CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In August 2008

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
251 CVE-2008-3486 22 Dir. Trav. 2008-08-06 2017-09-28
7.5
None Remote Low Not required Partial Partial Partial
Directory traversal vulnerability in the user_get_profile function in include/functions.inc.php in Coppermine Photo Gallery (CPG) 1.4.18 and earlier, when the charset is utf-8, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the lang part of serialized data in an _data cookie.
252 CVE-2008-3485 264 +Priv 2008-08-06 2018-10-11
7.2
None Local Low Not required Complete Complete Complete
Untrusted search path vulnerability in Citrix MetaFrame Presentation Server allows local users to gain privileges via a malicious icabar.exe placed in the search path.
253 CVE-2008-3484 89 Exec Code Sql 2008-08-05 2017-09-28
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in eStoreAff 0.1 allows remote attackers to execute arbitrary SQL commands via the cid parameter in a showcat action to index.php.
254 CVE-2008-3483 79 XSS 2008-08-05 2017-08-07
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in ScrewTurn Wiki 2.0.29 and 2.0.30 allows remote attackers to inject arbitrary web script or HTML via error messages in the "/admin.aspx - System Log" page.
255 CVE-2008-3482 79 XSS 2008-08-05 2017-08-07
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the error page feature in Panasonic Network Camera BL-C111, BL-C131, BB-HCM511, BB-HCM531, BB-HCM580, BB-HCM581, BB-HCM527, and BB-HCM515 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
256 CVE-2008-3481 94 +Info 2008-08-05 2017-09-28
7.5
None Remote Low Not required Partial Partial Partial
themes/sample/theme.php in Coppermine Photo Gallery (CPG) 1.4.18 and earlier allows remote attackers to obtain sensitive information via a direct request, which reveals the installation path in an error message.
257 CVE-2008-3480 119 Exec Code Overflow 2008-08-29 2018-10-11
9.3
None Remote Medium Not required Complete Complete Complete
Stack-based buffer overflow in the Anzio Web Print Object (WePO) ActiveX control 3.2.19 and 3.2.24, as used in Anzio Print Wizard, allows remote attackers to execute arbitrary code via a long mainurl parameter.
258 CVE-2008-3460 399 Exec Code 2008-08-12 2018-10-12
9.3
None Remote Medium Not required Complete Complete Complete
WPGIMP32.FLT in Microsoft Office 2000 SP3, XP SP3, and 2003 SP2; Office Converter Pack; and Works 8 does not properly parse the length of a WordPerfect Graphics (WPG) file, which allows remote attackers to execute arbitrary code via a crafted WPG file, aka the "WPG Image File Heap Corruption Vulnerability."
259 CVE-2008-3459 16 Exec Code 2008-08-04 2017-08-07
7.6
None Remote High Not required Complete Complete Complete
Unspecified vulnerability in OpenVPN 2.1-beta14 through 2.1-rc8, when running on non-Windows systems, allows remote servers to execute arbitrary commands via crafted (1) lladdr and (2) iproute configuration directives, probably related to shell metacharacters.
260 CVE-2008-3458 200 +Info 2008-08-04 2017-11-22
5.0
None Remote Low Not required Partial None None
Vtiger CRM before 5.0.4 stores sensitive information under the web root with insufficient access control, which allows remote attackers to read mail merge templates via a direct request to the wordtemplatedownload directory.
261 CVE-2008-3457 79 XSS 2008-08-04 2017-08-07
2.6
None Remote High Not required None Partial None
Cross-site scripting (XSS) vulnerability in setup.php in phpMyAdmin before 2.11.8 allows user-assisted remote attackers to inject arbitrary web script or HTML via crafted setup arguments. NOTE: this issue can only be exploited in limited scenarios in which the attacker must be able to modify config/config.inc.php.
262 CVE-2008-3456 59 2008-08-04 2017-08-07
6.4
None Remote Low Not required None Partial Partial
phpMyAdmin before 2.11.8 does not sufficiently prevent its pages from using frames that point to pages in other domains, which makes it easier for remote attackers to conduct spoofing or phishing activities via a cross-site framing attack.
263 CVE-2008-3455 94 Exec Code File Inclusion 2008-08-04 2017-09-28
10.0
None Remote Low Not required Complete Complete Complete
PHP remote file inclusion vulnerability in include/admin.php in JnSHosts PHP Hosting Directory 2.0 allows remote attackers to execute arbitrary PHP code via a URL in the rd parameter.
264 CVE-2008-3454 264 Bypass 2008-08-04 2017-09-28
7.5
User Remote Low Not required Partial Partial Partial
JnSHosts PHP Hosting Directory 2.0 allows remote attackers to bypass authentication and gain administrative access by setting the "adm" cookie value to 1.
265 CVE-2008-3453 2008-08-04 2017-08-07
10.0
None Remote Low Not required Complete Complete Complete
Multiple unspecified vulnerabilities in ImpressCMS 1.0 have unknown impact and attack vectors, related to modules/admin.php and "a few files."
266 CVE-2008-3452 89 Exec Code Sql 2008-08-04 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in the Calendar module in eNdonesia 8.4 allows remote attackers to execute arbitrary SQL commands via the loc_id parameter in a list_events action to mod.php.
267 CVE-2008-3451 200 +Info 2008-08-04 2017-08-07
4.0
None Remote Low Single system Partial None None
PhpWebGallery 1.7.0 and 1.7.1 allows remote authenticated users with advisor privileges to obtain the real e-mail addresses of other users by editing the user's profile.
268 CVE-2008-3450 264 DoS +Priv 2008-08-04 2018-10-30
7.2
Admin Local Low Not required Complete Complete Complete
Unspecified vulnerability in the namefs kernel module in Sun Solaris 8 through 10 allows local users to gain privileges or cause a denial of service (panic) via unspecified vectors.
269 CVE-2008-3449 399 DoS 2008-08-04 2017-08-07
5.0
None Remote Low Not required None None Partial
MailEnable Professional 3.5.2 and Enterprise 3.52 allow remote attackers to cause a denial of service (crash) via multiple IMAP connection requests to the same folder.
270 CVE-2008-3448 79 XSS 2008-08-04 2018-10-11
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in index.php in common solutions csphonebook 1.02 allows remote attackers to inject arbitrary web script or HTML via the letter parameter.
271 CVE-2008-3447 399 DoS 2008-08-04 2017-09-28
5.0
None Remote Low Not required None None Partial
The scanning engine in F-Prot Antivirus 6.2.1 4252 allows remote attackers to cause a denial of service (infinite loop) via a malformed ZIP archive, probably related to invalid offsets.
272 CVE-2008-3446 22 Dir. Trav. 2008-08-04 2017-09-28
6.8
User Remote Medium Not required Partial Partial Partial
Directory traversal vulnerability in inc/wysiwyg.php in LetterIt 2 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the language parameter.
273 CVE-2008-3445 89 Exec Code Sql 2008-08-04 2017-09-28
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in index.php in phpMyRealty (PMR) 2.0.0 allows remote attackers to execute arbitrary SQL commands via the location parameter.
274 CVE-2008-3444 20 DoS 2008-08-04 2017-08-07
4.3
None Remote Medium Not required None None Partial
The content layout component in Mozilla Firefox 3.0 and 3.0.1 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted but well-formed web page that contains "a simple set of legitimate HTML tags."
275 CVE-2008-3443 399 DoS 2008-08-14 2018-10-03
5.0
None Remote Low Not required None None Partial
The regular expression engine (regex.c) in Ruby 1.8.5 and earlier, 1.8.6 through 1.8.6-p286, 1.8.7 through 1.8.7-p71, and 1.9 through r18423 allows remote attackers to cause a denial of service (infinite loop and crash) via multiple long requests to a Ruby socket, related to memory allocation failure, and as demonstrated against Webrick.
276 CVE-2008-3442 94 Exec Code 2008-08-01 2008-09-05
7.5
None Remote Low Not required Partial Partial Partial
WinZip before 11.0 does not properly verify the authenticity of updates, which allows man-in-the-middle attackers to execute arbitrary code via a Trojan horse update, as demonstrated by evilgrade and DNS cache poisoning.
277 CVE-2008-3441 94 Exec Code 2008-08-01 2018-11-01
7.5
User Remote Low Not required Partial Partial Partial
Nullsoft Winamp before 5.24 does not properly verify the authenticity of updates, which allows man-in-the-middle attackers to execute arbitrary code via a Trojan horse update, as demonstrated by evilgrade and DNS cache poisoning.
278 CVE-2008-3440 94 Exec Code 2008-08-01 2008-09-10
7.5
None Remote Low Not required Partial Partial Partial
Sun Java 1.6.0_03 and earlier versions, and possibly later versions, does not properly verify the authenticity of updates, which allows man-in-the-middle attackers to execute arbitrary code via a Trojan horse update, as demonstrated by evilgrade and DNS cache poisoning.
279 CVE-2008-3439 94 Exec Code 2008-08-01 2008-09-05
7.5
User Remote Low Not required Partial Partial Partial
SpeedBit Video Acceleration before 2.2.1.8 does not properly verify the authenticity of updates, which allows man-in-the-middle attackers to execute arbitrary code via a Trojan horse update, as demonstrated by evilgrade and DNS cache poisoning.
280 CVE-2008-3438 94 Exec Code 2008-08-01 2008-09-05
7.5
None Remote Low Not required Partial Partial Partial
Apple Mac OS X does not properly verify the authenticity of updates, which allows man-in-the-middle attackers to execute arbitrary code via a Trojan horse update, as demonstrated by evilgrade and DNS cache poisoning.
281 CVE-2008-3437 94 Exec Code 2008-08-01 2008-09-05
7.5
None Remote Low Not required Partial Partial Partial
OpenOffice.org (OOo) before 2.1.0 does not properly verify the authenticity of updates, which allows man-in-the-middle attackers to execute arbitrary code via a Trojan horse update, as demonstrated by evilgrade and DNS cache poisoning.
282 CVE-2008-3436 94 Exec Code 2008-08-01 2008-09-05
7.5
User Remote Low Not required Partial Partial Partial
The GUP generic update process in Notepad++ before 4.8.1 does not properly verify the authenticity of updates, which allows man-in-the-middle attackers to execute arbitrary code via a Trojan horse update, as demonstrated by evilgrade and DNS cache poisoning.
283 CVE-2008-3435 94 Exec Code 2008-08-01 2008-09-05
7.5
None Remote Low Not required Partial Partial Partial
LinkedIn Browser Toolbar 3.0.3.1100 and earlier does not properly verify the authenticity of updates, which allows man-in-the-middle attackers to execute arbitrary code via a Trojan horse update, as demonstrated by evilgrade and DNS cache poisoning.
284 CVE-2008-3434 94 Exec Code 2008-08-01 2017-09-28
7.5
User Remote Low Not required Partial Partial Partial
Apple iTunes before 10.5.1 does not properly verify the authenticity of updates, which allows man-in-the-middle attackers to execute arbitrary code via a Trojan horse update, as demonstrated by evilgrade and DNS cache poisoning.
285 CVE-2008-3433 94 Exec Code 2008-08-01 2008-09-05
7.5
None Remote Low Not required Partial Partial Partial
SpeedBit Download Accelerator Plus (DAP) before 8.6.3.9 does not properly verify the authenticity of updates, which allows man-in-the-middle attackers to execute arbitrary code via a Trojan horse update, as demonstrated by evilgrade and DNS cache poisoning.
286 CVE-2008-3431 264 +Priv 2008-08-05 2018-10-11
7.2
Admin Local Low Not required Complete Complete Complete
The VBoxDrvNtDeviceControl function in VBoxDrv.sys in Sun xVM VirtualBox before 1.6.4 uses the METHOD_NEITHER communication method for IOCTLs and does not properly validate a buffer associated with the Irp object, which allows local users to gain privileges by opening the \\.\VBoxDrv device and calling DeviceIoControl to send a crafted kernel address.
287 CVE-2008-3423 264 Bypass 2008-08-03 2017-08-07
7.5
User Remote Low Not required Partial Partial Partial
IBM WebSphere Portal 5.1 through 6.1.0.0 allows remote attackers to bypass authentication and obtain administrative access via unspecified vectors.
288 CVE-2008-3389 119 Overflow +Priv 2008-08-05 2018-10-11
4.6
None Local Low Not required Partial Partial Partial
Stack-based buffer overflow in the libbecompat library in Ingres 2.6, Ingres 2006 release 1 (aka 9.0.4), and Ingres 2006 release 2 (aka 9.1.0) on Linux and HP-UX allows local users to gain privileges by setting a long value of an environment variable before running (1) verifydb, (2) iimerge, or (3) csreport.
289 CVE-2008-3357 264 +Priv 2008-08-05 2018-10-11
7.2
Admin Local Low Not required Complete Complete Complete
Untrusted search path vulnerability in ingvalidpw in Ingres 2.6, Ingres 2006 release 1 (aka 9.0.4), and Ingres 2006 release 2 (aka 9.1.0) on Linux and HP-UX allows local users to gain privileges via a crafted shared library, related to a "pointer overwrite vulnerability."
290 CVE-2008-3356 264 2008-08-05 2018-10-11
4.6
User Local Low Not required Partial Partial Partial
verifydb in Ingres 2.6, Ingres 2006 release 1 (aka 9.0.4), and Ingres 2006 release 2 (aka 9.1.0) on Linux and other Unix platforms sets the ownership or permissions of an iivdb.log file without verifying that it is the application's own log file, which allows local users to overwrite arbitrary files by creating a symlink with an iivdb.log filename.
291 CVE-2008-3338 119 Exec Code Overflow 2008-08-13 2017-08-07
10.0
None Remote Low Not required Complete Complete Complete
Multiple buffer overflows in TIBCO Hawk (1) AMI C library (libtibhawkami) and (2) Hawk HMA (tibhawkhma), as used in TIBCO Hawk before 4.8.1; Runtime Agent (TRA) before 5.6.0; iProcess Engine 10.3.0 through 10.6.2 and 11.0.0; and Mainframe Service Tracker before 1.1.0 might allow remote attackers to execute arbitrary code via a crafted message.
292 CVE-2008-3337 20 2008-08-08 2017-08-07
6.4
None Remote Low Not required None Partial Partial
PowerDNS Authoritative Server before 2.9.21.1 drops malformed queries, which might make it easier for remote attackers to poison DNS caches of other products running on other servers, a different issue than CVE-2008-1447 and CVE-2008-3217.
293 CVE-2008-3324 94 Exec Code 2008-08-18 2018-10-11
7.6
None Remote High Not required Complete Complete Complete
The PartyGaming PartyPoker client program 121/120 does not properly verify the authenticity of updates, which allows remote man-in-the-middle attackers to execute arbitrary code via a Trojan horse update.
294 CVE-2008-3283 399 DoS 2008-08-29 2017-09-28
7.8
None Remote Low Not required None None Complete
Multiple memory leaks in Red Hat Directory Server 7.1 before SP7, Red Hat Directory Server 8, and Fedora Directory Server 1.1.1 and earlier allow remote attackers to cause a denial of service (memory consumption) via vectors involving (1) the authentication / bind phase and (2) anonymous LDAP search requests.
295 CVE-2008-3282 189 DoS Exec Code Overflow 2008-08-29 2017-09-28
9.3
None Remote Medium Not required Complete Complete Complete
Integer overflow in the rtl_allocateMemory function in sal/rtl/source/alloc_global.c in the memory allocator in OpenOffice.org (OOo) 2.4.1, on 64-bit platforms, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted document, related to a "numeric truncation error," a different vulnerability than CVE-2008-2152.
296 CVE-2008-3281 399 DoS 2008-08-27 2018-10-11
4.3
None Remote Medium Not required None None Partial
libxml2 2.6.32 and earlier does not properly detect recursion during entity expansion in an attribute value, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document.
297 CVE-2008-3276 189 DoS Overflow 2008-08-18 2018-10-30
7.1
None Remote Medium Not required None None Complete
Integer overflow in the dccp_setsockopt_change function in net/dccp/proto.c in the Datagram Congestion Control Protocol (DCCP) subsystem in the Linux kernel 2.6.17-rc1 through 2.6.26.2 allows remote attackers to cause a denial of service (panic) via a crafted integer value, related to Change L and Change R options without at least one byte in the dccpsf_val field.
298 CVE-2008-3275 399 DoS Overflow 2008-08-12 2018-10-30
4.9
None Local Low Not required None None Complete
The (1) real_lookup and (2) __lookup_hash functions in fs/namei.c in the vfs implementation in the Linux kernel before 2.6.25.15 do not prevent creation of a child dentry for a deleted (aka S_DEAD) directory, which allows local users to cause a denial of service ("overflow" of the UBIFS orphan area) via a series of attempted file creations within deleted directories.
299 CVE-2008-3273 264 +Info 2008-08-10 2017-08-07
5.0
None Remote Low Not required Partial None None
JBoss Enterprise Application Platform (aka JBossEAP or EAP) before 4.2.0.CP03, and 4.3.0 before 4.3.0.CP01, allows remote attackers to obtain sensitive information about "deployed web contexts" via a request to the status servlet, as demonstrated by a full=true query string.
300 CVE-2008-3272 189 +Info 2008-08-08 2018-10-30
6.6
None Local Low Not required Complete None Complete
The snd_seq_oss_synth_make_info function in sound/core/seq/oss/seq_oss_synth.c in the sound subsystem in the Linux kernel before 2.6.27-rc2 does not verify that the device number is within the range defined by max_synthdev before returning certain data to the caller, which allows local users to obtain sensitive information.
Total number of vulnerabilities : 367   Page : 1 2 3 4 5 6 (This Page)7 8
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.