CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 6 and 6.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
14001 CVE-2008-0585 264 2008-02-04 2017-08-07
6.6
None Local Low Not required Complete Complete None
sysmgt.websm.webaccess in IBM AIX 5.2 and 5.3 has world writable permissions for unspecified WebSM Remote Client files, which allows local users to "alter the behavior of" this client by overwriting these files.
14002 CVE-2008-0577 264 2008-02-04 2008-09-05
6.4
None Remote Low Not required Partial Partial None
The Project Issue Tracking module 5.x-2.x-dev before 20080130 in the 5.x-2.x series, 5.x-1.2 and earlier in the 5.x-1.x series, 4.7.x-2.6 and earlier in the 4.7.x-2.x series, and 4.7.x-1.6 and earlier in the 4.7.x-1.x series for Drupal (1) does not restrict the extensions of attached files when the Upload module is enabled for issue nodes, which allows remote attackers to upload and possibly execute arbitrary files; and (2) accepts the .html extension within the bundled file-upload functionality, which allows remote attackers to upload files containing arbitrary web script or HTML.
14003 CVE-2008-0572 94 Exec Code File Inclusion 2008-02-04 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
Multiple PHP remote file inclusion vulnerabilities in Mindmeld 1.2.0.10 allow remote attackers to execute arbitrary PHP code via a URL in the MM_GLOBALS[home] parameter to (1) acweb/admin_index.php; and (2) ask.inc.php, (3) learn.inc.php, (4) manage.inc.php, (5) mind.inc.php, and (6) sensory.inc.php in include/.
14004 CVE-2008-0569 264 Exec Code Bypass 2008-02-04 2009-09-16
6.4
None Remote Low Not required Partial Partial None
The Comment Upload 4.7.x before 4.7.x-0.1 and 5.x before 5.x-0.1 module for Drupal does not properly use functions in the upload module, which allows remote attackers to bypass upload validation, and upload arbitrary files and possibly execute arbitrary code, via unspecified vectors.
14005 CVE-2008-0566 94 Exec Code File Inclusion 2008-02-04 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
PHP remote file inclusion vulnerability in includes/smarty.php in DeltaScripts PHP Links 1.3 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the full_path_to_public_program parameter.
14006 CVE-2008-0565 89 Exec Code Sql 2008-02-04 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in vote.php in DeltaScripts PHP Links 1.3 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter.
14007 CVE-2008-0560 94 Exec Code File Inclusion 2008-02-04 2018-10-15
6.8
User Remote Medium Not required Partial Partial Partial
** DISPUTED ** PHP remote file inclusion vulnerability in cforms-css.php in Oliver Seidel cforms (contactforms), a Wordpress plugin, allows remote attackers to execute arbitrary PHP code via a URL in the tm parameter. NOTE: CVE disputes this issue for 7.3, since there is no tm parameter, and the code exits with a fatal error due to a call to an undefined function.
14008 CVE-2008-0554 119 DoS Exec Code Overflow 2008-02-07 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
Buffer overflow in the readImageData function in giftopnm.c in netpbm before 10.27 in netpbm before 10.27 allows remote user-assisted attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted GIF image, a similar issue to CVE-2006-4484.
14009 CVE-2008-0553 119 Exec Code Overflow 2008-02-07 2018-10-15
6.8
None Remote Medium Not required Partial Partial Partial
Stack-based buffer overflow in the ReadImage function in tkImgGIF.c in Tk (Tcl/Tk) before 8.5.1 allows remote attackers to execute arbitrary code via a crafted GIF image, a similar issue to CVE-2006-4484.
14010 CVE-2008-0538 89 Exec Code Sql 2008-02-01 2018-10-15
6.8
User Remote Medium Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in phpIP Management 4.3.2 allow remote attackers to execute arbitrary SQL commands via the (1) password parameter to login.php, the (2) id parameter to display.php, and unspecified other vectors. NOTE: some of these details are obtained from third party information.
14011 CVE-2008-0508 352 XSS CSRF 2008-01-31 2018-10-15
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in deans_permalinks_migration.php in the Dean's Permalinks Migration 1.0 plugin for WordPress allows remote attackers to modify the oldstructure (aka dean_pm_config[oldstructure]) configuration setting as administrators via the old_struct parameter in a deans_permalinks_migration.php action to wp-admin/options-general.php, as demonstrated by placing an XSS sequence in this setting.
14012 CVE-2008-0506 20 Exec Code 2008-01-31 2018-10-15
6.8
User Remote Medium Not required Partial Partial Partial
include/imageObjectIM.class.php in Coppermine Photo Gallery (CPG) before 1.4.15, when the ImageMagick picture processing method is configured, allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) quality, (2) angle, or (3) clipval parameter to picEditor.php.
14013 CVE-2008-0504 89 Exec Code Sql 2008-01-31 2018-10-16
6.5
User Remote Low Single system Partial Partial Partial
Multiple SQL injection vulnerabilities in Coppermine Photo Gallery (CPG) before 1.4.15 allow remote authenticated administrators to execute arbitrary SQL commands via the (1) albumid, (2) startpic, and (3) numpics parameters to util.php; and (4) cid_array parameter to reviewcom.php.
14014 CVE-2008-0503 94 Exec Code 2008-01-31 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
Eval injection vulnerability in admin/op/disp.php in Netwerk Smart Publisher 1.0.1 allows remote attackers to execute arbitrary PHP code via the filedata parameter.
14015 CVE-2008-0492 119 Exec Code Overflow 2008-01-30 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
Stack-based buffer overflow in the Persits.XUpload.2 ActiveX control in XUpload.ocx 3.0.0.4 and earlier in Persits XUpload 3.0 allows remote attackers to execute arbitrary code via a long argument to the AddFile method. NOTE: some of these details are obtained from third party information.
14016 CVE-2008-0478 22 Dir. Trav. 2008-01-29 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
Directory traversal vulnerability in index.php in SetCMS 3.6.5 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the set parameter, as demonstrated by sending a certain CLIENT_IP HTTP header in an enter action to index.php, and injecting PHP sequences into files/enter.set, which is then included by index.php.
14017 CVE-2008-0476 287 +Info 2008-01-29 2017-08-07
6.4
None Remote Low Not required Partial Partial None
ManageEngine Applications Manager 8.1 build 8100 does not check authentication for monitorType.do and unspecified other pages, which allows remote attackers to obtain sensitive information and change settings via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
14018 CVE-2008-0473 20 2008-01-29 2018-10-15
6.4
None Remote Low Not required Partial Partial None
RTE_popup_save_file.asp in Web Wiz Rich Text Editor 4.0 allows remote attackers to upload (1) .html and (2) .htm files via unspecified vectors.
14019 CVE-2008-0461 89 Exec Code Sql 2008-01-25 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in index.php in the Search module in PHP-Nuke 8.0 FINAL and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the sid parameter in a comments action to modules.php. NOTE: some of these details are obtained from third party information.
14020 CVE-2008-0459 22 Dir. Trav. 2008-01-25 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
Directory traversal vulnerability in update/index.php in Liquid-Silver CMS 0.35, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the update parameter.
14021 CVE-2008-0458 22 Dir. Trav. 2008-01-25 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
Directory traversal vulnerability in function/sources.php in SLAED CMS 2.5 Lite allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the newlang parameter to index.php.
14022 CVE-2008-0453 89 Exec Code Sql 2008-01-24 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in list.php in Easysitenetwork Recipe allows remote attackers to execute arbitrary SQL commands via the categoryid parameter.
14023 CVE-2008-0423 94 Exec Code File Inclusion 2008-01-23 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
Multiple PHP remote file inclusion vulnerabilities in Lama Software allow remote attackers to execute arbitrary PHP code via a URL in the MY_CONF[classRoot] parameter to (1) inc.steps.access_error.php, (2) inc.steps.check_login.php, or (3) inc.steps.init_system.php in admin/functions/.
14024 CVE-2008-0411 119 Exec Code Overflow 2008-02-28 2018-10-15
6.8
User Remote Medium Not required Partial Partial Partial
Stack-based buffer overflow in the zseticcspace function in zicc.c in Ghostscript 8.61 and earlier allows remote attackers to execute arbitrary code via a postscript (.ps) file containing a long Range array in a .seticcspace operator.
14025 CVE-2008-0408 287 2008-01-28 2018-10-15
6.4
None Remote Low Not required Partial Partial None
HTTP File Server (HFS) before 2.2c allows remote attackers to append arbitrary text to the log file by using the base64 representation of this text during HTTP Basic Authentication.
14026 CVE-2008-0402 264 Bypass 2008-01-23 2017-08-07
6.0
User Remote Medium Single system Partial Partial Partial
Unspecified vulnerability in IBM WebSphere Business Modeler Basic and Advanced 6.0.2.1 before Interim Fix 11 allows remote authenticated users to bypass intended access restrictions and delete unspecified repository resources via unknown vectors, even when they are not administrators or members of the repository's owning group.
14027 CVE-2008-0399 119 Exec Code Overflow 2008-01-23 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
Multiple buffer overflows in Toshiba Surveillance (Surveillix) RecordSend ActiveX control (MeIpCamX.DLL 1.0.0.4) allow remote attackers to execute arbitrary code via long arguments to the (1) SetPort and (2) SetIpAddress methods.
14028 CVE-2008-0397 89 Exec Code Sql 2008-01-23 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in aflog 1.01, and possibly earlier versions, allow remote attackers to execute arbitrary SQL commands via (1) the id parameter to comments.php and (2) an unspecified parameter to view.php.
14029 CVE-2008-0388 89 Exec Code Sql 2008-01-22 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in the WP-Forum 1.7.4 plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the user parameter in a showprofile action to the default URI.
14030 CVE-2008-0386 20 Exec Code 2008-02-04 2008-09-05
6.8
User Remote Medium Not required Partial Partial Partial
Xdg-utils 1.0.2 and earlier allows user-assisted remote attackers to execute arbitrary commands via shell metacharacters in a URL argument to (1) xdg-open or (2) xdg-email.
14031 CVE-2008-0378 119 DoS Exec Code Overflow 2008-01-22 2018-10-15
6.8
User Remote Medium Not required Partial Partial Partial
Stack-based buffer overflow in SocksCap 2.40-051231 and earlier, when "Resolve all names remotely" is enabled, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long hostname.
14032 CVE-2008-0376 94 Exec Code File Inclusion 2008-01-22 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
PHP remote file inclusion vulnerability in inc/linkbar.php in Small Axe Weblog 0.3.1 allows remote attackers to execute arbitrary PHP code via a URL in the cfile parameter.
14033 CVE-2008-0371 89 Exec Code Sql 2008-01-22 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in aliTalk 1.9.1.1, when magic_quotes_gpc is disabled, allow remote authenticated users to execute arbitrary SQL commands via (1) the mohit parameter to (a) inc/receivertwo.php; and allow remote attackers to execute arbitrary SQL commands via (2) the id parameter to (b) inc/usercp.php, related to functionz/usercp.php; or (3) the username parameter to (c) admin/index.php, related to functionz/first_process.php, or (d) index.php. NOTE: some of these details are obtained from third party information.
14034 CVE-2008-0369 2008-01-18 2017-08-07
6.9
None Local Medium Not required Complete Complete Complete
Multiple unspecified programs in IBM Informix Dynamic Server (IDS) 10.x before 10.00.xC8 allow local users to create arbitrary files by specifying the target file in the SQLIDEBUG environment variable, whose ownership is changed to the user invoking the programs.
14035 CVE-2008-0358 89 Exec Code Sql 2008-01-18 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in index.php in Pixelpost 1.7 allows remote attackers to execute arbitrary SQL commands via the parent_id parameter.
14036 CVE-2008-0313 Exec Code 2008-04-08 2017-08-07
6.8
User Remote Medium Not required Partial Partial Partial
The ActiveDataInfo.LaunchProcess method in the SymAData.ActiveDataInfo.1 ActiveX control 2.7.0.1 in SYMADATA.DLL in multiple Symantec Norton products including Norton 360 1.0, AntiVirus 2006 through 2008, Internet Security 2006 through 2008, and System Works 2006 through 2008, does not properly determine the location of the AutoFix Tool, which allows remote attackers to execute arbitrary code via a remote (1) WebDAV or (2) SMB share.
14037 CVE-2008-0310 22 Dir. Trav. 2008-04-07 2017-09-28
6.9
Admin Local Medium Not required Complete Complete Complete
Directory traversal vulnerability in pkgadd in SCO UnixWare 7.1.4 before p534589 allows local users to create or append to arbitrary files via ".." sequences in an unspecified environment variable, probably PKGINST.
14038 CVE-2008-0309 119 DoS Exec Code Overflow 2008-02-28 2008-09-05
6.8
User Remote Medium Not required Partial Partial Partial
Stack-based buffer overflow in Symantec Decomposer, as used in certain Symantec antivirus products including Symantec Scan Engine 5.1.2 and other versions before 5.1.6.31, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a malformed RAR file to the Internet Content Adaptation Protocol (ICAP) port (1344/tcp).
14039 CVE-2008-0306 Exec Code 2008-03-11 2017-08-07
6.9
Admin Local Medium Not required Complete Complete Complete
sdbstarter in SAP MaxDB 7.6.0.37, and possibly other versions, allows local users to execute arbitrary commands by using unspecified environment variables to modify configuration settings.
14040 CVE-2008-0303 2008-02-28 2009-03-13
6.4
None Remote Low Not required None Partial Partial
The FTP print feature in multiple Canon printers, including imageRUNNER and imagePRESS, allow remote attackers to use the server as an inadvertent proxy via a modified PORT command, aka FTP bounce.
14041 CVE-2008-0300 94 Exec Code 2008-03-11 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
mapFiler.php in Mapbender 2.4 to 2.4.4 allows remote attackers to execute arbitrary PHP code via PHP code sequences in the factor parameter, which are not properly handled when accessing a filename that contains those sequences.
14042 CVE-2008-0293 264 +Priv Bypass 2008-01-16 2017-08-07
6.8
User Remote Medium Not required Partial Partial Partial
Unspecified vulnerability in cron.php in FreeSeat before 1.1.5d, when format.php has certain modifications, allows remote attackers to bypass authentication and gain privileges via unspecified vectors related to the show_foot function.
14043 CVE-2008-0289 94 Exec Code File Inclusion 2008-01-15 2018-10-15
6.8
User Remote Medium Not required Partial Partial Partial
PHP remote file inclusion vulnerability in view_func.php in Member Area System (MAS) 1.7 and possibly others allows remote attackers to execute arbitrary PHP code via a URL in the i parameter. NOTE: a second vector might exist via the l parameter. NOTE: as of 20080118, the vendor has disputed the set of affected versions, stating that the issue "is already fixed, for almost a year."
14044 CVE-2008-0287 94 Exec Code File Inclusion 2008-01-15 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
PHP remote file inclusion vulnerability in VisionBurst vcart 3.3.2 allows remote attackers to execute arbitrary PHP code via a URL in the abs_path parameter to (1) index.php and (2) checkout.php.
14045 CVE-2008-0283 94 Exec Code File Inclusion 2008-01-15 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
PHP remote file inclusion vulnerability in /aides/index.php in DomPHP 0.81 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the page parameter.
14046 CVE-2008-0278 89 Exec Code Sql 2008-01-15 2017-09-28
6.0
User Remote Medium Single system Partial Partial Partial
SQL injection vulnerability in index.php in X7 Chat 2.0.5 and possibly earlier allows remote attackers to execute arbitrary SQL commands via the day parameter in a sm_window action.
14047 CVE-2008-0270 89 Exec Code Sql 2008-01-15 2017-09-28
6.0
None Remote Medium Single system Partial Partial Partial
SQL injection vulnerability in index.php in TaskFreak! 0.6.1 and earlier allows remote authenticated users to execute arbitrary SQL commands via the sContext parameter.
14048 CVE-2008-0264 20 Exec Code 2008-01-15 2017-08-07
6.8
None Remote Medium Not required Partial Partial Partial
Unspecified vulnerability in the Meta Tags (aka Nodewords) 5.x-1.6 module for Drupal, when images are permitted in node bodies, allows remote authenticated users to execute arbitrary code via unspecified vectors involving creation of a node.
14049 CVE-2008-0259 22 Dir. Trav. 2008-01-15 2017-09-28
6.4
None Remote Low Not required Partial Partial None
Multiple directory traversal vulnerabilities in _mg/php/mg_thumbs.php in minimal Gallery 0.8 allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) thumbcat and (2) thumb parameters.
14050 CVE-2008-0254 89 Exec Code Sql 2008-01-15 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in activate.php in TutorialCMS (aka Photoshop Tutorials) 1.02, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the userName parameter.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.