CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 6 and 6.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
13301 CVE-2008-3368 94 Exec Code File Inclusion 2008-07-30 2017-09-28
6.5
User Remote Low Single system Partial Partial Partial
PHP remote file inclusion vulnerability in tools/packages/import.php in ATutor 1.6.1 pl1 and earlier allows remote authenticated administrators to execute arbitrary PHP code via a URL in the type parameter.
13302 CVE-2008-3365 22 Dir. Trav. 2008-07-30 2018-10-11
6.8
User Remote Medium Not required Partial Partial Partial
Directory traversal vulnerability in index.php in Pixelpost 1.7.1 on Windows, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the language_full parameter.
13303 CVE-2008-3345 89 Exec Code Sql 2008-07-28 2017-08-07
6.8
User Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in staticpages/easyecards/index.php in MyioSoft EasyE-Cards 3.5 trial edition (tr) and 3.10a, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the sid parameter in a pickup action.
13304 CVE-2008-3339 200 +Info 2008-07-28 2017-08-07
6.8
User Remote Medium Not required Partial Partial Partial
search_result.cfm in Jobbex JobSite allows remote attackers to obtain sensitive information via unspecified vectors that reveal the installation path in an error message.
13305 CVE-2008-3337 20 2008-08-08 2017-08-07
6.4
None Remote Low Not required None Partial Partial
PowerDNS Authoritative Server before 2.9.21.1 drops malformed queries, which might make it easier for remote attackers to poison DNS caches of other products running on other servers, a different issue than CVE-2008-1447 and CVE-2008-3217.
13306 CVE-2008-3332 94 Exec Code 2008-07-27 2017-09-28
6.5
User Remote Low Single system Partial Partial Partial
Eval injection vulnerability in adm_config_set.php in Mantis before 1.1.2 allows remote authenticated administrators to execute arbitrary code via the value parameter.
13307 CVE-2008-3325 352 +Priv CSRF 2008-07-25 2018-11-01
6.0
User Remote Medium Single system Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in Moodle 1.6.x before 1.6.7 and 1.7.x before 1.7.5 allows remote attackers to modify profile settings and gain privileges as other users via a link or IMG tag to the user edit profile page.
13308 CVE-2008-3312 22 Dir. Trav. 2008-07-25 2017-08-07
6.8
None Remote Medium Not required Partial Partial Partial
Directory traversal vulnerability in lemon_includes/FCKeditor/editor/filemanager/browser/browser.php in Lemon CMS 1.10 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the dir parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. NOTE: this might be an issue in FCKeditor.
13309 CVE-2008-3308 94 Exec Code File Inclusion 2008-07-25 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
PHP remote file inclusion vulnerability in cuenta/cuerpo.php in C. Desseno YouTube Blog (ytb) 0.1, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the base_archivo parameter.
13310 CVE-2008-3303 264 Bypass 2008-07-25 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
admin/login.php in BilboBlog 0.2.1, when register_globals is enabled, allows remote attackers to bypass authentication and obtain administrative access via a direct request that sets the login, admin_login, password, and admin_passwd parameters.
13311 CVE-2008-3302 89 Exec Code Sql 2008-07-25 2017-09-28
6.0
None Remote Medium Single system Partial Partial Partial
SQL injection vulnerability in admin/delete.php in BilboBlog 0.2.1, when magic_quotes_gpc is disabled, allows remote authenticated administrators to execute arbitrary SQL commands via the num parameter.
13312 CVE-2008-3298 94 Exec Code 2008-07-25 2018-10-11
6.0
None Remote Medium Single system Partial Partial Partial
SocialEngine (SE) before 2.83 grants certain write privileges for templates, which allows remote authenticated administrators to execute arbitrary PHP code.
13313 CVE-2008-3292 287 +Priv Bypass 2008-07-24 2017-09-28
6.4
None Remote Low Not required Partial Partial None
constants.inc in EZWebAlbum 1.0 allows remote attackers to bypass authentication and gain administrator privileges by setting the photoalbumadmin cookie, as demonstrated via addpage.php.
13314 CVE-2008-3279 264 +Priv 2010-04-05 2017-09-28
6.9
None Local Medium Not required Complete Complete Complete
Untrusted search path vulnerability in libbrlttybba.so in brltty 3.7.2 allows local users to gain privileges via a crafted library, related to an incorrect RPATH setting.
13315 CVE-2008-3272 189 +Info 2008-08-08 2018-10-30
6.6
None Local Low Not required Complete None Complete
The snd_seq_oss_synth_make_info function in sound/core/seq/oss/seq_oss_synth.c in the sound subsystem in the Linux kernel before 2.6.27-rc2 does not verify that the device number is within the range defined by max_synthdev before returning certain data to the caller, which allows local users to obtain sensitive information.
13316 CVE-2008-3268 264 +Priv Bypass 2008-07-24 2017-08-07
6.8
None Remote Medium Not required Partial Partial Partial
Unspecified vulnerability in phpScheduleIt 1.2.0 through 1.2.9, when useLogonName is enabled, allows remote attackers with administrator email address knowledge to bypass restrictions and gain privileges via unspecified vectors related to login names. NOTE: some of these details are obtained from third party information.
13317 CVE-2008-3265 89 Exec Code Sql 2008-07-24 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in the DT Register (com_dtregister) 2.2.3 component for Joomla! allows remote attackers to execute arbitrary SQL commands via the eventId parameter in a pay_options action to index.php.
13318 CVE-2008-3254 89 Exec Code Sql 2008-07-22 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in index.php in preCMS 1 allows remote attackers to execute arbitrary SQL commands via the id parameter in a UserProfil action.
13319 CVE-2008-3234 264 2008-07-18 2017-09-28
6.5
User Remote Low Single system Partial Partial Partial
sshd in OpenSSH 4 on Debian GNU/Linux, and the 20070303 OpenSSH snapshot, allows remote authenticated users to obtain access to arbitrary SELinux roles by appending a :/ (colon slash) sequence, followed by the role name, to the username.
13320 CVE-2008-3229 119 Overflow +Priv 2008-07-18 2017-08-07
6.9
Admin Local Medium Not required Complete Complete Complete
Stack-based buffer overflow in op before Changeset 563, when xauth support is enabled, allows local users to gain privileges via a long XAUTHORITY environment variable.
13321 CVE-2008-3222 287 2008-07-18 2017-08-07
6.8
User Remote Medium Not required Partial Partial Partial
Session fixation vulnerability in Drupal 5.x before 5.9 and 6.x before 6.3, when contributed modules "terminate the current request during a login event," allows remote attackers to hijack web sessions via unknown vectors.
13322 CVE-2008-3220 352 CSRF 2008-07-18 2017-08-07
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in Drupal 5.x before 5.8 and 6.x before 6.3 allows remote attackers to perform administrative actions via vectors involving deletion of "translated strings."
13323 CVE-2008-3217 189 2008-07-18 2017-08-07
6.8
None Remote Medium Not required Partial Partial Partial
PowerDNS Recursor before 3.1.6 does not always use the strongest random number generator for source port selection, which makes it easier for remote attack vectors to conduct DNS cache poisoning. NOTE: this is related to incomplete integration of security improvements associated with addressing CVE-2008-1637.
13324 CVE-2008-3195 22 Dir. Trav. 2008-09-18 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
Directory traversal vulnerability in bin/configure in TWiki before 4.2.3, when a certain step in the installation guide is skipped, allows remote attackers to read arbitrary files via a query string containing a .. (dot dot) in the image variable, and execute arbitrary files via unspecified vectors.
13325 CVE-2008-3194 22 Dir. Trav. 2008-07-16 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
Multiple directory traversal vulnerabilities in data/inc/themes/predefined_variables.php in pluck 4.5.1 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the (1) langpref, (2) file, (3) blogpost, or (4) cat parameter.
13326 CVE-2008-3192 22 Dir. Trav. 2008-07-16 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
Directory traversal vulnerability in index.php in jSite 1.0 OE allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the module parameter.
13327 CVE-2008-3191 89 Exec Code Sql 2008-07-16 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in usercp.php in mForum 0.1a, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) City, (2) Interest, (3) Email, (4) Icq, (5) msn, or (6) Yahoo Messenger field in an edit_profile action.
13328 CVE-2008-3190 22 Exec Code Dir. Trav. 2008-07-16 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
Directory traversal vulnerability in list.php in 1Scripts CodeDB 1.1.1 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the lang parameter.
13329 CVE-2008-3188 310 2008-07-22 2017-08-07
6.2
None Local High Not required Complete Complete Complete
libxcrypt in SUSE openSUSE 11.0 uses the DES algorithm when the configuration specifies the MD5 algorithm, which makes it easier for attackers to conduct brute-force attacks against hashed passwords.
13330 CVE-2008-3185 89 Exec Code Sql 2008-07-15 2018-10-11
6.8
User Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in index.php in Relative Real Estate Systems 3.0 and earlier allows remote attackers to execute arbitrary SQL commands via the listing_id parameter in a listings action.
13331 CVE-2008-3181 20 Exec Code 2008-07-15 2017-09-28
6.5
User Remote Low Single system Partial Partial Partial
Unrestricted file upload vulnerability in upload.php in ContentNow CMS 1.4.1 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in upload/.
13332 CVE-2008-3173 264 2008-07-14 2017-08-07
6.8
User Remote Medium Not required Partial Partial Partial
Microsoft Internet Explorer allows web sites to set cookies for domains that have a public suffix with more than one dot character, which could allow remote attackers to perform a session fixation attack and hijack a user's HTTP session, aka "Cross-Site Cooking." NOTE: this issue may exist because of an insufficient fix for CVE-2004-0866.
13333 CVE-2008-3172 264 2008-07-14 2017-08-07
6.8
None Remote Medium Not required Partial Partial Partial
Opera allows web sites to set cookies for country-specific top-level domains that have DNS A records, such as co.tv, which could allow remote attackers to perform a session fixation attack and hijack a user's HTTP session, aka "Cross-Site Cooking."
13334 CVE-2008-3170 264 2008-07-14 2017-08-07
6.8
None Remote Medium Not required Partial Partial Partial
Apple Safari allows web sites to set cookies for country-specific top-level domains, such as co.uk and com.au, which could allow remote attackers to perform a session fixation attack and hijack a user's HTTP session, aka "Cross-Site Cooking," a related issue to CVE-2004-0746, CVE-2004-0866, and CVE-2004-0867.
13335 CVE-2008-3165 22 Dir. Trav. 2008-07-14 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
Directory traversal vulnerability in rss.php in fuzzylime (cms) 3.01a and earlier, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the p parameter, as demonstrated using content.php, a different vector than CVE-2007-4805.
13336 CVE-2008-3163 22 Dir. Trav. 2008-07-14 2017-08-07
6.8
None Remote Medium Not required Partial Partial Partial
Directory traversal vulnerability in dodosmail.php in DodosMail 2.5 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the dodosmail_header_file parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
13337 CVE-2008-3158 264 2008-07-11 2017-08-07
6.9
None Local Medium Not required Complete Complete Complete
Unspecified vulnerability in NWFS.SYS in Novell Client for Windows 4.91 SP4 has unknown impact and attack vectors, possibly related to IOCTL requests that overwrite arbitrary memory.
13338 CVE-2008-3148 119 Exec Code Overflow 2008-07-11 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
Stack-based buffer overflow in (1) OllyDBG 1.10 and (2) ImpREC 1.7f allows user-assisted attackers to execute arbitrary code via a crafted DLL file that contains a long string.
13339 CVE-2008-3133 89 Exec Code Sql 2008-07-10 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in admin/index.php in BareNuked CMS 1.1.0, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the password parameter.
13340 CVE-2008-3131 89 Exec Code Sql 2008-07-10 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in chatbox.php in pSys 0.7.0 Alpha, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the showid parameter.
13341 CVE-2008-3127 20 Exec Code File Inclusion 2008-07-10 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
PHP remote file inclusion vulnerability in hioxBannerRotate.php in HIOX Banner Rotator (HBR) 1.3, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the hm parameter.
13342 CVE-2008-3126 119 Exec Code Overflow 2008-07-10 2017-08-07
6.5
None Remote Low Single system Partial Partial Partial
Multiple stack-based buffer overflows in the ServerView web interface (SnmpGetMibValues.exe) in Fujitsu Siemens Computers ServerView 04.60.07 and earlier allow remote authenticated users to execute arbitrary code via a crafted URL.
13343 CVE-2008-3122 89 Exec Code Sql 2008-07-10 2017-08-07
6.5
None Remote Low Single system Partial Partial Partial
Multiple SQL injection vulnerabilities in Xerox CentreWare Web (CWW) before 4.6.46 allow remote authenticated users to execute arbitrary SQL commands via the unspecified vectors.
13344 CVE-2008-3117 20 Exec Code 2008-07-10 2017-09-28
6.5
User Remote Low Single system Partial Partial Partial
Unrestricted file upload vulnerability in update_profile.php in PHPmotion 2.0 and earlier allows remote authenticated users to execute arbitrary code by uploading a .php file with a content type of (1) image/gif, (2) image/jpeg, or (3) image/pjpeg, then accessing it via a direct request to the file under pictures/.
13345 CVE-2008-3104 264 2008-07-09 2018-10-30
6.8
None Remote Medium Not required Partial Partial Partial
Multiple unspecified vulnerabilities in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 7, JDK and JRE 5.0 before Update 16, SDK and JRE 1.4.x before 1.4.2_18, and SDK and JRE 1.3.x before 1.3.1_23 allow remote attackers to violate the security model for an applet's outbound connections by connecting to localhost services running on the machine that loaded the applet.
13346 CVE-2008-3096 264 +Priv 2008-07-09 2017-08-07
6.5
None Remote Low Single system Partial Partial Partial
The Outline Designer module 5.x before 5.x-1.4 for Drupal changes each content reader's authentication level to match that of the content author, which might allow remote attackers to gain privileges.
13347 CVE-2008-3093 94 Exec Code 2008-07-09 2017-09-28
6.5
User Remote Low Single system Partial Partial Partial
Unrestricted file upload vulnerability in ImperialBB 2.3.5 and earlier allows remote authenticated users to upload and execute arbitrary PHP code by placing a .php filename in the Upload_Avatar parameter and sending the image/gif content type.
13348 CVE-2008-3092 89 Exec Code Sql 2008-07-09 2017-08-07
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in the Taxonomy Autotagger module 5.x before 5.x-1.8 for Drupal allows remote authenticated users, with create or edit post permissions, to execute arbitrary SQL commands via unspecified vectors.
13349 CVE-2008-3081 20 Exec Code 2008-07-08 2017-08-07
6.5
User Remote Low Single system Partial Partial Partial
Multiple unspecified "input validation" vulnerabilities in the Web management interface (aka Messaging Administration interface) in Avaya Message Storage Server (MSS) 3.x and 4.0, and possibly Communication Manager 3.1.x, allow remote authenticated administrators to execute arbitrary commands as user vexvm via vectors related to (1) SFTP Remote Store configuration; (2) remote FTP storage settings; (3) name server lookup; (4) pinging another host; (5) TCP/IP Networking parameter configuration; (6) the external hosts configuration main page; (7) adding and changing external hosts; (8) Windows domain parameter configuration; (9) date, time, and NTP server configuration; (10) alarm settings; (11) the command line history form; (12) the maintenance form; and (13) the server events form.
13350 CVE-2008-3035 89 Exec Code Sql 2008-07-07 2017-09-28
6.5
User Remote Low Single system Partial Partial Partial
SQL injection vulnerability in newThread.php in XchangeBoard 1.70 Final and earlier allows remote authenticated users to execute arbitrary SQL commands via the boardID parameter.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.