CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities Published In February 2009

# | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.
501 CVE-2008-6181 89 Exec Code Sql 2009-02-19 2017-09-28
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the Mad4Joomla Mailforms (com_mad4joomla) component before 1.1.8.2 for Joomla! allows remote attackers to execute arbitrary SQL commands via the jid parameter to index.php.
502 CVE-2008-6180 89 Exec Code Sql 2009-02-19 2018-10-11
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in system/nlb_user.class.php in NewLife Blogger 3.0 and earlier, and possibly 3.3.1, allows remote attackers to execute arbitrary SQL commands via the nlb3 cookie.
503 CVE-2008-6179 89 Exec Code Sql 2009-02-19 2017-09-28
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in sug_cat.php in IndexScript 3.0 allows remote attackers to execute arbitrary SQL commands via the parent_id parameter, a different vector than CVE-2007-4069.
504 CVE-2008-6178 94 Exec Code 2009-02-19 2017-09-28
7.5
User Remote Low Not required Partial Partial Partial
Unrestricted file upload vulnerability in editor/filemanager/browser/default/connectors/php/connector.php in FCKeditor 2.2, as used in Falt4 CMS, Nuke ET, and other products, allows remote attackers to execute arbitrary code by creating a file with PHP sequences preceded by a ZIP header, uploading this file via a FileUpload action with the application/zip content type, and then accessing this file via a direct request to the file in UserFiles/File/, probably a related issue to CVE-2005-4094. NOTE: some of these details are obtained from third party information.
505 CVE-2008-6177 22 Dir. Trav. 2009-02-19 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
Multiple directory traversal vulnerabilities in LightBlog 9.8, when magic_quotes_gpc is disabled, allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the (1) username parameter to view_member.php, (2) username_post parameter to login.php, and the (3) Lightblog_username cookie parameter to check_user.php.
506 CVE-2008-6175 20 DoS 2009-02-19 2017-09-28
5.0
None Remote Low Not required None None Partial
SilverSHielD 1.0.2.34 allows remote attackers to cause a denial of service (application crash) via a crafted argument to the opendir SFTP command.
507 CVE-2008-6174 79 XSS 2009-02-19 2017-08-16
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in admin/postlister/index.php in Jetbox CMS 2.1 allows remote attackers to inject arbitrary web script or HTML via the liste parameter.
508 CVE-2008-6173 79 XSS 2009-02-19 2017-08-16
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in fullscreen.php in ClipShare Pro 4.0 allows remote attackers to inject arbitrary web script or HTML via the title parameter.
509 CVE-2008-6172 22 Dir. Trav. 2009-02-19 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
Directory traversal vulnerability in captcha/captcha_image.php in the RWCards (com_rwcards) 3.0.11 component for Joomla!, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the img parameter.
510 CVE-2008-6171 20 2009-02-19 2017-08-16
9.3
Admin Remote Medium Not required Complete Complete Complete
includes/bootstrap.inc in Drupal 5.x before 5.12 and 6.x before 6.6, when the server is configured for "IP-based virtual hosts," allows remote attackers to include and execute arbitrary files via the HTTP Host header.
511 CVE-2008-6170 79 XSS 2009-02-19 2017-08-16
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in Drupal 5.x before 5.12 and 6.x before 6.6 allows remote authenticated users with create book content or edit node book hierarchy permissions to inject arbitrary web script or HTML via the book page title.
512 CVE-2008-6169 352 CSRF 2009-02-19 2017-08-16
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in the Localization client 5.x before 5.x-1.1 and 6.x before 6.x-1.6 and the Localization server 5.x before 5.x-1.0-alpha5 and 6.x before 6.x-alpha2, modules for Drupal, allows remote attackers to perform unauthorized actions as administrators via unspecified vectors related to the "local translation submission interface."
513 CVE-2008-6168 79 XSS 2009-02-19 2017-09-28
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in search.php in miniPortail 2.2 and earlier allows remote attackers to inject arbitrary web script or HTML via an unspecified argument, probably the search string.
514 CVE-2008-6167 22 Dir. Trav. 2009-02-19 2017-09-28
7.5
User Remote Low Not required Partial Partial Partial
Directory traversal vulnerability in search.php in miniPortail 2.2 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the lng parameter.
515 CVE-2008-6166 89 Exec Code Sql 2009-02-18 2017-09-28
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the KBase (com_kbase) 1.2 component for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in an article action to index.php.
516 CVE-2008-6165 89 Exec Code Sql 2009-02-18 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in gestion.php in CSPartner 0.1, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the (1) pseudo and (2) passe parameters.
517 CVE-2008-6164 79 XSS 2009-02-20 2018-10-11
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in index.php in DreamCost HostAdmin 3.1.1 allows remote attackers to inject arbitrary web script or HTML via the page parameter.
518 CVE-2008-6163 89 Exec Code Sql 2009-02-20 2017-09-28
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in www/delivery/ac.php in OpenX 2.6.1 allows remote attackers to execute arbitrary SQL commands via the bannerid parameter.
519 CVE-2008-6162 287 Bypass 2009-02-20 2017-09-28
7.5
User Remote Low Not required Partial Partial Partial
Bux.to Clone script allows remote attackers to bypass authentication and gain administrative access by setting the loggedin cookie to 1 and the usNick cookie to admin.
520 CVE-2008-6161 79 XSS 2009-02-18 2009-02-19
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in WOW Raid Manager (WRM) before 3.5.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
521 CVE-2008-6160 264 2009-02-18 2017-08-16
5.0
None Remote Low Not required Partial None None
Semantically-Interconnected Online Communities (SIOC) 5.x before 5.x-1.2 and 6.x before 6.x-1.1, a module for Drupal, does not properly implement menu and database APIs, which allows remote attackers to obtain usernames and read hashed emails and comments via unspecified vectors.
522 CVE-2008-6159 200 +Info 2009-02-18 2018-10-11
5.0
None Remote Low Not required Partial None None
Content Management Made Easy (CMME) 1.19 allows remote attackers to obtain system information via a direct request to info.php, which invokes the phpinfo function.
523 CVE-2008-6158 2009-02-17 2017-08-16
10.0
Admin Remote Low Not required Complete Complete Complete
Multiple unspecified vulnerabilities in the admin backend in w3b>cms (aka w3blabor CMS) before 3.2.0 have unknown impact and remote attack vectors.
524 CVE-2008-6157 310 +Info 2009-02-17 2017-10-18
5.0
None Remote Low Not required Partial None None
SepCity Classified Ads stores the admin password in cleartext in data/classifieds.mdb, which allows context-dependent attackers to obtain sensitive information.
525 CVE-2008-6156 89 Exec Code Sql 2009-02-16 2017-09-28
6.5
User Remote Low Single system Partial Partial Partial
SQL injection vulnerability in editCampaign.php in AdMan 1.1.20070907 allows remote authenticated users to execute arbitrary SQL commands via the campaignId parameter.
526 CVE-2008-6155 89 Exec Code Sql 2009-02-16 2017-08-16
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in index.php in Hispah Text Links Ads 1.1 allows remote attackers to execute arbitrary SQL commands via the idtl parameter in a buy action. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
527 CVE-2008-6154 89 Exec Code Sql 2009-02-16 2017-09-28
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in index.php in Hispah Text Links Ads 1.1 allows remote attackers to execute arbitrary SQL commands via the idcat parameter.
528 CVE-2008-6153 89 Exec Code Sql 2009-02-16 2017-09-28
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in Photo.asp in Jay Patel Pixel8 Web Photo Album 3.0 allows remote attackers to execute arbitrary SQL commands via the AlbumID parameter.
529 CVE-2008-6152 89 Exec Code Sql 2009-02-16 2017-09-28
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in deptdisplay.asp in SepCity Faculty Portal allows remote attackers to execute arbitrary SQL commands via the ID parameter. NOTE: this was originally reported for Lawyer Portal, which does not have a deptdisplay.asp file.
530 CVE-2008-6151 89 Exec Code Sql 2009-02-16 2017-09-28
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in shpdetails.asp in SepCity Shopping Mall allows remote attackers to execute arbitrary SQL commands via the ID parameter.
531 CVE-2008-6150 89 Exec Code Sql 2009-02-16 2017-10-18
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in classdis.asp in SepCity Classified Ads allows remote attackers to execute arbitrary SQL commands via the ID parameter.
532 CVE-2008-6149 89 Exec Code Sql 2009-02-16 2018-10-11
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the mDigg (com_mdigg) component 2.2.8 for Joomla! allows remote attackers to execute arbitrary SQL commands via the cagtegory parameter in a story_lists action to index.php.
533 CVE-2008-6148 89 Exec Code Sql 2009-02-16 2017-10-18
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the Live Ticker (com_liveticker) module 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the tid parameter in a viewticker action to index.php.
534 CVE-2008-6147 264 2009-02-16 2017-09-28
5.0
None Remote Low Not required Partial None None
ForumApp 3.3 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for (1) data/8690.mdb or (2) data/8690BAK.mdb.
535 CVE-2008-6146 89 Exec Code Sql 2009-02-16 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in pm.php in DeluxeBB 1.2 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via a delete##### parameter in a Delete action, a different vector than CVE-2005-2989.
536 CVE-2008-6145 89 Exec Code Sql 2009-02-16 2009-02-16
7.5
User Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in the WEC Discussion Forum (wec_discussion) extension 1.7.0 and earlier for TYPO3 allow remote attackers to execute arbitrary SQL commands via unspecified vectors.
537 CVE-2008-6144 79 XSS 2009-02-16 2009-02-16
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the WEC Discussion Forum (wec_discussion) extension 1.7.0 and earlier for TYPO3 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different issue than CVE-2008-3029.
538 CVE-2008-6143 287 Bypass 2009-02-16 2017-09-28
7.5
User Remote Low Not required Partial Partial Partial
OwenPoll 1.0 allows remote attackers to bypass authentication and obtain administrative access via a modified account name in the username cookie.
539 CVE-2008-6142 89 Exec Code Sql 2009-02-16 2017-09-28
7.5
User Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in admin/usercheck.php in FlexPHPic 0.0.4 and FlexPHPic Pro 0.0.3, and other 0.0.x versions, allow remote attackers to execute arbitrary SQL commands via (1) the checkuser parameter (aka username field), or (2) the checkpass parameter (aka password field), to admin/index.php.
540 CVE-2008-6141 399 DoS 2009-02-13 2017-08-16
5.0
None Remote Low Not required None None Partial
Unspecified vulnerability in Avaya IP Softphone 6.0 SP4 and 6.01.85 allows remote attackers to cause a denial of service (crash) via a large amount of H.323 data.
541 CVE-2008-6140 DoS 2009-02-13 2017-08-16
5.0
None Remote Low Not required None None Partial
Unspecified vulnerability in the Session Initiation Protocol (SIP) implementation in Avaya one-X Desktop Edition 2.1.0.78 allows remote attackers to cause a denial of service (crash) via unspecified vectors.
542 CVE-2008-6139 22 Dir. Trav. 2009-02-13 2017-09-28
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in faqsupport/wce.download.php in WebBiscuits Modules Controller 1.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the download parameter.
543 CVE-2008-6138 94 Exec Code File Inclusion 2009-02-13 2017-09-28
7.5
User Remote Low Not required Partial Partial Partial
PHP remote file inclusion vulnerability in adminhead.php in WebBiscuits Modules Controller 1.1 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the path[docroot] parameter.
544 CVE-2008-6137 264 Bypass 2009-02-13 2017-08-16
7.5
User Remote Low Not required Partial Partial Partial
EveryBlog 5.x and 6.x, a module for Drupal, allows remote attackers to bypass access restrictions via unknown vectors.
545 CVE-2008-6136 264 +Priv 2009-02-13 2017-08-16
7.5
User Remote Low Not required Partial Partial Partial
Unspecified vulnerability in EveryBlog 5.x and 6.x, a module for Drupal, allows remote attackers to gain privileges as another user or an administrator via unknown attack vectors.
546 CVE-2008-6135 79 XSS 2009-02-13 2017-08-16
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in EveryBlog 5.x and 6.x, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
547 CVE-2008-6134 89 Exec Code Sql 2009-02-13 2017-08-16
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in EveryBlog 5.x and 6.x, a module for Drupal, allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
548 CVE-2008-6133 89 Exec Code Sql 2009-02-13 2017-09-28
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in arsaprint.php in Full PHP Emlak Script allows remote attackers to execute arbitrary SQL commands via the id parameter, a different vector than CVE-2008-3942.
549 CVE-2008-6132 94 2 Exec Code 2009-02-13 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
Eval injection vulnerability in reserve.php in phpScheduleIt 1.2.10 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary PHP code via the start_date parameter.
550 CVE-2008-6131 287 2009-02-13 2017-08-16
6.0
User Remote Medium Single system Partial Partial Partial
Session fixation vulnerability in moziloWiki 1.0.1 and earlier allows remote attackers to hijack web sessions by setting the PHPSESSID parameter.
Total number of vulnerabilities: 687 (page 11 of 14)
CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.