Weekly Vulnerabilities Reports > August 18 to 24, 2008
Overview
67 new vulnerabilities reported during this period, including 6 critical vulnerabilities and 33 high severity vulnerabilities. This weekly summary report vulnerabilities in 59 products from 42 vendors including Yourfreeworld, Turnkeywebtools, Microworld Technologies, Lussumo, and Hotscripts. Vulnerabilities are notably categorized as "SQL Injection", "Cross-site Scripting", "Path Traversal", "Code Injection", and "Improper Restriction of Operations within the Bounds of a Memory Buffer".
- 64 reported vulnerabilities are remotely exploitables.
- 32 reported vulnerabilities have public exploit available.
- 43 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 62 reported vulnerabilities are exploitable by an anonymous user.
- Yourfreeworld has the most reported vulnerabilities, with 10 reported vulnerabilities.
- Microsoft has the most reported critical vulnerabilities, with 1 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
6 Critical Vulnerabilities
| DATE | CVE | VENDOR | VULNERABILITY | CVSS |
|---|---|---|---|---|
| 2008-08-18 | CVE-2008-3703 | Symantec | Improper Authentication vulnerability in Symantec Veritas Storage Foundation 5.0/5.1 The management console in the Volume Manager Scheduler Service (aka VxSchedService.exe) in Symantec Veritas Storage Foundation for Windows (SFW) 5.0, 5.0 RP1a, and 5.1 accepts NULL NTLMSSP authentication, which allows remote attackers to execute arbitrary code via requests to the service socket that create "snapshots schedules" registry values specifying future command execution. | 10.0 |
| 2008-08-18 | CVE-2008-3533 | Gnome | USE of Externally-Controlled Format String vulnerability in Gnome and Yelp Format string vulnerability in the window_error function in yelp-window.c in yelp in Gnome after 2.19.90 and before 2.24 allows remote attackers to execute arbitrary code via format string specifiers in an invalid URI on the command line, as demonstrated by use of yelp within (1) man or (2) ghelp URI handlers in Firefox, Evolution, and unspecified other programs. | 10.0 |
| 2008-08-20 | CVE-2008-3734 | Ipswitch | USE of Externally-Controlled Format String vulnerability in Ipswitch WS FTP Home and WS FTP PRO Format string vulnerability in Ipswitch WS_FTP Home 2007.0.0.2 and WS_FTP Professional 2007.1.0.0 allows remote FTP servers to cause a denial of service (application crash) or possibly execute arbitrary code via format string specifiers in a connection greeting (response). | 9.3 |
| 2008-08-20 | CVE-2008-3733 | EO Video | Buffer Errors vulnerability in Eo-Video 1.36 Stack-based buffer overflow in EO Video (eo-video) 1.36 allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via a .eop (aka playlist) file with a ProjectElement element that contains a long Name element. | 9.3 |
| 2008-08-20 | CVE-2008-3732 | Videolan | Numeric Errors vulnerability in Videolan VLC Media Player 0.8.6I Integer overflow in the Open function in modules/demux/tta.c in VLC Media Player 0.8.6i allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted TTA file, which triggers a heap-based buffer overflow. | 9.3 |
| 2008-08-18 | CVE-2008-3704 | Microsoft | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Microsoft products Heap-based buffer overflow in the MaskedEdit ActiveX control in Msmask32.ocx 6.0.81.69, and possibly other versions before 6.0.84.18, in Microsoft Visual Studio 6.0, Visual Basic 6.0, Visual Studio .NET 2002 SP1 and 2003 SP1, and Visual FoxPro 8.0 SP1 and 9.0 SP1 and SP2 allows remote attackers to execute arbitrary code via a long Mask parameter, related to not "validating property values with boundary checks," as exploited in the wild in August 2008, aka "Masked Edit Control Memory Corruption Vulnerability." Additional advisory information from Secunia: http://secunia.com/advisories/31498/ "Visual Studio 6 was last updated June 2000, a Microsoft spokeswoman told SCMagazineUS.com. | 9.3 |
33 High Vulnerabilities
| DATE | CVE | VENDOR | VULNERABILITY | CVSS |
|---|---|---|---|---|
| 2008-08-18 | CVE-2008-3324 | Party Gaming | Download of Code Without Integrity Check vulnerability in Party Gaming Party Poker Client 121120 The PartyGaming PartyPoker client program 121/120 does not properly verify the authenticity of updates, which allows remote man-in-the-middle attackers to execute arbitrary code via a Trojan horse update. | 8.1 |
| 2008-08-22 | CVE-2008-3774 | Simasy | SQL Injection vulnerability in Simasy CMS SQL injection vulnerability in index.php in Simasy CMS allows remote attackers to execute arbitrary SQL commands via the id parameter. | 7.5 |
| 2008-08-22 | CVE-2008-3772 | Pars4U | SQL Injection vulnerability in Pars4U Videosharing 1 SQL injection vulnerability in categories_portal.php in Pars4u Videosharing 1 allows remote attackers to execute arbitrary SQL commands via the cat_id parameter. | 7.5 |
| 2008-08-22 | CVE-2008-3768 | Turnkeywebtools | SQL Injection vulnerability in Turnkeywebtools Sunshop Shopping Cart Multiple SQL injection vulnerabilities in class.ajax.php in Turnkey Web Tools SunShop Shopping Cart before 4.1.5 allow remote attackers to execute arbitrary SQL commands via (1) the id parameter in an edit_registry action to index.php, (2) a vector involving the check_email function, and other vectors. | 7.5 |
| 2008-08-22 | CVE-2008-3767 | Smartisoft | SQL Injection vulnerability in Smartisoft PHPbazar 2.0.2 SQL injection vulnerability in classified.php in phpBazar 2.0.2 allows remote attackers to execute arbitrary SQL commands via the adid parameter. | 7.5 |
| 2008-08-21 | CVE-2008-3765 | Discountedscripts | SQL Injection vulnerability in Discountedscripts Quick Poll Script SQL injection vulnerability in code.php in Quick Poll Script allows remote attackers to execute arbitrary SQL commands via the id parameter. | 7.5 |
| 2008-08-21 | CVE-2008-3764 | Turnkeywebtools | Code Injection vulnerability in Turnkeywebtools PHP Live Helper 2.0 Eval injection vulnerability in globalsoff.php in Turnkey PHP Live Helper 2.0.1 and earlier allows remote attackers to execute arbitrary PHP code via the test parameter, and probably arbitrary parameters, to chat.php. | 7.5 |
| 2008-08-21 | CVE-2008-3762 | Turnkeywebtools | SQL Injection vulnerability in Turnkeywebtools PHP Live Helper 2.0 SQL injection vulnerability in onlinestatus_html.php in Turnkey PHP Live Helper 2.0.1 and earlier allows remote attackers to execute arbitrary SQL commands via the dep parameter, related to lack of input sanitization in the get function in global.php. | 7.5 |
| 2008-08-21 | CVE-2008-3759 | Lussumo | Cross-Site Request Forgery (CSRF) vulnerability in Lussumo Vanilla Cross-site request forgery (CSRF) vulnerability in ajax/UpdateCheck.php in Vanilla 1.1.4 and earlier has unknown impact and remote attack vectors. | 7.5 |
| 2008-08-21 | CVE-2008-3757 | Yourfreeworld | SQL Injection vulnerability in Yourfreeworld Forced Matrix Script SQL injection vulnerability in tr1.php in YourFreeWorld Forced Matrix Script allows remote attackers to execute arbitrary SQL commands via the id parameter. | 7.5 |
| 2008-08-21 | CVE-2008-3756 | Yourfreeworld | SQL Injection vulnerability in Yourfreeworld Viral Marketing Script SQL injection vulnerability in tr.php in YourFreeWorld Viral Marketing Script allows remote attackers to execute arbitrary SQL commands via the id parameter. | 7.5 |
| 2008-08-21 | CVE-2008-3755 | Yourfreeworld | SQL Injection vulnerability in Yourfreeworld Classifieds SQL injection vulnerability in view.php in YourFreeWorld Classifieds Script allows remote attackers to execute arbitrary SQL commands via the category parameter. | 7.5 |
| 2008-08-21 | CVE-2008-3754 | Yourfreeworld | SQL Injection vulnerability in Yourfreeworld Stylish Text ADS Script SQL injection vulnerability in trl.php in YourFreeWorld Stylish Text Ads Script allows remote attackers to execute arbitrary SQL commands via the id parameter. | 7.5 |
| 2008-08-21 | CVE-2008-3753 | Yourfreeworld | SQL Injection vulnerability in Yourfreeworld Programs Rating Script SQL injection vulnerability in details.php in YourFreeWorld Programs Rating Script allows remote attackers to execute arbitrary SQL commands via the id parameter. | 7.5 |
| 2008-08-21 | CVE-2008-3752 | Yourfreeworld | SQL Injection vulnerability in Yourfreeworld Ad-Exchange Script SQL injection vulnerability in tr.php in YourFreeWorld Ad-Exchange Script allows remote attackers to execute arbitrary SQL commands via the id parameter. | 7.5 |
| 2008-08-21 | CVE-2008-3751 | Yourfreeworld | SQL Injection vulnerability in Yourfreeworld Short URL and URL Tracker Script SQL injection vulnerability in tr.php in YourFreeWorld Short Url & Url Tracker Script allows remote attackers to execute arbitrary SQL commands via the id parameter. | 7.5 |
| 2008-08-21 | CVE-2008-3750 | Yourfreeworld | SQL Injection vulnerability in Yourfreeworld URL Rotator Script SQL injection vulnerability in tr.php in YourFreeWorld URL Rotator Script allows remote attackers to execute arbitrary SQL commands via the id parameter. | 7.5 |
| 2008-08-21 | CVE-2008-3749 | Yourfreeworld | SQL Injection vulnerability in Yourfreeworld Banner Management Script SQL injection vulnerability in tr.php in YourFreeWorld Banner Management Script allows remote attackers to execute arbitrary SQL commands via the id parameter. | 7.5 |
| 2008-08-21 | CVE-2008-3748 | Lbstone | SQL Injection vulnerability in Lbstone Active PHP Bookmarks and APB SQL injection vulnerability in view_group.php in Active PHP Bookmarks (APB) 1.1.02 and 1.2.06 allows remote attackers to execute arbitrary SQL commands via the id parameter. | 7.5 |
| 2008-08-20 | CVE-2008-3729 | Microworld Technologies | Improper Authentication vulnerability in Microworld Technologies Mailscan 5.6.A Web Based Administration in MicroWorld Technologies MailScan 5.6.a espatch 1 allows remote attackers to bypass authentication and obtain administrative access via a direct request with (1) an IsAdmin=true cookie value or (2) no cookie. | 7.5 |
| 2008-08-20 | CVE-2008-3725 | Yourfreeworld | SQL Injection vulnerability in Yourfreeworld AD Board Script SQL injection vulnerability in trr.php in YourFreeWorld Ad Board Script allows remote attackers to execute arbitrary SQL commands via the id parameter. | 7.5 |
| 2008-08-20 | CVE-2008-3724 | Papoo | SQL Injection vulnerability in Papoo SQL injection vulnerability in index.php in Papoo before 3.7.2 allows remote attackers to execute arbitrary SQL commands via the suchanzahl parameter. | 7.5 |
| 2008-08-20 | CVE-2008-3722 | Fipsasp | SQL Injection vulnerability in Fipsasp Fipscms 2.1 SQL injection vulnerability in forum/neu.asp in fipsCMS 2.1 allows remote attackers to execute arbitrary SQL commands via the kat parameter. | 7.5 |
| 2008-08-20 | CVE-2008-3721 | Deeemm | Code Injection vulnerability in Deeemm Dmcms 0.7.4 PHP remote file inclusion vulnerability in user_language.php in DeeEmm CMS (DMCMS) 0.7.4 allows remote attackers to execute arbitrary PHP code via a URL in the language_dir parameter. | 7.5 |
| 2008-08-20 | CVE-2008-3720 | Deeemm | SQL Injection vulnerability in Deeemm Dmcms 0.7.4 SQL injection vulnerability in index.php in DeeEmm CMS (DMCMS) 0.7.4 allows remote attackers to execute arbitrary SQL commands via the page parameter. | 7.5 |
| 2008-08-20 | CVE-2008-3719 | Scripts FOR Sites | SQL Injection vulnerability in Scripts-For-Sites Affiliate Directory SQL injection vulnerability in directory.php in SFS Affiliate Directory allows remote attackers to execute arbitrary SQL commands via the id parameter in a deadlink action. | 7.5 |
| 2008-08-19 | CVE-2008-3713 | Phpbasket | SQL Injection vulnerability in PHPbasket SQL injection vulnerability in product.php in PHPBasket allows remote attackers to execute arbitrary SQL commands via the pro_id parameter. | 7.5 |
| 2008-08-19 | CVE-2008-3711 | Phparcadescript | SQL Injection vulnerability in PHParcadescript 4.0 SQL injection vulnerability in index.php in PHPArcadeScript (PHP Arcade Script) 4.0 allows remote attackers to execute arbitrary SQL commands via the cat parameter in a browse action. | 7.5 |
| 2008-08-19 | CVE-2008-3707 | Hotscripts | Code Injection vulnerability in Hotscripts Cyboards PHP Lite 1.21 Multiple PHP remote file inclusion vulnerabilities in CyBoards PHP Lite 1.21 allow remote attackers to execute arbitrary PHP code via a URL in the script_path parameter to (1) flat_read.php, (2) post.php, (3) process_post.php, (4) process_search.php, (5) forum.php, (6) process_subscribe.php, (7) read.php, (8) search.php, (9) subscribe.php in path/; and (10) add_ban.php, (11) add_ban_form.php, (12) add_board.php, (13) add_vip.php, (14) add_vip_form.php, (15) copy_ban.php, (16) copy_vip.php, (17) delete_ban.php, (18) delete_board.php, (19) delete_messages.php, (20) delete_vip.php, (21) edit_ban.php, (22) edit_board.php, (23) edit_vip.php, (24) index.php, (25) lock_messages.php, (26) login.php, (27) modify_ban_list.php, (28) modify_vip_list.php, (29) move_messages.php, (30) process_add_board.php, (31) process_ban.php, (32) process_delete_ban.php, (33) process_delete_board.php, (34) process_delete_messages.php, (35) process_delete_vip.php, (36) process_edit_board.php, (37) process_lock_messages.php, (38) process_login.php, (39) process_move_messages.php, (40) process_sticky_messages.php, (41) process_vip.php, and (42) sticky_messages.php in path/adminopts. | 7.5 |
| 2008-08-19 | CVE-2008-3706 | Zeeways | SQL Injection vulnerability in Zeeways Zeejobsite 2.0 SQL injection vulnerability in bannerclick.php in ZEEJOBSITE 2.0 allows remote attackers to execute arbitrary SQL commands via the adid parameter. | 7.5 |
| 2008-08-19 | CVE-2008-3705 | Echovnc | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Echovnc Stack-based buffer overflow in the CLogger::WriteFormated function in echoware/Logger.cpp in EchoVNC Linux before 1.1.2 allows remote echoServers to execute arbitrary code via a large (1) group or (2) user list, aka a "very crowded echoServer" attack. | 7.5 |
| 2008-08-18 | CVE-2008-2234 | Openwsman | Buffer Errors vulnerability in Openwsman 1.2.0/2.0.0 Multiple buffer overflows in Openwsman 1.2.0 and 2.0.0 allow remote attackers to execute arbitrary code via a crafted "Authorization: Basic" HTTP header. | 7.5 |
| 2008-08-18 | CVE-2008-2233 | Openwsman | Code Injection vulnerability in Openwsman 1.2.0/2.0.0 The client in Openwsman 1.2.0 and 2.0.0, in unknown configurations, allows remote Openwsman servers to replay SSL sessions via unspecified vectors. | 7.5 |
24 Medium Vulnerabilities
| DATE | CVE | VENDOR | VULNERABILITY | CVSS |
|---|---|---|---|---|
| 2008-08-22 | CVE-2008-3770 | Openfreeway | Path Traversal vulnerability in Openfreeway Freeway 1.4.1.171 Multiple directory traversal vulnerabilities in Freeway 1.4.1.171, when register_globals is enabled, allow remote attackers to include and execute arbitrary local files via a .. | 6.8 |
| 2008-08-22 | CVE-2008-3769 | Openfreeway | Code Injection vulnerability in Openfreeway Freeway 1.4.1.171 PHP remote file inclusion vulnerability in admin/create_order_new.php in Freeway 1.4.1.171, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the include_page parameter. | 6.8 |
| 2008-08-21 | CVE-2008-3763 | Turnkeywebtools | Improper Input Validation vulnerability in Turnkeywebtools PHP Live Helper 2.0 Variable overwrite vulnerability in libsecure.php in Turnkey PHP Live Helper 2.0.1 and earlier, when register_globals is enabled, allows remote attackers to overwrite arbitrary variables related to the db config file. | 6.8 |
| 2008-08-20 | CVE-2008-3718 | Cyberbb | SQL Injection vulnerability in Cyberbb 0.6 Multiple SQL injection vulnerabilities in cyberBB 0.6 allow remote authenticated users to execute arbitrary SQL commands via the (1) id parameter to show_topic.php and the (2) user parameter to profile.php. | 6.5 |
| 2008-08-20 | CVE-2008-3723 | Phpizabi | Path Traversal vulnerability in PHPizabi 0.848B Directory traversal vulnerability in index.php in PHPizabi 0.848b C1 HFP3 allows remote authenticated administrators to read arbitrary files via (1) a .. | 6.3 |
| 2008-08-19 | CVE-2008-3716 | Harmoni | Cross-Site Request Forgery (CSRF) vulnerability in Harmoni Cross-site request forgery (CSRF) vulnerability in Harmoni before 1.6.0 allows remote attackers to make administrative modifications via a (1) save or (2) delete action to an unspecified component. | 6.0 |
| 2008-08-19 | CVE-2008-3710 | Hotscripts | Path Traversal vulnerability in Hotscripts Cyboards PHP Lite 1.21 Multiple directory traversal vulnerabilities in CyBoards PHP Lite 1.21 allow remote attackers to include and execute arbitrary local files via directory traversal sequences in the (1) script_path parameter to (a) options.php and the (2) lang_code parameter to (b) copy_vip.php and (c) process_edit_board.php in adminopts/. | 5.1 |
| 2008-08-22 | CVE-2008-3766 | Realtime Internet Band Rehearsal | Improper Input Validation vulnerability in Realtime Internet Band Rehearsal LOW Latency Internet Connection Tool 0.9.4/0.9.9/2.0.0 Realtime Internet Band Rehearsal Low-Latency (Internet) Connection tool (llcon) before 2.1.2 allows remote attackers to cause a denial of service (application crash) via malformed protocol messages. | 5.0 |
| 2008-08-20 | CVE-2008-3728 | Microworld Technologies | Permissions, Privileges, and Access Controls vulnerability in Microworld Technologies Mailscan 5.6.A Web Based Administration in MicroWorld Technologies MailScan 5.6.a espatch 1 stores sensitive information under the web root with insufficient access control, which allows remote attackers to determine the installation path, IP addresses, and error messages via direct requests to files under LOG/. | 5.0 |
| 2008-08-20 | CVE-2008-3727 | Microworld Technologies | Path Traversal vulnerability in Microworld Technologies Mailscan 5.6.A Directory traversal vulnerability in Web Based Administration in MicroWorld Technologies MailScan 5.6.a espatch 1 allows remote attackers to read arbitrary files via a .. | 5.0 |
| 2008-08-19 | CVE-2008-3717 | Harmoni | Permissions, Privileges, and Access Controls vulnerability in Harmoni Harmoni before 1.6.0 does not require administrative privileges to list (1) user names or (2) asset ids, which allows remote attackers to obtain sensitive information. | 5.0 |
| 2008-08-21 | CVE-2008-3761 | Vmware | Improper Input Validation vulnerability in VMWare Workstation 6.0.0.45731 hcmon.sys in VMware Workstation 6.5.1 and earlier, VMware Player 2.5.1 and earlier, VMware ACE 2.5.1 and earlier, and VMware Server 1.0.x before 1.0.9 build 156507 and 2.0.x before 2.0.1 build 156745 uses the METHOD_NEITHER communication method for IOCTLs, which allows local users to cause a denial of service via a crafted IOCTL request. | 4.9 |
| 2008-08-22 | CVE-2008-3775 | Newsoftwares | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Newsoftwares Folder Lock Folder Lock 5.9.5 and earlier uses weak encryption (ROT-25) for the password, which allows local administrators to obtain sensitive information by reading and decrypting the QualityControl\_pack registry value. | 4.4 |
| 2008-08-22 | CVE-2008-3773 | Vbulletin | Cross-Site Scripting vulnerability in Vbulletin 3.6.10/3.7.2 Cross-site scripting (XSS) vulnerability in vBulletin 3.7.2 PL1 and 3.6.10 PL3, when "Show New Private Message Notification Pop-Up" is enabled, allows remote authenticated users to inject arbitrary web script or HTML via a private message subject (aka newpm[title]). | 4.3 |
| 2008-08-22 | CVE-2008-3771 | Pars4U | Cross-Site Scripting vulnerability in Pars4U Videosharing 1 Cross-site scripting (XSS) vulnerability in members.php in Pars4u Videosharing 1 allows remote attackers to inject arbitrary web script or HTML via the PageNo parameter. | 4.3 |
| 2008-08-21 | CVE-2008-3760 | Lussumo | Cross-Site Request Forgery (CSRF) vulnerability in Lussumo Vanilla Cross-site request forgery (CSRF) vulnerability in the sign-out page in Vanilla 1.1.4 and earlier allows remote attackers to hijack the authentication of arbitrary users for requests that trigger a logout via a SignOutNow action to people.php. | 4.3 |
| 2008-08-21 | CVE-2008-3758 | Lussumo | Cross-Site Scripting vulnerability in Lussumo Vanilla Multiple cross-site scripting (XSS) vulnerabilities in Lussumo Vanilla 1.1.4 and earlier (1) allow remote attackers to inject arbitrary web script or HTML via the NewPassword parameter to people.php, and allow remote authenticated users to inject arbitrary web script or HTML via the (2) Account picture and (3) Icon fields in account.php. | 4.3 |
| 2008-08-20 | CVE-2008-3735 | Phpizabi | Cross-Site Scripting vulnerability in PHPizabi 0.848B Cross-site scripting (XSS) vulnerability in index.php in PHPizabi before 848 Core HotFix Pack 3 allows remote attackers to inject arbitrary web script or HTML via the query parameter in a blogs.search action. | 4.3 |
| 2008-08-20 | CVE-2008-3730 | Nordicwind | Cross-Site Scripting vulnerability in Nordicwind Noah and Nordicwind Document Management System Cross-site scripting (XSS) vulnerability in Nordicwind Document Management System (NOAH) before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
| 2008-08-20 | CVE-2008-3726 | Microworld Technologies | Cross-Site Scripting vulnerability in Microworld Technologies Mailscan 5.6.A Cross-site scripting (XSS) vulnerability in Web Based Administration in MicroWorld Technologies MailScan 5.6.a espatch 1 allows remote attackers to inject arbitrary web script or HTML via the URI. | 4.3 |
| 2008-08-19 | CVE-2008-3714 | Awstats | Cross-Site Scripting vulnerability in Awstats 6.8 Cross-site scripting (XSS) vulnerability in awstats.pl in AWStats 6.8 allows remote attackers to inject arbitrary web script or HTML via the query_string, a different vulnerability than CVE-2006-3681 and CVE-2006-1945. | 4.3 |
| 2008-08-19 | CVE-2008-3709 | Hotscripts | Cross-Site Scripting vulnerability in Hotscripts Cyboards PHP Lite 1.21 Multiple cross-site scripting (XSS) vulnerabilities in CyBoards PHP Lite 1.21 allow remote attackers to inject arbitrary web script or HTML via the (1) lOptionsOptions, (2) lNavAdminOptions, or (3) lNavReturn parameter to options.php; or the (4) lNavReturn parameter to subscribe.php. | 4.3 |
| 2008-08-19 | CVE-2008-3708 | Dotcms | Path Traversal vulnerability in Dotcms 1.6.0.9 Multiple directory traversal vulnerabilities in dotCMS 1.6.0.9 allow remote attackers to read arbitrary files via a .. | 4.3 |
| 2008-08-20 | CVE-2008-3731 | Solarwinds | Remote Denial of Service vulnerability in RhinoSoft Serv-U SFTP Unspecified vulnerability in Serv-U File Server 7.0.0.1, and other versions before 7.2.0.1, allows remote authenticated users to cause a denial of service (daemon crash) via an SSH session with SFTP commands for directory creation and logging. | 4.0 |
4 Low Vulnerabilities
| DATE | CVE | VENDOR | VULNERABILITY | CVSS |
|---|---|---|---|---|
| 2008-08-19 | CVE-2008-3715 | Flexcms | Cross-Site Scripting vulnerability in Flexcms 2.0/2.5 Cross-site scripting (XSS) vulnerability in inc-core-admin-editor-previouscolorsjs.php in the FlexCMS 2.5 and earlier, when register_globals is enabled, allows remote attackers to inject arbitrary web script or HTML via the PreviousColorsString parameter. | 2.6 |
| 2008-08-19 | CVE-2008-3712 | Mambo | Cross-Site Scripting vulnerability in Mambo 4.6.2/4.6.5 Multiple cross-site scripting (XSS) vulnerabilities in Mambo 4.6.2 and 4.6.5, when register_globals is enabled, allow remote attackers to inject arbitrary web script or HTML via the (1) query string to mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/connector.php and the (2) mosConfig_sitename parameter to administrator/popups/index3pop.php. | 2.6 |
| 2008-08-18 | CVE-2008-3270 | Redhat | Cryptographic Issues vulnerability in Redhat Enterprise Linux 5.0 yum-rhn-plugin in Red Hat Enterprise Linux (RHEL) 5 does not verify the SSL certificate for a file download from a Red Hat Network (RHN) server, which makes it easier for remote man-in-the-middle attackers to cause a denial of service (loss of updates) or force the download and installation of official Red Hat packages that were not requested. | 2.6 |
| 2008-08-18 | CVE-2008-2937 | Postfix | Information Exposure vulnerability in Postfix Postfix 2.5 before 2.5.4 and 2.6 before 2.6-20080814 delivers to a mailbox file even when this file is not owned by the recipient, which allows local users to read e-mail messages by creating a mailbox file corresponding to another user's account name. | 1.9 |