Vulnerabilities

DATE CVE VULNERABILITY TITLE RISK
2009-10-09 CVE-2009-3658 Use After Free vulnerability in AOL Superbuddy Activex Control 9.5.0.1
Use-after-free vulnerability in the Sb.SuperBuddy.1 ActiveX control (sb.dll) in America Online (AOL) 9.5.0.1 allows remote attackers to trigger memory corruption or possibly execute arbitrary code via a malformed argument to the SetSuperBuddy method.
network
low complexity
aol CWE-416
8.8
2009-10-01 CVE-2009-3520 Cross-Site Request Forgery (CSRF) vulnerability in Cmsphp Project Cmsphp 0.21
Cross-site request forgery (CSRF) vulnerability in the Your_account module in CMSphp 0.21 allows remote attackers to hijack the authentication of administrators for requests that change an administrator password via the pseudo, pwd, and uid parameters in an admin_info_user_verif action.
network
low complexity
cmsphp-project CWE-352
8.8
2009-09-30 CVE-2009-3489 Incorrect Permission Assignment for Critical Resource vulnerability in Adobe Photoshop Elements 8.0
Adobe Photoshop Elements 8.0 installs the Adobe Active File Monitor V8 service with an insecure security descriptor, which allows local users to (1) stop the service via the stop command, (2) execute arbitrary commands as SYSTEM by using the config command to modify the binPath variable, or (3) restart the service via the start command.
local
low complexity
adobe CWE-732
7.8
2009-09-30 CVE-2009-3482 Incorrect Permission Assignment for Critical Resource vulnerability in Trustport Antivirus and PC Security
TrustPort Antivirus before 2.8.0.2266 and PC Security before 2.0.0.1291 use weak permissions (Everyone: Full Control) for files under %PROGRAMFILES%, which allows local users to gain privileges by replacing executables with Trojan horse programs.
local
low complexity
trustport CWE-732
7.8
2009-09-25 CVE-2009-3421 Improper Authentication vulnerability in Zenas Pao-Bacheca Guestbook 2.1
login.php in Zenas PaoBacheca Guestbook 2.1, when register_globals is enabled, allows remote attackers to bypass authentication and gain administrative access by setting the login_ok parameter to 1.
network
low complexity
zenas CWE-287
critical
9.8
2009-09-22 CVE-2009-3289 Incorrect Permission Assignment for Critical Resource vulnerability in multiple products
The g_file_copy function in glib 2.0 sets the permissions of a target file to the permissions of a symbolic link (777), which allows user-assisted local users to modify files of other users, as demonstrated by using Nautilus to modify the permissions of the user home directory.
local
low complexity
gnome opensuse suse CWE-732
7.8
2009-09-21 CVE-2009-3278 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Qnap Ts-239 PRO Firmware and Ts-639 PRO Firmware
The QNAP TS-239 Pro and TS-639 Pro with firmware 2.1.7 0613, 3.1.0 0627, and 3.1.1 0815 use the rand library function to generate a certain recovery key, which makes it easier for local users to determine this key via a brute-force attack.
local
low complexity
qnap CWE-338
5.5
2009-09-18 CVE-2009-3238 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in multiple products
The get_random_int function in drivers/char/random.c in the Linux kernel before 2.6.30 produces insufficiently random numbers, which allows attackers to predict the return value, and possibly defeat protection mechanisms based on randomization, via vectors that leverage the function's tendency to "return the same value over and over again for long stretches of time."
local
low complexity
linux canonical opensuse suse CWE-338
5.5
2009-09-02 CVE-2009-3046 Improper Certificate Validation vulnerability in Opera Browser
Opera before 10.00 does not check all intermediate X.509 certificates for revocation, which makes it easier for remote SSL servers to bypass validation of the certificate chain via a revoked certificate.
network
low complexity
opera CWE-295
7.5
2009-08-31 CVE-2009-3022 Cross-Site Request Forgery (CSRF) vulnerability in Itd-Inc Bingo!Cms 1.0/1.1/1.2
Cross-site request forgery (CSRF) vulnerability in bingo!CMS 1.2 and earlier allows remote attackers to hijack the authentication of other users for requests that modify configuration or change content via unspecified vectors.
network
low complexity
itd-inc CWE-352
6.5