CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 6 and 6.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
12951 CVE-2008-4091 89 Exec Code Sql 2008-09-15 2017-10-18
6.8
User Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in index.php in Web Directory Script 1.5.3 allows remote attackers to execute arbitrary SQL commands via the site parameter in an open action.
12952 CVE-2008-4087 119 DoS Exec Code Overflow 2008-09-15 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
Stack-based buffer overflow in Acoustica Beatcraft 1.02 Build 19 allows user-assisted attackers to cause a denial of service or execute arbitrary code via a Beatcraft Project (aka bcproj) file with a long string in a certain instruments title field.
12953 CVE-2008-4084 89 Exec Code Sql 2008-09-15 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in staticpages/easyclassifields/index.php in MyioSoft EasyClassifields 3.0 allows remote attackers to execute arbitrary SQL commands via the go parameter in a browse action.
12954 CVE-2008-4080 89 Exec Code Sql 2008-09-15 2018-10-11
6.8
User Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in Stash 1.0.3, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the (1) username parameter to admin/library/authenticate.php and the (2) download parameter to downloadmp3.php. NOTE: some of these details are obtained from third party information.
12955 CVE-2008-4078 89 Exec Code Sql 2008-09-15 2018-10-11
6.5
User Remote Low Single system Partial Partial Partial
SQL injection vulnerability in the AR/AP transaction report in (1) LedgerSMB (LSMB) before 1.2.15 and (2) SQL-Ledger 2.8.17 and earlier allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.
12956 CVE-2008-4075 22 Dir. Trav. 2008-09-15 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
Directory traversal vulnerability in index.php in D-iscussion Board 3.01 allows remote attackers to read arbitrary files via a .. (dot dot) in the topic parameter.
12957 CVE-2008-4049 20 2008-09-11 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
A certain ActiveX control in fwRemoteCfg.dll 3.3.3.1 in Friendly Technologies FriendlyPPPoE Client 3.0.0.57 allows remote attackers to execute arbitrary programs via arguments to the RunApp method.
12958 CVE-2008-4048 119 Exec Code Overflow 2008-09-11 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
Heap-based buffer overflow in a certain ActiveX control in fwRemoteCfg.dll 3.3.3.1 in Friendly Technologies FriendlyPPPoE Client 3.0.0.57 allows remote attackers to execute arbitrary code via a long third argument to the CreateURLShortcut method.
12959 CVE-2008-4013 2008-10-14 2017-08-07
6.8
None Remote Medium Not required Partial Partial Partial
Unspecified vulnerability in the WebLogic Server component in BEA Product Suite 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.
12960 CVE-2008-4010 2008-10-14 2017-08-07
6.8
None Remote Medium Not required Partial Partial Partial
Unspecified vulnerability in the WebLogic Workshop component in BEA Product Suite 10.3, 10.2, 10.0 MP1, 9.2 MP3, and 8.1 SP6 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to "some NetUI tags."
12961 CVE-2008-4007 2009-01-13 2012-10-22
6.5
None Remote Low Single system Partial Partial Partial
Unspecified vulnerability in the PeopleSoft Enterprise Components component in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.9.18 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors.
12962 CVE-2008-4000 Bypass 2008-10-14 2018-10-11
6.4
None Remote Low Not required Partial Partial None
Unspecified vulnerability in the PeopleTools component in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.48.18 and 8.49.14 allows remote attackers to affect confidentiality and integrity via unknown vectors. NOTE: the previous information was obtained from the Oracle October 2008 CPU. Oracle has not commented on reliable researcher claims that this issue allows bypass of the lockout mechanism using brute force guessing of credentials and a response discrepancy information leak when the password is correct.
12963 CVE-2008-3989 2008-10-14 2017-08-07
6.5
None Remote Low Single system Partial Partial Partial
Unspecified vulnerability in the Oracle Data Mining component in Oracle Database 10.2.0.3 allows remote authenticated users to affect confidentiality, integrity, and availability, related to DMSYS.ODM_MODEL_UTIL.
12964 CVE-2008-3972 264 2008-09-10 2017-08-07
6.6
None Local Low Not required None Complete Complete
pkcs15-tool in OpenSC before 0.11.6 does not apply security updates to a smart card unless the card's label matches the "OpenSC" string, which might allow physically proximate attackers to exploit vulnerabilities that the card owner expected were patched, as demonstrated by exploitation of CVE-2008-2235.
12965 CVE-2008-3970 264 Bypass 2008-09-10 2017-08-07
6.9
Admin Local Medium Not required Complete Complete Complete
pam_mount 0.10 through 0.45, when luserconf is enabled, does not verify mountpoint and source ownership before mounting a user-defined volume, which allows local users to bypass intended access restrictions via a local mount.
12966 CVE-2008-3931 59 2008-09-04 2017-08-07
6.9
Admin Local Medium Not required Complete Complete Complete
javareconf in R 2.7.2 allows local users to overwrite arbitrary files via a symlink attack on temporary files.
12967 CVE-2008-3930 59 2008-09-04 2017-08-07
6.9
None Local Medium Not required Complete Complete Complete
migrate_aliases.sh in Citadel Server 7.37 allows local users to overwrite arbitrary files via a symlink attack on a temporary file.
12968 CVE-2008-3928 59 2008-09-04 2017-08-07
6.9
None Local Medium Not required Complete Complete Complete
test.sh in Honeyd 1.5c might allow local users to overwrite arbitrary files via a symlink attack on a temporary file.
12969 CVE-2008-3907 20 Exec Code 2008-09-04 2017-08-07
6.8
None Remote Medium Not required Partial Partial Partial
The open-in-browser command in newsbeuter before 1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in a feed URL.
12970 CVE-2008-3887 89 Exec Code Sql 2008-09-02 2017-08-07
6.0
None Remote Medium Single system Partial Partial Partial
Multiple SQL injection vulnerabilities in index.php in dotProject 2.1.2 allow (1) remote authenticated users to execute arbitrary SQL commands via the tab parameter in a projects action, and (2) remote authenticated administrators to execute arbitrary SQL commands via the user_id parameter in a viewuser action.
12971 CVE-2008-3885 352 CSRF 2008-09-02 2017-08-07
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in Blogn (BURO GUN) 1.9.7 and earlier allows remote attackers to hijack the authentication of arbitrary users for requests that make content modifications. NOTE: some of these details are obtained from third party information.
12972 CVE-2008-3868 352 CSRF 2008-11-03 2018-10-11
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in Interact 2.4.1 allows remote attackers to hijack the authentication of super administrators for requests that create super administrator accounts.
12973 CVE-2008-3867 89 Exec Code Sql 2008-11-03 2018-10-11
6.8
User Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in spaces/emailuser.php in Interact 2.4.1 allows remote attackers to execute arbitrary SQL commands via the email_user_key parameter.
12974 CVE-2008-3852 264 Exec Code 2008-08-28 2018-10-11
6.5
None Remote Low Single system Partial Partial Partial
Unspecified vulnerability in the CLR stored procedure deployment from IBM Database Add-Ins for Visual Studio in the Visual Studio Net component in IBM DB2 9.1 before Fixpak 5 and 9.5 before Fixpak 2 allows remote authenticated users to execute arbitrary code via unknown vectors.
12975 CVE-2008-3820 2009-01-22 2017-08-07
6.8
User Remote Medium Not required Partial Partial Partial
Cisco Security Manager 3.1 and 3.2 before 3.2.2, when Cisco IPS Event Viewer (IEV) is used, exposes TCP ports used by the MySQL daemon and IEV server, which allows remote attackers to obtain "root access" to IEV via unspecified use of TCP sessions to these ports.
12976 CVE-2008-3794 189 Exec Code Overflow Bypass 2008-08-26 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
Integer signedness error in the mms_ReceiveCommand function in modules/access/mms/mmstu.c in VLC Media Player 0.8.6i allows remote attackers to execute arbitrary code via a crafted mmst link with a negative size value, which bypasses a size check and triggers an integer overflow followed by a heap-based buffer overflow.
12977 CVE-2008-3788 89 1 Exec Code Sql 2008-08-26 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in PICTURESPRO Photo Cart 3.9, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) qtitle, (2) qid, and (3) qyear parameters to (a) search.php, and the (4) email and (5) password parameters to (b) _login.php.
12978 CVE-2008-3783 89 Exec Code Sql 2008-08-26 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in index.php in Matterdaddy Market 1.1, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) category and (2) type parameters.
12979 CVE-2008-3770 22 Dir. Trav. 2008-08-22 2018-10-11
6.8
None Remote Medium Not required Partial Partial Partial
Multiple directory traversal vulnerabilities in Freeway 1.4.1.171, when register_globals is enabled, allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the language parameter to (1) includes/events_application_top.php; (2) english/account.php, (3) french/account.php, and (4) french/account_newsletters.php in includes/languages/; (5) includes/modules/faqdesk/faqdesk_article_require.php; (6) includes/modules/newsdesk/newsdesk_article_require.php; (7) card1.php, (8) loginbox.php, and (9) whos_online.php in templates/Freeway/boxes/; and (10) templates/Freeway/mainpage_modules/mainpage.php. NOTE: vector 1 may be the same as CVE-2008-3677.
12980 CVE-2008-3769 94 Exec Code File Inclusion 2008-08-22 2018-10-11
6.8
None Remote Medium Not required Partial Partial Partial
PHP remote file inclusion vulnerability in admin/create_order_new.php in Freeway 1.4.1.171, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the include_page parameter.
12981 CVE-2008-3763 20 2008-08-21 2018-10-11
6.8
User Remote Medium Not required Partial Partial Partial
Variable overwrite vulnerability in libsecure.php in Turnkey PHP Live Helper 2.0.1 and earlier, when register_globals is enabled, allows remote attackers to overwrite arbitrary variables related to the db config file. NOTE: this can be leveraged for code injection by overwriting the language file.
12982 CVE-2008-3742 264 Exec Code 2008-08-27 2017-08-07
6.5
None Remote Low Single system Partial Partial Partial
Unrestricted file upload vulnerability in the BlogAPI module in Drupal 5.x before 5.10 and 6.x before 6.4 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, which is not validated.
12983 CVE-2008-3738 287 2008-08-27 2008-09-05
6.8
None Remote Medium Not required Partial Partial Partial
Session fixation vulnerability in SpaceTag LacoodaST 2.1.3 and earlier allows remote attackers to hijack web sessions via unspecified vectors.
12984 CVE-2008-3736 352 CSRF 2008-08-27 2017-08-07
6.0
User Remote Medium Single system Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in (1) System Consultants La!Cooda WIZ 1.4.0 and earlier and (2) SpaceTag LacoodaST 2.1.3 and earlier allow remote attackers to hijack the authentication of arbitrary users for requests that (a) change passwords or (b) change configurations.
12985 CVE-2008-3723 22 1 Dir. Trav. 2008-08-20 2017-08-07
6.3
None Remote Medium Single system Complete None None
Directory traversal vulnerability in index.php in PHPizabi 0.848b C1 HFP3 allows remote authenticated administrators to read arbitrary files via (1) a .. (dot dot), (2) a URL, or possibly (3) a full pathname in the id parameter in an admin.templates.edittemplate action. NOTE: some of these details are obtained from third party information.
12986 CVE-2008-3718 89 Exec Code Sql 2008-08-20 2017-09-28
6.5
User Remote Low Single system Partial Partial Partial
Multiple SQL injection vulnerabilities in cyberBB 0.6 allow remote authenticated users to execute arbitrary SQL commands via the (1) id parameter to show_topic.php and the (2) user parameter to profile.php.
12987 CVE-2008-3716 352 CSRF 2008-08-19 2017-09-28
6.0
User Remote Medium Single system Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in Harmoni before 1.6.0 allows remote attackers to make administrative modifications via a (1) save or (2) delete action to an unspecified component.
12988 CVE-2008-3701 89 Exec Code Sql 2008-08-15 2017-08-07
6.5
User Remote Low Single system Partial Partial Partial
SQL injection vulnerability in staff/index.php in Kayako SupportSuite 3.20.02 and earlier allows remote authenticated users to execute arbitrary SQL commands via the customfieldlinkid parameter in a delcflink action.
12989 CVE-2008-3687 119 Exec Code Overflow 2008-08-14 2017-08-07
6.8
None Remote Medium Not required Partial Partial Partial
Heap-based buffer overflow in the flask_security_label function in Xen 3.3, when compiled with the XSM:FLASK module, allows unprivileged domain users (domU) to execute arbitrary code via the flask_op hypercall.
12990 CVE-2008-3682 89 Exec Code Sql 2008-08-14 2017-08-07
6.8
None Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in dpage.php in YPN PHP Realty allows remote attackers to execute arbitrary SQL commands via the docID parameter.
12991 CVE-2008-3677 22 Dir. Trav. 2008-08-14 2017-08-07
6.8
None Remote Medium Not required Partial Partial Partial
Directory traversal vulnerability in includes/events_application_top.php in Freeway before 1.4.2.197 allows remote attackers to include and execute arbitrary local files via unspecified vectors.
12992 CVE-2008-3670 89 Exec Code Sql 2008-08-13 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in authordetail.php in Article Friendly Pro allows remote attackers to execute arbitrary SQL commands via the autid parameter.
12993 CVE-2008-3667 119 Exec Code Overflow 2008-08-13 2017-08-07
6.8
None Remote Medium Not required Partial Partial Partial
Stack-based buffer overflow in Maxthon Browser 2.0 and earlier allows remote attackers to execute arbitrary code via a long Content-type HTTP header.
12994 CVE-2008-3659 119 DoS Exec Code Overflow 2008-08-14 2018-10-11
6.4
None Remote Low Not required None Partial Partial
Buffer overflow in the memnstr function in PHP 4.4.x before 4.4.9 and PHP 5.6 through 5.2.6 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via the delimiter argument to the explode function. NOTE: the scope of this issue is limited since most applications would not use an attacker-controlled delimiter, but local attacks against safe_mode are feasible.
12995 CVE-2008-3649 89 Exec Code Sql 2008-08-12 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in categorydetail.php in Article Friendly Standard allows remote attackers to execute arbitrary SQL commands via the Cat parameter.
12996 CVE-2008-3646 362 2008-10-10 2017-08-07
6.8
User Remote Medium Not required Partial Partial Partial
The Postfix configuration file in Mac OS X 10.5.5 causes Postfix to be network-accessible when mail is sent from a local command-line tool, which allows remote attackers to send mail to local Mac OS X users.
12997 CVE-2008-3640 189 Exec Code Overflow 2008-10-14 2018-10-03
6.8
None Remote Medium Not required Partial Partial Partial
Integer overflow in the WriteProlog function in texttops in CUPS before 1.3.9 allows remote attackers to execute arbitrary code via a crafted PostScript file that triggers a heap-based buffer overflow.
12998 CVE-2008-3630 2008-09-10 2018-10-30
6.4
None Remote Low Not required None Partial Partial
mDNSResponder in Apple Bonjour for Windows before 1.0.5, when an application uses the Bonjour API for unicast DNS, does not choose random values for transaction IDs or source ports in DNS requests, which makes it easier for remote attackers to spoof DNS responses, a different vulnerability than CVE-2008-1447.
12999 CVE-2008-3626 119 DoS Exec Code Overflow Mem. Corr. 2008-09-10 2018-10-30
6.8
None Remote Medium Not required Partial Partial Partial
The CallComponentFunctionWithStorage function in Apple QuickTime before 7.5.5 does not properly handle a large entry in the sample_size_table in STSZ atoms, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted movie file.
13000 CVE-2008-3624 119 DoS Exec Code Overflow 2008-09-10 2018-10-30
6.8
User Remote Medium Not required Partial Partial Partial
Heap-based buffer overflow in Apple QuickTime before 7.5.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a QuickTime Virtual Reality (QTVR) movie file with crafted panorama atoms.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.