CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 6 and 6.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
12151 CVE-2009-4909 287 1 2010-06-25 2017-08-16
6.8
None Remote Medium Not required Partial Partial Partial
admin/index.php in oBlog allows remote attackers to conduct brute-force password guessing attacks via HTTP requests.
12152 CVE-2009-4907 352 1 CSRF 2010-06-25 2017-08-16
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in oBlog allow remote attackers to hijack the authentication of administrators for requests that (1) change the admin password, (2) force an admin logout, (3) change the visibility of posts, (4) remove links, and (5) change the name fields of a blog.
12153 CVE-2009-4906 352 2 CSRF 2010-06-25 2010-06-28
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in index.php in Acc PHP eMail 1.1 allows remote attackers to hijack the authentication of administrators for requests that change passwords.
12154 CVE-2009-4905 352 1 CSRF 2010-06-25 2010-06-28
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in index.php in Acc Statistics 1.1 allow remote attackers to hijack the authentication of administrators for requests that change (1) passwords, (2) usernames, and (3) e-mail addresses.
12155 CVE-2009-4902 119 Overflow +Priv 2010-06-18 2010-08-12
6.8
None Local Low Single system Complete Complete Complete
Buffer overflow in the MSGFunctionDemarshall function in winscard_svc.c in the PC/SC Smart Card daemon (aka PCSCD) in MUSCLE PCSC-Lite 1.5.4 and earlier might allow local users to gain privileges via crafted SCARD_CONTROL message data, which is improperly demarshalled. NOTE: this vulnerability exists because of an incorrect fix for CVE-2010-0407.
12156 CVE-2009-4898 352 CSRF 2010-09-07 2010-11-12
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in TWiki before 4.3.2 allows remote attackers to hijack the authentication of arbitrary users for requests that update pages, as demonstrated by a URL for a save script in the ACTION attribute of a FORM element, in conjunction with a call to the submit method in the onload attribute of a BODY element. NOTE: this issue exists because of an insufficient fix for CVE-2009-1339.
12157 CVE-2009-4896 22 Dir. Trav. 2010-08-02 2010-08-03
6.5
None Remote Low Single system Partial Partial Partial
Multiple directory traversal vulnerabilities in the mlmmj-php-admin web interface for Mailing List Managing Made Joyful (mlmmj) 1.2.15 through 1.2.17 allow remote authenticated users to overwrite, create, or delete arbitrary files, or determine the existence of arbitrary directories, via a .. (dot dot) in a list name in a (1) edit or (2) save action.
12158 CVE-2009-4893 119 DoS Exec Code Overflow 2010-06-15 2010-10-28
6.8
None Remote Medium Not required Partial Partial Partial
Buffer overflow in UnrealIRCd 3.2beta11 through 3.2.8, when allow::options::noident is enabled, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unspecified vectors.
12159 CVE-2009-4887 94 1 Exec Code File Inclusion 2010-06-11 2017-09-18
6.8
None Remote Medium Not required Partial Partial Partial
PHP remote file inclusion vulnerability in index.php in CMS S.Builder 3.7 and earlier, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in a binn_include_path cookie. NOTE: this can also be leveraged to include and execute arbitrary local files.
12160 CVE-2009-4884 89 1 Exec Code Sql 2010-06-11 2018-10-10
6.8
None Remote Medium Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in phpCommunity 2 2.1.8, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via (1) the forum_id parameter in a forum action to index.php, (2) the topic_id parameter in a forum action to index.php, (3) the wert parameter in an id search action to index.php, (4) the wert parameter in a nick search action to index.php, or (5) the wert parameter in a forum search action to index.php, related to class_forum.php and class_search.php.
12161 CVE-2009-4877 352 CSRF 2010-05-26 2017-08-16
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in WebGUI before 7.7.14 allow remote attackers to hijack the authentication of users for unspecified requests via unknown vectors.
12162 CVE-2009-4874 264 1 2010-05-26 2017-09-18
6.4
None Remote Low Not required Partial Partial None
TalkBack 2.3.14 does not properly restrict access to the edit comment feature (comments.php), which allows remote attackers to modify comments.
12163 CVE-2009-4865 89 1 Exec Code Sql 2010-05-11 2017-08-16
6.8
None Remote Medium Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in escorts_search.php in I-Escorts Directory Script and Agency Script, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) search_name and (2) languages parameters. NOTE: some of these details are obtained from third party information.
12164 CVE-2009-4849 352 CSRF 2010-05-07 2018-10-10
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in ToutVirtual VirtualIQ Pro 3.2 build 7882 and 3.5 build 8691 allow remote attackers to hijack the authentication of administrators for requests that (1) create a new user account via a save action to tvserver/user/user.do, (2) shutdown a virtual machine, (3) start a virtual machine, (4) restart a virtual machine, or (5) schedule an activity.
12165 CVE-2009-4846 119 Exec Code Overflow 2010-05-07 2017-08-16
6.8
None Remote Medium Not required Partial Partial Partial
Multiple buffer overflows in Deliantra Server before 2.82 allow remote attackers to execute arbitrary code via vectors related to (1) the command_gsay function in server/c_party.C and (2) the book implementation.
12166 CVE-2009-4834 94 1 Exec Code 2010-05-04 2017-09-18
6.8
None Remote Medium Not required Partial Partial Partial
lib.php in Zeroboard 4.1 pl7 allows remote attackers to execute arbitrary PHP code via a crafted parameter name, possibly related to now_connect.php.
12167 CVE-2009-4828 352 1 CSRF 2010-04-27 2010-05-24
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in administration/admins.php in Ad Manager Pro (aka AdManagerPro) 3.0 allows remote attackers to hijack the authentication of administrators for requests that create new administrative users via an admin_created action. NOTE: some of these details are obtained from third party information.
12168 CVE-2009-4827 352 1 CSRF 2010-04-27 2010-05-24
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in admin.php in Mail Manager Pro allows remote attackers to hijack the authentication of administrators for requests that change the admin password via a change action.
12169 CVE-2009-4826 352 1 CSRF 2010-04-27 2010-05-24
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in hosting/admin_ac.php in ScriptsEz Mini Hosting Panel allows remote attackers to hijack the authentication of administrators for requests that alter administrative settings via a cp action.
12170 CVE-2009-4819 1 Exec Code 2010-04-27 2017-08-16
6.8
None Remote Medium Not required Partial Partial Partial
Multiple unrestricted file upload vulnerabilities in upload.php in PHPhotoalbum allow remote attackers to execute arbitrary code by uploading a file with a (1) .php.pgif or (2) .php.pjpeg double extension, then accessing it via a direct request to the file in albums/userpics/.
12171 CVE-2009-4818 1 Exec Code 2010-04-27 2017-08-16
6.8
None Remote Medium Not required Partial Partial Partial
Unrestricted file upload vulnerability in upload.php in PHPSimplicity Simplicity oF Upload 1.3.2 allows remote attackers to execute arbitrary PHP code by uploading a file with a double extension, as demonstrated by .php.gif.
12172 CVE-2009-4817 1 Exec Code 2010-04-27 2017-08-16
6.8
None Remote Medium Not required Partial Partial Partial
Unrestricted file upload vulnerability in Element-IT Ultimate Uploader 1.3 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in upload/.
12173 CVE-2009-4805 89 1 Exec Code Sql 2010-04-23 2018-10-10
6.8
None Remote Medium Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in EZ-Blog Beta 1, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via (1) the storyid parameter to public/view.php or (2) the kill parameter to admin/remove.php.
12174 CVE-2009-4795 89 Exec Code Sql 2010-04-22 2017-08-16
6.8
None Remote Medium Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in Xlight FTP Server before 3.2.1, when ODBC authentication is enabled, allow remote attackers to execute arbitrary SQL commands via the (1) USER (aka username) or (2) PASS (aka password) command.
12175 CVE-2009-4793 94 1 Exec Code 2010-04-22 2017-09-18
6.0
None Remote Medium Single system Partial Partial Partial
Unrestricted file upload vulnerability in adminpanel/scripts/addphotos.php in BandSite CMS 1.1.4 allows remote authenticated administrators to execute arbitrary PHP code by uploading a file with an executable extension via an addphotos action to adminpanel/index.php, and then accessing the file via a direct request with an images/gallery/ directory name. NOTE: some of these details are obtained from third party information.
12176 CVE-2009-4787 352 CSRF 2010-04-21 2010-06-11
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in Pligg before 1.0.3 allow remote attackers to hijack the authentication of administrators for requests that create user accounts or have unspecified other impact.
12177 CVE-2009-4773 352 CSRF 2010-04-20 2017-08-16
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in the order-management functionality in the Ubercart module 5.x before 5.x-1.9 and 6.x before 6.x-2.1 for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
12178 CVE-2009-4763 2010-03-30 2017-08-16
6.8
None Remote Medium Not required Partial Partial Partial
Unspecified vulnerability in the ClickHeat plugin, as used in phpMyVisites before 2.4, has unknown impact and attack vectors. NOTE: due to lack of details from the vendor, it is not clear whether this is related to CVE-2008-5793.
12179 CVE-2009-4750 94 Exec Code File Inclusion 2010-03-26 2017-08-16
6.8
None Remote Medium Not required Partial Partial Partial
PHP remote file inclusion vulnerability in home.php in Top Paidmailer allows remote attackers to execute arbitrary PHP code via a URL in the page parameter.
12180 CVE-2009-4739 94 1 Exec Code Dir. Trav. File Inclusion 2010-03-26 2017-09-18
6.8
None Remote Medium Not required Partial Partial Partial
PHP remote file inclusion vulnerability in index.php in SkaDate Dating allows remote attackers to execute arbitrary PHP code via a URL in the language_id parameter. NOTE: this can also be leveraged to include and execute arbitrary local files via directory traversal sequences.
12181 CVE-2009-4733 89 1 Exec Code Sql 2010-03-18 2017-09-18
6.8
None Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in checkuser.php in SimpleLoginSys 0.5, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the username parameter. NOTE: some of these details are obtained from third party information.
12182 CVE-2009-4732 89 1 Exec Code Sql 2010-03-18 2017-09-18
6.8
None Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in tt/index.php in TT Web Site Manager 0.5, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the tt_name parameter. NOTE: some of these details are obtained from third party information.
12183 CVE-2009-4722 89 1 Exec Code Sql 2010-03-18 2017-09-18
6.8
None Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in the CheckLogin function in includes/functions.php in Limny 1.01, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the username parameter.
12184 CVE-2009-4667 89 1 Exec Code Sql 2010-03-05 2017-09-18
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in form.php in WebMember 1.0 allows remote authenticated users to execute arbitrary SQL commands via the formID parameter.
12185 CVE-2009-4595 89 Exec Code Sql 2010-01-12 2010-01-13
6.0
None Remote Medium Single system Partial Partial Partial
SQL injection vulnerability in index.php in PHP Inventory 1.2 allows remote authenticated users to execute arbitrary SQL commands via the sup_id parameter in a suppliers details action. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
12186 CVE-2009-4581 22 2 Dir. Trav. 2010-01-06 2017-08-16
6.8
None Remote Medium Not required Partial Partial Partial
Directory traversal vulnerability in modules/admincp.php in RoseOnlineCMS 3 B1 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the admin parameter.
12187 CVE-2009-4572 352 CSRF 2010-01-05 2018-10-10
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in PhpShop 0.8.1 allows remote attackers to hijack the authentication of arbitrary users for requests that invoke the cartAdd function in a shop/cart action to the default URI.
12188 CVE-2009-4564 89 1 Exec Code Sql 2010-01-04 2017-09-18
6.8
None Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in index.php in Zenphoto 1.2.5, when the ZenPage plugin is enabled, allows remote attackers to execute arbitrary SQL commands via the category parameter, related to a URI under news/category/.
12189 CVE-2009-4561 89 1 Exec Code Sql 2010-01-04 2017-09-18
6.8
None Remote Medium Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in Admin/index.php in WebLeague 2.2.0, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) username and (2) password parameters.
12190 CVE-2009-4555 352 CSRF 2010-01-04 2017-08-16
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in AgoraCart 5.2.005 and 5.2.006 and AgoraCart GOLD 5.5.005 allow remote attackers to hijack the authentication of administrators for requests that (1) modify a .htaccess file via an unspecified request to protected/manager.cgi or (2) change the password of an administrative account.
12191 CVE-2009-4543 94 1 Exec Code File Inclusion 2010-01-04 2017-09-18
6.8
None Remote Medium Not required Partial Partial Partial
PHP remote file inclusion vulnerability in index.php in Cromosoft Technologies Facil Helpdesk 2.3 Lite allows remote attackers to execute arbitrary PHP code via a URL in the lng parameter. NOTE: this can also be leveraged to include and execute arbitrary local files via .. (dot dot) sequences.
12192 CVE-2009-4540 89 1 Exec Code Sql 2010-01-04 2017-09-18
6.8
None Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in page.php in Mini CMS 1.0.1 allows remote attackers to execute arbitrary SQL commands via the id parameter.
12193 CVE-2009-4528 264 Bypass 2009-12-31 2017-08-16
6.5
None Remote Low Single system Partial Partial Partial
The Organic Groups (OG) Vocabulary module 6.x before 6.x-1.0 for Drupal allows remote authenticated group members to bypass intended access restrictions, and create, modify, or read a vocabulary, via unspecified vectors.
12194 CVE-2009-4517 352 CSRF 2009-12-31 2010-01-08
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in the FAQ Ask module 5.x and 6.x before 6.x-2.0, a module for Drupal, allows remote attackers to hijack the authentication of arbitrary users for requests that access unpublished content.
12195 CVE-2009-4498 78 Exec Code 2009-12-31 2010-05-25
6.8
None Remote Medium Not required Partial Partial Partial
The node_process_command function in Zabbix Server before 1.8 allows remote attackers to execute arbitrary commands via a crafted request.
12196 CVE-2009-4455 264 Bypass 2009-12-29 2018-10-10
6.5
User Remote Low Single system Partial Partial Partial
The default configuration of Cisco ASA 5500 Series Adaptive Security Appliance (Cisco ASA) 7.0, 7.1, 7.2, 8.0, 8.1, and 8.2 allows portal traffic to access arbitrary backend servers, which might allow remote authenticated users to bypass intended access restrictions and access unauthorized web sites via a crafted URL obfuscated with ROT13 and a certain encoding. NOTE: this issue was originally reported as a vulnerability related to lack of restrictions to URLs listed in the Cisco WebVPN bookmark component, but the vendor states that "The bookmark feature is not a security feature."
12197 CVE-2009-4452 264 1 +Priv 2009-12-29 2018-10-10
6.8
None Local Low Single system Complete Complete Complete
Kaspersky Anti-Virus 5.0 (5.0.712); Antivirus Personal 5.0.x; Anti-Virus 6.0 (6.0.3.837), 7 (7.0.1.325), 2009 (8.0.0.x), and 2010 (9.0.0.463); and Internet Security 7 (7.0.1.325), 2009 (8.0.0.x), and 2010 (9.0.0.463); use weak permissions (Everyone:Full Control) for the BASES directory, which allows local users to gain SYSTEM privileges by replacing an executable or DLL with a Trojan horse.
12198 CVE-2009-4451 1 Exec Code 2009-12-29 2009-12-30
6.8
None Remote Medium Not required Partial Partial Partial
Unrestricted file upload vulnerability in upper.php in kandalf upper 0.1 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in fileup/.
12199 CVE-2009-4449 22 Dir. Trav. 2009-12-29 2011-01-04
6.3
None Remote Medium Single system Complete None None
Directory traversal vulnerability in MyBB (aka MyBulletinBoard) 1.4.10, and possibly earlier versions, when changing the user avatar from the gallery, allows remote authenticated users to determine the existence of files via directory traversal sequences in the avatar and possibly the gallery parameters, related to (1) admin/modules/user/users.php and (2) usercp.php.
12200 CVE-2009-4445 20 2009-12-29 2017-08-16
6.0
User Remote Medium Single system Partial Partial Partial
Microsoft Internet Information Services (IIS), when used in conjunction with unspecified third-party upload applications, allows remote attackers to create empty files with arbitrary extensions via a filename containing an initial extension followed by a : (colon) and a safe extension, as demonstrated by an upload of a .asp:.jpg file that results in creation of an empty .asp file, related to support for the NTFS Alternate Data Streams (ADS) filename syntax. NOTE: it could be argued that this is a vulnerability in the third-party product, not IIS, because the third-party product should be applying its extension restrictions to the portion of the filename before the colon.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.