CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In February 2009

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2009-0748 20 DoS 2009-02-27 2013-01-22
4.9
None Local Low Not required None None Complete
The ext4_fill_super function in fs/ext4/super.c in the Linux kernel 2.6.27 before 2.6.27.19 and 2.6.28 before 2.6.28.7 does not validate the superblock configuration, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) by attempting to mount a crafted ext4 filesystem.
2 CVE-2009-0747 399 DoS 2009-02-27 2013-01-22
4.9
None Local Low Not required None None Complete
The ext4_isize function in fs/ext4/ext4.h in the Linux kernel 2.6.27 before 2.6.27.19 and 2.6.28 before 2.6.28.7 uses the i_size_high structure member during operations on arbitrary types of files, which allows local users to cause a denial of service (CPU consumption and error-message flood) by attempting to mount a crafted ext4 filesystem.
3 CVE-2009-0746 20 DoS 2009-02-27 2013-01-22
4.9
None Local Low Not required None None Complete
The make_indexed_dir function in fs/ext4/namei.c in the Linux kernel 2.6.27 before 2.6.27.19 and 2.6.28 before 2.6.28.7 does not validate a certain rec_len field, which allows local users to cause a denial of service (OOPS) by attempting to mount a crafted ext4 filesystem.
4 CVE-2009-0745 20 DoS 2009-02-27 2013-01-22
4.9
None Local Low Not required None None Complete
The ext4_group_add function in fs/ext4/resize.c in the Linux kernel 2.6.27 before 2.6.27.19 and 2.6.28 before 2.6.28.7 does not properly initialize the group descriptor during a resize (aka resize2fs) operation, which might allow local users to cause a denial of service (OOPS) by arranging for crafted values to be present in available memory.
5 CVE-2009-0744 20 DoS 2009-02-27 2010-08-21
5.0
None Remote Low Not required None None Partial
Apple Safari 4 Beta build 528.16 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a feeds: URI beginning with a (1) % (percent), (2) { (open curly bracket), (3) } (close curly bracket), (4) ^ (caret), (5) ` (backquote), or (6) | (pipe) character, followed by an & (ampersand) character.
6 CVE-2009-0743 79 XSS 2009-02-27 2009-03-06
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in the edit account page in the Web Server in Cisco Unified MeetingPlace Web Conferencing 6.0 before 6.0(517.0) (aka 6.0 MR4) and 7.0 before 7.0(2) (aka 7.0 MR1) allows remote authenticated users to inject arbitrary web script or HTML via the E-mail Address field.
7 CVE-2009-0742 310 +Info 2009-02-26 2009-02-27
7.8
None Remote Low Not required Complete None None
The username command in Cisco ACE Application Control Engine Module for Catalyst 6500 Switches and 7600 Routers and Cisco ACE 4710 Application Control Engine Appliance stores a cleartext password by default, which allows context-dependent attackers to obtain sensitive information.
8 CVE-2009-0741 89 Exec Code Sql 2009-02-25 2009-02-25
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in Login.asp in Craft Silicon Banking@Home 2.1 and earlier allows remote attackers to execute arbitrary SQL commands via the LoginName parameter.
9 CVE-2009-0740 89 1 Exec Code Sql 2009-02-25 2009-07-22
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in login.php in BlueBird Prelease allows remote attackers to execute arbitrary SQL commands via the (1) username and (2) passwd parameters.
10 CVE-2009-0739 89 1 Exec Code Sql 2009-02-25 2009-02-25
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in login.php in MyNews 0.10 allows remote attackers to execute arbitrary SQL commands via the (1) username and (2) passwd parameters.
11 CVE-2009-0738 89 1 Exec Code Sql 2009-02-25 2009-07-22
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in login.php in Auth Php 1.0 allows remote attackers to execute arbitrary SQL commands via the (1) username and (2) passwd parameters.
12 CVE-2009-0737 79 XSS 2009-02-25 2009-10-14
2.6
None Remote High Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the web-based installer (config/index.php) in MediaWiki 1.6 before 1.6.12, 1.12 before 1.12.4, and 1.13 before 1.13.4, when the installer is in active use, allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
13 CVE-2009-0736 79 XSS 2009-02-25 2012-11-08
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Pebble before 2.3.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
14 CVE-2009-0735 22 1 Dir. Trav. 2009-02-25 2009-02-25
5.1
User Remote High Not required Partial Partial Partial
Directory traversal vulnerability in lib/classes/message_class.php in Papoo CMS 3.6, when register_globals is enabled and magic_quotes_gpc is disabled, allows remote attackers to read and possibly execute arbitrary files via a .. (dot dot) in the pfadhier parameter. NOTE: some of these details are obtained from third party information.
15 CVE-2009-0734 119 Exec Code Overflow 2009-02-25 2009-02-25
9.3
Admin Remote Medium Not required Complete Complete Complete
Heap-based buffer overflow in MultimediaPlayer.exe 6.86.240.7 in Nokia PC Suite 6.86.9.3 allows remote attackers to execute arbitrary code via a long string in a .m3u playlist file.
16 CVE-2009-0732 264 +Info 2009-02-24 2009-02-25
5.0
None Remote Low Not required Partial None None
Downloadcenter 2.1 stores common.h under the web root with insufficient access control, which allows remote attackers to obtain user credentials and other sensitive information via a direct request. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
17 CVE-2009-0731 22 1 Dir. Trav. 2009-02-24 2009-02-25
9.3
None Remote Medium Not required Complete Complete Complete
Directory traversal vulnerability in pages/play.php in Free Arcade Script 1.0 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the template parameter.
18 CVE-2009-0730 89 Exec Code Sql 2009-02-24 2009-06-23
6.8
None Remote Medium Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in the GigCalendar (com_gigcal) component 1.0 for Mambo and Joomla!, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via (1) the gigcal _venues_id parameter in a details action to index.php, which is not properly handled by venuedetails.php, and (2) the gigcal_bands_id parameter in a details action to index.php, which is not properly handled by banddetails.php, different vectors than CVE-2009-0726.
19 CVE-2009-0729 22 Dir. Trav. 2009-02-24 2009-06-23
6.8
None Remote Medium Not required Partial Partial Partial
Multiple directory traversal vulnerabilities in Page Engine CMS 2.0 Basic and Pro allow remote attackers to include and execute arbitrary local files via directory traversal sequences in the fPrefix parameter to (1) modules/recent_poll_include.php, (2) modules/login_include.php, and (3) modules/statistics_include.php and (4) configuration.inc.php in includes/. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
20 CVE-2009-0728 89 1 Exec Code Sql 2009-02-24 2009-02-25
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the My_eGallery module for MAXdev MDPro (MD-Pro) and Postnuke allows remote attackers to execute arbitrary SQL commands via the pid parameter in a showpic action to index.php.
21 CVE-2009-0727 89 1 Exec Code Sql 2009-02-24 2009-06-09
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in jobdetails.php in taifajobs 1.0 and earlier allows remote attackers to execute arbitrary SQL commands via the jobid parameter.
22 CVE-2009-0726 89 1 Exec Code Sql 2009-02-24 2009-02-25
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the GigCalendar (com_gigcal) component 1.0 for Mambo and Joomla! allows remote attackers to execute arbitrary SQL commands via the gigcal_gigs_id parameter in a details action to index.php.
23 CVE-2009-0722 22 1 Dir. Trav. 2009-02-24 2009-02-24
7.5
User Remote Low Not required Partial Partial Partial
Directory traversal vulnerability in admin.php in Potato News 1.0.0 allows remote attackers to include and execute arbitrary files via a .. (dot dot) in the user cookie parameter.
24 CVE-2009-0711 200 1 Sql +Info 2009-02-23 2009-06-23
5.0
None Remote Low Not required Partial None None
filter.php in PHPFootball 1.6 and earlier allows remote attackers to retrieve password hashes via a request with an Accounts value for the dbtable parameter, in conjunction with a Password value for the dbfield parameter. NOTE: this has been reported as a SQL injection vulnerability by some sources, but the provenance of that information is unknown.
25 CVE-2009-0710 79 XSS 2009-02-23 2009-02-24
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in PHPFootball 1.6 allow remote attackers to inject arbitrary web script or HTML via (1) the user parameter to login.php or (2) the dbfield parameter to filter.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
26 CVE-2009-0709 89 Exec Code Sql 2009-02-23 2009-02-24
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in login.php in PHPFootball 1.6 allows remote attackers to execute arbitrary SQL commands via the user parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
27 CVE-2009-0708 352 CSRF 2009-02-23 2012-01-05
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in SemanticScuttle before 0.91 allow remote attackers to (1) hijack the authentication of administrators via unknown vectors or (2) hijack the authentication of arbitrary users via vectors involving the profile page.
28 CVE-2009-0707 89 1 Exec Code Sql 2009-02-23 2009-02-24
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in admin/index.php in PowerClan 1.14a allows remote attackers to execute arbitrary SQL commands via the loginemail parameter (aka login field). NOTE: some of these details are obtained from third party information.
29 CVE-2009-0706 89 1 Exec Code Sql 2009-02-23 2009-02-24
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the Simple Review (com_simple_review) component 1.3.5 for Joomla! and Mambo allows remote attackers to execute arbitrary SQL commands via the category parameter to index.php.
30 CVE-2009-0705 89 1 Exec Code Sql 2009-02-23 2009-02-24
6.8
None Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in news.php in PowerScripts PowerNews 2.5.4, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the newsid parameter.
31 CVE-2009-0704 89 1 Exec Code Sql 2009-02-23 2009-02-24
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in search.php in WSN Guest 1.23 allows remote attackers to execute arbitrary SQL commands via the search parameter in an advanced action.
32 CVE-2009-0703 89 1 Exec Code Sql 2009-02-23 2009-06-09
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in bview.asp in ASPThai.Net Webboard 6.0 allows remote attackers to execute arbitrary SQL commands via the id parameter.
33 CVE-2009-0702 89 1 Exec Code Sql 2009-02-23 2009-02-24
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the Phoca Documentation (com_phocadocumentation) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a section action to index.php.
34 CVE-2009-0701 94 1 Exec Code File Inclusion 2009-02-23 2009-02-24
6.8
None Remote Medium Not required Partial Partial Partial
Multiple PHP remote file inclusion vulnerabilities in index.php in Cybershade CMS 0.2b, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the (1) THEME_header and (2) THEME_footer parameters.
35 CVE-2009-0700 264 Bypass 2009-02-23 2009-02-24
4.0
None Remote Low Single system Partial None None
Plunet BusinessManager 4.1 and earlier allows remote authenticated users to bypass access restrictions and (1) read sensitive Customer or Order data via a modified Pfad parameter to pagesUTF8/Sys_DirAnzeige.jsp, or (2) list sensitive Jobs via a direct request to pagesUTF8/auftrag_job.jsp.
36 CVE-2009-0699 79 XSS 2009-02-23 2009-02-24
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in pagesUTF8/auftrag_allgemeinauftrag.jsp in Plunet BusinessManager 4.1 and earlier allows remote authenticated users to inject arbitrary web script or HTML via the (1) QUB and (2) Bez74 parameters.
37 CVE-2009-0698 189 DoS Exec Code Overflow 2009-02-23 2009-11-24
7.5
None Remote Low Not required Partial Partial Partial
Integer overflow in the 4xm demuxer (demuxers/demux_4xm.c) in xine-lib 1.1.16.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a 4X movie file with a large current_track value, a similar issue to CVE-2009-0385.
38 CVE-2009-0680 22 1 DoS Dir. Trav. 2009-02-22 2009-02-23
7.8
None Remote Low Not required None None Complete
cgi-bin/welcome/VPN_only in the web interface in Netgear SSL312 allows remote attackers to cause a denial of service (device crash) via a crafted query string, as demonstrated using directory traversal sequences.
39 CVE-2009-0679 79 XSS 2009-02-22 2009-06-09
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Your Account module in RavenNuke 2.30 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
40 CVE-2009-0678 200 1 +Info 2009-02-22 2009-02-23
5.0
None Remote Low Not required Partial None None
images/captcha.php in RavenNuke 2.30 allows remote attackers to obtain sensitive information via an aFonts array parameter value that does not correspond to a valid font file, which reveals the installation path in an error message.
41 CVE-2009-0677 94 1 Exec Code 2009-02-22 2009-02-23
6.5
User Remote Low Single system Partial Partial Partial
avatarlist.php in the Your Account module, reached through modules.php, in Raven Web Services RavenNuke 2.30 allows remote authenticated users to execute arbitrary code via PHP sequences in an element of the replacements array, which is processed by the preg_replace function with the eval switch, as specified in an element of the patterns array.
42 CVE-2009-0676 264 +Info 2009-02-22 2012-04-12
2.1
None Local Low Not required Partial None None
The sock_getsockopt function in net/core/sock.c in the Linux kernel before 2.6.28.6 does not initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel memory via an SO_BSDCOMPAT getsockopt request.
43 CVE-2009-0675 264 2009-02-22 2012-03-19
2.1
None Local Low Not required None Partial None
The skfp_ioctl function in drivers/net/skfp/skfddi.c in the Linux kernel before 2.6.28.6 permits SKFP_CLR_STATS requests only when the CAP_NET_ADMIN capability is absent, instead of when this capability is present, which allows local users to reset the driver statistics, related to an "inverted logic" issue.
44 CVE-2009-0674 94 1 2009-02-22 2009-03-06
6.0
User Remote Medium Single system Partial Partial Partial
images/captcha.php in Raven Web Services RavenNuke 2.30, when register_globals and display_errors are enabled, allows remote attackers to determine the existence of local files by sending requests with full pathnames in the aFonts array parameter, and then observing the error messages, which differ between existing and nonexistent pathnames.
45 CVE-2009-0673 94 1 Exec Code 2009-02-22 2009-02-26
6.5
None Remote Low Single system Partial Partial Partial
Eval injection vulnerability in the Custom Fields feature in the Your Account module in Raven Web Services RavenNuke 2.30 allows remote authenticated administrators to execute arbitrary PHP code via the ID Field Name box in a yaCustomFields action to admin.php.
46 CVE-2009-0672 89 1 Exec Code Sql 2009-02-22 2009-06-09
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in the Resend_Email module in Raven Web Services RavenNuke 2.30 allows remote authenticated administrators to execute arbitrary SQL commands via the user_prefix parameter to modules.php.
47 CVE-2009-0671 Exec Code 2009-02-22 2009-02-26
0.0
None ??? ??? ??? ??? ??? ???
** REJECT ** Format string vulnerability in the University of Washington (UW) c-client library, as used by the UW IMAP toolkit imap-2007d and other applications, allows remote attackers to execute arbitrary code via format string specifiers in the initial request to the IMAP port (143/tcp). NOTE: Red Hat has disputed the vulnerability, stating "The Red Hat Security Response Team have been unable to confirm the existence of this format string vulnerability in the toolkit, and the sample published exploit is not complete or functional." CVE agrees that the exploit contains syntax errors and uses Unix-only include files while invoking Windows functions.
48 CVE-2009-0659 119 Overflow 2009-02-20 2009-06-09
5.0
None Remote Low Not required None None Partial
Stack-based buffer overflow in the GetStatsFromLine function in TPTEST 3.1.7 allows remote attackers to have an unknown impact via a STATS line with a long email field. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
49 CVE-2009-0658 119 2 Exec Code Overflow 2009-02-20 2009-04-28
9.3
None Remote Medium Not required Complete Complete Complete
Buffer overflow in Adobe Reader 9.0 and earlier, and Acrobat 9.0 and earlier, allows remote attackers to execute arbitrary code via a crafted PDF document, related to a non-JavaScript function call and possibly an embedded JBIG2 image stream, as exploited in the wild in February 2009 by Trojan.Pidief.E.
50 CVE-2009-0657 255 2009-02-20 2009-06-09
6.9
Admin Local Medium Not required Complete Complete Complete
Toshiba Face Recognition 2.0.2.32 allows physically proximate attackers to obtain notebook access by presenting a large number of images for which the viewpoint and lighting have been modified to match a stored image of the authorized notebook user.
Total number of vulnerabilities : 687   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13 14
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.