Multiple directory traversal vulnerabilities in CutePHP CuteNews 1.4.6, when magic_quotes_gpc is disabled, allow remote authenticated users with editor or administrative application access to read arbitrary files via a .. (dot dot) in the source parameter in a (1) list or (2) editnews action to the Editnews module, and (3) the save_con[skin] parameter in the Options module. NOTE: vector 3 can be leveraged for code execution by using a .. to include and execute arbitrary local files.
Max CVSS
3.5
EPSS Score
0.37%
Published
2009-11-30
Updated
2018-10-10
Multiple static code injection vulnerabilities in the Categories module in CutePHP CuteNews 1.4.6 allow remote authenticated users with application administrative privileges to inject arbitrary PHP code into data/category.db.php via the (1) category and (2) Icon URL fields; or (3) inject arbitrary PHP code into data/ipban.php via the add_ip parameter.
Max CVSS
6.5
EPSS Score
0.42%
Published
2009-11-30
Updated
2018-10-10
kl1.sys in Kaspersky Anti-Virus 2010 9.0.0.463, and possibly other versions before 9.0.0.736, does not properly validate input to IOCTL 0x0022c008, which allows local users to cause a denial of service (system crash) via IOCTL requests using crafted kernel addresses that trigger memory corruption, possibly related to klavemu.kdl.
Max CVSS
4.9
EPSS Score
0.04%
Published
2009-11-30
Updated
2018-10-10
Static code injection vulnerability in the Categories module in CutePHP CuteNews 1.4.6 and UTF-8 CuteNews before 8b allows remote authenticated users with application administrative privileges to inject arbitrary PHP code into data/category.db.php via the Category Access field.
Max CVSS
6.5
EPSS Score
0.31%
Published
2009-11-30
Updated
2018-10-10
Cacti 0.8.7e and earlier allows remote authenticated administrators to gain privileges by modifying the "Data Input Method" for the "Linux - Get Memory Usage" setting to contain arbitrary commands.
Max CVSS
9.0
EPSS Score
5.81%
Published
2009-11-30
Updated
2018-10-10
Argument injection vulnerability in Mail/sendmail.php in the Mail package 1.1.14, 1.2.0b2, and possibly other versions for PEAR allows remote attackers to read and write arbitrary files via a crafted $recipients parameter, and possibly other parameters, a different vulnerability than CVE-2009-4023.
Max CVSS
6.8
EPSS Score
3.16%
Published
2009-11-29
Updated
2010-12-07
Cross-site scripting (XSS) vulnerability in the search functionality in DotNetNuke 4.8 through 5.1.4 allows remote attackers to inject arbitrary web script or HTML via search terms that are not properly filtered before display in a custom results page.
Max CVSS
4.3
EPSS Score
0.25%
Published
2009-11-29
Updated
2017-08-17
The install wizard in DotNetNuke 4.0 through 5.1.4 does not prevent anonymous users from accessing functionality related to determination of the need for an upgrade, which allows remote attackers to access version information and possibly other sensitive information.
Max CVSS
5.0
EPSS Score
0.20%
Published
2009-11-29
Updated
2009-11-30
XM Easy Personal FTP Server 5.8.0 allows remote authenticated users to cause a denial of service (crash) by uploading or creating a large number of files or directories, then performing a LIST command.
Max CVSS
4.0
EPSS Score
0.47%
Published
2009-11-29
Updated
2018-10-10
Buffer overflow in Invisible Browsing 5.0.52 allows user-assisted remote attackers to execute arbitrary code via a crafted .ibkey file containing a long string.
Max CVSS
9.3
EPSS Score
10.69%
Published
2009-11-29
Updated
2017-09-19
Unrestricted file upload vulnerability in admintools/editpage-2.php in Agoko CMS 0.4 and earlier allows remote attackers to inject and execute arbitrary PHP code via the filename and text parameters.
Max CVSS
7.5
EPSS Score
1.02%
Published
2009-11-29
Updated
2017-09-19
TYPSoft FTP Server 1.10 allows remote authenticated users to cause a denial of service (crash) by sending an APPE (append) command immediately followed by a DELE (delete) command without sending file data in between these two commands.
Max CVSS
3.5
EPSS Score
1.80%
Published
2009-11-29
Updated
2018-10-10
SQL injection vulnerability in Lyften Designs LyftenBloggie (com_lyftenbloggie) component 1.0.4 for Joomla! allows remote attackers to execute arbitrary SQL commands via the author parameter to index.php.
Max CVSS
7.5
EPSS Score
0.12%
Published
2009-11-29
Updated
2011-07-26
Buffer overflow in Robo-FTP 3.6.17, and possibly other versions, allows remote FTP servers to cause a denial of service and possibly execute arbitrary code via unspecified FTP server responses. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Max CVSS
9.3
EPSS Score
0.10%
Published
2009-11-29
Updated
2009-11-30
Sage 1.4.3 and earlier extension for Firefox performs certain operations with chrome privileges, which allows remote attackers to execute arbitrary commands and perform cross-domain scripting attacks via the description tag of an RSS feed.
Max CVSS
9.3
EPSS Score
1.79%
Published
2009-11-29
Updated
2017-08-17
infoRSS 1.1.4.2 and earlier extension for Firefox performs certain operations with chrome privileges, which allows remote attackers to execute arbitrary commands and perform cross-domain scripting attacks via the description tag of an RSS feed.
Max CVSS
9.3
EPSS Score
0.86%
Published
2009-11-29
Updated
2017-08-17
Yoono extension before 6.1.1 for Firefox performs certain operations with chrome privileges, which allows user-assisted remote attackers to execute arbitrary commands and perform cross-domain scripting attacks via DOM event handlers such as onload.
Max CVSS
9.3
EPSS Score
1.21%
Published
2009-11-29
Updated
2017-08-17
SQL injection vulnerability in the Google Calendar GCalendar (com_gcalendar) component 1.1.2, 2.1.4, and possibly earlier versions for Joomla! allows remote attackers to execute arbitrary SQL commands via the gcid parameter. NOTE: some of these details are obtained from third party information.
Max CVSS
7.5
EPSS Score
0.13%
Published
2009-11-29
Updated
2017-08-17

CVE-2009-4098

Public exploit
Unrestricted file upload vulnerability in banner-edit.php in OpenX adserver 2.8.1 and earlier allows remote authenticated users with banner / file upload permissions to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an images directory.
Max CVSS
6.0
EPSS Score
12.83%
Published
2009-11-29
Updated
2018-10-10
Stack-based buffer overflow in the MplayInputFile function in Serenity Audio Player 3.2.3 and earlier allows remote attackers to execute arbitrary code via a long URL in an M3U file. NOTE: some of these details are obtained from third party information.
Max CVSS
9.3
EPSS Score
10.95%
Published
2009-11-29
Updated
2017-08-17
RADIO istek scripti 2.5 stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain user credentials via a direct request for estafresgaftesantusyan.inc.
Max CVSS
7.5
EPSS Score
0.88%
Published
2009-11-29
Updated
2009-12-02
myPhile 1.2.1 allows remote attackers to bypass authentication via an empty password. NOTE: some of these details are obtained from third party information.
Max CVSS
7.5
EPSS Score
0.65%
Published
2009-11-29
Updated
2017-08-17
PHP remote file inclusion vulnerability in class/php/d4m_ajax_pagenav.php in the D4J eZine (com_ezine) component 2.1 for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the GLOBALS[mosConfig_absolute_path parameter.
Max CVSS
7.5
EPSS Score
0.72%
Published
2009-11-29
Updated
2017-08-17
Multiple cross-site scripting (XSS) vulnerabilities in comments.php in Simplog 0.9.3.2, and possibly earlier, allow remote attackers to inject arbitrary web script or HTML via the (1) cname (Name) or (2) email parameters.
Max CVSS
4.3
EPSS Score
0.22%
Published
2009-11-29
Updated
2017-08-17
Cross-site request forgery (CSRF) vulnerability in user.php in Simplog 0.9.3.2, and possibly earlier, allows remote attackers to hijack the authentication of administrators and users for requests that change passwords.
Max CVSS
6.8
EPSS Score
0.33%
Published
2009-11-29
Updated
2017-08-17
308 vulnerabilities found
1 2 3 4 5 6 7 8 9 10 11 12 13
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!