CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In September 2010 (CVSS score >= 6)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2010-3688 22 Dir. Trav. 2010-09-29 2010-09-30
7.5
None Remote Low Not required Partial Partial Partial
Directory traversal vulnerability in ADMIN/login.php in NetArtMEDIA WebSiteAdmin allows remote emote attackers to include and execute arbitrary local files via directory traversal sequences in the lng parameter.
2 CVE-2010-3608 89 2 Exec Code Sql 2010-09-24 2010-09-27
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in wpQuiz 2.7 allow remote attackers to execute arbitrary SQL commands via the (1) id and (2) password (pw) parameters to (a) admin.php or (b) user.php.
3 CVE-2010-3606 22 Dir. Trav. 2010-09-24 2017-08-17
6.8
None Remote Medium Not required Partial Partial Partial
Multiple directory traversal vulnerabilities in AGENTS/index.php in NetArt MEDIA Real Estate Portal 2.0 allow remote emote attackers to include and execute arbitrary local files via directory traversal sequences in the (1) folder and (2) action parameters.
4 CVE-2010-3604 89 Exec Code Sql 2010-09-24 2010-09-27
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the powermail extension 1.5.3 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
5 CVE-2010-3603 352 3 DoS CSRF 2010-09-24 2017-08-17
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in the file manager service (Services/FileService.ashx) in mojoPortal 2.3.4.3 and 2.3.5.1 allows remote attackers to hijack the authentication of administrators for requests that rename arbitrary files, as demonstrated by causing the user.config file to be moved, leading to a denial of service (service stop) and possibly the exposure of sensitive information.
6 CVE-2010-3601 89 2 Exec Code Sql 2010-09-24 2010-09-27
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in index.php in ibPhotohost 1.1.2 allows remote attackers to execute arbitrary SQL commands via the img parameter.
7 CVE-2010-3490 22 1 Dir. Trav. 2010-09-28 2019-12-10
6.5
None Remote Low ??? Partial Partial Partial
Directory traversal vulnerability in page.recordings.php in the System Recordings component in the configuration interface in FreePBX 2.8.0 and earlier allows remote authenticated administrators to create arbitrary files via a .. (dot dot) in the usersnum parameter to admin/config.php, as demonstrated by creating a .php file under the web root.
8 CVE-2010-3485 89 Exec Code Sql 2010-09-22 2010-09-23
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in common.php in LightNEasy 3.2.1 allows remote attackers to execute arbitrary SQL commands via the userhandle cookie to LightNEasy.php, a different vector than CVE-2008-6593. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
9 CVE-2010-3484 89 2 Exec Code Sql 2010-09-22 2010-09-23
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in common.php in LightNEasy 3.2.1 allows remote attackers to execute arbitrary SQL commands via the handle parameter to LightNEasy.php, a different vector than CVE-2008-6593.
10 CVE-2010-3483 264 2 +Priv XSS 2010-09-22 2010-09-23
7.5
None Remote Low Not required Partial Partial Partial
cms_write.php in Primitive CMS 1.0.9 does not properly restrict access, which allows remote attackers to gain administrative privileges via a direct request. NOTE: this vulnerability can be leveraged to conduct cross-site scripting attacks, as demonstrated using the (1) title, (2) content, and (3) menutitle parameters.
11 CVE-2010-3482 89 2 Exec Code Sql 2010-09-22 2010-09-23
6.5
None Remote Low ??? Partial Partial Partial
Multiple SQL injection vulnerabilities in cms_write.php in Primitive CMS 1.0.9 allow remote authenticated administrators to execute arbitrary SQL commands via the (1) title and (2) menutitle parameters. NOTE: this can be leveraged with CVE-2010-3483 to conduct attacks without authentication.
12 CVE-2010-3481 89 1 Exec Code Sql 2010-09-22 2017-08-17
6.8
None Remote Medium Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in login.php in ApPHP PHP MicroCMS 1.0.1, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) user_name and (2) password variables, possibly related to include/classes/Login.php. NOTE: some of these details are obtained from third party information. NOTE: the password vector might not be vulnerable.
13 CVE-2010-3480 22 1 Dir. Trav. 2010-09-22 2017-08-17
6.8
None Remote Medium Not required Partial Partial Partial
Directory traversal vulnerability in index.php in ApPHP PHP MicroCMS 1.0.1, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the page parameter.
14 CVE-2010-3479 89 2 Exec Code Sql 2010-09-22 2017-08-17
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in list.php in BoutikOne 1.0 allows remote attackers to execute arbitrary SQL commands via the page parameter.
15 CVE-2010-3467 89 2 Exec Code Sql 2010-09-17 2017-08-17
6.8
None Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in modules/sections/index.php in E-Xoopport Samsara 3.1 and earlier, when the Tutorial module is enabled, allows remote attackers to execute arbitrary SQL commands via the secid parameter in a listarticles action.
16 CVE-2010-3464 352 1 CSRF 2010-09-17 2018-10-10
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in admin/manager_users.class.php in SantaFox 2.02, and possibly earlier, allows remote attackers to hijack the authentication of administrators for requests, as demonstrated by adding administrative users via the save_admin action to admin/index.php.
17 CVE-2010-3461 89 1 Exec Code Sql 2010-09-17 2017-08-17
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the Publisher module in eNdonesia 8.4 allows remote attackers to execute arbitrary SQL commands via the artid parameter in a printarticle action to mod.php, a different vector than CVE-2007-3394.
18 CVE-2010-3458 89 2 Exec Code Sql 2010-09-17 2020-08-25
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in lib/toolkit/events/event.section.php in Symphony CMS 2.0.7 and 2.1.1 allows remote attackers to execute arbitrary SQL commands via the send-email[recipient] parameter to about/. NOTE: some of these details are obtained from third party information.
19 CVE-2010-3434 119 DoS Exec Code Overflow 2010-09-30 2011-03-24
9.3
None Remote Medium Not required Complete Complete Complete
Buffer overflow in the find_stream_bounds function in pdf.c in libclamav in ClamAV before 0.96.3 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PDF document. NOTE: some of these details are obtained from third party information.
20 CVE-2010-3429 94 Exec Code 2010-09-30 2018-10-10
6.8
None Remote Medium Not required Partial Partial Partial
flicvideo.c in libavcodec 0.6 and earlier in FFmpeg, as used in MPlayer and other products, allows remote attackers to execute arbitrary code via a crafted flic file, related to an "arbitrary offset dereference vulnerability."
21 CVE-2010-3428 89 1 Exec Code Sql 2010-09-16 2010-09-17
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in modules/notes/json.php in Intermesh Group-Office 3.5.9 allows remote attackers to execute arbitrary SQL commands via the category_id parameter in a category action.
22 CVE-2010-3426 22 2 Dir. Trav. 2010-09-16 2017-08-17
7.5
None Remote Low Not required Partial Partial Partial
Directory traversal vulnerability in jphone.php in the JPhone (com_jphone) component 1.0 Alpha 3 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
23 CVE-2010-3423 89 Exec Code Sql 2010-09-16 2017-08-17
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the Yr Weatherdata module for Drupal 6.x before 6.x-1.6 allows remote attackers to execute arbitrary SQL commands via the sorting method.
24 CVE-2010-3422 89 1 Exec Code Sql 2010-09-16 2010-09-17
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the JGen (com_jgen) component 0.9.33 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a view action to index.php.
25 CVE-2010-3419 94 2 Exec Code File Inclusion 2010-09-16 2017-08-17
7.5
None Remote Low Not required Partial Partial Partial
Multiple PHP remote file inclusion vulnerabilities in Haudenschilt Family Connections CMS (FCMS) 2.2.3 allow remote attackers to execute arbitrary PHP code via a URL in the current_user_id parameter to (1) familynews.php and (2) settings.php.
26 CVE-2010-3416 119 DoS Overflow Mem. Corr. 2010-09-16 2020-08-04
7.5
None Remote Low Not required Partial Partial Partial
Google Chrome before 6.0.472.59 on Linux does not properly implement the Khmer locale, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors.
27 CVE-2010-3415 119 DoS Overflow Mem. Corr. 2010-09-16 2020-07-31
10.0
None Remote Low Not required Complete Complete Complete
Google Chrome before 6.0.472.59 does not properly implement Geolocation, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors.
28 CVE-2010-3414 119 DoS Overflow Mem. Corr. 2010-09-16 2021-09-08
10.0
None Remote Low Not required Complete Complete Complete
Google Chrome before 6.0.472.59 on Mac OS X does not properly implement file dialogs, which allows attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors. NOTE: this issue exists because of an incorrect fix for CVE-2010-3112 on Mac OS X.
29 CVE-2010-3412 362 2010-09-16 2020-07-31
9.3
None Remote Medium Not required Complete Complete Complete
Race condition in the console implementation in Google Chrome before 6.0.472.59 has unspecified impact and attack vectors.
30 CVE-2010-3410 399 DoS 2010-09-16 2010-09-17
10.0
None Remote Low Not required Complete Complete Complete
Use-after-free vulnerability in Google Chrome before 6.0.472.59 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to nested SVG elements.
31 CVE-2010-3409 399 DoS 2010-09-16 2010-09-17
10.0
None Remote Low Not required Complete Complete Complete
Use-after-free vulnerability in Google Chrome before 6.0.472.59 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to SVG styles.
32 CVE-2010-3408 399 DoS 2010-09-16 2010-09-17
10.0
None Remote Low Not required Complete Complete Complete
Use-after-free vulnerability in Google Chrome before 6.0.472.59 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger use of document APIs during parsing.
33 CVE-2010-3407 119 1 Exec Code Overflow 2010-09-16 2018-10-10
9.3
None Remote Medium Not required Complete Complete Complete
Stack-based buffer overflow in the MailCheck821Address function in nnotes.dll in the nrouter.exe service in the server in IBM Lotus Domino 8.0.x before 8.0.2 FP5 and 8.5.x before 8.5.1 FP2 allows remote attackers to execute arbitrary code via a long e-mail address in an ORGANIZER:mailto header in an iCalendar calendar-invitation e-mail message, aka SPR NRBY7ZPJ9V.
34 CVE-2010-3405 119 Overflow +Priv 2010-09-16 2018-11-28
6.8
None Local Low ??? Complete Complete Complete
Buffer overflow in sa_snap in the bos.esagent fileset in IBM AIX 6.1, 5.3, and earlier and VIOS 2.1, 1.5, and earlier allows local users to leverage system group membership and gain privileges via unspecified vectors.
35 CVE-2010-3404 89 1 Exec Code Sql 2010-09-16 2017-08-17
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in eshtery CMS (aka eshtery.com) allow remote attackers to execute arbitrary SQL commands via the (1) Criteria field in an unspecified form related to catlgsearch.aspx or (2) user name to an unspecified form related to adminlogin.aspx.
36 CVE-2010-3403 Exec Code 2010-09-16 2010-09-17
9.3
None Remote Medium Not required Complete Complete Complete
Untrusted search path vulnerability in Qualcomm eXtensible Diagnostic Monitor (QXDM) 03.09.19 allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse mfc71enu.dll that is located in the same folder as a .isf file.
37 CVE-2010-3402 Exec Code 2010-09-16 2018-10-30
9.3
None Remote Medium Not required Complete Complete Complete
Untrusted search path vulnerability in IDM Computer Solutions UltraEdit 16.20.0.1009, 16.10.0.1036, and probably other versions allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the same folder as a bin, cpp, css, c, dat, hpp, html, h, ini, java, log, mak, php, prj, txt, or xml file.
38 CVE-2010-3398 2010-09-15 2010-09-16
10.0
None Remote Low Not required Complete Complete Complete
Unspecified vulnerability in the webcontainer implementation in IBM Lotus Sametime Connect 8.5.1 before CF1 has unknown impact and attack vectors, aka SPRs LXUU87S57H and LXUU87S93W.
39 CVE-2010-3397 Exec Code 2010-09-15 2018-10-10
9.3
None Remote Medium Not required Complete Complete Complete
Untrusted search path vulnerability in PGP Desktop 9.9.0 Build 397, 9.10.x, 10.0.0 Build 2732, and probably other versions allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse tsp.dll or tvttsp.dll that is located in the same folder as a .p12, .pem, .pgp, .prk, .prvkr, .pubkr, .rnd, or .skr file.
40 CVE-2010-3396 119 1 Exec Code Overflow 2010-09-15 2018-10-30
7.2
None Local Low Not required Complete Complete Complete
Buffer overflow in kavfm.sys in Kingsoft Antivirus 2010.04.26.648 and earlier allows local users to execute arbitrary code via a long argument to IOCTL 0x80030004. NOTE: some of these details are obtained from third party information.
41 CVE-2010-3380 +Priv 2010-09-29 2010-09-30
6.9
None Local Medium Not required Complete Complete Complete
The (1) init.d/slurm and (2) init.d/slurmdbd scripts in SLURM before 2.1.14 place the . (dot) directory in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse shared library in the current working directory.
42 CVE-2010-3332 209 2010-09-22 2020-11-23
6.4
None Remote Low Not required Partial Partial None
Microsoft .NET Framework 1.1 SP1, 2.0 SP1 and SP2, 3.5, 3.5 SP1, 3.5.1, and 4.0, as used for ASP.NET in Microsoft Internet Information Services (IIS), provides detailed error codes during decryption attempts, which allows remote attackers to decrypt and modify encrypted View State (aka __VIEWSTATE) form data, and possibly forge cookies or read application files, via a padding oracle attack, aka "ASP.NET Padding Oracle Vulnerability."
43 CVE-2010-3322 264 +Priv +Info 2010-09-14 2010-09-14
6.0
None Remote Medium ??? Partial Partial Partial
The XML parser in Splunk 4.0.0 through 4.1.4 allows remote authenticated users to obtain sensitive information and gain privileges via an XML External Entity (XXE) attack to unknown vectors.
44 CVE-2010-3320 20 2010-09-13 2010-09-14
6.8
None Remote Medium Not required Partial Partial Partial
Open redirect vulnerability in IBM Records Manager (RM) 4.5.x before 4.5.1.1-IER-FP001 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
45 CVE-2010-3313 94 1 Exec Code 2010-09-22 2013-08-18
7.5
None Remote Low Not required Partial Partial Partial
phpgwapi/js/fckeditor/editor/dialog/fck_spellerpages/spellerpages/serverscripts/spellchecker.php in EGroupware 1.4.001+.002; 1.6.001+.002 and possibly other versions before 1.6.003; and EPL 9.1 before 9.1.20100309 and 9.2 before 9.2.20100309; allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) aspell_path or (2) spellchecker_lang parameters.
46 CVE-2010-3304 264 2010-09-24 2011-02-12
6.4
None Remote Low Not required Partial Partial None
The ACL plugin in Dovecot 1.2.x before 1.2.13 propagates INBOX ACLs to newly created mailboxes in certain configurations, which might allow remote attackers to read mailboxes that have unintended weak ACLs.
47 CVE-2010-3301 269 +Priv 2010-09-22 2020-08-14
7.2
None Local Low Not required Complete Complete Complete
The IA32 system call emulation functionality in arch/x86/ia32/ia32entry.S in the Linux kernel before 2.6.36-rc4-git2 on the x86_64 platform does not zero extend the %eax register after the 32-bit entry path to ptrace is used, which allows local users to gain privileges by triggering an out-of-bounds access to the system call table using the %rax register. NOTE: this vulnerability exists because of a CVE-2007-4573 regression.
48 CVE-2010-3280 200 +Info 2010-09-23 2017-08-17
6.9
None Local Network Medium Not required Complete Partial Partial
The CCAgent option 9.0.8.4 and earlier in the management server (aka TSA) component in Alcatel-Lucent OmniTouch Contact Center Standard Edition relies on client-side authorization checking, and unconditionally sends the SuperUser password to the client for use during an authorized session, which allows remote attackers to monitor or reconfigure Contact Center operations via a modified client application.
49 CVE-2010-3279 16 2010-09-23 2017-08-17
7.6
None Local Network Medium Not required Complete Partial Complete
The default configuration of the CCAgent option before 9.0.8.4 in the management server (aka TSA) component in Alcatel-Lucent OmniTouch Contact Center Standard Edition enables maintenance access, which allows remote attackers to monitor or reconfigure Contact Center operations via vectors involving TSA_maintenance.exe.
50 CVE-2010-3278 119 Overflow +Priv 2010-09-10 2010-09-13
6.9
None Local Medium Not required Complete Complete Complete
Multiple buffer overflows in the Novell Client novfs module for the Linux kernel in SUSE Linux Enterprise 11 SP1 allow local users to gain privileges via unspecified vectors. NOTE: this might overlap CVE-2010-3110.
Total number of vulnerabilities : 161   Page : 1 (This Page)2 3 4
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.