| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
58351 |
CVE-2009-1615 |
|
|
Exec Code |
2009-05-11 |
2017-09-28 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Unrestricted file upload vulnerability in Leap CMS 0.1.4 allows remote attackers to execute arbitrary code by uploading a file with an executable extension via an admin.system.files (aka Manage Files) request to the default URI, then accessing the file via a direct request. |
|
58352 |
CVE-2009-1614 |
79 |
|
XSS |
2009-05-11 |
2017-09-28 |
2.6 |
None |
Remote |
High |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in Leap CMS 0.1.4 allow remote attackers to inject arbitrary web script or HTML via (1) the msg parameter (aka the message in an article comment) or (2) the searchterm parameter (aka the search post form). NOTE: some of these details are obtained from third party information. |
|
58353 |
CVE-2009-1613 |
89 |
|
Exec Code Sql |
2009-05-11 |
2017-09-28 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Multiple SQL injection vulnerabilities in leap.php in Leap CMS 0.1.4, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) searchterm or (2) email parameter. |
|
58354 |
CVE-2009-1609 |
20 |
|
Exec Code |
2009-05-11 |
2017-09-28 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Unrestricted file upload vulnerability in admin/uploadform.asp in Battle Blog 1.25 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file. |
|
58355 |
CVE-2009-1607 |
79 |
|
XSS |
2009-05-11 |
2017-09-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the administrator panel in phpForm.net LinkBase 2.0 allows remote attackers to inject arbitrary web script or HTML via the username in a registration, which is not properly handled when the administrator accesses the Users menu. |
|
58356 |
CVE-2009-1603 |
310 |
|
|
2009-05-11 |
2009-08-08 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
src/tools/pkcs11-tool.c in pkcs11-tool in OpenSC 0.11.7, when used with unspecified third-party PKCS#11 modules, generates RSA keys with incorrect public exponents, which allows attackers to read the cleartext form of messages that were intended to be encrypted. |
|
58357 |
CVE-2009-1602 |
119 |
|
DoS Overflow |
2009-05-11 |
2017-09-28 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Pablo Software Solutions Quick 'n Easy Mail Server 3.3 allows remote attackers to cause a denial of service (daemon outage or CPU consumption) via multiple long SMTP commands, as demonstrated by HELO commands. |
|
58358 |
CVE-2009-1601 |
264 |
|
Bypass |
2009-05-11 |
2017-08-16 |
6.8 |
None |
Local |
Low |
Single system |
Complete |
Complete |
Complete |
|
The Ubuntu clamav-milter.init script in clamav-milter before 0.95.1+dfsg-1ubuntu1.2 in Ubuntu 9.04 sets the ownership of the current working directory to the clamav account, which might allow local users to bypass intended access restrictions via read or write operations involving this directory. |
|
58359 |
CVE-2009-1596 |
16 |
|
Bypass |
2009-05-11 |
2017-08-16 |
4.0 |
None |
Remote |
Low |
Single system |
None |
Partial |
None |
|
Ignite Realtime Openfire before 3.6.5 does not properly implement the register.password (aka canChangePassword) console configuration setting, which allows remote authenticated users to bypass intended policy and change their own passwords via a passwd_change IQ packet. |
|
58360 |
CVE-2009-1595 |
287 |
|
|
2009-05-11 |
2017-08-16 |
4.0 |
None |
Remote |
Low |
Single system |
None |
Partial |
None |
|
The jabber:iq:auth implementation in IQAuthHandler.java in Ignite Realtime Openfire before 3.6.4 allows remote authenticated users to change the passwords of arbitrary accounts via a modified username element in a passwd_change action. |
|
58361 |
CVE-2009-1593 |
79 |
|
XSS |
2009-05-21 |
2018-10-10 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Armorlogic Profense Web Application Firewall before 2.2.22, and 2.4.x before 2.4.4, does not properly implement the "negative model," which allows remote attackers to conduct cross-site scripting (XSS) attacks via a modified end tag of a SCRIPT element. |
|
58362 |
CVE-2009-1591 |
79 |
|
XSS Http R.Spl. |
2009-05-08 |
2009-05-23 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
CRLF injection vulnerability in CGI RESCUE Web Mailer before 1.04 allows remote attackers to inject arbitrary HTTP headers, and conduct cross-site scripting (XSS) or HTTP response splitting attacks, via CRLF sequences in an unspecified web form. |
|
58363 |
CVE-2009-1590 |
|
|
|
2009-05-08 |
2009-05-11 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Unspecified vulnerability in CGI RESCUE FORM2MAIL before 1.42 allows remote attackers to send email to arbitrary recipients via a web form. |
|
58364 |
CVE-2009-1589 |
|
|
|
2009-05-08 |
2009-06-10 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Unspecified vulnerability in CGI RESCUE MiniBBS22 before 1.01 allows remote attackers to send email to arbitrary recipients via unknown vectors. |
|
58365 |
CVE-2009-1588 |
79 |
|
XSS |
2009-05-08 |
2017-08-16 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in CGI RESCUE MiniBBS 8t before 8.95t, 8 before 8.95, 9 before 9.08, and 10 before 10.32 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
|
58366 |
CVE-2009-1585 |
89 |
|
Exec Code Sql |
2009-05-07 |
2009-05-13 |
4.4 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Multiple SQL injection vulnerabilities in TemaTres 1.031, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) id_correo_electronico and (2) id_password parameters to login.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. |
|
58367 |
CVE-2009-1584 |
89 |
|
Exec Code Sql |
2009-05-07 |
2018-10-10 |
6.0 |
None |
Remote |
Medium |
Single system |
Partial |
Partial |
Partial |
|
Multiple SQL injection vulnerabilities in TemaTres 1.0.3 and 1.031, when magic_quotes_gpc is disabled, allow remote attackers or remote authenticated users to execute arbitrary SQL commands via the (1) mail, (2) password, and (3) letra parameters to index.php; (4) y and (5) m parameters to sobre.php; and the (6) dcTema, (7) madsTema, (8) zthesTema, (9) skosTema, and (10) xtmTema parameters to xml.php. |
|
58368 |
CVE-2009-1583 |
79 |
|
XSS |
2009-05-07 |
2018-10-10 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in TemaTres 1.0.3 and 1.031 allow remote attackers to inject arbitrary web script or HTML via the (1) search form; (2) _expresion_de_busqueda, (3) letra, (4) estado_id, and (5) tema parameters to index.php; the (6) PATH_INFO to index.php; (7) unspecified parameters when editing a term as specified by the edit_id and tema parameters to index.php; and the (7) y, (8) ord, and (9) m parameters to sobre.php. |
|
58369 |
CVE-2009-1581 |
79 |
|
XSS |
2009-05-14 |
2017-09-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
functions/mime.php in SquirrelMail before 1.4.18 does not protect the application's content from Cascading Style Sheets (CSS) positioning in HTML e-mail messages, which allows remote attackers to spoof the user interface, and conduct cross-site scripting (XSS) and phishing attacks, via a crafted message. |
|
58370 |
CVE-2009-1580 |
287 |
|
|
2009-05-14 |
2017-09-28 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Session fixation vulnerability in SquirrelMail before 1.4.18 allows remote attackers to hijack web sessions via a crafted cookie. |
|
58371 |
CVE-2009-1579 |
94 |
|
Exec Code |
2009-05-14 |
2017-09-28 |
6.8 |
User |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The map_yp_alias function in functions/imap_general.php in SquirrelMail before 1.4.18 and NaSMail before 1.7 allows remote attackers to execute arbitrary commands via shell metacharacters in a username string that is used by the ypmatch program. |
|
58372 |
CVE-2009-1578 |
79 |
|
XSS |
2009-05-14 |
2017-09-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail before 1.4.18 and NaSMail before 1.7 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) certain encrypted strings in e-mail headers, related to contrib/decrypt_headers.php; (2) PHP_SELF; and (3) the query string (aka QUERY_STRING). |
|
58373 |
CVE-2009-1576 |
|
|
+Info CSRF |
2009-05-06 |
2009-05-20 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Unspecified vulnerability in Drupal 5.x before 5.17 and 6.x before 6.11, as used in vbDrupal before 5.17.0, allows user-assisted remote attackers to obtain sensitive information by tricking victims into visiting the front page of the site with a crafted URL and causing form data to be sent to an attacker-controlled site, possibly related to multiple / (slash) characters that are not properly handled by includes/bootstrap.inc, as demonstrated using the search box. NOTE: this vulnerability can be leveraged to conduct cross-site request forgery (CSRF) attacks. |
|
58374 |
CVE-2009-1575 |
79 |
|
XSS |
2009-05-06 |
2017-08-16 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in Drupal 5.x before 5.17 and 6.x before 6.11, as used in vbDrupal before 5.17.0, allows remote attackers to inject arbitrary web script or HTML via crafted UTF-8 byte sequences before the Content-Type meta tag, which are treated as UTF-7 by Internet Explorer 6 and 7. |
|
58375 |
CVE-2009-1574 |
|
|
DoS |
2009-05-06 |
2017-09-28 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
racoon/isakmp_frag.c in ipsec-tools before 0.7.2 allows remote attackers to cause a denial of service (crash) via crafted fragmented packets without a payload, which triggers a NULL pointer dereference. |
|
58376 |
CVE-2009-1573 |
264 |
|
+Priv |
2009-05-06 |
2017-08-16 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
xvfb-run 1.6.1 in Debian GNU/Linux, Ubuntu, Fedora 10, and possibly other operating systems place the magic cookie (MCOOKIE) on the command line, which allows local users to gain privileges by listing the process and its arguments. |
|
58377 |
CVE-2009-1572 |
|
|
DoS |
2009-05-06 |
2017-08-16 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The BGP daemon (bgpd) in Quagga 0.99.11 and earlier allows remote attackers to cause a denial of service (crash) via an AS path containing ASN elements whose string representation is longer than expected, which triggers an assert error. |
|
58378 |
CVE-2009-1561 |
352 |
1
|
CSRF |
2009-05-06 |
2009-05-07 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in administration.cgi on the Cisco Linksys WRT54GC router with firmware 1.05.7 allows remote attackers to hijack the intranet connectivity of arbitrary users for requests that change the administrator password via the sysPasswd and sysConfirmPasswd parameters. |
|
58379 |
CVE-2009-1557 |
79 |
|
XSS |
2009-05-06 |
2017-08-16 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities on the Cisco Linksys WVC54GCA wireless video camera with firmware 1.00R22 and 1.00R24 allow remote attackers to inject arbitrary web script or HTML via the next_file parameter to (1) main.cgi, (2) img/main.cgi, or (3) adm/file.cgi; or (4) the this_file parameter to adm/file.cgi. |
|
58380 |
CVE-2009-1556 |
200 |
|
+Info |
2009-05-06 |
2009-05-23 |
3.5 |
None |
Remote |
Medium |
Single system |
Partial |
None |
None |
|
img/main.cgi on the Cisco Linksys WVC54GCA wireless video camera with firmware 1.00R22 and 1.00R24 allows remote authenticated users to read arbitrary files in img/ via a filename in the next_file parameter, as demonstrated by reading .htpasswd to obtain the admin password, a different vulnerability than CVE-2004-2507. |
|
58381 |
CVE-2009-1555 |
200 |
|
+Info |
2009-05-06 |
2009-05-23 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The Cisco Linksys WVC54GCA wireless video camera with firmware 1.00R22 and 1.00R24 sends configuration data in response to a Setup Wizard remote-management command, which allows remote attackers to obtain sensitive information such as passwords by reading the SetupWizard.exe process memory, a related issue to CVE-2008-4390. |
|
58382 |
CVE-2009-1554 |
79 |
|
XSS |
2009-05-06 |
2018-10-10 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in ThemeServlet.java in Sun Woodstock 4.2, as used in Sun GlassFish Enterprise Server and other products, allows remote attackers to inject arbitrary web script or HTML via a UTF-7 string in the PATH_INFO, which is displayed on the 404 error page, as demonstrated by the PATH_INFO to theme/META-INF. |
|
58383 |
CVE-2009-1553 |
79 |
|
XSS |
2009-05-06 |
2018-10-10 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in the Admin Console in Sun GlassFish Enterprise Server 2.1 allow remote attackers to inject arbitrary web script or HTML via the query string to (1) applications/applications.jsf, (2) configuration/configuration.jsf, (3) customMBeans/customMBeans.jsf, (4) resourceNode/resources.jsf, (5) sysnet/registration.jsf, or (6) webService/webServicesGeneral.jsf; or the name parameter to (7) configuration/auditModuleEdit.jsf, (8) configuration/httpListenerEdit.jsf, or (9) resourceNode/jdbcResourceEdit.jsf. |
|
58384 |
CVE-2009-1550 |
264 |
|
|
2009-05-06 |
2017-09-28 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Zakkis Technology ABC Advertise 1.0 does not properly restrict access to admin.inc.php, which allows remote attackers to obtain the administrator login name and password via a direct request. |
|
58385 |
CVE-2009-1536 |
20 |
|
DoS |
2009-08-12 |
2018-10-12 |
2.6 |
None |
Remote |
High |
Not required |
None |
None |
Partial |
|
ASP.NET in Microsoft .NET Framework 2.0 SP1 and SP2 and 3.5 Gold and SP1, when ASP 2.0 is used in integrated mode on IIS 7.0, does not properly manage request scheduling, which allows remote attackers to cause a denial of service (daemon outage) via a series of crafted HTTP requests, aka "Remote Unauthenticated Denial of Service in ASP.NET Vulnerability." |
|
58386 |
CVE-2009-1527 |
362 |
|
+Priv |
2009-05-05 |
2018-10-10 |
6.9 |
None |
Local |
Medium |
Not required |
Complete |
Complete |
Complete |
|
Race condition in the ptrace_attach function in kernel/ptrace.c in the Linux kernel before 2.6.30-rc4 allows local users to gain privileges via a PTRACE_ATTACH ptrace call during an exec system call that is launching a setuid application, related to locking an incorrect cred_exec_mutex object. |
|
58387 |
CVE-2009-1526 |
59 |
|
|
2009-05-05 |
2010-03-29 |
6.9 |
None |
Local |
Medium |
Not required |
Complete |
Complete |
Complete |
|
JBMC Software DirectAdmin before 1.334 allows local users to create or overwrite any file via a symlink attack on an arbitrary file in a certain temporary directory, related to a request for this temporary file in the PATH_INFO to the CMD_DB script during a backup action. |
|
58388 |
CVE-2009-1524 |
79 |
|
XSS |
2009-05-05 |
2010-07-20 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in Mort Bay Jetty before 6.1.17 allows remote attackers to inject arbitrary web script or HTML via a directory listing request containing a ; (semicolon) character. |
|
58389 |
CVE-2009-1523 |
22 |
|
Dir. Trav. |
2009-05-05 |
2012-10-22 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Directory traversal vulnerability in the HTTP server in Mort Bay Jetty 5.1.14, 6.x before 6.1.17, and 7.x through 7.0.0.M2 allows remote attackers to access arbitrary files via directory traversal sequences in the URI. |
|
58390 |
CVE-2009-1519 |
22 |
|
Dir. Trav. |
2009-05-04 |
2017-09-28 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Directory traversal vulnerability in index.php in Pecio CMS 1.1.5 allows remote attackers to read arbitrary files via a .. (dot dot) in the language parameter. |
|
58391 |
CVE-2009-1518 |
352 |
|
CSRF |
2009-05-04 |
2009-05-05 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in Beltane before 2.3.11 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. |
|
58392 |
CVE-2009-1517 |
|
|
DoS Exec Code |
2009-05-04 |
2017-09-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
Multiple insecure method vulnerabilities in the Symantec.EasySetup.1 ActiveX control in EasySetupInt.dll 14.0.4.30167 in the EasySetup wizard in Symantec Norton Ghost 14.0 allow remote attackers to cause a denial of service (browser crash) and possibly execute arbitrary code via unspecified input to the (1) GetBackupLocationPath, (2) CallUninstall, (3) SetupDeleteVolume, (4) CanUseEasySetup, (5) CallAddInitialProtection, and (6) CallTour methods. |
|
58393 |
CVE-2009-1515 |
119 |
|
Exec Code Overflow |
2009-05-04 |
2009-11-13 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Heap-based buffer overflow in the cdf_read_sat function in src/cdf.c in Christos Zoulas file 5.00 allows user-assisted remote attackers to execute arbitrary code via a crafted compound document file, as demonstrated by a .msi, .doc, or .mpp file. NOTE: some of these details are obtained from third party information. |
|
58394 |
CVE-2009-1514 |
399 |
|
DoS |
2009-05-04 |
2017-09-28 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Google Chrome 1.0.154.53 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a throw statement with a long exception value. |
|
58395 |
CVE-2009-1513 |
119 |
|
DoS Exec Code Overflow |
2009-05-04 |
2009-08-08 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Buffer overflow in the PATinst function in src/load_pat.cpp in libmodplug before 0.8.7 allows user-assisted remote attackers to cause a denial of service and possibly execute arbitrary code via a long instrument name. |
|
58396 |
CVE-2009-1512 |
94 |
|
|
2009-05-01 |
2017-09-28 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
Static code injection vulnerability in X-Forum 0.6.2 allows remote authenticated administrators to inject arbitrary PHP code into Config.php via the adminEMail parameter to SaveConfig.php. |
|
58397 |
CVE-2009-1506 |
89 |
|
Exec Code Sql |
2009-05-01 |
2017-09-28 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in classes/Xp.php in eLitius 1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter to banner-details.php. |
|
58398 |
CVE-2009-1505 |
89 |
|
Exec Code Sql |
2009-05-01 |
2017-08-16 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in the News Page module 5.x before 5.x-1.2 for Drupal allows remote authenticated users, with News Page nodes create and edit privileges, to execute arbitrary SQL commands via the Include Words (aka keywords) field. |
|
58399 |
CVE-2009-1501 |
79 |
|
XSS |
2009-05-01 |
2009-05-13 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Exif module 5.x-1.x before 5.x-1.2 and 6.x-1.x-dev before April 13, 2009, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via EXIF tags in an image. |
|
58400 |
CVE-2009-1500 |
89 |
|
Exec Code Sql |
2009-05-01 |
2018-10-10 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in index.php in ProjectCMS 1.0 Beta allows remote attackers to execute arbitrary SQL commands via the sn parameter. |
