Vulnerabilities > Medium

DATE | CVE | VULNERABILITY TITLE | RISK

2008-09-24 | CVE-2008-4190 | Link Following vulnerability in multiple products | 4.4
The IPSEC livetest tool in Openswan 2.4.12 and earlier, and 2.6.x through 2.6.16, allows local users to overwrite arbitrary files and execute arbitrary code via a symlink attack on the (1) ipseclive.conn and (2) ipsec.olts.remote.log temporary files.

2008-09-24 | CVE-2008-3102 | Cryptographic Issues vulnerability in Mantisbt | 5.0
Mantis 1.1.x through 1.1.2 and 1.2.x through 1.2.0a2 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
network, low complexity, mantisbt CWE-310

2008-09-24 | CVE-2008-4153 | Permissions, Privileges, and Access Controls vulnerability in Drupal Talk | 5.0
The Talk module 5.x before 5.x-1.3 and 6.x before 6.x-1.5, a module for Drupal, does not perform access checks for a node before displaying comments, which allows remote attackers to obtain sensitive information.
network, low complexity, drupal CWE-264

2008-09-24 | CVE-2008-4151 | Path Traversal vulnerability in Cyask 3 | 5.0
Directory traversal vulnerability in collect.php in CYASK 3.x allows remote attackers to read arbitrary files via a ..
network, low complexity, cyask CWE-22

2008-09-24 | CVE-2008-4149 | Cross-Site Scripting vulnerability in Drupal Link TO US 5.X1.Xdev | 4.3
Cross-site scripting (XSS) vulnerability in the Greg Holsclaw Link to Us module 5.x before 5.x-1.1 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via the "Link page header" field.
network, drupal CWE-79

2008-09-24 | CVE-2008-4147 | Cross-Site Scripting vulnerability in Drupal Mailsave | 4.3
Cross-site scripting (XSS) vulnerability in the Mailsave module 5.x before 5.x-3.3 and 6.x before 6.x-1.3, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via an e-mail message with an attached file that has a modified Content-Type.
network, drupal CWE-79

2008-09-24 | CVE-2008-4146 | Improper Authentication vulnerability in Addalink | 5.0
Addalink 1.0 beta 4 and earlier allows remote attackers to (1) approve web-site additions via a modified approved field and (2) change the visit-counter value via a modified counter field.
network, low complexity, addalink CWE-287

2008-09-24 | CVE-2008-4145 | SQL Injection vulnerability in Addalink | 6.8
SQL injection vulnerability in user_read_links.php in Addalink 1.0 beta 4 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the category_id parameter.
network, addalink CWE-89

2008-09-24 | CVE-2008-4140 | Cross-Site Scripting vulnerability in Opensolution Quick.Cart 3.1 | 4.3
Cross-site scripting (XSS) vulnerability in admin.php in Quick.Cart 3.1 allows remote attackers to inject arbitrary web script or HTML via the query string.

2008-09-24 | CVE-2008-4136 | Improper Input Validation vulnerability in Michael Roth Software Pftp 6.0F | 5.0
Michael Roth Software Personal FTP Server (PFT) 6.0f allows remote attackers to cause a denial of service (service crash) via multiple RETR commands, possibly involving long filenames.
network, low complexity, michael-roth-software CWE-20