CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities Published In September 2010

# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2010-3688 22 Dir. Trav. 2010-09-29 2010-09-30
7.5
None Remote Low Not required Partial Partial Partial
Directory traversal vulnerability in ADMIN/login.php in NetArtMEDIA WebSiteAdmin allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the lng parameter.
2 CVE-2010-3687 Bypass 2010-09-29 2010-09-30
5.0
None Remote Low Not required None Partial None
Unspecified vulnerability in the powermail extension 1.5.3 and earlier for TYPO3 allows remote attackers to bypass validation and have an unspecified impact by "[injecting] arbitrary values into validated fields," as demonstrated using the (1) Email and (2) URL fields.
3 CVE-2010-3686 287 Bypass 2010-09-29 2010-09-30
5.0
None Remote Low Not required None Partial None
The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x before 5.x-1.4 for Drupal, violates the OpenID 2.0 protocol by not ensuring that fields are signed, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider.
4 CVE-2010-3685 287 Bypass 2010-09-29 2010-09-30
5.0
None Remote Low Not required None Partial None
The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x before 5.x-1.4 for Drupal, violates the OpenID 2.0 protocol by not checking for reuse of openid.response_nonce values, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider.
5 CVE-2010-3684 255 +Info 2010-09-29 2010-09-30
2.1
None Local Low Not required Partial None None
The FTP authentication module in Synology Disk Station 2.x logs passwords to the web application interface in cases of incorrect login attempts, which allows local users to obtain sensitive information by reading a log, a different vulnerability than CVE-2010-2453.
6 CVE-2010-3608 89 2 Exec Code Sql 2010-09-24 2010-09-27
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in wpQuiz 2.7 allow remote attackers to execute arbitrary SQL commands via the (1) id and (2) password (pw) parameters to (a) admin.php or (b) user.php.
7 CVE-2010-3607 79 XSS 2010-09-24 2010-09-27
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in AGENTS/index.php in NetArt MEDIA Real Estate Portal 2.0 allows remote authenticated users to inject arbitrary web script or HTML via the id parameter.
8 CVE-2010-3606 22 Dir. Trav. 2010-09-24 2010-09-27
6.8
None Remote Medium Not required Partial Partial Partial
Multiple directory traversal vulnerabilities in AGENTS/index.php in NetArt MEDIA Real Estate Portal 2.0 allow remote attackers to include and execute arbitrary local files via directory traversal sequences in the (1) folder and (2) action parameters.
9 CVE-2010-3605 79 XSS 2010-09-24 2010-09-27
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the powermail extension 1.5.3 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
10 CVE-2010-3604 89 Exec Code Sql 2010-09-24 2010-09-27
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the powermail extension 1.5.3 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
11 CVE-2010-3603 352 3 DoS CSRF 2010-09-24 2010-09-27
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in the file manager service (Services/FileService.ashx) in mojoPortal 2.3.4.3 and 2.3.5.1 allows remote attackers to hijack the authentication of administrators for requests that rename arbitrary files, as demonstrated by causing the user.config file to be moved, leading to a denial of service (service stop) and possibly the exposure of sensitive information.
12 CVE-2010-3602 79 3 XSS 2010-09-24 2010-09-27
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in ProfileView.aspx in mojoPortal 2.3.4.3 and 2.3.5.1 allows remote attackers to inject arbitrary web script or HTML via the User ID parameter. NOTE: some of these details are obtained from third party information.
13 CVE-2010-3601 89 2 Exec Code Sql 2010-09-24 2010-09-27
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in index.php in ibPhotohost 1.1.2 allows remote attackers to execute arbitrary SQL commands via the img parameter.
14 CVE-2010-3490 22 1 Dir. Trav. 2010-09-28 2013-09-03
6.5
None Remote Low Single system Partial Partial Partial
Directory traversal vulnerability in page.recordings.php in the System Recordings component in the configuration interface in FreePBX 2.8.0 and earlier allows remote authenticated administrators to create arbitrary files via a .. (dot dot) in the usersnum parameter to admin/config.php, as demonstrated by creating a .php file under the web root.
15 CVE-2010-3489 79 1 XSS 2010-09-22 2010-09-23
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in netautor/napro4/home/login2.php in CMS Digital Workroom (formerly Netautor Professional) 5.5.0 allows remote attackers to inject arbitrary web script or HTML via the goback parameter.
16 CVE-2010-3488 22 1 Dir. Trav. 2010-09-22 2010-09-23
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in QuickShare 1.0 allows remote attackers to read arbitrary files via a ... (triple dot) in the URL.
17 CVE-2010-3487 22 1 Dir. Trav. 2010-09-22 2010-09-23
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in YelloSoft Pinky 1.0 for Windows allows remote attackers to read arbitrary files via a %5C (encoded backslash) in the URL.
18 CVE-2010-3486 22 2 Dir. Trav. 2010-09-22 2010-09-23
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in FileStorageUpload.ashx in SmarterMail 7.1.3876 allows remote attackers to read arbitrary files via a (1) ../ (dot dot slash), (2) %5C (encoded backslash), or (3) %255c (double-encoded backslash) in the name parameter.
19 CVE-2010-3485 89 Exec Code Sql 2010-09-22 2010-09-23
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in common.php in LightNEasy 3.2.1 allows remote attackers to execute arbitrary SQL commands via the userhandle cookie to LightNEasy.php, a different vector than CVE-2008-6593. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
20 CVE-2010-3484 89 2 Exec Code Sql 2010-09-22 2010-09-23
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in common.php in LightNEasy 3.2.1 allows remote attackers to execute arbitrary SQL commands via the handle parameter to LightNEasy.php, a different vector than CVE-2008-6593.
21 CVE-2010-3483 264 2 +Priv XSS 2010-09-22 2010-09-23
7.5
User Remote Low Not required Partial Partial Partial
cms_write.php in Primitive CMS 1.0.9 does not properly restrict access, which allows remote attackers to gain administrative privileges via a direct request. NOTE: this vulnerability can be leveraged to conduct cross-site scripting attacks, as demonstrated using the (1) title, (2) content, and (3) menutitle parameters.
22 CVE-2010-3482 89 2 Exec Code Sql 2010-09-22 2010-09-23
6.5
None Remote Low Single system Partial Partial Partial
Multiple SQL injection vulnerabilities in cms_write.php in Primitive CMS 1.0.9 allow remote authenticated administrators to execute arbitrary SQL commands via the (1) title and (2) menutitle parameters. NOTE: this can be leveraged with CVE-2010-3483 to conduct attacks without authentication.
23 CVE-2010-3481 89 1 Exec Code Sql 2010-09-22 2010-09-23
6.8
None Remote Medium Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in login.php in ApPHP PHP MicroCMS 1.0.1, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) user_name and (2) password variables, possibly related to include/classes/Login.php. NOTE: some of these details are obtained from third party information. NOTE: the password vector might not be vulnerable.
24 CVE-2010-3480 22 1 Dir. Trav. 2010-09-22 2010-09-23
6.8
None Remote Medium Not required Partial Partial Partial
Directory traversal vulnerability in index.php in ApPHP PHP MicroCMS 1.0.1, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the page parameter.
25 CVE-2010-3479 89 2 Exec Code Sql 2010-09-22 2010-09-23
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in list.php in BoutikOne 1.0 allows remote attackers to execute arbitrary SQL commands via the page parameter.
26 CVE-2010-3477 399 +Info 2010-09-21 2012-03-19
2.1
None Local Low Not required Partial None None
The tcf_act_police_dump function in net/sched/act_police.c in the actions implementation in the network queueing functionality in the Linux kernel before 2.6.36-rc4 does not properly initialize certain structure members, which allows local users to obtain potentially sensitive information from kernel memory via vectors involving a dump operation. NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-2942.
27 CVE-2010-3476 20 DoS 2010-09-20 2011-01-22
5.0
None Remote Low Not required None None Partial
Open Ticket Request System (OTRS) 2.3.x before 2.3.6 and 2.4.x before 2.4.8 does not properly handle the matching of Perl regular expressions against HTML e-mail messages, which allows remote attackers to cause a denial of service (CPU consumption) via a large message, a different vulnerability than CVE-2010-2080.
28 CVE-2010-3475 264 Bypass 2010-09-20 2012-01-26
4.0
None Remote Low Single system None Partial None
IBM DB2 9.7 before FP3 does not properly enforce privilege requirements for execution of entries in the dynamic SQL cache, which allows remote authenticated users to bypass intended access restrictions by leveraging the cache to execute an UPDATE statement contained in a compiled compound SQL statement.
29 CVE-2010-3474 264 Bypass 2010-09-20 2012-01-26
5.0
None Remote Low Not required None Partial None
IBM DB2 9.7 before FP3 does not perform the expected drops or invalidations of dependent functions upon a loss of privileges by the functions' owners, which allows remote authenticated users to bypass intended access restrictions via calls to these functions, a different vulnerability than CVE-2009-3471.
30 CVE-2010-3473 20 2010-09-20 2010-09-21
5.8
None Remote Medium Not required Partial Partial None
Open redirect vulnerability in the Workplace (aka WP) component in IBM FileNet P8 Application Engine (P8AE) 3.5.1 before 3.5.1-021 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
31 CVE-2010-3472 79 XSS 2010-09-20 2010-09-21
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the Workplace (aka WP) component in IBM FileNet P8 Application Engine (P8AE) 3.5.1 before 3.5.1-021 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
32 CVE-2010-3471 287 2010-09-20 2010-09-21
4.3
None Remote Medium Not required None Partial None
Session fixation vulnerability in the Workplace (aka WP) component in IBM FileNet P8 Application Engine (P8AE) 4.0.2.x before 4.0.2.7-P8AE-FP007 allows remote attackers to hijack web sessions via unspecified vectors.
33 CVE-2010-3470 79 XSS 2010-09-20 2010-09-21
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the Workplace (aka WP) component in IBM FileNet P8 Application Engine (P8AE) 3.5.1 before 3.5.1-021 and 4.0.2.x before 4.0.2.7-P8AE-FP007 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
34 CVE-2010-3468 22 1 Dir. Trav. 2010-09-29 2010-09-30
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in fileManager.cfc in Mura CMS 5.1 before 5.1.498 and 5.2 before 5.2.2809, and Sava CMS 5 through 5.2, allows remote attackers to read arbitrary files via a .. (dot dot) in the FILEID parameter to the default URI under tasks/render/file/.
35 CVE-2010-3467 89 2 Exec Code Sql 2010-09-17 2010-09-20
6.8
None Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in modules/sections/index.php in E-Xoopport Samsara 3.1 and earlier, when the Tutorial module is enabled, allows remote attackers to execute arbitrary SQL commands via the secid parameter in a listarticles action.
36 CVE-2010-3466 79 XSS 2010-09-17 2010-09-20
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in index.php in the hosted_signup module in NetArt Media iBoutique.MALL 1.2 allows remote attackers to inject arbitrary web script or HTML via the tmpl parameter. NOTE: some of these details are obtained from third party information.
37 CVE-2010-3465 79 XSS 2010-09-17 2010-09-20
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in XSE Shopping Cart 1.5.2.1 and 1.5.3.0 allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to Default.aspx and the (2) type parameter to SearchResults.aspx.
38 CVE-2010-3464 352 1 CSRF 2010-09-17 2010-09-20
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in admin/manager_users.class.php in SantaFox 2.02, and possibly earlier, allows remote attackers to hijack the authentication of administrators for requests, as demonstrated by adding administrative users via the save_admin action to admin/index.php.
39 CVE-2010-3463 79 1 XSS 2010-09-17 2010-09-20
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in modules/search/search.class.php in SantaFox 2.02, and possibly earlier, allows remote attackers to inject arbitrary web script or HTML via the search parameter to search.html.
40 CVE-2010-3462 79 1 XSS 2010-09-17 2010-09-20
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in backend/plugin/Registration/index.php in Mollify 1.6, 1.6.5.5, and possibly other versions allows remote attackers to inject arbitrary web script or HTML via the confirm parameter. NOTE: some of these details are obtained from third party information.
41 CVE-2010-3461 89 1 Exec Code Sql 2010-09-17 2010-09-20
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the Publisher module in eNdonesia 8.4 allows remote attackers to execute arbitrary SQL commands via the artid parameter in a printarticle action to mod.php, a different vector than CVE-2007-3394.
42 CVE-2010-3460 22 1 Dir. Trav. 2010-09-17 2010-09-20
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in the HTTP interface in AXIGEN Mail Server 7.4.1 for Windows allows remote attackers to read arbitrary files via a %5C (encoded backslash) in the URL.
43 CVE-2010-3459 79 XSS 2010-09-17 2010-09-20
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Ajax WebMail interface in AXIGEN Mail Server before 7.4.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
44 CVE-2010-3458 89 2 Exec Code Sql 2010-09-17 2010-09-20
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in lib/toolkit/events/event.section.php in Symphony CMS 2.0.7 and 2.1.1 allows remote attackers to execute arbitrary SQL commands via the send-email[recipient] parameter to about/. NOTE: some of these details are obtained from third party information.
45 CVE-2010-3457 79 2 XSS 2010-09-17 2010-09-20
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Symphony CMS 2.0.7 and 2.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) fields[website] parameter in the post comments feature in articles/a-primer-to-symphony-2s-default-theme/ or (2) send-email[recipient] parameter to about/. NOTE: some of these details are obtained from third party information.
46 CVE-2010-3456 22 2 Dir. Trav. 2010-09-17 2013-07-29
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in download.php in EnergyScripts (ES) Simple Download 1.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.
47 CVE-2010-3455 79 1 XSS 2010-09-17 2010-09-20
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in index.php in AChecker 1.0 allows remote attackers to inject arbitrary web script or HTML via the uri parameter.
48 CVE-2010-3434 119 DoS Exec Code Overflow 2010-09-30 2011-03-23
9.3
None Remote Medium Not required Complete Complete Complete
Buffer overflow in the find_stream_bounds function in pdf.c in libclamav in ClamAV before 0.96.3 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PDF document. NOTE: some of these details are obtained from third party information.
49 CVE-2010-3429 94 Exec Code 2010-09-30 2011-10-25
6.8
None Remote Medium Not required Partial Partial Partial
flicvideo.c in libavcodec 0.6 and earlier in FFmpeg, as used in MPlayer and other products, allows remote attackers to execute arbitrary code via a crafted flic file, related to an "arbitrary offset dereference vulnerability."
50 CVE-2010-3428 89 1 Exec Code Sql 2010-09-16 2010-09-17
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in modules/notes/json.php in Intermesh Group-Office 3.5.9 allows remote attackers to execute arbitrary SQL commands via the category_id parameter in a category action.
Total number of vulnerabilities: 301 (page 1 of 7)
CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.