Weekly Vulnerabilities Reports > March 2 to 8, 2009
Overview
159 new vulnerabilities reported during this period, including 14 critical vulnerabilities and 64 high severity vulnerabilities. This weekly summary report vulnerabilities in 156 products from 128 vendors including Mozilla, Ocean12Tech, Bookelves, Drupal, and Brian Wilson. Vulnerabilities are notably categorized as "SQL Injection", "Cross-site Scripting", "Permissions, Privileges, and Access Controls", "Code Injection", and "Resource Management Errors".
- 149 reported vulnerabilities are remotely exploitables.
- 80 reported vulnerabilities have public exploit available.
- 83 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 148 reported vulnerabilities are exploitable by an anonymous user.
- Mozilla has the most reported vulnerabilities, with 7 reported vulnerabilities.
- Mozilla has the most reported critical vulnerabilities, with 4 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
14 Critical Vulnerabilities
| DATE | CVE | VENDOR | VULNERABILITY | CVSS |
|---|---|---|---|---|
| 2009-03-06 | CVE-2008-6415 | Youngzsoft | Buffer Errors vulnerability in Youngzsoft Ccproxy 6.5 Buffer overflow in YoungZSoft CCProxy 6.5 might allow remote attackers to execute arbitrary code via a CONNECTION request with a long hostname. | 10.0 |
| 2009-03-05 | CVE-2009-0775 | Mozilla | Resource Management Errors vulnerability in Mozilla Firefox, Seamonkey and Thunderbird Double free vulnerability in Mozilla Firefox before 3.0.7, Thunderbird before 2.0.0.21, and SeaMonkey before 1.1.15 allows remote attackers to execute arbitrary code via "cloned XUL DOM elements which were linked as a parent and child," which are not properly handled during garbage collection. | 10.0 |
| 2009-03-05 | CVE-2009-0773 | Mozilla | Resource Management Errors vulnerability in Mozilla Firefox, Seamonkey and Thunderbird The JavaScript engine in Mozilla Firefox before 3.0.7, Thunderbird before 2.0.0.21, and SeaMonkey 1.1.15 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via (1) a splice of an array that contains "some non-set elements," which causes jsarray.cpp to pass an incorrect argument to the ResizeSlots function, which triggers memory corruption; (2) vectors related to js_DecompileValueGenerator, jsopcode.cpp, __defineSetter__, and watch, which triggers an assertion failure or a segmentation fault; and (3) vectors related to gczeal, __defineSetter__, and watch, which triggers a hang. | 10.0 |
| 2009-03-03 | CVE-2008-6393 | PSI IM Jabber | Numeric Errors vulnerability in Psi-Im PSI PSI Jabber client before 0.12.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a file transfer request with a negative value in a SOCKS5 option, which bypasses a signed integer check and triggers an integer overflow and a heap-based buffer overflow. | 10.0 |
| 2009-03-03 | CVE-2009-0752 | Sixapart | Unspecified vulnerability in Sixapart Movable Type Unspecified vulnerability in Movable Type Pro and Community Solution 4.x before 4.24 has unknown impact and attack vectors, possibly related to the password recovery mechanism. | 10.0 |
| 2009-03-05 | CVE-2009-0833 | Myplugins Nullsoft | Buffer Errors vulnerability in Myplugins GEN MSN 0.31 Heap-based buffer overflow in gen_msn.dll in the gen_msn plugin 0.31 for Winamp 5.541 allows remote attackers to execute arbitrary code via a playlist (.pls) file with a long URL in the File1 field. | 9.3 |
| 2009-03-05 | CVE-2009-0813 | Imera | Improper Input Validation vulnerability in Imera Teamlinks Insecure method vulnerability in the ImeraIEPlugin ActiveX control (ImeraIEPlugin.dll 1.0.2.54) in Imera TeamLinks Client allows remote attackers to force the download and execution of arbitrary URLs via modified DownloadProtocol, DownloadHost, DownloadPort, and DownloadURI parameters. | 9.3 |
| 2009-03-05 | CVE-2009-0774 | Mozilla | Resource Management Errors vulnerability in Mozilla Firefox, Seamonkey and Thunderbird The layout engine in Mozilla Firefox 2 and 3 before 3.0.7, Thunderbird before 2.0.0.21, and SeaMonkey 1.1.15 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to gczeal, a different vulnerability than CVE-2009-0773. | 9.3 |
| 2009-03-05 | CVE-2009-0772 | Mozilla | Resource Management Errors vulnerability in Mozilla Firefox, Seamonkey and Thunderbird The layout engine in Mozilla Firefox 2 and 3 before 3.0.7, Thunderbird before 2.0.0.21, and SeaMonkey 1.1.15 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to nsCSSStyleSheet::GetOwnerNode, events, and garbage collection, which triggers memory corruption. | 9.3 |
| 2009-03-05 | CVE-2009-0367 | Wesnoth | Permissions, Privileges, and Access Controls vulnerability in Wesnoth The Python AI module in Wesnoth 1.4.x and 1.5 before 1.5.11 allows remote attackers to escape the sandbox and execute arbitrary code by using a whitelisted module that imports an unsafe module, then using a hierarchical module name to access the unsafe module through the whitelisted module. | 9.3 |
| 2009-03-05 | CVE-2009-0186 | Nullsoft Mega Nerd | Numeric Errors vulnerability in multiple products Integer overflow in libsndfile 1.0.18, as used in Winamp and other products, allows context-dependent attackers to execute arbitrary code via crafted description chunks in a CAF audio file, leading to a heap-based buffer overflow. | 9.3 |
| 2009-03-04 | CVE-2009-0812 | Bpsoft | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Bpsoft HEX Workshop Stack-based buffer overflow in BreakPoint Software Hex Workshop 4.23, 6.0.1.4603, and other 6.x and earlier versions allows remote attackers to execute arbitrary code via a crafted Intel Hex Code (.hex) file. | 9.3 |
| 2009-03-04 | CVE-2009-0811 | Sopcast | Code Injection vulnerability in Sopcast Sopcore Activex Control 3.0.3.501 Insecure method vulnerability in the SopCast SopCore ActiveX control in sopocx.ocx 3.0.3.501 allows remote attackers to execute arbitrary programs via an executable file name in the argument to the SetExternalPlayer method. | 9.3 |
| 2009-03-02 | CVE-2008-6363 | Capilano | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Capilano Designworks 4.3.1/5.0.7 Stack-based buffer overflow in DesignWorks Professional 4.3.1 and 5.0.7 allows remote attackers to execute arbitrary code via a crafted .cct file. | 9.3 |
64 High Vulnerabilities
| DATE | CVE | VENDOR | VULNERABILITY | CVSS |
|---|---|---|---|---|
| 2009-03-06 | CVE-2008-6424 | JUN Sota | Path Traversal vulnerability in JUN Sota Ffftp 1.96B Directory traversal vulnerability in FFFTP 1.96b allows remote FTP servers to create or overwrite arbitrary files via a response to an FTP LIST command with a filename that contains a .. | 8.8 |
| 2009-03-02 | CVE-2008-6367 | Socialgroupie | Improper Input Validation vulnerability in Socialgroupie Social Groupie Unrestricted file upload vulnerability in Photos/create_album.php in Social Groupie allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in Member_images/. | 8.5 |
| 2009-03-05 | CVE-2009-0619 | Cisco | Remote Denial Of Service vulnerability in Cisco Session Border Controller 3.0(1) Unspecified vulnerability in the Session Border Controller (SBC) before 3.0(2) for Cisco 7600 series routers allows remote attackers to cause a denial of service (SBC card reload) via crafted packets to TCP port 2000. | 7.8 |
| 2009-03-04 | CVE-2008-6395 | 3Com | USE of Externally-Controlled Format String vulnerability in 3Com Wireless 8760 Dual-Radio The web management interface in 3Com Wireless 8760 Dual Radio 11a/b/g PoE Access Point allows remote attackers to cause a denial of service (device crash) via a malformed HTTP POST request. | 7.8 |
| 2009-03-03 | CVE-2009-0758 | Avahi | Resource Management Errors vulnerability in Avahi Avahi-Daemon 0.6.23 The originates_from_local_legacy_unicast_socket function in avahi-core/server.c in avahi-daemon 0.6.23 does not account for the network byte order of a port number when processing incoming multicast packets, which allows remote attackers to cause a denial of service (network bandwidth and CPU consumption) via a crafted legacy unicast mDNS query packet that triggers a multicast packet storm. | 7.8 |
| 2009-03-02 | CVE-2009-0749 | Optipng Project Suse Opensuse | Use After Free vulnerability in multiple products Use-after-free vulnerability in the GIFReadNextExtension function in lib/pngxtern/gif/gifread.c in OptiPNG 0.6.2 and earlier allows context-dependent attackers to cause a denial of service (application crash) via a crafted GIF image that causes the realloc function to return a new pointer, which triggers memory corruption when the old pointer is accessed. | 7.8 |
| 2009-03-06 | CVE-2008-6438 | E107Coders E107 | SQL Injection vulnerability in E107Coders Macguru Blog Engine Plugin 2.2 SQL injection vulnerability in macgurublog_menu/macgurublog.php in the MacGuru BLOG Engine plugin 2.2 for e107 allows remote attackers to execute arbitrary SQL commands via the uid parameter, a different vector than CVE-2008-2455. | 7.5 |
| 2009-03-06 | CVE-2008-6434 | Blueriver | SQL Injection vulnerability in Blueriver Sava CMS SQL injection vulnerability in index.cfm in Blue River Interactive Group Sava CMS before 5.0.122 allows remote attackers to execute arbitrary SQL commands via the LinkServID parameter. | 7.5 |
| 2009-03-06 | CVE-2008-6430 | Joomla | SQL Injection vulnerability in Joomla COM Mycontent 1.1.13 SQL injection vulnerability in the MyContent (com_mycontent) component 1.1.13 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a view action to index.php. | 7.5 |
| 2009-03-06 | CVE-2008-6429 | Joomla Mike Leeper | SQL Injection vulnerability in Mike Leeper COM Prayercenter SQL injection vulnerability in the PrayerCenter (com_prayercenter) component 1.4.9 and earlier for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a view_request action to index2.php. | 7.5 |
| 2009-03-06 | CVE-2008-6425 | Comicshout | SQL Injection vulnerability in Comicshout 2.8 SQL injection vulnerability in news.php in ComicShout 2.8 allows remote attackers to execute arbitrary SQL commands via the news_id parameter, a different vector than CVE-2008-2456. | 7.5 |
| 2009-03-06 | CVE-2008-6422 | Psychostats | SQL Injection vulnerability in Psychostats 2.3/2.3.1/2.3.3 Multiple SQL injection vulnerabilities in PsychoStats 2.3, 2.3.1, and 2.3.3 allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) weapon.php and (2) map.php. | 7.5 |
| 2009-03-06 | CVE-2008-6421 | Socialsitegenerator | Code Injection vulnerability in Socialsitegenerator Social Site Generator 2.0 PHP remote file inclusion vulnerability in social_game_play.php in Social Site Generator (SSG) 2.0 allows remote attackers to execute arbitrary PHP code via a URL in the path parameter. | 7.5 |
| 2009-03-06 | CVE-2008-6419 | Socialsitegenerator | SQL Injection vulnerability in Socialsitegenerator Social Site Generator 2.0 Multiple SQL injection vulnerabilities in Social Site Generator (SSG) 2.0 allow remote attackers to execute arbitrary SQL commands via the (1) sgc_id parameter to display_blog.php, (2) scm_mem_id parameter to social_my_profile_download.php, and the (3) catid parameter to social_forum_subcategories.php. | 7.5 |
| 2009-03-06 | CVE-2008-6418 | Torrenttrader | SQL Injection vulnerability in Torrenttrader SQL injection vulnerability in scrape.php in TorrentTrader before 2008-05-13 allows remote attackers to execute arbitrary SQL commands via the info_hash parameter. | 7.5 |
| 2009-03-06 | CVE-2008-6414 | AJ Square | SQL Injection vulnerability in AJ Square AJ Auction 2.0 SQL injection vulnerability in detail.php in AJ Auction Pro Platinum Skin 2 allows remote attackers to execute arbitrary SQL commands via the item_id parameter. | 7.5 |
| 2009-03-06 | CVE-2008-6412 | Vignette | Security Bypass vulnerability in Vignette Content Management Unspecified vulnerability in Vignette Content Management 7.3.0.5, 7.3.1, 7.3.1.1, 7.4, and 7.5 allows "low privileged" users to gain administrator privileges via unknown attack vectors. | 7.5 |
| 2009-03-06 | CVE-2008-6411 | Explay | Improper Authentication vulnerability in Explay CMS 2.0 Explay CMS 2.1 and earlier allows remote attackers to bypass authentication and gain administrative access by setting the login cookie to 1. | 7.5 |
| 2009-03-06 | CVE-2008-6410 | Brian Wilson | Path Traversal vulnerability in Brian Wilson Ol'Bookmarks Directory traversal vulnerability in show.php in ol'bookmarks manager 0.7.5 and earlier allows remote attackers to include and execute arbitrary local files via a .. | 7.5 |
| 2009-03-06 | CVE-2008-6409 | Brian Wilson | SQL Injection vulnerability in Brian Wilson Ol'Bookmarks 0.7.5 SQL injection vulnerability in index.php in ol'bookmarks manager 0.7.5 allows remote attackers to execute arbitrary SQL commands via the id parameter in a brain action. | 7.5 |
| 2009-03-06 | CVE-2008-6408 | Brian Wilson | Code Injection vulnerability in Brian Wilson Ol'Bookmarks 0.7.5 PHP remote file inclusion vulnerability in frame.php in ol'bookmarks manager 0.7.5 allows remote attackers to execute arbitrary PHP code via a URL in the framefile parameter. | 7.5 |
| 2009-03-06 | CVE-2008-6407 | Brian Wilson | Path Traversal vulnerability in Brian Wilson Ol'Bookmarks 0.7.5 Directory traversal vulnerability in frame.php in ol'bookmarks manager 0.7.5 allows remote attackers to include and execute arbitrary local files via a .. | 7.5 |
| 2009-03-06 | CVE-2008-6405 | Greatclone | SQL Injection vulnerability in Greatclone Hotscripts Clone SQL injection vulnerability in showcategory.php in Hotscripts Clone allows remote attackers to execute arbitrary SQL commands via the cid parameter. | 7.5 |
| 2009-03-06 | CVE-2008-6403 | Openrat | Code Injection vulnerability in Openrat 0.8Beta1 PHP remote file inclusion vulnerability in themes/default/include/html/insert.inc.php in OpenRat 0.8-beta4 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the tpl_dir parameter. | 7.5 |
| 2009-03-06 | CVE-2008-6402 | Muskatli | Code Injection vulnerability in Muskatli Sofi Webgui 0.4.2/0.5.2/0.6.0Pre PHP remote file inclusion vulnerability in hu/modules/reg-new/modstart.php in Sofi WebGui 0.6.3 PRE and earlier allows remote attackers to execute arbitrary PHP code via a URL in the mod_dir parameter. | 7.5 |
| 2009-03-06 | CVE-2008-6401 | Jetik | SQL Injection vulnerability in Jetik Jetik-Web SQL injection vulnerability in sayfa.php in JETIK-WEB allows remote attackers to execute arbitrary SQL commands via the kat parameter. | 7.5 |
| 2009-03-06 | CVE-2009-0768 | Yapbb | SQL Injection vulnerability in Yapbb 1.1/1.2 SQL injection vulnerability in forumhop.php in YapBB 1.2 and earlier allows remote attackers to execute arbitrary SQL commands via the forumID parameter in a next action. | 7.5 |
| 2009-03-06 | CVE-2009-0766 | Bookelves | Path Traversal vulnerability in Bookelves Kipper 2.01 Directory traversal vulnerability in default.php in Kipper 2.01 allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the configfile parameter. | 7.5 |
| 2009-03-06 | CVE-2009-0765 | Bookelves | Path Traversal vulnerability in Bookelves Kipper 2.01 Directory traversal vulnerability in index.php in Kipper 2.01 allows remote attackers to include and execute arbitrary local files via a .. | 7.5 |
| 2009-03-05 | CVE-2009-0832 | Ausimods PHP Fusion | SQL Injection vulnerability in Ausimods E-Cart 1.3 SQL injection vulnerability in items.php in the E-Cart module 1.3 for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the CA parameter. | 7.5 |
| 2009-03-05 | CVE-2009-0829 | Andrew Freed | SQL Injection vulnerability in Andrew Freed Quotebook Multiple SQL injection vulnerabilities in QuoteBook allow remote attackers to execute arbitrary SQL commands via the (1) MyBox and (2) selectFavorites parameters to (a) quotes.php and the (3) QuoteName and (4) QuoteText parameters to (b) quotesadd.php. | 7.5 |
| 2009-03-05 | CVE-2009-0820 | PHP Brickhost | Code Injection vulnerability in PHP.Brickhost PHPscheduleit Multiple eval injection vulnerabilities in phpScheduleIt before 1.2.11 allow remote attackers to execute arbitrary code via (1) the end_date parameter to reserve.php and (2) the start_date and end_date parameters to check.php. | 7.5 |
| 2009-03-04 | CVE-2009-0810 | Xatrix | SQL Injection vulnerability in Xatrix Xguestbook 2.0 SQL injection vulnerability in login.php in xGuestbook 2.0 allows remote attackers to execute arbitrary SQL commands via the user parameter. | 7.5 |
| 2009-03-04 | CVE-2009-0808 | Simple Cmms | SQL Injection vulnerability in Simple Cmms Simplecmms 0.1.0 Multiple SQL injection vulnerabilities in SimpleCMMS before 0.1.0 allow remote attackers to execute arbitrary SQL commands via unspecified vectors. | 7.5 |
| 2009-03-04 | CVE-2009-0807 | Zfeeder | Permissions, Privileges, and Access Controls vulnerability in Zfeeder 1.6 zFeeder 1.6 allows remote attackers to gain administrative access via a direct request to admin.php. | 7.5 |
| 2009-03-04 | CVE-2008-6394 | CS Cart | SQL Injection vulnerability in Cs-Cart SQL injection vulnerability in core/user.php in CS-Cart 1.3.5 and earlier allows remote attackers to execute arbitrary SQL commands via the cs_cookies[customer_user_id] cookie parameter. | 7.5 |
| 2009-03-03 | CVE-2009-0757 | Mpfr | Buffer Errors vulnerability in Mpfr GNU Mpfr 2.4.0 Multiple buffer overflows in GNU MPFR 2.4.0 allow context-dependent attackers to cause a denial of service (crash) via the (1) mpfr_snprintf and (2) mpfr_vsnprintf functions. | 7.5 |
| 2009-03-02 | CVE-2009-0750 | Txtsql Tombstone | SQL Injection vulnerability in Tombstone Smnews SQL injection vulnerability in login.php in the smNews example script for txtSQL 2.2 Final allows remote attackers to execute arbitrary SQL commands via the username parameter. | 7.5 |
| 2009-03-02 | CVE-2008-6392 | 1Scripts | SQL Injection vulnerability in 1Scripts Z1Exchange 1.0 SQL injection vulnerability in showads.php in Z1Exchange allows remote attackers to execute arbitrary SQL commands via the id parameter. | 7.5 |
| 2009-03-02 | CVE-2008-6391 | Nexusjnr | SQL Injection vulnerability in Nexusjnr Jbook SQL injection vulnerability in main.asp in Jbook allows remote attackers to execute arbitrary SQL commands via the username (user parameter). | 7.5 |
| 2009-03-02 | CVE-2008-6390 | Ocean12Tech | SQL Injection vulnerability in Ocean12Tech Membership Manager PRO SQL injection vulnerability in login.asp in Ocean12 Membership Manager Pro allows remote attackers to execute arbitrary SQL commands via the Password parameter. | 7.5 |
| 2009-03-02 | CVE-2008-6389 | Aliensoftcorp | SQL Injection vulnerability in Aliensoftcorp RAE Media Contact Management SQL injection vulnerability in asadmin/default.asp in Rae Media Contact Management Software SOHO, Standard, and Enterprise allows remote attackers to execute arbitrary SQL commands via the Password parameter. | 7.5 |
| 2009-03-02 | CVE-2008-6380 | Activewebsoftwares | SQL Injection vulnerability in Activewebsoftwares Active web Helpdesk 2.0 SQL injection vulnerability in default.aspx in Active Web Helpdesk 2.0 allows remote attackers to execute arbitrary SQL commands via the CategoryID parameter. | 7.5 |
| 2009-03-02 | CVE-2008-6379 | Mxmania | SQL Injection vulnerability in Mxmania Gallery MX 2.0.0 SQL injection vulnerability in pics_pre.asp in Gallery MX 2.0.0 allows remote attackers to execute arbitrary SQL commands via the ID parameter. | 7.5 |
| 2009-03-02 | CVE-2008-6378 | Mxmania | SQL Injection vulnerability in Mxmania Calendar MX Professional 2.0.0 SQL injection vulnerability in calendar_Eventupdate.asp in Calendar Mx Professional 2.0.0 allows remote attackers to execute arbitrary SQL commands via the ID parameter. | 7.5 |
| 2009-03-02 | CVE-2008-6377 | Phpbb SEO | Code Injection vulnerability in PHPbb-Seo Multi SEO PHPbb 1.1.0 PHP remote file inclusion vulnerability in include/global.php in Multi SEO phpBB 1.1.0 allows remote attackers to execute arbitrary PHP code via a URL in the pfad parameter. | 7.5 |
| 2009-03-02 | CVE-2008-6376 | Nexusjnr | SQL Injection vulnerability in Nexusjnr Jbook SQL injection vulnerability in main.asp in Jbook allows remote attackers to execute arbitrary SQL commands via the password (pass parameter). | 7.5 |
| 2009-03-02 | CVE-2008-6372 | Ocean12Tech | SQL Injection vulnerability in Ocean12Tech FAQ Manager PRO 1.0 SQL injection vulnerability in default.asp in Ocean12 FAQ Manager Pro 1.0 allows remote attackers to execute arbitrary SQL commands via the ID parameter in a Cat action. | 7.5 |
| 2009-03-02 | CVE-2008-6371 | Ocean12Tech | SQL Injection vulnerability in Ocean12Tech Membership Manager PRO SQL injection vulnerability in login.asp in Ocean12 Membership Manager Pro allows remote attackers to execute arbitrary SQL commands via the username (Username parameter). | 7.5 |
| 2009-03-02 | CVE-2008-6369 | Ocean12Tech | SQL Injection vulnerability in Ocean12Tech Contact Manager PRO 1.02 SQL injection vulnerability in default.asp in Ocean12 Contact Manager Pro 1.02 allows remote attackers to execute arbitrary SQL commands via the Sort parameter. | 7.5 |
| 2009-03-02 | CVE-2008-6368 | Chipmunk Scripts | SQL Injection vulnerability in Chipmunk Scripts Chipmunk Guestbook 1.4M SQL injection vulnerability in index.php in Chipmunk Guestbook 1.4m allows remote attackers to execute arbitrary SQL commands via the start parameter. | 7.5 |
| 2009-03-02 | CVE-2008-6366 | Adserversolutions | SQL Injection vulnerability in Adserversolutions Affiliate Software Java 4.0 SQL injection vulnerability in logon.jsp in Ad Server Solutions Affiliate Software Java 4.0 allows remote attackers to execute arbitrary SQL commands via the (1) username and (2) password, possibly related to the uname and pass parameters to logon_process.jsp. | 7.5 |
| 2009-03-02 | CVE-2008-6365 | Adserversolutions | SQL Injection vulnerability in Adserversolutions AD Management Software SQL injection vulnerability in logon.jsp in Ad Server Solutions Ad Management Software Java allows remote attackers to execute arbitrary SQL commands via the (1) username and (2) password, related to the uname or pass parameters to logon.jsp or logon_processing.jsp. | 7.5 |
| 2009-03-02 | CVE-2008-6364 | Adserversolutions | SQL Injection vulnerability in Adserversolutions Banner Exchange Software SQL injection vulnerability in logon_process.jsp in Ad Server Solutions Banner Exchange Solution Java allows remote attackers to execute arbitrary SQL commands via the (1) username (uname parameter) and (2) password (pass parameter). | 7.5 |
| 2009-03-02 | CVE-2008-6362 | Ezonelink | SQL Injection vulnerability in Ezonelink multiple Membership Script 2.5 SQL injection vulnerability in sitepage.php in Multiple Membership Script 2.5 allows remote attackers to execute arbitrary SQL commands via the id parameter. | 7.5 |
| 2009-03-02 | CVE-2008-6358 | Socialgroupie | SQL Injection vulnerability in Socialgroupie Social Groupie SQL injection vulnerability in group_index.php in Social Groupie allows remote attackers to execute arbitrary SQL commands via the id parameter. | 7.5 |
| 2009-03-02 | CVE-2008-6353 | ASP CMS | SQL Injection vulnerability in Asp-Cms 1.0 SQL injection vulnerability in index.asp in ASP-CMS 1.0 allows remote attackers to execute arbitrary SQL commands via the cha parameter. | 7.5 |
| 2009-03-02 | CVE-2008-6352 | Xpoze | SQL Injection vulnerability in Xpoze PRO 4.10 SQL injection vulnerability in home.html in Xpoze Pro 4.10 allows remote attackers to execute arbitrary SQL commands via the menu parameter. | 7.5 |
| 2009-03-02 | CVE-2008-6350 | Turnkeyforms | SQL Injection vulnerability in Turnkeyforms Local Classifieds SQL injection vulnerability in listtest.php in TurnkeyForms Local Classifieds allows remote attackers to execute arbitrary SQL commands via the r parameter. | 7.5 |
| 2009-03-02 | CVE-2008-6349 | Turnkeyforms | SQL Injection vulnerability in Turnkeyforms Business Survey PRO 1.0 SQL injection vulnerability in survey_results_text.php in TurnkeyForms Business Survey Pro 1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter. | 7.5 |
| 2009-03-02 | CVE-2008-6348 | Developiteasy | SQL Injection vulnerability in Developiteasy Photo Gallery 1.2 Multiple SQL injection vulnerabilities in DevelopItEasy Photo Gallery 1.2 allow remote attackers to execute arbitrary SQL commands via the (1) cat_id parameter to gallery_category.php, (2) photo_id parameter to gallery_photo.php, and the (3) user_name and (4) user_pass parameters to admin/index.php. | 7.5 |
| 2009-03-02 | CVE-2008-6347 | Joomla Luigi Massa | Code Injection vulnerability in Luigi Massa Onguma Time Sheet 2.04 PHP remote file inclusion vulnerability in lib/onguma.class.php in the Onguma Time Sheet (com_ongumatimesheet20) 2.0 4b component for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter. | 7.5 |
| 2009-03-04 | CVE-2009-0779 | IBM | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in IBM AIX 5.3/6.1 Buffer overflow in pppdial in IBM AIX 5.3 and 6.1 allows local users to gain privileges via a long "input string." | 7.2 |
| 2009-03-05 | CVE-2009-0776 | Mozilla | Information Exposure vulnerability in Mozilla Firefox, Seamonkey and Thunderbird nsIRDFService in Mozilla Firefox before 3.0.7, Thunderbird before 2.0.0.21, and SeaMonkey before 1.1.15 allows remote attackers to bypass the same-origin policy and read XML data from another domain via a cross-domain redirect. | 7.1 |
76 Medium Vulnerabilities
| DATE | CVE | VENDOR | VULNERABILITY | CVSS |
|---|---|---|---|---|
| 2009-03-04 | CVE-2008-6398 | Eric Raymond | Link Following vulnerability in Eric Raymond SNG 1.0.2 sng_regress in SNG 1.0.2 allows local users to overwrite arbitrary files via a symlink attack on the (1) /tmp/recompiled$$.png, (2) /tmp/decompiled$$.sng, and (3) /tmp/canonicalized$$.sng temporary files. | 6.9 |
| 2009-03-06 | CVE-2008-6427 | Hivemaker | SQL Injection vulnerability in Hivemaker SQL injection vulnerability in index.php in Hivemaker Professional 1.0.2 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the cid parameter. | 6.8 |
| 2009-03-05 | CVE-2009-0037 | Curl | Cross-Site Request Forgery (CSRF) vulnerability in Curl and Libcurl The redirect implementation in curl and libcurl 5.11 through 7.19.3, when CURLOPT_FOLLOWLOCATION is enabled, accepts arbitrary Location values, which might allow remote HTTP servers to (1) trigger arbitrary requests to intranet servers, (2) read or overwrite arbitrary files via a redirect to a file: URL, or (3) execute arbitrary commands via a redirect to an scp: URL. | 6.8 |
| 2009-03-02 | CVE-2008-6384 | Drupal | Cross-Site Request Forgery (CSRF) vulnerability in Drupal Comment Mail 5.X0.1/5.X1.0/5.X1.X Multiple cross-site request forgery (CSRF) vulnerabilities in Comment Mail 5.x before 5.x-1.1, a module for Drupal, allow remote attackers to hijack the authentication of administrators. | 6.8 |
| 2009-03-02 | CVE-2008-6361 | Insun Podcast | Path Traversal vulnerability in Insun Podcast Feedcms 1.7.319Beta Directory traversal vulnerability in index.php in InSun Feed CMS 1.7.3 19Beta allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the lang parameter. | 6.8 |
| 2009-03-04 | CVE-2009-0806 | Opengoo | Permissions, Privileges, and Access Controls vulnerability in Opengoo Unspecified vulnerability in OpenGoo before 1.2.1 allows remote authenticated users to modify their own permissions via unknown attack vectors. | 6.5 |
| 2009-03-03 | CVE-2009-0759 | ZNC | Code Injection vulnerability in ZNC Multiple CRLF injection vulnerabilities in webadmin in ZNC before 0.066 allow remote authenticated users to modify the znc.conf configuration file and gain privileges via CRLF sequences in the quit message and other vectors. | 6.5 |
| 2009-03-05 | CVE-2008-6399 | Dotnetnuke | Permissions, Privileges, and Access Controls vulnerability in Dotnetnuke Unspecified vulnerability in DotNetNuke 4.5.2 through 4.9 allows remote attackers to "add additional roles to their user account" via unknown attack vectors. | 6.4 |
| 2009-03-05 | CVE-2009-0578 | Ubuntu | Permissions, Privileges, and Access Controls vulnerability in Ubuntu Linux 8.10 GNOME NetworkManager before 0.7.0.99 does not properly verify privileges for dbus (1) modify and (2) delete requests, which allows local users to change or remove the network connections of arbitrary users via unspecified vectors related to org.freedesktop.NetworkManagerUserSettings and at_console. | 6.2 |
| 2009-03-05 | CVE-2009-0831 | PHP Fusion | SQL Injection vulnerability in PHP-Fusion Members CV Module 1.0 SQL injection vulnerability in members.php in the Members CV (job) module 1.0 for PHP-Fusion, when magic_quotes_gpc is disabled, allows remote authenticated users to execute arbitrary SQL commands via the sortby parameter. | 6.0 |
| 2009-03-02 | CVE-2008-6383 | Drupal | SQL Injection vulnerability in Drupal Storm SQL injection vulnerability in SpeedTech Organization and Resource Manager (Storm) 5.x before 5.x-1.14 and 6.x before 6.x-1.18, a module for Drupal, allows remote authenticated users with storm project access to execute arbitrary SQL commands via unspecified vectors. | 6.0 |
| 2009-03-05 | CVE-2009-0777 | Mozilla | Improper Input Validation vulnerability in Mozilla Firefox, Seamonkey and Thunderbird Mozilla Firefox before 3.0.7, Thunderbird before 2.0.0.21, and SeaMonkey before 1.1.15 decode invisible characters when they are displayed in the location bar, which causes an incorrect address to be displayed and makes it easier for remote attackers to spoof URLs and conduct phishing attacks. | 5.8 |
| 2009-03-04 | CVE-2009-0804 | Ziproxy | Permissions, Privileges, and Access Controls vulnerability in Ziproxy 2.6.0 Ziproxy 2.6.0, when transparent interception mode is enabled, uses the HTTP Host header to determine the remote endpoint, which allows remote attackers to bypass access controls for Flash, Java, Silverlight, and probably other technologies, and possibly communicate with restricted intranet sites, via a crafted web page that causes a client to send HTTP requests with a modified Host header. | 5.4 |
| 2009-03-04 | CVE-2009-0803 | Smoothwall | Permissions, Privileges, and Access Controls vulnerability in Smoothwall Networkguardian, Schoolguardian and Smoothguardian SmoothWall SmoothGuardian, as used in SmoothWall Firewall, NetworkGuardian, and SchoolGuardian 2008, when transparent interception mode is enabled, uses the HTTP Host header to determine the remote endpoint, which allows remote attackers to bypass access controls for Flash, Java, Silverlight, and probably other technologies, and possibly communicate with restricted intranet sites, via a crafted web page that causes a client to send HTTP requests with a modified Host header. | 5.4 |
| 2009-03-04 | CVE-2009-0802 | Qbik | Permissions, Privileges, and Access Controls vulnerability in Qbik Wingate Qbik WinGate, when transparent interception mode is enabled, uses the HTTP Host header to determine the remote endpoint, which allows remote attackers to bypass access controls for Flash, Java, Silverlight, and probably other technologies, and possibly communicate with restricted intranet sites, via a crafted web page that causes a client to send HTTP requests with a modified Host header. | 5.4 |
| 2009-03-04 | CVE-2009-0801 | Squid | Permissions, Privileges, and Access Controls vulnerability in Squid web Proxy Cache Squid, when transparent interception mode is enabled, uses the HTTP Host header to determine the remote endpoint, which allows remote attackers to bypass access controls for Flash, Java, Silverlight, and probably other technologies, and possibly communicate with restricted intranet sites, via a crafted web page that causes a client to send HTTP requests with a modified Host header. | 5.4 |
| 2009-03-06 | CVE-2008-6440 | Cerberus Webgroupmedia | Improper Authentication vulnerability in multiple products Cerberus Helpdesk before 4.0 (Build 600) allows remote attackers to obtain sensitive information via direct requests for "controllers ... | 5.0 |
| 2009-03-06 | CVE-2008-6423 | I Apps | Path Traversal vulnerability in I-Apps Passwiki Directory traversal vulnerability in passwiki.php in PassWiki 0.9.16 RC3 and earlier allows remote attackers to read arbitrary local files via a .. | 5.0 |
| 2009-03-06 | CVE-2008-6420 | Socialsitegenerator | Information Exposure vulnerability in Socialsitegenerator Social Site Generator 2.0 Social Site Generator (SSG) 2.0 allows remote attackers to read arbitrary files via the file parameter to (1) filedload.php, (2) webadmin/download.php, and (3) webadmin/download_file.php. | 5.0 |
| 2009-03-06 | CVE-2008-6417 | Greensql | Remote Security vulnerability in GreenSQL-Console Unspecified vulnerability in GreenSQL-Console before 0.3.5 allows attackers to obtain the "installation directory" via unknown vectors. | 5.0 |
| 2009-03-06 | CVE-2009-0770 | Dkim | Remote Denial of Service vulnerability in dkim-milter 'p' flag dkim-milter 2.6.0 through 2.8.0 allows remote attackers to cause a denial of service (crash) by signing a message with a key that has been revoked in DNS, which triggers an assertion error. | 5.0 |
| 2009-03-06 | CVE-2009-0767 | Bookelves | Permissions, Privileges, and Access Controls vulnerability in Bookelves Kipper 2.01 Kipper 2.01 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a file containing credentials via a direct request for job/config.data. | 5.0 |
| 2009-03-06 | CVE-2009-0760 | Team5 | Permissions, Privileges, and Access Controls vulnerability in Team5 Team Board 1.0.0/2.0.0 Team Board 1.x and 2.x stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing credentials via a direct request for data/team.mdb. | 5.0 |
| 2009-03-05 | CVE-2009-0828 | Freedville | Permissions, Privileges, and Access Controls vulnerability in Freedville Quotebook QuoteBook stores quotes.inc under the web root with insufficient access control, which allows remote attackers to obtain sensitive database information, including user credentials, via a direct request. | 5.0 |
| 2009-03-05 | CVE-2009-0827 | Freedville | Permissions, Privileges, and Access Controls vulnerability in Freedville Pollhelper PollHelper stores poll.inc under the web root with insufficient access control, which allows remote attackers to download the database file containing user credentials via a direct request. | 5.0 |
| 2009-03-05 | CVE-2009-0826 | Freedville | Permissions, Privileges, and Access Controls vulnerability in Freedville Bloghelper BlogHelper stores common_db.inc under the web root with insufficient access control, which allows remote attackers to download the database file containing user credentials via a direct request. | 5.0 |
| 2009-03-05 | CVE-2009-0821 | Mozilla | Resource Management Errors vulnerability in Mozilla Firefox Mozilla Firefox 2.0.0.20 and earlier allows remote attackers to cause a denial of service (application crash) via nested calls to the window.print function, as demonstrated by a window.print(window.print()) in the onclick attribute of an INPUT element. | 5.0 |
| 2009-03-05 | CVE-2009-0815 | Typo3 | Information Exposure vulnerability in Typo3 The jumpUrl mechanism in class.tslib_fe.php in TYPO3 3.3.x through 3.8.x, 4.0 before 4.0.12, 4.1 before 4.1.10, 4.2 before 4.2.6, and 4.3alpha1 leaks a hash secret (juHash) in an error message, which allows remote attackers to read arbitrary files by including the hash in a request. | 5.0 |
| 2009-03-04 | CVE-2009-0780 | Openbsd | Remote Denial of Service vulnerability in OpenBSD bgpd The aspath_prepend function in rde_attr.c in bgpd in OpenBSD 4.3 and 4.4 allows remote attackers to cause a denial of service (application crash) via an Autonomous System (AS) advertisement containing a long AS path. | 5.0 |
| 2009-03-03 | CVE-2009-0756 | Poppler | Denial of Service vulnerability in Poppler The JBIG2Stream::readSymbolDictSeg function in Poppler before 0.10.4 allows remote attackers to cause a denial of service (crash) via a PDF file that triggers a parsing error, which is not properly handled by JBIG2SymbolDict::~JBIG2SymbolDict and triggers an invalid memory dereference. | 5.0 |
| 2009-03-03 | CVE-2009-0755 | Poppler | Denial of Service vulnerability in Poppler The FormWidgetChoice::loadDefaults function in Poppler before 0.10.4 allows remote attackers to cause a denial of service (crash) via a PDF file with an invalid Form Opt entry. | 5.0 |
| 2009-03-03 | CVE-2009-0753 | Mldonkey | Path Traversal vulnerability in Mldonkey Absolute path traversal vulnerability in MLDonkey 2.8.4 through 2.9.7 allows remote attackers to read arbitrary files via a leading "//" (double slash) in the filename. | 5.0 |
| 2009-03-02 | CVE-2009-0751 | Yaws | Resource Management Errors vulnerability in Yaws Yaws before 1.80 allows remote attackers to cause a denial of service (memory consumption and crash) via a request with a large number of headers. | 5.0 |
| 2009-03-02 | CVE-2008-6388 | 4U2Ges | Permissions, Privileges, and Access Controls vulnerability in 4U2Ges Rapid Classified 3.1/3.15 Rapid Classified 3.1 and 3.15 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the database file via a direct request to cldb.mdb. | 5.0 |
| 2009-03-02 | CVE-2008-6387 | Activewebsoftwares | Information Exposure vulnerability in Activewebsoftwares Quick Tree View .Net 3.1 Quick Tree View .NET 3.1 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the database file via a direct request to qtv.mdb. | 5.0 |
| 2009-03-02 | CVE-2008-6382 | Aspportal | Permissions, Privileges, and Access Controls vulnerability in Aspportal 3.2.5 ASP Portal 3.2.5 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the database file via a direct request to ASPPortal.mdb. | 5.0 |
| 2009-03-02 | CVE-2008-6375 | Nexusjnr | Permissions, Privileges, and Access Controls vulnerability in Nexusjnr Jbook JBook stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the database file via a direct request to userids.mdb. | 5.0 |
| 2009-03-02 | CVE-2008-6374 | Codefixer | Permissions, Privileges, and Access Controls vulnerability in Codefixer Mailinglistpro CodefixerSoftware MailingListPro Free Edition stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain sensitive information via a direct request to db/MailingList.mdb. | 5.0 |
| 2009-03-02 | CVE-2008-6373 | Nagios | Code Injection vulnerability in Nagios Unspecified vulnerability in Nagios before 3.0.6 has unspecified impact and remote attack vectors related to CGI programs, "adaptive external commands," and "writing newlines and submitting service comments." | 5.0 |
| 2009-03-02 | CVE-2008-6357 | Donnafontenot | Permissions, Privileges, and Access Controls vulnerability in Donnafontenot Mycal Personal Events Calendar MyCal Personal Events Calendar stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing the username and password via a direct request to mycal.mdb. | 5.0 |
| 2009-03-02 | CVE-2008-6356 | Donnafontenot | Permissions, Privileges, and Access Controls vulnerability in Donnafontenot Evcal Events Calendar evCal Events Calendar stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing the username and password via a direct request to (1) evcal.mdb and (2) evcal97.mdb. | 5.0 |
| 2009-03-02 | CVE-2008-6355 | Thenetguys | Permissions, Privileges, and Access Controls vulnerability in Thenetguys Aspired2Protect The Net Guys ASPired2Protect stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing the username and password via a direct request to ASPired2Protect.mdb. | 5.0 |
| 2009-03-02 | CVE-2008-6354 | Thenetguys | Permissions, Privileges, and Access Controls vulnerability in Thenetguys Aspired2Poll The Net Guys ASPired2poll stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing the username and password via a direct request to ASPired2poll.mdb. | 5.0 |
| 2009-03-06 | CVE-2009-0838 | SUN | Resource Management Errors vulnerability in SUN Opensolaris and Sunos The crypto pseudo device driver in Sun Solaris 10, and OpenSolaris snv_88 through snv_102, does not properly free memory, which allows local users to cause a denial of service (panic) via unspecified vectors, related to the vmem_hash_delete function. | 4.9 |
| 2009-03-05 | CVE-2009-0365 | Ubuntu | Permissions, Privileges, and Access Controls vulnerability in Ubuntu Linux nm-applet.conf in GNOME NetworkManager before 0.7.0.99 contains an incorrect deny setting, which allows local users to discover (1) network connection passwords and (2) pre-shared keys via calls to the GetSecrets method in the dbus request handler. | 4.6 |
| 2009-03-02 | CVE-2008-6381 | Bcoos | SQL Injection vulnerability in Bcoos SQL injection vulnerability in modules/adresses/viewcat.php in bcoos 1.0.13, and possibly earlier, allows remote authenticated users with Addresses module permissions to execute arbitrary SQL commands via the cid parameter. | 4.6 |
| 2009-03-04 | CVE-2008-6397 | Alcovebook | Link Following vulnerability in Alcovebook Sgml2X 1.0.0 rlatex in AlcoveBook sgml2x 1.0.0 allows local users to overwrite arbitrary files via a symlink attack on temporary files. | 4.4 |
| 2009-03-06 | CVE-2008-6439 | Abledating | Cross-Site Scripting vulnerability in Abledating 2.4 Cross-site scripting (XSS) vulnerability in search_results.php in ABK-Soft AbleDating 2.4 allows remote attackers to inject arbitrary web script or HTML via the keyword parameter. | 4.3 |
| 2009-03-06 | CVE-2008-6437 | Lukas Waldauf | Cross-Site Scripting vulnerability in Lukas Waldauf PHPfreeforum Multiple cross-site scripting (XSS) vulnerabilities in PHPFreeForum 1.0 RC2 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) message parameter to error.php, and the (2) nickname and (3) randomid parameters to part/menu.php. | 4.3 |
| 2009-03-06 | CVE-2008-6436 | Xerox | Cross-Site Scripting vulnerability in Xerox Workcentre Cross-site scripting (XSS) vulnerability in the Web Server in Xerox WorkCentre 7132, 7228, 7235, and 7245 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
| 2009-03-06 | CVE-2008-6435 | Phpsqlitecms | Cross-Site Scripting vulnerability in PHPsqlitecms 1 Multiple cross-site scripting (XSS) vulnerabilities in phpSQLiteCMS 1 RC2 allow remote attackers to inject arbitrary web script or HTML via the (1) lang[home], (2) lang[admin_menu], and (3) lang[admin_menu_page_overview] parameters to cms/includes/header.inc.php; and the (4) lang[login_username] and (5) lang[login_password] parameters to cms/includes/login.inc.php. | 4.3 |
| 2009-03-06 | CVE-2008-6433 | Blueriver | Cross-Site Scripting vulnerability in Blueriver Sava CMS Cross-site scripting (XSS) vulnerability in index.cfm in Blue River Interactive Group Sava CMS before 5.0.122 allows remote attackers to inject arbitrary web script or HTML via the keywords parameter in a search action. | 4.3 |
| 2009-03-06 | CVE-2008-6431 | Bmforum | Cross-Site Scripting vulnerability in Bmforum 5.6 Multiple cross-site scripting (XSS) vulnerabilities in BMForum 5.6 allow remote attackers to inject arbitrary web script or HTML via the (1) outpused parameter to index.php, the (2) footer_copyright and (3) verandproname parameters to newtem/footer/bsd01footer.php, and the (4) topads and (5) myplugin parameters to newtem/header/bsd01header.php. | 4.3 |
| 2009-03-06 | CVE-2008-6428 | Kayalang | Cross-Site Scripting vulnerability in Kayalang Kaya 0.4.0 The CGI framework in Kaya 0.4.0 allows remote attackers to inject arbitrary HTTP headers and conduct cross-site scripting (XSS) attacks via unspecified vectors. | 4.3 |
| 2009-03-06 | CVE-2008-6416 | Greensql | Cross-Site Scripting vulnerability in Greensql Greensql-Console Multiple cross-site scripting (XSS) vulnerabilities in GreenSQL-Console before 0.3.5 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "internal pages." | 4.3 |
| 2009-03-06 | CVE-2008-6413 | Drupal Ticklespace | Cross-Site Scripting vulnerability in Ticklespace Answers Module 5.X1.Xdev Cross-site scripting (XSS) vulnerability in the Answers module 5.x-1.x-dev and possibly other 5.x versions, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via a Simple Answer to a question. | 4.3 |
| 2009-03-06 | CVE-2008-6406 | Datalifecms | Cross-Site Scripting vulnerability in Datalifecms Datalife Engine 7.2 Cross-site scripting (XSS) vulnerability in admin.php in DataLife Engine (DLE) 7.2 allows remote attackers to inject arbitrary web script or HTML via the query string. | 4.3 |
| 2009-03-06 | CVE-2008-6404 | Extrosoft | Cross-Site Scripting vulnerability in Extrosoft Thyme 1.3 Cross-site scripting (XSS) vulnerability in add_calendars.php in eXtrovert Software Thyme 1.3 allows remote attackers to inject arbitrary web script or HTML via the callback parameter. | 4.3 |
| 2009-03-06 | CVE-2009-0769 | QIP | Resource Management Errors vulnerability in QIP 2005 QIP 2005 build 8082 allows remote attackers to cause a denial of service (CPU consumption and application hang) via a crafted Rich Text Format (RTF) ICQ message, as demonstrated by an {\rtf\pict\&&} message. | 4.3 |
| 2009-03-06 | CVE-2009-0764 | Bookelves | Cross-Site Scripting vulnerability in Bookelves Kipper 2.01 Multiple cross-site scripting (XSS) vulnerabilities in Kipper 2.01 allow remote attackers to inject arbitrary web script or HTML via the charm parameter to (1) index.php and (2) kipper.php. | 4.3 |
| 2009-03-06 | CVE-2009-0763 | Bookelves | Cross-Site Scripting vulnerability in Bookelves Kipper 2.01 Cross-site scripting (XSS) vulnerability in default.php in Kipper 2.01 allows remote attackers to inject arbitrary web script or HTML via the charm parameter. | 4.3 |
| 2009-03-06 | CVE-2009-0762 | Scriptsez | Cross-Site Scripting vulnerability in Scriptsez EZ PHP Comment Cross-site scripting (XSS) vulnerability in ScriptsEz Ez PHP Comment allows remote attackers to inject arbitrary web script or HTML via the name parameter. | 4.3 |
| 2009-03-06 | CVE-2009-0761 | Team5 Team Board | Cross-Site Scripting vulnerability in Team5.Team Board products Cross-site scripting (XSS) vulnerability in online.asp in Team Board 1.x allows remote attackers to inject arbitrary web script or HTML via the lookname parameter. | 4.3 |
| 2009-03-05 | CVE-2009-0830 | Andrew Freed | Cross-Site Scripting vulnerability in Andrew Freed Quotebook Cross-site scripting (XSS) vulnerability in QuoteBook allows remote attackers to inject arbitrary web script or HTML via the (1) QuoteName and (2) QuoteText parameters to quotesadd.php. | 4.3 |
| 2009-03-05 | CVE-2008-6400 | Refbase | Cross-Site Scripting vulnerability in Refbase Cross-site scripting (XSS) vulnerability in refbase before 0.9.5 allows remote attackers to inject arbitrary web script or HTML via the headerMsg parameter to (1) show.php and (2) search.php. | 4.3 |
| 2009-03-05 | CVE-2009-0816 | Typo3 | Cross-Site Scripting vulnerability in Typo3 Multiple cross-site scripting (XSS) vulnerabilities in the backend user interface in TYPO3 3.3.x through 3.8.x, 4.0 before 4.0.12, 4.1 before 4.1.10, 4.2 before 4.2.6, and 4.3alpha1 allow remote attackers to inject arbitrary web script or HTML via unspecified fields. | 4.3 |
| 2009-03-05 | CVE-2009-0814 | Blogsa | Cross-Site Scripting vulnerability in Blogsa Cross-site scripting (XSS) vulnerability in Widgets.aspx in Blogsa 1.0 Beta 3 and earlier allows remote attackers to inject arbitrary web script or HTML via the searchText parameter. | 4.3 |
| 2009-03-04 | CVE-2009-0805 | Mihai Bazon Xoops | Cross-Site Scripting vulnerability in Mihai Bazon Pical Cross-site scripting (XSS) vulnerability in piCal 0.91h and earlier, a module for XOOPS, allows remote attackers to inject arbitrary web script or HTML via the event_id parameter in index.php. | 4.3 |
| 2009-03-04 | CVE-2008-6396 | Celerondude | Cross-Site Scripting vulnerability in Celerondude Uploader 6.1 Cross-site scripting (XSS) vulnerability in account.php in Celerondude Uploader 6.1 allows remote attackers to inject arbitrary web script or HTML via the username parameter. | 4.3 |
| 2009-03-02 | CVE-2008-6386 | 1Scripts | Cross-Site Scripting vulnerability in 1Scripts Z1Exchange 1.0 Cross-site scripting (XSS) vulnerability in showads.php in Z1Exchange 1.0 allows remote attackers to inject arbitrary web script or HTML via the id parameter. | 4.3 |
| 2009-03-02 | CVE-2008-6385 | W3Matter | Cross-Site Scripting vulnerability in W3Matter Revsense 1.0 Cross-site scripting (XSS) vulnerability in index.php in W3matter RevSense 1.0 allows remote attackers to inject arbitrary web script or HTML via the section parameter. | 4.3 |
| 2009-03-02 | CVE-2008-6370 | Ocean12Tech | Cross-Site Scripting vulnerability in Ocean12Tech Contact Manager PRO 1.02 Cross-site scripting (XSS) vulnerability in default.asp in Ocean12 Contact Manager Pro 1.02 allows remote attackers to inject arbitrary web script or HTML via the DisplayFormat parameter. | 4.3 |
| 2009-03-02 | CVE-2008-6360 | Impresscms | Cross-Site Scripting vulnerability in Impresscms 1.0.2 Cross-site scripting (XSS) vulnerability in the userranks feature in modules/system/admin.php in ImpressCMS 1.0.2 final allows remote attackers to inject arbitrary web script or HTML via the rank_title parameter. | 4.3 |
| 2009-03-02 | CVE-2008-6359 | Phpf1 | Cross-Site Scripting vulnerability in PHPf1 Max'S Guestbook Cross-site scripting (XSS) vulnerability in index.php in Max's Guestbook allows remote attackers to inject arbitrary web script or HTML via the (1) name, (2) email, and (3) message parameters. | 4.3 |
| 2009-03-02 | CVE-2008-6351 | Turnkeyforms | Cross-Site Scripting vulnerability in Turnkeyforms Local Classifieds Cross-site scripting (XSS) vulnerability in listtest.php in TurnkeyForms Local Classifieds allows remote attackers to inject arbitrary web script or HTML via the r parameter. | 4.3 |
| 2009-03-05 | CVE-2009-0819 | Mysql Oracle | Remote Denial Of Service vulnerability in MySQL XPath Expression sql/item_xmlfunc.cc in MySQL 5.1 before 5.1.32 and 6.0 before 6.0.10 allows remote authenticated users to cause a denial of service (crash) via "an XPath expression employing a scalar expression as a FilterExpr with ExtractValue() or UpdateXML()," which triggers an assertion failure. | 4.0 |
5 Low Vulnerabilities
| DATE | CVE | VENDOR | VULNERABILITY | CVSS |
|---|---|---|---|---|
| 2009-03-06 | CVE-2009-0835 | Linux | Permissions, Privileges, and Access Controls vulnerability in Linux Kernel The __secure_computing function in kernel/seccomp.c in the seccomp subsystem in the Linux kernel 2.6.28.7 and earlier on the x86_64 platform, when CONFIG_SECCOMP is enabled, does not properly handle (1) a 32-bit process making a 64-bit syscall or (2) a 64-bit process making a 32-bit syscall, which allows local users to bypass intended access restrictions via crafted syscalls that are misinterpreted as (a) stat or (b) chmod, a related issue to CVE-2009-0342 and CVE-2009-0343. | 3.6 |
| 2009-03-05 | CVE-2009-0818 | Drupal | Cross-Site Scripting vulnerability in Drupal Taxonomy Theme Module Cross-site scripting (XSS) vulnerability in the taxonomy_theme_admin_table_builder function (taxonomy_theme_admin.inc) in Taxonomy Theme module before 5.x-1.2, a module for Drupal, allows remote authenticated users with the "administer taxonomy" permission, or the ability to create pages when tagging is enabled, to inject arbitrary web script or HTML via the Vocabulary name (name parameter) to index.php. | 3.5 |
| 2009-03-04 | CVE-2009-0809 | 3DS IBM | Permissions, Privileges, and Access Controls vulnerability in multiple products The Web Editor in Dassault Systemes ENOVIA SmarTeam V5 before Release 18 Service Pack 8, and possibly CATIA and other products, allows remote authenticated users to read the profile card of an object in the document class via a link that is sent from the owner of the document object. | 3.5 |
| 2009-03-03 | CVE-2009-0754 | PHP Apache | USE of Externally-Controlled Format String vulnerability in PHP 4.4.4/5.1.6 PHP 4.4.4, 5.1.6, and other versions, when running on Apache, allows local users to modify behavior of other sites hosted on the same web server by modifying the mbstring.func_overload setting within .htaccess, which causes this setting to be applied to other virtual hosts on the same server. | 2.1 |
| 2009-03-02 | CVE-2009-0368 | Opensc Project | Cryptographic Issues vulnerability in Opensc-Project Opensc OpenSC before 0.11.7 allows physically proximate attackers to bypass intended PIN requirements and read private data objects via a (1) low level APDU command or (2) debugging tool, as demonstrated by reading the 4601 or 4701 file with the opensc-explorer or opensc-tool program. | 2.1 |