CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In November 2008 (CVSS score >= 5)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2008-5284 189 DoS 2008-11-29 2018-10-11
10.0
None Remote Low Not required Complete Complete Complete
The web server in IEA Software RadiusNT and RadiusX 5.1.38 and other versions before 5.1.44, Emerald 5.0.49 and other versions before 5.0.52, Air Marshal 2.0.4 and other versions before 2.0.8, and Radius test client (aka Radlogin) 4.0.20 and earlier, allows remote attackers to cause a denial of service (crash) via an HTTP Content-Length header with a negative value, which triggers a single byte overwrite of memory using a NULL terminator. NOTE: some of these details are obtained from third party information.
2 CVE-2008-5283 264 2008-11-29 2008-12-02
6.4
None Remote Low Not required None Partial Partial
Google Hack Honeypot (GHH) File Upload Manager 1.3 allows remote attackers to delete uploaded files via unknown vectors related to the delall action to index.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. CVE analysis suggests that the most recent version as of 20081128 is 1.2, and the File Upload Manager does not have a "delall" action.
3 CVE-2008-5282 119 Exec Code Overflow 2008-11-29 2018-10-11
10.0
None Remote Low Not required Complete Complete Complete
Multiple stack-based buffer overflows in W3C Amaya Web Browser 10.0.1 allow remote attackers to execute arbitrary code via (1) a link with a long HREF attribute, and (2) a DIV tag with a long id attribute.
4 CVE-2008-5281 119 1 Exec Code Overflow 2008-11-29 2008-12-01
10.0
None Remote Low Not required Complete Complete Complete
Heap-based buffer overflow in Titan FTP Server 6.05 build 550 allows remote attackers to execute arbitrary code via a long DELE command.
5 CVE-2008-5280 399 DoS 2008-11-29 2011-03-08
5.0
None Remote Low Not required None None Partial
The Local ZIM Server in Zilab Chat and Instant Messaging (ZIM) Server 2.0 and 2.1 allows remote attackers to cause a denial of service (NULL pointer dereference) via crafted requests without required parameters.
6 CVE-2008-5279 119 Exec Code Overflow +Info 2008-11-29 2011-03-08
10.0
None Remote Low Not required Complete Complete Complete
The Local ZIM Server (zcs.exe) in Zilab Chat and Instant Messaging (ZIM) Server 2.1 and earlier allow remote attackers to execute arbitrary code via (1) heap-based buffer overflows involving multiple vectors including a long room name and a long source account, and (2) a stack-based buffer overflow with a long username in an information request. NOTE: some of these details are obtained from third party information.
7 CVE-2008-5275 22 Exec Code Dir. Trav. 2008-11-28 2017-08-08
7.5
None Remote Low Not required Partial Partial Partial
Multiple directory traversal vulnerabilities in the (a) "Unzip archive" and (b) "Upload files and archives" functionality in net2ftp 0.96 stable and 0.97 beta allow remote attackers to create, read, or delete arbitrary files via a .. (dot dot) in a filename within a (1) TAR or (2) ZIP archive. NOTE: this can be leveraged for code execution by creating a .php file.
8 CVE-2008-5274 264 2008-11-28 2017-08-08
5.0
None Remote Low Not required Partial None None
Todd Woolums ASP News Management 2.2 allows remote attackers to obtain news items via a direct request to (1) rss.asp, (2) viewheadings.asp, or (3) viewnews.asp. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
9 CVE-2008-5273 89 Exec Code Sql 2008-11-28 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in viewnews.asp in Todd Woolums ASP News Management 2.2 allows remote attackers to execute arbitrary SQL commands via the newsID parameter.
10 CVE-2008-5270 89 Exec Code Sql 2008-11-28 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in view.topics.php in Yuhhu Superstar 2008 allows remote attackers to execute arbitrary SQL commands via the board parameter.
11 CVE-2008-5269 89 Exec Code Sql 2008-11-28 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in index.php in pSys 0.7.0 alpha allows remote attackers to execute arbitrary SQL commands via the shownews parameter.
12 CVE-2008-5268 89 Exec Code Sql 2008-11-28 2018-10-11
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in content/forums/reply.asp in ASPPortal allows remote attackers to execute arbitrary SQL commands via the Topic_Id parameter.
13 CVE-2008-5267 89 Exec Code Sql 2008-11-28 2017-09-29
6.8
None Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in answer.php in Experts 1.0.0, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the question_id parameter.
14 CVE-2008-5265 22 Dir. Trav. 2008-11-28 2017-09-29
6.8
None Remote Medium Not required Partial Partial Partial
Directory traversal vulnerability in index.php in TNT Forum 0.9.4, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the modulo parameter.
15 CVE-2008-5246 119 Exec Code Overflow 2008-11-26 2017-08-08
9.3
None Remote Medium Not required Complete Complete Complete
Multiple heap-based buffer overflows in xine-lib before 1.1.15 allow remote attackers to execute arbitrary code via vectors that send ID3 data to the (1) id3v22_interp_frame and (2) id3v24_interp_frame functions in src/demuxers/id3.c. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
16 CVE-2008-5245 119 Overflow 2008-11-26 2017-08-08
9.3
None Remote Medium Not required Complete Complete Complete
xine-lib before 1.1.15 performs V4L video frame preallocation before ascertaining the required length, which has unknown impact and attack vectors, possibly related to a buffer overflow in the open_video_capture_device function in src/input/input_v4l.c.
17 CVE-2008-5244 2008-11-26 2009-02-20
10.0
None Remote Low Not required Complete Complete Complete
Unspecified vulnerability in xine-lib before 1.1.15 has unknown impact and attack vectors related to libfaad. NOTE: due to the lack of details, it is not clear whether this is an issue in xine-lib or in libfaad.
18 CVE-2008-5242 119 DoS Exec Code Overflow 2008-11-26 2018-10-11
6.8
None Remote Medium Not required Partial Partial Partial
demux_qt.c in xine-lib 1.1.12, and other 1.1.15 and earlier versions, does not validate the count field before calling calloc for STSD_ATOM atom allocation, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted media file.
19 CVE-2008-5238 189 DoS Exec Code Overflow 2008-11-26 2018-10-11
7.1
None Remote Medium Not required None None Complete
Integer overflow in the real_parse_mdpr function in demux_real.c in xine-lib 1.1.12, and other versions before 1.1.15, allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted stream_name_size field.
20 CVE-2008-5237 189 DoS Exec Code Overflow 2008-11-26 2018-10-11
10.0
None Remote Low Not required Complete Complete Complete
Multiple integer overflows in xine-lib 1.1.12, and other 1.1.15 and earlier versions, allow remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via (1) crafted width and height values that are not validated by the mymng_process_header function in demux_mng.c before use in an allocation calculation or (2) crafted current_atom_size and string_size values processed by the parse_reference_atom function in demux_qt.c for an RDRF_ATOM string.
21 CVE-2008-5236 119 Exec Code Overflow 2008-11-26 2018-10-11
9.3
None Remote Medium Not required Complete Complete Complete
Multiple heap-based buffer overflows in xine-lib 1.1.12, and other 1.1.15 and earlier versions, allow remote attackers to execute arbitrary code via vectors related to (1) a crafted EBML element length processed by the parse_block_group function in demux_matroska.c; (2) a certain combination of sps, w, and h values processed by the real_parse_audio_specific_data and demux_real_send_chunk functions in demux_real.c; and (3) an unspecified combination of three values processed by the open_ra_file function in demux_realaudio.c. NOTE: vector 2 reportedly exists because of an incomplete fix in 1.1.15.
22 CVE-2008-5235 119 Exec Code Overflow 2008-11-26 2011-03-08
9.3
None Remote Medium Not required Complete Complete Complete
Heap-based buffer overflow in the demux_real_send_chunk function in src/demuxers/demux_real.c in xine-lib before 1.1.15 allows remote attackers to execute arbitrary code via a crafted Real Media file. NOTE: some of these details are obtained from third party information.
23 CVE-2008-5234 119 Exec Code Overflow 2008-11-26 2018-10-11
9.3
None Remote Medium Not required Complete Complete Complete
Multiple heap-based buffer overflows in xine-lib 1.1.12, and other versions before 1.1.15, allow remote attackers to execute arbitrary code via vectors related to (1) a crafted metadata atom size processed by the parse_moov_atom function in demux_qt.c and (2) frame reading in the id3v23_interp_frame function in id3.c. NOTE: as of 20081122, it is possible that vector 1 has not been fixed in 1.1.15.
24 CVE-2008-5232 787 2 Exec Code Overflow 2008-11-26 2019-12-03
9.3
None Remote Medium Not required Complete Complete Complete
Buffer overflow in the CallHTMLHelp method in the Microsoft Windows Media Services ActiveX control in nskey.dll 4.1.00.3917 in Windows Media Services on Microsoft Windows NT and 2000, and Avaya Media and Message Application servers, allows remote attackers to execute arbitrary code via a long argument. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
25 CVE-2008-5231 119 Exec Code Overflow 2008-11-26 2008-11-26
9.3
None Remote Medium Not required Complete Complete Complete
Stack-based buffer overflow in the ExecuteRequest method in the Novell iPrint ActiveX control in ienipp.ocx in Novell iPrint Client 5.06 and earlier allows remote attackers to execute arbitrary code via a long target-frame option value, a different vulnerability than CVE-2008-2431.
26 CVE-2008-5230 310 2008-11-25 2008-12-03
6.8
None Remote Medium Not required Partial Partial Partial
The Temporal Key Integrity Protocol (TKIP) implementation in unspecified Cisco products and other vendors' products, as used in WPA and WPA2 on Wi-Fi networks, has insufficient countermeasures against certain crafted and replayed packets, which makes it easier for remote attackers to decrypt packets from an access point (AP) to a client and spoof packets from an AP to a client, and conduct ARP poisoning attacks or other attacks, as demonstrated by tkiptun-ng.
27 CVE-2008-5229 119 DoS Overflow +Priv 2008-11-25 2018-10-11
6.9
None Local Medium Not required Complete Complete Complete
Stack-based buffer overflow in Microsoft Device IO Control in iphlpapi.dll in Microsoft Windows Vista Gold and SP1 allows local users in the Network Configuration Operator group to gain privileges or cause a denial of service (system crash) via a large invalid PrefixLength to the CreateIpForwardEntry2 method, as demonstrated by a "route add" command. NOTE: this issue might not cross privilege boundaries.
28 CVE-2008-5227 94 Exec Code File Inclusion 2008-11-25 2017-08-08
10.0
None Remote Low Not required Complete Complete Complete
Unspecified vulnerability in PHPCow allows remote attackers to execute arbitrary code via unknown vectors, related to a "file inclusion vulnerability," as exploited in the wild in November 2008.
29 CVE-2008-5226 89 Exec Code Sql 2008-11-25 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the MambAds (com_mambads) component 1.0 RC1 Beta and 1.0 RC1 for Mambo allows remote attackers to execute arbitrary SQL commands via the ma_cat parameter in a view action to index.php, a different vector than CVE-2007-5177.
30 CVE-2008-5223 89 Exec Code Sql 2008-11-25 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in index.php in Airvae Commerce 3.0 allows remote attackers to execute arbitrary SQL commands via the pid parameter.
31 CVE-2008-5222 89 Exec Code Sql 2008-11-25 2018-10-11
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in login.asp in Dvbbs 8.2.0 allows remote attackers to execute arbitrary SQL commands via the username parameter.
32 CVE-2008-5221 287 2008-11-25 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
The account_save action in admin/userinfo.php in wPortfolio 0.3 and earlier does not require authentication and does not require knowledge of the original password, which allows remote attackers to change the admin account password via modified password and password_retype parameters.
33 CVE-2008-5220 20 Exec Code 2008-11-25 2017-09-29
10.0
None Remote Low Not required Complete Complete Complete
Unrestricted file upload vulnerability in admin/upload_form.php in wPortfolio 0.3 and earlier allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in admin/tmp/.
34 CVE-2008-5219 287 2008-11-25 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
The password change feature (admin/cp.php) in VideoScript 4.0.1.50 and earlier does not check for administrative authentication and does not require knowledge of the original password, which allows remote attackers to change the admin account password via modified npass and npass1 parameters.
35 CVE-2008-5218 264 2008-11-25 2017-09-29
5.0
None Remote Low Not required Partial None None
ScriptsEz FREEze Greetings 1.0 stores pwd.txt under the web root with insufficient access control, which allows remote attackers to obtain cleartext passwords.
36 CVE-2008-5217 22 Dir. Trav. 2008-11-24 2017-09-29
5.1
None Remote High Not required Partial Partial Partial
Directory traversal vulnerability in index.php in txtCMS 0.3, when register_globals is enabled and magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the id parameter.
37 CVE-2008-5216 89 Exec Code Sql 2008-11-24 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in category_list.php in AJ Square ZeusCart 2.0 and earlier allows remote attackers to execute arbitrary SQL commands via the cid parameter.
38 CVE-2008-5215 89 Exec Code Sql 2008-11-24 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in service/profil.php in ClanLite 2.2006.05.20 allows remote attackers to execute arbitrary SQL commands via the link parameter.
39 CVE-2008-5213 89 Exec Code Sql 2008-11-24 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in featured_article.php in AJ Article 1.0 allows remote attackers to execute arbitrary SQL commands via the artid parameter in a search detail action.
40 CVE-2008-5212 89 Exec Code Sql 2008-11-24 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in classifide_ad.php in AJ Auction 6.2.1 and earlier allows remote attackers to execute arbitrary SQL commands via the item_id parameter.
41 CVE-2008-5210 94 Exec Code File Inclusion 2008-11-24 2017-09-29
9.3
None Remote Medium Not required Complete Complete Complete
Multiple PHP remote file inclusion vulnerabilities in PhpBlock A8.5 allow remote attackers to execute arbitrary PHP code via a URL in the PATH_TO_CODE parameter to (1) script/init/createallimagecache.php, (2) allincludefortick.php and (3) test.php in script/tick/, and (4) modules/dungeon/tick/allincludefortick.php, different vectors than CVE-2008-1776.
42 CVE-2008-5209 22 Dir. Trav. 2008-11-24 2017-09-29
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in modules/download/get_file.php in Admidio 1.4.8 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.
43 CVE-2008-5208 89 Exec Code Sql 2008-11-24 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in sub_votepic.php in the Datsogallery (com_datsogallery) module 1.6 for Joomla! allows remote attackers to execute arbitrary SQL commands via the User-Agent HTTP header.
44 CVE-2008-5207 22 Dir. Trav. 2008-11-21 2017-08-08
6.8
None Remote Medium Not required Partial Partial Partial
Multiple directory traversal vulnerabilities in Jonascms 1.2 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the taal parameter to (1) backup.php and (2) gb_voegtoe.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
45 CVE-2008-5206 94 Exec Code File Inclusion 2008-11-21 2017-08-08
7.5
None Remote Low Not required Partial Partial Partial
PHP remote file inclusion vulnerability in modules/mod_mainmenu.php in MosXML 1 Alpha allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
46 CVE-2008-5204 22 Exec Code Dir. Trav. 2008-11-21 2017-09-29
6.8
None Remote Medium Not required Partial Partial Partial
Multiple directory traversal vulnerabilities in PowerAward 1.1.0 RC1, when register_globals is enabled, allow remote attackers to include and execute arbitrary local files via directory traversal sequences in the lang parameter to (1) agb.php, (2) angemeldet.php, (3) anmelden.php, (4) charts.php, (5) external_vote.php, (6) guestbook.php, (7) impressum.php, (8) index.php, (9) rss-reader.php, (10) statistic.php, (11) teilnehmer.php, (12) topsites.php, (13) votecode.php, (14) voting.php, and (15) winner.php.
47 CVE-2008-5201 22 Dir. Trav. File Inclusion 2008-11-21 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
Directory traversal vulnerability in index.php in OTManager CMS 24a allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the conteudo parameter. NOTE: in some environments, this can be leveraged for remote file inclusion by using a UNC share pathname or an ftp, ftps, or ssh2.sftp URL.
48 CVE-2008-5200 89 Exec Code Sql 2008-11-21 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the Xe webtv (com_xewebtv) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a detail action to index.php.
49 CVE-2008-5199 94 Exec Code File Inclusion 2008-11-21 2017-08-08
7.5
None Remote Low Not required Partial Partial Partial
PHP remote file inclusion vulnerability in include.php in PHPOutsourcing IdeaBox (aka IdeBox) 1.1 allows remote attackers to execute arbitrary PHP code via a URL in the gorumDir parameter.
50 CVE-2008-5198 89 Exec Code Sql 2008-11-21 2017-10-11
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in memberlist.php in Acmlmboard 1.A2 allows remote attackers to execute arbitrary SQL commands via the pow parameter.
Total number of vulnerabilities : 360   Page : 1 (This Page)2 3 4 5 6 7 8
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.