CVE List - 2009 / April
Showing 501 - 567 of 567 CVEs for April 2009 (Page 6 of 6)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2009-1449 | 2009-04-27 | Stack-based buffer overflow in PortableApps CoolPlayer Portable (aka CoolPlayer+ Portable) 2.19.1 allows remote attackers to execute arbitrary code via a skin file (skin.ini) with a large PlaylistSkin parameter. NOTE: this... |
| CVE-2009-1450 | 2009-04-28 | PHP remote file inclusion vulnerability in format.php in SMA-DB 0.3.12 allows remote attackers to execute arbitrary PHP code via a URL in the _page_content parameter. |
| CVE-2009-1451 | 2009-04-28 | Cross-site scripting (XSS) vulnerability in startpage.php in SMA-DB 0.3.12 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO. |
| CVE-2008-2438 | 2009-04-28 | Integer overflow in ovalarmsrv.exe in HP OpenView Network Node Manager (OV NNM) 7.01, 7.51, and 7.53 allows remote attackers to execute arbitrary code via a crafted command to TCP port... |
| CVE-2008-6757 | 2009-04-28 | Cross-site scripting (XSS) vulnerability in manuals_search.php in ViArt Shop (aka Shopping Cart) 3.5 allows remote attackers to inject arbitrary web script or HTML via the manuals_search parameter. |
| CVE-2008-6758 | 2009-04-28 | Cross-site request forgery (CSRF) vulnerability in cart_save.php in ViArt Shop (aka Shopping Cart) 3.5 allows remote attackers to hijack the authentication of arbitrary users for requests that conduct persistent cross-site... |
| CVE-2008-6759 | 2009-04-28 | ViArt Shop (aka Shopping Cart) 3.5 allows remote attackers to obtain sensitive information via a URL in the POST_DATA parameter to manuals_search.php, which reveals the installation path in an error... |
| CVE-2008-6760 | 2009-04-28 | ViArt Shop (aka Shopping Cart) 3.5 allows remote attackers to obtain sensitive information via an unauthenticated add and save action for a shopping cart in cart_save.php, which reveals the SQL... |
| CVE-2008-6761 | 2009-04-28 | Static code injection vulnerability in admin/install.php in Flexcustomer 0.0.6 might allow remote attackers to inject arbitrary PHP code into const.inc.php via the installdbname parameter (aka the Database Name field). NOTE:... |
| CVE-2008-6762 | 2009-04-28 | Open redirect vulnerability in wp-admin/upgrade.php in WordPress, probably 2.6.x, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the backto parameter. |
| CVE-2008-6763 | 2009-04-28 | login2.php in Silentum LoginSys 1.0.0 allows remote attackers to bypass authentication and obtain access to an arbitrary account by setting the logged_in cookie to that account's username. |
| CVE-2008-6764 | 2009-04-28 | Cross-site scripting (XSS) vulnerability in login.php in Silentum LoginSys 1.0.0 allows remote attackers to inject arbitrary web script or HTML via the message parameter. |
| CVE-2008-6765 | 2009-04-28 | ViArt Shop (aka Shopping Cart) 3.5 allows remote attackers to access the contents of an arbitrary shopping cart via a modified cart_name parameter. |
| CVE-2008-6766 | 2009-04-28 | cart_save.php in ViArt Shop (aka Shopping Cart) 3.5 allows remote attackers to cause a denial of service (excessive shopping carts) via a flood of requests. |
| CVE-2008-6767 | 2009-04-28 | wp-admin/upgrade.php in WordPress, probably 2.6.x, allows remote attackers to upgrade the application, and possibly cause a denial of service (application outage), via a direct request. |
| CVE-2009-1452 | 2009-04-28 | Multiple PHP remote file inclusion vulnerabilities in theme/format.php in SMA-DB 0.3.13 allow remote attackers to execute arbitrary PHP code via a URL in the (1) _page_css and (2) _page_javascript parameters.... |
| CVE-2009-1453 | 2009-04-28 | SQL injection vulnerability in class.eport.php in Tiny Blogr 1.0.0 rc4, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the txtUsername parameter (aka the Username field).... |
| CVE-2009-1454 | 2009-04-28 | Cross-site scripting (XSS) vulnerability in tasks.php in WebCollab before 2.50 (aka Billy Goat) allows remote attackers to inject arbitrary web script or HTML via the selection parameter in a todo... |
| CVE-2009-1455 | 2009-04-28 | Multiple cross-site request forgery (CSRF) vulnerabilities in WebCollab before 2.50 (aka Billy Goat) allow remote attackers to hijack the authentication of administrators for requests that change an arbitrary password or... |
| CVE-2009-1456 | 2009-04-28 | Directory traversal vulnerability in admin.php in Malleo 1.2.3 allows remote authenticated administrators to include and execute arbitrary local files via a .. (dot dot) in the module parameter. |
| CVE-2009-1457 | 2009-04-28 | Cross-site scripting (XSS) vulnerability in player.php in Nuke Evolution Xtreme 2.x allows remote attackers to inject arbitrary web script or HTML via the defaultVisualExt parameter. NOTE: the provenance of this... |
| CVE-2009-1458 | 2009-04-28 | Multiple cross-site scripting (XSS) vulnerabilities in admin/index.php in razorCMS before 0.4 allow remote attackers to inject arbitrary web script or HTML via (1) the slab parameter in an edit action,... |
| CVE-2009-1459 | 2009-04-28 | Cross-site request forgery (CSRF) vulnerability in razorCMS before 0.4 allows remote attackers to hijack the authentication of administrators for requests that create a web page containing PHP code. |
| CVE-2009-1460 | 2009-04-28 | razorCMS before 0.4 uses weak permissions for (1) admin/core/admin_config.php, which allows local users to obtain the administrator's password hash and FTP user credentials; and (2) the root directory, (3) datastore/,... |
| CVE-2009-1461 | 2009-04-28 | Cross-site scripting (XSS) vulnerability in the Create New Page form in razorCMS 0.3 RC2 and earlier allows remote authenticated users to inject arbitrary web script or HTML via the Page... |
| CVE-2009-1462 | 2009-04-28 | The Security Manager in razorCMS before 0.4 does not verify the permissions of every file owned by the apache user account, which is inconsistent with the documentation and allows local... |
| CVE-2009-1463 | 2009-04-28 | Static code injection vulnerability in razorCMS before 0.4 allows remote attackers to inject arbitrary PHP code into any page by saving content as a .php file. |
| CVE-2009-0719 | 2009-04-29 | Unspecified vulnerability in useradd in HP HP-UX B.11.11, B.11.23, and B.11.31 allows local users to access arbitrary files and directories via unknown vectors, a different issue than CVE-2008-1660. |
| CVE-2009-1428 | 2009-04-29 | Multiple cross-site scripting (XSS) vulnerabilities in ccLgView.exe in the Symantec Log Viewer, as used in Symantec AntiVirus (SAV) before 10.1 MR8, Symantec Endpoint Protection (SEP) 11.0 before 11.0 MR1, Norton... |
| CVE-2009-1429 | 2009-04-29 | The Intel LANDesk Common Base Agent (CBA) in Symantec Alert Management System 2 (AMS2), as used in Symantec System Center (SSS); Symantec AntiVirus Server; Symantec AntiVirus Central Quarantine Server; Symantec... |
| CVE-2009-1430 | 2009-04-29 | Multiple stack-based buffer overflows in IAO.EXE in the Intel Alert Originator Service in Symantec Alert Management System 2 (AMS2), as used in Symantec System Center (SSS); Symantec AntiVirus Server; Symantec... |
| CVE-2009-1431 | 2009-04-29 | XFR.EXE in the Intel File Transfer service in the console in Symantec Alert Management System 2 (AMS2), as used in Symantec System Center (SSS); Symantec AntiVirus Server; Symantec AntiVirus Central... |
| CVE-2009-1478 | 2009-04-29 | Multiple unspecified vulnerabilities in the DTrace ioctl handlers in Sun Solaris 10, and OpenSolaris before snv_114, allow local users to cause a denial of service (panic) via unknown vectors. |
| CVE-2008-6768 | 2009-04-29 | Unrestricted file upload vulnerability in admin/editor/images.php in K&S Shopsoftware allows remote attackers to execute arbitrary PHP code by uploading a file with an executable extension, then accessing it via a... |
| CVE-2008-6769 | 2009-04-29 | Unrestricted file upload vulnerability in upload.php in YourPlace 1.0.2 and earlier allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it... |
| CVE-2008-6770 | 2009-04-29 | YourPlace 1.0.2 and earlier stores sensitive information under the web root with insufficient access control, which allows remote attackers to a database containing user credentials via a direct request for... |
| CVE-2008-6771 | 2009-04-29 | YourPlace 1.0.2 and earlier allows remote attackers to obtain sensitive system information via a direct request via a direct request to user/uploads/phpinfo.php, which calls the phpinfo function. |
| CVE-2008-6772 | 2009-04-29 | login/register_form.php in YourPlace 1.0.2 and earlier does not check that a username already exists when a new account is created, which allows remote attackers to bypass intended access restrictions by... |
| CVE-2008-6773 | 2009-04-29 | Static code injection vulnerability in user/internettoolbar/edit.php in YourPlace 1.0.2 and earlier allows remote authenticated users to execute arbitrary PHP code into user/internettoolbar/index.php via the (1) fav1_url, (2) fav1_name, (3) fav2_url,... |
| CVE-2008-6774 | 2009-04-29 | internettoolbar/edit.php in YourPlace 1.0.2 and earlier does not end execution when an invalid username is detected, which allows remote attackers to bypass intended restrictions and edit toolbar settings via an... |
| CVE-2009-1480 | 2009-04-29 | SQL injection vulnerability in index.php Pragyan CMS 2.6.4 allows remote attackers to execute arbitrary SQL commands via the fileget parameter in a view action and other unspecified vectors. |
| CVE-2009-1481 | 2009-04-29 | SQL injection vulnerability in action.asp in PuterJam's Blog (PJBlog3) 3.0.6.170 allows remote attackers to execute arbitrary SQL commands via the cname parameter in a checkAlias action, as exploited in the... |
| CVE-2009-1482 | 2009-04-29 | Multiple cross-site scripting (XSS) vulnerabilities in action/AttachFile.py in MoinMoin 1.8.2 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) an AttachFile sub-action in the error_msg... |
| CVE-2009-1483 | 2009-04-29 | Unrestricted file upload vulnerability in upload-file.php in Adam Patterson Studio Lounge Address Book 2.5, as reachable from index2.php, allows remote attackers to execute arbitrary code by uploading a file with... |
| CVE-2009-1485 | 2009-04-29 | The logging feature in eMule Plus before 1.2e allows remote attackers to cause a denial of service (infinite loop) via unspecified attack vectors. |
| CVE-2009-1486 | 2009-04-29 | Directory traversal vulnerability in pmscript.php in Flatchat 3.0 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the with parameter. |
| CVE-2009-1487 | 2009-04-29 | SQL injection vulnerability in pages/login.php in FunGamez RC1 allows remote attackers to execute arbitrary SQL commands via the login_user (aka username) parameter. NOTE: some of these details are obtained from... |
| CVE-2009-1488 | 2009-04-29 | Directory traversal vulnerability in admin/load.php in FunGamez RC1 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the module parameter to index.php. |
| CVE-2009-1489 | 2009-04-29 | includes/user.php in Fungamez RC1 allows remote attackers to bypass authentication and gain administrative access by setting the user cookie parameter. |
| CVE-2009-1484 | 2009-04-29 | Cross-site scripting (XSS) vulnerability in the web mail interface feature in AXIGEN Mail Server 6.2.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving e-mail... |
| CVE-2009-0663 | 2009-04-30 | Heap-based buffer overflow in the DBD::Pg (aka DBD-Pg or libdbd-pg-perl) module 1.49 for Perl might allow context-dependent attackers to execute arbitrary code via unspecified input to an application that uses... |
| CVE-2009-1255 | 2009-04-30 | The process_stat function in (1) Memcached before 1.2.8 and (2) MemcacheDB 1.2.0 discloses (a) the contents of /proc/self/maps in response to a stats maps command and (b) memory-allocation statistics in... |
| CVE-2009-1291 | 2009-04-30 | Stack-based buffer overflow in TIBCO SmartSockets before 6.8.2, SmartSockets Product Family (aka RTworks) before 4.0.5, and Enterprise Message Service (EMS) 4.0.0 through 5.1.1, as used in SmartSockets Server and RTworks... |
| CVE-2009-1295 | 2009-04-30 | Apport before 0.108.4 on Ubuntu 8.04 LTS, before 0.119.2 on Ubuntu 8.10, and before 1.0-0ubuntu5.2 on Ubuntu 9.04 does not properly remove files from the application's crash-report directory, which allows... |
| CVE-2009-1339 | 2009-04-30 | Cross-site request forgery (CSRF) vulnerability in TWiki before 4.3.1 allows remote authenticated users to hijack the authentication of arbitrary users for requests that update pages, as demonstrated by a URL... |
| CVE-2009-1341 | 2009-04-30 | Memory leak in the dequote_bytea function in quote.c in the DBD::Pg (aka DBD-Pg or libdbd-pg-perl) module before 2.0.0 for Perl allows context-dependent attackers to cause a denial of service (memory... |
| CVE-2009-1348 | 2009-04-30 | The AV engine before DAT 5600 in McAfee VirusScan, Total Protection, Internet Security, SecurityShield for Microsoft ISA Server, Security for Microsoft Sharepoint, Security for Email Servers, Email Gateway, and Active... |
| CVE-2009-1415 | 2009-04-30 | lib/pk-libgcrypt.c in libgnutls in GnuTLS before 2.6.6 does not properly handle invalid DSA signatures, which allows remote attackers to cause a denial of service (application crash) and possibly have unspecified... |
| CVE-2009-1416 | 2009-04-30 | lib/gnutls_pk.c in libgnutls in GnuTLS 2.5.0 through 2.6.5 generates RSA keys stored in DSA structures, instead of the intended DSA keys, which might allow remote attackers to spoof signatures on... |
| CVE-2009-1417 | 2009-04-30 | gnutls-cli in GnuTLS before 2.6.6 does not verify the activation and expiration times of X.509 certificates, which allows remote attackers to successfully present a certificate that is (1) not yet... |
| CVE-2009-1432 | 2009-04-30 | Symantec Reporting Server, as used in Symantec AntiVirus (SAV) Corporate Edition 10.1 before 10.1 MR8 and 10.2 before 10.2 MR2, Symantec Client Security (SCS) before 3.1 MR8, and the Symantec... |
| CVE-2009-1434 | 2009-04-30 | Cross-site request forgery (CSRF) vulnerability in Foswiki before 1.0.5 allows remote attackers to hijack the authentication of arbitrary users for requests that modify pages, change permissions, or change group memberships,... |
| CVE-2009-1492 | 2009-04-30 | The getAnnots Doc method in the JavaScript API in Adobe Reader and Acrobat 9.1, 8.1.4, 7.1.1, and earlier allows remote attackers to cause a denial of service (memory corruption) or... |
| CVE-2009-1493 | 2009-04-30 | The customDictionaryOpen spell method in the JavaScript API in Adobe Reader 9.1, 8.1.4, 7.1.1, and earlier on Linux and UNIX allows remote attackers to cause a denial of service (memory... |
| CVE-2009-1494 | 2009-04-30 | The process_stat function in Memcached 1.2.8 discloses memory-allocation statistics in response to a stats malloc command, which allows remote attackers to obtain potentially sensitive information by sending this command to... |
| CVE-2009-1313 | 2009-04-30 | The nsTextFrame::ClearTextRun function in layout/generic/nsTextFrameThebes.cpp in Mozilla Firefox 3.0.9 allows remote attackers to cause a denial of service (memory corruption) and probably execute arbitrary code via unspecified vectors. NOTE: this... |
| CVE-2008-6775 | 2009-05-01 | HTC Touch Pro and HTC Touch Cruise vCard allows remote attackers to cause denial of service (CPU consumption, SMS consumption, and connectivity loss) via a flood of vCards to UDP... |
| CVE-2009-1495 | 2009-05-01 | Web File Explorer 3.1 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for data/db.mdb. |
| CVE-2009-1496 | 2009-05-01 | Directory traversal vulnerability in the Cmi Marketplace (com_cmimarketplace) component 0.1 for Joomla! allows remote attackers to list arbitrary directories via a .. (dot dot) in the viewit parameter to index.php. |
| CVE-2009-1497 | 2009-05-01 | Stack-based buffer overflow in srt2smi.exe in Gretech Online Movie Player (GOM Player) 2.1.16.4635 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a long... |
| CVE-2009-1498 | 2009-05-01 | Directory traversal vulnerability in inc/profilemain.php in Game Maker 2k Internet Discussion Boards (iDB) 0.2.5 Pre-Alpha SVN 243 allows remote attackers to include and execute arbitrary local files via a ..... |
| CVE-2009-1499 | 2009-05-01 | SQL injection vulnerability in the MailTo (aka com_mailto) component in Joomla! allows remote attackers to execute arbitrary SQL commands via the article parameter in index.php. NOTE: SecurityFocus states that this... |
| CVE-2008-6776 | 2009-05-01 | SQL injection vulnerability in viewcomments.php in Scripts For Sites (SFS) EZ Hot or Not allows remote attackers to execute arbitrary SQL commands via the phid parameter. |
| CVE-2008-6777 | 2009-05-01 | Multiple SQL injection vulnerabilities in MyPHP Forum 3.0 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) id parameter in a confirm action, the (2) user... |
| CVE-2008-6778 | 2009-05-01 | SQL injection vulnerability in viewfaqs.php in Scripts for Sites (SFS) EZ Auction allows remote attackers to execute arbitrary SQL commands via the cat parameter. |
| CVE-2008-6779 | 2009-05-01 | SQL injection vulnerability in the Sarkilar module for PHP-Nuke allows remote attackers to execute arbitrary SQL commands via the id parameter in a showcontent action to modules.php. |
| CVE-2008-6780 | 2009-05-01 | SQL injection vulnerability in directory.php in Scripts for Sites (SFS) SFS EZ Affiliate allows remote attackers to execute arbitrary SQL commands via the cat_id parameter in a list action. |
| CVE-2008-6781 | 2009-05-01 | SQL injection vulnerability in directory.php in Sites for Scripts (SFS) Gaming Directory allows remote attackers to execute arbitrary SQL commands via the cat_id parameter in a list action. |
| CVE-2008-6782 | 2009-05-01 | SQL injection vulnerability in directory.php in Sites for Scripts (SFS) EZ Hosting Directory allows remote attackers to execute arbitrary SQL commands via the cat_id parameter in a list action. |
| CVE-2008-6783 | 2009-05-01 | SQL injection vulnerability in directory.php in Sites for Scripts (SFS) EZ Home Business Directory allows remote attackers to execute arbitrary SQL commands via the cat_id parameter in a list action. |
| CVE-2008-6784 | 2009-05-01 | SQL injection vulnerability in directory.php in Scripts For Sites (SFS) EZ Adult Directory allows remote attackers to execute arbitrary SQL commands via the cat_id parameter in a list action. |
| CVE-2009-1364 | 2009-05-01 | Use-after-free vulnerability in the embedded GD library in libwmf 0.2.8.4 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted WMF... |
| CVE-2009-1365 | 2009-05-01 | Unspecified vulnerability in Adobe Flash Media Server (FMS) before 3.0.4 and 3.5.x before 3.5.2, as used in Flash Media Interactive Server and Flash Media Streaming Server, allows remote attackers to... |
| CVE-2009-1500 | 2009-05-01 | SQL injection vulnerability in index.php in ProjectCMS 1.0 Beta allows remote attackers to execute arbitrary SQL commands via the sn parameter. |
| CVE-2009-1501 | 2009-05-01 | Cross-site scripting (XSS) vulnerability in the Exif module 5.x-1.x before 5.x-1.2 and 6.x-1.x-dev before April 13, 2009, a module for Drupal, allows remote attackers to inject arbitrary web script or... |
| CVE-2009-1502 | 2009-05-01 | Directory traversal vulnerability in plugin.php in S-Cms 1.1 Stable and 1.5.2 allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the page parameter. |
| CVE-2009-1503 | 2009-05-01 | Multiple SQL injection vulnerabilities in login.php in Tiger Document Management System (DMS) allow remote attackers to execute arbitrary SQL commands via the (1) username and (2) password parameters. |
| CVE-2009-1504 | 2009-05-01 | Absolute Form Processor XE 1.5 allows remote attackers to bypass authentication and gain administrative access by setting the xlaAFPadmin cookie to "lvl=1&userid=1." |
| CVE-2009-1505 | 2009-05-01 | SQL injection vulnerability in the News Page module 5.x before 5.x-1.2 for Drupal allows remote authenticated users, with News Page nodes create and edit privileges, to execute arbitrary SQL commands... |
| CVE-2009-1506 | 2009-05-01 | SQL injection vulnerability in classes/Xp.php in eLitius 1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter to banner-details.php. |
| CVE-2009-1507 | 2009-05-01 | The Node Access User Reference module 5.x before 5.x-2.0-beta4 and 6.x before 6.x-2.0-beta6, a module for Drupal, interprets an empty CCK user reference as a reference to the anonymous user,... |
| CVE-2008-6785 | 2009-05-01 | Unrestricted file upload vulnerability in Mini File Host 1.5 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct... |
| CVE-2008-6786 | 2009-05-01 | Multiple directory traversal vulnerabilities in geekigeeki.py in GeekiGeeki before 3.0 allow remote attackers to read arbitrary files via directory traversal sequences in a pagename argument in the (1) handle_edit and... |
| CVE-2008-6787 | 2009-05-01 | SQL injection vulnerability in administrator/index.php in Lizardware CMS 0.6.0 and earlier allows remote attackers to execute arbitrary SQL commands via the user. |
| CVE-2009-1508 | 2009-05-01 | SQL injection vulnerability in the xforum_validateUser function in Common.php in X-Forum 0.6.2 allows remote attackers to execute arbitrary SQL commands, as demonstrated via the cookie_username parameter to Configure.php. |
| CVE-2009-1509 | 2009-05-01 | SQL injection vulnerability in ajaxp_backend.php in MyioSoft AjaxPortal 3.0 allows remote attackers to execute arbitrary SQL commands via the page parameter. |
| CVE-2009-1510 | 2009-05-01 | Multiple directory traversal vulnerabilities in KoschtIT Image Gallery 1.82 allow remote attackers to include and execute arbitrary local files via directory traversal sequences in the file parameter to (1) ki_makepic.php... |
| CVE-2009-1511 | 2009-05-01 | GDI+ in Microsoft Windows XP SP3 allows remote attackers to cause a denial of service (infinite loop) via a PNG file that contains a certain large btChunkLen value. |
| CVE-2009-1512 | 2009-05-01 | Static code injection vulnerability in X-Forum 0.6.2 allows remote authenticated administrators to inject arbitrary PHP code into Config.php via the adminEMail parameter to SaveConfig.php. |
| CVE-2009-1513 | 2009-05-04 | Buffer overflow in the PATinst function in src/load_pat.cpp in libmodplug before 0.8.7 allows user-assisted remote attackers to cause a denial of service and possibly execute arbitrary code via a long... |