CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 6 and 6.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
13001 CVE-2008-3614 189 DoS Exec Code Overflow 2008-09-10 2018-10-30
6.8
User Remote Medium Not required Partial Partial Partial
Integer overflow in Apple QuickTime before 7.5.5 on Windows allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PICT image, which triggers heap corruption.
13002 CVE-2008-3613 399 DoS 2008-09-16 2017-08-07
6.1
None Local Network Low Not required None None Complete
Finder in Apple Mac OS X 10.5.2 through 10.5.4 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via vectors involving a search for a remote disk on the local network.
13003 CVE-2008-3611 287 Bypass 2008-09-16 2017-08-07
6.3
None Local Medium Not required None Complete Complete
Login Window in Apple Mac OS X 10.4.11 does not clear the current password when a user makes a password-change attempt that is denied by policy, which allows opportunistic, physically proximate attackers to bypass authentication and change this user's password by later entering an acceptable new password on the same login screen.
13004 CVE-2008-3606 119 DoS Exec Code Overflow 2008-08-12 2018-10-11
6.5
None Remote Low Single system Partial Partial Partial
Heap-based buffer overflow in the IMAP service in Qbik WinGate 6.2.2.1137 and earlier allows remote authenticated users to cause a denial of service (resource exhaustion) or possibly execute arbitrary code via a long argument to the LIST command. NOTE: some of these details are obtained from third party information.
13005 CVE-2008-3605 264 2008-08-12 2017-08-07
6.8
None Remote Medium Not required Partial Partial Partial
Unspecified vulnerability in McAfee Encrypted USB Manager 3.1.0.0, when the Re-use Threshold for passwords is nonzero, allows remote attackers to conduct offline brute force attacks via unknown vectors.
13006 CVE-2008-3600 22 Dir. Trav. 2008-08-12 2018-10-11
6.8
None Remote Medium Not required Partial Partial Partial
Directory traversal vulnerability in contrib/phpBB2/modules.php in Gallery 1.5.7 and 1.6-alpha3, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the phpEx parameter within a modload action.
13007 CVE-2008-3582 89 Exec Code Sql 2008-08-10 2018-10-11
6.8
User Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in login.php in Keld PHP-MySQL News Script 0.7.1 allows remote attackers to execute arbitrary SQL commands via the username parameter.
13008 CVE-2008-3561 89 Exec Code Sql 2008-08-10 2017-08-07
6.8
None Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in s03.php in Powergap Shopsystem, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the ag parameter.
13009 CVE-2008-3555 22 Dir. Trav. 2008-08-08 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
Directory traversal vulnerability in index.php in (1) WSN Forum 4.1.43 and earlier, (2) Gallery 4.1.30 and earlier, (3) Knowledge Base (WSNKB) 4.1.36 and earlier, (4) Links 4.1.44 and earlier, and possibly (5) Classifieds before 4.1.30 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the TID parameter, as demonstrated by uploading a .jpg file containing PHP sequences.
13010 CVE-2008-3532 310 2008-08-08 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
The NSS plugin in libpurple in Pidgin 2.4.3 does not verify SSL certificates, which makes it easier for remote attackers to trick a user into accepting an invalid server certificate for a spoofed service.
13011 CVE-2008-3531 119 Overflow +Priv 2008-09-05 2017-08-07
6.9
None Local Medium Not required Complete Complete Complete
Stack-based buffer overflow in sys/kern/vfs_mount.c in the kernel in FreeBSD 7.0 and 7.1, when vfs.usermount is enabled, allows local users to gain privileges via a crafted (1) mount or (2) nmount system call, related to copying of "user defined data" in "certain error conditions."
13012 CVE-2008-3497 89 Exec Code Sql 2008-08-06 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in pages.php in MyPHP CMS 0.3.1 allows remote attackers to execute arbitrary SQL commands via the pid parameter.
13013 CVE-2008-3490 89 Exec Code Sql 2008-08-06 2017-09-28
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in members/mail.php in E-topbiz Online Dating 3 1.0 allows remote authenticated users to execute arbitrary SQL commands via the mail_id parameter in a veiw action.
13014 CVE-2008-3456 59 2008-08-04 2017-08-07
6.4
None Remote Low Not required None Partial Partial
phpMyAdmin before 2.11.8 does not sufficiently prevent its pages from using frames that point to pages in other domains, which makes it easier for remote attackers to conduct spoofing or phishing activities via a cross-site framing attack.
13015 CVE-2008-3452 89 Exec Code Sql 2008-08-04 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in the Calendar module in eNdonesia 8.4 allows remote attackers to execute arbitrary SQL commands via the loc_id parameter in a list_events action to mod.php.
13016 CVE-2008-3446 22 Dir. Trav. 2008-08-04 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
Directory traversal vulnerability in inc/wysiwyg.php in LetterIt 2 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the language parameter.
13017 CVE-2008-3432 119 Exec Code Overflow 2008-10-10 2018-10-11
6.8
None Remote Medium Not required Partial Partial Partial
Heap-based buffer overflow in the mch_expand_wildcards function in os_unix.c in Vim 6.2 and 6.3 allows user-assisted attackers to execute arbitrary code via shell metacharacters in filenames, as demonstrated by the netrw.v3 test case.
13018 CVE-2008-3429 119 DoS Exec Code Overflow 2008-07-31 2017-08-07
6.8
User Remote Medium Not required Partial Partial Partial
Buffer overflow in URI processing in HTTrack and WinHTTrack before 3.42-3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long URL.
13019 CVE-2008-3428 287 2008-07-31 2017-08-07
6.5
User Remote Low Single system Partial Partial Partial
Session fixation vulnerability in phpFreeChat 1.1 allows remote authenticated users to hijack web sessions by setting the session_id parameter to match the victim's nickid parameter.
13020 CVE-2008-3425 287 2008-07-31 2017-08-07
6.5
None Remote Low Single system Partial Partial Partial
Unspecified vulnerability in the Sun Java System Web Server 7.0 plugin in Sun N1 Service Provisioning System (SPS) 5.2 and 6.0 allows remote authenticated SPS users to gain administrative access to the web server via unknown attack vectors.
13021 CVE-2008-3408 119 1 Exec Code Overflow 2008-07-31 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
Stack-based buffer overflow in CoolPlayer 2.18, and possibly other versions, allows user-assisted remote attackers to execute arbitrary code via a crafted m3u file.
13022 CVE-2008-3405 22 Dir. Trav. 2008-07-31 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
Directory traversal vulnerability in index.php in Ricardo Amaral nzFotolog 0.4.1 allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the action_file parameter.
13023 CVE-2008-3399 94 Exec Code File Inclusion 2008-07-31 2018-10-11
6.8
None Remote Medium Not required Partial Partial Partial
PHP remote file inclusion vulnerability in activities/workflow-activities.php in XRMS CRM 1.99.2, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via the include_directory parameter.
13024 CVE-2008-3390 22 Dir. Trav. 2008-07-31 2018-10-11
6.8
None Remote Medium Not required Partial Partial Partial
Directory traversal vulnerability in libraries/general.init.php in Minishowcase Image Gallery 09b136, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the lang parameter.
13025 CVE-2008-3385 22 Dir. Trav. File Inclusion 2008-07-30 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
Directory traversal vulnerability in include/head_chat.inc.php in php Help Agent 1.0 and 1.1 Full allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the content parameter. NOTE: in some environments, this can be leveraged for remote file inclusion by using a UNC share pathname or an ftp, ftps, or ssh2.sftp URL.
13026 CVE-2008-3368 94 Exec Code File Inclusion 2008-07-30 2017-09-28
6.5
User Remote Low Single system Partial Partial Partial
PHP remote file inclusion vulnerability in tools/packages/import.php in ATutor 1.6.1 pl1 and earlier allows remote authenticated administrators to execute arbitrary PHP code via a URL in the type parameter.
13027 CVE-2008-3365 22 Dir. Trav. 2008-07-30 2018-10-11
6.8
User Remote Medium Not required Partial Partial Partial
Directory traversal vulnerability in index.php in Pixelpost 1.7.1 on Windows, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the language_full parameter.
13028 CVE-2008-3345 89 Exec Code Sql 2008-07-28 2017-08-07
6.8
User Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in staticpages/easyecards/index.php in MyioSoft EasyE-Cards 3.5 trial edition (tr) and 3.10a, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the sid parameter in a pickup action.
13029 CVE-2008-3339 200 +Info 2008-07-28 2017-08-07
6.8
User Remote Medium Not required Partial Partial Partial
search_result.cfm in Jobbex JobSite allows remote attackers to obtain sensitive information via unspecified vectors that reveal the installation path in an error message.
13030 CVE-2008-3337 20 2008-08-08 2017-08-07
6.4
None Remote Low Not required None Partial Partial
PowerDNS Authoritative Server before 2.9.21.1 drops malformed queries, which might make it easier for remote attackers to poison DNS caches of other products running on other servers, a different issue than CVE-2008-1447 and CVE-2008-3217.
13031 CVE-2008-3332 94 Exec Code 2008-07-27 2017-09-28
6.5
User Remote Low Single system Partial Partial Partial
Eval injection vulnerability in adm_config_set.php in Mantis before 1.1.2 allows remote authenticated administrators to execute arbitrary code via the value parameter.
13032 CVE-2008-3325 352 +Priv CSRF 2008-07-25 2018-11-01
6.0
User Remote Medium Single system Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in Moodle 1.6.x before 1.6.7 and 1.7.x before 1.7.5 allows remote attackers to modify profile settings and gain privileges as other users via a link or IMG tag to the user edit profile page.
13033 CVE-2008-3312 22 Dir. Trav. 2008-07-25 2017-08-07
6.8
None Remote Medium Not required Partial Partial Partial
Directory traversal vulnerability in lemon_includes/FCKeditor/editor/filemanager/browser/browser.php in Lemon CMS 1.10 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the dir parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. NOTE: this might be an issue in FCKeditor.
13034 CVE-2008-3308 94 Exec Code File Inclusion 2008-07-25 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
PHP remote file inclusion vulnerability in cuenta/cuerpo.php in C. Desseno YouTube Blog (ytb) 0.1, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the base_archivo parameter.
13035 CVE-2008-3303 264 Bypass 2008-07-25 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
admin/login.php in BilboBlog 0.2.1, when register_globals is enabled, allows remote attackers to bypass authentication and obtain administrative access via a direct request that sets the login, admin_login, password, and admin_passwd parameters.
13036 CVE-2008-3302 89 Exec Code Sql 2008-07-25 2017-09-28
6.0
None Remote Medium Single system Partial Partial Partial
SQL injection vulnerability in admin/delete.php in BilboBlog 0.2.1, when magic_quotes_gpc is disabled, allows remote authenticated administrators to execute arbitrary SQL commands via the num parameter.
13037 CVE-2008-3298 94 Exec Code 2008-07-25 2018-10-11
6.0
None Remote Medium Single system Partial Partial Partial
SocialEngine (SE) before 2.83 grants certain write privileges for templates, which allows remote authenticated administrators to execute arbitrary PHP code.
13038 CVE-2008-3292 287 +Priv Bypass 2008-07-24 2017-09-28
6.4
None Remote Low Not required Partial Partial None
constants.inc in EZWebAlbum 1.0 allows remote attackers to bypass authentication and gain administrator privileges by setting the photoalbumadmin cookie, as demonstrated via addpage.php.
13039 CVE-2008-3279 264 +Priv 2010-04-05 2017-09-28
6.9
None Local Medium Not required Complete Complete Complete
Untrusted search path vulnerability in libbrlttybba.so in brltty 3.7.2 allows local users to gain privileges via a crafted library, related to an incorrect RPATH setting.
13040 CVE-2008-3272 189 +Info 2008-08-08 2018-10-30
6.6
None Local Low Not required Complete None Complete
The snd_seq_oss_synth_make_info function in sound/core/seq/oss/seq_oss_synth.c in the sound subsystem in the Linux kernel before 2.6.27-rc2 does not verify that the device number is within the range defined by max_synthdev before returning certain data to the caller, which allows local users to obtain sensitive information.
13041 CVE-2008-3268 264 +Priv Bypass 2008-07-24 2017-08-07
6.8
None Remote Medium Not required Partial Partial Partial
Unspecified vulnerability in phpScheduleIt 1.2.0 through 1.2.9, when useLogonName is enabled, allows remote attackers with administrator email address knowledge to bypass restrictions and gain privileges via unspecified vectors related to login names. NOTE: some of these details are obtained from third party information.
13042 CVE-2008-3265 89 Exec Code Sql 2008-07-24 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in the DT Register (com_dtregister) 2.2.3 component for Joomla! allows remote attackers to execute arbitrary SQL commands via the eventId parameter in a pay_options action to index.php.
13043 CVE-2008-3254 89 Exec Code Sql 2008-07-22 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in index.php in preCMS 1 allows remote attackers to execute arbitrary SQL commands via the id parameter in a UserProfil action.
13044 CVE-2008-3234 264 2008-07-18 2017-09-28
6.5
User Remote Low Single system Partial Partial Partial
sshd in OpenSSH 4 on Debian GNU/Linux, and the 20070303 OpenSSH snapshot, allows remote authenticated users to obtain access to arbitrary SELinux roles by appending a :/ (colon slash) sequence, followed by the role name, to the username.
13045 CVE-2008-3229 119 Overflow +Priv 2008-07-18 2017-08-07
6.9
Admin Local Medium Not required Complete Complete Complete
Stack-based buffer overflow in op before Changeset 563, when xauth support is enabled, allows local users to gain privileges via a long XAUTHORITY environment variable.
13046 CVE-2008-3222 287 2008-07-18 2017-08-07
6.8
User Remote Medium Not required Partial Partial Partial
Session fixation vulnerability in Drupal 5.x before 5.9 and 6.x before 6.3, when contributed modules "terminate the current request during a login event," allows remote attackers to hijack web sessions via unknown vectors.
13047 CVE-2008-3220 352 CSRF 2008-07-18 2017-08-07
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in Drupal 5.x before 5.8 and 6.x before 6.3 allows remote attackers to perform administrative actions via vectors involving deletion of "translated strings."
13048 CVE-2008-3217 189 2008-07-18 2017-08-07
6.8
None Remote Medium Not required Partial Partial Partial
PowerDNS Recursor before 3.1.6 does not always use the strongest random number generator for source port selection, which makes it easier for remote attack vectors to conduct DNS cache poisoning. NOTE: this is related to incomplete integration of security improvements associated with addressing CVE-2008-1637.
13049 CVE-2008-3195 22 Dir. Trav. 2008-09-18 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
Directory traversal vulnerability in bin/configure in TWiki before 4.2.3, when a certain step in the installation guide is skipped, allows remote attackers to read arbitrary files via a query string containing a .. (dot dot) in the image variable, and execute arbitrary files via unspecified vectors.
13050 CVE-2008-3194 22 Dir. Trav. 2008-07-16 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
Multiple directory traversal vulnerabilities in data/inc/themes/predefined_variables.php in pluck 4.5.1 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the (1) langpref, (2) file, (3) blogpost, or (4) cat parameter.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.