CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 6 and 6.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
13551 CVE-2008-3852 264 Exec Code 2008-08-28 2018-10-11
6.5
None Remote Low Single system Partial Partial Partial
Unspecified vulnerability in the CLR stored procedure deployment from IBM Database Add-Ins for Visual Studio in the Visual Studio Net component in IBM DB2 9.1 before Fixpak 5 and 9.5 before Fixpak 2 allows remote authenticated users to execute arbitrary code via unknown vectors.
13552 CVE-2008-3820 2009-01-22 2017-08-07
6.8
User Remote Medium Not required Partial Partial Partial
Cisco Security Manager 3.1 and 3.2 before 3.2.2, when Cisco IPS Event Viewer (IEV) is used, exposes TCP ports used by the MySQL daemon and IEV server, which allows remote attackers to obtain "root access" to IEV via unspecified use of TCP sessions to these ports.
13553 CVE-2008-3794 189 Exec Code Overflow Bypass 2008-08-26 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
Integer signedness error in the mms_ReceiveCommand function in modules/access/mms/mmstu.c in VLC Media Player 0.8.6i allows remote attackers to execute arbitrary code via a crafted mmst link with a negative size value, which bypasses a size check and triggers an integer overflow followed by a heap-based buffer overflow.
13554 CVE-2008-3788 89 1 Exec Code Sql 2008-08-26 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in PICTURESPRO Photo Cart 3.9, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) qtitle, (2) qid, and (3) qyear parameters to (a) search.php, and the (4) email and (5) password parameters to (b) _login.php.
13555 CVE-2008-3783 89 Exec Code Sql 2008-08-26 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in index.php in Matterdaddy Market 1.1, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) category and (2) type parameters.
13556 CVE-2008-3770 22 Dir. Trav. 2008-08-22 2018-10-11
6.8
None Remote Medium Not required Partial Partial Partial
Multiple directory traversal vulnerabilities in Freeway 1.4.1.171, when register_globals is enabled, allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the language parameter to (1) includes/events_application_top.php; (2) english/account.php, (3) french/account.php, and (4) french/account_newsletters.php in includes/languages/; (5) includes/modules/faqdesk/faqdesk_article_require.php; (6) includes/modules/newsdesk/newsdesk_article_require.php; (7) card1.php, (8) loginbox.php, and (9) whos_online.php in templates/Freeway/boxes/; and (10) templates/Freeway/mainpage_modules/mainpage.php. NOTE: vector 1 may be the same as CVE-2008-3677.
13557 CVE-2008-3769 94 Exec Code File Inclusion 2008-08-22 2018-10-11
6.8
None Remote Medium Not required Partial Partial Partial
PHP remote file inclusion vulnerability in admin/create_order_new.php in Freeway 1.4.1.171, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the include_page parameter.
13558 CVE-2008-3763 20 2008-08-21 2018-10-11
6.8
User Remote Medium Not required Partial Partial Partial
Variable overwrite vulnerability in libsecure.php in Turnkey PHP Live Helper 2.0.1 and earlier, when register_globals is enabled, allows remote attackers to overwrite arbitrary variables related to the db config file. NOTE: this can be leveraged for code injection by overwriting the language file.
13559 CVE-2008-3742 264 Exec Code 2008-08-27 2017-08-07
6.5
None Remote Low Single system Partial Partial Partial
Unrestricted file upload vulnerability in the BlogAPI module in Drupal 5.x before 5.10 and 6.x before 6.4 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, which is not validated.
13560 CVE-2008-3738 287 2008-08-27 2008-09-05
6.8
None Remote Medium Not required Partial Partial Partial
Session fixation vulnerability in SpaceTag LacoodaST 2.1.3 and earlier allows remote attackers to hijack web sessions via unspecified vectors.
13561 CVE-2008-3736 352 CSRF 2008-08-27 2017-08-07
6.0
User Remote Medium Single system Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in (1) System Consultants La!Cooda WIZ 1.4.0 and earlier and (2) SpaceTag LacoodaST 2.1.3 and earlier allow remote attackers to hijack the authentication of arbitrary users for requests that (a) change passwords or (b) change configurations.
13562 CVE-2008-3723 22 1 Dir. Trav. 2008-08-20 2017-08-07
6.3
None Remote Medium Single system Complete None None
Directory traversal vulnerability in index.php in PHPizabi 0.848b C1 HFP3 allows remote authenticated administrators to read arbitrary files via (1) a .. (dot dot), (2) a URL, or possibly (3) a full pathname in the id parameter in an admin.templates.edittemplate action. NOTE: some of these details are obtained from third party information.
13563 CVE-2008-3718 89 Exec Code Sql 2008-08-20 2017-09-28
6.5
User Remote Low Single system Partial Partial Partial
Multiple SQL injection vulnerabilities in cyberBB 0.6 allow remote authenticated users to execute arbitrary SQL commands via the (1) id parameter to show_topic.php and the (2) user parameter to profile.php.
13564 CVE-2008-3716 352 CSRF 2008-08-19 2017-09-28
6.0
User Remote Medium Single system Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in Harmoni before 1.6.0 allows remote attackers to make administrative modifications via a (1) save or (2) delete action to an unspecified component.
13565 CVE-2008-3701 89 Exec Code Sql 2008-08-15 2017-08-07
6.5
User Remote Low Single system Partial Partial Partial
SQL injection vulnerability in staff/index.php in Kayako SupportSuite 3.20.02 and earlier allows remote authenticated users to execute arbitrary SQL commands via the customfieldlinkid parameter in a delcflink action.
13566 CVE-2008-3687 119 Exec Code Overflow 2008-08-14 2017-08-07
6.8
None Remote Medium Not required Partial Partial Partial
Heap-based buffer overflow in the flask_security_label function in Xen 3.3, when compiled with the XSM:FLASK module, allows unprivileged domain users (domU) to execute arbitrary code via the flask_op hypercall.
13567 CVE-2008-3682 89 Exec Code Sql 2008-08-14 2017-08-07
6.8
None Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in dpage.php in YPN PHP Realty allows remote attackers to execute arbitrary SQL commands via the docID parameter.
13568 CVE-2008-3677 22 Dir. Trav. 2008-08-14 2017-08-07
6.8
None Remote Medium Not required Partial Partial Partial
Directory traversal vulnerability in includes/events_application_top.php in Freeway before 1.4.2.197 allows remote attackers to include and execute arbitrary local files via unspecified vectors.
13569 CVE-2008-3670 89 Exec Code Sql 2008-08-13 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in authordetail.php in Article Friendly Pro allows remote attackers to execute arbitrary SQL commands via the autid parameter.
13570 CVE-2008-3667 119 Exec Code Overflow 2008-08-13 2017-08-07
6.8
None Remote Medium Not required Partial Partial Partial
Stack-based buffer overflow in Maxthon Browser 2.0 and earlier allows remote attackers to execute arbitrary code via a long Content-type HTTP header.
13571 CVE-2008-3659 119 DoS Exec Code Overflow 2008-08-14 2018-10-11
6.4
None Remote Low Not required None Partial Partial
Buffer overflow in the memnstr function in PHP 4.4.x before 4.4.9 and PHP 5.6 through 5.2.6 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via the delimiter argument to the explode function. NOTE: the scope of this issue is limited since most applications would not use an attacker-controlled delimiter, but local attacks against safe_mode are feasible.
13572 CVE-2008-3649 89 Exec Code Sql 2008-08-12 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in categorydetail.php in Article Friendly Standard allows remote attackers to execute arbitrary SQL commands via the Cat parameter.
13573 CVE-2008-3646 362 2008-10-10 2017-08-07
6.8
User Remote Medium Not required Partial Partial Partial
The Postfix configuration file in Mac OS X 10.5.5 causes Postfix to be network-accessible when mail is sent from a local command-line tool, which allows remote attackers to send mail to local Mac OS X users.
13574 CVE-2008-3640 189 Exec Code Overflow 2008-10-14 2018-10-03
6.8
None Remote Medium Not required Partial Partial Partial
Integer overflow in the WriteProlog function in texttops in CUPS before 1.3.9 allows remote attackers to execute arbitrary code via a crafted PostScript file that triggers a heap-based buffer overflow.
13575 CVE-2008-3630 2008-09-10 2018-10-30
6.4
None Remote Low Not required None Partial Partial
mDNSResponder in Apple Bonjour for Windows before 1.0.5, when an application uses the Bonjour API for unicast DNS, does not choose random values for transaction IDs or source ports in DNS requests, which makes it easier for remote attackers to spoof DNS responses, a different vulnerability than CVE-2008-1447.
13576 CVE-2008-3626 119 DoS Exec Code Overflow Mem. Corr. 2008-09-10 2018-10-30
6.8
None Remote Medium Not required Partial Partial Partial
The CallComponentFunctionWithStorage function in Apple QuickTime before 7.5.5 does not properly handle a large entry in the sample_size_table in STSZ atoms, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted movie file.
13577 CVE-2008-3624 119 DoS Exec Code Overflow 2008-09-10 2018-10-30
6.8
User Remote Medium Not required Partial Partial Partial
Heap-based buffer overflow in Apple QuickTime before 7.5.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a QuickTime Virtual Reality (QTVR) movie file with crafted panorama atoms.
13578 CVE-2008-3614 189 DoS Exec Code Overflow 2008-09-10 2018-10-30
6.8
User Remote Medium Not required Partial Partial Partial
Integer overflow in Apple QuickTime before 7.5.5 on Windows allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PICT image, which triggers heap corruption.
13579 CVE-2008-3613 399 DoS 2008-09-16 2017-08-07
6.1
None Local Network Low Not required None None Complete
Finder in Apple Mac OS X 10.5.2 through 10.5.4 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via vectors involving a search for a remote disk on the local network.
13580 CVE-2008-3611 287 Bypass 2008-09-16 2017-08-07
6.3
None Local Medium Not required None Complete Complete
Login Window in Apple Mac OS X 10.4.11 does not clear the current password when a user makes a password-change attempt that is denied by policy, which allows opportunistic, physically proximate attackers to bypass authentication and change this user's password by later entering an acceptable new password on the same login screen.
13581 CVE-2008-3606 119 DoS Exec Code Overflow 2008-08-12 2018-10-11
6.5
None Remote Low Single system Partial Partial Partial
Heap-based buffer overflow in the IMAP service in Qbik WinGate 6.2.2.1137 and earlier allows remote authenticated users to cause a denial of service (resource exhaustion) or possibly execute arbitrary code via a long argument to the LIST command. NOTE: some of these details are obtained from third party information.
13582 CVE-2008-3605 264 2008-08-12 2017-08-07
6.8
None Remote Medium Not required Partial Partial Partial
Unspecified vulnerability in McAfee Encrypted USB Manager 3.1.0.0, when the Re-use Threshold for passwords is nonzero, allows remote attackers to conduct offline brute force attacks via unknown vectors.
13583 CVE-2008-3600 22 Dir. Trav. 2008-08-12 2018-10-11
6.8
None Remote Medium Not required Partial Partial Partial
Directory traversal vulnerability in contrib/phpBB2/modules.php in Gallery 1.5.7 and 1.6-alpha3, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the phpEx parameter within a modload action.
13584 CVE-2008-3582 89 Exec Code Sql 2008-08-10 2018-10-11
6.8
User Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in login.php in Keld PHP-MySQL News Script 0.7.1 allows remote attackers to execute arbitrary SQL commands via the username parameter.
13585 CVE-2008-3561 89 Exec Code Sql 2008-08-10 2017-08-07
6.8
None Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in s03.php in Powergap Shopsystem, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the ag parameter.
13586 CVE-2008-3555 22 Dir. Trav. 2008-08-08 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
Directory traversal vulnerability in index.php in (1) WSN Forum 4.1.43 and earlier, (2) Gallery 4.1.30 and earlier, (3) Knowledge Base (WSNKB) 4.1.36 and earlier, (4) Links 4.1.44 and earlier, and possibly (5) Classifieds before 4.1.30 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the TID parameter, as demonstrated by uploading a .jpg file containing PHP sequences.
13587 CVE-2008-3532 310 2008-08-08 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
The NSS plugin in libpurple in Pidgin 2.4.3 does not verify SSL certificates, which makes it easier for remote attackers to trick a user into accepting an invalid server certificate for a spoofed service.
13588 CVE-2008-3531 119 Overflow +Priv 2008-09-05 2017-08-07
6.9
None Local Medium Not required Complete Complete Complete
Stack-based buffer overflow in sys/kern/vfs_mount.c in the kernel in FreeBSD 7.0 and 7.1, when vfs.usermount is enabled, allows local users to gain privileges via a crafted (1) mount or (2) nmount system call, related to copying of "user defined data" in "certain error conditions."
13589 CVE-2008-3497 89 Exec Code Sql 2008-08-06 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in pages.php in MyPHP CMS 0.3.1 allows remote attackers to execute arbitrary SQL commands via the pid parameter.
13590 CVE-2008-3490 89 Exec Code Sql 2008-08-06 2017-09-28
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in members/mail.php in E-topbiz Online Dating 3 1.0 allows remote authenticated users to execute arbitrary SQL commands via the mail_id parameter in a veiw action.
13591 CVE-2008-3456 59 2008-08-04 2017-08-07
6.4
None Remote Low Not required None Partial Partial
phpMyAdmin before 2.11.8 does not sufficiently prevent its pages from using frames that point to pages in other domains, which makes it easier for remote attackers to conduct spoofing or phishing activities via a cross-site framing attack.
13592 CVE-2008-3452 89 Exec Code Sql 2008-08-04 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in the Calendar module in eNdonesia 8.4 allows remote attackers to execute arbitrary SQL commands via the loc_id parameter in a list_events action to mod.php.
13593 CVE-2008-3446 22 Dir. Trav. 2008-08-04 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
Directory traversal vulnerability in inc/wysiwyg.php in LetterIt 2 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the language parameter.
13594 CVE-2008-3432 119 Exec Code Overflow 2008-10-10 2018-10-11
6.8
None Remote Medium Not required Partial Partial Partial
Heap-based buffer overflow in the mch_expand_wildcards function in os_unix.c in Vim 6.2 and 6.3 allows user-assisted attackers to execute arbitrary code via shell metacharacters in filenames, as demonstrated by the netrw.v3 test case.
13595 CVE-2008-3429 119 DoS Exec Code Overflow 2008-07-31 2017-08-07
6.8
User Remote Medium Not required Partial Partial Partial
Buffer overflow in URI processing in HTTrack and WinHTTrack before 3.42-3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long URL.
13596 CVE-2008-3428 287 2008-07-31 2017-08-07
6.5
User Remote Low Single system Partial Partial Partial
Session fixation vulnerability in phpFreeChat 1.1 allows remote authenticated users to hijack web sessions by setting the session_id parameter to match the victim's nickid parameter.
13597 CVE-2008-3425 287 2008-07-31 2017-08-07
6.5
None Remote Low Single system Partial Partial Partial
Unspecified vulnerability in the Sun Java System Web Server 7.0 plugin in Sun N1 Service Provisioning System (SPS) 5.2 and 6.0 allows remote authenticated SPS users to gain administrative access to the web server via unknown attack vectors.
13598 CVE-2008-3408 119 1 Exec Code Overflow 2008-07-31 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
Stack-based buffer overflow in CoolPlayer 2.18, and possibly other versions, allows user-assisted remote attackers to execute arbitrary code via a crafted m3u file.
13599 CVE-2008-3405 22 Dir. Trav. 2008-07-31 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
Directory traversal vulnerability in index.php in Ricardo Amaral nzFotolog 0.4.1 allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the action_file parameter.
13600 CVE-2008-3399 94 Exec Code File Inclusion 2008-07-31 2018-10-11
6.8
None Remote Medium Not required Partial Partial Partial
PHP remote file inclusion vulnerability in activities/workflow-activities.php in XRMS CRM 1.99.2, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via the include_directory parameter.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.