CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In August 2009 (CVSS score >= 5)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2009-3026 310 2009-08-31 2017-09-18
5.0
None Remote Low Not required Partial None None
protocols/jabber/auth.c in libpurple in Pidgin 2.6.0, and possibly other versions, does not follow the "require TLS/SSL" preference when connecting to older Jabber servers that do not follow the XMPP specification, which causes libpurple to connect to the server without the expected encryption and allows remote attackers to sniff sessions.
2 CVE-2009-3023 119 2 Exec Code Overflow Mem. Corr. 2009-08-31 2019-07-03
9.3
None Remote Medium Not required Complete Complete Complete
Buffer overflow in the FTP Service in Microsoft Internet Information Services (IIS) 5.0 through 6.0 allows remote authenticated users to execute arbitrary code via a crafted NLST (NAME LIST) command that uses wildcards, leading to memory corruption, aka "IIS FTP Service RCE and DoS Vulnerability."
3 CVE-2009-3022 352 CSRF 2009-08-31 2017-08-16
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in bingo!CMS 1.2 and earlier allows remote attackers to hijack the authentication of other users for requests that modify configuration or change content via unspecified vectors.
4 CVE-2009-3020 1 DoS 2009-08-31 2017-09-18
7.1
None Remote Medium Not required None None Complete
win32k.sys in Microsoft Windows Server 2003 SP2 allows remote attackers to cause a denial of service (system crash) by referencing a crafted .eot file in the src descriptor of an @font-face Cascading Style Sheets (CSS) rule in an HTML document, possibly related to the Embedded OpenType (EOT) Font Engine, a different vulnerability than CVE-2006-0010, CVE-2009-0231, and CVE-2009-0232. NOTE: some of these details are obtained from third party information.
5 CVE-2009-3019 94 1 DoS 2009-08-31 2017-09-18
5.0
None Remote Low Not required None None Partial
Microsoft Internet Explorer 6 on Windows XP SP2 and SP3, and Internet Explorer 7 on Vista, allows remote attackers to cause a denial of service (application crash) via JavaScript code that calls createElement to create an instance of the LI element, and then calls setAttribute to set the value attribute.
6 CVE-2009-3000 399 DoS 2009-08-28 2009-08-31
7.1
None Remote Medium Not required None None Complete
The sockfs module in the kernel in Sun Solaris 10 and OpenSolaris snv_41 through snv_122, when Network Cache Accelerator (NCA) logging is enabled, allows remote attackers to cause a denial of service (panic) via unspecified web-server traffic that triggers a NULL pointer dereference in the nl7c_http_log function, related to "improper http response handling."
7 CVE-2009-2978 89 Exec Code Sql 2009-08-27 2017-08-16
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in SugarCRM 4.5.1o and earlier, 5.0.0k and earlier, and 5.2.0g and earlier, allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
8 CVE-2009-2976 310 2009-08-27 2009-08-28
7.8
None Remote Low Not required Complete None None
Cisco Aironet Lightweight Access Point (AP) devices send the contents of certain multicast data frames in cleartext, which allows remote attackers to discover Wireless LAN Controller MAC addresses and IP addresses, and AP configuration details, by sniffing the wireless network.
9 CVE-2009-2975 DoS 2009-08-27 2017-08-16
5.0
None Remote Low Not required None None Partial
Mozilla Firefox 3.5.2 on Windows XP, in some situations possibly involving an incompletely configured protocol handler, does not properly implement setting the document.location property to a value specifying a protocol associated with an external application, which allows remote attackers to cause a denial of service (memory consumption) via vectors involving a series of function calls that set this property, as demonstrated by (1) the chromehtml: protocol and (2) the aim: protocol.
10 CVE-2009-2974 DoS 2009-08-27 2009-08-28
5.0
None Remote Low Not required None None Partial
Google Chrome 1.0.154.65, 1.0.154.48, and earlier allows remote attackers to (1) cause a denial of service (application hang) via vectors involving a chromehtml: URI value for the document.location property or (2) cause a denial of service (application hang and CPU consumption) via vectors involving a series of function calls that set a chromehtml: URI value for the document.location property.
11 CVE-2009-2973 310 2009-08-27 2017-08-16
6.4
None Remote Low Not required None Partial Partial
Google Chrome before 2.0.172.43 does not prevent SSL connections to a site with an X.509 certificate signed with the (1) MD2 or (2) MD4 algorithm, which makes it easier for man-in-the-middle attackers to spoof arbitrary HTTPS servers via a crafted certificate, a related issue to CVE-2009-2409.
12 CVE-2009-2972 399 DoS 2009-08-27 2017-09-18
7.8
None Remote Low Not required None None Complete
in.lpd in the print service in Sun Solaris 8 and 9 allows remote attackers to cause a denial of service (memory consumption) via unspecified vectors that trigger a "fork()/exec() bomb."
13 CVE-2009-2964 352 CSRF 2009-08-25 2017-09-18
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier, and NaSMail before 1.7, allow remote attackers to hijack the authentication of unspecified victims via features such as send message and change preferences, related to (1) functions/mailbox_display.php, (2) src/addrbook_search_html.php, (3) src/addressbook.php, (4) src/compose.php, (5) src/folders.php, (6) src/folders_create.php, (7) src/folders_delete.php, (8) src/folders_rename_do.php, (9) src/folders_rename_getname.php, (10) src/folders_subscribe.php, (11) src/move_messages.php, (12) src/options.php, (13) src/options_highlight.php, (14) src/options_identities.php, (15) src/options_order.php, (16) src/search.php, and (17) src/vcard.php.
14 CVE-2009-2963 2009-08-25 2017-08-16
9.3
None Remote Medium Not required Complete Complete Complete
Unspecified vulnerability in the update feature in Toolbar Uninstaller 1.0.2 allows remote attackers to force the download and execution of arbitrary files via attack vectors related to a "malformed update url and a malformed update website."
15 CVE-2009-2961 119 1 DoS Exec Code Overflow 2009-08-25 2017-09-18
9.3
None Remote Medium Not required Complete Complete Complete
Stack-based buffer overflow in Thaddy de Konng KOL Player 1.0 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a long URL in a .MP3 playlist file.
16 CVE-2009-2960 264 2009-08-25 2018-10-10
7.5
None Remote Low Not required Partial Partial Partial
CuteFlow 2.10.3 and 2.11.0_c does not properly restrict access to pages/edituser.php, which allows remote attackers to modify usernames and passwords via a direct request.
17 CVE-2009-2956 200 +Info 2009-08-24 2017-08-16
5.0
None Remote Low Not required Partial None None
The (1) Net.Commerce and (2) Net.Data components in IBM WebSphere Commerce Suite store sensitive information under the web root with insufficient access control, which allows remote attackers to discover passwords, and database and filesystem details, via direct requests for configuration files.
18 CVE-2009-2955 20 DoS 2009-08-24 2018-10-10
5.0
None Remote Low Not required None None Partial
Google Chrome 1.0.154.48 and earlier allows remote attackers to cause a denial of service (CPU consumption and application hang) via JavaScript code with a long string value for the hash property (aka location.hash), a related issue to CVE-2008-5715.
19 CVE-2009-2954 20 DoS 2009-08-24 2018-10-10
5.0
None Remote Low Not required None None Partial
Microsoft Internet Explorer 6.0.2900.2180 and earlier allows remote attackers to cause a denial of service (CPU consumption and application hang) via JavaScript code with a long string value for the hash property (aka location.hash), a related issue to CVE-2008-5715.
20 CVE-2009-2953 399 DoS 2009-08-24 2018-10-10
5.0
None Remote Low Not required None None Partial
Mozilla Firefox 3.0.6 through 3.0.13, and 3.5.x, allows remote attackers to cause a denial of service (CPU consumption) via JavaScript code with a long string value for the hash property (aka location.hash), a related issue to CVE-2008-5715.
21 CVE-2009-2951 310 2009-08-24 2017-08-16
7.5
None Remote Low Not required Partial Partial Partial
Phenotype CMS before 2.9 does not use a random salt value for password encryption, which makes it easier for context-dependent attackers to determine cleartext passwords.
22 CVE-2009-2944 2009-08-31 2017-08-16
5.0
None Remote Low Not required Partial None None
Incomplete blacklist vulnerability in the teximg plugin in ikiwiki before 3.1415926 and 2.x before 2.53.4 allows context-dependent attackers to read arbitrary files via crafted TeX commands.
23 CVE-2009-2935 264 Exec Code Bypass +Info 2009-08-27 2017-08-16
10.0
None Remote Low Not required Complete Complete Complete
Google V8, as used in Google Chrome before 2.0.172.43, allows remote attackers to bypass intended restrictions on reading memory, and possibly obtain sensitive information or execute arbitrary code in the Chrome sandbox, via crafted JavaScript.
24 CVE-2009-2934 119 1 Exec Code Overflow 2009-08-21 2017-09-18
9.3
None Remote Medium Not required Complete Complete Complete
Multiple stack-based buffer overflows in xaudio.dll in Programmed Integration PIPL 2.5.0 and 2.5.0D allow remote attackers to execute arbitrary code via a long string in a (1) .pls or (2) .pl playlist file.
25 CVE-2009-2933 89 Exec Code Sql 2009-08-21 2018-10-10
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in comments.php in Piwigo before 2.0.3 allows remote attackers to execute arbitrary SQL commands via the items_number parameter.
26 CVE-2009-2931 22 Dir. Trav. 2009-08-21 2018-10-10
7.8
None Remote Low Not required Complete None None
Directory traversal vulnerability in p.php in SlideShowPro Director 1.1 through 1.3.8 allows remote attackers to read arbitrary files via directory traversal sequences in the a parameter.
27 CVE-2009-2929 89 1 Exec Code Sql 2009-08-21 2017-09-18
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in TGS Content Management 0.x allow remote attackers to execute arbitrary SQL commands via the (1) tgs_language_id, (2) tpl_dir, (3) referer, (4) user-agent, (5) site, (6) option, (7) db_optimization, (8) owner, (9) admin_email, (10) default_language, and (11) db_host parameters to cms/index.php; and the (12) cmd, (13) s_dir, (14) minutes, (15) s_mask, (16) test3_mp, (17) test15_file1, (18) submit, (19) brute_method, (20) ftp_server_port, (21) userfile14, (22) subj, (23) mysql_l, (24) action, and (25) userfile1 parameters to cms/frontpage_ception.php. NOTE: some of these parameters may be applicable only in nonstandard versions of the product, and cms/frontpage_ception.php may be cms/frontpage_caption.php in all released versions.
28 CVE-2009-2927 89 1 Exec Code Sql 2009-08-21 2017-09-18
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in DetailFile.php in DigitalSpinners DS CMS 1.0 allows remote attackers to execute arbitrary SQL commands via the nFileId parameter.
29 CVE-2009-2926 89 1 Exec Code Sql 2009-08-21 2017-09-18
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in PHP Competition System BETA 0.84 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) day parameter to show_matchs.php and (2) pageno parameter to persons.php.
30 CVE-2009-2925 22 1 Dir. Trav. 2009-08-21 2017-09-18
7.8
None Remote Low Not required Complete None None
Directory traversal vulnerability in DJcalendar.cgi in DJCalendar allows remote attackers to read arbitrary files via a .. (dot dot) in the TEMPLATE parameter.
31 CVE-2009-2924 89 1 Exec Code Sql 2009-08-21 2017-09-18
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in Videos Broadcast Yourself 2 allow remote attackers to execute arbitrary SQL commands via the (1) UploadID parameter to videoint.php, and possibly the (2) cat_id parameter to catvideo.php and (3) uid parameter to cviewchannels.php.
32 CVE-2009-2923 22 1 Dir. Trav. 2009-08-21 2017-09-18
5.0
None Remote Low Not required Partial None None
Multiple directory traversal vulnerabilities in BitmixSoft PHP-Lance 1.52 allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) language parameter to show.php and (2) in parameter to advanced_search.php.
33 CVE-2009-2922 22 1 Dir. Trav. 2009-08-21 2017-09-18
7.8
None Remote Low Not required Complete None None
Absolute path traversal vulnerability in pixaria.image.php in Pixaria Gallery 2.0.0 through 2.3.5 allows remote attackers to read arbitrary files via a base64-encoded file parameter.
34 CVE-2009-2921 89 1 Exec Code Sql 2009-08-21 2017-09-18
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in login.php in MOC Designs PHP News 1.1 allow remote attackers to execute arbitrary SQL commands via the (1) newsuser parameter (User field) and (2) newspassword parameter (Password field).
35 CVE-2009-2916 134 Exec Code 2009-08-21 2017-08-16
9.3
None Remote Medium Not required Complete Complete Complete
Format string vulnerability in the CNS_AddTxt function in logs.dll in 2K Games Vietcong 2 1.10 and earlier might allow remote attackers to execute arbitrary code via format string specifiers in the nickname.
36 CVE-2009-2915 89 1 Exec Code Sql 2009-08-21 2009-08-21
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in 2fly_gift.php in 2FLY Gift Delivery System 6.0 allows remote attackers to execute arbitrary SQL commands via the gameid parameter in a content action.
37 CVE-2009-2896 119 1 DoS Exec Code Overflow 2009-08-20 2017-09-18
9.3
None Remote Medium Not required Complete Complete Complete
Buffer overflow in KMplayer 2.9.4.1433 and earlier allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via a long string in a subtitle (.srt) playlist file. NOTE: some of these details are obtained from third party information.
38 CVE-2009-2895 89 1 Exec Code Sql 2009-08-20 2017-09-18
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in rss.php in Ultimate Regnow Affiliate (URA) 3.0 allows remote attackers to execute arbitrary SQL commands via the cat parameter.
39 CVE-2009-2894 89 1 Exec Code Sql 2009-08-20 2017-08-16
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in Ebay Clone 2009 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to product_desc.php, and the cid parameter to (2) showcategory.php and (3) gallery.php.
40 CVE-2009-2892 89 1 Exec Code Sql 2009-08-20 2017-09-18
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in header.php in Scripteen Free Image Hosting Script 2.3 allow remote attackers to execute arbitrary SQL commands via a (1) cookid or (2) cookgid cookie.
41 CVE-2009-2891 89 1 Exec Code Sql 2009-08-20 2017-08-16
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in list.php in PHP Scripts Now Riddles allows remote attackers to execute arbitrary SQL commands via the catid parameter.
42 CVE-2009-2888 89 1 Exec Code Sql 2009-08-20 2017-08-16
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in index.php in PHP Scripts Now Hangman allows remote attackers to execute arbitrary SQL commands via the n parameter.
43 CVE-2009-2886 89 1 Exec Code Sql 2009-08-20 2017-08-16
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in bios.php in PHP Scripts Now President Bios allows remote attackers to execute arbitrary SQL commands via the rank parameter.
44 CVE-2009-2885 89 1 Exec Code Sql 2009-08-20 2017-08-16
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in bios.php in PHP Scripts Now World's Tallest Buildings allows remote attackers to execute arbitrary SQL commands via the rank parameter.
45 CVE-2009-2883 89 1 Exec Code Sql 2009-08-20 2017-09-18
6.8
None Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in admin/login.php in SaphpLesson 4.0, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the cp_username parameter, related to an error in the CleanVar function in includes/functions.php.
46 CVE-2009-2881 89 1 Exec Code Sql 2009-08-20 2017-09-18
7.5
User Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in Basilic 1.5.13 allow remote attackers to execute arbitrary SQL commands via the idAuthor parameter to (1) index.php and possibly (2) allpubs.php in publications/.
47 CVE-2009-2861 DoS 2009-08-27 2009-08-28
7.3
None Local Network Medium Not required None Complete Complete
The Over-the-Air Provisioning (OTAP) functionality on Cisco Aironet Lightweight Access Point 1100 and 1200 devices does not properly implement access-point association, which allows remote attackers to spoof a controller and cause a denial of service (service outage) via crafted remote radio management (RRM) packets, aka "SkyJack" or Bug ID CSCtb56664.
48 CVE-2009-2860 DoS 2009-08-19 2009-08-21
5.0
None Remote Low Not required None None Partial
Unspecified vulnerability in db2jds in IBM DB2 8.1 before FP18 allows remote attackers to cause a denial of service (service crash) via "malicious packets."
49 CVE-2009-2858 399 DoS 2009-08-19 2009-08-21
5.0
None Remote Low Not required None None Partial
Memory leak in the Security component in IBM DB2 8.1 before FP18 on Unix platforms allows attackers to cause a denial of service (memory consumption) via unspecified vectors, related to private memory within the DB2 memory structure.
50 CVE-2009-2855 20 DoS 2009-08-18 2017-09-18
5.0
None Remote Low Not required None None Partial
The strListGetItem function in src/HttpHeaderTools.c in Squid 2.7 allows remote attackers to cause a denial of service via a crafted auth header with certain comma delimiters that trigger an infinite loop of calls to the strcspn function.
Total number of vulnerabilities : 394   Page : 1 (This Page)2 3 4 5 6 7 8
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.