Weekly Vulnerabilities Reports > February 23 to March 1, 2009
Overview
170 new vulnerabilities reported during this period, including 15 critical vulnerabilities and 85 high severity vulnerabilities. This weekly summary report vulnerabilities in 156 products from 104 vendors including Cisco, Joomla, Typo3, Scripts FOR Sites, and Adobe. Vulnerabilities are notably categorized as "SQL Injection", "Cross-site Scripting", "Path Traversal", "Permissions, Privileges, and Access Controls", and "Code Injection".
- 166 reported vulnerabilities are remotely exploitables.
- 95 reported vulnerabilities have public exploit available.
- 122 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 154 reported vulnerabilities are exploitable by an anonymous user.
- Cisco has the most reported vulnerabilities, with 14 reported vulnerabilities.
- Cisco has the most reported critical vulnerabilities, with 7 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
15 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2009-02-26 | CVE-2009-0208 | HP | Code Injection vulnerability in HP Virtual Rooms 6.0 Unspecified vulnerability in HP Virtual Rooms Client before 7.0.1, when running on Windows, allows remote attackers to execute arbitrary code via unknown vectors. | 10.0 |
2009-02-26 | CVE-2009-0621 | Cisco | Configuration vulnerability in Cisco ACE 4710 Cisco ACE 4710 Application Control Engine Appliance before A1(8a) uses default (1) usernames and (2) passwords for (a) the administrator, (b) web management, and (c) device management, which makes it easier for remote attackers to perform configuration changes to the Device Manager and other components, or obtain operating-system access. | 10.0 |
2009-02-26 | CVE-2009-0620 | Cisco | Credentials Management vulnerability in Cisco Application Control Engine Module Cisco ACE Application Control Engine Module for Catalyst 6500 Switches and 7600 Routers before A2(1.1) uses default (1) usernames and (2) passwords for (a) the administrator and (b) web management, which makes it easier for remote attackers to perform configuration changes or obtain operating-system access. | 10.0 |
2009-02-26 | CVE-2009-0617 | Cisco | Credentials Management vulnerability in Cisco Application Networking Manager 1.1 Cisco Application Networking Manager (ANM) before 2.0 uses a default MySQL root password, which makes it easier for remote attackers to execute arbitrary operating-system commands or change system files. | 10.0 |
2009-02-26 | CVE-2009-0616 | Cisco | Credentials Management vulnerability in Cisco Application Networking Manager 1.1 Cisco Application Networking Manager (ANM) before 2.0 uses default usernames and passwords, which makes it easier for remote attackers to access the application, or cause a denial of service via configuration changes, related to "default user credentials during installation." | 10.0 |
2009-02-26 | CVE-2009-0520 | Adobe | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Adobe products Adobe Flash Player 9.x before 9.0.159.0 and 10.x before 10.0.22.87 does not properly remove references to destroyed objects during Shockwave Flash file processing, which allows remote attackers to execute arbitrary code via a crafted file, related to a "buffer overflow issue." | 9.3 |
2009-02-26 | CVE-2009-0519 | Adobe | Improper Input Validation vulnerability in Adobe products Unspecified vulnerability in Adobe Flash Player 9.x before 9.0.159.0 and 10.x before 10.0.22.87 allows remote attackers to cause a denial of service (browser crash) or possibly execute arbitrary code via a crafted Shockwave Flash (aka .swf) file. | 9.3 |
2009-02-26 | CVE-2009-0187 | Orbitdownloader | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Orbitdownloader Orbit Downloader 2.8.2/2.8.3/2.8.4 Stack-based buffer overflow in Orbit Downloader 2.8.2 and 2.8.3, and possibly other versions before 2.8.5, allows remote attackers to execute arbitrary code via a crafted HTTP URL with a long host name, which is not properly handled when constructing a "Connecting" log message. | 9.3 |
2009-02-25 | CVE-2009-0734 | Nokia | Buffer Errors vulnerability in Nokia PC Suite 6.86.9.3 Heap-based buffer overflow in MultimediaPlayer.exe 6.86.240.7 in Nokia PC Suite 6.86.9.3 allows remote attackers to execute arbitrary code via a long string in a .m3u playlist file. | 9.3 |
2009-02-25 | CVE-2009-0238 | Microsoft | Code Injection vulnerability in Microsoft products Microsoft Office Excel 2000 SP3, 2002 SP3, 2003 SP3, and 2007 SP1; Excel Viewer 2003 Gold and SP3; Excel Viewer; Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1; and Excel in Microsoft Office 2004 and 2008 for Mac allow remote attackers to execute arbitrary code via a crafted Excel document that triggers an access attempt on an invalid object, as exploited in the wild in February 2009 by Trojan.Mdropper.AC. | 9.3 |
2009-02-24 | CVE-2009-0731 | Freearcadescript | Path Traversal vulnerability in Freearcadescript Free Arcade Script 1.0 Directory traversal vulnerability in pages/play.php in Free Arcade Script 1.0 allows remote attackers to include and execute arbitrary local files via a .. | 9.3 |
2009-02-26 | CVE-2009-0622 | Cisco | Remote vulnerability in Multiple Cisco ACE Products Unspecified vulnerability in Cisco ACE Application Control Engine Module for Catalyst 6500 Switches and 7600 Routers before A2(1.2) and Cisco ACE 4710 Application Control Engine Appliance before A1(8a) allows remote authenticated users to execute arbitrary operating-system commands through a command line interface (CLI). | 9.0 |
2009-02-26 | CVE-2009-0615 | Cisco | Path Traversal vulnerability in Cisco products Directory traversal vulnerability in Cisco Application Networking Manager (ANM) before 2.0 and Application Control Engine (ACE) Device Manager before A3(2.1) allows remote authenticated users to read or modify arbitrary files via unspecified vectors, related to "invalid directory permissions." | 9.0 |
2009-02-26 | CVE-2009-0614 | Cisco | Improper Authentication vulnerability in Cisco Unified Meetingplace web Conferencing 7.0(1) Unspecified vulnerability in the Web Server in Cisco Unified MeetingPlace Web Conferencing 6.0 before 6.0(517.0) (aka 6.0 MR4) and 7.0 before 7.0(2) (aka 7.0 MR1) allows remote attackers to bypass authentication and obtain administrative access via a crafted URL. | 9.0 |
2009-02-25 | CVE-2009-0505 | IBM | Security vulnerability in IBM Txseries 6.2 The CICS listener in IBM TXSeries for Multiplatforms 6.2 GA waits for a forcepurge acknowledgement from the CICS Application Server (CICSAS) after an eci response timeout, which might allow remote authenticated users to cause a denial of service (forcepurge handling delay), or have unspecified other impact, via vectors involving slow or nonexistent acknowledgement. | 9.0 |
85 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2009-02-26 | CVE-2009-0618 | Cisco | Multiple vulnerability in Cisco Application Networking Manager 1.1/1.2 Unspecified vulnerability in the Java agent in Cisco Application Networking Manager (ANM) before 2.0 Update A allows remote attackers to gain privileges, and cause a denial of service (service outage) by stopping processes, or obtain sensitive information by reading configuration files. | 8.5 |
2009-02-27 | CVE-2008-6335 | Emetrix | Path Traversal vulnerability in Emetrix Online Keyword Research Tool Directory traversal vulnerability in download.php in eMetrix Online Keyword Research Tool allows remote attackers to read arbitrary files via a .. | 7.8 |
2009-02-27 | CVE-2008-6334 | Emetrix | Path Traversal vulnerability in Emetrix Extract Website Directory traversal vulnerability in download.php in eMetrix Extract Website allows remote attackers to read arbitrary files via a .. | 7.8 |
2009-02-26 | CVE-2009-0742 | Cisco | Cryptographic Issues vulnerability in Cisco ACE 4710 and Application Control Engine Module The username command in Cisco ACE Application Control Engine Module for Catalyst 6500 Switches and 7600 Routers and Cisco ACE 4710 Application Control Engine Appliance stores a cleartext password by default, which allows context-dependent attackers to obtain sensitive information. | 7.8 |
2009-02-26 | CVE-2009-0625 | Cisco | Code Injection vulnerability in Cisco ACE 4710 and Application Control Engine Module Unspecified vulnerability in Cisco ACE Application Control Engine Module for Catalyst 6500 Switches and 7600 Routers before A2(1.2) and Cisco ACE 4710 Application Control Engine Appliance before A1(8.0) allows remote attackers to cause a denial of service (device reload) via a crafted SNMPv3 packet. | 7.8 |
2009-02-26 | CVE-2009-0623 | Cisco | Remote vulnerability in Multiple Cisco ACE Products Unspecified vulnerability in Cisco ACE Application Control Engine Module for Catalyst 6500 Switches and 7600 Routers before A2(1.3) and Cisco ACE 4710 Application Control Engine Appliance before A3(2.1) allows remote attackers to cause a denial of service (device reload) via a crafted SSH packet. | 7.8 |
2009-02-25 | CVE-2008-6288 | Interface Medien | Path Traversal vulnerability in Interface-Medien Ibase 2.0 Directory traversal vulnerability in download.php in Interface Medien ibase 2.03 and earlier allows remote attackers to read arbitrary files via a .. | 7.8 |
2009-02-25 | CVE-2008-6279 | Rakhisoftware | Information Exposure vulnerability in Rakhisoftware Shopping Cart RakhiSoftware Price Comparison Script (aka Shopping Cart) allows remote attackers to obtain sensitive information via an invalid PHPSESSID cookie, which reveals the installation path in an error message. | 7.8 |
2009-02-24 | CVE-2007-5289 | HP | Permissions, Privileges, and Access Controls vulnerability in HP Mercury Quality Center and Testdirector HP Mercury Quality Center (QC) 9.2 and earlier, and possibly TestDirector, relies on cached client-side scripts to implement "workflow" and decisions about the "capability" of a user, which allows remote attackers to execute arbitrary code via crafted use of the Open Test Architecture (OTA) API, as demonstrated by modifying (1) common.tds, (2) defects.tds, (3) manrun.tds, (4) req.tds, (5) testlab.tds, or (6) testplan.tds in %tmp%\TD_80, and then setting the file's properties to read-only. | 7.6 |
2009-02-27 | CVE-2008-6345 | CMS Maury91 | SQL Injection vulnerability in Cms.Maury91 Solarcms 0.53.8/1.0 SQL injection vulnerability in Forum.php in SolarCMS 0.53.8 and 1.0 allows remote attackers to execute arbitrary SQL commands via the cat parameter to indes.php. | 7.5 |
2009-02-27 | CVE-2008-6344 | Typo3 | SQL Injection vulnerability in Typo3 Tu-Clausthal Staff SQL injection vulnerability in the TU-Clausthal Staff (tuc_staff) 0.3.0 and earlier extension for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | 7.5 |
2009-02-27 | CVE-2008-6338 | Weber Ebusiness Typo3 | SQL Injection vulnerability in Weber-Ebusiness WES Facilities 2.0 SQL injection vulnerability in the WEBERkommunal Facilities (wes_facilities) extension 2.0 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | 7.5 |
2009-02-27 | CVE-2008-6337 | Joomlaapps Joomla | SQL Injection vulnerability in Joomlaapps COM Volunteer 2.0 SQL injection vulnerability in the Volunteer Management System (com_volunteer) module 2.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the job_id parameter in a jobshow action to index.php. | 7.5 |
2009-02-27 | CVE-2008-6332 | Simplecustomer | SQL Injection vulnerability in Simplecustomer Simple Customer 1.2 SQL injection vulnerability in login.php in Simple Customer 1.2 allows remote attackers to execute arbitrary SQL commands via the password parameter. | 7.5 |
2009-02-27 | CVE-2008-6329 | Preproject | SQL Injection vulnerability in Preproject PRE ASP JOB Board SQL injection vulnerability in Employee/login.asp in Pre ASP Job Board allows remote attackers to execute arbitrary SQL commands via the (1) Username and (2) Password parameters, as reachable from Employee/emp_login.asp. | 7.5 |
2009-02-27 | CVE-2008-6328 | Butterflymedia | SQL Injection vulnerability in Butterflymedia Butterfly Organizer 2.0.0/2.0.1 SQL injection vulnerability in view.php in Butterfly Organizer 2.0.0 and 2.0.1 allows remote attackers to execute arbitrary SQL commands via the id parameter. | 7.5 |
2009-02-27 | CVE-2008-6327 | Manzovi | SQL Injection vulnerability in Manzovi Proquiz 1.0 SQL injection vulnerability in index.php in ProQuiz 1.0 allows remote attackers to execute arbitrary SQL commands via the password parameter, a different vector than CVE-2008-6312. | 7.5 |
2009-02-27 | CVE-2008-6326 | Simplecustomer | SQL Injection vulnerability in Simplecustomer Simple Customer SQL injection vulnerability in login.php in Simple Customer as downloaded on 20081118 allows remote attackers to execute arbitrary SQL commands via the email parameter. | 7.5 |
2009-02-27 | CVE-2008-6324 | Cfmsource | SQL Injection vulnerability in Cfmsource CF Forum SQL injection vulnerability in forummessages.cfm in CF_Forum allows remote attackers to execute arbitrary SQL commands via the categorynbr parameter. | 7.5 |
2009-02-27 | CVE-2008-6323 | Cfmsource | SQL Injection vulnerability in Cfmsource CF Auction SQL injection vulnerability in forummessages.cfm in CFMSource CF_Auction allows remote attackers to execute arbitrary SQL commands via the categorynbr parameter. | 7.5 |
2009-02-27 | CVE-2008-6322 | Cfmsource | SQL Injection vulnerability in Cfmsource Cfmblog SQL injection vulnerability in index.cfm in CFMSource CFMBlog allows remote attackers to execute arbitrary SQL commands via the categorynbr parameter. | 7.5 |
2009-02-27 | CVE-2008-6320 | Cfshopkart | SQL Injection vulnerability in Cfshopkart CF Shopkart 5.2.2 SQL injection vulnerability in index.cfm in CF Shopkart 5.2.2 allows remote attackers to execute arbitrary SQL commands via the Category parameter in a ViewCategory action. | 7.5 |
2009-02-27 | CVE-2008-6319 | Cfmsource | SQL Injection vulnerability in Cfmsource CF Calendar SQL injection vulnerability in calendarevent.cfm in CF_Calendar allows remote attackers to execute arbitrary SQL commands via the calid parameter. | 7.5 |
2009-02-27 | CVE-2008-6318 | Phpmygallery | Code Injection vulnerability in PHPmygallery 1.5 PHP remote file inclusion vulnerability in _conf/_php-core/common-tpl-vars.php in PHPmyGallery 1.5 beta allows remote attackers to execute arbitrary PHP code via a URL in the admindir parameter, a different vector than CVE-2008-6317. | 7.5 |
2009-02-27 | CVE-2008-6315 | Phpmygallery | Code Injection vulnerability in PHPmygallery 1.0 PHP remote file inclusion vulnerability in _conf/core/common-tpl-vars.php in PHPmyGallery 1.0 beta2 allows remote attackers to execute arbitrary PHP code via a URL in the confdir parameter, a different issue than CVE-2008-6316. | 7.5 |
2009-02-27 | CVE-2008-6314 | Phpbb | SQL Injection vulnerability in PHPbb TAG Board SQL injection vulnerability in tag_board.php in the Tag Board module 4.0 and earlier for phpBB allows remote attackers to execute arbitrary SQL commands via the id parameter in a delete action. | 7.5 |
2009-02-27 | CVE-2008-6312 | Manzovi | SQL Injection vulnerability in Manzovi Proquiz 1.0 SQL injection vulnerability in index.php in ProQuiz 1.0 allows remote attackers to execute arbitrary SQL commands via the username parameter. | 7.5 |
2009-02-27 | CVE-2008-6311 | Butterflymedia | SQL Injection vulnerability in Butterflymedia Butterfly Organizer 2.0.1 SQL injection vulnerability in view.php in Butterfly Organizer 2.0.1 allows remote attackers to execute arbitrary SQL commands via the mytable parameter. | 7.5 |
2009-02-27 | CVE-2008-6310 | W3Matter | SQL Injection vulnerability in W3Matter Revsense 1.0 SQL injection vulnerability in index.php in W3matter RevSense 1.0 allows remote attackers to execute arbitrary SQL commands via the f[password] parameter. | 7.5 |
2009-02-27 | CVE-2008-6309 | W3Matter | SQL Injection vulnerability in W3Matter Askpert SQL injection vulnerability in index.php in W3matter AskPert allows remote attackers to execute arbitrary SQL commands via the f[password] parameter. | 7.5 |
2009-02-26 | CVE-2008-6307 | E Topbiz | Improper Authentication vulnerability in E-Topbiz Link Back Checker 1 E-topbiz Link Back Checker 1 allows remote attackers to bypass authentication and gain administrative access by setting the auth cookie to "admin." | 7.5 |
2009-02-26 | CVE-2008-6303 | Toursmanager | SQL Injection vulnerability in Toursmanager Tours Manager SQL injection vulnerability in tourview.php in ToursManager allows remote attackers to execute arbitrary SQL commands via the tourid parameter. | 7.5 |
2009-02-26 | CVE-2008-6302 | Turnkeyforms | Permissions, Privileges, and Access Controls vulnerability in Turnkeyforms Local Classifieds TurnkeyForms Local Classifieds allows remote attackers to bypass authentication and gain administrative access via a direct request to Site_Admin/admin.php. | 7.5 |
2009-02-26 | CVE-2008-6301 | Prezmo Phpbb | SQL Injection vulnerability in Prezmo Small Shoutbox 1.4 SQL injection vulnerability in shoutbox_view.php in the Small ShoutBox module 1.4 for phpBB allows remote attackers to execute arbitrary SQL commands via the id parameter in a delete action. | 7.5 |
2009-02-26 | CVE-2008-6300 | GWM | Improper Authentication vulnerability in GWM Galatolo Webmanager 1.3A Galatolo WebManager 1.3a allows remote attackers to bypass authentication and gain administrative access by setting the (1) gwm_user and (2) gwm_pass cookies to admin. | 7.5 |
2009-02-26 | CVE-2008-6296 | Maran | Permissions, Privileges, and Access Controls vulnerability in Maran PHP Shop admin.php in Maran PHP Shop allows remote attackers to bypass authentication and gain administrative access by setting the user cookie to "demo." | 7.5 |
2009-02-26 | CVE-2008-6294 | Accscripts | Permissions, Privileges, and Access Controls vulnerability in Accscripts ACC Statistics 1.1 admin/Index.php in Acc Statistics 1.1 allows remote attackers to bypass authentication and gain administrative access by setting the username_cookie cookie to "admin." | 7.5 |
2009-02-26 | CVE-2008-6293 | Accscripts | Permissions, Privileges, and Access Controls vulnerability in Accscripts ACC Real Estate 4.0 admin/Index.php in Acc Real Estate 4.0 allows remote attackers to bypass authentication and gain administrative access by setting the username_cookie to "admin." | 7.5 |
2009-02-26 | CVE-2008-6292 | Accscripts | Permissions, Privileges, and Access Controls vulnerability in Accscripts ACC Autos 4.0 Acc Autos 4.0 allows remote attackers to bypass authentication and gain administrative access by setting the (1) username_cookie to "admin," (2) right_cookie to "1," and (3) id_cookie to "1." | 7.5 |
2009-02-26 | CVE-2008-6291 | Accscripts | Permissions, Privileges, and Access Controls vulnerability in Accscripts ACC PHP Email 1.1 Acc PHP eMail 1.1 allows remote attackers to bypass authentication and gain administrative access by setting the NEWSLETTERLOGIN cookie to "admin". | 7.5 |
2009-02-26 | CVE-2008-6289 | Toursmanager | SQL Injection vulnerability in Toursmanager Tours Manager 1.0 SQL injection vulnerability in cityview.php in Tours Manager 1.0 allows remote attackers to execute arbitrary SQL commands via the cityid parameter. | 7.5 |
2009-02-25 | CVE-2008-6287 | Getmiro | Code Injection vulnerability in Getmiro Broadcast Machine 0.1 Multiple PHP remote file inclusion vulnerabilities in Broadcast Machine 0.1 allow remote attackers to execute arbitrary PHP code via a URL in the baseDir parameter to (1) MySQLController.php, (2) SQLController.php, (3) SetupController.php, (4) VideoController.php, and (5) ViewController.php in controllers/. | 7.5 |
2009-02-25 | CVE-2008-6286 | Activewebsoftwares | SQL Injection vulnerability in Activewebsoftwares Active Newsletter 4.3 Multiple SQL injection vulnerabilities in SubscriberStart.asp in Active Newsletter 4.3 allow remote attackers to execute arbitrary SQL commands via (1) the email parameter (aka username or E-mail field), or (2) the password parameter (aka password field), to (a) Subscriber.asp or (b) start.asp. | 7.5 |
2009-02-25 | CVE-2008-6285 | Businessvein | SQL Injection vulnerability in Businessvein PHP TV Portal SQL injection vulnerability in index.php in PHP TV Portal 2.0 and earlier allows remote attackers to execute arbitrary SQL commands via the mid parameter. | 7.5 |
2009-02-25 | CVE-2008-6284 | 1Scripts | SQL Injection vulnerability in 1Scripts Z1Exchange 1.0 SQL injection vulnerability in edit.php in Z1Exchange 1.0 allows remote attackers to execute arbitrary SQL commands via the site parameter. | 7.5 |
2009-02-25 | CVE-2008-6281 | Bluocms | SQL Injection vulnerability in Bluocms Bluo CMS 1.2 SQL injection vulnerability in index.php in Bluo CMS 1.2 allows remote attackers to execute arbitrary SQL commands via the id parameter. | 7.5 |
2009-02-25 | CVE-2008-6277 | Rakhisoftware | SQL Injection vulnerability in Rakhisoftware Shopping Cart SQL injection vulnerability in product.php in RakhiSoftware Price Comparison Script (aka Shopping Cart) allows remote attackers to execute arbitrary SQL commands via the subcategory_id parameter. | 7.5 |
2009-02-25 | CVE-2009-0741 | Craftsilicon | SQL Injection vulnerability in Craftsilicon Banking@Home SQL injection vulnerability in Login.asp in Craft Silicon Banking@Home 2.1 and earlier allows remote attackers to execute arbitrary SQL commands via the LoginName parameter. | 7.5 |
2009-02-25 | CVE-2009-0740 | Frankmancuso | SQL Injection vulnerability in Frankmancuso Bluebird Prerelease SQL injection vulnerability in login.php in BlueBird Prelease allows remote attackers to execute arbitrary SQL commands via the (1) username and (2) passwd parameters. | 7.5 |
2009-02-25 | CVE-2009-0739 | Frankmancuso | SQL Injection vulnerability in Frankmancuso Mynews 0.10 SQL injection vulnerability in login.php in MyNews 0.10 allows remote attackers to execute arbitrary SQL commands via the (1) username and (2) passwd parameters. | 7.5 |
2009-02-25 | CVE-2009-0738 | Frankmancuso | SQL Injection vulnerability in Frankmancuso Auth PHP 1.0 SQL injection vulnerability in login.php in Auth Php 1.0 allows remote attackers to execute arbitrary SQL commands via the (1) username and (2) passwd parameters. | 7.5 |
2009-02-25 | CVE-2008-6272 | Miticdjd | SQL Injection vulnerability in Miticdjd Apoll 0.7/0.7.5 SQL injection vulnerability in admin/index.php in Dragan Mitic Apoll 0.7 beta and 0.7.5 allows remote attackers to execute arbitrary SQL command via the pass parameter. | 7.5 |
2009-02-25 | CVE-2008-6270 | Miticdjd | SQL Injection vulnerability in Miticdjd Apoll 0.7/0.7.5 SQL injection vulnerability in admin/index.php in Dragan Mitic Apoll 0.7 beta and 0.7.5 allows remote attackers to execute arbitrary SQL command via the user parameter. | 7.5 |
2009-02-25 | CVE-2008-6269 | Joovili | Improper Authentication vulnerability in Joovili 3.1.4 Joovili 3.1.4 allows remote attackers to bypass authentication and gain privileges as other users, including the administrator, by setting the (1) session_id, session_logged_in, and session_username cookies for user privileges; (2) session_admin_id, session_admin_username, and session_admin cookies for admin privileges; and (3) session_staff_id, session_staff_username, and session_staff cookies for staff users. | 7.5 |
2009-02-25 | CVE-2008-6268 | Sadi Samami | SQL Injection vulnerability in Sadi Samami Multi Languages Webshop Online 1.02 SQL injection vulnerability in detail.php in WEBBDOMAIN Multi Languages WebShop Online 1.02 allows remote attackers to execute arbitrary SQL commands via the id parameter. | 7.5 |
2009-02-25 | CVE-2008-6266 | Appstate | SQL Injection vulnerability in Appstate PHPwebsite SQL injection vulnerability in links.php in Appalachian State University phpWebSite allows remote attackers to execute arbitrary SQL commands via the cid parameter in a viewlink action. | 7.5 |
2009-02-24 | CVE-2009-0728 | Maxdev Postnuke | SQL Injection vulnerability in Maxdev MY Egallery SQL injection vulnerability in the My_eGallery module for MAXdev MDPro (MD-Pro) and Postnuke allows remote attackers to execute arbitrary SQL commands via the pid parameter in a showpic action to index.php. | 7.5 |
2009-02-24 | CVE-2009-0727 | Tony IHA Kazungu | SQL Injection vulnerability in Tony IHA Kazungu Taifajobs SQL injection vulnerability in jobdetails.php in taifajobs 1.0 and earlier allows remote attackers to execute arbitrary SQL commands via the jobid parameter. | 7.5 |
2009-02-24 | CVE-2009-0726 | Gigcalendar Joomla Mambo | SQL Injection vulnerability in Gigcalendar COM Gigcalendar 1.0 SQL injection vulnerability in the GigCalendar (com_gigcal) component 1.0 for Mambo and Joomla! allows remote attackers to execute arbitrary SQL commands via the gigcal_gigs_id parameter in a details action to index.php. | 7.5 |
2009-02-24 | CVE-2009-0722 | Potato Scripts | Path Traversal vulnerability in Potato-Scripts Potato News 1.0.0 Directory traversal vulnerability in admin.php in Potato News 1.0.0 allows remote attackers to include and execute arbitrary files via a .. | 7.5 |
2009-02-24 | CVE-2008-6264 | E Topbiz | SQL Injection vulnerability in E-Topbiz Slide Popups 1.0 SQL injection vulnerability in admin/admin.php in E-topbiz Slide Popups 1.0 allows remote attackers to execute arbitrary SQL commands via the password parameter. | 7.5 |
2009-02-24 | CVE-2008-6263 | Infireal | SQL Injection vulnerability in Infireal Saturncms SQL injection vulnerability in lib/user/t_user.php in SaturnCMS allows remote attackers to execute arbitrary SQL commands via the username parameter to the _userLoggedIn function. | 7.5 |
2009-02-24 | CVE-2008-6262 | Infireal | SQL Injection vulnerability in Infireal Saturncms SQL injection vulnerability in lib/url/meta_url.php in SaturnCMS allows remote attackers to execute arbitrary SQL commands via the URL to the translate function. | 7.5 |
2009-02-24 | CVE-2008-6261 | E Topbiz | SQL Injection vulnerability in E-Topbiz Admanager 4.0 SQL injection vulnerability in view.php in E-topbiz AdManager 4 allows remote attackers to execute arbitrary SQL commands via the group parameter. | 7.5 |
2009-02-24 | CVE-2008-6260 | Ultrastats | SQL Injection vulnerability in Ultrastats 0.2.144/0.3.11 SQL injection vulnerability in index.php in Ultrastats 0.2.144 and 0.3.11 allows remote attackers to execute arbitrary SQL commands via the serverid parameter. | 7.5 |
2009-02-24 | CVE-2008-6258 | Quadcomm | SQL Injection vulnerability in Quadcomm Q-Shop 3.0 SQL injection vulnerability in users.asp in QuadComm Q-Shop 3.0, and possibly earlier, allows remote attackers to execute arbitrary SQL commands via the (1) UserID and (2) Pwd parameters. | 7.5 |
2009-02-24 | CVE-2008-6257 | Openasp | SQL Injection vulnerability in Openasp 3.0 SQL injection vulnerability in default.asp in Openasp 3.0 and earlier allows remote attackers to execute arbitrary SQL commands via the idpage parameter in the pages module. | 7.5 |
2009-02-24 | CVE-2008-6254 | Jadu | SQL Injection vulnerability in Jadu Galaxies SQL injection vulnerability in scripts/documents.php in Jadu Galaxies allows remote attackers to execute arbitrary SQL commands via the categoryID parameter. | 7.5 |
2009-02-23 | CVE-2008-6249 | GWM | SQL Injection vulnerability in GWM Galatolo Webmanager SQL injection vulnerability in plugins/users/index.php in Galatolo WebManager 1.3a and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter. | 7.5 |
2009-02-23 | CVE-2008-6247 | Scripts FOR Sites | SQL Injection vulnerability in Scripts-For-Sites EZ TOP Sites SQL injection vulnerability in topsite.php in Scripts For Sites (SFS) EZ Top Sites allows remote attackers to execute arbitrary SQL commands via the ts parameter. | 7.5 |
2009-02-23 | CVE-2008-6246 | Scripts FOR Sites | SQL Injection vulnerability in Scripts-For-Sites EZ Webring SQL injection vulnerability in category.php in Scripts For Sites (SFS) EZ Webring allows remote attackers to execute arbitrary SQL commands via the cat parameter. | 7.5 |
2009-02-23 | CVE-2008-6245 | Scripts FOR Sites | SQL Injection vulnerability in Scripts-For-Sites EZ BIZ PRO SQL injection vulnerability in track.php in Scripts For Sites (SFS) EZ BIZ PRO allows remote attackers to execute arbitrary SQL commands via the id parameter. | 7.5 |
2009-02-23 | CVE-2008-6244 | Scripts FOR Sites | SQL Injection vulnerability in Scripts-For-Sites EZ Gaming Cheats SQL injection vulnerability in view_reviews.php in Scripts for Sites (SFS) EZ Gaming Cheats allows remote attackers to execute arbitrary SQL commands via the id parameter. | 7.5 |
2009-02-23 | CVE-2008-6243 | Scripts FOR Sites | SQL Injection vulnerability in Scripts FOR Sites EZ Hotscripts-Likesite SQL injection vulnerability in showcategory.php in Scripts For Sites (SFS) Hotscripts-like Site allows remote attackers to execute arbitrary SQL commands via the cid parameter. | 7.5 |
2009-02-23 | CVE-2008-6242 | Scripts FOR Sites | SQL Injection vulnerability in Scripts-For-Sites EZ E-Store SQL injection vulnerability in SearchResults.php in Scripts For Sites (SFS) EZ e-store allows remote attackers to execute arbitrary SQL commands via the where parameter. | 7.5 |
2009-02-23 | CVE-2009-0709 | Vlad Alexa Mancini | SQL Injection vulnerability in Vlad Alexa Mancini PHPfootball 1.6 SQL injection vulnerability in login.php in PHPFootball 1.6 allows remote attackers to execute arbitrary SQL commands via the user parameter. | 7.5 |
2009-02-23 | CVE-2009-0707 | Powerscripts | SQL Injection vulnerability in Powerscripts Powerclan 1.14A SQL injection vulnerability in admin/index.php in PowerClan 1.14a allows remote attackers to execute arbitrary SQL commands via the loginemail parameter (aka login field). | 7.5 |
2009-02-23 | CVE-2009-0706 | Simple Review Joomla Mambo | SQL Injection vulnerability in Simple-Review COM Simple Review 1.3.5 SQL injection vulnerability in the Simple Review (com_simple_review) component 1.3.5 for Joomla! and Mambo allows remote attackers to execute arbitrary SQL commands via the category parameter to index.php. | 7.5 |
2009-02-23 | CVE-2009-0704 | Webmastersite | SQL Injection vulnerability in Webmastersite WSN Guest 1.23 SQL injection vulnerability in search.php in WSN Guest 1.23 allows remote attackers to execute arbitrary SQL commands via the search parameter in an advanced action. | 7.5 |
2009-02-23 | CVE-2009-0703 | Aspthai NET | SQL Injection vulnerability in Aspthai.Net Webboard 6.0 SQL injection vulnerability in bview.asp in ASPThai.Net Webboard 6.0 allows remote attackers to execute arbitrary SQL commands via the id parameter. | 7.5 |
2009-02-23 | CVE-2009-0702 | Joomla Phoca | SQL Injection vulnerability in Phoca COM Phocadocumentation SQL injection vulnerability in the Phoca Documentation (com_phocadocumentation) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a section action to index.php. | 7.5 |
2009-02-23 | CVE-2009-0698 | Xine | Numeric Errors vulnerability in Xine Xine-Lib 1.1.16.1 Integer overflow in the 4xm demuxer (demuxers/demux_4xm.c) in xine-lib 1.1.16.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a 4X movie file with a large current_track value, a similar issue to CVE-2009-0385. | 7.5 |
2009-02-23 | CVE-2008-6237 | Scripts FOR Sites | SQL Injection vulnerability in Scripts-For-Sites Hotscripts-Like Site SQL injection vulnerability in software-description.php in Scripts For Sites (SFS) Hotscripts-like Site allows remote attackers to execute arbitrary SQL commands via the id parameter. | 7.5 |
2009-02-24 | CVE-2008-6252 | Smcfancontrol | Buffer Errors vulnerability in Smcfancontrol 2.1.2 Stack-based buffer overflow in the smc program in smcFanControl 2.1.2 allows local users to execute arbitrary code and gain privileges via a long -k option. | 7.2 |
2009-02-24 | CVE-2009-0439 | IBM | Permissions, Privileges, and Access Controls vulnerability in IBM Websphere MQ Unspecified vulnerability in the queue manager in IBM WebSphere MQ (WMQ) 5.3, 6.0 before 6.0.2.6, and 7.0 before 7.0.0.2 allows local users to gain privileges via vectors related to the (1) setmqaut, (2) dmpmqaut, and (3) dspmqaut authorization commands. | 7.2 |
65 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2009-02-27 | CVE-2008-6333 | Matthew General | SQL Injection vulnerability in Matthew General RSS Simple News SQL injection vulnerability in news.php in RSS Simple News (RSSSN), when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the pid parameter. | 6.8 |
2009-02-27 | CVE-2008-6317 | Phpmygallery | Path Traversal vulnerability in PHPmygallery 1.5 Directory traversal vulnerability in _conf/_php-core/common-tpl-vars.php in PHPmyGallery 1.5 beta allows remote attackers to include and execute arbitrary local files via a .. | 6.8 |
2009-02-27 | CVE-2008-6316 | Phpmygallery | Path Traversal vulnerability in PHPmygallery 1.0 Directory traversal vulnerability in _conf/core/common-tpl-vars.php in PHPmyGallery 1.0 beta2 allows remote attackers to include and execute arbitrary local files via a .. | 6.8 |
2009-02-27 | CVE-2008-6313 | Phpaddedit | Path Traversal vulnerability in PHPaddedit 1.3 Directory traversal vulnerability in addedit-render.php in phpAddEdit 1.3, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via a URL in the editform parameter. | 6.8 |
2009-02-26 | CVE-2008-6305 | Freedirectoryscript | Code Injection vulnerability in Freedirectoryscript Free Directory Script 1.1.1 PHP remote file inclusion vulnerability in init.php in Free Directory Script 1.1.1, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the API_HOME_DIR parameter. | 6.8 |
2009-02-26 | CVE-2009-0624 | Cisco | Remote vulnerability in Multiple Cisco ACE Products Unspecified vulnerability in the SNMPv2c implementation in Cisco ACE Application Control Engine Module for Catalyst 6500 Switches and 7600 Routers before A2(1.3) and Cisco ACE 4710 Application Control Engine Appliance before A3(2.1) allows remote attackers to cause a denial of service (device reload) via a crafted SNMPv1 packet. | 6.8 |
2009-02-26 | CVE-2008-6290 | Niclor | Path Traversal vulnerability in Niclor Include Sito Directory traversal vulnerability in includefile.php in nicLOR Sito, when register_globals is enabled or magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary files via a .. | 6.8 |
2009-02-26 | CVE-2008-5263 | Dmitry Baryshev | Buffer Errors vulnerability in Dmitry Baryshev Ksquirrel-Libs 0.8.0 Multiple stack-based buffer overflows in the mt_codec::getHdrHead function in kernel/kls_hdr/fmt_codec_hdr.cpp in ksquirrel-libs 0.8.0 allow context-dependent attackers to execute arbitrary code via a crafted Radiance RGBE image (aka .hdr file). | 6.8 |
2009-02-25 | CVE-2008-6274 | Mjcreation | SQL Injection vulnerability in Mjcreation Familyproject 2.0 Multiple SQL injection vulnerabilities in index.php in FamilyProject 2.0 allow remote attackers to execute arbitrary SQL commands via (1) the logmbr parameter (aka login field) or (2) the mdpmbr parameter (aka pass or "Mot de passe" field). | 6.8 |
2009-02-25 | CVE-2008-6271 | Tbmnet | Path Traversal vulnerability in Tbmnet Tbmnetcms 1.0 Directory traversal vulnerability in index.php in TBmnetCMS 1.0, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. | 6.8 |
2009-02-24 | CVE-2009-0730 | Gigcalendar Joomla Mambo | SQL Injection vulnerability in Gigcalendar COM Gigcalendar 1.0 Multiple SQL injection vulnerabilities in the GigCalendar (com_gigcal) component 1.0 for Mambo and Joomla!, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via (1) the gigcal _venues_id parameter in a details action to index.php, which is not properly handled by venuedetails.php, and (2) the gigcal_bands_id parameter in a details action to index.php, which is not properly handled by banddetails.php, different vectors than CVE-2009-0726. | 6.8 |
2009-02-24 | CVE-2009-0729 | Lingx | Path Traversal vulnerability in Lingx Page Engine CMS 2.0 Multiple directory traversal vulnerabilities in Page Engine CMS 2.0 Basic and Pro allow remote attackers to include and execute arbitrary local files via directory traversal sequences in the fPrefix parameter to (1) modules/recent_poll_include.php, (2) modules/login_include.php, and (3) modules/statistics_include.php and (4) configuration.inc.php in includes/. | 6.8 |
2009-02-24 | CVE-2008-6265 | Cyberfolio | Path Traversal vulnerability in Cyberfolio Directory traversal vulnerability in portfolio/css.php in Cyberfolio 7.12.2 and earlier allows remote attackers to include and execute arbitrary local files via a .. | 6.8 |
2009-02-24 | CVE-2008-6253 | Pluck CMS | Path Traversal vulnerability in Pluck-Cms Pluck 4.5.3 Directory traversal vulnerability in data/inc/lib/pcltar.lib.php in Pluck 4.5.3, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the g_pcltar_lib_dir parameter. | 6.8 |
2009-02-24 | CVE-2008-6251 | Scripts | Code Injection vulnerability in Scripts PHPfan 3.3.4 PHP remote file inclusion vulnerability in includes/init.php in phpFan 3.3.4 allows remote attackers to execute arbitrary PHP code via a URL in the includepath parameter. | 6.8 |
2009-02-23 | CVE-2008-6250 | Comdev | SQL Injection vulnerability in Comdev web Blogger 4.1 SQL injection vulnerability in Comdev Web Blogger 4.1.3 and earlier allows remote attackers to execute arbitrary SQL commands via the arcmonth parameter to a blog page. | 6.8 |
2009-02-23 | CVE-2009-0708 | Semanticscuttle | Cross-Site Request Forgery (CSRF) vulnerability in Semanticscuttle Multiple cross-site request forgery (CSRF) vulnerabilities in SemanticScuttle before 0.91 allow remote attackers to (1) hijack the authentication of administrators via unknown vectors or (2) hijack the authentication of arbitrary users via vectors involving the profile page. | 6.8 |
2009-02-23 | CVE-2009-0705 | Powerscripts | SQL Injection vulnerability in Powerscripts Powernews 2.5.4 SQL injection vulnerability in news.php in PowerScripts PowerNews 2.5.4, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the newsid parameter. | 6.8 |
2009-02-23 | CVE-2009-0701 | Cybershade | Code Injection vulnerability in Cybershade Cybershadecms 0.2B Multiple PHP remote file inclusion vulnerabilities in index.php in Cybershade CMS 0.2b, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the (1) THEME_header and (2) THEME_footer parameters. | 6.8 |
2009-02-23 | CVE-2008-6241 | China ON Site | SQL Injection vulnerability in China-On-Site Flexphpsite 0.0.1/0.0.7 Multiple SQL injection vulnerabilities in admin/usercheck.php in FlexPHPSite 0.0.1 and 0.0.7, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via (1) the checkuser parameter (aka username field), or (2) the checkpass parameter (aka password field), to admin/index.php. | 6.8 |
2009-02-23 | CVE-2008-6239 | Openedit | Cross-Site Request Forgery (CSRF) vulnerability in Openedit Digital Asset Management Cross-site request forgery (CSRF) vulnerability in OpenEdit Digital Asset Management (DAM) before 5.2014 allows remote attackers to perform unspecified actions as arbitrary users via unknown vectors. | 6.8 |
2009-02-27 | CVE-2008-6330 | Jaia Interactive | SQL Injection vulnerability in Jaia Interactive Mytopix 1.2.3 SQL injection vulnerability in index.php in MyTopix 1.3.0 and earlier allows remote authenticated users to execute arbitrary SQL commands via the send parameter in a notes action. | 6.5 |
2009-02-25 | CVE-2008-6282 | Ortus Nirn | SQL Injection vulnerability in Ortus.Nirn CMS Ortus 1.10.1/1.11/1.12 SQL injection vulnerability in engine/users/users_edit_pub.inc in CMS Ortus 1.13 and earlier allows remote authenticated users to execute arbitrary SQL commands via the city parameter in a users_edit_pub action to index.php. | 6.5 |
2009-02-25 | CVE-2008-6276 | Drupal Joomla | SQL Injection vulnerability in Drupal User Karma Module Multiple SQL injection vulnerabilities in the User Karma module 5.x before 5.x-1.13 and 6.x before 6.x-1.0-beta1, a module for Drupal, allow remote authenticated administrators to execute arbitrary SQL commands via (1) a content type or (2) a voting API value. | 6.5 |
2009-02-24 | CVE-2008-6256 | Vbulletin | SQL Injection vulnerability in Vbulletin 3.7.3 SQL injection vulnerability in admincp/admincalendar.php in vBulletin 3.7.3.pl1 allows remote authenticated administrators to execute arbitrary SQL commands via the holidayinfo[recurring] parameter, a different vector than CVE-2005-3022. | 6.5 |
2009-02-24 | CVE-2008-6255 | Vbulletin | SQL Injection vulnerability in Vbulletin 3.7.4 Multiple SQL injection vulnerabilities in vBulletin 3.7.4 allow remote authenticated administrators to execute arbitrary SQL commands via the (1) answer parameter to admincp/verify.php, (2) extension parameter in an edit action to admincp/attachmentpermission.php, and the (3) iperm parameter to admincp/image.php. | 6.5 |
2009-02-25 | CVE-2009-0506 | IBM | Local vulnerability in IBM WebSphere Application z/OS CSLv2 Identity Assertion Unspecified vulnerability in IBM WebSphere Application Server (WAS) 5.1 and 6.0.2 before 6.0.2.33 on z/OS, when CSIv2 Identity Assertion is enabled and Enterprise JavaBeans (EJB) interaction occurs between a WAS 6.1 instance and a WAS pre-6.1 instance, allows local users to have an unknown impact via vectors related to (1) use of the wrong subject and (2) multiple CBIND checks. | 6.2 |
2009-02-27 | CVE-2008-6331 | Streber PM | Cross-Site Request Forgery (CSRF) vulnerability in Streber-Pm Streber Multiple cross-site request forgery (CSRF) vulnerabilities in Streber before 0.08093 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors. | 6.0 |
2009-02-25 | CVE-2008-6273 | Myktools | Path Traversal vulnerability in Myktools 3.0 Directory traversal vulnerability in configuration_script.php in MyKtools 3.0 allows remote authenticated administrators to include and execute arbitrary local files via a .. | 6.0 |
2009-02-26 | CVE-2009-0114 | Adobe Microsoft | Remote Security vulnerability in Flash Player Unspecified vulnerability in the Settings Manager in Adobe Flash Player 9.x before 9.0.159.0 and 10.x before 10.0.22.87, and possibly other versions, allows remote attackers to trick a user into visiting an arbitrary URL via unknown vectors, related to "a potential Clickjacking issue variant." | 5.8 |
2009-02-27 | CVE-2008-6308 | Punbb | Path Traversal vulnerability in Punbb Private Messaging System 1.2.0/1.2.1/1.2.2 Multiple directory traversal vulnerabilities in Private Messaging System (PMS) 1.2.3 and earlier for PunBB allow remote attackers to include and execute arbitrary files via a .. | 5.1 |
2009-02-25 | CVE-2009-0735 | Papoo | Path Traversal vulnerability in Papoo 3.6 Directory traversal vulnerability in lib/classes/message_class.php in Papoo CMS 3.6, when register_globals is enabled and magic_quotes_gpc is disabled, allows remote attackers to read and possibly execute arbitrary files via a .. | 5.1 |
2009-02-27 | CVE-2009-0744 | Apple | Improper Input Validation vulnerability in Apple Safari 4.0 Apple Safari 4 Beta build 528.16 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a feeds: URI beginning with a (1) % (percent), (2) { (open curly bracket), (3) } (close curly bracket), (4) ^ (caret), (5) ` (backquote), or (6) | (pipe) character, followed by an & (ampersand) character. | 5.0 |
2009-02-27 | CVE-2008-6342 | Lobacher Patrick Typo3 | Information Exposure vulnerability in Lobacher Patrick Simplefilebrowser 1.0.0/1.0.1 Unspecified vulnerability in the TYPO3 Simple File Browser (simplefilebrowser) extension 1.0.2 and earlier allows remote attackers to obtain sensitive information via unknown attack vectors. | 5.0 |
2009-02-27 | CVE-2008-6321 | Cfshopkart | Permissions, Privileges, and Access Controls vulnerability in Cfshopkart CF Shopkart 5.2.2 CF Shopkart 5.2.2 stores cfshopkart52.mdb under the web root with insufficient access control, which allows remote attackers to obtain sensitive information, such as usernames and passwords, via a direct request. | 5.0 |
2009-02-26 | CVE-2008-6298 | Rocketeer DIP | Improper Input Validation vulnerability in Rocketeer.Dip Sisapilocation 1.0.1.3/1.0.1.4 Unspecified vulnerability in sISAPILocation before 1.0.2.2 allows remote attackers to bypass intended access restrictions for character encoding and the cookie secure flag via unknown vectors related to the "HTTP header rewrite function." | 5.0 |
2009-02-24 | CVE-2009-0732 | Lingx | Permissions, Privileges, and Access Controls vulnerability in Lingx Downloadcenter 2.1 Downloadcenter 2.1 stores common.h under the web root with insufficient access control, which allows remote attackers to obtain user credentials and other sensitive information via a direct request. | 5.0 |
2009-02-23 | CVE-2009-0711 | Vlad Alexa Mancini | Information Exposure vulnerability in Vlad Alexa Mancini PHPfootball 1.5/1.6 filter.php in PHPFootball 1.6 and earlier allows remote attackers to retrieve password hashes via a request with an Accounts value for the dbtable parameter, in conjunction with a Password value for the dbfield parameter. | 5.0 |
2009-02-27 | CVE-2008-6346 | Dennis Royer Typo3 | Cross-Site Scripting vulnerability in Dennis Royer DR Wiki Cross-site scripting (XSS) vulnerability in the DR Wiki (dr_wiki) extension 1.7.1 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2009-02-27 | CVE-2008-6343 | Typo3 | Cross-Site Scripting vulnerability in Typo3 Tu-Clausthal Odin Cross-site scripting (XSS) vulnerability in the TU-Clausthal ODIN (tuc_odin) extension 0.0.1, 0.1.0, 0.1.1, and 0.2.0 for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2009-02-27 | CVE-2008-6341 | Typo3 | Cross-Site Scripting vulnerability in Typo3 SB Universal Plugin Cross-site scripting (XSS) vulnerability in the SB Universal Plugin (SBuniplug) extension 2.0.1 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2009-02-27 | CVE-2008-6340 | Mathieu Vidal Typo3 | Cross-Site Scripting vulnerability in Mathieu Vidal MV VOX Populi 0.1.0/0.2.0 Cross-site scripting (XSS) vulnerability in the Vox populi (mv_vox_populi) extension 0.3.0 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2009-02-27 | CVE-2008-6336 | Rightscripts | Path Traversal vulnerability in Rightscripts Text Lines Rearrange Script 1.0 Directory traversal vulnerability in download.php in Text Lines Rearrange Script 1.0, when register_globals is enabled, allows remote attackers to read arbitrary local files via directory traversal sequences in the filename parameter. | 4.3 |
2009-02-27 | CVE-2008-6325 | Softbizscripts | Cross-Site Scripting vulnerability in Softbizscripts Classifieds Script Multiple cross-site scripting (XSS) vulnerabilities in Softbiz Classifieds Script allow remote attackers to inject arbitrary web script or HTML via the (1) radio parameter to showcategory.php, (2) msg parameter to advertisers/signinform.php, (3) radio parameter to gallery.php, (4) msg parameter to lostpassword.php, (5) radio parameter to showcategory.php, (6) msg parameter to admin/adminhome.php, and (7) msg parameter to admin/index.php. | 4.3 |
2009-02-26 | CVE-2008-6306 | Softbizscripts | Cross-Site Scripting vulnerability in Softbizscripts Classifieds Script Cross-site scripting (XSS) vulnerability in signinform.php in Softbiz Classifieds Script allows remote attackers to inject arbitrary web script or HTML via the msg parameter. | 4.3 |
2009-02-26 | CVE-2009-0524 | Adobe | Cross-Site Scripting vulnerability in Adobe Robohelp and Robohelp Server Cross-site scripting (XSS) vulnerability in Adobe RoboHelp 6 and 7, and RoboHelp Server 6 and 7, allows remote attackers to inject arbitrary web script or HTML via vectors involving files produced by RoboHelp. | 4.3 |
2009-02-26 | CVE-2009-0523 | Adobe | Cross-Site Scripting vulnerability in Adobe Robohelp and Robohelp Server Cross-site scripting (XSS) vulnerability in Adobe RoboHelp Server 6 and 7 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, which is not properly handled when displaying the Help Errors log. | 4.3 |
2009-02-26 | CVE-2009-0522 | Adobe Microsoft | Remote Security vulnerability in Flash Player Adobe Flash Player 9.x before 9.0.159.0 and 10.x before 10.0.22.87 on Windows allows remote attackers to trick a user into visiting an arbitrary URL via an unspecified manipulation of the "mouse pointer display," related to a "Clickjacking attack." Per: http://www.adobe.com/support/security/bulletins/apsb09-01.html "This update resolves a Windows-only issue with mouse pointer display that could potentially contribute to a Clickjacking attack. | 4.3 |
2009-02-26 | CVE-2008-6297 | Dhcart | Cross-Site Scripting vulnerability in Dhcart 3.84 Cross-site scripting (XSS) vulnerability in order.php in DHCart allows remote attackers to inject arbitrary web script or HTML via the (1) domain and (2) d1 parameters. | 4.3 |
2009-02-26 | CVE-2008-6295 | Camera Life | Cross-Site Scripting vulnerability in Camera Life Camera Life 2.6.2B8 Multiple cross-site scripting (XSS) vulnerabilities in Camera Life 2.6.2b8 allow remote attackers to inject arbitrary web script or HTML via the q parameter to (1) search.php and (2) rss.php; the query string after the image name in (3) photos/photo; the path parameter to (4) folder.php; page parameter and REQUEST_URI to (5) login.php; ver parameter to (6) media.php; theme parameter to (7) modules/iconset/iconset-debug.php; and the REQUEST_URI to (8) index.php. | 4.3 |
2009-02-25 | CVE-2008-6283 | Subtextproject | Cross-Site Scripting vulnerability in Subtextproject Subtext 2.0 Cross-site scripting (XSS) vulnerability in Subtext 2.0 allows remote attackers to inject arbitrary web script or HTML via a comment, related to "the feature which converts URLs to anchor tags." | 4.3 |
2009-02-25 | CVE-2008-6280 | Cisco | Cross-Site Scripting vulnerability in Cisco Wrt160N Cross-site scripting (XSS) vulnerability in apply.cgi on the Linksys WRT160N allows remote attackers to inject arbitrary web script or HTML via the action parameter in a DHCP_Static operation. | 4.3 |
2009-02-25 | CVE-2008-6278 | Rakhisoftware | Cross-Site Scripting vulnerability in Rakhisoftware Shopping Cart Multiple cross-site scripting (XSS) vulnerabilities in product.php in RakhiSoftware Price Comparison Script (aka Shopping Cart) allow remote attackers to inject arbitrary web script or HTML via the (1) category_id and (2) subcategory_id parameters. | 4.3 |
2009-02-25 | CVE-2008-6275 | Drupal Joomla | Cross-Site Scripting vulnerability in Drupal User Karma Module Cross-site scripting (XSS) vulnerability in the User Karma module 5.x before 5.x-1.13 and 6.x before 6.x-1.0-beta1, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified messages. | 4.3 |
2009-02-25 | CVE-2009-0736 | Simon Brown | Cross-Site Scripting vulnerability in Simon Brown Pebble Cross-site scripting (XSS) vulnerability in Pebble before 2.3.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2009-02-25 | CVE-2009-0541 | Magentocommerc | Cross-Site Scripting vulnerability in Magentocommerc Magento 1.2.0/1.2.1.1 Multiple cross-site scripting (XSS) vulnerabilities in Magento 1.2.0 and 1.2.1.1 allow remote attackers to inject arbitrary web script or HTML via (1) the username field in an admin/ request to index.php, possibly related to the login[username] parameter and the app/code/core/Mage/Admin/Model/Session.php login function; (2) the email address field in an admin/index/forgotpassword/ request to index.php, possibly related to the email parameter and the app/code/core/Mage/Adminhtml/controllers/IndexController.php forgotpasswordAction function; or (3) the return parameter to the default URI under downloader/. | 4.3 |
2009-02-25 | CVE-2009-0540 | Insightinformatics | Cross-Site Scripting vulnerability in Insightinformatics Libero 5.3 Cross-site scripting (XSS) vulnerability in Libero 5.3 SP5, and possibly other versions before 5.5 SP1, allows remote attackers to inject arbitrary web script or HTML via the search term field. | 4.3 |
2009-02-25 | CVE-2008-6267 | Sadi Samami | Cross-Site Scripting vulnerability in Sadi Samami Multi Languages Webshop Online 1.02 Cross-site scripting (XSS) vulnerability in detail.php in Multi Languages WebShop Online 1.02 allows remote attackers to inject arbitrary web script or HTML via the name parameter. | 4.3 |
2009-02-24 | CVE-2008-6259 | Quadcomm | Cross-Site Scripting vulnerability in Quadcomm Q-Shop Cross-site scripting (XSS) vulnerability in search.asp in QuadComm Q-Shop 3.0, and possibly earlier, allows remote attackers to inject arbitrary web script or HTML via the srkeys parameter. | 4.3 |
2009-02-23 | CVE-2008-6248 | Galatolo | Cross-Site Scripting vulnerability in Galatolo Webmanager 1.3A Cross-site scripting (XSS) vulnerability in all.php in Galatolo WebManager 1.3a and earlier allows remote attackers to inject arbitrary web script or HTML via the tag parameter. | 4.3 |
2009-02-23 | CVE-2009-0710 | Vlad Alexa Mancini | Cross-Site Scripting vulnerability in Vlad Alexa Mancini PHPfootball 1.6 Multiple cross-site scripting (XSS) vulnerabilities in PHPFootball 1.6 allow remote attackers to inject arbitrary web script or HTML via (1) the user parameter to login.php or (2) the dbfield parameter to filter.php. | 4.3 |
2009-02-23 | CVE-2008-6240 | Openedit | Cross-Site Scripting vulnerability in Openedit Digital Asset Management Cross-site scripting (XSS) vulnerability in data/views/index.html in OpenEdit Digital Asset Management (DAM) before 5.2014 allows remote attackers to inject arbitrary web script or HTML via the catalogid parameter. | 4.3 |
2009-02-23 | CVE-2008-6238 | Openedit | Cross-Site Scripting vulnerability in Openedit Digital Asset Management Cross-site scripting (XSS) vulnerability in archive/savedqueries/savequeryfinish.html in OpenEdit Digital Asset Management (DAM) before 5.2014 allows remote attackers to inject arbitrary web script or HTML via the name parameter. | 4.3 |
2009-02-26 | CVE-2009-0507 | IBM | Configuration vulnerability in IBM Websphere Process Server 6.1.2/6.1.2.1 IBM WebSphere Process Server (WPS) 6.1.2 before 6.1.2.3 and 6.2 before 6.2.0.1 does not properly restrict configuration data during an export of the cluster configuration file from the administrative console, which allows remote authenticated users to obtain the (1) JMSAPI, (2) ESCALATION, and (3) MAILSESSION (aka mail session) cleartext passwords via vectors involving access to a cluster member. | 4.0 |
2009-02-23 | CVE-2009-0700 | Plunet | Permissions, Privileges, and Access Controls vulnerability in Plunet Business Manager Plunet BusinessManager 4.1 and earlier allows remote authenticated users to bypass access restrictions and (1) read sensitive Customer or Order data via a modified Pfad parameter to pagesUTF8/Sys_DirAnzeige.jsp, or (2) list sensitive Jobs via a direct request to pagesUTF8/auftrag_job.jsp. | 4.0 |
5 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2009-02-27 | CVE-2009-0743 | Cisco | Cross-Site Scripting vulnerability in Cisco Unified Meetingplace 6.0/7.0 Cross-site scripting (XSS) vulnerability in the edit account page in the Web Server in Cisco Unified MeetingPlace Web Conferencing 6.0 before 6.0(517.0) (aka 6.0 MR4) and 7.0 before 7.0(2) (aka 7.0 MR1) allows remote authenticated users to inject arbitrary web script or HTML via the E-mail Address field. | 3.5 |
2009-02-26 | CVE-2008-6299 | Joomla | Cross-Site Scripting vulnerability in Joomla Multiple cross-site scripting (XSS) vulnerabilities in Joomla! 1.5.7 and earlier allow remote authenticated users with certain privileges to inject arbitrary web script or HTML via (1) the title and description parameters to the com_weblinks module and (2) unspecified vectors in the com_content module related to "article submission." | 3.5 |
2009-02-23 | CVE-2009-0699 | Plunet | Cross-Site Scripting vulnerability in Plunet Business Manager Cross-site scripting (XSS) vulnerability in pagesUTF8/auftrag_allgemeinauftrag.jsp in Plunet BusinessManager 4.1 and earlier allows remote authenticated users to inject arbitrary web script or HTML via the (1) QUB and (2) Bez74 parameters. | 3.5 |
2009-02-25 | CVE-2009-0737 | Mediawiki | Cross-Site Scripting vulnerability in Mediawiki Multiple cross-site scripting (XSS) vulnerabilities in the web-based installer (config/index.php) in MediaWiki 1.6 before 1.6.12, 1.12 before 1.12.4, and 1.13 before 1.13.4, when the installer is in active use, allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 2.6 |
2009-02-27 | CVE-2009-0028 | Linux | Permissions, Privileges, and Access Controls vulnerability in Linux Kernel The clone system call in the Linux kernel 2.6.28 and earlier allows local users to send arbitrary signals to a parent process from an unprivileged child process by launching an additional child process with the CLONE_PARENT flag, and then letting this new process exit. | 2.1 |