Weekly Vulnerabilities Reports > June 30 to July 6, 2008
Overview
86 new vulnerabilities were reported during this period, including 4 critical vulnerabilities and 31 high severity vulnerabilities. This weekly summary reports vulnerabilities in 66 products from 53 vendors including Apple, Linux, Microsoft, Drupal, and Preprojects. The vulnerabilities are most notably categorized as "SQL Injection", "Cross-site Scripting", "Path Traversal", "Improper Input Validation", and "Code Injection".
- 80 reported vulnerabilities are remotely exploitable.
- 49 reported vulnerabilities have a public exploit available.
- 54 reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
- 84 reported vulnerabilities are exploitable by an anonymous user.
- Apple has the most reported vulnerabilities, with 6 reported vulnerabilities.
- Microsoft has the most reported critical vulnerabilities, with 1 reported vulnerability.
Vulnerability Details
The following tables list the reported vulnerabilities for the period covered by this report, grouped by severity:
4 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2008-07-03 | CVE-2008-3001 | Drupal | Code Injection vulnerability in Drupal Aggregation Module The Aggregation module 5.x before 5.x-4.4 for Drupal allows remote attackers to upload files with arbitrary extensions, and possibly execute arbitrary code, via a crafted feed that allows upload of files with arbitrary extensions. | 9.3 |
2008-07-02 | CVE-2008-2959 | Microsoft | Buffer Errors vulnerability in Microsoft Visual Basic Enterprise Edition 6.0 Buffer overflow in a certain ActiveX control (vb6skit.dll) in Microsoft Visual Basic Enterprise Edition 6.0 SP6 might allow remote attackers to execute arbitrary code via a long lpstrLinkPath argument to the fCreateShellLink function. | 9.3 |
2008-06-30 | CVE-2008-2910 | Muvee | Buffer Errors vulnerability in Muvee Autoproducer 6.0/6.1 Buffer overflow in the DXTTextOutEffect ActiveX control (aka the Text-Effect DXT Filter), as distributed in TextOut.dll 6.0.18.1 and mvtextout.dll, in muvee autoProducer 6.0 and 6.1 allows remote attackers to execute arbitrary code via a long FontSetting property value. | 9.3 |
2008-06-30 | CVE-2008-2908 | Novell | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Novell Iprint Client Multiple stack-based buffer overflows in a certain ActiveX control in ienipp.ocx in Novell iPrint Client for Windows before 4.36 allow remote attackers to execute arbitrary code via a long value of the (1) operation, (2) printer-url, or (3) target-frame parameter. | 9.3 |
31 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2008-07-01 | CVE-2008-2954 | Linux | Improper Input Validation vulnerability in Linux Direct Connect client/NmdcHub.cpp in Linux DC++ (linuxdcpp) before 0.707 allows remote attackers to cause a denial of service (crash) via an empty private message, which triggers an out-of-bounds read. | 7.8 |
2008-06-30 | CVE-2008-2946 | SUN | Resource Management Errors vulnerability in SUN Solaris and Sunos The SNMP-DMI mapper subagent daemon (aka snmpXdmid) in Solstice Enterprise Agents in Sun Solaris 8 through 10 allows remote attackers to cause a denial of service (daemon crash) via malformed packets. | 7.8 |
2008-07-01 | CVE-2008-2311 | Apple | Race Condition vulnerability in Apple mac OS X and mac OS X Server Launch Services in Apple Mac OS X before 10.5, when Open Safe Files is enabled, allows remote attackers to execute arbitrary code via a symlink attack, probably related to a race condition and automatic execution of a downloaded file. | 7.6 |
2008-07-03 | CVE-2008-2999 | Drupal | SQL Injection vulnerability in Drupal Aggregation Module and Drupal Multiple SQL injection vulnerabilities in the Aggregation module 5.x before 5.x-4.4 for Drupal allow remote attackers to execute arbitrary SQL commands via unspecified vectors. | 7.5 |
2008-07-03 | CVE-2008-2995 | Phpeasydata | SQL Injection vulnerability in PHPeasydata 1.5.4 Multiple SQL injection vulnerabilities in PHPEasyData 1.5.4 allow remote attackers to execute arbitrary SQL commands via (1) the annuaire parameter to annuaire.php or (2) the username field in admin/login.php. | 7.5 |
2008-07-03 | CVE-2008-2993 | FOG | Path Traversal vulnerability in FOG Forum 0.8.1 Multiple directory traversal vulnerabilities in index.php in FOG Forum 0.8.1 allow remote attackers to include and execute arbitrary local files via a .. | 7.5 |
2008-07-02 | CVE-2008-2990 | Joomla Mambo | Code Injection vulnerability in multiple products PHP remote file inclusion vulnerability in facileforms.frame.php in the FacileForms (com_facileforms) component 1.4.4 for Mambo and Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the ff_compath parameter. | 7.5 |
2008-07-02 | CVE-2008-2989 | Homap | SQL Injection vulnerability in Homap 0.1 SQL injection vulnerability in index.php in HoMaP-CMS 0.1 allows remote attackers to execute arbitrary SQL commands via the go parameter. | 7.5 |
2008-07-02 | CVE-2008-2988 | Benjacms | Improper Input Validation vulnerability in Benjacms Benja CMS 0.1 Unrestricted file upload vulnerability in admin/upload.php in Benja CMS 0.1 allows remote attackers to upload and execute arbitrary PHP files via unspecified vectors, followed by a direct request to the file in billeder/. | 7.5 |
2008-07-02 | CVE-2008-2986 | Phpdmca | Code Injection vulnerability in PHPdmca 1.0.0 Multiple PHP remote file inclusion vulnerabilities in phpDMCA 1.0.0 allow remote attackers to execute arbitrary PHP code via a URL in the ourlinux_root_path parameter to (1) adodb-errorpear.inc.php and (2) adodb-pear.inc.php in adodb/. | 7.5 |
2008-07-02 | CVE-2008-2983 | CWH Underground | SQL Injection vulnerability in CWH Underground Demo4 CMS 01 SQL injection vulnerability in index.php in Demo4 CMS 01 Beta allows remote attackers to execute arbitrary SQL commands via the id parameter. | 7.5 |
2008-07-02 | CVE-2008-2977 | Ourvideo CMS | Code Injection vulnerability in Ourvideo CMS Ourvideo CMS 9.5 Multiple PHP remote file inclusion vulnerabilities in Ourvideo CMS 9.5 allow remote attackers to execute arbitrary PHP code via a URL in the include_connection parameter to (1) edit_top_feature.php and (2) edit_topics_feature.php in phpi/. | 7.5 |
2008-07-02 | CVE-2008-2972 | Kblance | SQL Injection vulnerability in Kblance NIL SQL injection vulnerability in index.php in KbLance allows remote attackers to execute arbitrary SQL commands via the cat_id parameter in a comment action. | 7.5 |
2008-07-02 | CVE-2008-2971 | Cistyle | SQL Injection vulnerability in Cistyle Ciblog 3.1 SQL injection vulnerability in links-extern.php in CiBlog 3.1 allows remote attackers to execute arbitrary SQL commands via the id parameter. | 7.5 |
2008-07-02 | CVE-2008-2970 | Yektaweb | Improper Input Validation vulnerability in Yektaweb Academic web Tools Multiple session fixation vulnerabilities in Academic Web Tools (AWT YEKTA) 1.4.3.1, and 1.4.2.8 and earlier, allow remote attackers to hijack web sessions by setting the PHPSESSID parameter to (1) index.php and (2) login.php in homepg/. | 7.5 |
2008-07-02 | CVE-2008-2968 | Yektaweb | SQL Injection vulnerability in Yektaweb Academic web Tools SQL injection vulnerability in rating.php in Academic Web Tools (AWT YEKTA) 1.4.3.1, and 1.4.2.8 and earlier, allows remote attackers to execute arbitrary SQL commands via the book_id parameter. | 7.5 |
2008-07-02 | CVE-2008-2966 | Jaxultrabb | Path Traversal vulnerability in Jaxultrabb Directory traversal vulnerability in viewprofile.php in JaxUltraBB 2.0 and earlier allows remote attackers to read arbitrary local files via a .. | 7.5 |
2008-07-02 | CVE-2008-2964 | Researchguide | SQL Injection vulnerability in Researchguide 0.5 SQL injection vulnerability in guide.php in ResearchGuide 0.5 allows remote attackers to execute arbitrary SQL commands via the id parameter. | 7.5 |
2008-06-30 | CVE-2008-2945 | SUN | Improper Input Validation vulnerability in SUN products Sun Java System Access Manager 6.3 through 7.1 and Sun Java System Identity Server 6.1 and 6.2 do not properly process XSLT stylesheets in XSLT transforms in XML signatures, which allows context-dependent attackers to execute arbitrary code via a crafted stylesheet, a related issue to CVE-2007-3715, CVE-2007-3716, and CVE-2007-4289. | 7.5 |
2008-06-30 | CVE-2008-2925 | Valarsoft | SQL Injection vulnerability in Valarsoft Webmatic SQL injection vulnerability in Webmatic before 2.8 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | 7.5 |
2008-06-30 | CVE-2008-2922 | T0Pp8Uzz | Buffer Errors vulnerability in T0Pp8Uzz Dana IRC Client 1.1/1.2 Stack-based buffer overflow in artegic Dana IRC client 1.3 and earlier allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long IRC message. | 7.5 |
2008-06-30 | CVE-2008-2921 | Eztechhelp Company | SQL Injection vulnerability in Eztechhelp Company Ezcms 1.0/1.1 SQL injection vulnerability in index.php in EZTechhelp EZCMS 1.2 and earlier allows remote attackers to execute arbitrary SQL commands via the page parameter. | 7.5 |
2008-06-30 | CVE-2008-2920 | Ezcms | Improper Authentication vulnerability in Ezcms Eztechhelp Ezcms admin/filemanager/ (aka the File Manager) in EZTechhelp EZCMS 1.2 and earlier does not require authentication, which allows remote attackers to create, modify, read, and delete files. | 7.5 |
2008-06-30 | CVE-2008-2918 | Application Dynamics | SQL Injection vulnerability in Application Dynamics Cartweaver 3.0 SQL injection vulnerability in details.php in Application Dynamics Cartweaver 3.0 allows remote attackers to execute arbitrary SQL commands via the prodId parameter, possibly a related issue to CVE-2006-2046.3. | 7.5 |
2008-06-30 | CVE-2008-2917 | Preprojects | SQL Injection vulnerability in Preprojects E-Smart Cart SQL injection vulnerability in productsofcat.asp in E-SMART CART allows remote attackers to execute arbitrary SQL commands via the category_id parameter. | 7.5 |
2008-06-30 | CVE-2008-2915 | Preprojects | SQL Injection vulnerability in Preprojects PRE JOB Board Multiple SQL injection vulnerabilities in jobseekers/JobSearch.php (aka the search module) in Pre Job Board allow remote attackers to execute arbitrary SQL commands via the (1) position or (2) kw parameter. | 7.5 |
2008-06-30 | CVE-2008-2914 | Preprojects | SQL Injection vulnerability in Preprojects PHP Jobwebsite PRO SQL injection vulnerability in jobseekers/JobSearch3.php (aka the search module) in PHP JOBWEBSITE PRO allows remote attackers to execute arbitrary SQL commands via the (1) kw or (2) position parameter. | 7.5 |
2008-06-30 | CVE-2008-2912 | Contenido | Code Injection vulnerability in Contenido CMS 4.8.4 Multiple PHP remote file inclusion vulnerabilities in Contenido CMS 4.8.4 allow remote attackers to execute arbitrary PHP code via a URL in the (1) contenido_path parameter to (a) contenido/backend_search.php; the (2) cfg[path][contenido] parameter to (b) move_articles.php, (c) move_old_stats.php, (d) optimize_database.php, (e) run_newsletter_job.php, (f) send_reminder.php, (g) session_cleanup.php, and (h) setfrontenduserstate.php in contenido/cronjobs/, and (i) includes/include.newsletter_jobs_subnav.php and (j) plugins/content_allocation/includes/include.right_top.php in contenido/; the (3) cfg[path][templates] parameter to (k) includes/include.newsletter_jobs_subnav.php and (l) plugins/content_allocation/includes/include.right_top.php in contenido/; and the (4) cfg[templates][right_top_blank] parameter to (m) plugins/content_allocation/includes/include.right_top.php and (n) contenido/includes/include.newsletter_jobs_subnav.php in contenido/, different vectors than CVE-2006-5380. | 7.5 |
2008-06-30 | CVE-2008-2909 | Clever Copy | SQL Injection vulnerability in Clever Copy Clever Copy 3.0 SQL injection vulnerability in results.php in Clever Copy 3.0 allows remote attackers to execute arbitrary SQL commands via the searchtype parameter. | 7.5 |
2008-06-30 | CVE-2008-2904 | Phpmycart | SQL Injection vulnerability in PHPmycart SQL injection vulnerability in shop.php in Conkurent PHPMyCart allows remote attackers to execute arbitrary SQL commands via the cat parameter. | 7.5 |
2008-06-30 | CVE-2008-2902 | Alstrasoft | SQL Injection vulnerability in Alstrasoft Askme PRO SQL injection vulnerability in profile.php in AlstraSoft AskMe Pro 2.1 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter. | 7.5 |
50 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2008-07-03 | CVE-2008-3000 | Drupal | Permissions, Privileges, and Access Controls vulnerability in Drupal Aggregation Module The Aggregation module 5.x before 5.x-4.4 for Drupal, when node access modules are used, does not properly implement access control, which allows remote attackers to bypass intended restrictions. | 6.8 |
2008-07-03 | CVE-2008-2996 | Gravityboardx | SQL Injection vulnerability in Gravityboardx Gravity Board X 2.0 Multiple SQL injection vulnerabilities in index.php in Gravity Board X (GBX) 2.0 Beta, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) searchquery parameter in a getsearch action, and the (2) board_id parameter in a viewboard action. | 6.8 |
2008-07-02 | CVE-2008-2985 | Cmreams | Path Traversal vulnerability in Cmreams CMS 1.3.1.1 Directory traversal vulnerability in load_language.php in CMReams CMS 1.3.1.1 Beta 2, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the page_language parameter. | 6.8 |
2008-07-02 | CVE-2008-2982 | Homeph Design | Path Traversal vulnerability in Homeph Design Homeph Design 2.10 Multiple directory traversal vulnerabilities in HomePH Design 2.10 RC2, when register_globals is enabled, allow remote attackers to include and execute arbitrary local files via directory traversal sequences in the (1) thumb_template parameter to (a) admin/templates/template_thumbnail.php, and the (2) language parameter to (b) account/account.php, (c) downloads/downloads.php, (d) forum/forum.php, (e) fotogalerie/delete.php, and (f) fotogalerie/fotogalerie.php in admin/features/. | 6.8 |
2008-07-02 | CVE-2008-2981 | Homeph Design | Code Injection vulnerability in Homeph Design Homeph Design 2.10 PHP remote file inclusion vulnerability in admin/templates/template_thumbnail.php in HomePH Design 2.10 RC2, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the thumb_template parameter. | 6.8 |
2008-07-02 | CVE-2008-2978 | Ourvideocms | Path Traversal vulnerability in Ourvideocms Ourvideo CMS 9.5 Directory traversal vulnerability in phpi/rss.php in Ourvideo CMS 9.5, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the prefix parameter. | 6.8 |
2008-07-02 | CVE-2008-2976 | Tinx CMS | Path Traversal vulnerability in Tinx CMS Tinx CMS 1.1 Multiple directory traversal vulnerabilities in TinX/cms 1.1, when register_globals is enabled, allow remote attackers to include and execute arbitrary local files via directory traversal sequences in the (1) language parameter to (a) include_me.php, (b) admin/ajax.php, and (c) admin/objects/catalog.ajaxhandler.php; and the (2) prefix parameter to (d) admin/inc/config.php. | 6.8 |
2008-07-02 | CVE-2008-2974 | MM Chat | Path Traversal vulnerability in MM Chat MM Chat 1.5 Directory traversal vulnerability in chatconfig.php in MM Chat 1.5, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the currentlang parameter. | 6.8 |
2008-07-02 | CVE-2008-2963 | Myblog | SQL Injection vulnerability in Myblog Multiple SQL injection vulnerabilities in MyBlog allow remote attackers to execute arbitrary SQL commands via the (1) view parameter to (a) index.php, and the (2) id parameter to (b) member.php and (c) post.php. | 6.8 |
2008-07-01 | CVE-2008-2310 | Apple | USE of Externally-Controlled Format String vulnerability in Apple mac OS X and mac OS X Server Format string vulnerability in c++filt in Apple Mac OS X 10.5 before 10.5.4 allows user-assisted attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted string in (1) C++ or (2) Java source code. | 6.8 |
2008-07-01 | CVE-2008-2309 | Apple | Permissions, Privileges, and Access Controls vulnerability in Apple mac OS X and mac OS X Server Incomplete blacklist vulnerability in CoreTypes in Apple Mac OS X before 10.5.4 allows user-assisted remote attackers to execute arbitrary code via a (1) .xht or (2) .xhtm file, which does not trigger a "potentially unsafe" warning message in (a) the Download Validation feature in Mac OS X 10.4 or (b) the Quarantine feature in Mac OS X 10.5. | 6.8 |
2008-06-30 | CVE-2008-2949 | Microsoft | Unspecified vulnerability in Microsoft Internet Explorer 6/7 Cross-domain vulnerability in Microsoft Internet Explorer 6 and 7 allows remote attackers to change the location property of a frame via the String data type, and use a frame from a different domain to observe domain-independent events, as demonstrated by observing onkeydown events with caballero-listener. | 6.8 |
2008-06-30 | CVE-2008-2948 | Microsoft | Unspecified vulnerability in Microsoft Internet Explorer 7/8 Cross-domain vulnerability in Microsoft Internet Explorer 7 and 8 allows remote attackers to change the location property of a frame via the Object data type, and use a frame from a different domain to observe domain-independent events, as demonstrated by observing onkeydown events with caballero-listener. | 6.8 |
2008-06-30 | CVE-2008-2947 | Microsoft | Improper Access Control vulnerability in Microsoft Internet Explorer 5.01/6/7 Cross-domain vulnerability in Microsoft Internet Explorer 5.01 SP4, 6, and 7 allows remote attackers to access restricted information from other domains via JavaScript that uses the Object data type for the value of a (1) location or (2) location.href property, related to incorrect determination of the origin of web script, aka "Window Location Property Cross-Domain Vulnerability." NOTE: according to Microsoft, CVE-2008-2948 and CVE-2008-2949 are duplicates of this issue, probably different attack vectors. | 6.8 |
2008-06-30 | CVE-2008-2942 | Mercurial | Path Traversal vulnerability in Mercurial 1.0.1 Directory traversal vulnerability in patch.py in Mercurial 1.0.1 allows user-assisted attackers to modify arbitrary files via ".." (dot dot) sequences in a patch file. | 6.8 |
2008-06-30 | CVE-2008-2919 | Gryphonllc | SQL Injection vulnerability in Gryphonllc Gryphon Gllcts2 4.2.4 SQL injection vulnerability in listing.php in Gryphon gllcTS2 4.2.4 allows remote attackers to execute arbitrary SQL commands via the sort parameter. | 6.8 |
2008-06-30 | CVE-2008-2916 | Preprojects | SQL Injection vulnerability in Preprojects PRE ADS Portal Multiple SQL injection vulnerabilities in Pre ADS Portal 2.0 and earlier, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) cid parameter to showcategory.php and the (2) id parameter to software-description.php. | 6.8 |
2008-06-30 | CVE-2008-2913 | Devalcms | Path Traversal vulnerability in Devalcms 1.4A Directory traversal vulnerability in func.php in Devalcms 1.4a, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via a .. | 6.8 |
2008-06-30 | CVE-2008-2907 | Webchamado | SQL Injection vulnerability in Webchamado 1.1 SQL injection vulnerability in admin/index.php in WebChamado 1.1, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the eml parameter. | 6.8 |
2008-06-30 | CVE-2008-2906 | Webchamado | SQL Injection vulnerability in Webchamado 1.1 SQL injection vulnerability in lista_anexos.php in WebChamado 1.1 allows remote attackers to execute arbitrary SQL commands via the tsk_id parameter. | 6.8 |
2008-06-30 | CVE-2008-2905 | Mambo | Code Injection vulnerability in Mambo PHP remote file inclusion vulnerability in includes/Cache/Lite/Output.php in the Cache_Lite package in Mambo 4.6.4 and earlier, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter. | 6.8 |
2008-06-30 | CVE-2008-2903 | Awbs | SQL Injection vulnerability in Awbs Advanced Webhost Billing System SQL injection vulnerability in news.php in Advanced Webhost Billing System (AWBS) 2.3.3 through 2.7.1, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the viewnews parameter. | 6.8 |
2008-06-30 | CVE-2008-2901 | Haudenschilt | SQL Injection vulnerability in Haudenschilt Family Connections CMS 1.4 Multiple SQL injection vulnerabilities in Haudenschilt Family Connections CMS (FCMS) 1.4 allow remote authenticated users to execute arbitrary SQL commands via the (1) address parameter to addressbook.php, the (2) getnews parameter to familynews.php, and the (3) poll_id parameter to home.php in a results action. | 6.5 |
2008-07-01 | CVE-2008-2957 | Pidgin | Improper Input Validation vulnerability in Pidgin 2.0.0 The UPnP functionality in Pidgin 2.0.0, and possibly other versions, allows remote attackers to trigger the download of arbitrary files and cause a denial of service (memory or disk consumption) via a UDP packet that specifies an arbitrary URL. | 6.4 |
2008-06-30 | CVE-2008-2943 | IBM | Resource Management Errors vulnerability in IBM Tivoli Directory Server Double free vulnerability in IBM Tivoli Directory Server (TDS) 6.1.0.0 through 6.1.0.15 allows remote authenticated administrators to cause a denial of service (ABEND) and possibly execute arbitrary code by using ldapadd to attempt to create a duplicate ibm-globalAdminGroup LDAP database entry. | 6.0 |
2008-07-02 | CVE-2008-2969 | Yektaweb | Path Traversal vulnerability in Yektaweb Academic web Tools 1.4.3.1 Directory traversal vulnerability in download.php in Academic Web Tools (AWT YEKTA) 1.4.3.1, and 1.4.2.8 and earlier, allows remote attackers to read arbitrary files via a .. | 5.0 |
2008-07-02 | CVE-2008-2961 | Cmsmini | Path Traversal vulnerability in Cmsmini CMS Mini 0.2.2 Multiple directory traversal vulnerabilities in view/index.php in CMS Mini 0.2.2 allow remote attackers to read arbitrary local files via a .. | 5.0 |
2008-07-01 | CVE-2008-2953 | Linux | Improper Input Validation vulnerability in Linux Direct Connect Linux DC++ (linuxdcpp) before 0.707 allows remote attackers to cause a denial of service (crash) via "partial file list requests" that trigger a NULL pointer dereference. | 5.0 |
2008-06-30 | CVE-2008-0598 | Linux | Information Exposure vulnerability in Linux Kernel 2.6.18/2.6.9 Unspecified vulnerability in the 32-bit and 64-bit emulation in the Linux kernel 2.6.9, 2.6.18, and probably other versions allows local users to read uninitialized memory via unknown vectors involving a crafted binary. | 4.9 |
2008-06-30 | CVE-2008-2944 | Fedoraproject Linux Redhat | Double Free vulnerability in multiple products Double free vulnerability in the utrace support in the Linux kernel, probably 2.6.18, in Red Hat Enterprise Linux (RHEL) 5 and Fedora Core 6 (FC6) allows local users to cause a denial of service (oops), as demonstrated by a crash when running the GNU GDB testsuite, a different vulnerability than CVE-2008-2365. | 4.9 |
2008-07-01 | CVE-2008-2313 | Apple | Permissions, Privileges, and Access Controls vulnerability in Apple mac OS X and mac OS X Server Apple Mac OS X before 10.5 uses weak permissions for the User Template directory, which allows local users to gain privileges by inserting a Trojan horse file into this directory. | 4.6 |
2008-07-01 | CVE-2008-2308 | Apple | Permissions, Privileges, and Access Controls vulnerability in Apple mac OS X and mac OS X Server Unspecified vulnerability in Alias Manager in Apple Mac OS X 10.5.1 and earlier on Intel platforms allows local users to gain privileges or cause a denial of service (memory corruption and application crash) by resolving an alias that contains crafted AFP volume mount information. | 4.6 |
2008-07-01 | CVE-2008-2958 | Checkinstall | Race Condition vulnerability in Checkinstall 1.6.1 Race condition in (1) checkinstall 1.6.1 and (2) installwatch allows local users to overwrite arbitrary files and have other impacts via symlink and possibly other attacks on temporary working directories. | 4.4 |
2008-07-01 | CVE-2008-2314 | Apple | Permissions, Privileges, and Access Controls vulnerability in Apple mac OS X and mac OS X Server Dock in Apple Mac OS X 10.5 before 10.5.4, when Exposé hot corners is enabled, allows physically proximate attackers to gain access to a locked session in (1) sleep mode or (2) screen saver mode via unspecified vectors. | 4.4 |
2008-07-03 | CVE-2008-2998 | Drupal | Cross-Site Scripting vulnerability in Drupal Aggregation Module Multiple cross-site scripting (XSS) vulnerabilities in the Aggregation module 5.x before 5.x-4.4 for Drupal allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2008-07-03 | CVE-2008-2997 | Gravityboardx | Cross-Site Scripting vulnerability in Gravityboardx Gravity Board X 2.0 Cross-site scripting (XSS) vulnerability in index.php in Gravity Board X (GBX) 2.0 Beta allows remote attackers to inject arbitrary web script or HTML via the subject parameter in a postnewsubmit (aka create new thread) action. | 4.3 |
2008-07-03 | CVE-2008-2994 | Phpeasydata | Cross-Site Scripting vulnerability in PHPeasydata 1.5.4 Multiple cross-site scripting (XSS) vulnerabilities in PHPEasyData 1.5.4 allow remote attackers to inject arbitrary web script or HTML via the (1) annuaire parameter to (a) last_records.php and (b) annuaire.php and the (2) by and (3) cat_id parameters to annuaire.php. | 4.3 |
2008-07-02 | CVE-2008-2987 | Benjacms | Cross-Site Scripting vulnerability in Benjacms Benja CMS 0.1 Multiple cross-site scripting (XSS) vulnerabilities in Benja CMS 0.1 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) admin_edit_submenu.php, (2) admin_new_submenu.php, and (3) admin_edit_topmenu.php in admin/. | 4.3 |
2008-07-02 | CVE-2008-2984 | Cmreams | Cross-Site Scripting vulnerability in Cmreams CMS 1.3.1.1 Cross-site scripting (XSS) vulnerability in backend/umleitung.php in CMReams CMS 1.3.1.1 Beta 2 allows remote attackers to inject arbitrary web script or HTML via the lang[be_red_text] parameter. | 4.3 |
2008-07-02 | CVE-2008-2980 | Homeph Design | Cross-Site Scripting vulnerability in Homeph Design Homeph Design 2.10 Multiple cross-site scripting (XSS) vulnerabilities in HomePH Design 2.10 RC2 allow remote attackers to inject arbitrary web script or HTML via the (1) error_meldung parameter to admin/features/register/register.php, the (2) feature_language[ueberschrift] parameter to admin/features/memberlist/memberlist.php, the (3) language_array[ueberschrift] parameter to admin/features/lostpassword/lostpassword.php, the (4) language_feature[titel] parameter to admin/features/kalender/eingabe.php, and the (5) language_feature[bildmenu] parameter to admin/features/fotogalerie/eingabe.php. | 4.3 |
2008-07-02 | CVE-2008-2979 | Ourvideo CMS | Cross-Site Scripting vulnerability in Ourvideo CMS Ourvideo CMS 9.5 Multiple cross-site scripting (XSS) vulnerabilities in phpi/login.php in Ourvideo CMS 9.5 allow remote attackers to inject arbitrary web script or HTML via the (1) top_page and (2) end_page parameters. | 4.3 |
2008-07-02 | CVE-2008-2975 | Tinx CMS | Cross-Site Scripting vulnerability in Tinx CMS Tinx CMS 1.1 Cross-site scripting (XSS) vulnerability in admin/objects/obj_image.php in TinX/cms 1.1 allows remote attackers to inject arbitrary web script or HTML via the language parameter. | 4.3 |
2008-07-02 | CVE-2008-2973 | MM Chat | Cross-Site Scripting vulnerability in MM Chat MM Chat 1.5 Multiple cross-site scripting (XSS) vulnerabilities in chathead.php in MM Chat 1.5 allow remote attackers to inject arbitrary web script or HTML via the (1) sitename and (2) wmessage parameters. | 4.3 |
2008-07-02 | CVE-2008-2967 | Yektaweb | Cross-Site Scripting vulnerability in Yektaweb Academic web Tools Multiple cross-site scripting (XSS) vulnerabilities in Academic Web Tools (AWT YEKTA) 1.4.3.1, and 1.4.2.8 and earlier, allow remote attackers to inject arbitrary web script or HTML via the (1) query string to login.php and the (2) glb_sid parameter to hta/htmlarea.js.php, and allow remote authenticated users to inject arbitrary web script or HTML via an unspecified field in room.php. | 4.3 |
2008-07-02 | CVE-2008-2965 | Jaxbot | Cross-Site Scripting vulnerability in Jaxbot Jaxultrabb Cross-site scripting (XSS) vulnerability in viewforum.php in JaxUltraBB (JUBB) 2.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the forum parameter. | 4.3 |
2008-07-02 | CVE-2008-2962 | Myblog | Cross-Site Scripting vulnerability in Myblog Multiple cross-site scripting (XSS) vulnerabilities in MyBlog allow remote attackers to inject arbitrary web script or HTML via the (1) s and (2) sort parameters to index.php, and the (3) id parameter to post.php. | 4.3 |
2008-07-01 | CVE-2008-2955 | Pidgin | Improper Input Validation vulnerability in Pidgin 2.4.1 Pidgin 2.4.1 allows remote attackers to cause a denial of service (crash) via a long filename that contains certain characters, as demonstrated using an MSN message that triggers the crash in the msn_slplink_process_msg function. | 4.3 |
2008-06-30 | CVE-2008-2924 | Valarsoft | Cross-Site Scripting vulnerability in Valarsoft Webmatic Cross-site scripting (XSS) vulnerability in Webmatic before 2.8 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2008-06-30 | CVE-2008-2923 | Lyris | Cross-Site Scripting vulnerability in Lyris List Manager 8.8/8.95/9.3D Cross-site scripting (XSS) vulnerability in read/search/results in Lyris ListManager 8.8, 8.95, and 9.3d allows remote attackers to inject arbitrary web script or HTML via the words parameter. | 4.3 |
2008-06-30 | CVE-2008-2911 | Contenido | Cross-Site Scripting vulnerability in Contenido Contenido 4.8.4 Multiple cross-site scripting (XSS) vulnerabilities in index.php in Contenido 4.8.4 allow remote attackers to inject arbitrary web script or HTML via the (1) contenido, (2) Belang, and (3) username parameters. | 4.3 |
1 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2008-07-02 | CVE-2008-2960 | Phpmyadmin | Cross-Site Scripting vulnerability in PHPmyadmin Cross-site scripting (XSS) vulnerability in phpMyAdmin before 2.11.7, when register_globals is enabled and .htaccess support is disabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving scripts in libraries/. | 2.6 |