CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In April 2009

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
501 CVE-2008-6621 DoS 2009-04-06 2009-04-14
7.8
None Remote Low Not required None None Complete
Unspecified vulnerability in GraphicsMagick before 1.2.3 allows remote attackers to cause a denial of service (crash) via unspecified vectors in DPX images. NOTE: some of these details are obtained from third party information.
502 CVE-2008-6620 79 XSS 2009-04-06 2017-08-17
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in javascript/editor/editor/filemanager/browser/mcpuk/connectors/php/connector.php in GraFX miniCWB 2.1.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) errcontext, (2) _GET, (3) _POST, (4) _SESSION, (5) _SERVER, and (6) fckphp_config[Debug_SERVER] parameters.
503 CVE-2008-6619 264 Exec Code 2009-04-06 2018-10-11
6.8
None Remote Medium Not required Partial Partial Partial
Unrestricted file upload vulnerability in class/ApplyDB.php in ClassSystem 2.3 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in class/UploadHomepage/.
504 CVE-2008-6618 89 Exec Code Sql 2009-04-06 2018-10-11
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in ClassSystem 2.3 allow remote attackers to execute arbitrary SQL commands via the teacher_id parameter in (1) class/HomepageMain.php and (2) class/HomepageTop.php, and (3) the message_id parameter in class/MessageReply.php.
505 CVE-2008-6617 264 Exec Code 2009-04-06 2018-10-11
6.8
None Remote Medium Not required Partial Partial Partial
Unrestricted file upload vulnerability in adm/visual/upload.php in SiteXS CMS 0.1.1 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in images/.
506 CVE-2008-6616 79 XSS 2009-04-06 2017-08-17
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in index.php in Zen Software Zen Cart 2008 allows remote attackers to inject arbitrary web script or HTML via the keyword parameter in the advanced_search_result page. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
507 CVE-2008-6615 89 Exec Code Sql 2009-04-06 2017-08-17
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in index.php in Zen Software Zen Cart 2008 allows remote attackers to execute arbitrary SQL commands via the keyword parameter in the advanced_search_result page. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
508 CVE-2008-6614 89 Exec Code Sql 2009-04-06 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in microcms-admin-login.php in Implied By Design (IBD) Micro CMS 3.5 (aka 0.3.5) allow remote attackers to execute arbitrary SQL commands via (1) the administrators_username parameter (aka the Username field) or (2) the administrators_pass parameter (aka the Password field).
509 CVE-2008-6613 264 +Priv 2009-04-06 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
uploader.php in minimal-ablog 0.4 does not properly restrict access, which allows remote attackers to gain administrative privileges via a direct request.
510 CVE-2008-6612 94 Exec Code 2009-04-06 2017-09-29
6.8
None Remote Medium Not required Partial Partial Partial
Unrestricted file upload vulnerability in admin/uploader.php in Minimal ABlog 0.4 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in img/.
511 CVE-2008-6611 89 Exec Code Sql 2009-04-06 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in index.php in Minimal ABlog 0.4 allows remote attackers to execute arbitrary SQL commands via the id parameter.
512 CVE-2008-6610 22 1 Dir. Trav. 2009-04-06 2017-08-17
6.4
None Remote Low Not required Partial Partial None
Absolute path traversal vulnerability in phpcksec.php in Stefan Ott phpcksec 0.2.0 allows remote attackers to list arbitrary directories and read arbitrary files via a full pathname in the file parameter.
513 CVE-2008-6609 79 1 XSS 2009-04-06 2017-08-17
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in phpcksec.php in Stefan Ott phpcksec 0.2 allows remote attackers to inject arbitrary web script or HTML via the path parameter.
514 CVE-2008-6608 89 Exec Code Sql 2009-04-06 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in DevelopItEasy Events Calendar 1.2 allow remote attackers to execute arbitrary SQL commands via (1) the user_name parameter (aka user field) to admin/index.php, (2) the user_pass parameter (aka pass field) to admin/index.php, or (3) the id parameter to calendar_details.php. NOTE: some of these details are obtained from third party information.
515 CVE-2008-6607 79 XSS 2009-04-06 2017-09-29
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in view.php in MatPo Link 1.2 Beta allows remote attackers to inject arbitrary web script or HTML via the thema parameter.
516 CVE-2008-6606 89 Exec Code Sql 2009-04-06 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in view.php in MatPo Link 1.2 Beta allows remote attackers to execute arbitrary SQL commands via the id parameter.
517 CVE-2008-6605 352 DoS CSRF 2009-04-06 2017-09-29
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in the xslt script in the web-based management interface on the 2wire 1701HG, 1800HW, 2071HG, and 2700HG with firmware 3.17.5, 3.7.1, 4.25.19, or 5.29.51 allows remote attackers to hijack the intranet connectivity of arbitrary users for requests that cause a denial of service (network outage) via a page parameter with a % (percent) character followed by a non-alphanumeric character.
518 CVE-2008-6604 22 Dir. Trav. 2009-04-04 2017-09-29
10.0
None Remote Low Not required Complete Complete Complete
Directory traversal vulnerability in index.php in PicoFlat CMS 0.5.9 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the pagina parameter, a different vulnerability than CVE-2007-5390.
519 CVE-2008-6603 264 Bypass 2009-04-03 2017-08-17
6.8
None Remote Medium Not required Partial Partial Partial
MoinMoin 1.6.2 and 1.7 does not properly enforce ACL checks when acl_hierarchic is set to True, which might allow remote attackers to bypass intended access restrictions, a different vulnerability than CVE-2008-1937.
520 CVE-2008-6602 2009-04-03 2017-08-17
10.0
None Remote Low Not required Complete Complete Complete
Unspecified vulnerability in Download Center Lite before 2.1 has unknown impact and attack vectors related to "A minor security fix."
521 CVE-2008-6601 2009-04-03 2017-08-17
5.0
None Remote Low Not required Partial None None
Unspecified vulnerability in Epona 1.5rc3 allows remote attackers to obtain the real IP address of users via unknown vectors.
522 CVE-2008-6600 79 XSS 2009-04-03 2009-04-06
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the search feature in XMLPortal 3.0 allows remote attackers to inject arbitrary web script or HTML via the query parameter.
523 CVE-2008-6599 264 2009-04-03 2017-08-17
5.0
None Remote Low Not required Partial None None
cookiecheck.php in CookieCheck 1.0 stores tmp/cc_sessions under the web root with insufficient access control, which allows remote attackers to obtain session data via a direct request related to the "default session save path."
524 CVE-2008-6598 362 2009-04-03 2017-08-17
10.0
None Remote Low Not required Complete Complete Complete
Multiple race conditions in WANPIPE before 3.3.6 have unknown impact and attack vectors related to "bri restart logic."
525 CVE-2008-6597 79 XSS 2009-04-03 2009-04-06
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in upload/install/index.php in PHCDownload 1.1 allows remote attackers to inject arbitrary web script or HTML via the step parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
526 CVE-2008-6596 89 Exec Code Sql 2009-04-03 2009-04-06
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in admin/index.php in PHCDownload 1.1 allows remote attackers to execute arbitrary SQL commands via the hash parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
527 CVE-2008-6595 89 Exec Code Sql 2009-04-03 2017-08-17
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the pmk_rssnewsexport extension for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
528 CVE-2008-6594 89 Exec Code Sql 2009-04-03 2019-03-12
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the cm_rdfexport extension for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
529 CVE-2008-6593 89 Sql 2009-04-03 2018-10-11
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in LightNEasy/lightneasy.php in LightNEasy SQLite 1.2.2 and earlier allows remote attackers to inject arbitrary PHP code into comments.dat via the dlid parameter to index.php.
530 CVE-2008-6592 22 Dir. Trav. 2009-04-03 2018-10-11
7.5
None Remote Low Not required Partial Partial Partial
thumbsup.php in Thumbs-Up 1.12, as used in LightNEasy "no database" (aka flat) and SQLite 1.2.2 and earlier, allows remote attackers to copy, rename, and read arbitrary files via directory traversal sequences in the image parameter with a modified cache_dir parameter containing a %00 (encoded null byte).
531 CVE-2008-6591 94 2009-04-03 2018-10-11
5.0
None Remote Low Not required None Partial None
LightNEasy "no database" (aka flat) version 1.2.2, and possibly SQLite version 1.2.2, allows remote attackers to create arbitrary files via the page parameter to (1) index.php and (2) LightNEasy.php.
532 CVE-2008-6590 22 Dir. Trav. 2009-04-03 2018-10-11
5.0
None Remote Low Not required Partial None None
Multiple directory traversal vulnerabilities in LightNEasy "no database" (aka flat) version 1.2.2, and possibly SQLite version 1.2.2, allow remote attackers to read arbitrary files via a .. (dot dot) in the page parameter to (1) index.php and (2) LightNEasy.php.
533 CVE-2008-6589 79 XSS 2009-04-03 2018-10-11
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in LightNEasy "no database" (aka flat) version 1.2.2, and possibly SQLite version 1.2.2, allow remote attackers to inject arbitrary web script or HTML via the page parameter to (1) index.php and (2) LightNEasy.php.
534 CVE-2008-6588 255 2009-04-03 2017-08-17
10.0
None Remote Low Not required Complete Complete Complete
Aztech ADSL2/2+ 4-port router has a default "isp" account with a default "isp" password, which allows remote attackers to obtain access if this default is not changed.
535 CVE-2008-6587 352 CSRF 2009-04-03 2018-10-11
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in index.tmpl in Vuze (formerly Azureus HTML WebUI), probably 0.7.6, allows remote attackers to hijack the authentication of users for requests that force the download of arbitrary torrent files via the upurl parameter.
536 CVE-2008-6586 352 CSRF 2009-04-03 2020-02-10
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in gui/index.php in ĀµTorrent (uTorrent) WebUI 0.315 allows remote attackers to (1) hijack the authentication of users for requests that force the download of arbitrary torrent files via the add-url action and (2) hijack the authentication of administrators for requests that modify the administrator account via the setsetting action.
537 CVE-2008-6585 352 CSRF 2009-04-03 2018-10-11
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in html/admin.php in TorrentFlux 2.3 allows remote attackers to hijack the authentication of administrators for requests that add new accounts via the addUser action.
538 CVE-2008-6584 94 Exec Code 2009-04-03 2018-10-11
6.0
None Remote Medium ??? Partial Partial Partial
html/index.php in TorrentFlux 2.3 allows remote authenticated users to execute arbitrary code via a URL with a file containing an executable extension in the url_upload parameter, which is downloaded by TorrentFlux and can be accessed via a direct request in a html/downloads/ user directory.
539 CVE-2008-6583 119 DoS Exec Code Overflow 2009-04-03 2017-09-29
9.3
None Remote Medium Not required Complete Complete Complete
Buffer overflow in BS.player 2.27 build 959 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long string in a .SRT file.
540 CVE-2008-6582 89 Exec Code Sql 2009-04-02 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in index.php in Miniweb 2.0 allows remote attackers to execute arbitrary SQL commands via the username parameter in a login action.
541 CVE-2008-6581 287 Bypass 2009-04-02 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
login.php in PhpAddEdit 1.3 allows remote attackers to bypass authentication and gain administrative access by setting the addedit cookie parameter.
542 CVE-2008-6580 264 2009-04-02 2017-09-29
5.0
None Remote Low Not required Partial None None
The Red_Reservations script for ColdFusion stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the database via a direct request to (1) makered.mdb and (2) makered97.mdb.
543 CVE-2008-6579 2009-04-01 2017-08-17
5.0
None Remote Low Not required Partial None None
Nortel Communication Server 1000 4.50.x allows remote attackers to obtain Web application structure via unknown vectors related to "web resources to phones and administrators."
544 CVE-2008-6578 DoS Exec Code +Priv +Info 2009-04-01 2017-08-17
10.0
None Remote Low Not required Complete Complete Complete
Multiple unspecified vulnerabilities in Nortel Communication Server 1000 4.50.x allow remote attackers to execute arbitrary commands to gain privileges, obtain sensitive information, or cause a denial of service via unknown vectors.
545 CVE-2008-6577 255 +Priv 2009-04-01 2017-08-17
10.0
None Remote Low Not required Complete Complete Complete
Nortel MG1000S, Signaling Server, and Call Server on the Communications Server 1000 (CS1K) 4.50.x contain multiple unspecified hard-coded accounts and passwords, which allows remote attackers to gain privileges.
546 CVE-2008-6576 DoS 2009-04-01 2017-08-17
7.8
None Remote Low Not required None None Complete
Unspecified vulnerability in the "session limitation technique" in the FTP service on Nortel Communications Server 1000 (CS1K) 4.50.x, when running on VGMC or signaling nodes, allows remote attackers to cause a denial of service (resource exhaustion and failed updates) via unknown vectors that causes consumption of all available sessions.
547 CVE-2008-6575 DoS 2009-04-01 2017-08-17
6.8
None Remote Low ??? None None Complete
Unspecified vulnerability in the SIP server in SIP Enablement Services (SES) in Avaya Communication Manager 3.1.x and 4.x allows remote authenticated users to cause a denial of service (resource consumption) via unknown vectors.
548 CVE-2008-6574 DoS +Priv 2009-04-01 2017-08-17
7.5
None Remote Low Not required Partial Partial Partial
Unspecified vulnerability in SIP Enablement Services (SES) in Avaya Communication Manager 3.1.x and 4.x allows remote attackers to gain privileges and cause a denial of service via unknown vectors related to reuse of valid credentials.
549 CVE-2008-6573 89 Exec Code Sql 2009-04-01 2017-08-17
6.8
None Remote Medium Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in Avaya SIP Enablement Services (SES) in Avaya Avaya Communication Manager 3.x, 4.0, and 5.0 (1) allow remote attackers to execute arbitrary SQL commands via unspecified vectors related to profiles in the SIP Personal Information Manager (SPIM) in the web interface; and allow remote authenticated users to execute arbitrary SQL commands via unspecified vectors related to (2) permissions for SPIM profiles in the web interface and (3) a crafted SIP request to the SIP server.
550 CVE-2008-5519 200 +Info 2009-04-09 2019-04-15
2.6
None Remote High Not required Partial None None
The JK Connector (aka mod_jk) 1.2.0 through 1.2.26 in Apache Tomcat allows remote attackers to obtain sensitive information via an arbitrary request from an HTTP client, in opportunistic circumstances involving (1) a request from a different client that included a Content-Length header but no POST data or (2) a rapid series of requests, related to noncompliance with the AJP protocol's requirements for requests containing Content-Length headers.
Total number of vulnerabilities : 567   Page : 1 2 3 4 5 6 7 8 9 10 11 (This Page)12
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.