CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 8 and 10)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
13351 CVE-2008-2894 22 Dir. Trav. 2008-06-27 2017-08-07
9.3
None Remote Medium Not required Complete Complete Complete
Directory traversal vulnerability in the FTP client in NCH Software Classic FTP 1.02 for Windows allows remote FTP servers to create or overwrite arbitrary files via a .. (dot dot) in a response to a LIST command, a related issue to CVE-2002-1345.
13352 CVE-2008-2888 94 Exec Code File Inclusion 2008-06-27 2017-09-28
10.0
None Remote Low Not required Complete Complete Complete
Multiple PHP remote file inclusion vulnerabilities in MiGCMS 2.0.5, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the GLOBALS[application][app_root] parameter to (1) collection.class.php and (2) content_image.class.php in lib/obj/.
13353 CVE-2008-2886 94 Exec Code File Inclusion 2008-06-27 2017-09-28
9.3
None Remote Medium Not required Complete Complete Complete
PHP remote file inclusion vulnerability in include/plugins/jrBrowser/purchase.php in Jamroom 3.3.0 through 3.3.5, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the jamroom[jm_dir] parameter.
13354 CVE-2008-2885 94 Exec Code File Inclusion 2008-06-27 2017-09-28
9.3
Admin Remote Medium Not required Complete Complete Complete
PHP remote file inclusion vulnerability in src/browser/resource/categories/resource_categories_view.php in Open Digital Assets Repository System (ODARS) 1.0.2, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the CLASSES_ROOT parameter.
13355 CVE-2008-2884 94 Exec Code File Inclusion 2008-06-27 2018-10-11
9.3
None Remote Medium Not required Complete Complete Complete
PHP remote file inclusion vulnerability in display.php in RSS-aggregator allows remote attackers to execute arbitrary PHP code via a URL in the path parameter. NOTE: some of these details are obtained from third party information.
13356 CVE-2008-2880 119 Exec Code Overflow 2008-06-26 2017-08-07
9.3
Admin Remote Medium Not required Complete Complete Complete
Heap-based buffer overflow in the IBM AFP Viewer Plug-in 2.0.7.1 and 3.2.1.1 allows remote attackers to execute arbitrary code via a long SRC property value. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
13357 CVE-2008-2851 119 Overflow 2008-06-25 2017-08-07
10.0
Admin Remote Low Not required Complete Complete Complete
Multiple buffer overflows in OFF System before 0.19.14 allow remote attackers to have an unknown impact via unspecified vectors related to "parsing of http headers."
13358 CVE-2008-2833 287 Bypass 2008-06-24 2017-09-28
10.0
Admin Remote Low Not required Complete Complete Complete
admin/upload.php in le.cms 1.4 and earlier allows remote attackers to bypass administrative authentication, and upload and execute arbitrary files in images/, via a nonzero value for the submit0 parameter in conjunction with filenames in the filename and upload parameters.
13359 CVE-2008-2832 94 Exec Code 2008-06-24 2017-09-28
10.0
Admin Remote Low Not required Complete Complete Complete
Unrestricted file upload vulnerability in calendar_admin.asp in Full Revolution aspWebCalendar 2008 allows remote attackers to upload and execute arbitrary code via the FILE1 parameter in an uploadfileprocess action, probably followed by a direct request to the file in calendar/eventimages/.
13360 CVE-2008-2828 119 DoS Exec Code Overflow 2008-06-23 2017-08-07
10.0
None Remote Low Not required Complete Complete Complete
Stack-based buffer overflow in tmsnc allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an MSN packet with a UBX command containing a large UBX payload length field.
13361 CVE-2008-2824 264 2008-06-23 2017-08-07
10.0
Admin Remote Low Not required Complete Complete Complete
Unspecified vulnerability in the Extensible Interface Platform in Web Services in Xerox WorkCentre 7655, 7665, and 7675 allows remote attackers to make configuration changes via unknown vectors.
13362 CVE-2008-2822 22 Dir. Trav. 2008-06-23 2017-08-07
9.3
None Remote Medium Not required Complete Complete Complete
Multiple directory traversal vulnerabilities in the FTP client in 3D-FTP Client 8.01 (8.0 build 1) allow remote FTP servers to create or overwrite arbitrary files via a .. (dot dot) in a response to a (1) LIST or (2) MLSD command.
13363 CVE-2008-2821 22 Dir. Trav. 2008-06-23 2017-08-07
9.3
None Remote Medium Not required Complete Complete Complete
Directory traversal vulnerability in the FTP client in Glub Tech Secure FTP before 2.5.16 on Windows allows remote FTP servers to create or overwrite arbitrary files via a ..\ (dot dot backslash) in a response to a LIST command, a related issue to CVE-2002-1345.
13364 CVE-2008-2811 399 DoS Exec Code Overflow 2008-07-07 2018-10-11
10.0
None Remote Low Not required Complete Complete Complete
The block reflow implementation in Mozilla Firefox before 2.0.0.15, Thunderbird 2.0.0.14 and earlier, and SeaMonkey before 1.1.10 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via an image whose display requires more pixels than nscoord_MAX, related to nsBlockFrame::DrainOverflowLines.
13365 CVE-2008-2799 399 DoS Exec Code 2008-07-07 2018-10-11
10.0
None Remote Low Not required Complete Complete Complete
Multiple unspecified vulnerabilities in Mozilla Firefox before 2.0.0.15, Thunderbird 2.0.0.14 and earlier, and SeaMonkey before 1.1.10 allow remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via unknown vectors related to the JavaScript engine.
13366 CVE-2008-2798 399 DoS Exec Code 2008-07-07 2018-10-11
10.0
None Remote Low Not required Complete Complete Complete
Multiple unspecified vulnerabilities in Mozilla Firefox before 2.0.0.15, Thunderbird 2.0.0.14 and earlier, and SeaMonkey before 1.1.10 allow remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via unknown vectors related to the layout engine.
13367 CVE-2008-2786 119 Overflow 2008-06-19 2017-08-07
10.0
None Remote Low Not required Complete Complete Complete
Buffer overflow in Firefox 3.0 and 2.0.x has unknown impact and attack vectors. NOTE: due to lack of details as of 20080619, it is not clear whether this is the same issue as CVE-2008-2785. A CVE identifier has been assigned for tracking purposes.
13368 CVE-2008-2785 189 Exec Code Overflow 2008-06-19 2018-10-11
9.3
Admin Remote Medium Not required Complete Complete Complete
Mozilla Firefox before 2.0.0.16 and 3.x before 3.0.1, Thunderbird before 2.0.0.16, and SeaMonkey before 1.1.11 use an incorrect integer data type as a CSS object reference counter in the CSSValue array (aka nsCSSValue:Array) data structure, which allows remote attackers to execute arbitrary code via a large number of references to a common CSS object, leading to a counter overflow and a free of in-use memory, aka ZDI-CAN-349.
13369 CVE-2008-2779 22 Exec Code Dir. Trav. 2008-06-19 2017-08-07
9.3
None Remote Medium Not required Complete Complete Complete
Directory traversal vulnerability in GlobalSCAPE CuteFTP Home 8.2.0 Build 02.26.2008.4 and CuteFTP Pro 8.2.0 Build 04.01.2008.1 allows remote FTP servers to create or overwrite arbitrary files via ..\ (dot dot backslash) sequences in responses to LIST commands, a related issue to CVE-2002-1345. NOTE: this can be leveraged for code execution by writing to a Startup folder.
13370 CVE-2008-2745 119 Exec Code Overflow 2008-06-17 2017-09-28
9.3
None Remote Medium Not required Complete Complete Complete
Stack-based buffer overflow in BiAnno ActiveX Control (BiAnno.ocx) in Black Ice Software Annotation Plugin 10.95 allows remote attackers to execute arbitrary code via a long parameter to the AnnoSaveToTiff method.
13371 CVE-2008-2712 20 Exec Code 2008-06-16 2018-11-01
9.3
None Remote Medium Not required Complete Complete Complete
Vim 7.1.314, 6.4, and other versions allows user-assisted remote attackers to execute arbitrary commands via Vim scripts that do not properly sanitize inputs before invoking the execute or system functions, as demonstrated using (1) filetype.vim, (3) xpm.vim, (4) gzip_vim, and (5) netrw. NOTE: the originally reported version was 7.1.314, but the researcher actually found this set of issues in 7.1.298. NOTE: the zipplugin issue (originally vector 2 in this identifier) has been subsumed by CVE-2008-3075.
13372 CVE-2008-2705 287 Bypass 2008-06-16 2017-08-07
9.3
Admin Remote Medium Not required Complete Complete Complete
Unspecified vulnerability in Sun Java System Access Manager (AM) 7.1, when used with certain versions and configurations of Sun Directory Server Enterprise Edition (DSEE), allows remote attackers to bypass authentication via unspecified vectors.
13373 CVE-2008-2703 119 Exec Code Overflow 2008-06-13 2018-10-11
10.0
Admin Remote Low Not required Complete Complete Complete
Multiple stack-based buffer overflows in Novell GroupWise Messenger (GWIM) Client before 2.0.3 HP1 for Windows allow remote attackers to execute arbitrary code via "spoofed server responses" that contain a long string after the NM_A_SZ_TRANSACTION_ID field name.
13374 CVE-2008-2702 22 Exec Code Dir. Trav. 2008-06-13 2017-11-22
9.3
None Remote Medium Not required Complete Complete Complete
Directory traversal vulnerability in the FTP client in ALTools ESTsoft ALFTP 4.1 beta 2 and 5.0 allows remote FTP servers to create or overwrite arbitrary files via a .. (dot dot) in a response to a LIST command, a related issue to CVE-2002-1345. NOTE: this can be leveraged for code execution by writing to a Startup folder.
13375 CVE-2008-2693 119 Exec Code Overflow 2008-06-13 2017-09-28
9.3
None Remote Medium Not required Complete Complete Complete
Stack-based buffer overflow in the BITIFF.BITiffCtrl.1 ActiveX control in BITiff.ocx 10.9.3.0 in Black Ice Barcode SDK 5.01 allows remote attackers to execute arbitrary code via a long first argument to the SetByteOrder method.
13376 CVE-2008-2690 94 Exec Code File Inclusion 2008-06-13 2017-08-07
9.3
None Remote Medium Not required Complete Complete Complete
Multiple PHP remote file inclusion vulnerabilities in BrowserCRM 5.002.00, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the bcrm_pub_root parameter to (1) kb.php, (2) login.php, (3) index.php, (4) contact_view.php, and (5) contact.php in pub/, different vectors than CVE-2008-2689. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
13377 CVE-2008-2689 94 Exec Code File Inclusion 2008-06-13 2017-09-28
10.0
None Remote Low Not required Complete Complete Complete
PHP remote file inclusion vulnerability in pub/clients.php in BrowserCRM 5.002.00 allows remote attackers to execute arbitrary PHP code via a URL in the bcrm_pub_root parameter.
13378 CVE-2008-2684 94 Exec Code Mem. Corr. 2008-06-12 2017-09-28
9.3
Admin Remote Medium Not required Complete Complete Complete
The BIDIB.BIDIBCtrl.1 ActiveX control in BIDIB.ocx 10.9.3.0 in Black Ice Barcode SDK 5.01 allows remote attackers to execute arbitrary code via long strings in the two arguments to the DownloadImageFileURL method, which trigger memory corruption. NOTE: some of these details are obtained from third party information.
13379 CVE-2008-2683 20 1 2008-06-12 2017-09-28
9.3
None Remote Medium Not required Complete Complete Complete
The BIDIB.BIDIBCtrl.1 ActiveX control in BIDIB.ocx 10.9.3.0 in Black Ice Barcode SDK 5.01 allows remote attackers to force the download and storage of arbitrary files by specifying the origin URL in the first argument to the DownloadImageFileURL method, and the local filename in the second argument. NOTE: some of these details are obtained from third party information.
13380 CVE-2008-2663 190 DoS Exec Code Overflow 2008-06-24 2018-11-01
10.0
None Remote Low Not required Complete Complete Complete
Multiple integer overflows in the rb_ary_store function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, and 1.8.7 before 1.8.7-p22 allow context-dependent attackers to execute arbitrary code or cause a denial of service via unknown vectors, a different issue than CVE-2008-2662, CVE-2008-2664, and CVE-2008-2725. NOTE: as of 20080624, there has been inconsistent usage of multiple CVE identifiers related to Ruby. The CVE description should be regarded as authoritative, although it is likely to change.
13381 CVE-2008-2662 189 DoS Exec Code Overflow Mem. Corr. 2008-06-24 2018-11-01
10.0
Admin Remote Low Not required Complete Complete Complete
Multiple integer overflows in the rb_str_buf_append function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2 allow context-dependent attackers to execute arbitrary code or cause a denial of service via unknown vectors that trigger memory corruption, a different issue than CVE-2008-2663, CVE-2008-2664, and CVE-2008-2725. NOTE: as of 20080624, there has been inconsistent usage of multiple CVE identifiers related to Ruby. This CVE description should be regarded as authoritative, although it is likely to change.
13382 CVE-2008-2654 189 Exec Code Overflow 2008-06-13 2017-08-07
10.0
None Remote Low Not required Complete Complete Complete
Off-by-one error in the read_client function in webhttpd.c in Motion 3.2.10 and earlier might allow remote attackers to execute arbitrary code via a long request to a Motion HTTP Control interface, which triggers a stack-based buffer overflow with some combinations of processor architecture and compiler.
13383 CVE-2008-2641 DoS Exec Code 2008-06-25 2017-08-07
10.0
None Remote Low Not required Complete Complete Complete
Unspecified vulnerability in Adobe Reader and Acrobat 7.0.9 and earlier, and 8.0 through 8.1.2, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unknown vectors, related to an "input validation issue in a JavaScript method."
13384 CVE-2008-2638 94 2008-06-09 2017-09-28
10.0
None Remote Low Not required Complete Complete Complete
Static code injection vulnerability in guestbook.php in 1Book 1.0.1 and earlier allows remote attackers to upload arbitrary PHP code via the message parameter in an HTML webform, which is written to data.php.
13385 CVE-2008-2635 22 Exec Code Dir. Trav. 2008-06-09 2017-08-07
9.3
None Remote Medium Not required Complete Complete Complete
Multiple directory traversal vulnerabilities in BitKinex 2.9.3 allow remote FTP and WebDAV servers to create or overwrite arbitrary files via a .. (dot dot) in (1) a response to a LIST command from the BitKinex FTP client and (2) a response to a PROPFIND command from the BitKinex WebDAV client. NOTE: this can be leveraged for code execution by writing to a Startup folder.
13386 CVE-2008-2573 119 Exec Code Overflow 2008-06-06 2018-10-11
8.5
Admin Remote Medium Single system Complete Complete Complete
Stack-based buffer overflow in SFTP in freeSSHd 1.2.1 allows remote authenticated users to execute arbitrary code via a long directory name in an SSH_FXP_OPENDIR (aka opendir) command.
13387 CVE-2008-2570 2008-06-06 2017-08-07
9.3
Admin Remote Medium Not required Complete Complete Complete
Multiple unspecified vulnerabilities in LimeSurvey (formerly PHPSurveyor) before 1.71 have unknown impact and attack vectors.
13388 CVE-2008-2551 264 2008-06-04 2018-10-11
9.3
Admin Remote Medium Not required Complete Complete Complete
The DownloaderActiveX Control (DownloaderActiveX.ocx) in Icona SpA C6 Messenger 1.0.0.1 allows remote attackers to force the download and execution of arbitrary files via a URL in the propDownloadUrl parameter with the propPostDownloadAction parameter set to "run."
13389 CVE-2008-2548 119 Exec Code Overflow Mem. Corr. 2008-06-04 2018-10-11
9.3
None Remote Medium Not required Complete Complete Complete
Stack-based buffer overflow in the JPEG thumbprint component in the EXIF parser on Motorola cell phones with RAZR firmware allows user-assisted remote attackers to execute arbitrary code via an MMS transmission of a malformed JPEG image, which triggers memory corruption.
13390 CVE-2008-2547 119 Exec Code Overflow 2008-06-04 2018-10-11
9.3
None Remote Medium Not required Complete Complete Complete
Stack-based buffer overflow in msiexec.exe 3.1.4000.1823 and 4.5.6001.22159 in Microsoft Windows Installer allows context-dependent attackers to execute arbitrary code via a long GUID value for the /x (aka /uninstall) option. NOTE: this issue might cross privilege boundaries if msiexec.exe is reachable via components such as ActiveX controls, and might additionally require a separate vulnerability in the control.
13391 CVE-2008-2545 20 Exec Code Bypass 2008-06-06 2017-08-07
9.3
Admin Remote Medium Not required Complete Complete Complete
Skype 3.6.0.248, and other versions before 3.8.0.139, uses a case-sensitive comparison when checking for dangerous extensions, which allows user-assisted remote attackers to bypass warning dialogs and possibly execute arbitrary code via a file: URI with a dangerous extension that uses a different case.
13392 CVE-2008-2541 119 DoS Exec Code Overflow 2008-06-04 2018-10-11
10.0
Admin Remote Low Not required Complete Complete Complete
Multiple stack-based buffer overflows in the HTTP Gateway Service (icihttp.exe) in CA eTrust Secure Content Manager 8.0 allow remote attackers to execute arbitrary code or cause a denial of service via long FTP responses, related to (1) the file month field in a LIST command; (2) the PASV command; and (3) directories, files, and links in a LIST command.
13393 CVE-2008-2540 264 Exec Code 2008-06-03 2018-10-12
9.3
Admin Remote Medium Not required Complete Complete Complete
Apple Safari on Mac OS X, and before 3.1.2 on Windows, does not prompt the user before downloading an object that has an unrecognized content type, which allows remote attackers to place malware into the (1) Desktop directory on Windows or (2) Downloads directory on Mac OS X, and subsequently allows remote attackers to execute arbitrary code on Windows by leveraging an untrusted search path vulnerability in (a) Internet Explorer 7 on Windows XP or (b) the SearchPath function in Windows XP, Vista, and Server 2003 and 2008, aka a "Carpet Bomb" and a "Blended Threat Elevation of Privilege Vulnerability," a different issue than CVE-2008-1032. NOTE: Apple considers this a vulnerability only because the Microsoft products can load application libraries from the desktop and, as of 20080619, has not covered the issue in an advisory for Mac OS X.
13394 CVE-2008-2528 287 Bypass 2008-06-03 2017-08-07
10.0
None Remote Low Not required Complete Complete Complete
Unspecified vulnerability in Citrix Access Gateway Standard Edition 4.5.7 and earlier and Advanced Edition 4.5 HF2 and earlier allows attackers to bypass authentication and gain "access to network resources" via unspecified vectors.
13395 CVE-2008-2511 22 Exec Code Dir. Trav. 2008-06-02 2018-10-11
9.3
None Remote Medium Not required Complete Complete Complete
Directory traversal vulnerability in the UmxEventCli.CachedAuditDataList.1 (aka UmxEventCliLib) ActiveX control in UmxEventCli.dll in CA Internet Security Suite 2008 allows remote attackers to create and overwrite arbitrary files via a .. (dot dot) in the argument to the SaveToFile method. NOTE: this can be leveraged for code execution by writing to a Startup folder. NOTE: some of these details are obtained from third party information.
13396 CVE-2008-2503 119 Overflow 2008-05-29 2017-08-07
9.3
Admin Remote Medium Not required Complete Complete Complete
Buffer overflow in Uploadlist in eMule X-Ray before 1.4 has unknown impact and remote attack vectors.
13397 CVE-2008-2486 2008-05-28 2017-08-07
10.0
Admin Remote Low Not required Complete Complete Complete
Unspecified vulnerability in eMule Plus before 1.2d has unknown impact and attack vectors related to "staticservers.dat processing."
13398 CVE-2008-2481 94 Exec Code File Inclusion 2008-05-28 2017-09-28
10.0
Admin Remote Low Not required Complete Complete Complete
PHP remote file inclusion vulnerability in authentication/phpbb3/phpbb3.functions.php in phpRaider 1.0.7 and 1.0.7a, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the pConfig_auth[phpbb_path] parameter.
13399 CVE-2008-2480 94 Exec Code File Inclusion 2008-05-28 2017-09-28
10.0
Admin Remote Low Not required Complete Complete Complete
PHP remote file inclusion vulnerability in plus.php in plusPHP Short URL Multi-User Script 1.6 allows remote attackers to execute arbitrary PHP code via a URL in the _pages_dir parameter.
13400 CVE-2008-2478 94 Exec Code 2008-05-28 2018-10-11
8.5
Admin Remote Medium Single system Complete Complete Complete
** DISPUTED ** scripts/wwwacct in cPanel 11.18.6 STABLE and earlier and 11.23.1 CURRENT and earlier allows remote authenticated users with reseller privileges to execute arbitrary code via shell metacharacters in the Email address field (aka Email text box). NOTE: the vendor disputes this, stating "I'm unable to reproduce such an issue on multiple servers running different versions of cPanel."
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.