CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities Published In April 2009

# | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.
151 CVE-2009-1277 89 Exec Code Sql 2009-04-09 2017-09-28
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in index.php in Gravity Board X (GBX) 2.0 BETA allows remote attackers to execute arbitrary SQL commands via the member_id parameter in a viewprofile action. NOTE: the board_id issue is already covered by CVE-2008-2996.2.
152 CVE-2009-1276 200 +Info 2009-04-09 2009-08-11
2.1
None Local Low Not required Partial None None
XScreenSaver in Sun Solaris 10 and OpenSolaris before snv_109, and Solaris 8 and 9 with GNOME 2.0 or 2.0.2, allows physically proximate attackers to obtain sensitive information by reading popup windows, which are displayed even when the screen is locked, as demonstrated by Thunderbird new-mail notifications.
153 CVE-2009-1275 XSS +Info 2009-04-09 2009-04-29
6.8
None Remote Medium Not required Partial Partial Partial
Apache Tiles 2.1 before 2.1.2, as used in Apache Struts and other products, evaluates Expression Language (EL) expressions twice in certain circumstances, which allows remote attackers to conduct cross-site scripting (XSS) attacks or obtain sensitive information via unspecified vectors, related to the (1) tiles:putAttribute and (2) tiles:insertTemplate JSP tags.
154 CVE-2009-1274 119 Exec Code Overflow 2009-04-08 2018-10-10
5.0
None Remote Low Not required None None Partial
Integer overflow in the qt_error parse_trak_atom function in demuxers/demux_qt.c in xine-lib 1.1.16.2 and earlier allows remote attackers to execute arbitrary code via a Quicktime movie file with a large count value in an STTS atom, which triggers a heap-based buffer overflow.
155 CVE-2009-1273 255 2009-04-08 2009-05-13
5.0
None Remote Low Not required Partial None None
pam_ssh 1.92 and possibly other versions, as used when PAM is compiled with USE=ssh, generates different error messages depending on whether the username is valid or invalid, which makes it easier for remote attackers to enumerate usernames.
156 CVE-2009-1272 20 DoS 2009-04-08 2009-09-16
5.0
None Remote Low Not required None None Partial
The php_zip_make_relative_path function in php_zip.c in PHP 5.2.x before 5.2.9 allows context-dependent attackers to cause a denial of service (crash) via a ZIP file that contains filenames with relative paths, which is not properly handled during extraction.
157 CVE-2009-1271 DoS 2009-04-08 2018-10-03
5.0
None Remote Low Not required None None Partial
The JSON_parser function (ext/json/JSON_parser.c) in PHP 5.2.x before 5.2.9 allows remote attackers to cause a denial of service (segmentation fault) via a malformed string to the json_decode API function.
158 CVE-2009-1270 94 DoS 2009-04-08 2017-08-16
7.8
None Remote Low Not required None None Complete
libclamav/untar.c in ClamAV before 0.95 allows remote attackers to cause a denial of service (infinite loop) via a crafted TAR file that causes (1) clamd and (2) clamscan to hang.
159 CVE-2009-1269 DoS 2009-04-13 2018-10-10
5.0
None Remote Low Not required None None Partial
Unspecified vulnerability in Wireshark 0.99.6 through 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted Tektronix .rf5 file.
160 CVE-2009-1268 20 DoS 2009-04-13 2018-10-10
4.3
None Remote Medium Not required None None Partial
The Check Point High-Availability Protocol (CPHAP) dissector in Wireshark 0.9.6 through 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted FWHA_MY_STATE packet.
161 CVE-2009-1267 DoS 2009-04-13 2018-10-10
5.0
None Remote Low Not required None None Partial
Unspecified vulnerability in the LDAP dissector in Wireshark 0.99.2 through 1.0.6, when running on Windows, allows remote attackers to cause a denial of service (crash) via unknown attack vectors.
162 CVE-2009-1266 2009-04-21 2018-10-10
10.0
None Remote Low Not required Complete Complete Complete
Unspecified vulnerability in Wireshark before 1.0.7 has unknown impact and attack vectors.
163 CVE-2009-1265 189 Overflow +Info 2009-04-07 2012-03-23
5.0
None Remote Low Not required Partial None None
Integer overflow in rose_sendmsg (sys/net/af_rose.c) in the Linux kernel 2.6.24.4, and other versions before 2.6.30-rc1, might allow remote attackers to obtain sensitive information via a large length value, which causes "garbage" memory to be sent.
164 CVE-2009-1264 264 +Info 2009-04-07 2009-04-08
4.0
None Remote Low Single system Partial None None
Frontend User Registration (sr_feuser_register) extension 2.5.20 and earlier for TYPO3 does not properly verify access rights, which allows remote authenticated users to obtain sensitive information such as passwords via unknown attack vectors.
165 CVE-2009-1263 89 Exec Code Sql 2009-04-07 2017-09-28
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in sub_commententry.php in the BookJoomlas (com_bookjoomlas) component 0.1 for Joomla! allows remote attackers to execute arbitrary SQL commands via the gbid parameter in a comment action to index.php.
166 CVE-2009-1262 134 Exec Code 2009-04-07 2018-10-10
7.2
Admin Local Low Not required Complete Complete Complete
Format string vulnerability in Fortinet FortiClient 3.0.614, and possibly earlier, allows local users to execute arbitrary code via format string specifiers in the VPN connection name.
167 CVE-2009-1261 79 XSS 2009-04-07 2017-08-16
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Web Help Desk 9.1.22 (evaluation version) allow remote attackers to inject arbitrary web script or HTML via the (1) Report Name, (2) Asset No., and (3) Full Name fields in a Models action. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
168 CVE-2009-1260 119 DoS Exec Code Overflow 2009-04-07 2017-09-28
9.3
None Remote Medium Not required Complete Complete Complete
Multiple stack-based buffer overflows in UltraISO 9.3.3.2685 and earlier allow remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted (1) CCD or (2) IMG file.
169 CVE-2009-1259 89 Exec Code Sql 2009-04-07 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in inc/bb/topic.php in Insane Visions AdaptBB 1.0, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the topic_id parameter in a topic action to index.php.
170 CVE-2009-1258 89 Exec Code Sql 2009-04-07 2017-08-16
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the RD-Autos (com_rdautos) component 1.5.7 for Joomla! allows remote attackers to execute arbitrary SQL commands via the makeid parameter in index.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
171 CVE-2009-1257 119 DoS Exec Code Overflow 2009-04-07 2017-09-28
9.0
None Remote Low Not required Partial Partial Complete
Heap-based buffer overflow in Magic ISO Maker 5.5 build 0274 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted CCD file.
172 CVE-2009-1256 89 Exec Code Sql 2009-04-07 2017-09-28
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in FlexCMS 2.5 allows remote attackers to execute arbitrary SQL commands via the ItemId parameter. NOTE: some of these details are obtained from third party information.
173 CVE-2009-1255 200 +Info 2009-04-30 2018-10-10
5.0
None Remote Low Not required Partial None None
The process_stat function in (1) Memcached before 1.2.8 and (2) MemcacheDB 1.2.0 discloses (a) the contents of /proc/self/maps in response to a stats maps command and (b) memory-allocation statistics in response to a stats malloc command, which allows remote attackers to obtain sensitive information such as the locations of memory regions, and defeat ASLR protection, by sending a command to the daemon's TCP port.
174 CVE-2009-1254 20 Exec Code 2009-04-08 2009-04-16
6.8
None Remote Medium Not required Partial Partial Partial
James Stone Tunapie 2.1 allows remote attackers to execute arbitrary commands via shell metacharacters in a stream URL.
175 CVE-2009-1253 59 2009-04-08 2009-04-16
4.4
None Local Medium Not required Partial Partial Partial
James Stone Tunapie 2.1 allows local users to overwrite arbitrary files via a symlink attack on an unspecified temporary file.
176 CVE-2009-1251 119 DoS Exec Code Overflow 2009-04-08 2011-01-26
10.0
None Remote Low Not required Complete Complete Complete
Heap-based buffer overflow in the cache manager in the client in OpenAFS 1.0 through 1.4.8 and 1.5.0 through 1.5.58 on Unix platforms allows remote attackers to cause a denial of service (system crash) or possibly execute arbitrary code via an RX response containing more data than specified in a request, related to use of XDR arrays.
177 CVE-2009-1250 189 DoS 2009-04-08 2011-01-26
7.8
None Remote Low Not required None None Complete
The cache manager in the client in OpenAFS 1.0 through 1.4.8 and 1.5.0 through 1.5.58, and IBM AFS 3.6 before Patch 19, on Linux allows remote attackers to cause a denial of service (system crash) via an RX response with a large error-code value that is interpreted as a pointer and dereferenced, related to use of the ERR_PTR macro.
178 CVE-2009-1249 79 XSS 2009-04-06 2009-04-07
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Feed element mapper 5.x before 5.x-1.1, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via the content title in admin/content/node-type/nodetype/map.
179 CVE-2009-1248 94 Exec Code File Inclusion 2009-04-06 2017-09-28
7.5
None Remote Low Not required Partial Partial Partial
Multiple PHP remote file inclusion vulnerabilities in Acute Control Panel 1.0.0 allow remote attackers to execute arbitrary PHP code via a URL in the theme_directory parameter to (1) container.php and (2) header.php in themes/.
180 CVE-2009-1247 89 Exec Code Sql 2009-04-06 2017-09-28
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in login.php in Acute Control Panel 1.0.0 allows remote attackers to execute arbitrary SQL commands via the username parameter.
181 CVE-2009-1246 22 Dir. Trav. 2009-04-06 2017-09-28
7.5
None Remote Low Not required Partial Partial Partial
Multiple directory traversal vulnerabilities in Blogplus 1.0 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the (1) row_mysql_blocks_center_down[file] parameter to includes/block_center_down.php; (2) row_mysql_blocks_center_top[file] parameter to includes/block_center_top.php; (3) row_mysql_blocks_left[file] parameter to includes/block_left.php; (4) row_mysql_blocks_right[file] parameter to includes/block_right.php; and row_mysql_bloginfo[theme] parameter to (5) includes/window_down.php and (6) includes/window_top.php.
182 CVE-2009-1245 89 Exec Code Sql 2009-04-06 2017-08-16
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in the insert_to_pastebin function in php/cccp-admin/inc/functions.php in CCCP Community Clan Portal Pastebin before 2.80 allow remote attackers to execute arbitrary SQL commands via the (1) subject, (2) language, and (3) nickname parameters to php/cccp-pages/submit.php. NOTE: some of these details are obtained from third party information.
183 CVE-2009-1244 Exec Code 2009-04-13 2018-10-30
6.8
Admin Local Low Single system Complete Complete Complete
Unspecified vulnerability in the virtual machine display function in VMware Workstation 6.5.1 and earlier; VMware Player 2.5.1 and earlier; VMware ACE 2.5.1 and earlier; VMware Server 1.x before 1.0.9 build 156507 and 2.x before 2.0.1 build 156745; VMware Fusion before 2.0.4 build 159196; VMware ESXi 3.5; and VMware ESX 3.0.2, 3.0.3, and 3.5 allows guest OS users to execute arbitrary code on the host OS via unknown vectors, a different vulnerability than CVE-2008-4916.
184 CVE-2009-1243 16 DoS 2009-04-06 2017-08-16
4.9
None Local Low Not required None None Complete
net/ipv4/udp.c in the Linux kernel before 2.6.29.1 performs an unlocking step in certain incorrect circumstances, which allows local users to cause a denial of service (panic) by reading zero bytes from the /proc/net/udp file and unspecified other files, related to the "udp seq_file infrastructure."
185 CVE-2009-1242 264 DoS 2009-04-06 2018-10-10
4.9
None Local Low Not required None None Complete
The vmx_set_msr function in arch/x86/kvm/vmx.c in the VMX implementation in the KVM subsystem in the Linux kernel before 2.6.29.1 on the i386 platform allows guest OS users to cause a denial of service (OOPS) by setting the EFER_LME (aka "Long mode enable") bit in the Extended Feature Enable Register (EFER) model-specific register, which is specific to the x86_64 platform.
186 CVE-2009-1241 20 Bypass 2009-04-03 2018-10-10
7.5
None Remote Low Not required Partial Partial Partial
Unspecified vulnerability in ClamAV before 0.95 allows remote attackers to bypass detection of malware via a modified RAR archive.
187 CVE-2009-1240 Bypass 2009-04-03 2018-10-10
10.0
None Remote Low Not required Complete Complete Complete
Unspecified vulnerability in the IBM Proventia engine 4.9.0.0.44 20081231, as used in IBM Proventia Network Mail Security System, Network Mail Security System Virtual Appliance, Desktop Endpoint Security, Network Multi-Function Security (MFS), and possibly other products, allows remote attackers to bypass detection of malware via a modified RAR archive.
188 CVE-2009-1239 200 +Info 2009-04-03 2017-08-16
5.0
None Remote Low Not required Partial None None
IBM DB2 9.1 before FP7 returns incorrect query results in certain situations related to the order of application of an INNER JOIN predicate and an OUTER JOIN predicate, which might allow attackers to obtain sensitive information via a crafted query.
189 CVE-2009-1238 362 DoS Mem. Corr. 2009-04-02 2017-09-28
7.2
None Local Low Not required Complete Complete Complete
Race condition in the HFS vfs sysctl interface in XNU 1228.8.20 and earlier on Apple Mac OS X 10.5.6 and earlier allows local users to cause a denial of service (kernel memory corruption) by simultaneously executing the same HFS_SET_PKG_EXTENSIONS code path in multiple threads, which is problematic because of lack of mutex locking for an unspecified global variable.
190 CVE-2009-1237 399 DoS 2009-04-02 2017-09-28
4.9
None Local Low Not required None None Complete
Multiple memory leaks in XNU 1228.3.13 and earlier on Apple Mac OS X 10.5.6 and earlier allow local users to cause a denial of service (kernel memory consumption) via a crafted (1) SYS_add_profil or (2) SYS___mac_getfsstat system call.
191 CVE-2009-1236 119 DoS Overflow 2009-04-02 2017-09-28
10.0
None Remote Low Not required Complete Complete Complete
Heap-based buffer overflow in the AppleTalk networking stack in XNU 1228.3.13 and earlier on Apple Mac OS X 10.5.6 and earlier allows remote attackers to cause a denial of service (system crash) via a ZIP NOTIFY (aka ZIPOP_NOTIFY) packet that overwrites a certain ifPort structure member.
192 CVE-2009-1235 264 +Priv 2009-04-02 2017-09-28
7.2
None Local Low Not required Complete Complete Complete
XNU 1228.9.59 and earlier on Apple Mac OS X 10.5.6 and earlier does not properly restrict interaction between user space and the HFS IOCTL handler, which allows local users to overwrite kernel memory and gain privileges by attaching an HFS+ disk image and performing certain steps involving HFS_GET_BOOT_INFO fcntl calls.
193 CVE-2009-1234 20 DoS 2009-04-02 2017-09-28
4.3
None Remote Medium Not required None None Partial
Opera 9.64 allows remote attackers to cause a denial of service (application crash) via an XML document containing a long series of start-tags with no corresponding end-tags. NOTE: it was later reported that 9.52 is also affected.
194 CVE-2009-1233 20 DoS 2009-04-02 2017-09-28
4.3
None Remote Medium Not required None None Partial
Apple Safari 3.2.2 and 4 Beta on Windows allows remote attackers to cause a denial of service (application crash) via an XML document containing many nested A elements.
195 CVE-2009-1232 20 DoS Mem. Corr. 2009-04-02 2017-09-28
4.3
None Remote Medium Not required None None Partial
Mozilla Firefox 3.0.8 and earlier 3.0.x versions allows remote attackers to cause a denial of service (memory corruption) via an XML document composed of a long series of start-tags with no corresponding end-tags. NOTE: it was later reported that 3.0.10 and earlier are also affected.
196 CVE-2009-1231 2009-04-02 2009-04-16
10.0
None Remote Low Not required Complete Complete Complete
Unspecified vulnerability in the eClient in IBM DB2 Content Manager 8.4.1 before 8.4.1.1 has unknown impact and attack vectors.
197 CVE-2009-1230 94 2009-04-02 2017-09-28
6.5
None Remote Low Single system Partial Partial Partial
Static code injection vulnerability in index.php in Podcast Generator 1.1 and earlier allows remote authenticated administrators to inject arbitrary PHP code into config.php via the recent parameter in a config change action.
198 CVE-2009-1229 89 Exec Code Sql 2009-04-02 2017-09-28
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in Arcadwy Arcade Script allows remote attackers to execute arbitrary SQL commands via the user cookie parameter.
199 CVE-2009-1228 79 XSS 2009-04-02 2017-09-28
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in register.php in Arcadwy Arcade Script CMS allows remote attackers to inject arbitrary web script or HTML via the username field (user_name parameter).
200 CVE-2009-1227 119 DoS Exec Code Overflow 2009-04-02 2018-10-10
10.0
None Remote Low Not required Complete Complete Complete
** DISPUTED ** NOTE: this issue has been disputed by the vendor. Buffer overflow in the PKI Web Service in Check Point Firewall-1 PKI Web Service allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long (1) Authorization or (2) Referer HTTP header to TCP port 18624. NOTE: the vendor has disputed this issue, stating "Check Point Security Alert Team has analyzed this report. We've tried to reproduce the attack on all VPN-1 versions from NG FP2 and above with and without HFAs. The issue was not reproduced. We have conducted a thorough analysis of the relevant code and verified that we are secure against this attack. We consider this attack to pose no risk to Check Point customers." In addition, the original researcher, whose reliability is unknown as of 20090407, also states that the issue "was discovered during a pen-test where the client would not allow further analysis."
Total number of vulnerabilities: 566 (this is page 4 of 12)