CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 6 and 6.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
13451 CVE-2008-0714 89 Exec Code Sql 2008-02-11 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in users.php in Mihalism Multi Host allows remote attackers to execute arbitrary SQL commands via the username parameter in a lost_password_go action.
13452 CVE-2008-0713 DoS 2008-05-13 2017-09-28
6.8
None Remote Low Single system None None Complete
Unspecified vulnerability in the FTP server for HP-UX B.11.11, B.11.23, and B.11.31 allows remote authenticated users to cause a denial of service (FTP server outage) via unknown attack vectors.
13453 CVE-2008-0712 Exec Code +Info 2008-04-25 2017-08-07
6.8
User Remote Medium Not required Partial Partial Partial
Unspecified vulnerability in the HP HPeDiag (aka eSupportDiagnostics) ActiveX control in hpediag.dll in HP Software Update 4.000.009.002 and earlier allows remote attackers to execute arbitrary code or obtain sensitive information via unspecified vectors. NOTE: this might overlap CVE-2007-6513.
13454 CVE-2008-0681 89 Exec Code Sql 2008-02-11 2018-10-15
6.8
User Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in index.php in PHPShop 0.8.1 allows remote attackers to execute arbitrary SQL commands via the product_id parameter, as demonstrated by a shop/flypage action.
13455 CVE-2008-0678 89 Exec Code Sql 2008-02-11 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in index.php in BlogPHP 2.0 allows remote attackers to execute arbitrary SQL commands via the id parameter in a page action.
13456 CVE-2008-0664 264 2008-02-07 2008-09-10
6.4
None Remote Low Not required Partial Partial None
The XML-RPC implementation (xmlrpc.php) in WordPress before 2.3.3, when registration is enabled, allows remote attackers to edit posts of other blog users via unknown vectors.
13457 CVE-2008-0661 119 Exec Code Overflow 2008-02-07 2018-10-15
6.8
User Remote Medium Not required Partial Partial Partial
Buffer overflow in dBpowerAMP Audio Player Release 2 allows remote attackers to execute arbitrary code via a .M3U file with a long URI. NOTE: this might be the same issue as CVE-2004-1569.
13458 CVE-2008-0648 94 Exec Code File Inclusion 2008-02-07 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
Multiple PHP remote file inclusion vulnerabilities in OpenSiteAdmin 0.9.1.1 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the path parameter to (1) indexFooter.php; and (2) DatabaseManager.php, (3) FieldManager.php, (4) Filter.php, (5) Form.php, (6) FormManager.php, (7) LoginManager.php, and (8) Filters/SingleFilter.php in scripts/classes/.
13459 CVE-2008-0633 119 DoS Overflow 2008-02-06 2018-10-15
6.0
None Remote Medium Single system Partial Partial Partial
Buffer overflow in Anon Proxy Server 0.102 and earlier, when user authentication is enabled, allows remote attackers to cause a denial of service (exception) via a user name with a large number of quotes, which triggers the overflow during escaping.
13460 CVE-2008-0630 119 Exec Code Overflow 2008-02-06 2008-09-05
6.8
User Remote Medium Not required Partial Partial Partial
Buffer overflow in url.c in MPlayer 1.0rc2 and SVN before r25823 allows remote attackers to execute arbitrary code via a crafted URL that prevents the IPv6 parsing code from setting a pointer to NULL, which causes the buffer to be reused by the unescape code.
13461 CVE-2008-0616 89 Exec Code Sql 2008-02-06 2018-10-15
6.5
User Remote Low Single system Partial Partial Partial
SQL injection vulnerability in the administration panel in the DMSGuestbook 1.7.0 plugin for WordPress allows remote authenticated administrators to execute arbitrary SQL commands via unspecified vectors. NOTE: it is not clear whether this issue crosses privilege boundaries.
13462 CVE-2008-0604 255 Bypass 2008-02-06 2008-09-05
6.8
User Remote Medium Not required Partial Partial Partial
The LDAP authentication feature in XLight FTP Server before 2.83, when used with some unspecified LDAP servers, does not check for blank passwords, which allows remote attackers to bypass intended access restrictions.
13463 CVE-2008-0602 22 Dir. Trav. 2008-02-06 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
Directory traversal vulnerability in index.php in All Club CMS (ACCMS) 0.0.1f and earlier allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the class_name parameter.
13464 CVE-2008-0585 264 2008-02-04 2017-08-07
6.6
None Local Low Not required Complete Complete None
sysmgt.websm.webaccess in IBM AIX 5.2 and 5.3 has world writable permissions for unspecified WebSM Remote Client files, which allows local users to "alter the behavior of" this client by overwriting these files.
13465 CVE-2008-0577 264 2008-02-04 2008-09-05
6.4
None Remote Low Not required Partial Partial None
The Project Issue Tracking module 5.x-2.x-dev before 20080130 in the 5.x-2.x series, 5.x-1.2 and earlier in the 5.x-1.x series, 4.7.x-2.6 and earlier in the 4.7.x-2.x series, and 4.7.x-1.6 and earlier in the 4.7.x-1.x series for Drupal (1) does not restrict the extensions of attached files when the Upload module is enabled for issue nodes, which allows remote attackers to upload and possibly execute arbitrary files; and (2) accepts the .html extension within the bundled file-upload functionality, which allows remote attackers to upload files containing arbitrary web script or HTML.
13466 CVE-2008-0572 94 Exec Code File Inclusion 2008-02-04 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
Multiple PHP remote file inclusion vulnerabilities in Mindmeld 1.2.0.10 allow remote attackers to execute arbitrary PHP code via a URL in the MM_GLOBALS[home] parameter to (1) acweb/admin_index.php; and (2) ask.inc.php, (3) learn.inc.php, (4) manage.inc.php, (5) mind.inc.php, and (6) sensory.inc.php in include/.
13467 CVE-2008-0569 264 Exec Code Bypass 2008-02-04 2009-09-16
6.4
None Remote Low Not required Partial Partial None
The Comment Upload 4.7.x before 4.7.x-0.1 and 5.x before 5.x-0.1 module for Drupal does not properly use functions in the upload module, which allows remote attackers to bypass upload validation, and upload arbitrary files and possibly execute arbitrary code, via unspecified vectors.
13468 CVE-2008-0566 94 Exec Code File Inclusion 2008-02-04 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
PHP remote file inclusion vulnerability in includes/smarty.php in DeltaScripts PHP Links 1.3 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the full_path_to_public_program parameter.
13469 CVE-2008-0565 89 Exec Code Sql 2008-02-04 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in vote.php in DeltaScripts PHP Links 1.3 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter.
13470 CVE-2008-0560 94 Exec Code File Inclusion 2008-02-04 2018-10-15
6.8
User Remote Medium Not required Partial Partial Partial
** DISPUTED ** PHP remote file inclusion vulnerability in cforms-css.php in Oliver Seidel cforms (contactforms), a Wordpress plugin, allows remote attackers to execute arbitrary PHP code via a URL in the tm parameter. NOTE: CVE disputes this issue for 7.3, since there is no tm parameter, and the code exits with a fatal error due to a call to an undefined function.
13471 CVE-2008-0554 119 DoS Exec Code Overflow 2008-02-07 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
Buffer overflow in the readImageData function in giftopnm.c in netpbm before 10.27 in netpbm before 10.27 allows remote user-assisted attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted GIF image, a similar issue to CVE-2006-4484.
13472 CVE-2008-0553 119 Exec Code Overflow 2008-02-07 2018-10-15
6.8
None Remote Medium Not required Partial Partial Partial
Stack-based buffer overflow in the ReadImage function in tkImgGIF.c in Tk (Tcl/Tk) before 8.5.1 allows remote attackers to execute arbitrary code via a crafted GIF image, a similar issue to CVE-2006-4484.
13473 CVE-2008-0538 89 Exec Code Sql 2008-02-01 2018-10-15
6.8
User Remote Medium Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in phpIP Management 4.3.2 allow remote attackers to execute arbitrary SQL commands via the (1) password parameter to login.php, the (2) id parameter to display.php, and unspecified other vectors. NOTE: some of these details are obtained from third party information.
13474 CVE-2008-0508 352 XSS CSRF 2008-01-31 2018-10-15
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in deans_permalinks_migration.php in the Dean's Permalinks Migration 1.0 plugin for WordPress allows remote attackers to modify the oldstructure (aka dean_pm_config[oldstructure]) configuration setting as administrators via the old_struct parameter in a deans_permalinks_migration.php action to wp-admin/options-general.php, as demonstrated by placing an XSS sequence in this setting.
13475 CVE-2008-0506 20 Exec Code 2008-01-31 2018-10-15
6.8
User Remote Medium Not required Partial Partial Partial
include/imageObjectIM.class.php in Coppermine Photo Gallery (CPG) before 1.4.15, when the ImageMagick picture processing method is configured, allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) quality, (2) angle, or (3) clipval parameter to picEditor.php.
13476 CVE-2008-0504 89 Exec Code Sql 2008-01-31 2018-10-16
6.5
User Remote Low Single system Partial Partial Partial
Multiple SQL injection vulnerabilities in Coppermine Photo Gallery (CPG) before 1.4.15 allow remote authenticated administrators to execute arbitrary SQL commands via the (1) albumid, (2) startpic, and (3) numpics parameters to util.php; and (4) cid_array parameter to reviewcom.php.
13477 CVE-2008-0503 94 Exec Code 2008-01-31 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
Eval injection vulnerability in admin/op/disp.php in Netwerk Smart Publisher 1.0.1 allows remote attackers to execute arbitrary PHP code via the filedata parameter.
13478 CVE-2008-0492 119 Exec Code Overflow 2008-01-30 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
Stack-based buffer overflow in the Persits.XUpload.2 ActiveX control in XUpload.ocx 3.0.0.4 and earlier in Persits XUpload 3.0 allows remote attackers to execute arbitrary code via a long argument to the AddFile method. NOTE: some of these details are obtained from third party information.
13479 CVE-2008-0478 22 Dir. Trav. 2008-01-29 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
Directory traversal vulnerability in index.php in SetCMS 3.6.5 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the set parameter, as demonstrated by sending a certain CLIENT_IP HTTP header in an enter action to index.php, and injecting PHP sequences into files/enter.set, which is then included by index.php.
13480 CVE-2008-0476 287 +Info 2008-01-29 2017-08-07
6.4
None Remote Low Not required Partial Partial None
ManageEngine Applications Manager 8.1 build 8100 does not check authentication for monitorType.do and unspecified other pages, which allows remote attackers to obtain sensitive information and change settings via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
13481 CVE-2008-0473 20 2008-01-29 2018-10-15
6.4
None Remote Low Not required Partial Partial None
RTE_popup_save_file.asp in Web Wiz Rich Text Editor 4.0 allows remote attackers to upload (1) .html and (2) .htm files via unspecified vectors.
13482 CVE-2008-0461 89 Exec Code Sql 2008-01-25 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in index.php in the Search module in PHP-Nuke 8.0 FINAL and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the sid parameter in a comments action to modules.php. NOTE: some of these details are obtained from third party information.
13483 CVE-2008-0459 22 Dir. Trav. 2008-01-25 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
Directory traversal vulnerability in update/index.php in Liquid-Silver CMS 0.35, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the update parameter.
13484 CVE-2008-0458 22 Dir. Trav. 2008-01-25 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
Directory traversal vulnerability in function/sources.php in SLAED CMS 2.5 Lite allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the newlang parameter to index.php.
13485 CVE-2008-0453 89 Exec Code Sql 2008-01-24 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in list.php in Easysitenetwork Recipe allows remote attackers to execute arbitrary SQL commands via the categoryid parameter.
13486 CVE-2008-0423 94 Exec Code File Inclusion 2008-01-23 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
Multiple PHP remote file inclusion vulnerabilities in Lama Software allow remote attackers to execute arbitrary PHP code via a URL in the MY_CONF[classRoot] parameter to (1) inc.steps.access_error.php, (2) inc.steps.check_login.php, or (3) inc.steps.init_system.php in admin/functions/.
13487 CVE-2008-0411 119 Exec Code Overflow 2008-02-28 2018-10-15
6.8
User Remote Medium Not required Partial Partial Partial
Stack-based buffer overflow in the zseticcspace function in zicc.c in Ghostscript 8.61 and earlier allows remote attackers to execute arbitrary code via a postscript (.ps) file containing a long Range array in a .seticcspace operator.
13488 CVE-2008-0408 287 2008-01-28 2018-10-15
6.4
None Remote Low Not required Partial Partial None
HTTP File Server (HFS) before 2.2c allows remote attackers to append arbitrary text to the log file by using the base64 representation of this text during HTTP Basic Authentication.
13489 CVE-2008-0402 264 Bypass 2008-01-23 2017-08-07
6.0
User Remote Medium Single system Partial Partial Partial
Unspecified vulnerability in IBM WebSphere Business Modeler Basic and Advanced 6.0.2.1 before Interim Fix 11 allows remote authenticated users to bypass intended access restrictions and delete unspecified repository resources via unknown vectors, even when they are not administrators or members of the repository's owning group.
13490 CVE-2008-0399 119 Exec Code Overflow 2008-01-23 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
Multiple buffer overflows in Toshiba Surveillance (Surveillix) RecordSend ActiveX control (MeIpCamX.DLL 1.0.0.4) allow remote attackers to execute arbitrary code via long arguments to the (1) SetPort and (2) SetIpAddress methods.
13491 CVE-2008-0397 89 Exec Code Sql 2008-01-23 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in aflog 1.01, and possibly earlier versions, allow remote attackers to execute arbitrary SQL commands via (1) the id parameter to comments.php and (2) an unspecified parameter to view.php.
13492 CVE-2008-0388 89 Exec Code Sql 2008-01-22 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in the WP-Forum 1.7.4 plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the user parameter in a showprofile action to the default URI.
13493 CVE-2008-0386 20 Exec Code 2008-02-04 2008-09-05
6.8
User Remote Medium Not required Partial Partial Partial
Xdg-utils 1.0.2 and earlier allows user-assisted remote attackers to execute arbitrary commands via shell metacharacters in a URL argument to (1) xdg-open or (2) xdg-email.
13494 CVE-2008-0378 119 DoS Exec Code Overflow 2008-01-22 2018-10-15
6.8
User Remote Medium Not required Partial Partial Partial
Stack-based buffer overflow in SocksCap 2.40-051231 and earlier, when "Resolve all names remotely" is enabled, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long hostname.
13495 CVE-2008-0376 94 Exec Code File Inclusion 2008-01-22 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
PHP remote file inclusion vulnerability in inc/linkbar.php in Small Axe Weblog 0.3.1 allows remote attackers to execute arbitrary PHP code via a URL in the cfile parameter.
13496 CVE-2008-0371 89 Exec Code Sql 2008-01-22 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in aliTalk 1.9.1.1, when magic_quotes_gpc is disabled, allow remote authenticated users to execute arbitrary SQL commands via (1) the mohit parameter to (a) inc/receivertwo.php; and allow remote attackers to execute arbitrary SQL commands via (2) the id parameter to (b) inc/usercp.php, related to functionz/usercp.php; or (3) the username parameter to (c) admin/index.php, related to functionz/first_process.php, or (d) index.php. NOTE: some of these details are obtained from third party information.
13497 CVE-2008-0369 2008-01-18 2017-08-07
6.9
None Local Medium Not required Complete Complete Complete
Multiple unspecified programs in IBM Informix Dynamic Server (IDS) 10.x before 10.00.xC8 allow local users to create arbitrary files by specifying the target file in the SQLIDEBUG environment variable, whose ownership is changed to the user invoking the programs.
13498 CVE-2008-0358 89 Exec Code Sql 2008-01-18 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in index.php in Pixelpost 1.7 allows remote attackers to execute arbitrary SQL commands via the parent_id parameter.
13499 CVE-2008-0313 Exec Code 2008-04-08 2017-08-07
6.8
User Remote Medium Not required Partial Partial Partial
The ActiveDataInfo.LaunchProcess method in the SymAData.ActiveDataInfo.1 ActiveX control 2.7.0.1 in SYMADATA.DLL in multiple Symantec Norton products including Norton 360 1.0, AntiVirus 2006 through 2008, Internet Security 2006 through 2008, and System Works 2006 through 2008, does not properly determine the location of the AutoFix Tool, which allows remote attackers to execute arbitrary code via a remote (1) WebDAV or (2) SMB share.
13500 CVE-2008-0310 22 Dir. Trav. 2008-04-07 2017-09-28
6.9
Admin Local Medium Not required Complete Complete Complete
Directory traversal vulnerability in pkgadd in SCO UnixWare 7.1.4 before p534589 allows local users to create or append to arbitrary files via ".." sequences in an unspecified environment variable, probably PKGINST.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.