CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 6 and 6.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
12901 CVE-2008-6773 94 Exec Code 2009-04-29 2017-09-28
6.5
None Remote Low Single system Partial Partial Partial
Static code injection vulnerability in user/internettoolbar/edit.php in YourPlace 1.0.2 and earlier allows remote authenticated users to execute arbitrary PHP code into user/internettoolbar/index.php via the (1) fav1_url, (2) fav1_name, (3) fav2_url, (4) fav2_name, (5) fav3_url, (6) fav3_name, (7) fav4_url, (8) fav4_name, (9) fav5_url, or (10) fav5_name parameters.
12902 CVE-2008-6769 Exec Code 2009-04-29 2017-09-28
6.0
None Remote Medium Single system Partial Partial Partial
Unrestricted file upload vulnerability in upload.php in YourPlace 1.0.2 and earlier allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file.
12903 CVE-2008-6768 Exec Code 2009-04-29 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
Unrestricted file upload vulnerability in admin/editor/images.php in K&S Shopsoftware allows remote attackers to execute arbitrary PHP code by uploading a file with an executable extension, then accessing it via a direct request to the file in images/upload/.
12904 CVE-2008-6758 352 XSS CSRF 2009-04-28 2018-10-11
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in cart_save.php in ViArt Shop (aka Shopping Cart) 3.5 allows remote attackers to hijack the authentication of arbitrary users for requests that conduct persistent cross-site scripting (XSS) attacks via the cart_name parameter in a save action.
12905 CVE-2008-6751 20 Exec Code 2009-04-24 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
Unrestricted file upload vulnerability in index.php in the Twitter Clone (TClone) plugin for ReVou Micro Blogging allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in settings/my_photo.
12906 CVE-2008-6750 20 Exec Code 2009-04-24 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
Unrestricted file upload vulnerability in add.php in FlexPHPDirectory 0.0.1 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in photo/.
12907 CVE-2008-6749 89 Exec Code Sql 2009-04-24 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in admin/usercheck.php in FlexPHPDirectory 0.0.1, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) checkuser and (2) checkpass parameters.
12908 CVE-2008-6747 264 +Priv 2009-04-23 2017-08-16
6.8
None Remote Medium Not required Partial Partial Partial
dotProject before 2.1.2 does not properly restrict access to administrative pages, which allows remote attackers to gain privileges. NOTE: some of these details are obtained from third party information.
12909 CVE-2008-6744 352 CSRF 2009-04-23 2017-08-16
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in Cybozu Office 6, Cybozu Dezie before 6.0(1.0), and Cybozu Garoon 2.0.0 through 2.1.3 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
12910 CVE-2008-6740 94 Exec Code File Inclusion 2009-04-21 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
PHP remote file inclusion vulnerability in html/admin/modules/plugin_admin.php in HoMaP-CMS 0.1 allows remote attackers to execute arbitrary PHP code via a URL in the _settings[pluginpath] parameter.
12911 CVE-2008-6736 264 2009-04-21 2018-10-11
6.4
None Remote Low Not required None Partial Partial
Flat Calendar 1.1 does not properly restrict access to administrative functions, which allows remote attackers to (1) add new events via calAdd.php, as reachable from admin/add.php, or (2) delete events via admin/deleteEvent.php. NOTE: this is only a vulnerability when the administrator does not follow recommendations in the product's security documentation.
12912 CVE-2008-6730 89 Exec Code Sql 2009-04-20 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in admin/usercheck.php in FlexPHPLink Pro 0.0.6 and 0.0.7, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via (1) the checkuser parameter (aka username field), or (2) the checkpass parameter (aka password field), to admin/index.php.
12913 CVE-2008-6729 352 CSRF 2009-04-20 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in password.php in PHPmotion 2.1 and earlier allow remote attackers to hijack the authentication of arbitrary users for requests that modify an account via the (1) password or (2) email_address parameter.
12914 CVE-2008-6726 22 Dir. Trav. 2009-04-17 2017-09-28
6.0
User Remote Medium Single system Partial Partial Partial
Multiple directory traversal vulnerabilities in CMScout 2.06, when register_globals is enabled, allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the bit parameter to (1) admin.php and (2) index.php, different vectors than CVE-2008-3415.
12915 CVE-2008-6725 89 Exec Code Sql 2009-04-17 2017-09-28
6.0
None Remote Medium Single system Partial Partial Partial
Multiple SQL injection vulnerabilities in CMScout 2.06 allow remote authenticated users to execute arbitrary SQL commands via the id parameter to (1) index.php in a mythings page (mythings.php) and (2) the users page in admin.php.
12916 CVE-2008-6707 287 +Info 2009-04-10 2017-08-16
6.4
None Remote Low Not required Partial Partial None
The Web management interface in Avaya SIP Enablement Services (SES) 3.x and 4.0, as used with Avaya Communication Manager 3.1.x, does not perform authentication for certain functionality, which allows remote attackers to obtain sensitive information and access restricted functionality via (1) the certificate installation utility, (2) unspecified scripts in the objects folder, (3) an "unnecessary default application," (4) unspecified scripts in the states folder, (5) an unspecified "default application" that lists server configuration, and (6) "full system help."
12917 CVE-2008-6684 20 Exec Code 2009-04-10 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
Unrestricted file upload vulnerability in editimage.php in Apartment Search Script allows remote attackers to execute arbitrary code by uploading a file with an executable extension and a GIF header, then accessing this file via a direct request to a renamed file in Member_Admin/logo/.
12918 CVE-2008-6665 94 +Priv 2009-04-08 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
change.php in Ananta CMS 1.0b5, with magic_quotes_gpc disabled, allows remote attackers to gain administrator privileges via a crafted email parameter, possibly related to code injection.
12919 CVE-2008-6660 Exec Code 2009-04-07 2018-10-11
6.8
None Remote Medium Not required Partial Partial Partial
Unrestricted file upload vulnerability in bigdump.php in Alexey Ozerov BigDump 0.29b allows remote attackers to execute arbitrary code by uploading a file with an executable extension followed by a .sql extension, then accessing this file via a direct request. NOTE: some of these details are obtained from third party information.
12920 CVE-2008-6657 352 CSRF 2009-04-07 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in index.php in Simple Machines Forum (SMF) 1.0 before 1.0.15 and 1.1 before 1.1.7 allows remote attackers to hijack the authentication of admins for requests that install packages via the package parameter in an install2 action.
12921 CVE-2008-6641 89 Exec Code Sql 2009-04-07 2017-09-28
6.5
None Remote Low Single system Partial Partial Partial
Multiple SQL injection vulnerabilities in Shader TV (Beta) allow remote authenticated administrators to execute arbitrary SQL commands via the sid parameter to (1) kanal.asp, (2) google.asp, and (3) hakk.asp in yonet/; and allow remote attackers to execute arbitrary SQL commands via the (4) username or (5) password fields to yonet/default.asp.
12922 CVE-2008-6639 352 CSRF 2009-04-07 2017-08-16
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in admin.php in AjaXplorer 2.3.3 and 2.3.4 allows remote attackers to hijack the authentication of administrators for requests that modify passwords via the update_user_pwd action.
12923 CVE-2008-6636 94 Exec Code File Inclusion 2009-04-07 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
PHP remote file inclusion vulnerability in skins/default.php in Geody Labs Dagger - The Cutting Edge r12feb2008, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the dir_edge_skins parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
12924 CVE-2008-6635 94 Exec Code File Inclusion 2009-04-07 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
PHP remote file inclusion vulnerability in skins/default.php in Geody Labs Dagger - The Cutting Edge r12feb2008, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the dir_inc parameter.
12925 CVE-2008-6619 264 Exec Code 2009-04-06 2018-10-11
6.8
None Remote Medium Not required Partial Partial Partial
Unrestricted file upload vulnerability in class/ApplyDB.php in ClassSystem 2.3 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in class/UploadHomepage/.
12926 CVE-2008-6617 264 Exec Code 2009-04-06 2018-10-11
6.8
None Remote Medium Not required Partial Partial Partial
Unrestricted file upload vulnerability in adm/visual/upload.php in SiteXS CMS 0.1.1 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in images/.
12927 CVE-2008-6612 94 Exec Code 2009-04-06 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
Unrestricted file upload vulnerability in admin/uploader.php in Minimal ABlog 0.4 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in img/.
12928 CVE-2008-6610 22 1 Dir. Trav. 2009-04-06 2017-08-16
6.4
None Remote Low Not required Partial Partial None
Absolute path traversal vulnerability in phpcksec.php in Stefan Ott phpcksec 0.2.0 allows remote attackers to list arbitrary directories and read arbitrary files via a full pathname in the file parameter.
12929 CVE-2008-6605 352 DoS CSRF 2009-04-06 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in the xslt script in the web-based management interface on the 2wire 1701HG, 1800HW, 2071HG, and 2700HG with firmware 3.17.5, 3.7.1, 4.25.19, or 5.29.51 allows remote attackers to hijack the intranet connectivity of arbitrary users for requests that cause a denial of service (network outage) via a page parameter with a % (percent) character followed by a non-alphanumeric character.
12930 CVE-2008-6603 264 Bypass 2009-04-03 2017-08-16
6.8
None Remote Medium Not required Partial Partial Partial
MoinMoin 1.6.2 and 1.7 does not properly enforce ACL checks when acl_hierarchic is set to True, which might allow remote attackers to bypass intended access restrictions, a different vulnerability than CVE-2008-1937.
12931 CVE-2008-6587 352 CSRF 2009-04-03 2018-10-11
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in index.tmpl in Vuze (formerly Azureus HTML WebUI), probably 0.7.6, allows remote attackers to hijack the authentication of users for requests that force the download of arbitrary torrent files via the upurl parameter.
12932 CVE-2008-6586 352 CSRF 2009-04-03 2018-10-11
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in gui/index.php in ĀµTorrent (uTorrent) WebUI 0.315 allows remote attackers to (1) hijack the authentication of users for requests that force the download of arbitrary torrent files via the add-url action and (2) hijack the authentication of administrators for requests that modify the administrator account via the setsetting action.
12933 CVE-2008-6585 352 CSRF 2009-04-03 2018-10-11
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in html/admin.php in TorrentFlux 2.3 allows remote attackers to hijack the authentication of administrators for requests that add new accounts via the addUser action.
12934 CVE-2008-6584 94 Exec Code 2009-04-03 2018-10-11
6.0
None Remote Medium Single system Partial Partial Partial
html/index.php in TorrentFlux 2.3 allows remote authenticated users to execute arbitrary code via a URL with a file containing an executable extension in the url_upload parameter, which is downloaded by TorrentFlux and can be accessed via a direct request in a html/downloads/ user directory.
12935 CVE-2008-6575 DoS 2009-04-01 2017-08-16
6.8
None Remote Low Single system None None Complete
Unspecified vulnerability in the SIP server in SIP Enablement Services (SES) in Avaya Communication Manager 3.1.x and 4.x allows remote authenticated users to cause a denial of service (resource consumption) via unknown vectors.
12936 CVE-2008-6573 89 Exec Code Sql 2009-04-01 2017-08-16
6.8
None Remote Medium Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in Avaya SIP Enablement Services (SES) in Avaya Avaya Communication Manager 3.x, 4.0, and 5.0 (1) allow remote attackers to execute arbitrary SQL commands via unspecified vectors related to profiles in the SIP Personal Information Manager (SPIM) in the web interface; and allow remote authenticated users to execute arbitrary SQL commands via unspecified vectors related to (2) permissions for SPIM profiles in the web interface and (3) a crafted SIP request to the SIP server.
12937 CVE-2008-6572 89 Exec Code Sql 2009-03-31 2018-10-11
6.8
User Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in search_results.php in ABK-Soft AbleDating 2.4 allows remote attackers to execute arbitrary SQL commands via the keyword parameter.
12938 CVE-2008-6569 287 2009-03-31 2017-08-16
6.8
None Remote Medium Not required Partial Partial Partial
Session fixation vulnerability in Cybozu Garoon 2.0.0 through 2.1.3 allows remote attackers to hijack web sessions via the session ID in the login page.
12939 CVE-2008-6568 20 Exec Code 2009-03-31 2017-08-16
6.8
None Remote Medium Not required Partial Partial Partial
Unrestricted file upload vulnerability in Yehe 2.0 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in the envoyer feature. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
12940 CVE-2008-6552 59 2009-03-30 2017-09-28
6.9
None Local Medium Not required Complete Complete Complete
Red Hat Cluster Project 2.x allows local users to modify or overwrite arbitrary files via symlink attacks on files in /tmp, involving unspecified components in Resource Group Manager (aka rgmanager) before 2.03.09-1, gfs2-utils before 2.03.09-1, and CMAN - The Cluster Manager before 2.03.09-1 on Fedora 9.
12941 CVE-2008-6541 20 +Priv 2009-03-29 2009-08-19
6.8
User Remote Medium Not required Partial Partial Partial
Unrestricted file upload vulnerability in the file manager module in DotNetNuke before 4.8.2 allows remote administrators to upload arbitrary files and gain privileges to the server via unspecified vectors.
12942 CVE-2008-6539 94 2009-03-29 2017-09-28
6.5
None Remote Low Single system Partial Partial Partial
Static code injection vulnerability in user/settings/ in DeStar 0.2.2-5 allows remote authenticated users to add arbitrary administrators and inject arbitrary Python code into destar_cfg.py via a crafted pin parameter.
12943 CVE-2008-6532 352 CSRF 2009-03-26 2017-08-16
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in the update feature in Drupal 5.x before 5.13 and 6.x before 6.7 allow remote attackers to perform unauthorized actions as the superuser via unspecified vectors, as demonstrated by causing the superuser to "execute old updates" that modify the database.
12944 CVE-2008-6531 94 2009-03-26 2017-08-16
6.8
None Remote Medium Not required Partial Partial Partial
The WebWork 1 web application framework in Atlassian JIRA before 3.13.2 allows remote attackers to invoke exposed public JIRA methods via a crafted URL that is dynamically transformed into method calls, aka "WebWork 1 Parameter Injection Hole."
12945 CVE-2008-6530 Exec Code 2009-03-26 2017-09-28
6.5
None Remote Low Single system Partial Partial Partial
Unrestricted file upload vulnerability in editimage.php in eZoneScripts Living Local 1.1 allows remote authenticated administrators to execute arbitrary PHP code by uploading a file with an executable extension, then accessing it via a direct request to the uploaded file.
12946 CVE-2008-6524 255 2009-03-25 2017-09-28
6.5
None Remote Low Single system Partial Partial Partial
resetpass.php in openInvoice 0.90 beta and earlier allows remote authenticated users to change the passwords of arbitrary users via a modified uid parameter. NOTE: this can be leveraged with a separate vulnerability in auth.php to modify passwords without authentication.
12947 CVE-2008-6522 22 Dir. Trav. 2009-03-25 2018-10-11
6.8
None Remote Medium Not required Partial Partial Partial
Multiple directory traversal vulnerabilities in the RenderFile function in ContentRender.class.php in Terracotta (aka OpenTerracotta) 0.6.1, and possibly other versions, allow remote attackers to list arbitrary directories and read arbitrary files via a .. (dot dot) in the (1) CurrentDirectory and (2) File parameters to index.php.
12948 CVE-2008-6518 94 Exec Code 2009-03-25 2017-09-28
6.5
None Remote Low Single system Partial Partial Partial
Unrestricted file upload vulnerability in the profile feature in VidiScript allows registered remote authenticated users to execute arbitrary code by uploading a PHP file as an Avatar, then accessing the avatar via a direct request.
12949 CVE-2008-6514 264 2009-03-24 2017-08-16
6.2
None Local High Not required Complete Complete Complete
The Expo plugin in Compiz Fusion 0.7.8 allows local users with physical access to drag the screen saver aside and access the locked desktop by using Expo mouse shortcuts, a related issue to CVE-2007-3920.
12950 CVE-2008-6513 94 Exec Code 2009-03-24 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
Unrestricted file upload vulnerability in saa.php in Andy's PHP Knowledgebase (aphpkb) 0.92.9 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a link that is listed by authors.php.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.