CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In February 2009

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2002-2427 287 Bypass 2009-02-06 2009-07-23
5.0
None Remote Low Not required Partial None None
The security handler in GoAhead WebServer before 2.1.1 allows remote attackers to bypass authentication and obtain access to protected web content via "an extra slash in a URL," a different vulnerability than CVE-2002-1603.
2 CVE-2002-2428 20 DoS 2009-02-06 2009-07-23
5.0
None Remote Low Not required None None Partial
webs.c in GoAhead WebServer before 2.1.4 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an HTTP POST request that contains a Content-Length header but no body data.
3 CVE-2002-2429 20 DoS 2009-02-06 2009-02-06
5.0
None Remote Low Not required None None Partial
webs.c in GoAhead WebServer before 2.1.4 allows remote attackers to cause a denial of service (daemon crash) via an HTTP POST request that contains a negative integer in the Content-Length header.
4 CVE-2002-2430 399 DoS 2009-02-06 2009-02-06
5.0
None Remote Low Not required None None Partial
GoAhead WebServer before 2.1.1 allows remote attackers to cause a denial of service (CPU consumption) by performing a socket disconnect to terminate a request before it has been fully processed by the server.
5 CVE-2002-2431 2009-02-06 2009-02-09
7.5
None Remote Low Not required Partial Partial Partial
Unspecified vulnerability in GoAhead WebServer before 2.1.4 allows remote attackers to cause "incorrect behavior" via unknown "malicious code," related to incorrect use of the socketInputBuffered function by sockGen.c.
6 CVE-2003-1568 20 DoS 2009-02-06 2009-02-09
5.0
None Remote Low Not required None None Partial
GoAhead WebServer before 2.1.6 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an invalid URL, related to the websSafeUrl function.
7 CVE-2003-1569 20 DoS 2009-02-06 2009-02-09
5.0
None Remote Low Not required None None Partial
GoAhead WebServer before 2.1.5 on Windows 95, 98, and ME allows remote attackers to cause a denial of service (daemon crash) via an HTTP request with a (1) con, (2) nul, (3) clock$, or (4) config$ device name in a path component, different vectors than CVE-2001-0385.
8 CVE-2005-4878 79 XSS 2009-02-18 2017-08-16
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in (1) acid_qry_main.php in Analysis Console for Intrusion Databases (ACID) 0.9.6b20 and (2) base_qry_main.php in Basic Analysis and Security Engine (BASE) 1.2, and unspecified other console scripts in these products, allow remote attackers to inject arbitrary web script or HTML via the sig[1] parameter and possibly other parameters, a different vulnerability than CVE-2007-6156.
9 CVE-2007-5289 264 Exec Code 2009-02-24 2018-10-15
7.6
Admin Remote High Not required Complete Complete Complete
HP Mercury Quality Center (QC) 9.2 and earlier, and possibly TestDirector, relies on cached client-side scripts to implement "workflow" and decisions about the "capability" of a user, which allows remote attackers to execute arbitrary code via crafted use of the Open Test Architecture (OTA) API, as demonstrated by modifying (1) common.tds, (2) defects.tds, (3) manrun.tds, (4) req.tds, (5) testlab.tds, or (6) testplan.tds in %tmp%\TD_80, and then setting the file's properties to read-only.
10 CVE-2008-3074 78 Exec Code 2009-02-21 2017-09-28
9.3
None Remote Medium Not required Complete Complete Complete
The shellescape function in Vim 7.0 through 7.2, including 7.2a.10, allows user-assisted attackers to execute arbitrary code via the "!" (exclamation point) shell metacharacter in (1) the filename of a tar archive and possibly (2) the filename of the first file in a tar archive, which is not properly handled by the VIM TAR plugin (tar.vim) v.10 through v.22, as demonstrated by the shellescape, tarplugin.v2, tarplugin, and tarplugin.updated test cases. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2008-2712. NOTE: this issue has the same root cause as CVE-2008-3075. NOTE: due to the complexity of the associated disclosures and the incomplete information related to them, there may be inaccuracies in this CVE description and in external mappings to this identifier.
11 CVE-2008-3075 94 Exec Code 2009-02-21 2017-09-28
9.3
None Remote Medium Not required Complete Complete Complete
The shellescape function in Vim 7.0 through 7.2, including 7.2a.10, allows user-assisted attackers to execute arbitrary code via the "!" (exclamation point) shell metacharacter in (1) the filename of a ZIP archive and possibly (2) the filename of the first file in a ZIP archive, which is not properly handled by zip.vim in the VIM ZIP plugin (zipPlugin.vim) v.11 through v.21, as demonstrated by the zipplugin and zipplugin.v2 test cases. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2008-2712. NOTE: this issue has the same root cause as CVE-2008-3074. NOTE: due to the complexity of the associated disclosures and the incomplete information related to them, there may be inaccuracies in this CVE description and in external mappings to this identifier.
12 CVE-2008-3076 78 Exec Code 2009-02-21 2017-08-07
9.3
None Remote Medium Not required Complete Complete Complete
The Netrw plugin 125 in netrw.vim in Vim 7.2a.10 allows user-assisted attackers to execute arbitrary code via shell metacharacters in filenames used by the execute and system functions within the (1) mz and (2) mc commands, as demonstrated by the netrw.v2 and netrw.v3 test cases. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2008-2712.
13 CVE-2008-4283 20 Http R.Spl. 2009-02-10 2017-08-07
10.0
Admin Remote Low Not required Complete Complete Complete
CRLF injection vulnerability in the WebContainer component in IBM WebSphere Application Server (WAS) 5.1.1.19 and earlier 5.1.x versions allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.
14 CVE-2008-4284 59 2009-02-10 2017-08-07
5.8
None Remote Medium Not required Partial None Partial
Open redirect vulnerability in the ibm_security_logout servlet in IBM WebSphere Application Server (WAS) 5.1.1.19 and earlier 5.x versions, 6.0.x before 6.0.2.33, and 6.1.x before 6.1.0.23 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the logoutExitPage feature.
15 CVE-2008-4285 399 DoS 2009-02-17 2017-08-07
5.0
None Remote Low Not required None None Partial
Unspecified vulnerability in the Performance Monitoring Infrastructure (PMI) feature in the Servlet Engine/Web Container component in IBM WebSphere Application Server (WAS) 6.1.x before 6.1.0.19, when a component statistic is enabled, allows attackers to cause a denial of service (daemon crash) via vectors related to "a gradual degradation in performance."
16 CVE-2008-4308 200 +Info 2009-02-26 2009-02-27
2.6
None Remote High Not required Partial None None
The doRead method in Apache Tomcat 4.1.32 through 4.1.34 and 5.5.10 through 5.5.20 does not return a -1 to indicate when a certain error condition has occurred, which can cause Tomcat to send POST content from one request to a different request.
17 CVE-2008-4392 362 2009-02-19 2017-08-07
6.4
None Remote Low Not required None Partial Partial
dnscache in Daniel J. Bernstein djbdns 1.05 does not prevent simultaneous identical outbound DNS queries, which makes it easier for remote attackers to spoof DNS responses, as demonstrated by a spoofed A record in the Additional section of a response to a Start of Authority (SOA) query.
18 CVE-2008-4419 22 Dir. Trav. 2009-02-04 2018-10-11
7.8
None Remote Low Not required Complete None None
Directory traversal vulnerability in the HP JetDirect web administration interface in the HP-ChaiSOE 1.0 embedded web server on the LaserJet 9040mfp, LaserJet 9050mfp, and Color LaserJet 9500mfp before firmware 08.110.9; LaserJet 4345mfp and 9200C Digital Sender before firmware 09.120.9; Color LaserJet 4730mfp before firmware 46.200.9; LaserJet 2410, LaserJet 2420, and LaserJet 2430 before firmware 20080819 SPCL112A; LaserJet 4250 and LaserJet 4350 before firmware 20080819 SPCL015A; and LaserJet 9040 and LaserJet 9050 before firmware 20080819 SPCL110A allows remote attackers to read arbitrary files via directory traversal sequences in the URI.
19 CVE-2008-4559 20 Exec Code 2009-02-08 2019-10-09
10.0
Admin Remote Low Not required Complete Complete Complete
HP OpenView Network Node Manager (OV NNM) 7.01, 7.51, and 7.53 allows remote attackers to execute arbitrary code via shell metacharacters in argument fields to the (1) webappmon.exe or (2) OpenView5.exe CGI program. NOTE: this issue may be partially covered by CVE-2009-0205.
20 CVE-2008-4560 200 +Info 2009-02-08 2019-10-09
7.8
None Remote Low Not required Complete None None
HP OpenView Network Node Manager (OV NNM) 7.01, 7.51, and 7.53 allows remote attackers to obtain sensitive information via (1) a crafted request to the nnmRptConfig.exe CGI program, which reveals the pathname of log directories; or (2) a crafted parameter in a request to the ovlaunch.exe CGI program, which reveals configuration details. NOTE: this issue may be partially covered by CVE-2009-0205.
21 CVE-2008-4562 119 Exec Code Overflow 2009-02-08 2019-10-09
10.0
Admin Remote Low Not required Complete Complete Complete
Buffer overflow in the ovlaunch CGI program in HP OpenView Network Node Manager (OV NNM) 7.01, 7.51, and 7.53 on Windows allows remote attackers to execute arbitrary code via a crafted Host parameter. NOTE: this issue may be partially covered by CVE-2009-0205.
22 CVE-2008-4914 DoS 2009-02-03 2017-09-28
4.7
None Local Medium Not required None None Complete
Unspecified vulnerability in VMware ESXi 3.5 before ESXe350-200901401-I-SG and ESX 3.5 before ESX350-200901401-SG allows local administrators to cause a denial of service (host crash) via a snapshot with a malformed VMDK delta disk.
23 CVE-2008-4990 59 2009-02-02 2018-10-11
6.9
Admin Local Medium Not required Complete Complete Complete
Enomaly Elastic Computing Platform (ECP), formerly Enomalism, before 2.1.1 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/enomalism2.pid temporary file.
24 CVE-2008-5263 119 Exec Code Overflow 2009-02-26 2018-10-11
6.8
User Remote Medium Not required Partial Partial Partial
Multiple stack-based buffer overflows in the mt_codec::getHdrHead function in kernel/kls_hdr/fmt_codec_hdr.cpp in ksquirrel-libs 0.8.0 allow context-dependent attackers to execute arbitrary code via a crafted Radiance RGBE image (aka .hdr file).
25 CVE-2008-6017 89 Exec Code Sql 2009-02-02 2017-09-28
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in messages.php in I-Rater Basic allows remote attackers to execute arbitrary SQL commands via the idp parameter.
26 CVE-2008-6018 22 Dir. Trav. 2009-02-02 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
Directory traversal vulnerability in index.php in MyPHPSite, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the mod parameter.
27 CVE-2008-6019 89 Exec Code Sql 2009-02-02 2017-08-07
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in index.php in EACOMM DO-CMS 3.0 allows remote attackers to execute arbitrary SQL commands via the p parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
28 CVE-2008-6020 89 Exec Code Sql 2009-02-02 2017-08-07
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the Views module 6.x before 6.x-2.2 for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors related to "an exposed filter on CCK text fields."
29 CVE-2008-6021 2009-02-02 2017-08-07
10.0
Admin Remote Low Not required Complete Complete Complete
Multiple unspecified vulnerabilities in Attachmate Reflection for Secure IT UNIX Client and Server before 7.0 SP1 have unknown impact and attack vectors, aka "security vulnerabilities found by 3rd party analysis."
30 CVE-2008-6022 94 Exec Code File Inclusion 2009-02-02 2017-09-28
7.5
None Remote Low Not required Partial Partial Partial
PHP remote file inclusion vulnerability in includes/todofleetcontrol.php in an older version of Xnova, possibly 0.8 sp1, allows remote attackers to execute arbitrary PHP code via a URL in the ugamela_root_path parameter.
31 CVE-2008-6023 94 Exec Code File Inclusion 2009-02-02 2017-09-28
7.5
User Remote Low Not required Partial Partial Partial
PHP remote file inclusion vulnerability in includes/todofleetcontrol.php in a newer version of Xnova, possibly 0.8 sp1, allows remote attackers to execute arbitrary PHP code via a URL in the xnova_root_path parameter.
32 CVE-2008-6024 399 DoS 2009-02-02 2017-08-07
5.4
None Remote High Not required None None Complete
Unspecified vulnerability in the NFSv4 client module in the kernel on Sun Solaris 10 and OpenSolaris before snv_37, when automountd is used, allows user-assisted remote attackers to cause a denial of service (unresponsive NFS filesystems) via unknown vectors.
33 CVE-2008-6025 22 Dir. Trav. 2009-02-03 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
Directory traversal vulnerability in scr/form.php in openElec 3.01 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the obj parameter.
34 CVE-2008-6026 89 Exec Code Sql 2009-02-03 2017-08-07
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in tienda.php in BlueCUBE CMS allows remote attackers to execute arbitrary SQL commands via the id parameter.
35 CVE-2008-6027 79 XSS 2009-02-03 2018-10-11
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in index.php in BLUEPAGE CMS 2.5 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) whl, (2) var_1, and (3) search parameters.
36 CVE-2008-6028 89 Exec Code Sql 2009-02-03 2017-09-28
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in list.php in University of Queensland Library Fez 1.3 and 2.0 RC1 allows remote attackers to execute arbitrary SQL commands via the parent_id parameter in a subject action.
37 CVE-2008-6029 89 Exec Code Sql 2009-02-03 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in search.php in BuzzyWall 1.3.1 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the search parameter.
38 CVE-2008-6030 89 Exec Code Sql 2009-02-03 2017-09-28
7.5
User Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in NetArtMedia Jobs Portal 1.3 allow remote attackers to execute arbitrary SQL commands via (1) the job parameter to index.php in the search module or (2) the news_id parameter to index.php.
39 CVE-2008-6031 89 Exec Code Sql 2009-02-03 2017-09-28
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in vote.php in WSN Links 2.22 and 2.23 allows remote attackers to execute arbitrary SQL commands via the id parameter. NOTE: it was later reported that 2.34 is also vulnerable.
40 CVE-2008-6032 89 Exec Code Sql 2009-02-03 2017-09-28
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in comments.php in WSN Links Free 4.0.34P allows remote attackers to execute arbitrary SQL commands via the id parameter.
41 CVE-2008-6033 89 Exec Code Sql 2009-02-03 2017-09-28
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in comments.php in WSN Links 2.20 allows remote attackers to execute arbitrary SQL commands via the id parameter.
42 CVE-2008-6034 79 XSS 2009-02-03 2017-08-07
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in dispatch.php in Achievo 1.3.2 allows remote attackers to inject arbitrary web script or HTML via the atkaction parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
43 CVE-2008-6035 79 1 XSS 2009-02-03 2017-08-07
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in dispatch.php in Achievo 1.3.2-STABLE allows remote attackers to inject arbitrary web script or HTML via the atknodetype parameter.
44 CVE-2008-6036 94 Exec Code File Inclusion 2009-02-03 2017-09-28
7.5
User Remote Low Not required Partial Partial Partial
PHP remote file inclusion vulnerability in main.inc.php in BaseBuilder 2.0.1 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the mj_config[src_path] parameter.
45 CVE-2008-6037 89 Exec Code Sql 2009-02-03 2017-09-28
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in view.php in AvailScript Article Script allows remote attackers to execute arbitrary SQL commands via the v parameter.
46 CVE-2008-6038 89 Exec Code Sql 2009-02-03 2018-10-11
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in index.php in MapCal 0.1 allows remote attackers to execute arbitrary SQL commands via the id parameter in an editevent action, possibly related to dsp_editevent.php.
47 CVE-2008-6039 287 2009-02-03 2018-10-11
6.8
User Remote Medium Not required Partial Partial Partial
Session fixation vulnerability in BLUEPAGE CMS 2.5 and earlier allows remote attackers to hijack web sessions by setting the PHPSESSID parameter.
48 CVE-2008-6040 89 Exec Code Sql 2009-02-03 2009-08-19
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in index.php in Arcadem Pro 2.700 through 2.802 allows remote attackers to execute arbitrary SQL commands via the articlecat parameter, probably related to includes/articleblock.php.
49 CVE-2008-6041 79 XSS 2009-02-03 2009-02-03
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Index.asp in Dataspade 1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) ViewName, (2) TableName, (3) OrderBy, and (4) FilterField parameters.
50 CVE-2008-6042 89 Exec Code Sql 2009-02-03 2017-09-28
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the re_search module in NetArtMedia Real Estate Portal 2.0 allows remote attackers to execute arbitrary SQL commands via the ad parameter to index.php.
Total number of vulnerabilities : 687   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13 14
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.