| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2009-0748 |
20 |
|
DoS |
2009-02-27 |
2018-10-10 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
The ext4_fill_super function in fs/ext4/super.c in the Linux kernel 2.6.27 before 2.6.27.19 and 2.6.28 before 2.6.28.7 does not validate the superblock configuration, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) by attempting to mount a crafted ext4 filesystem. |
|
2 |
CVE-2009-0747 |
399 |
|
DoS |
2009-02-27 |
2018-10-10 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
The ext4_isize function in fs/ext4/ext4.h in the Linux kernel 2.6.27 before 2.6.27.19 and 2.6.28 before 2.6.28.7 uses the i_size_high structure member during operations on arbitrary types of files, which allows local users to cause a denial of service (CPU consumption and error-message flood) by attempting to mount a crafted ext4 filesystem. |
|
3 |
CVE-2009-0746 |
20 |
|
DoS |
2009-02-27 |
2018-10-10 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
The make_indexed_dir function in fs/ext4/namei.c in the Linux kernel 2.6.27 before 2.6.27.19 and 2.6.28 before 2.6.28.7 does not validate a certain rec_len field, which allows local users to cause a denial of service (OOPS) by attempting to mount a crafted ext4 filesystem. |
|
4 |
CVE-2009-0745 |
20 |
|
DoS |
2009-02-27 |
2018-10-10 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
The ext4_group_add function in fs/ext4/resize.c in the Linux kernel 2.6.27 before 2.6.27.19 and 2.6.28 before 2.6.28.7 does not properly initialize the group descriptor during a resize (aka resize2fs) operation, which might allow local users to cause a denial of service (OOPS) by arranging for crafted values to be present in available memory. |
|
5 |
CVE-2009-0744 |
20 |
|
DoS |
2009-02-27 |
2018-10-10 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Apple Safari 4 Beta build 528.16 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a feeds: URI beginning with a (1) % (percent), (2) { (open curly bracket), (3) } (close curly bracket), (4) ^ (caret), (5) ` (backquote), or (6) | (pipe) character, followed by an & (ampersand) character. |
|
6 |
CVE-2009-0743 |
79 |
|
XSS |
2009-02-27 |
2017-08-17 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the edit account page in the Web Server in Cisco Unified MeetingPlace Web Conferencing 6.0 before 6.0(517.0) (aka 6.0 MR4) and 7.0 before 7.0(2) (aka 7.0 MR1) allows remote authenticated users to inject arbitrary web script or HTML via the E-mail Address field. |
|
7 |
CVE-2009-0742 |
310 |
|
+Info |
2009-02-26 |
2009-02-27 |
7.8 |
None |
Remote |
Low |
Not required |
Complete |
None |
None |
|
The username command in Cisco ACE Application Control Engine Module for Catalyst 6500 Switches and 7600 Routers and Cisco ACE 4710 Application Control Engine Appliance stores a cleartext password by default, which allows context-dependent attackers to obtain sensitive information. |
|
8 |
CVE-2009-0741 |
89 |
|
Exec Code Sql |
2009-02-25 |
2018-10-10 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in Login.asp in Craft Silicon [email protected] 2.1 and earlier allows remote attackers to execute arbitrary SQL commands via the LoginName parameter. |
|
9 |
CVE-2009-0740 |
89 |
|
Exec Code Sql |
2009-02-25 |
2017-09-29 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in login.php in BlueBird Prelease allows remote attackers to execute arbitrary SQL commands via the (1) username and (2) passwd parameters. |
|
10 |
CVE-2009-0739 |
89 |
|
Exec Code Sql |
2009-02-25 |
2017-09-29 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in login.php in MyNews 0.10 allows remote attackers to execute arbitrary SQL commands via the (1) username and (2) passwd parameters. |
|
11 |
CVE-2009-0738 |
89 |
|
Exec Code Sql |
2009-02-25 |
2017-09-29 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in login.php in Auth Php 1.0 allows remote attackers to execute arbitrary SQL commands via the (1) username and (2) passwd parameters. |
|
12 |
CVE-2009-0737 |
79 |
|
XSS |
2009-02-25 |
2009-10-14 |
2.6 |
None |
Remote |
High |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in the web-based installer (config/index.php) in MediaWiki 1.6 before 1.6.12, 1.12 before 1.12.4, and 1.13 before 1.13.4, when the installer is in active use, allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
|
13 |
CVE-2009-0736 |
79 |
|
XSS |
2009-02-25 |
2012-11-08 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in Pebble before 2.3.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
|
14 |
CVE-2009-0735 |
22 |
|
Dir. Trav. |
2009-02-25 |
2017-09-29 |
5.1 |
None |
Remote |
High |
Not required |
Partial |
Partial |
Partial |
|
Directory traversal vulnerability in lib/classes/message_class.php in Papoo CMS 3.6, when register_globals is enabled and magic_quotes_gpc is disabled, allows remote attackers to read and possibly execute arbitrary files via a .. (dot dot) in the pfadhier parameter. NOTE: some of these details are obtained from third party information. |
|
15 |
CVE-2009-0734 |
119 |
|
Exec Code Overflow |
2009-02-25 |
2018-10-10 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
Heap-based buffer overflow in MultimediaPlayer.exe 6.86.240.7 in Nokia PC Suite 6.86.9.3 allows remote attackers to execute arbitrary code via a long string in a .m3u playlist file. |
|
16 |
CVE-2009-0732 |
264 |
|
+Info |
2009-02-24 |
2017-08-17 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Downloadcenter 2.1 stores common.h under the web root with insufficient access control, which allows remote attackers to obtain user credentials and other sensitive information via a direct request. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. |
|
17 |
CVE-2009-0731 |
22 |
|
Dir. Trav. |
2009-02-24 |
2017-09-29 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
Directory traversal vulnerability in pages/play.php in Free Arcade Script 1.0 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the template parameter. |
|
18 |
CVE-2009-0730 |
89 |
|
Exec Code Sql |
2009-02-24 |
2018-10-10 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Multiple SQL injection vulnerabilities in the GigCalendar (com_gigcal) component 1.0 for Mambo and Joomla!, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via (1) the gigcal _venues_id parameter in a details action to index.php, which is not properly handled by venuedetails.php, and (2) the gigcal_bands_id parameter in a details action to index.php, which is not properly handled by banddetails.php, different vectors than CVE-2009-0726. |
|
19 |
CVE-2009-0729 |
22 |
|
Dir. Trav. |
2009-02-24 |
2017-08-17 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Multiple directory traversal vulnerabilities in Page Engine CMS 2.0 Basic and Pro allow remote attackers to include and execute arbitrary local files via directory traversal sequences in the fPrefix parameter to (1) modules/recent_poll_include.php, (2) modules/login_include.php, and (3) modules/statistics_include.php and (4) configuration.inc.php in includes/. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. |
|
20 |
CVE-2009-0728 |
89 |
|
Exec Code Sql |
2009-02-24 |
2017-09-29 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in the My_eGallery module for MAXdev MDPro (MD-Pro) and Postnuke allows remote attackers to execute arbitrary SQL commands via the pid parameter in a showpic action to index.php. |
|
21 |
CVE-2009-0727 |
89 |
|
Exec Code Sql |
2009-02-24 |
2018-10-10 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in jobdetails.php in taifajobs 1.0 and earlier allows remote attackers to execute arbitrary SQL commands via the jobid parameter. |
|
22 |
CVE-2009-0726 |
89 |
|
Exec Code Sql |
2009-02-24 |
2017-09-29 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in the GigCalendar (com_gigcal) component 1.0 for Mambo and Joomla! allows remote attackers to execute arbitrary SQL commands via the gigcal_gigs_id parameter in a details action to index.php. |
|
23 |
CVE-2009-0722 |
22 |
|
Dir. Trav. |
2009-02-24 |
2017-09-29 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Directory traversal vulnerability in admin.php in Potato News 1.0.0 allows remote attackers to include and execute arbitrary files via a .. (dot dot) in the user cookie parameter. |
|
24 |
CVE-2009-0711 |
200 |
|
Sql +Info |
2009-02-23 |
2017-09-29 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
filter.php in PHPFootball 1.6 and earlier allows remote attackers to retrieve password hashes via a request with an Accounts value for the dbtable parameter, in conjunction with a Password value for the dbfield parameter. NOTE: this has been reported as a SQL injection vulnerability by some sources, but the provenance of that information is unknown. |
|
25 |
CVE-2009-0710 |
79 |
|
XSS |
2009-02-23 |
2017-08-17 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in PHPFootball 1.6 allow remote attackers to inject arbitrary web script or HTML via (1) the user parameter to login.php or (2) the dbfield parameter to filter.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. |
|
26 |
CVE-2009-0709 |
89 |
|
Exec Code Sql |
2009-02-23 |
2017-08-17 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in login.php in PHPFootball 1.6 allows remote attackers to execute arbitrary SQL commands via the user parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. |
|
27 |
CVE-2009-0708 |
352 |
|
CSRF |
2009-02-23 |
2012-01-05 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Multiple cross-site request forgery (CSRF) vulnerabilities in SemanticScuttle before 0.91 allow remote attackers to (1) hijack the authentication of administrators via unknown vectors or (2) hijack the authentication of arbitrary users via vectors involving the profile page. |
|
28 |
CVE-2009-0707 |
89 |
|
Exec Code Sql |
2009-02-23 |
2017-09-29 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in admin/index.php in PowerClan 1.14a allows remote attackers to execute arbitrary SQL commands via the loginemail parameter (aka login field). NOTE: some of these details are obtained from third party information. |
|
29 |
CVE-2009-0706 |
89 |
1
|
Exec Code Sql |
2009-02-23 |
2017-08-17 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in the Simple Review (com_simple_review) component 1.3.5 for Joomla! and Mambo allows remote attackers to execute arbitrary SQL commands via the category parameter to index.php. |
|
30 |
CVE-2009-0705 |
89 |
|
Exec Code Sql |
2009-02-23 |
2017-09-29 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in news.php in PowerScripts PowerNews 2.5.4, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the newsid parameter. |
|
31 |
CVE-2009-0704 |
89 |
|
Exec Code Sql |
2009-02-23 |
2017-09-29 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in search.php in WSN Guest 1.23 allows remote attackers to execute arbitrary SQL commands via the search parameter in an advanced action. |
|
32 |
CVE-2009-0703 |
89 |
|
Exec Code Sql |
2009-02-23 |
2017-09-29 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in bview.asp in ASPThai.Net Webboard 6.0 allows remote attackers to execute arbitrary SQL commands via the id parameter. |
|
33 |
CVE-2009-0702 |
89 |
|
Exec Code Sql |
2009-02-23 |
2017-09-29 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in the Phoca Documentation (com_phocadocumentation) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a section action to index.php. |
|
34 |
CVE-2009-0701 |
94 |
|
Exec Code File Inclusion |
2009-02-23 |
2017-09-29 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Multiple PHP remote file inclusion vulnerabilities in index.php in Cybershade CMS 0.2b, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the (1) THEME_header and (2) THEME_footer parameters. |
|
35 |
CVE-2009-0700 |
264 |
|
Bypass |
2009-02-23 |
2017-08-17 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
Plunet BusinessManager 4.1 and earlier allows remote authenticated users to bypass access restrictions and (1) read sensitive Customer or Order data via a modified Pfad parameter to pagesUTF8/Sys_DirAnzeige.jsp, or (2) list sensitive Jobs via a direct request to pagesUTF8/auftrag_job.jsp. |
|
36 |
CVE-2009-0699 |
79 |
|
XSS |
2009-02-23 |
2017-08-17 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in pagesUTF8/auftrag_allgemeinauftrag.jsp in Plunet BusinessManager 4.1 and earlier allows remote authenticated users to inject arbitrary web script or HTML via the (1) QUB and (2) Bez74 parameters. |
|
37 |
CVE-2009-0698 |
189 |
|
DoS Exec Code Overflow |
2009-02-23 |
2018-10-10 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Integer overflow in the 4xm demuxer (demuxers/demux_4xm.c) in xine-lib 1.1.16.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a 4X movie file with a large current_track value, a similar issue to CVE-2009-0385. |
|
38 |
CVE-2009-0680 |
22 |
|
DoS Dir. Trav. |
2009-02-22 |
2017-09-29 |
7.8 |
None |
Remote |
Low |
Not required |
None |
None |
Complete |
|
cgi-bin/welcome/VPN_only in the web interface in Netgear SSL312 allows remote attackers to cause a denial of service (device crash) via a crafted query string, as demonstrated using directory traversal sequences. |
|
39 |
CVE-2009-0679 |
79 |
|
XSS |
2009-02-22 |
2017-08-17 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Your Account module in RavenNuke 2.30 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
|
40 |
CVE-2009-0678 |
200 |
|
+Info |
2009-02-22 |
2018-10-10 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
images/captcha.php in RavenNuke 2.30 allows remote attackers to obtain sensitive information via an aFonts array parameter value that does not correspond to a valid font file, which reveals the installation path in an error message. |
|
41 |
CVE-2009-0677 |
94 |
|
Exec Code |
2009-02-22 |
2018-10-10 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
avatarlist.php in the Your Account module, reached through modules.php, in Raven Web Services RavenNuke 2.30 allows remote authenticated users to execute arbitrary code via PHP sequences in an element of the replacements array, which is processed by the preg_replace function with the eval switch, as specified in an element of the patterns array. |
|
42 |
CVE-2009-0676 |
264 |
|
+Info |
2009-02-22 |
2018-10-10 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The sock_getsockopt function in net/core/sock.c in the Linux kernel before 2.6.28.6 does not initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel memory via an SO_BSDCOMPAT getsockopt request. |
|
43 |
CVE-2009-0675 |
264 |
|
|
2009-02-22 |
2018-10-10 |
2.1 |
None |
Local |
Low |
Not required |
None |
Partial |
None |
|
The skfp_ioctl function in drivers/net/skfp/skfddi.c in the Linux kernel before 2.6.28.6 permits SKFP_CLR_STATS requests only when the CAP_NET_ADMIN capability is absent, instead of when this capability is present, which allows local users to reset the driver statistics, related to an "inverted logic" issue. |
|
44 |
CVE-2009-0674 |
94 |
|
|
2009-02-22 |
2018-10-10 |
6.0 |
None |
Remote |
Medium |
??? |
Partial |
Partial |
Partial |
|
images/captcha.php in Raven Web Services RavenNuke 2.30, when register_globals and display_errors are enabled, allows remote attackers to determine the existence of local files by sending requests with full pathnames in the aFonts array parameter, and then observing the error messages, which differ between existing and nonexistent pathnames. |
|
45 |
CVE-2009-0673 |
94 |
|
Exec Code |
2009-02-22 |
2018-10-10 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
Eval injection vulnerability in the Custom Fields feature in the Your Account module in Raven Web Services RavenNuke 2.30 allows remote authenticated administrators to execute arbitrary PHP code via the ID Field Name box in a yaCustomFields action to admin.php. |
|
46 |
CVE-2009-0672 |
89 |
|
Exec Code Sql |
2009-02-22 |
2018-10-10 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in the Resend_Email module in Raven Web Services RavenNuke 2.30 allows remote authenticated administrators to execute arbitrary SQL commands via the user_prefix parameter to modules.php. |
|
47 |
CVE-2009-0671 |
|
|
Exec Code |
2009-02-22 |
2009-02-26 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
** REJECT ** Format string vulnerability in the University of Washington (UW) c-client library, as used by the UW IMAP toolkit imap-2007d and other applications, allows remote attackers to execute arbitrary code via format string specifiers in the initial request to the IMAP port (143/tcp). NOTE: Red Hat has disputed the vulnerability, stating "The Red Hat Security Response Team have been unable to confirm the existence of this format string vulnerability in the toolkit, and the sample published exploit is not complete or functional." CVE agrees that the exploit contains syntax errors and uses Unix-only include files while invoking Windows functions. |
|
48 |
CVE-2009-0659 |
119 |
|
Overflow |
2009-02-20 |
2017-08-17 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Stack-based buffer overflow in the GetStatsFromLine function in TPTEST 3.1.7 allows remote attackers to have an unknown impact via a STATS line with a long email field. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. |
|
49 |
CVE-2009-0658 |
119 |
|
Exec Code Overflow |
2009-02-20 |
2019-09-27 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
Buffer overflow in Adobe Reader 9.0 and earlier, and Acrobat 9.0 and earlier, allows remote attackers to execute arbitrary code via a crafted PDF document, related to a non-JavaScript function call and possibly an embedded JBIG2 image stream, as exploited in the wild in February 2009 by Trojan.Pidief.E. |
|
50 |
CVE-2009-0657 |
255 |
|
|
2009-02-20 |
2017-08-17 |
6.9 |
None |
Local |
Medium |
Not required |
Complete |
Complete |
Complete |
|
Toshiba Face Recognition 2.0.2.32 allows physically proximate attackers to obtain notebook access by presenting a large number of images for which the viewpoint and lighting have been modified to match a stored image of the authorized notebook user. |
