| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
14651 |
CVE-2009-2533 |
20 |
1
|
DoS |
2009-07-20 |
2018-10-10 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
rmserver in RealNetworks Helix Server and Helix Mobile Server before 13.0.0 allows remote attackers to cause a denial of service (daemon exit) via multiple RTSP SET_PARAMETER requests with empty DataConvertBuffer headers. |
|
14652 |
CVE-2009-2481 |
287 |
|
Bypass +Info |
2009-07-16 |
2017-08-16 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
mt-wizard.cgi in Six Apart Movable Type before 4.261, when global templates are not initialized, allows remote attackers to bypass access restrictions and (1) send e-mail to arbitrary addresses or (2) obtain sensitive information via unspecified vectors. |
|
14653 |
CVE-2009-2478 |
189 |
|
DoS |
2009-07-16 |
2009-08-07 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Mozilla Firefox 3.5 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via unspecified vectors, related to a "flash bug." |
|
14654 |
CVE-2009-2470 |
20 |
|
DoS |
2009-08-04 |
2017-09-18 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Mozilla Firefox before 3.0.12, and 3.5.x before 3.5.2, allows remote SOCKS5 proxy servers to cause a denial of service (data stream corruption) via a long domain name in a reply. |
|
14655 |
CVE-2009-2458 |
|
|
DoS |
2009-07-14 |
2017-08-16 |
5.4 |
None |
Remote |
High |
Not required |
None |
None |
Complete |
|
Unspecified vulnerability in Sun Fire V215 Server, when using XVR-100 graphic cards on system boards with part number 375-3463 and a hardware dash level -04 or later, allows remote attackers to cause a denial of service (panic) via unknown vectors. |
|
14656 |
CVE-2009-2457 |
94 |
|
DoS |
2009-07-14 |
2017-08-16 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The DS\NDSD component in Novell eDirectory 8.8 before SP5 allows remote attackers to cause a denial of service (crash) via a malformed bind LDAP packet. |
|
14657 |
CVE-2009-2456 |
|
|
DoS |
2009-07-14 |
2017-08-16 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The DS\NDSD component in Novell eDirectory 8.8 before SP5 allows remote attackers to cause a denial of service (ndsd core dump) via an LDAP request containing multiple . (dot) wildcard characters in the Relative Distinguished Name (RDN). |
|
14658 |
CVE-2009-2445 |
200 |
|
+Info |
2009-07-13 |
2011-08-29 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Oracle iPlanet Web Server (formerly Sun Java System Web Server or Sun ONE Web Server) 6.1 before SP12, and 7.0 through Update 6, when running on Windows, allows remote attackers to read arbitrary JSP files via an alternate data stream syntax, as demonstrated by a .jsp::$DATA URI. |
|
14659 |
CVE-2009-2443 |
264 |
|
+Info |
2009-07-13 |
2017-08-16 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Siteframe 3.2.3, and other 3.2.x versions, allows remote attackers to obtain configuration information via a direct request to phpinfo.php, which calls the phpinfo function. |
|
14660 |
CVE-2009-2435 |
255 |
|
|
2009-07-13 |
2009-07-13 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The Sametime server in IBM Lotus Instant Messaging and Web Conferencing 6.5.1 generates error messages for a failed logon attempt with different time delays depending on whether the user account exists, which allows remote attackers to enumerate valid usernames. |
|
14661 |
CVE-2009-2432 |
264 |
|
+Info |
2009-07-10 |
2018-10-10 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
WordPress and WordPress MU before 2.8.1 allow remote attackers to obtain sensitive information via a direct request to wp-settings.php, which reveals the installation path in an error message. |
|
14662 |
CVE-2009-2431 |
20 |
|
+Info |
2009-07-10 |
2018-10-10 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
WordPress 2.7.1 places the username of a post's author in an HTML comment, which allows remote attackers to obtain sensitive information by reading the HTML source. |
|
14663 |
CVE-2009-2426 |
|
|
|
2009-07-10 |
2017-08-16 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The connection_edge_process_relay_cell_not_open function in src/or/relay.c in Tor 0.2.x before 0.2.0.35 and 0.1.x before 0.1.2.8-beta allows exit relays to have an unspecified impact by causing controllers to accept DNS responses that redirect to an internal IP address via unknown vectors. NOTE: some of these details are obtained from third party information. |
|
14664 |
CVE-2009-2425 |
20 |
|
DoS |
2009-07-10 |
2017-08-16 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Tor before 0.2.0.35 allows remote attackers to cause a denial of service (application crash) via a malformed router descriptor. |
|
14665 |
CVE-2009-2421 |
20 |
|
DoS Exec Code |
2009-07-09 |
2018-10-10 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The CFCharacterSetInitInlineBuffer method in CoreFoundation.dll in Apple Safari 3.2.3 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly execute arbitrary code via a "high-bit character" in a URL fragment for an unspecified protocol. |
|
14666 |
CVE-2009-2420 |
20 |
|
DoS |
2009-07-09 |
2018-10-10 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
None |
Partial |
|
Apple Safari 3.2.3 does not properly implement the file: protocol handler, which allows remote attackers to read arbitrary files or cause a denial of service (launch of multiple Windows Explorer instances) via vectors involving an unspecified HTML tag, possibly a related issue to CVE-2009-1703. |
|
14667 |
CVE-2009-2409 |
310 |
|
|
2009-07-30 |
2018-10-10 |
5.1 |
None |
Remote |
High |
Not required |
Partial |
Partial |
Partial |
|
The Network Security Services (NSS) library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2 with X.509 certificates, which might allow remote attackers to spoof certificates by using MD2 design flaws to generate a hash collision in less than brute-force time. NOTE: the scope of this issue is currently limited because the amount of computation required is still large. |
|
14668 |
CVE-2009-2398 |
22 |
1
|
Dir. Trav. |
2009-07-09 |
2017-09-18 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Directory traversal vulnerability in test/index.php in PHP-Sugar 0.80 allows remote attackers to read arbitrary files via a ..// (dot dot slash slash) in the t parameter. |
|
14669 |
CVE-2009-2397 |
22 |
1
|
Dir. Trav. |
2009-07-09 |
2017-09-18 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Directory traversal vulnerability in download.php in Audio Article Directory allows remote attackers to read arbitrary files via directory traversal sequences in the file parameter. |
|
14670 |
CVE-2009-2381 |
255 |
|
|
2009-07-08 |
2018-10-10 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Gizmo 3.1.0.79 on Linux does not verify a server's SSL certificate, which allows remote servers to obtain the credentials of arbitrary users via a spoofed certificate. |
|
14671 |
CVE-2009-2374 |
255 |
|
|
2009-07-08 |
2009-07-08 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Drupal 5.x before 5.19 and 6.x before 6.13 does not properly sanitize failed login attempts for pages that contain a sortable table, which includes the username and password in links that can be read from (1) the HTTP referer header of external web sites that are visited from those links or (2) when page caching is enabled, the Drupal page cache. |
|
14672 |
CVE-2009-2336 |
16 |
1
|
|
2009-07-10 |
2018-11-08 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The forgotten mail interface in WordPress and WordPress MU before 2.8.1 exhibits different behavior for a password request depending on whether the user account exists, which allows remote attackers to enumerate valid usernames. NOTE: the vendor reportedly disputes the significance of this issue, indicating that the behavior exists for "user convenience." |
|
14673 |
CVE-2009-2335 |
16 |
1
|
|
2009-07-10 |
2018-11-08 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
WordPress and WordPress MU before 2.8.1 exhibit different behavior for a failed login attempt depending on whether the user account exists, which allows remote attackers to enumerate valid usernames. NOTE: the vendor reportedly disputes the significance of this issue, indicating that the behavior exists for "user convenience." |
|
14674 |
CVE-2009-2332 |
200 |
1
|
+Info |
2009-07-05 |
2017-09-18 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
CMS Chainuk 1.2 and earlier allows remote attackers to obtain sensitive information via (1) a crafted id parameter to index.php or (2) a nonexistent folder name in the id parameter to admin/admin_delete.php, which reveals the installation path in an error message. |
|
14675 |
CVE-2009-2329 |
200 |
1
|
+Info |
2009-07-05 |
2017-09-18 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
KerviNet Forum 1.1 and earlier allows remote attackers to obtain sensitive information via a direct request to (1) admin/head.php, or (2) voting_diagram.php, (3) voting.php, (4) topics_search.php, (5) topics_list.php, (6) top_part.php, (7) quick_search.php, (8) quick_reply.php, (9) moder_menu.php, (10) messages_list.php, (11) menu.php, (12) head.php, (13) forums_list.php, (14) forum_statistics.php, (15) forum_info.php, or (16) birthday.php in include_files/, which reveals the installation path in an error message. |
|
14676 |
CVE-2009-2325 |
22 |
1
|
Dir. Trav. |
2009-07-05 |
2017-09-18 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Directory traversal vulnerability in index.php in Clicknet CMS 2.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the side parameter. |
|
14677 |
CVE-2009-2323 |
352 |
|
CSRF |
2009-07-05 |
2018-10-10 |
5.8 |
None |
Remote |
Medium |
Not required |
None |
Partial |
Partial |
|
The web interface on the Axesstel MV 410R redirects users back to the referring page after execution of some CGI scripts, which makes it easier for remote attackers to avoid detection of cross-site request forgery (CSRF) attacks, as demonstrated by a redirect from the cgi-bin/wireless.cgi script. |
|
14678 |
CVE-2009-2319 |
310 |
|
+Info |
2009-07-05 |
2018-10-10 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The default configuration of the Wi-Fi component on the Axesstel MV 410R does not use encryption, which makes it easier for remote attackers to obtain sensitive information by sniffing the network. |
|
14679 |
CVE-2009-2304 |
20 |
|
+Info |
2009-07-02 |
2018-10-10 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
index.php in Aardvark Topsites PHP 5.2.0 and earlier allows remote attackers to obtain sensitive information via a nonexistent account name in the u parameter in a rate action, which reveals the installation path in an error message. |
|
14680 |
CVE-2009-2303 |
20 |
|
+Info |
2009-07-02 |
2018-10-10 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
index.php in Aardvark Topsites PHP 5.2.1 and earlier allows remote attackers to obtain sensitive information via a negative integer value for the start parameter in a search action, which reveals the installation path in an error message. |
|
14681 |
CVE-2009-2299 |
20 |
|
DoS |
2009-07-02 |
2018-10-10 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The Artofdefence Hyperguard Web Application Firewall (WAF) module before 2.5.5-11635, 3.0 before 3.0.3-11636, and 3.1 before 3.1.1-11637, a module for the Apache HTTP Server, allows remote attackers to cause a denial of service (memory consumption) via an HTTP request with a large Content-Length value but no POST data. |
|
14682 |
CVE-2009-2275 |
22 |
1
|
Dir. Trav. |
2009-07-01 |
2017-09-18 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Directory traversal vulnerability in frontend/x3/stats/lastvisit.html in cPanel allows remote attackers to read arbitrary files via a .. (dot dot) in the domain parameter. |
|
14683 |
CVE-2009-2273 |
310 |
|
+Info |
2009-07-01 |
2018-10-10 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The default configuration of the Wi-Fi component on the Huawei D100 does not use encryption, which makes it easier for remote attackers to obtain sensitive information by sniffing the network. |
|
14684 |
CVE-2009-2272 |
310 |
|
+Info |
2009-07-01 |
2018-10-10 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The Huawei D100 stores the administrator's account name and password in cleartext in a cookie, which allows context-dependent attackers to obtain sensitive information by (1) reading a cookie file, by (2) sniffing the network for HTTP headers, and possibly by using unspecified other vectors. |
|
14685 |
CVE-2009-2266 |
200 |
|
+Info |
2009-09-09 |
2009-09-10 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
OXID eShop 4.x before 4.1.4-21266, 3.x, and 2.x allows remote attackers to obtain sensitive information (session details and order history of other users) via a crafted cookie. |
|
14686 |
CVE-2009-2260 |
200 |
|
+Info |
2009-06-30 |
2010-06-13 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
stardict 3.0.1, when Enable Net Dict is configured, sends the contents of the clipboard to a dictionary server, which allows remote attackers to obtain sensitive information by sniffing the network. |
|
14687 |
CVE-2009-2229 |
22 |
1
|
Dir. Trav. |
2009-06-26 |
2017-09-18 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Directory traversal vulnerability in engine.php in Kasseler CMS 1.3.5 lite allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter during a download action, a different vector than CVE-2008-3087. NOTE: some of these details are obtained from third party information. |
|
14688 |
CVE-2009-2222 |
22 |
|
Dir. Trav. |
2009-06-26 |
2009-07-07 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Directory traversal vulnerability in PHP-I-BOARD 1.2 and earlier allows remote attackers to read arbitrary files via directory traversal sequences in unspecified vectors, probably related to mail. |
|
14689 |
CVE-2009-2220 |
22 |
1
|
Dir. Trav. |
2009-06-26 |
2017-09-18 |
5.1 |
None |
Remote |
High |
Not required |
Partial |
Partial |
Partial |
|
Multiple directory traversal vulnerabilities in Tribiq CMS 5.0.12c, when register_globals is enabled and magic_quotes_gpc is disabled, allow remote attackers to include and possibly execute arbitrary files via directory traversal sequences in the template_path parameter to (1) masthead.inc.php, (2) toppanel.inc.php, and (3) contact.inc.php in templates/mytribiqsite/tribiq-CL-9000/includes; and the use_template_family parameter to (4) templates/mytribiqsite/tribiq-CL-9000/includes/nlarlist_content.inc.php. NOTE: the tribal-GPL-1066/includes/header.inc.php vector is already covered by CVE-2008-4894. |
|
14690 |
CVE-2009-2214 |
399 |
|
DoS |
2009-06-25 |
2017-08-16 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The Secure Gateway service in Citrix Secure Gateway 3.1 and earlier allows remote attackers to cause a denial of service (CPU consumption) via an unspecified request. |
|
14691 |
CVE-2009-2212 |
|
|
|
2009-06-25 |
2009-07-01 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The CQWeb server in IBM Rational ClearQuest 7.0.0 before 7.0.0.6 and 7.0.1 before 7.0.1.5 allows attackers to discover a (1) username or (2) password via unspecified vectors. |
|
14692 |
CVE-2009-2199 |
|
|
|
2009-08-12 |
2012-03-30 |
5.8 |
None |
Remote |
Medium |
Not required |
None |
Partial |
Partial |
|
Incomplete blacklist vulnerability in WebKit in Apple Safari before 4.0.3, as used on iPhone OS before 3.1, iPhone OS before 3.1.1 for iPod touch, and other platforms, allows remote attackers to spoof domain names in URLs, and possibly conduct phishing attacks, via unspecified homoglyphs. |
|
14693 |
CVE-2009-2196 |
|
|
|
2009-08-12 |
2009-08-18 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Unspecified vulnerability in Apple Safari 4 before 4.0.3 allows remote web servers to place an arbitrary web site in the Top Sites view, and possibly conduct phishing attacks, via unknown vectors. |
|
14694 |
CVE-2009-2185 |
20 |
|
DoS |
2009-06-24 |
2017-09-28 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The ASN.1 parser (pluto/asn1.c, libstrongswan/asn1/asn1.c, libstrongswan/asn1/asn1_parser.c) in (a) strongSwan 2.8 before 2.8.10, 4.2 before 4.2.16, and 4.3 before 4.3.2; and (b) openSwan 2.6 before 2.6.22 and 2.4 before 2.4.15 allows remote attackers to cause a denial of service (pluto IKE daemon crash) via an X.509 certificate with (1) crafted Relative Distinguished Names (RDNs), (2) a crafted UTCTIME string, or (3) a crafted GENERALIZEDTIME string. |
|
14695 |
CVE-2009-2184 |
22 |
|
Dir. Trav. |
2009-06-23 |
2017-09-28 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Absolute path traversal vulnerability in forcedownload.php in Gravy Media Photo Host 1.0.8 allows remote attackers to read arbitrary files via an encoded "/" (slash) in the file parameter. |
|
14696 |
CVE-2009-2180 |
22 |
|
Dir. Trav. |
2009-06-23 |
2017-09-28 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Multiple directory traversal vulnerabilities in upfiles/index.php in Pc4 Uploader 10.0 and earlier allow remote attackers to read arbitrary files via (1) a .. (dot dot) or (2) absolute path in the file parameter. |
|
14697 |
CVE-2009-2174 |
|
|
DoS |
2009-06-23 |
2009-06-24 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
GUPnP 0.12.7 allows remote attackers to cause a denial of service (crash) via an empty (1) subscription or (2) control message. |
|
14698 |
CVE-2009-2166 |
22 |
|
Dir. Trav. |
2009-06-22 |
2018-10-10 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Absolute path traversal vulnerability in cvs.php in OCS Inventory NG before 1.02.1 on Unix allows remote attackers to read arbitrary files via a full pathname in the log parameter. |
|
14699 |
CVE-2009-2161 |
22 |
|
Dir. Trav. |
2009-06-22 |
2018-10-10 |
5.1 |
None |
Remote |
High |
Not required |
Partial |
Partial |
Partial |
|
Directory traversal vulnerability in backend/admin-functions.php in TorrentTrader Classic 1.09, when used on a case-insensitive web site, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the ss_uri parameter, in conjunction with a modified component name. |
|
14700 |
CVE-2009-2160 |
264 |
|
+Info |
2009-06-22 |
2018-10-10 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
TorrentTrader Classic 1.09 allows remote attackers to (1) obtain configuration information via a direct request to phpinfo.php, which calls the phpinfo function; and allows remote attackers to (2) obtain other potentially sensitive information via a direct request to check.php. |
