CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities (CVSS score between 6 and 6.99)

| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. / Integ. / Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 14401 | CVE-2008-0476 | 287 | | +Info | 2008-01-29 | 2017-08-07 | 6.4 | None | Remote | Low | Not required | Partial / Partial / None | ManageEngine Applications Manager 8.1 build 8100 does not check authentication for monitorType.do and unspecified other pages, which allows remote attackers to obtain sensitive information and change settings via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. |
| 14402 | CVE-2008-0473 | 20 | | | 2008-01-29 | 2018-10-15 | 6.4 | None | Remote | Low | Not required | Partial / Partial / None | RTE_popup_save_file.asp in Web Wiz Rich Text Editor 4.0 allows remote attackers to upload (1) .html and (2) .htm files via unspecified vectors. |
| 14403 | CVE-2008-0461 | 89 | | Exec Code Sql | 2008-01-25 | 2017-09-28 | 6.8 | User | Remote | Medium | Not required | Partial / Partial / Partial | SQL injection vulnerability in index.php in the Search module in PHP-Nuke 8.0 FINAL and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the sid parameter in a comments action to modules.php. NOTE: some of these details are obtained from third party information. |
| 14404 | CVE-2008-0459 | 22 | | Dir. Trav. | 2008-01-25 | 2017-09-28 | 6.8 | None | Remote | Medium | Not required | Partial / Partial / Partial | Directory traversal vulnerability in update/index.php in Liquid-Silver CMS 0.35, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the update parameter. |
| 14405 | CVE-2008-0458 | 22 | | Dir. Trav. | 2008-01-25 | 2017-09-28 | 6.8 | User | Remote | Medium | Not required | Partial / Partial / Partial | Directory traversal vulnerability in function/sources.php in SLAED CMS 2.5 Lite allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the newlang parameter to index.php. |
| 14406 | CVE-2008-0453 | 89 | | Exec Code Sql | 2008-01-24 | 2017-09-28 | 6.8 | User | Remote | Medium | Not required | Partial / Partial / Partial | SQL injection vulnerability in list.php in Easysitenetwork Recipe allows remote attackers to execute arbitrary SQL commands via the categoryid parameter. |
| 14407 | CVE-2008-0423 | 94 | | Exec Code File Inclusion | 2008-01-23 | 2017-09-28 | 6.8 | None | Remote | Medium | Not required | Partial / Partial / Partial | Multiple PHP remote file inclusion vulnerabilities in Lama Software allow remote attackers to execute arbitrary PHP code via a URL in the MY_CONF[classRoot] parameter to (1) inc.steps.access_error.php, (2) inc.steps.check_login.php, or (3) inc.steps.init_system.php in admin/functions/. |
| 14408 | CVE-2008-0411 | 119 | | Exec Code Overflow | 2008-02-28 | 2018-10-15 | 6.8 | User | Remote | Medium | Not required | Partial / Partial / Partial | Stack-based buffer overflow in the zseticcspace function in zicc.c in Ghostscript 8.61 and earlier allows remote attackers to execute arbitrary code via a postscript (.ps) file containing a long Range array in a .seticcspace operator. |
| 14409 | CVE-2008-0408 | 287 | | | 2008-01-28 | 2018-10-15 | 6.4 | None | Remote | Low | Not required | Partial / Partial / None | HTTP File Server (HFS) before 2.2c allows remote attackers to append arbitrary text to the log file by using the base64 representation of this text during HTTP Basic Authentication. |
| 14410 | CVE-2008-0402 | 264 | | Bypass | 2008-01-23 | 2017-08-07 | 6.0 | User | Remote | Medium | Single system | Partial / Partial / Partial | Unspecified vulnerability in IBM WebSphere Business Modeler Basic and Advanced 6.0.2.1 before Interim Fix 11 allows remote authenticated users to bypass intended access restrictions and delete unspecified repository resources via unknown vectors, even when they are not administrators or members of the repository's owning group. |
| 14411 | CVE-2008-0399 | 119 | | Exec Code Overflow | 2008-01-23 | 2017-09-28 | 6.8 | User | Remote | Medium | Not required | Partial / Partial / Partial | Multiple buffer overflows in Toshiba Surveillance (Surveillix) RecordSend ActiveX control (MeIpCamX.DLL 1.0.0.4) allow remote attackers to execute arbitrary code via long arguments to the (1) SetPort and (2) SetIpAddress methods. |
| 14412 | CVE-2008-0397 | 89 | | Exec Code Sql | 2008-01-23 | 2017-09-28 | 6.8 | User | Remote | Medium | Not required | Partial / Partial / Partial | Multiple SQL injection vulnerabilities in aflog 1.01, and possibly earlier versions, allow remote attackers to execute arbitrary SQL commands via (1) the id parameter to comments.php and (2) an unspecified parameter to view.php. |
| 14413 | CVE-2008-0388 | 89 | | Exec Code Sql | 2008-01-22 | 2017-09-28 | 6.8 | User | Remote | Medium | Not required | Partial / Partial / Partial | SQL injection vulnerability in the WP-Forum 1.7.4 plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the user parameter in a showprofile action to the default URI. |
| 14414 | CVE-2008-0386 | 20 | | Exec Code | 2008-02-04 | 2008-09-05 | 6.8 | User | Remote | Medium | Not required | Partial / Partial / Partial | Xdg-utils 1.0.2 and earlier allows user-assisted remote attackers to execute arbitrary commands via shell metacharacters in a URL argument to (1) xdg-open or (2) xdg-email. |
| 14415 | CVE-2008-0378 | 119 | | DoS Exec Code Overflow | 2008-01-22 | 2018-10-15 | 6.8 | User | Remote | Medium | Not required | Partial / Partial / Partial | Stack-based buffer overflow in SocksCap 2.40-051231 and earlier, when "Resolve all names remotely" is enabled, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long hostname. |
| 14416 | CVE-2008-0376 | 94 | | Exec Code File Inclusion | 2008-01-22 | 2017-09-28 | 6.8 | User | Remote | Medium | Not required | Partial / Partial / Partial | PHP remote file inclusion vulnerability in inc/linkbar.php in Small Axe Weblog 0.3.1 allows remote attackers to execute arbitrary PHP code via a URL in the cfile parameter. |
| 14417 | CVE-2008-0371 | 89 | | Exec Code Sql | 2008-01-22 | 2017-09-28 | 6.8 | User | Remote | Medium | Not required | Partial / Partial / Partial | Multiple SQL injection vulnerabilities in aliTalk 1.9.1.1, when magic_quotes_gpc is disabled, allow remote authenticated users to execute arbitrary SQL commands via (1) the mohit parameter to (a) inc/receivertwo.php; and allow remote attackers to execute arbitrary SQL commands via (2) the id parameter to (b) inc/usercp.php, related to functionz/usercp.php; or (3) the username parameter to (c) admin/index.php, related to functionz/first_process.php, or (d) index.php. NOTE: some of these details are obtained from third party information. |
| 14418 | CVE-2008-0369 | | | | 2008-01-18 | 2017-08-07 | 6.9 | None | Local | Medium | Not required | Complete / Complete / Complete | Multiple unspecified programs in IBM Informix Dynamic Server (IDS) 10.x before 10.00.xC8 allow local users to create arbitrary files by specifying the target file in the SQLIDEBUG environment variable, whose ownership is changed to the user invoking the programs. |
| 14419 | CVE-2008-0358 | 89 | | Exec Code Sql | 2008-01-18 | 2017-09-28 | 6.8 | None | Remote | Medium | Not required | Partial / Partial / Partial | SQL injection vulnerability in index.php in Pixelpost 1.7 allows remote attackers to execute arbitrary SQL commands via the parent_id parameter. |
| 14420 | CVE-2008-0313 | | | Exec Code | 2008-04-08 | 2017-08-07 | 6.8 | User | Remote | Medium | Not required | Partial / Partial / Partial | The ActiveDataInfo.LaunchProcess method in the SymAData.ActiveDataInfo.1 ActiveX control 2.7.0.1 in SYMADATA.DLL in multiple Symantec Norton products including Norton 360 1.0, AntiVirus 2006 through 2008, Internet Security 2006 through 2008, and System Works 2006 through 2008, does not properly determine the location of the AutoFix Tool, which allows remote attackers to execute arbitrary code via a remote (1) WebDAV or (2) SMB share. |
| 14421 | CVE-2008-0310 | 22 | | Dir. Trav. | 2008-04-07 | 2017-09-28 | 6.9 | Admin | Local | Medium | Not required | Complete / Complete / Complete | Directory traversal vulnerability in pkgadd in SCO UnixWare 7.1.4 before p534589 allows local users to create or append to arbitrary files via ".." sequences in an unspecified environment variable, probably PKGINST. |
| 14422 | CVE-2008-0309 | 119 | | DoS Exec Code Overflow | 2008-02-28 | 2008-09-05 | 6.8 | User | Remote | Medium | Not required | Partial / Partial / Partial | Stack-based buffer overflow in Symantec Decomposer, as used in certain Symantec antivirus products including Symantec Scan Engine 5.1.2 and other versions before 5.1.6.31, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a malformed RAR file to the Internet Content Adaptation Protocol (ICAP) port (1344/tcp). |
| 14423 | CVE-2008-0306 | | | Exec Code | 2008-03-11 | 2017-08-07 | 6.9 | Admin | Local | Medium | Not required | Complete / Complete / Complete | sdbstarter in SAP MaxDB 7.6.0.37, and possibly other versions, allows local users to execute arbitrary commands by using unspecified environment variables to modify configuration settings. |
| 14424 | CVE-2008-0303 | | | | 2008-02-28 | 2009-03-13 | 6.4 | None | Remote | Low | Not required | None / Partial / Partial | The FTP print feature in multiple Canon printers, including imageRUNNER and imagePRESS, allows remote attackers to use the server as an inadvertent proxy via a modified PORT command, aka FTP bounce. |
| 14425 | CVE-2008-0300 | 94 | | Exec Code | 2008-03-11 | 2017-09-28 | 6.8 | None | Remote | Medium | Not required | Partial / Partial / Partial | mapFiler.php in Mapbender 2.4 to 2.4.4 allows remote attackers to execute arbitrary PHP code via PHP code sequences in the factor parameter, which are not properly handled when accessing a filename that contains those sequences. |
| 14426 | CVE-2008-0293 | 264 | | +Priv Bypass | 2008-01-16 | 2017-08-07 | 6.8 | User | Remote | Medium | Not required | Partial / Partial / Partial | Unspecified vulnerability in cron.php in FreeSeat before 1.1.5d, when format.php has certain modifications, allows remote attackers to bypass authentication and gain privileges via unspecified vectors related to the show_foot function. |
| 14427 | CVE-2008-0289 | 94 | | Exec Code File Inclusion | 2008-01-15 | 2018-10-15 | 6.8 | User | Remote | Medium | Not required | Partial / Partial / Partial | PHP remote file inclusion vulnerability in view_func.php in Member Area System (MAS) 1.7 and possibly others allows remote attackers to execute arbitrary PHP code via a URL in the i parameter. NOTE: a second vector might exist via the l parameter. NOTE: as of 20080118, the vendor has disputed the set of affected versions, stating that the issue "is already fixed, for almost a year." |
| 14428 | CVE-2008-0287 | 94 | | Exec Code File Inclusion | 2008-01-15 | 2017-09-28 | 6.8 | User | Remote | Medium | Not required | Partial / Partial / Partial | PHP remote file inclusion vulnerability in VisionBurst vcart 3.3.2 allows remote attackers to execute arbitrary PHP code via a URL in the abs_path parameter to (1) index.php and (2) checkout.php. |
| 14429 | CVE-2008-0283 | 94 | | Exec Code File Inclusion | 2008-01-15 | 2017-09-28 | 6.8 | None | Remote | Medium | Not required | Partial / Partial / Partial | PHP remote file inclusion vulnerability in /aides/index.php in DomPHP 0.81 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the page parameter. |
| 14430 | CVE-2008-0278 | 89 | | Exec Code Sql | 2008-01-15 | 2017-09-28 | 6.0 | User | Remote | Medium | Single system | Partial / Partial / Partial | SQL injection vulnerability in index.php in X7 Chat 2.0.5 and possibly earlier allows remote attackers to execute arbitrary SQL commands via the day parameter in a sm_window action. |
| 14431 | CVE-2008-0270 | 89 | | Exec Code Sql | 2008-01-15 | 2017-09-28 | 6.0 | None | Remote | Medium | Single system | Partial / Partial / Partial | SQL injection vulnerability in index.php in TaskFreak! 0.6.1 and earlier allows remote authenticated users to execute arbitrary SQL commands via the sContext parameter. |
| 14432 | CVE-2008-0264 | 20 | | Exec Code | 2008-01-15 | 2017-08-07 | 6.8 | None | Remote | Medium | Not required | Partial / Partial / Partial | Unspecified vulnerability in the Meta Tags (aka Nodewords) 5.x-1.6 module for Drupal, when images are permitted in node bodies, allows remote authenticated users to execute arbitrary code via unspecified vectors involving creation of a node. |
| 14433 | CVE-2008-0259 | 22 | | Dir. Trav. | 2008-01-15 | 2017-09-28 | 6.4 | None | Remote | Low | Not required | Partial / Partial / None | Multiple directory traversal vulnerabilities in _mg/php/mg_thumbs.php in minimal Gallery 0.8 allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) thumbcat and (2) thumb parameters. |
| 14434 | CVE-2008-0254 | 89 | | Exec Code Sql | 2008-01-15 | 2017-09-28 | 6.8 | None | Remote | Medium | Not required | Partial / Partial / Partial | SQL injection vulnerability in activate.php in TutorialCMS (aka Photoshop Tutorials) 1.02, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the userName parameter. |
| 14435 | CVE-2008-0237 | 20 | | Exec Code | 2008-01-10 | 2017-09-28 | 6.8 | User | Remote | Medium | Not required | Partial / Partial / Partial | The Microsoft Rich Textbox ActiveX Control (RICHTX32.OCX) 6.1.97.82 allows remote attackers to execute arbitrary commands by invoking the insecure SaveFile method. |
| 14436 | CVE-2008-0225 | 119 | | Exec Code Overflow | 2008-01-10 | 2011-10-17 | 6.4 | None | Remote | Low | Not required | Partial / Partial / None | Heap-based buffer overflow in the rmff_dump_cont function in input/libreal/rmff.c in xine-lib 1.1.9 and earlier allows remote attackers to execute arbitrary code via the SDP Abstract attribute in an RTSP session, related to the rmff_dump_header function and related to disregarding the max field. NOTE: some of these details are obtained from third party information. |
| 14437 | CVE-2008-0217 | 264 | | | 2008-01-15 | 2017-08-07 | 6.9 | None | Local | Medium | Not required | Complete / Complete / Complete | The script program in FreeBSD 5.0 through 7.0-PRERELEASE invokes openpty, which creates a pseudo-terminal with world-readable and world-writable permissions when it is not run as root, which allows local users to read data from the terminal of the user running script. |
| 14438 | CVE-2008-0210 | 287 | | Dir. Trav. Bypass | 2008-01-09 | 2017-09-28 | 6.4 | None | Remote | Low | Not required | Partial / Partial / None | Uebimiau Webmail 2.7.10 and 2.7.2 does not protect authentication state variables from being set through HTTP requests, which allows remote attackers to bypass authentication via a sess[auth]=1 parameter setting. NOTE: this can be leveraged to conduct directory traversal attacks without authentication by using CVE-2008-0140. |
| 14439 | CVE-2008-0184 | 22 | | Dir. Trav. | 2008-01-09 | 2018-10-15 | 6.4 | None | Remote | Low | Not required | Partial / Partial / None | Absolute path traversal vulnerability in index.php in Sys-Hotel on Line System allows remote attackers to read arbitrary files via an encoded "/" ("%2F") in the file parameter. |
| 14440 | CVE-2008-0169 | 264 | | Bypass | 2008-06-03 | 2017-08-07 | 6.8 | User | Remote | Medium | Not required | Partial / Partial / Partial | Plugin/passwordauth.pm (aka the passwordauth plugin) in ikiwiki 1.34 through 2.47 allows remote attackers to bypass authentication, and login to any account for which an OpenID identity is configured and a password is not configured, by specifying an empty password during the login sequence. |
| 14441 | CVE-2008-0159 | 89 | | Exec Code Sql | 2008-01-08 | 2017-09-28 | 6.8 | None | Remote | Medium | Not required | Partial / Partial / Partial | SQL injection vulnerability in index.php in eggBlog 3.1.0 and earlier allows remote attackers to execute arbitrary SQL commands via the eggblogpassword parameter in a cookie. |
| 14442 | CVE-2008-0150 | 287 | | Bypass | 2008-01-08 | 2018-10-15 | 6.8 | None | Remote | Medium | Not required | Partial / Partial / Partial | Unspecified vulnerability in the LDAP authentication feature in Aruba Mobility Controller 2.3.6.15, 2.5.2.11, 2.5.4.25, 2.5.5.7, 3.1.1.3, and 2.4.8.11-FIPS or earlier allows remote attackers to bypass authentication mechanisms and obtain management or VPN interface access. |
| 14443 | CVE-2008-0147 | 89 | | Exec Code Sql | 2008-01-08 | 2017-09-28 | 6.8 | None | Remote | Medium | Not required | Partial / Partial / Partial | SQL injection vulnerability in index.php in SmallNuke 2.0.4 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via (1) the user_email parameter and possibly (2) username parameter in a Members action. |
| 14444 | CVE-2008-0142 | 89 | | Exec Code Sql | 2008-01-08 | 2017-09-28 | 6.8 | None | Remote | Medium | Not required | Partial / Partial / Partial | Multiple SQL injection vulnerabilities in WebPortal CMS 0.6-beta allow remote attackers to execute arbitrary SQL commands via the user_name parameter to actions.php, and unspecified other vectors. |
| 14445 | CVE-2008-0140 | 22 | | Dir. Trav. | 2008-01-08 | 2017-09-28 | 6.4 | None | Remote | Low | Not required | Partial / Partial / None | Directory traversal vulnerability in error.php in Uebimiau Webmail 2.7.10 and 2.7.2 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the selected_theme parameter, a different vector than CVE-2007-3172. |
| 14446 | CVE-2008-0139 | 89 | | Exec Code Sql | 2008-01-08 | 2017-10-18 | 6.8 | None | Remote | Medium | Not required | Partial / Partial / Partial | Eval injection vulnerability in loudblog/inc/parse_old.php in Loudblog 0.8.0 and earlier allows remote attackers to execute arbitrary PHP code via the template parameter. |
| 14447 | CVE-2008-0138 | 89 | | Exec Code Sql File Inclusion | 2008-01-08 | 2017-09-28 | 6.8 | None | Remote | Medium | Not required | Partial / Partial / Partial | PHP remote file inclusion vulnerability in xoopsgallery/init_basic.php in the mod_gallery module for XOOPS, when register_globals is disabled, allows remote attackers to execute arbitrary PHP code via a URL in the GALLERY_BASEDIR parameter. |
| 14448 | CVE-2008-0129 | 89 | | Exec Code Sql | 2008-01-08 | 2017-09-28 | 6.8 | None | Remote | Medium | Not required | Partial / Partial / Partial | SQL injection vulnerability in starnet/addons/slideshow_full.php in Site@School 2.3.10 and earlier allows remote attackers to execute arbitrary SQL commands via the album_name parameter. |
| 14449 | CVE-2008-0099 | 89 | | Exec Code Sql | 2008-01-07 | 2017-09-28 | 6.8 | None | Remote | Medium | Not required | Partial / Partial / Partial | Multiple SQL injection vulnerabilities in MyPHP Forum 3.0 and earlier allow remote attackers to execute arbitrary SQL commands via the searchtext parameter to search.php, and unspecified other vectors. |
| 14450 | CVE-2008-0094 | 22 | | Dir. Trav. | 2008-01-07 | 2018-10-15 | 6.4 | None | Remote | Low | Not required | Partial / Partial / None | Multiple directory traversal vulnerabilities in MODx Content Management System 0.9.6.1 allow remote attackers to (1) include and execute arbitrary local files via a .. (dot dot) in the as_language parameter to assets/snippets/AjaxSearch/AjaxSearch.php, reached through index-ajax.php; and (2) read arbitrary local files via a .. (dot dot) in the file parameter to assets/js/htcmime.php. |