# |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
59201 |
CVE-2008-7242 |
79 |
|
XSS |
2009-09-17 |
2018-10-11 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Multiple cross-site scripting (XSS) vulnerabilities in MODx CMS 0.9.6.1 and 0.9.6.1p1 allo remote attackers to inject arbitrary web script or HTML via the (1) search, (2) "a," (3) messagesubject, and (4) messagebody parameters to certain pages as reachable from manager/index.php; (5) highlight, (6) id, (7) email, (8) name, and (9) parent parameters to index.php; and the (10) docgrp and (11) moreResultsPage parameters to index-ajax.php. |
59202 |
CVE-2008-7241 |
352 |
|
CSRF |
2009-09-17 |
2009-09-18 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
Cross-site request forgery (CSRF) vulnerability in PunBB before 1.2.17 allows remote attackers to hijack the authentication of unspecified users for requests related to a logout, probably a forced logout. |
59203 |
CVE-2008-7239 |
|
|
|
2009-09-14 |
2012-10-22 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
Multiple unspecified vulnerabilities in Oracle E-Business Suite 11.5.10.2 allow remote attackers to affect confidentiality via unknown vectors related to the (1) Oracle Application Object Library (APP02) and (2) Oracle Applications Manager (APP04). |
59204 |
CVE-2008-7238 |
|
|
|
2009-09-14 |
2012-10-22 |
6.0 |
None |
Remote |
Medium |
Single system |
Partial |
Partial |
Partial |
Multiple unspecified vulnerabilities in Oracle E-Business Suite 12.0.3 allow (1) local users to affect confidentiality and integrity via unknown vectors related to the Mobile Application Server component (APP01); (2) remote attackers to affect confidentiality via unknown vectors related to the Oracle Applications Framework (APP03); remote authenticated users to affect confidentiality and integrity via unknown vectors related to the (3) CRM Technical Foundation (APP05) and (4) Oracle Application Object Library (APP06); and remote authenticated users to affect integrity and availability via unknown vectors related to (5) Oracle Applications Technology Stack (APP07). |
59205 |
CVE-2008-7237 |
|
|
|
2009-09-14 |
2012-10-22 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
Unspecified vulnerability in the Oracle Internet Directory component in Oracle Application Server 9.0.4.3 and 10.1.2.2 allows remote authenticated users to affect confidentiality via unknown vectors, aka AS06. |
59206 |
CVE-2008-7236 |
|
|
|
2009-09-14 |
2012-10-22 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Unspecified vulnerability in the Oracle JDeveloper component in Oracle Application Server 10.1.2.2 and 10.1.3.1 allows remote attackers to affect integrity via unknown vectors, aka AS05. |
59207 |
CVE-2008-7235 |
|
|
|
2009-09-14 |
2012-10-22 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Unspecified vulnerability in the Oracle Forms component in Oracle Application Server 10.1.2.2 and E-Business Suite 12.0.3 allows remote attackers to affect integrity via unknown vectors, aka AS04. |
59208 |
CVE-2008-7234 |
|
|
|
2009-09-14 |
2012-10-22 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
Unspecified vulnerability in the Oracle BPEL Worklist Application component in Oracle Application Server 10.1.2.2 and 10.1.3.3 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, aka AS03. |
59209 |
CVE-2008-7231 |
79 |
|
XSS |
2009-09-14 |
2017-08-16 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in Meridio Document and Records Management before 4.3 SR1 allows remote authenticated users to inject arbitrary web script or HTML via the Title field in a (1) document (subGeneralProps:dmpvDocTitle:PROP_W_title) or (2) container (subGeneralProps:dmpvContainerTitle:PROP_W_title). |
59210 |
CVE-2008-7227 |
119 |
|
Overflow |
2009-09-14 |
2009-09-15 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
PartialBufferOutputStream2 in GeoServer before 1.6.1 and 1.7.0-beta1 attempts to flush buffer contents even when it is handling an "in memory buffer," which prevents the reporting of a service exception, with unknown impact and attack vectors. |
59211 |
CVE-2008-7223 |
79 |
|
XSS |
2009-09-14 |
2009-09-15 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Multiple cross-site scripting (XSS) vulnerabilities in LinPHA before 1.3.3 allow remote attackers to inject arbitrary web script or HTML via (1) ftp/index.php, (2) viewer.php, (3) functions/other.php, (4) include/left_menu.class.php, or (5) plugins/stats/stats_view.php. |
59212 |
CVE-2008-7222 |
79 |
|
XSS |
2009-09-14 |
2018-10-11 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in system/admin.php in RunCMS 1.6.1 allows remote attackers to inject arbitrary web script or HTML via the rank_title parameter in a RankForumAdd action. |
59213 |
CVE-2008-7221 |
352 |
|
CSRF |
2009-09-14 |
2018-10-11 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
Cross-site request forgery (CSRF) vulnerability in RunCMS 1.6.1 allows remote attackers to hijack the authentication of administrators for requests that (1) add new administrators or (2) modify user profiles via a crafted request to system/admin.php. |
59214 |
CVE-2008-7217 |
264 |
|
Bypass |
2009-09-13 |
2009-09-14 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
Microsoft Office 2008 for Mac, when running on Macintosh systems that restrict Office access to administrators, does not enforce this restriction for user ID 502, which allows local users with that ID to bypass intended security policy and access Office programs, related to permissions and ownership for certain directories. |
59215 |
CVE-2008-7216 |
264 |
|
Bypass |
2009-09-11 |
2018-10-11 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
Peter's Math Anti-Spam Spinoff plugin for WordPress generates audio CAPTCHA clips by concatenating static audio files without any additional distortion, which allows remote attackers to bypass CAPTCHA protection by reading certain bytes from the generated clip. |
59216 |
CVE-2008-7215 |
20 |
|
DoS |
2009-09-11 |
2018-10-11 |
5.8 |
None |
Remote |
Medium |
Not required |
None |
Partial |
Partial |
The Image Manager in MOStlyCE before 2.4, as used in Mambo 4.6.3 and earlier, allows remote attackers to rename arbitrary files and cause a denial of service via modified file[NewFile][name], file[NewFile][tmp_name], and file[NewFile][size] parameters in a FileUpload command, which are used to modify equivalent variables in $_FILES that are accessed when the is_uploaded_file check fails. |
59217 |
CVE-2008-7214 |
352 |
|
XSS CSRF |
2009-09-11 |
2018-10-11 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
Cross-site request forgery (CSRF) vulnerability in administrator/index2.php in MOStlyCE before 2.4, as used in Mambo 4.6.3 and earlier, allows remote attackers to hijack the authentication of administrators for requests that add new administrator accounts via the save task in a com_users action, as demonstrated using a separate XSS vulnerability in mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/connector.php. |
59218 |
CVE-2008-7213 |
79 |
|
XSS |
2009-09-11 |
2018-10-11 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/connector.php in MOStlyCE before 2.4, as used in Mambo 4.6.3 and earlier, allows remote attackers to inject arbitrary web script or HTML via the Command parameter. |
59219 |
CVE-2008-7212 |
264 |
|
+Info |
2009-09-11 |
2018-10-11 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
MOStlyCE before 2.4, as used in Mambo 4.6.3 and earlier, allows remote attackers to obtain sensitive information via certain requests to mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/connector.php, which reveals the installation path in an error message. |
59220 |
CVE-2008-7211 |
|
|
+Priv |
2009-09-11 |
2018-10-11 |
6.9 |
Admin |
Local |
Medium |
Not required |
Complete |
Complete |
Complete |
CreativeLabs es1371mp.sys 5.1.3612.0 WDM audio driver, as used in Ensoniq PCI 1371 sound cards and when running on Windows Vista, does not create a Functional Device Object (FDO) to prevent user-moade access to the Physical Device Object (PDO), which allows local users to gain SYSTEM privileges via a crafted IRP request that dereferences a NULL FsContext pointer. |
59221 |
CVE-2008-7208 |
89 |
|
Exec Code Sql |
2009-09-11 |
2018-10-11 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
Multiple SQL injection vulnerabilities in OneCMS 2.4, and possibly earlier, allow remote attackers to execute arbitrary SQL commands via the (1) username parameter ($usernameb variable) to a_login.php or (2) user parameter to staff.php. |
59222 |
CVE-2008-7207 |
310 |
|
|
2009-09-11 |
2009-09-11 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
RivetTracker before 1.0 stores passwords in cleartext in config.php, which allows local users to discover passwords by reading config.php. |
59223 |
CVE-2008-7206 |
79 |
|
XSS |
2009-09-11 |
2017-08-16 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Unspecified vulnerability in Electronic Logbook (ELOG) before 2.7.2 has unknown impact and attack vectors when the "logbook contains HTML code," probably cross-site scripting (XSS). |
59224 |
CVE-2008-7205 |
20 |
|
|
2009-09-11 |
2017-08-16 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
Unspecified vulnerability in the product view functionality in VirtueMart 1.0.13a and earlier allows remote attackers to read arbitrary files via vectors related to a template file. |
59225 |
CVE-2008-7204 |
352 |
|
CSRF |
2009-09-11 |
2017-08-16 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
Cross-site request forgery (CSRF) vulnerability in VirtueMart 1.0.13a and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors. |
59226 |
CVE-2008-7203 |
399 |
|
DoS |
2009-09-11 |
2017-10-10 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
Valve Software Half-Life Counter-Strike 1.6 allows remote attackers to cause a denial of service (crash) via multiple crafted login packets. |
59227 |
CVE-2008-7202 |
79 |
|
XSS |
2009-09-10 |
2009-09-11 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Multiple cross-site scripting (XSS) vulnerabilities in OpenWebMail before 2.53 (Stable) allow remote attackers to inject arbitrary web script or HTML via unknown vectors. |
59228 |
CVE-2008-7199 |
|
|
DoS |
2009-09-10 |
2009-09-10 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
Phoenix Contact FL IL 24 BK-PAC allows remote attackers to cause a denial of service (hang) via (1) unspecified manipulations as demonstrated by a Nessus scan or (2) malformed input to TCP port 502. |
59229 |
CVE-2008-7195 |
|
|
DoS |
2009-09-10 |
2017-08-16 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
Unspecified vulnerability in Fujitsu Interstage HTTP Server, as used in Interstage Application Server Enterprise Edition 7.0.1 for Solaris, allows attackers to cause a denial of service via unknown vectors related to SSL. |
59230 |
CVE-2008-7194 |
|
|
DoS |
2009-09-10 |
2017-08-16 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
Unspecified vulnerability in Fujitsu Interstage HTTP Server, as used in Interstage Application Server 5.0, 7.0, 7.0.1, and 8.0.0 for Windows, allows attackers to cause a denial of service via a crafted request. |
59231 |
CVE-2008-7193 |
352 |
|
CSRF |
2009-09-09 |
2018-10-11 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
PHPKIT 1.6.4 PL1 includes the session ID in the URL, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks by reading the PHPKITSID parameter from the HTTP Referer and using it in a request to (1) modify the user profile via upload_files/include.php or (2) create a new administrator via upload_files/pk/include.php. |
59232 |
CVE-2008-7192 |
352 |
|
CSRF |
2009-09-09 |
2018-10-11 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
Cross-site request forgery (CSRF) vulnerability in index.php in WoltLab Burning Board (wBB) 3.0.1, and possibly other 3.x versions, allows remote attackers to hijack the authentication of users for requests that delete private messages via the pmID parameter in a delete action in a PM page, a different vulnerability than CVE-2008-0472. |
59233 |
CVE-2008-7191 |
|
|
DoS |
2009-09-09 |
2009-09-10 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
Unspecified vulnerability in Polipo before 1.0.4 allows remote attackers to cause a denial of service (crash) via a long request URL. |
59234 |
CVE-2008-7187 |
200 |
|
+Info |
2009-09-09 |
2018-10-11 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
Coppermine Photo Gallery (CPG) 1.4.14 allows remote attackers to obtain sensitive information via a direct request to include/slideshow.inc.php, which leaks the installation path in an error message. |
59235 |
CVE-2008-7186 |
264 |
|
+Info |
2009-09-09 |
2018-10-11 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
Coppermine Photo Gallery (CPG) 1.4.14 does not restrict access to update.php, which allows remote attackers to obtain sensitive information such as the database table prefix via a direct request. NOTE: this might be leveraged for attacks against CVE-2008-0504. |
59236 |
CVE-2008-7185 |
20 |
1
|
DoS |
2009-09-08 |
2018-10-11 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
GNOME Rhythmbox 0.11.5 allows remote attackers to cause a denial of service (segmentation fault and crash) via a playlist (.pls) file with a long Title field, possibly related to the g_hash_table_lookup function in b-playlist-manager.c. |
59237 |
CVE-2008-7184 |
79 |
|
XSS |
2009-09-08 |
2018-10-11 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in Diigo Toolbar and Diigolet allows remote attackers to inject arbitrary web script or HTML via a public comment. |
59238 |
CVE-2008-7183 |
94 |
|
Exec Code File Inclusion |
2009-09-08 |
2017-08-16 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
PHP remote file inclusion vulnerability in eva/index.php in EVA CMS 2.3.1, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the eva[caminho] parameter to index.php. |
59239 |
CVE-2008-7182 |
119 |
|
DoS Exec Code Overflow |
2009-09-08 |
2017-09-28 |
4.0 |
None |
Remote |
Low |
Single system |
None |
None |
Partial |
Buffer overflow in the IMAP service in NetWin Surgemail 3.9e, and possibly other versions before 3.9g2, allows remote authenticated users to cause a denial of service (crash) and possibly execute arbitrary code via a long first argument to the APPEND command, a different vector than CVE-2008-1497 and CVE-2008-1498. NOTE: due to lack of details, it is not certain whether this is the same issue as CVE-2008-2859. |
59240 |
CVE-2008-7180 |
20 |
|
|
2009-09-08 |
2017-09-28 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
del_query1.php in Telephone Directory 2008 allows remote attackers to delete arbitrary contacts via a direct request with a modified id variable. |
59241 |
CVE-2008-7176 |
22 |
|
Dir. Trav. |
2009-09-08 |
2017-09-28 |
6.8 |
User |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
Multiple directory traversal vulnerabilities in Facil CMS 0.1RC allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) change_lang parameter to index.php or (2) modload parameter to modules.php. |
59242 |
CVE-2008-7175 |
79 |
|
XSS |
2009-09-08 |
2018-10-11 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in wp-admin/admin.php in NextGEN Gallery 0.96 and earlier plugin for Wordpress allows remote attackers to inject arbitrary web script or HTML via the picture description field in a page edit action. |
59243 |
CVE-2008-7171 |
79 |
|
XSS |
2009-09-08 |
2017-09-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Multiple cross-site scripting (XSS) vulnerabilities in Lightweight news portal (LNP) 1.0b allow remote attackers to inject arbitrary web script or HTML via the (1) photo parameter to show_photo.php, (2) potd parameter to show_potd.php, or (3) the Current question field in a vote action to admin.php. |
59244 |
CVE-2008-7166 |
119 |
|
DoS Overflow |
2009-09-04 |
2009-09-09 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
Buffer overflow in the web interface in BitTorrent 6.0.1 (build 7859) and earlier, and uTorrent 1.7.6 (build 7859) and earlier, allows remote attackers to cause a denial of service (memory consumption and crash) via a crafted Range header. NOTE: this is probably a different vulnerability than CVE-2008-0071 and CVE-2008-0364. |
59245 |
CVE-2008-7165 |
352 |
|
CSRF |
2009-09-04 |
2018-10-11 |
6.8 |
User |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
Cross-site request forgery in cp06_wifi_m_nocifr.cgi in the administrator panel in TELECOM ITALIA Alice Gate2 Plus Wi-Fi allows remote attackers to hijack the authentication of administrators for requests that disable Wi-Fi encryption via certain values for the wlChannel and wlRadioEnable parameters. |
59246 |
CVE-2008-7163 |
22 |
|
Dir. Trav. |
2009-09-04 |
2017-09-28 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
Directory traversal vulnerability in mods/Integrated/index.php in SineCMS 2.3.5 and earlier, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via the sine[config][index_main] parameter. |
59247 |
CVE-2008-7160 |
134 |
|
Exec Code |
2009-09-10 |
2012-10-22 |
5.8 |
None |
Remote |
Medium |
Not required |
None |
Partial |
Partial |
The silc_http_server_parse function in lib/silchttp/silchttpserver.c in the internal HTTP server in silcd in Secure Internet Live Conferencing (SILC) Toolkit before 1.1.9 allows remote attackers to overwrite a stack location and possibly execute arbitrary code via a crafted Content-Length header, related to incorrect use of a %lu format string. |
59248 |
CVE-2008-7159 |
134 |
|
Exec Code |
2009-09-10 |
2017-08-16 |
5.8 |
None |
Remote |
Medium |
Not required |
None |
Partial |
Partial |
The silc_asn1_encoder function in lib/silcasn1/silcasn1_encode.c in Secure Internet Live Conferencing (SILC) Toolkit before 1.1.8 allows remote attackers to overwrite a stack location and possibly execute arbitrary code via a crafted OID value, related to incorrect use of a %lu format string. |
59249 |
CVE-2008-7157 |
264 |
|
Exec Code |
2009-09-02 |
2017-09-28 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
Unrestricted file upload vulnerability in EkinBoard 1.1.0 and earlier allows remote attackers to execute arbitrary code by uploading an avatar file with an executable extension followed by a safe extension, then accessing it via a direct request to the file in uploaded/avatars/. |
59250 |
CVE-2008-7156 |
287 |
|
+Priv Bypass |
2009-09-02 |
2017-09-28 |
6.8 |
User |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
EkinBoard 1.1.0 and earlier, when register_globals is enabled, allows remote attackers to bypass authorization and gain administrator privileges by setting the _groups[] parameter to 2, as demonstrated via backup.php. |