| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
60501 |
CVE-2008-4481 |
79 |
|
XSS |
2008-10-07 |
2017-08-07 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in Redmine 0.7.2 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
|
60502 |
CVE-2008-4476 |
59 |
|
|
2008-10-07 |
2017-08-07 |
6.9 |
Admin |
Local |
Medium |
Not required |
Complete |
Complete |
Complete |
|
sympa.pl in sympa 5.3.4 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/sympa_aliases.$$ temporary file. NOTE: wwsympa.fcgi was also reported, but the issue occurred in a dead function, so it is not a vulnerability. |
|
60503 |
CVE-2008-4457 |
89 |
|
Exec Code Sql |
2008-10-06 |
2017-09-28 |
6.8 |
User |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in inc/inc_statistics.php in MemHT Portal 3.9.0 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via a stats_res cookie to index.php. |
|
60504 |
CVE-2008-4456 |
79 |
|
XSS |
2008-10-06 |
2018-10-11 |
2.6 |
None |
Remote |
High |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the command-line client in MySQL 5.0.26 through 5.0.45, and other versions including versions later than 5.0.45, when the --html option is enabled, allows attackers to inject arbitrary web script or HTML by placing it in a database cell, which might be accessed by this client when composing an HTML document. NOTE: as of 20081031, the issue has not been fixed in MySQL 5.0.67. |
|
60505 |
CVE-2008-4455 |
22 |
|
Dir. Trav. |
2008-10-06 |
2017-10-18 |
6.8 |
User |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Directory traversal vulnerability in index.php in EKINdesigns MySQL Quick Admin 1.5.5 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to read and execute arbitrary files via a .. (dot dot) in the language cookie. |
|
60506 |
CVE-2008-4454 |
22 |
|
Dir. Trav. |
2008-10-06 |
2009-07-23 |
6.8 |
User |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Directory traversal vulnerability in EKINdesigns MySQL Quick Admin 1.5.5 allows remote attackers to read and execute arbitrary files via a .. (dot dot) in the lang parameter to actions.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. |
|
60507 |
CVE-2008-4450 |
79 |
|
XSS |
2008-10-06 |
2017-08-07 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in adodb.php in XAMPP for Windows 1.6.8 allows remote attackers to inject arbitrary web script or HTML via the (1) dbserver, (2) host, (3) user, (4) password, (5) database, and (6) table parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. |
|
60508 |
CVE-2008-4448 |
352 |
1
|
CSRF |
2008-10-06 |
2017-08-07 |
6.8 |
User |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in actions.php in Positive Software H-Sphere WebShell 4.3.10 allows remote attackers to perform unauthorized actions as an administrator, including file deletion and creation, via a link or IMG tag to the (1) overkill, (2) futils, or (3) edit actions. |
|
60509 |
CVE-2008-4447 |
79 |
1
|
XSS |
2008-10-06 |
2017-08-07 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in actions.php in Positive Software H-Sphere WebShell 4.3.10 allows remote attackers to inject arbitrary web script or HTML via (1) the fn parameter during a dload action, (2) the mask parameter during a search action, and (3) the tab parameter during a sysinfo action. |
|
60510 |
CVE-2008-4446 |
79 |
|
XSS |
2008-10-06 |
2017-11-17 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in Nucleus EUC-JP 3.31 SP1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
|
60511 |
CVE-2008-4445 |
200 |
|
+Info |
2008-10-06 |
2012-10-29 |
4.7 |
None |
Local |
Medium |
Not required |
Complete |
None |
None |
|
The sctp_auth_ep_set_hmacs function in net/sctp/auth.c in the Stream Control Transmission Protocol (sctp) implementation in the Linux kernel before 2.6.26.4, when the SCTP-AUTH extension is enabled, does not verify that the identifier index is within the bounds established by SCTP_AUTH_HMAC_ID_MAX, which allows local users to obtain sensitive information via a crafted SCTP_HMAC_IDENT IOCTL request involving the sctp_getsockopt function, a different vulnerability than CVE-2008-4113. |
|
60512 |
CVE-2008-4438 |
79 |
|
XSS |
2008-10-03 |
2017-08-07 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in search.php in Datafeed Studio 1.6.2 allows remote attackers to inject arbitrary web script or HTML via the q parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. |
|
60513 |
CVE-2008-4435 |
79 |
|
XSS |
2008-10-03 |
2017-08-07 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in the RMSOFT Downloads Plus (rmdp) module 1.5 and 1.7 for Xoops allow remote attackers to inject arbitrary web script or HTML via the (1) key parameter to search.php and the (2) id parameter to down.php. |
|
60514 |
CVE-2008-4432 |
79 |
|
XSS |
2008-10-03 |
2017-08-07 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in search.php in the RMSOFT MiniShop module 1.0 for Xoops allows remote attackers to inject arbitrary web script or HTML via the itemsxpag parameter. |
|
60515 |
CVE-2008-4426 |
79 |
|
XSS |
2008-10-03 |
2017-09-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in events.php in Phlatline's Personal Information Manager (pPIM) 1.0 allows remote attackers to inject arbitrary web script or HTML via the date parameter in a new action. |
|
60516 |
CVE-2008-4424 |
79 |
|
XSS |
2008-10-03 |
2017-08-07 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in index.php in Domain Group Network GooCMS 1.02 allows remote attackers to inject arbitrary web script or HTML via the s parameter in a comments action. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. |
|
60517 |
CVE-2008-4423 |
89 |
|
Exec Code Sql |
2008-10-03 |
2018-10-11 |
6.5 |
User |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in index.php in Ovidentia 6.6.5 allows remote attackers to execute arbitrary SQL commands via the item parameter in a contact modify action. |
|
60518 |
CVE-2008-4416 |
|
|
DoS |
2008-12-04 |
2017-09-28 |
4.6 |
None |
Local |
Low |
Single system |
None |
None |
Complete |
|
Unspecified vulnerability in the kernel in HP HP-UX B.11.31 allows local users to cause a denial of service via unknown vectors. |
|
60519 |
CVE-2008-4413 |
264 |
|
|
2008-11-04 |
2017-08-07 |
6.2 |
None |
Local |
Low |
Single system |
Complete |
Complete |
None |
|
Unspecified vulnerability in HP System Management Homepage (SMH) 2.2.6 and earlier on HP-UX B.11.11 and B.11.23, and SMH 2.2.6 and 2.2.8 and earlier on HP-UX B.11.23 and B.11.31, allows local users to gain "unauthorized access" via unknown vectors, possibly related to temporary file permissions. |
|
60520 |
CVE-2008-4412 |
200 |
|
+Info |
2008-10-17 |
2017-08-07 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Unspecified vulnerability in HP Systems Insight Manager (SIM) before 5.2 Update 2 (C.05.02.02.00) allows remote attackers to obtain sensitive information via unspecified vectors. |
|
60521 |
CVE-2008-4411 |
79 |
|
XSS |
2008-10-13 |
2017-08-07 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in HP System Management Homepage (SMH) before 2.1.15.210 on Linux and Windows allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2008-1663. |
|
60522 |
CVE-2008-4410 |
20 |
|
DoS |
2008-10-03 |
2017-08-07 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
The vmi_write_ldt_entry function in arch/x86/kernel/vmi_32.c in the Virtual Machine Interface (VMI) in the Linux kernel 2.6.26.5 invokes write_idt_entry where write_ldt_entry was intended, which allows local users to cause a denial of service (persistent application failure) via crafted function calls, related to the Java Runtime Environment (JRE) experiencing improper LDT selector state, a different vulnerability than CVE-2008-3247. |
|
60523 |
CVE-2008-4409 |
399 |
|
DoS |
2008-10-03 |
2017-08-07 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
libxml2 2.7.0 and 2.7.1 does not properly handle "predefined entities definitions" in entities, which allows context-dependent attackers to cause a denial of service (memory consumption and application crash), as demonstrated by use of xmllint on a certain XML document, a different vulnerability than CVE-2003-1564 and CVE-2008-3281. |
|
60524 |
CVE-2008-4408 |
79 |
|
XSS |
2008-10-03 |
2017-08-07 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in MediaWiki 1.13.1, 1.12.0, and possibly other versions before 1.13.2 allows remote attackers to inject arbitrary web script or HTML via the useskin parameter to an unspecified component. |
|
60525 |
CVE-2008-4407 |
|
|
DoS |
2008-10-03 |
2008-11-15 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
XRunSabre in sabre (aka xsabre) 0.2.4b relies on the ability to create /tmp/sabre.log, which allows local users to cause a denial of service (application unavailability) by creating a /tmp/sabre.log file that cannot be overwritten. |
|
60526 |
CVE-2008-4403 |
399 |
|
DoS |
2008-10-03 |
2017-08-07 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The CGI modules in the server in Trend Micro OfficeScan 8.0 SP1 before build 2439 and 8.0 SP1 Patch 1 before build 3087 allow remote attackers to cause a denial of service (NULL pointer dereference and child process crash) via crafted HTTP headers, related to the "error handling mechanism." |
|
60527 |
CVE-2008-4400 |
20 |
|
DoS |
2008-10-14 |
2017-08-07 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Unspecified vulnerability in asdbapi.dll in CA ARCserve Backup (formerly BrightStor ARCserve Backup) r11.1 through r12.0 allows remote attackers to cause a denial of service (crash of multiple services) via crafted authentication credentials, related to "insufficient validation." |
|
60528 |
CVE-2008-4399 |
20 |
|
DoS |
2008-10-14 |
2017-08-07 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Unspecified vulnerability in the database engine service in asdbapi.dll in CA ARCserve Backup (formerly BrightStor ARCserve Backup) r11.1 through r12.0 allows remote attackers to cause a denial of service (crash) via a crafted request, related to "insufficient validation." |
|
60529 |
CVE-2008-4398 |
20 |
|
DoS |
2008-10-14 |
2017-08-07 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Unspecified vulnerability in the tape engine service in asdbapi.dll in CA ARCserve Backup (formerly BrightStor ARCserve Backup) r11.1 through r12.0 allows remote attackers to cause a denial of service (crash) via a crafted request. |
|
60530 |
CVE-2008-4394 |
|
|
Exec Code |
2008-10-10 |
2017-08-07 |
6.9 |
Admin |
Local |
Medium |
Not required |
Complete |
Complete |
Complete |
|
Multiple untrusted search path vulnerabilities in Portage before 2.1.4.5 include the current working directory in the Python search path, which allows local users to execute arbitrary code via a modified Python module that is loaded by the (1) ys-apps/portage, (2) net-mail/fetchmail, (3) app-editors/leo ebuilds, and other ebuilds. |
|
60531 |
CVE-2008-4393 |
79 |
|
XSS |
2008-10-07 |
2017-08-07 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in VeriSign Kontiki Delivery Management System (DMS) 5.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the action parameter to zodiac/servlet/zodiac. |
|
60532 |
CVE-2008-4392 |
362 |
|
|
2009-02-19 |
2017-08-07 |
6.4 |
None |
Remote |
Low |
Not required |
None |
Partial |
Partial |
|
dnscache in Daniel J. Bernstein djbdns 1.05 does not prevent simultaneous identical outbound DNS queries, which makes it easier for remote attackers to spoof DNS responses, as demonstrated by a spoofed A record in the Additional section of a response to a Start of Authority (SOA) query. |
|
60533 |
CVE-2008-4382 |
399 |
|
DoS |
2008-10-02 |
2018-10-11 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Konqueror in KDE 3.5.9 allows remote attackers to cause a denial of service (application crash) via Javascript that calls the alert function with a URL-encoded string of a large number of invalid characters. |
|
60534 |
CVE-2008-4381 |
399 |
|
DoS |
2008-10-02 |
2018-10-11 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Microsoft Internet Explorer 7 allows remote attackers to cause a denial of service (application crash) via Javascript that calls the alert function with a URL-encoded string of a large number of invalid characters. |
|
60535 |
CVE-2008-4379 |
89 |
|
Sql XSS |
2008-10-01 |
2017-09-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in report.php in Mr. CGI Guy Hot Links SQL-PHP 3.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the id parameter. |
|
60536 |
CVE-2008-4372 |
79 |
|
XSS |
2008-10-01 |
2017-09-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in articles.php in AvailScript Article Script allows remote attackers to inject arbitrary web script or HTML via the aIDS parameter. |
|
60537 |
CVE-2008-4370 |
79 |
|
XSS |
2008-10-01 |
2017-09-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in Availscript Photo Album allow remote attackers to inject arbitrary web script or HTML via the (1) sid parameter to pics.php and the (2) a parameter to view.php. |
|
60538 |
CVE-2008-4368 |
310 |
|
|
2008-10-01 |
2017-08-07 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The default configuration of Java 1.5 on Apple Mac OS X 10.5.4 and 10.5.5 contains a jurisdiction policy that limits Java Cryptography Extension (JCE) key sizes to 128 bits, which makes it easier for attackers to decrypt ciphertext produced by JCE. |
|
60539 |
CVE-2008-4366 |
20 |
|
Exec Code |
2008-09-30 |
2017-09-28 |
6.5 |
User |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
Unrestricted file upload vulnerability in the image upload component in Camera Life 2.6.2b4 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in a user directory under images/photos/upload. |
|
60540 |
CVE-2008-4365 |
79 |
|
XSS |
2008-09-30 |
2017-08-07 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in search.php in Siteman 1.1.11 and earlier allows remote attackers to inject arbitrary web script or HTML via unknown vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. |
|
60541 |
CVE-2008-4362 |
399 |
|
DoS |
2008-09-30 |
2017-09-28 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
The Virtual Token driver (vdlptokn.sys) 1.0.2.43 in DESlock+ 3.2.7 allows local users to cause a denial of service (system crash) via a crafted IOCTL request to \Device\DLPTokenWalter0. |
|
60542 |
CVE-2008-4349 |
79 |
|
XSS |
2008-09-30 |
2017-08-07 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in news.php in s0nic Paranews 3.4 allow remote attackers to inject arbitrary web script or HTML via the (1) id or (2) page parameter in a details action. |
|
60543 |
CVE-2008-4340 |
20 |
|
DoS |
2008-09-30 |
2018-10-11 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
Google Chrome 0.2.149.29 and 0.2.149.30 allows remote attackers to cause a denial of service (memory consumption) via an HTML document containing a carriage return ("\r\n\r\n") argument to the window.open function. |
|
60544 |
CVE-2008-4339 |
264 |
|
+Priv |
2008-09-30 |
2017-08-07 |
6.5 |
User |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
Unspecified vulnerability in the Java Administration GUI (jnbSA) in Symantec Veritas NetBackup Server and NetBackup Enterprise Server 5.1 before MP7, 6.0 before MP7, and 6.5 before 6.5.2 allows remote authenticated users to gain privileges via unknown attack vectors related to "bpjava* binaries." |
|
60545 |
CVE-2008-4338 |
89 |
|
Exec Code Sql |
2008-09-30 |
2018-10-11 |
6.0 |
User |
Remote |
Medium |
Single system |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in the brilliant_gallery_checklist_save function in the bgchecklist/save script in Brilliant Gallery 5.x and 6.x, a module for Drupal, allows remote authenticated users with "access brilliant_gallery" permissions to execute arbitrary SQL commands via the (1) nid, (2) qid, (3) state, and possibly (4) user parameters. |
|
60546 |
CVE-2008-4337 |
79 |
|
XSS |
2008-09-30 |
2017-08-07 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in Bitweaver 2.0.2 allows remote attackers to inject arbitrary web script or HTML via the URL parameter to (1) edit.php and (2) list.php in articles/; (3) list_blogs.php and (4) rankings.php in blogs/; (5) calendar/index.php; (6) calendar.php, (7) index.php, and (8) list_events.php in events/; (9) index.php and (10) list_galleries.php in fisheye/; (11) liberty/list_content.php; (12) newsletters/edition.php; (13) pigeonholes/list.php; (14) recommends/index.php; (15) rss/index.php; (16) stars/index.php; (17) users/remind_password.php; (18) wiki/orphan_pages.php; and (19) stats/index.php, different vectors than CVE-2007-0526 and CVE-2005-4379. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. |
|
60547 |
CVE-2008-4336 |
79 |
|
XSS |
2008-09-30 |
2017-09-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in album.php in Atomic Photo Album (APA) 1.1.0pre4 allows remote attackers to inject arbitrary web script or HTML via the apa_album_ID parameter. |
|
60548 |
CVE-2008-4333 |
79 |
|
XSS |
2008-09-30 |
2017-09-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in PHP infoBoard V.7 Plus allows remote attackers to inject arbitrary web script or HTML via the isname parameter in a newtopic action. |
|
60549 |
CVE-2008-4327 |
189 |
|
DoS |
2008-09-30 |
2018-10-30 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
gdiplus.dll in GDI+ in Microsoft Windows XP SP3 does not properly handle crafted .ico files, which allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a certain crash.ico file on a web site, and allows user-assisted attackers to cause a denial of service (divide-by-zero error and persistent application crash) via this crash.ico file on the desktop, a different vulnerability than CVE-2007-2237. |
|
60550 |
CVE-2008-4326 |
79 |
|
XSS Bypass |
2008-09-30 |
2009-08-25 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The PMA_escapeJsString function in libraries/js_escape.lib.php in phpMyAdmin before 2.11.9.2, when Internet Explorer is used, allows remote attackers to bypass cross-site scripting (XSS) protection mechanisms and conduct XSS attacks via a NUL byte inside a "</script" sequence. |
