary SQL commands via the arcurl parameter. |
|
27 |
CVE-2009-3805 |
|
1
|
DoS |
2009-10-27 |
2009-10-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
gpg2.exe in Gpg4win 2.0.1, as used in KDE Kleopatra 2.0.11, allows remote attackers to cause a denial of service (application crash) via a long certificate signature. |
|
28 |
CVE-2009-3804 |
89 |
|
Exec Code Sql |
2009-10-27 |
2009-10-28 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
Multiple SQL injection vulnerabilities in modules/forum/post.php in RunCMS 2M1 allow remote authenticated users to execute arbitrary SQL commands via (1) the pid parameter, which is not properly handled by the store function in modules/forum/class/class.forumposts.php, or (2) the topic_id parameter. |
|
29 |
CVE-2009-3803 |
79 |
1
|
XSS |
2009-10-27 |
2009-10-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in Amiro.CMS 5.4.0.0 and earlier allow remote attackers to inject arbitrary web script or HTML via the status_message parameter to (1) /news, (2) /comment, (3) /forum, (4) /blog, and (5) /tags; the status_message parameter to (6) forum.php, (7) discussion.php, (8) guestbook.php, (9) blog.php, (10) news.php, (11) srv_updates.php, (12) srv_backups.php, (13) srv_twist_prevention.php, (14) srv_tags.php, (15) srv_tags_reindex.php, (16) google_sitemap.php, (17) sitemap_history.php, (18) srv_options.php, (19) locales.php and (20) plugins_wizard.php in _admin/; a crafted IMG BBcode tag in the message body of a (21) forum, (22) guestbook, or (23) comment; (24) the content of an avatar file, which is not properly handled by Internet Explorer; and (25) the loginname parameter (aka username) in _admin/index.php. |
|
30 |
CVE-2009-3802 |
20 |
1
|
+Info |
2009-10-27 |
2009-10-28 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Amiro.CMS 5.4.0.0 and earlier allows remote attackers to obtain sensitive information via an invalid loginname ("%%%") to _admin/index.php, which reveals the installation path and other information in an error message. |
|
31 |
CVE-2009-3801 |
89 |
|
Exec Code Sql |
2009-10-27 |
2009-10-28 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in index.php in OpenDocMan 1.2.5 allows remote attackers to execute arbitrary SQL commands via the frmpass (aka Password) parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. |
|
32 |
CVE-2009-3790 |
119 |
|
DoS Exec Code Overflow |
2009-10-26 |
2009-10-27 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
Heap-based buffer overflow in FormMax (formerly AcroForm) evaluation 3.5 allows remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted FormMax import (.aim) file. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. |
|
33 |
CVE-2009-3789 |
79 |
|
XSS |
2009-10-26 |
2009-10-31 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in OpenDocMan 1.2.5 allow remote attackers to inject arbitrary web script or HTML via the last_message parameter to (1) add.php, (2) toBePublished.php, (3) index.php, and (4) admin.php; the PATH_INFO to the default URI to (5) category.php, (6) department.php, (7) profile.php, (8) rejects.php, (9) search.php, (10) toBePublished.php, (11) user.php, and (12) view_file.php; and (13) the caller parameter in a Modify User action to user.php. |
|
34 |
CVE-2009-3788 |
89 |
|
Exec Code Sql |
2009-10-26 |
2009-10-31 |
7.5 |
User |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in index.php in OpenDocMan 1.2.5 allows remote attackers to execute arbitrary SQL commands via the frmuser (aka Username) parameter. |
|
35 |
CVE-2009-3787 |
22 |
|
Dir. Trav. |
2009-10-26 |
2009-10-27 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
files.php in Vivvo CMS 4.1.5.1 allows remote attackers to conduct directory traversal attacks and read arbitrary files via the file parameter with "logs/" in between two . (dot) characters, which is filtered into a "../" sequence. |
|
36 |
CVE-2009-3786 |
79 |
|
XSS |
2009-10-26 |
2009-11-11 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in Organic Groups (OG) Vocabulary 5.x before 5.x-1.1 and 6.x before 6.x-1.1, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via the group title. |
|
37 |
CVE-2009-3785 |
352 |
|
CSRF |
2009-10-26 |
2009-10-27 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Multiple cross-site request forgery (CSRF) vulnerabilities in Simplenews Statistics 6.x before 6.x-2.0, a module for Drupal, allow remote attackers to hijack the authentication of arbitrary users via unknown vectors. |
|
38 |
CVE-2009-3784 |
352 |
|
|
2009-10-26 |
2009-10-27 |
6.8 |
User |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Open redirect vulnerability in Simplenews Statistics 6.x before 6.x-2.0, a module for Drupal, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. |
|
39 |
CVE-2009-3783 |
79 |
|
XSS |
2009-10-26 |
2009-10-27 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in Simplenews Statistics 6.x before 6.x-2.0, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vector. |
|
40 |
CVE-2009-3782 |
200 |
|
+Info |
2009-10-26 |
2009-10-27 |
3.5 |
None |
Remote |
Medium |
Single system |
Partial |
None |
None |
|
Unspecified vulnerability in Userpoints 6.x before 6.x-1.1, a module for Drupal, allows remote authenticated users with "View own userpoints" permissions to read the userpoint data of arbitrary users via unknown attack vectors. |
|
41 |
CVE-2009-3781 |
264 |
|
|
2009-10-26 |
2009-10-27 |
7.5 |
User |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
The filefield_file_download function in FileField 6.x-3.1, a module for Drupal, does not properly check node-access permissions for Drupal core private files, which allows remote attackers to access unauthorized files via unspecified vectors. |
|
42 |
CVE-2009-3780 |
79 |
|
XSS |
2009-10-26 |
2009-10-27 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in Abuse 5.x before 5.x-2.1 and 6.x before 6.x-1.1-alpha1, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
|
43 |
CVE-2009-3779 |
79 |
|
XSS |
2009-10-26 |
2009-10-27 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in vCard 5.x before 5.x-1.4 and 6.x before 6.x-1.3, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to the addition of the theme_vcard function to a theme and the use of default content. |
|
44 |
CVE-2009-3778 |
89 |
|
Exec Code Sql |
2009-10-26 |
2009-10-27 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in Moodle Course List 6.x before 6.x-1.2, a module for Drupal, allows remote attackers to execute arbitrary SQL commands via unspecified vectors. |
|
45 |
CVE-2009-3767 |
310 |
|
|
2009-10-23 |
2011-08-26 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
libraries/libldap/tls_o.c in OpenLDAP 2.2 and 2.4, and possibly other versions, when OpenSSL is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. |
|
46 |
CVE-2009-3766 |
310 |
|
|
2009-10-23 |
2010-12-01 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
mutt_ssl.c in mutt 1.5.16 and other versions before 1.5.19, when OpenSSL is used, does not verify the domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. |
|
47 |
CVE-2009-3765 |
310 |
|
|
2009-10-23 |
2009-10-29 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
mutt_ssl.c in mutt 1.5.19 and 1.5.20, when OpenSSL is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. |
|
48 |
CVE-2009-3760 |
94 |
1
|
|
2009-10-22 |
2009-10-23 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Static code injection vulnerability in config/writeconfig.php in the sample code in the XenServer Resource Kit in Citrix XenCenterWeb allows remote attackers to inject arbitrary PHP code into include/config.ini.php via the pool1 parameter. NOTE: some of these details are obtained from third party information. |
|
49 |
CVE-2009-3759 |
352 |
1
|
CSRF |
2009-10-22 |
2009-10-23 |
6.0 |
None |
Remote |
Medium |
Single system |
Partial |
Partial |
Partial |
|
Multiple cross-site request forgery (CSRF) vulnerabilities in sample code in the XenServer Resource Kit in Citrix XenCenterWeb allow remote attackers to hijack the authentication of administrators for (1) requests that change the password via the username parameter to config/changepw.php or (2) stop a virtual machine via the stop_vmname parameter to hardstopvm.php. NOTE: some of these details are obtained from third party information. |
|
50 |
CVE-2009-3758 |
89 |
1
|
Exec Code Sql |
2009-10-22 |
2009-10-23 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in login.php in sample code in the XenServer Resource Kit in Citrix XenCenterWeb allows remote attackers to execute arbitrary SQL commands via the username parameter. NOTE: some of these details are obtained from third party information. |
