CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 3 and 3.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
3901 CVE-2009-4664 59 +Priv 2010-03-03 2017-08-16
3.3
None Local Medium Not required None Partial Partial
Firewall Builder 3.0.4, 3.0.5, and 3.0.6, when running on Linux, allows local users to gain privileges via a symlink attack on an unspecified temporary file that is created by the iptables script.
3902 CVE-2009-4567 79 2 XSS 2010-01-05 2017-08-16
3.5
None Remote Medium Single system None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in editprofile.php in Viscacha 0.8 Gold allow remote authenticated users to inject arbitrary web script or HTML via the (1) skype, (2) yahoo, (3) aol, (4) msn, or (5) jabber parameter in a profile2 action. NOTE: some of these details are obtained from third party information.
3903 CVE-2009-4559 79 XSS 2010-01-04 2017-08-16
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in the Submitted By module 6.x before 6.x-1.3 for Drupal allows remote authenticated users, with "administer content types" privileges, to inject arbitrary web script or HTML via an input string for "submitted by" text.
3904 CVE-2009-4532 79 XSS 2009-12-31 2017-08-16
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in the Webform module 5.x before 5.x-2.8 and 6.x before 6.x-2.8, a module for Drupal, allows remote authenticated users, with webform creation privileges, to inject arbitrary web script or HTML via a field label.
3905 CVE-2009-4514 79 XSS 2009-12-31 2010-01-11
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in the OpenSocial Shindig-Integrator module 5.x and 6.x before 6.x-2.1, a module for Drupal, allows remote authenticated users, with "create application" privileges, to inject arbitrary web script or HTML via unspecified vectors.
3906 CVE-2009-4513 79 XSS 2009-12-31 2017-08-16
3.5
None Remote Medium Single system None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the Workflow module 5.x before 5.x-2.4 and 6.x before 6.x-1.2, a module for Drupal, allow remote authenticated users, with "administer workflow" privileges, to inject arbitrary web script or HTML via the name of a (1) workflow or (2) workflow state.
3907 CVE-2009-4454 59 2009-12-29 2018-10-10
3.3
None Local Medium Not required None Partial Partial
vccleaner in VideoCache 1.9.2 allows local users with Squid proxy user privileges to overwrite arbitrary files via a symlink attack on /var/log/videocache/vccleaner.log.
3908 CVE-2009-4429 79 XSS 2009-12-28 2017-08-16
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in the Sections module 5.x before 5.x-1.3 and 6.x before 6.x-1.3 for Drupal allows remote authenticated users with "administer sections" privileges to inject arbitrary web script or HTML via a section name (aka the Name field).
3909 CVE-2009-4411 264 2009-12-24 2017-08-16
3.7
None Local High Not required Partial Partial Partial
The (1) setfacl and (2) getfacl commands in XFS acl 2.2.47, when running in recursive (-R) mode, follow symbolic links even when the --physical (aka -P) or -L option is specified, which might allow local users to modify the ACL for arbitrary files or directories via a symlink attack.
3910 CVE-2009-4371 79 XSS 2009-12-21 2017-08-16
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in the Locale module (modules/locale/locale.module) in Drupal Core 6.14, and possibly other versions including 6.15, allows remote authenticated users with "administer languages" permissions to inject arbitrary web script or HTML via the (1) Language name in English or (2) Native language name fields in the Custom language form.
3911 CVE-2009-4370 79 XSS 2009-12-21 2017-08-16
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in the Menu module (modules/menu/menu.admin.inc) in Drupal Core 6.x before 6.15 allows remote authenticated users with permissions to create new menus to inject arbitrary web script or HTML via a menu description, which is not properly handled in the menu administration overview.
3912 CVE-2009-4369 79 XSS 2009-12-21 2017-08-16
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in the Contact module (modules/contact/contact.admin.inc or modules/contact/contact.module) in Drupal Core 5.x before 5.21 and 6.x before 6.15 allows remote authenticated users with "administer site-wide contact form" permissions to inject arbitrary web script or HTML via the contact category name.
3913 CVE-2009-4237 79 XSS 2009-12-10 2009-12-19
3.5
None Remote Medium Single system None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in TestLink before 1.8.5 allow remote attackers to inject arbitrary web script or HTML via (1) the req parameter to login.php, and allow remote authenticated users to inject arbitrary web script or HTML via (2) the key parameter to lib/general/staticPage.php, (3) the tableName parameter to lib/attachments/attachmentupload.php, or the (4) startDate, (5) endDate, or (6) logLevel parameter to lib/events/eventviewer.php; (7) the search_notes_string parameter to lib/results/resultsMoreBuilds_buildReport.php; or the (8) expected_results, (9) name, (10) steps, or (11) summary parameter in a find action to lib/testcases/searchData.php, related to lib/functions/database.class.php.
3914 CVE-2009-4193 59 2009-12-03 2017-08-16
3.3
None Local Medium Not required None Partial Partial
Merkaartor 0.14 allows local users to append data to arbitrary files via a symlink attack on the /tmp/merkaartor.log temporary file.
3915 CVE-2009-4159 79 XSS 2009-12-02 2009-12-08
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in the newsletter configuration feature in the backend module in the Direct Mail (direct_mail) extension 2.6.4 and earlier for TYPO3 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
3916 CVE-2009-4116 22 Exec Code Dir. Trav. 2009-11-30 2018-10-10
3.5
None Remote Medium Single system Partial None None
Multiple directory traversal vulnerabilities in CutePHP CuteNews 1.4.6, when magic_quotes_gpc is disabled, allow remote authenticated users with editor or administrative application access to read arbitrary files via a .. (dot dot) in the source parameter in a (1) list or (2) editnews action to the Editnews module, and (3) the save_con[skin] parameter in the Options module. NOTE: vector 3 can be leveraged for code execution by using a .. to include and execute arbitrary local files.
3917 CVE-2009-4105 20 DoS 2009-11-29 2018-10-10
3.5
None Remote Medium Single system None None Partial
TYPSoft FTP Server 1.10 allows remote authenticated users to cause a denial of service (crash) by sending an APPE (append) command immediately followed by a DELE (delete) command without sending file data in between these two commands.
3918 CVE-2009-3891 79 XSS 2009-11-17 2017-11-22
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in wp-admin/press-this.php in WordPress before 2.8.6 allows remote authenticated users to inject arbitrary web script or HTML via the s parameter (aka the selection variable).
3919 CVE-2009-3782 200 +Info 2009-10-26 2017-08-16
3.5
None Remote Medium Single system Partial None None
Unspecified vulnerability in Userpoints 6.x before 6.x-1.1, a module for Drupal, allows remote authenticated users with "View own userpoints" permissions to read the userpoint data of arbitrary users via unknown attack vectors.
3920 CVE-2009-3653 79 XSS 2009-10-09 2017-08-16
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in the additional links interface in XML Sitemap 5.x-1.6, a module for Drupal, allows remote authenticated users, with "administer site configuration" permission, to inject arbitrary web script or HTML via unspecified vectors, related to link path output.
3921 CVE-2009-3652 79 XSS 2009-10-09 2017-08-16
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in Organic Groups (OG) 5.x-7.x before 5.x-7.4, 5.x-8.x before 5.x-8.1, and 6.x-1.x before 6.x-1.4, a module for Drupal, allows remote authenticated users, with create or edit group nodes permissions, to inject arbitrary web script or HTML via the User-Agent HTTP header, a different issue than CVE-2008-3095.
3922 CVE-2009-3648 79 XSS 2009-10-09 2017-08-16
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in Service Links 6.x-1.0, a module for Drupal, allows remote authenticated users, with 'administer content types' permissions, to inject arbitrary web script or HTML via unspecified vectors when displaying content type names.
3923 CVE-2009-3629 79 XSS 2009-11-02 2017-08-16
3.5
None Remote Medium Single system None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the Backend subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
3924 CVE-2009-3581 79 XSS 2009-12-23 2018-10-10
3.5
None Remote Medium Single system None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in SQL-Ledger 2.8.24 allow remote authenticated users to inject arbitrary web script or HTML via (1) the DCN Description field in the Accounts Receivables menu item for Add Transaction, (2) the Description field in the Accounts Payable menu item for Add Transaction, or the name field in (3) the Customers menu item for Add Customer or (4) the Vendor menu item for Add Vendor.
3925 CVE-2009-3487 79 XSS 2009-09-30 2009-10-02
3.5
None Remote Medium Single system None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the J-Web interface in Juniper JUNOS 8.5R1.14 allow remote authenticated users to inject arbitrary web script or HTML via (1) the JEXEC_OUTID parameter in a JEXEC_MODE_RELAY_OUTPUT action to the jexec program; the (2) act, (3) refresh-time, or (4) ifid parameter to scripter.php; (5) the revision parameter in a rollback action to the configuration program; the m[] parameter to the (6) monitor, (7) manage, (8) events, (9) configuration, or (10) alarms program; (11) the m[] parameter to the default URI; (12) the m[] parameter in a browse action to the default URI; (13) the wizard-next parameter in an https action to the configuration program; or the (14) Contact Information, (15) System Description, (16) Local Engine ID, (17) System Location, or (18) System Name Override SNMP parameter, related to the configuration program.
3926 CVE-2009-3486 79 XSS 2009-09-30 2009-10-05
3.5
None Remote Medium Single system None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the J-Web interface in Juniper JUNOS 8.5R1.14 allow remote authenticated users to inject arbitrary web script or HTML via the host parameter to (1) the pinghost program, reachable through the diagnose program; or (2) the traceroute program, reachable through the diagnose program; or (3) the probe-limit parameter to the configuration program; the (4) wizard-ids or (5) pager-new-identifier parameter in a firewall-filters action to the configuration program; (6) the cos-physical-interface-name parameter in a cos-physical-interfaces-edit action to the configuration program; the (7) wizard-args or (8) wizard-ids parameter in an snmp action to the configuration program; the (9) username or (10) fullname parameter in a users action to the configuration program; or the (11) certname or (12) certbody parameter in a local-cert (aka https) action to the configuration program.
3927 CVE-2009-3413 2010-01-12 2016-11-23
3.2
None Remote High Multiple systems Partial Partial None
Unspecified vulnerability in the Oracle Spatial component in Oracle Database 9.2.0.8, 9.2.0.8DV, 10.1.0.5, and 10.2.0.3 allows remote authenticated users to affect confidentiality and integrity via unknown vectors, a different vulnerability than CVE-2008-3976 and CVE-2009-3414.
3928 CVE-2009-3410 2010-01-12 2012-10-22
3.6
None Remote High Single system Partial Partial None
Unspecified vulnerability in the RDBMS component in Oracle Database 11.1.0.7, 10.2.0.3, 10.2.0.4, 10.1.0.5, 9.2.0.8, and 9.2.0.8DV allows remote authenticated users to affect confidentiality and integrity via unknown vectors.
3929 CVE-2009-3409 2009-10-22 2012-10-22
3.6
None Remote High Single system Partial Partial None
Unspecified vulnerability in the PeopleSoft Enterprise HCM (TAM) component in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 9.0 Bundle 10 allows remote authenticated users to affect confidentiality and integrity via unknown vectors.
3930 CVE-2009-3304 59 2009-12-04 2009-12-07
3.3
None Local Medium Not required None Partial Partial
GForge 4.5.14, 4.7 rc2, and 4.8.2 allows local users to overwrite arbitrary files via a symlink attack on authorized_keys files in users' home directories, related to deb-specific/ssh_dump_update.pl and cronjobs/cvs-cron/ssh_create.php.
3931 CVE-2009-3262 79 XSS 2009-09-18 2009-09-21
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in the Self Service UI (SSUI) in IBM Tivoli Identity Manager (ITIM) 5.0.0.5 allows remote authenticated users to inject arbitrary web script or HTML via the last name field in a profile.
3932 CVE-2009-3257 264 Bypass 2009-09-18 2017-12-07
3.6
None Remote High Single system None Partial Partial
vtiger CRM before 5.1.0 allows remote authenticated users to bypass the permissions on the (1) Account Billing Address and (2) Shipping Address fields in a profile by creating a Sales Order (SO) associated with that profile.
3933 CVE-2009-3210 79 XSS 2009-09-16 2017-08-16
3.5
None Remote Medium Single system None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the Print (aka Printer, e-mail and PDF versions) module 5.x before 5.x-4.8 and 6.x before 6.x-1.8, a module for Drupal, allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
3934 CVE-2009-3206 79 XSS 2009-09-16 2017-08-16
3.5
None Remote Medium Single system None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the ImageCache module 5.x before 5.x-2.5 and 6.x before 6.x-2.0-beta10, a module for Drupal, allow remote authenticated users, with "administer imagecache" permissions, to inject arbitrary web script or HTML via unspecified vectors.
3935 CVE-2009-3157 79 XSS 2009-09-10 2009-09-11
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in the Calendar module 6.x before 6.x-2.2 for Drupal allows remote authenticated users, with "create new content types" privileges, to inject arbitrary web script or HTML via the title of a content type.
3936 CVE-2009-3029 79 XSS 2009-10-15 2013-02-06
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in the console in Symantec SecurityExpressions Audit and Compliance Server 4.1.1, 4.1, and earlier allows remote authenticated users to inject arbitrary web script or HTML via "external client input" that triggers crafted error messages.
3937 CVE-2009-2977 310 +Info 2009-08-27 2018-10-10
3.3
None Local Network Low Not required Partial None None
The Cisco Security Monitoring, Analysis and Response System (CS-MARS) 6.0.4 and earlier stores cleartext passwords in log/sysbacktrace.## files within error-logs.tar.gz archives, which allows context-dependent attackers to obtain sensitive information by reading these files.
3938 CVE-2009-2919 79 XSS 2009-08-21 2017-08-16
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in Boonex Orca 2.0 and 2.0.2 allows remote authenticated users to inject arbitrary web script or HTML via the topic title field.
3939 CVE-2009-2898 79 XSS 2009-10-13 2018-10-10
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in the Alerts list feature in the web interface in SpringSource Hyperic HQ 3.2.x before 3.2.6.1, 4.0.x before 4.0.3.1, 4.1.x before 4.1.2.1, and 4.2-beta1; Application Management Suite (AMS) 2.0.0.SR3; and tc Server 6.0.20.B allows remote authenticated users to inject arbitrary web script or HTML via the Description field. NOTE: some of these details are obtained from third party information.
3940 CVE-2009-2856 200 +Info 2009-08-18 2009-08-21
3.5
None Remote Medium Single system Partial None None
Sun Virtual Desktop Infrastructure (VDI) 3.0, when anonymous binding is enabled, does not properly handle a client's attempt to establish an authenticated and encrypted connection, which might allow remote attackers to read cleartext VDI configuration-data requests by sniffing LDAP sessions on the network.
3941 CVE-2009-2610 79 XSS 2009-07-27 2009-07-27
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in the Links Related module in the Links Package 5.x before 5.x-1.13 and 6.x before 6.x-1.2, a module for Drupal, allows remote authenticated users to inject arbitrary web script or HTML via the title field.
3942 CVE-2009-2327 79 1 XSS 2009-07-05 2017-09-18
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in add_voting.php in KerviNet Forum 1.1 and earlier allows remote authenticated users to inject arbitrary web script or HTML via the v_variant1 parameter.
3943 CVE-2009-2208 264 2009-06-24 2017-08-16
3.6
None Local Low Not required None Partial Partial
FreeBSD 6.3, 6.4, 7.1, and 7.2 does not enforce permissions on the SIOCSIFINFO_IN6 IOCTL, which allows local users to modify or disable IPv6 network interfaces, as demonstrated by modifying the MTU.
3944 CVE-2009-2173 399 DoS 2009-06-23 2017-09-28
3.5
None Remote Medium Single system None None Partial
The LAN game feature in Carom3D 5.06 allows remote authenticated users to cause a denial of service (application hang) via a crafted HTTP request to TCP port 28012.
3945 CVE-2009-2156 79 XSS 2009-06-22 2018-10-10
3.5
None Remote Medium Single system None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in TorrentTrader Classic 1.09 allow remote authenticated users to inject arbitrary web script or HTML via (1) the Title field to requests.php, related to viewrequests.php; and (2) the Torrent Name field to torrents-upload.php, related to the logging of torrent uploads; and allow remote attackers to inject arbitrary web script or HTML via (3) the ttversion parameter to themes/default/footer.php, the (4) SITENAME and (5) CURUSER[username] parameters to themes/default/header.php, (6) the todayactive parameter to visitorstoday.php, (7) the activepeople parameter to visitorsnow.php, (8) the faq_categ[999][title] parameter to faq.php, and (9) the keepget parameter to torrents-details.php.
3946 CVE-2009-2131 79 XSS 2009-06-19 2017-09-28
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in 4images 1.7.7 and earlier allows remote authenticated users to inject arbitrary web script or HTML by providing a crafted user_homepage parameter to member.php, and then posting a comment associated with a picture.
3947 CVE-2009-2083 79 XSS 2009-06-16 2009-06-17
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in the term data detail page in Taxonomy manager 5.x before 5.x-1.2, a module for Drupal, allows remote authenticated users, with administer taxonomy privileges or the ability to use free tagging to add taxonomy terms, to inject arbitrary web script or HTML via "Parent and related terms."
3948 CVE-2009-2079 79 XSS 2009-06-16 2009-06-17
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in the administrative page interface in Taxonomy manager 5.x before 5.x-1.2 and 6.x before 6.x-1.1, a module for Drupal, allows remote authenticated users, with administer taxonomy privileges or the ability to use free tagging to add taxonomy terms, to inject arbitrary web script or HTML via (1) vocabulary names, (2) synonyms, and (3) term names.
3949 CVE-2009-2076 79 XSS 2009-06-16 2009-06-29
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in Views 6.x before 6.x-2.6, a module for Drupal, allows remote authenticated users to inject arbitrary web script or HTML via (1) exposed filters in the Views UI administrative interface and in the (2) view name parameter in the define custom views feature. NOTE: vector 2 is only exploitable by users with administer views permissions.
3950 CVE-2009-2074 79 XSS 2009-06-16 2009-06-17
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in Nodequeue 5.x before 5.x-2.7 and 6.x before 6.x-2.2, a module for Drupal, allows remote authenticated users with administer taxonomy permissions to inject arbitrary web script or HTML via vocabulary names.
Total number of vulnerabilities : 4305   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 (This Page)80 81 82 83 84 85 86 87
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.