CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In November 2009 (CVSS score >= 7)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2009-4117 119 DoS Exec Code Overflow 2009-11-30 2017-08-16
9.3
None Remote Medium Not required Complete Complete Complete
Multiple stack-based buffer overflows in pdf_shade4.c in MuPDF before commit 20091125231942, as used in SumatraPDF before 1.0.1, allow remote attackers to cause a denial of service and possibly execute arbitrary code via a /Decode array for certain types of shading that are not properly handled by the (1) pdf_loadtype4shade, (2) pdf_loadtype5shade, (3) pdf_loadtype6shade, and (4) pdf_loadtype7shade functions. NOTE: some of these details are obtained from third party information.
2 CVE-2009-4112 264 +Priv 2009-11-30 2018-10-10
9.0
Admin Remote Low Single system Complete Complete Complete
Cacti 0.8.7e and earlier allows remote authenticated administrators to gain privileges by modifying the "Data Input Method" for the "Linux - Get Memory Usage" setting to contain arbitrary commands.
3 CVE-2009-4107 119 1 Exec Code Overflow 2009-11-29 2017-09-18
9.3
Admin Remote Medium Not required Complete Complete Complete
Buffer overflow in Invisible Browsing 5.0.52 allows user-assisted remote attackers to execute arbitrary code via a crafted .ibkey file containing a long string.
4 CVE-2009-4106 20 1 Exec Code 2009-11-29 2017-09-18
7.5
User Remote Low Not required Partial Partial Partial
Unrestricted file upload vulnerability in admintools/editpage-2.php in Agoko CMS 0.4 and earlier allows remote attackers to inject and execute arbitrary PHP code via the filename and text parameters.
5 CVE-2009-4104 89 Exec Code Sql 2009-11-29 2011-07-26
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in Lyften Designs LyftenBloggie (com_lyftenbloggie) component 1.0.4 for Joomla! allows remote attackers to execute arbitrary SQL commands via the author parameter to index.php.
6 CVE-2009-4103 119 DoS Exec Code Overflow 2009-11-29 2009-11-30
9.3
Admin Remote Medium Not required Complete Complete Complete
Buffer overflow in Robo-FTP 3.6.17, and possibly other versions, allows remote FTP servers to cause a denial of service and possibly execute arbitrary code via unspecified FTP server responses. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
7 CVE-2009-4102 20 Exec Code 2009-11-29 2017-08-16
9.3
None Remote Medium Not required Complete Complete Complete
Sage 1.4.3 and earlier extension for Firefox performs certain operations with chrome privileges, which allows remote attackers to execute arbitrary commands and perform cross-domain scripting attacks via the description tag of an RSS feed.
8 CVE-2009-4101 20 Exec Code 2009-11-29 2017-08-16
9.3
None Remote Medium Not required Complete Complete Complete
infoRSS 1.1.4.2 and earlier extension for Firefox performs certain operations with chrome privileges, which allows remote attackers to execute arbitrary commands and perform cross-domain scripting attacks via the description tag of an RSS feed.
9 CVE-2009-4100 20 Exec Code 2009-11-29 2017-08-16
9.3
None Remote Medium Not required Complete Complete Complete
Yoono extension before 6.1.1 for Firefox performs certain operations with chrome privileges, which allows user-assisted remote attackers to execute arbitrary commands and perform cross-domain scripting attacks via DOM event handlers such as onload.
10 CVE-2009-4099 89 1 Exec Code Sql 2009-11-29 2017-08-16
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the Google Calendar GCalendar (com_gcalendar) component 1.1.2, 2.1.4, and possibly earlier versions for Joomla! allows remote attackers to execute arbitrary SQL commands via the gcid parameter. NOTE: some of these details are obtained from third party information.
11 CVE-2009-4097 119 2 Exec Code Overflow 2009-11-29 2017-08-16
9.3
Admin Remote Medium Not required Complete Complete Complete
Stack-based buffer overflow in the MplayInputFile function in Serenity Audio Player 3.2.3 and earlier allows remote attackers to execute arbitrary code via a long URL in an M3U file. NOTE: some of these details are obtained from third party information.
12 CVE-2009-4096 255 2 +Info 2009-11-29 2009-12-02
7.5
User Remote Low Not required Partial Partial Partial
RADIO istek scripti 2.5 stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain user credentials via a direct request for estafresgaftesantusyan.inc.
13 CVE-2009-4095 287 Bypass 2009-11-29 2017-08-16
7.5
None Remote Low Not required Partial Partial Partial
myPhile 1.2.1 allows remote attackers to bypass authentication via an empty password. NOTE: some of these details are obtained from third party information.
14 CVE-2009-4094 94 Exec Code File Inclusion 2009-11-29 2017-08-16
7.5
None Remote Low Not required Partial Partial Partial
PHP remote file inclusion vulnerability in class/php/d4m_ajax_pagenav.php in the D4J eZine (com_ezine) component 2.1 for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the GLOBALS[mosConfig_absolute_path parameter.
15 CVE-2009-4090 20 1 Exec Code 2009-11-29 2017-08-16
7.5
None Remote Low Not required Partial Partial Partial
Unrestricted file upload vulnerability in ajax/addComment.php in telepark.wiki 2.4.23 and earlier script allows remote attackers to execute arbitrary code by uploading a file with a name containing a NULL byte.
16 CVE-2009-4085 94 Exec Code File Inclusion 2009-11-29 2017-08-16
7.5
None Remote Low Not required Partial Partial Partial
PHP remote file inclusion vulnerability in assets/plugins/mp3_id/mp3_id.php in PHP Traverser 0.8.0 allows remote attackers to execute arbitrary PHP code via a URL in the GLOBALS[BASE] parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
17 CVE-2009-4084 89 Exec Code Sql 2009-11-29 2018-10-10
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the search feature in e107 0.7.16 and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
18 CVE-2009-4082 94 2 Exec Code File Inclusion 2009-11-29 2017-08-16
7.5
None Remote Low Not required Partial Partial Partial
PHP remote file inclusion vulnerability in forums/Forum_Include/index.php in Outreach Project Tool (OPT) 1.2.7 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the CRM_path parameter.
19 CVE-2009-4072 2009-11-24 2018-10-30
10.0
None Remote Low Not required Complete Complete Complete
Unspecified vulnerability in Opera before 10.10 has unknown impact and attack vectors, related to a "moderately severe issue."
20 CVE-2009-4070 89 Exec Code Sql 2009-11-24 2009-11-24
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in GForge 4.5.14, 4.7.3, and possibly other versions allows remote attackers to execute arbitrary SQL commands via unknown vectors.
21 CVE-2009-4060 89 Exec Code Sql 2009-11-23 2017-08-16
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in includes/content/viewProd.inc.php in CubeCart before 4.3.7 remote attackers to execute arbitrary SQL commands via the productId parameter.
22 CVE-2009-4058 89 Exec Code Sql 2009-11-23 2017-08-16
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in allauctions.php in Telebid Auction Script allows remote attackers to execute arbitrary SQL commands via the aid parameter.
23 CVE-2009-4057 89 Exec Code Sql 2009-11-23 2017-08-16
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the inertialFATE iF Portfolio Nexus (com_if_nexus) component 1.1 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in an item action to index.php.
24 CVE-2009-4056 22 Dir. Trav. 2009-11-23 2009-11-24
7.5
None Remote Low Not required Partial Partial Partial
Directory traversal vulnerability in admin/popup.php in Betsy CMS 3.5 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the popup parameter.
25 CVE-2009-4049 119 DoS Overflow +Priv Mem. Corr. 2009-11-23 2018-10-10
7.2
None Local Low Not required Complete Complete Complete
Heap-based buffer overflow in aswRdr.sys (aka the TDI RDR driver) in avast! Home and Professional 4.8.1356.0 allows local users to cause a denial of service (memory corruption) or possibly gain privileges via crafted arguments to IOCTL 0x80002024.
26 CVE-2009-4046 89 Exec Code Sql 2009-11-20 2009-11-23
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in FrontAccounting (FA) 2.2.x before 2.2 RC allow remote attackers to execute arbitrary SQL commands via unspecified parameters to (1) bank_accounts.php, (2) currencies.php, (3) exchange_rates.php, (4) gl_account_types.php, and (5) gl_accounts.php in gl/manage/; and (6) audit_trail_db.inc, (7) comments_db.inc, (8) inventory_db.inc, (9) manufacturing_db.inc, and (10) references_db.inc in includes/db/.
27 CVE-2009-4045 89 Exec Code Sql 2009-11-20 2009-11-23
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in FrontAccounting (FA) before 2.1.7 allow remote attackers to execute arbitrary SQL commands via unspecified parameters to various .inc and .php files in (1) reporting/, (2) sales/, (3) sales/includes/, (4) sales/includes/db/, (5) sales/inquiry/, (6) sales/manage/, (7) sales/view/, (8) taxes/, and (9) taxes/db/.
28 CVE-2009-4044 264 2009-11-20 2017-08-16
7.5
None Remote Low Not required Partial Partial Partial
The Web Services module 6.x for Drupal does not perform the expected access control, which allows remote attackers to make unspecified use of an API via unknown vectors.
29 CVE-2009-4037 89 Exec Code Sql 2009-11-20 2009-11-23
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in FrontAccounting (FA) before 2.1.7, and 2.2.x before 2.2 RC, allow remote attackers to execute arbitrary SQL commands via unspecified parameters to (1) admin/db/users_db.inc, and various other .inc and .php files under (2) admin/, (3) dimensions/, (4) gl/, (5) inventory/, (6) manufacturing/, and (7) purchasing/.
30 CVE-2009-4031 20 DoS 2009-11-29 2018-11-16
7.8
None Remote Low Not required None None Complete
The do_insn_fetch function in arch/x86/kvm/emulate.c in the x86 emulator in the KVM subsystem in the Linux kernel before 2.6.32-rc8-next-20091125 tries to interpret instructions that contain too many bytes to be valid, which allows guest OS users to cause a denial of service (increased scheduling latency) on the host OS via unspecified manipulations related to SMP support.
31 CVE-2009-4025 78 Exec Code 2009-11-29 2017-08-16
10.0
None Remote Low Not required Complete Complete Complete
Argument injection vulnerability in the traceroute function in Traceroute.php in the Net_Traceroute package before 0.21.2 for PEAR allows remote attackers to execute arbitrary shell commands via the host parameter. NOTE: some of these details are obtained from third party information.
32 CVE-2009-4024 94 Exec Code 2009-11-29 2017-08-16
10.0
None Remote Low Not required Complete Complete Complete
Argument injection vulnerability in the ping function in Ping.php in the Net_Ping package before 2.4.5 for PEAR allows remote attackers to execute arbitrary shell commands via the host parameter. NOTE: this has also been reported as a shell metacharacter problem.
33 CVE-2009-4023 94 2009-11-29 2017-08-16
7.5
None Remote Low Not required Partial Partial Partial
Argument injection vulnerability in the sendmail implementation of the Mail::Send method (Mail/sendmail.php) in the Mail package 1.1.14 for PEAR allows remote attackers to read and write arbitrary files via a crafted $from parameter, a different vector than CVE-2009-4111.
34 CVE-2009-4018 264 2009-11-29 2018-10-30
7.5
None Remote Low Not required Partial Partial Partial
The proc_open function in ext/standard/proc_open.c in PHP before 5.2.11 and 5.3.x before 5.3.1 does not enforce the (1) safe_mode_allowed_env_vars and (2) safe_mode_protected_env_vars directives, which allows context-dependent attackers to execute programs with an arbitrary environment via the env parameter, as demonstrated by a crafted value of the LD_LIBRARY_PATH environment variable.
35 CVE-2009-4006 119 Exec Code Overflow 2009-11-20 2018-10-10
10.0
None Remote Low Not required Complete Complete Complete
Stack-based buffer overflow in the TEA decoding algorithm in RhinoSoft Serv-U FTP server 7.0.0.1, 9.0.0.5, and other versions before 9.1.0.0 allows remote attackers to execute arbitrary code via a long hexadecimal string.
36 CVE-2009-4005 119 Overflow 2009-11-19 2017-09-18
7.2
None Local Low Not required Complete Complete Complete
The collect_rx_frame function in drivers/isdn/hisax/hfc_usb.c in the Linux kernel before 2.6.32-rc7 allows attackers to have an unspecified impact via a crafted HDLC packet that arrives over ISDN and triggers a buffer under-read.
37 CVE-2009-4004 119 DoS Overflow +Priv Mem. Corr. 2009-11-19 2017-08-16
7.2
None Local Low Not required Complete Complete Complete
Buffer overflow in the kvm_vcpu_ioctl_x86_setup_mce function in arch/x86/kvm/x86.c in the KVM subsystem in the Linux kernel before 2.6.32-rc7 allows local users to cause a denial of service (memory corruption) or possibly gain privileges via a KVM_X86_SETUP_MCE IOCTL request that specifies a large number of Machine Check Exception (MCE) banks.
38 CVE-2009-3976 119 1 DoS Exec Code Overflow 2009-11-18 2017-09-18
9.3
None Remote Medium Not required Complete Complete Complete
Buffer overflow in Labtam ProFTP 2.9 allows remote FTP servers to cause a denial of service (application crash) or execute arbitrary code via a long 220 reply (aka connection greeting or welcome message).
39 CVE-2009-3974 89 Exec Code Sql 2009-11-18 2011-12-12
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in Invision Power Board (IPB or IP.Board) 3.0.0, 3.0.1, and 3.0.2 allow remote attackers to execute arbitrary SQL commands via the (1) search_term parameter to admin/applications/core/modules_public/search/search.php and (2) aid parameter to admin/applications/core/modules_public/global/lostpass.php. NOTE: on 20090818, the vendor patched 3.0.2 without changing the version number.
40 CVE-2009-3973 89 1 Exec Code Sql 2009-11-18 2017-09-18
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in index.php in Turnkey Arcade Script allows remote attackers to execute arbitrary SQL commands via the id parameter in a browse action, a different vector than CVE-2008-5629.
41 CVE-2009-3972 89 1 Exec Code Sql 2009-11-18 2017-09-18
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the Q-Proje Siirler Bileseni (com_siirler) component 1.2 RC for Joomla! allows remote attackers to execute arbitrary SQL commands via the sid parameter in an sdetay action to index.php.
42 CVE-2009-3971 89 1 Exec Code Sql 2009-11-18 2017-09-18
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the jTips (com_jtips) component 1.0.7 and 1.0.9 for Joomla! allows remote attackers to execute arbitrary SQL commands via the season parameter in a ladder action to index.php.
43 CVE-2009-3969 119 1 DoS Exec Code Overflow 2009-11-18 2017-09-18
9.3
None Remote Medium Not required Complete Complete Complete
Stack-based buffer overflow in Faslo Player 7.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long string in a .m3u playlist file.
44 CVE-2009-3968 89 1 Exec Code Sql 2009-11-18 2017-09-18
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in ITechBids 8.0 allow remote attackers to execute arbitrary SQL commands via the (1) user_id parameter to feedback.php, (2) cate_id parameter to category.php, (3) id parameter to news.php, and (4) productid parameter to itechd.php. NOTE: the sellers_othersitem.php, classifieds.php, and shop.php vectors are already covered by CVE-2008-3238.
45 CVE-2009-3967 89 1 Exec Code Sql 2009-11-18 2017-09-18
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in browse.php in Ed Charkow SuperCharged Linking allows remote attackers to execute arbitrary SQL commands via the id parameter.
46 CVE-2009-3966 287 1 Bypass 2009-11-18 2017-09-18
7.5
None Remote Low Not required Partial Partial Partial
Arcade Trade Script 1.0 allows remote attackers to bypass authentication and gain administrative access by setting the adminLoggedIn cookie to true.
47 CVE-2009-3965 89 1 Exec Code Sql 2009-11-18 2017-09-18
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in rating.php in New 5 star Rating 1.0 allows remote attackers to execute arbitrary SQL commands via the det parameter.
48 CVE-2009-3964 89 1 Exec Code Sql 2009-11-18 2017-09-18
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the NinjaMonials (com_ninjacentral) component 1.1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the testimID parameter in a display action to index.php.
49 CVE-2009-3963 2009-11-17 2017-08-16
7.5
None Remote Low Not required Partial Partial Partial
Multiple unspecified vulnerabilities in XOOPS before 2.4.0 Final have unknown impact and attack vectors.
50 CVE-2009-3962 20 DoS 2009-11-17 2018-10-10
7.8
None Remote Low Not required None None Complete
The management interface on the 2wire Gateway 1700HG, 1701HG, 1800HW, 2071, 2700HG, and 2701HG-T with software before 5.29.52 allows remote attackers to cause a denial of service (reboot) via a %0d%0a sequence in the page parameter to the xslt program on TCP port 50001, a related issue to CVE-2006-4523.
Total number of vulnerabilities : 132   Page : 1 (This Page)2 3
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.