CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 6 and 6.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
14001 CVE-2008-3368 94 Exec Code File Inclusion 2008-07-30 2017-09-28
6.5
User Remote Low Single system Partial Partial Partial
PHP remote file inclusion vulnerability in tools/packages/import.php in ATutor 1.6.1 pl1 and earlier allows remote authenticated administrators to execute arbitrary PHP code via a URL in the type parameter.
14002 CVE-2008-3365 22 Dir. Trav. 2008-07-30 2018-10-11
6.8
User Remote Medium Not required Partial Partial Partial
Directory traversal vulnerability in index.php in Pixelpost 1.7.1 on Windows, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the language_full parameter.
14003 CVE-2008-3345 89 Exec Code Sql 2008-07-28 2017-08-07
6.8
User Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in staticpages/easyecards/index.php in MyioSoft EasyE-Cards 3.5 trial edition (tr) and 3.10a, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the sid parameter in a pickup action.
14004 CVE-2008-3339 200 +Info 2008-07-28 2017-08-07
6.8
User Remote Medium Not required Partial Partial Partial
search_result.cfm in Jobbex JobSite allows remote attackers to obtain sensitive information via unspecified vectors that reveal the installation path in an error message.
14005 CVE-2008-3337 20 2008-08-08 2017-08-07
6.4
None Remote Low Not required None Partial Partial
PowerDNS Authoritative Server before 2.9.21.1 drops malformed queries, which might make it easier for remote attackers to poison DNS caches of other products running on other servers, a different issue than CVE-2008-1447 and CVE-2008-3217.
14006 CVE-2008-3332 94 Exec Code 2008-07-27 2017-09-28
6.5
User Remote Low Single system Partial Partial Partial
Eval injection vulnerability in adm_config_set.php in Mantis before 1.1.2 allows remote authenticated administrators to execute arbitrary code via the value parameter.
14007 CVE-2008-3325 352 +Priv CSRF 2008-07-25 2018-11-01
6.0
User Remote Medium Single system Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in Moodle 1.6.x before 1.6.7 and 1.7.x before 1.7.5 allows remote attackers to modify profile settings and gain privileges as other users via a link or IMG tag to the user edit profile page.
14008 CVE-2008-3312 22 Dir. Trav. 2008-07-25 2017-08-07
6.8
None Remote Medium Not required Partial Partial Partial
Directory traversal vulnerability in lemon_includes/FCKeditor/editor/filemanager/browser/browser.php in Lemon CMS 1.10 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the dir parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. NOTE: this might be an issue in FCKeditor.
14009 CVE-2008-3308 94 Exec Code File Inclusion 2008-07-25 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
PHP remote file inclusion vulnerability in cuenta/cuerpo.php in C. Desseno YouTube Blog (ytb) 0.1, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the base_archivo parameter.
14010 CVE-2008-3303 264 Bypass 2008-07-25 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
admin/login.php in BilboBlog 0.2.1, when register_globals is enabled, allows remote attackers to bypass authentication and obtain administrative access via a direct request that sets the login, admin_login, password, and admin_passwd parameters.
14011 CVE-2008-3302 89 Exec Code Sql 2008-07-25 2017-09-28
6.0
None Remote Medium Single system Partial Partial Partial
SQL injection vulnerability in admin/delete.php in BilboBlog 0.2.1, when magic_quotes_gpc is disabled, allows remote authenticated administrators to execute arbitrary SQL commands via the num parameter.
14012 CVE-2008-3298 94 Exec Code 2008-07-25 2018-10-11
6.0
None Remote Medium Single system Partial Partial Partial
SocialEngine (SE) before 2.83 grants certain write privileges for templates, which allows remote authenticated administrators to execute arbitrary PHP code.
14013 CVE-2008-3292 287 +Priv Bypass 2008-07-24 2017-09-28
6.4
None Remote Low Not required Partial Partial None
constants.inc in EZWebAlbum 1.0 allows remote attackers to bypass authentication and gain administrator privileges by setting the photoalbumadmin cookie, as demonstrated via addpage.php.
14014 CVE-2008-3279 264 +Priv 2010-04-05 2017-09-28
6.9
None Local Medium Not required Complete Complete Complete
Untrusted search path vulnerability in libbrlttybba.so in brltty 3.7.2 allows local users to gain privileges via a crafted library, related to an incorrect RPATH setting.
14015 CVE-2008-3272 189 +Info 2008-08-08 2018-10-30
6.6
None Local Low Not required Complete None Complete
The snd_seq_oss_synth_make_info function in sound/core/seq/oss/seq_oss_synth.c in the sound subsystem in the Linux kernel before 2.6.27-rc2 does not verify that the device number is within the range defined by max_synthdev before returning certain data to the caller, which allows local users to obtain sensitive information.
14016 CVE-2008-3268 264 +Priv Bypass 2008-07-24 2017-08-07
6.8
None Remote Medium Not required Partial Partial Partial
Unspecified vulnerability in phpScheduleIt 1.2.0 through 1.2.9, when useLogonName is enabled, allows remote attackers with administrator email address knowledge to bypass restrictions and gain privileges via unspecified vectors related to login names. NOTE: some of these details are obtained from third party information.
14017 CVE-2008-3265 89 Exec Code Sql 2008-07-24 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in the DT Register (com_dtregister) 2.2.3 component for Joomla! allows remote attackers to execute arbitrary SQL commands via the eventId parameter in a pay_options action to index.php.
14018 CVE-2008-3254 89 Exec Code Sql 2008-07-22 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in index.php in preCMS 1 allows remote attackers to execute arbitrary SQL commands via the id parameter in a UserProfil action.
14019 CVE-2008-3234 264 2008-07-18 2017-09-28
6.5
User Remote Low Single system Partial Partial Partial
sshd in OpenSSH 4 on Debian GNU/Linux, and the 20070303 OpenSSH snapshot, allows remote authenticated users to obtain access to arbitrary SELinux roles by appending a :/ (colon slash) sequence, followed by the role name, to the username.
14020 CVE-2008-3229 119 Overflow +Priv 2008-07-18 2017-08-07
6.9
Admin Local Medium Not required Complete Complete Complete
Stack-based buffer overflow in op before Changeset 563, when xauth support is enabled, allows local users to gain privileges via a long XAUTHORITY environment variable.
14021 CVE-2008-3222 287 2008-07-18 2017-08-07
6.8
User Remote Medium Not required Partial Partial Partial
Session fixation vulnerability in Drupal 5.x before 5.9 and 6.x before 6.3, when contributed modules "terminate the current request during a login event," allows remote attackers to hijack web sessions via unknown vectors.
14022 CVE-2008-3220 352 CSRF 2008-07-18 2017-08-07
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in Drupal 5.x before 5.8 and 6.x before 6.3 allows remote attackers to perform administrative actions via vectors involving deletion of "translated strings."
14023 CVE-2008-3217 189 2008-07-18 2017-08-07
6.8
None Remote Medium Not required Partial Partial Partial
PowerDNS Recursor before 3.1.6 does not always use the strongest random number generator for source port selection, which makes it easier for remote attack vectors to conduct DNS cache poisoning. NOTE: this is related to incomplete integration of security improvements associated with addressing CVE-2008-1637.
14024 CVE-2008-3195 22 Dir. Trav. 2008-09-18 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
Directory traversal vulnerability in bin/configure in TWiki before 4.2.3, when a certain step in the installation guide is skipped, allows remote attackers to read arbitrary files via a query string containing a .. (dot dot) in the image variable, and execute arbitrary files via unspecified vectors.
14025 CVE-2008-3194 22 Dir. Trav. 2008-07-16 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
Multiple directory traversal vulnerabilities in data/inc/themes/predefined_variables.php in pluck 4.5.1 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the (1) langpref, (2) file, (3) blogpost, or (4) cat parameter.
14026 CVE-2008-3192 22 Dir. Trav. 2008-07-16 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
Directory traversal vulnerability in index.php in jSite 1.0 OE allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the module parameter.
14027 CVE-2008-3191 89 Exec Code Sql 2008-07-16 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in usercp.php in mForum 0.1a, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) City, (2) Interest, (3) Email, (4) Icq, (5) msn, or (6) Yahoo Messenger field in an edit_profile action.
14028 CVE-2008-3190 22 Exec Code Dir. Trav. 2008-07-16 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
Directory traversal vulnerability in list.php in 1Scripts CodeDB 1.1.1 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the lang parameter.
14029 CVE-2008-3188 310 2008-07-22 2017-08-07
6.2
None Local High Not required Complete Complete Complete
libxcrypt in SUSE openSUSE 11.0 uses the DES algorithm when the configuration specifies the MD5 algorithm, which makes it easier for attackers to conduct brute-force attacks against hashed passwords.
14030 CVE-2008-3185 89 Exec Code Sql 2008-07-15 2018-10-11
6.8
User Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in index.php in Relative Real Estate Systems 3.0 and earlier allows remote attackers to execute arbitrary SQL commands via the listing_id parameter in a listings action.
14031 CVE-2008-3181 20 Exec Code 2008-07-15 2017-09-28
6.5
User Remote Low Single system Partial Partial Partial
Unrestricted file upload vulnerability in upload.php in ContentNow CMS 1.4.1 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in upload/.
14032 CVE-2008-3173 264 2008-07-14 2017-08-07
6.8
User Remote Medium Not required Partial Partial Partial
Microsoft Internet Explorer allows web sites to set cookies for domains that have a public suffix with more than one dot character, which could allow remote attackers to perform a session fixation attack and hijack a user's HTTP session, aka "Cross-Site Cooking." NOTE: this issue may exist because of an insufficient fix for CVE-2004-0866.
14033 CVE-2008-3172 264 2008-07-14 2017-08-07
6.8
None Remote Medium Not required Partial Partial Partial
Opera allows web sites to set cookies for country-specific top-level domains that have DNS A records, such as co.tv, which could allow remote attackers to perform a session fixation attack and hijack a user's HTTP session, aka "Cross-Site Cooking."
14034 CVE-2008-3170 264 2008-07-14 2017-08-07
6.8
None Remote Medium Not required Partial Partial Partial
Apple Safari allows web sites to set cookies for country-specific top-level domains, such as co.uk and com.au, which could allow remote attackers to perform a session fixation attack and hijack a user's HTTP session, aka "Cross-Site Cooking," a related issue to CVE-2004-0746, CVE-2004-0866, and CVE-2004-0867.
14035 CVE-2008-3165 22 Dir. Trav. 2008-07-14 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
Directory traversal vulnerability in rss.php in fuzzylime (cms) 3.01a and earlier, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the p parameter, as demonstrated using content.php, a different vector than CVE-2007-4805.
14036 CVE-2008-3163 22 Dir. Trav. 2008-07-14 2017-08-07
6.8
None Remote Medium Not required Partial Partial Partial
Directory traversal vulnerability in dodosmail.php in DodosMail 2.5 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the dodosmail_header_file parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
14037 CVE-2008-3158 264 2008-07-11 2017-08-07
6.9
None Local Medium Not required Complete Complete Complete
Unspecified vulnerability in NWFS.SYS in Novell Client for Windows 4.91 SP4 has unknown impact and attack vectors, possibly related to IOCTL requests that overwrite arbitrary memory.
14038 CVE-2008-3148 119 Exec Code Overflow 2008-07-11 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
Stack-based buffer overflow in (1) OllyDBG 1.10 and (2) ImpREC 1.7f allows user-assisted attackers to execute arbitrary code via a crafted DLL file that contains a long string.
14039 CVE-2008-3133 89 Exec Code Sql 2008-07-10 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in admin/index.php in BareNuked CMS 1.1.0, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the password parameter.
14040 CVE-2008-3131 89 Exec Code Sql 2008-07-10 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in chatbox.php in pSys 0.7.0 Alpha, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the showid parameter.
14041 CVE-2008-3127 20 Exec Code File Inclusion 2008-07-10 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
PHP remote file inclusion vulnerability in hioxBannerRotate.php in HIOX Banner Rotator (HBR) 1.3, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the hm parameter.
14042 CVE-2008-3126 119 Exec Code Overflow 2008-07-10 2017-08-07
6.5
None Remote Low Single system Partial Partial Partial
Multiple stack-based buffer overflows in the ServerView web interface (SnmpGetMibValues.exe) in Fujitsu Siemens Computers ServerView 04.60.07 and earlier allow remote authenticated users to execute arbitrary code via a crafted URL.
14043 CVE-2008-3122 89 Exec Code Sql 2008-07-10 2017-08-07
6.5
None Remote Low Single system Partial Partial Partial
Multiple SQL injection vulnerabilities in Xerox CentreWare Web (CWW) before 4.6.46 allow remote authenticated users to execute arbitrary SQL commands via the unspecified vectors.
14044 CVE-2008-3117 20 Exec Code 2008-07-10 2017-09-28
6.5
User Remote Low Single system Partial Partial Partial
Unrestricted file upload vulnerability in update_profile.php in PHPmotion 2.0 and earlier allows remote authenticated users to execute arbitrary code by uploading a .php file with a content type of (1) image/gif, (2) image/jpeg, or (3) image/pjpeg, then accessing it via a direct request to the file under pictures/.
14045 CVE-2008-3104 264 2008-07-09 2018-10-30
6.8
None Remote Medium Not required Partial Partial Partial
Multiple unspecified vulnerabilities in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 7, JDK and JRE 5.0 before Update 16, SDK and JRE 1.4.x before 1.4.2_18, and SDK and JRE 1.3.x before 1.3.1_23 allow remote attackers to violate the security model for an applet's outbound connections by connecting to localhost services running on the machine that loaded the applet.
14046 CVE-2008-3096 264 +Priv 2008-07-09 2017-08-07
6.5
None Remote Low Single system Partial Partial Partial
The Outline Designer module 5.x before 5.x-1.4 for Drupal changes each content reader's authentication level to match that of the content author, which might allow remote attackers to gain privileges.
14047 CVE-2008-3093 94 Exec Code 2008-07-09 2017-09-28
6.5
User Remote Low Single system Partial Partial Partial
Unrestricted file upload vulnerability in ImperialBB 2.3.5 and earlier allows remote authenticated users to upload and execute arbitrary PHP code by placing a .php filename in the Upload_Avatar parameter and sending the image/gif content type.
14048 CVE-2008-3092 89 Exec Code Sql 2008-07-09 2017-08-07
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in the Taxonomy Autotagger module 5.x before 5.x-1.8 for Drupal allows remote authenticated users, with create or edit post permissions, to execute arbitrary SQL commands via unspecified vectors.
14049 CVE-2008-3081 20 Exec Code 2008-07-08 2017-08-07
6.5
User Remote Low Single system Partial Partial Partial
Multiple unspecified "input validation" vulnerabilities in the Web management interface (aka Messaging Administration interface) in Avaya Message Storage Server (MSS) 3.x and 4.0, and possibly Communication Manager 3.1.x, allow remote authenticated administrators to execute arbitrary commands as user vexvm via vectors related to (1) SFTP Remote Store configuration; (2) remote FTP storage settings; (3) name server lookup; (4) pinging another host; (5) TCP/IP Networking parameter configuration; (6) the external hosts configuration main page; (7) adding and changing external hosts; (8) Windows domain parameter configuration; (9) date, time, and NTP server configuration; (10) alarm settings; (11) the command line history form; (12) the maintenance form; and (13) the server events form.
14050 CVE-2008-3035 89 Exec Code Sql 2008-07-07 2017-09-28
6.5
User Remote Low Single system Partial Partial Partial
SQL injection vulnerability in newThread.php in XchangeBoard 1.70 Final and earlier allows remote authenticated users to execute arbitrary SQL commands via the boardID parameter.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.