CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In April 2008

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
51 CVE-2008-1983 79 XSS 2008-04-27 2017-08-08
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Advanced Electron Forum (AEF) 1.0.6 allows remote attackers to inject arbitrary web script or HTML via the beg parameter in a members action to index.php.
52 CVE-2008-1982 89 Exec Code Sql 2008-04-27 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in ss_load.php in the Spreadsheet (wpSS) 0.6 and earlier plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the ss_id parameter.
53 CVE-2008-1981 352 CSRF 2008-04-27 2019-08-01
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in E-Publish 5.x before 5.x-1.1 and 6.x before 6.x-1.0 beta1, a Drupal module, allows remote attackers to perform unauthorized actions as other users via unspecified vectors.
54 CVE-2008-1980 79 XSS 2008-04-27 2017-08-08
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in E-Publish 5.x before 5.x-1.1 and 6.x before 6.x-1.0 beta1, a Drupal module, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
55 CVE-2008-1979 189 DoS 2008-04-27 2021-04-07
5.0
None Remote Low Not required None None Partial
The Discovery Service (casdscvc) in CA ARCserve Backup 12.0.5454.0 and earlier allows remote attackers to cause a denial of service (crash) via a packet with a large integer value used in an increment to TCP port 41523, which triggers a buffer over-read.
56 CVE-2008-1978 79 XSS 2008-04-27 2017-08-08
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in the Ubercart 5.x before 5.x-1.0 rc3 module for Drupal allows remote authenticated users to inject arbitrary web script or HTML via node titles related to unspecified product features, a different vector than CVE-2008-1428.
57 CVE-2008-1977 352 CSRF 2008-04-27 2019-08-01
4.3
None Remote Medium Not required None Partial None
Cross-site request forgery (CSRF) vulnerability in the Internationalization (i18n) Drupal module 5.x before 5.x-2.3 and 5.x-1.1, and 6.x before 6.x-1.0 beta 1, allows remote attackers to change node translation relationships via unspecified vectors.
58 CVE-2008-1976 79 XSS 2008-04-27 2019-08-01
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the Drupal modules (1) Internationalization (i18n) 5.x before 5.x-2.3 and 5.x-1.1 and 6.x before 6.x-1.0 beta 1; and (2) Localizer 5.x before 5.x-3.4, 5.x-2.1, and 5.x-1.11; allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
59 CVE-2008-1975 89 Exec Code Sql 2008-04-27 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in index.php in E-RESERV 2.1 allows remote attackers to execute arbitrary SQL commands via the ID_loc parameter.
60 CVE-2008-1974 79 XSS 2008-04-27 2018-10-11
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in addevent.php in Horde Kronolith 2.1.7, Groupware Webmail Edition 1.0.6, and Groupware 1.0.5 allows remote attackers to inject arbitrary web script or HTML via the url parameter.
61 CVE-2008-1973 119 DoS Exec Code Overflow 2008-04-27 2017-09-29
9.3
None Remote Medium Not required Complete Complete Complete
Heap-based buffer overflow in SubEdit Player build 4056 and 4066 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a long subtitle file.
62 CVE-2008-1972 79 XSS 2008-04-27 2017-08-08
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the user account creation feature in Exponent CMS 0.96.6-GA20071003 and earlier, when the Allow Registration? configuration option is enabled, allow remote attackers to inject arbitrary web script or HTML via the (1) username, (2) firstname, (3) lastname, and (4) e-mail address fields. NOTE: some of these details are obtained from third party information.
63 CVE-2008-1971 287 +Priv 2008-04-27 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
phShoutBox Final 1.5 and earlier only checks passwords when specified in $_POST, which allows remote attackers to gain privileges by setting the (1) phadmin cookie to admin.php, or (2) in 1.4 and earlier, the ssbadmin cookie to shoutadmin.php.
64 CVE-2008-1970 255 2008-04-27 2017-08-08
2.1
None Local Low Not required Partial None None
muCommander before 0.8.2 stores credentials.xml with insecure permissions, which allows local users to obtain credentials.
65 CVE-2008-1969 79 XSS 2008-04-27 2018-10-11
3.5
None Remote Medium ??? None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Cezanne 6.5.1 and 7 allow remote attackers to inject arbitrary web script or HTML via the (1) LookUPId and (2) CbFun parameters to (a) CFLookUP.asp; (3) TitleParms, (4) WidgetsHeights, (5) WidgetsLinks, and (6) WidgetsTitles parameters to (b) CznCommon/CznCustomContainer.asp, (7) CFTARGET parameter to (c) home.asp, (8) PersonOid parameter to (d) PeopleWeb/Cards/CVCard.asp, (9) DESTLINKOID and PersonOID parameters to (e) PeopleWeb/Cards/PayrollCard.asp, and the (10) FolderTemplateId and (11) FolderTemplateName parameters to (f) PeopleWeb/CznDocFolder/CznDFStartProcess.asp.
66 CVE-2008-1968 89 Exec Code Sql 2008-04-27 2018-10-11
6.0
None Remote Medium ??? Partial Partial Partial
Multiple SQL injection vulnerabilities in Cezanne 7 allow remote authenticated users to execute arbitrary SQL commands via the FUNID parameter to (1) CFLookup.asp and (2) CznCommon/CznCustomContainer.asp.
67 CVE-2008-1967 79 XSS 2008-04-27 2018-10-11
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in CFLogon/CFLogon.asp in Cezanne 6.5.1 and 7 allows remote attackers to inject arbitrary web script or HTML via the SleUserName parameter.
68 CVE-2008-1966 119 DoS Overflow 2008-04-27 2018-10-11
4.0
None Remote Low ??? None None Partial
Multiple buffer overflows in the JAR file administration routines in the BSU JAVA subcomponent in IBM DB2 8 before FP16, 9.1 before FP4a, and 9.5 before FP1 allow remote authenticated users to cause a denial of service (instance crash) via a call to the (1) RECOVERJAR or (2) REMOVE_JAR procedure with a crafted parameter, related to (a) sqlj.install_jar and (b) sqlj.replace_jar.
69 CVE-2008-1965 94 Exec Code 2008-04-25 2018-10-11
9.3
None Remote Medium Not required Complete Complete Complete
Argument injection vulnerability in the cai: URI handler in rcplauncher in IBM Lotus Expeditor Client for Desktop 6.1.1 and 6.1.2, as used by Lotus Symphony and possibly other products, allows remote attackers to execute arbitrary code by injecting a -launcher option via a cai: URI, as demonstrated by a reference to a UNC share pathname.
70 CVE-2008-1964 119 Overflow 2008-04-25 2018-10-11
7.5
None Remote Low Not required Partial Partial Partial
** DISPUTED ** Stack-based buffer overflow in the demux_nsf_send_headers function in src/demuxers/demux_nsf.c in xine-lib allows remote attackers to have an unknown impact via a long copyright field in an NSF header in an NES Sound file, a different issue than CVE-2008-1878. NOTE: a third party claims that the copyright field always has a safe length.
71 CVE-2008-1963 94 Exec Code File Inclusion 2008-04-25 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
PHP remote file inclusion vulnerability in includes/functions.php in Quate Grape Web Statistics 0.2a allows remote attackers to execute arbitrary PHP code via a URL in the location parameter.
72 CVE-2008-1962 22 Dir. Trav. 2008-04-25 2017-09-29
6.8
None Remote Medium Not required Partial Partial Partial
Multiple directory traversal vulnerabilities in Aterr 0.9.1 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the (1) class parameter to include/functions.inc.php and the (2) file parameter to include/common.inc.php.
73 CVE-2008-1961 89 Exec Code Sql 2008-04-25 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in index.php in Voice Of Web AllMyGuests 0.4.1 allows remote attackers to execute arbitrary SQL commands via the AMG_id parameter in a comments action.
74 CVE-2008-1960 79 XSS 2008-04-25 2017-08-08
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in cgi-bin/contray/search.cgi in ContRay 3.x allows remote attackers to inject arbitrary web script or HTML via the search parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
75 CVE-2008-1959 119 DoS Exec Code Overflow 2008-04-25 2017-08-08
7.5
None Remote Low Not required Partial Partial Partial
Stack-based buffer overflow in the get_remote_video_port_media function in call.cpp in SIPp 3.0 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted SIP message. NOTE: some of these details are obtained from third party information.
76 CVE-2008-1958 94 Exec Code 2008-04-25 2017-09-29
6.5
None Remote Low ??? Partial Partial Partial
Unrestricted file upload vulnerability in the ajout_cat mode in admin/main.php in Tr Script News 2.1 allows remote authenticated users to execute arbitrary code by uploading a file with a .php extension.
77 CVE-2008-1957 89 Exec Code Sql 2008-04-25 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in news.php in Tr Script News 2.1 allows remote attackers to execute arbitrary SQL commands via the nb parameter in voir mode.
78 CVE-2008-1956 79 XSS 2008-04-25 2018-10-11
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in index.php in Wikepage Opus 13 2007.2 allows remote attackers to inject arbitrary web script or HTML via the wiki parameter.
79 CVE-2008-1955 79 XSS 2008-04-25 2017-08-08
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in rep.php in Martin BOUCHER MyBoard 1.0.12 allows remote attackers to inject arbitrary web script or HTML via the id parameter. information.
80 CVE-2008-1954 89 Exec Code Sql 2008-04-25 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in one_day.php in Web Calendar Pro 4.1 and earlier allows remote attackers to execute arbitrary SQL commands via the user_id parameter.
81 CVE-2008-1953 79 XSS 2008-04-25 2017-08-08
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Sitedesigner before 1.1.5 search template in Magnolia Enterprise Edition allows remote attackers to inject arbitrary web script or HTML via the query parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
82 CVE-2008-1942 20 DoS Exec Code Mem. Corr. 2008-04-25 2017-08-08
6.8
None Remote Medium Not required Partial Partial Partial
Foxit Reader 2.2 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a PDF file with (1) a malformed ExtGState resource containing a /Font resource, or (2) an XObject resource with a Rotate setting, which triggers memory corruption. NOTE: this is probably a different vulnerability than CVE-2007-2186.
83 CVE-2008-1941 79 XSS 2008-04-25 2017-08-08
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in the profile update feature in Akiva WebBoard 8.0 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors in the form field. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
84 CVE-2008-1940 264 Bypass 2008-04-25 2017-08-08
4.6
None Local Low Not required Partial Partial Partial
The RBAC functionality in grsecurity before 2.1.11-2.6.24.5 and 2.1.11-2.4.36.2 does not enforce user_transition_deny and user_transition_allow rules for the (1) sys_setfsuid and (2) sys_setfsgid calls, which allows local users to bypass restrictions for those calls.
85 CVE-2008-1939 89 Exec Code Sql 2008-04-25 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in W1L3D4 Philboard 1.0 allow remote attackers to execute arbitrary SQL commands via the (1) id and (2) topic parameters to (a) philboard_reply.asp, and the (3) forumid parameter to (b) philboard_newtopic.asp, different vectors than CVE-2007-2641 and CVE-2007-0920.
86 CVE-2008-1938 287 +Info 2008-04-25 2017-08-08
6.4
None Remote Low Not required Partial None Partial
Sony Mylo COM-2 Japanese model firmware before 1.002 does not properly verify web server SSL certificates, which allows remote attackers to obtain sensitive information and conduct spoofing attacks.
87 CVE-2008-1937 264 +Priv 2008-04-25 2017-08-08
6.8
None Remote Medium Not required Partial Partial Partial
The user form processing (userform.py) in MoinMoin before 1.6.3, when using ACLs or a non-empty superusers list, does not properly manage users, which allows remote attackers to gain privileges.
88 CVE-2008-1936 89 Exec Code Sql 2008-04-25 2018-10-11
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in index.php in Classifieds Caffe allows remote attackers to execute arbitrary SQL commands via the cat_id parameter in an add action. NOTE: this issue might be site-specific.
89 CVE-2008-1935 89 Exec Code Sql 2008-04-25 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the Filiale 1.0.4 component for Joomla! allows remote attackers to execute arbitrary SQL commands via the idFiliale parameter.
90 CVE-2008-1934 89 Exec Code Sql 2008-04-25 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in commentaires.php in Crazy Goomba 1.2.1 allows remote attackers to execute arbitrary SQL commands via the id parameter.
91 CVE-2008-1933 22 Dir. Trav. 2008-04-25 2018-10-11
4.3
None Remote Medium Not required None Partial None
Absolute path traversal vulnerability in a certain ActiveX control in Zune allows user-assisted remote attackers to overwrite arbitrary files via the SaveToFile method. NOTE: the victim must explicitly allow the code to run.
92 CVE-2008-1932 189 Exec Code Overflow 2008-04-25 2018-10-11
6.8
None Local Low ??? Complete Complete Complete
Integer overflow in Realtek HD Audio Codec Drivers RTKVHDA.sys and RTKVHDA64.sys before 6.0.1.5605 on Windows Vista allows local users to execute arbitrary code via a crafted IOCTL request.
93 CVE-2008-1931 264 2008-04-25 2018-10-11
6.8
None Local Low ??? Complete Complete Complete
Realtek HD Audio Codec Drivers RTKVHDA.sys and RTKVHDA64.sys before 6.0.1.5605 on Windows Vista allow local users to create, write, and read registry keys via a crafted IOCTL request.
94 CVE-2008-1930 287 2008-04-28 2018-10-11
7.5
None Remote Low Not required Partial Partial Partial
The cookie authentication method in WordPress 2.5 relies on a hash of a concatenated string containing USERNAME and EXPIRY_TIME, which allows remote attackers to forge cookies by registering a username that results in the same concatenated string, as demonstrated by registering usernames beginning with "admin" to obtain administrator privileges, aka a "cryptographic splicing" issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2007-6013.
95 CVE-2008-1928 119 DoS Overflow 2008-04-24 2017-08-08
5.0
None Remote Low Not required None None Partial
Buffer overflow in Imager 0.42 through 0.63 allows attackers to cause a denial of service (crash) via an image based fill in which the number of input channels is different from the number of output channels.
96 CVE-2008-1927 399 DoS Mem. Corr. 2008-04-24 2018-10-11
5.0
None Remote Low Not required None None Partial
Double free vulnerability in Perl 5.8.8 allows context-dependent attackers to cause a denial of service (memory corruption and crash) via a crafted regular expression containing UTF8 characters. NOTE: this issue might only be present on certain operating systems.
97 CVE-2008-1926 94 2008-04-24 2018-10-11
7.5
None Remote Low Not required Partial Partial Partial
Argument injection vulnerability in login (login-utils/login.c) in util-linux-ng 2.14 and earlier makes it easier for remote attackers to hide activities by modifying portions of log events, as demonstrated by appending an "addr=" statement to the login name, aka "audit log injection."
98 CVE-2008-1925 119 DoS Overflow 2008-04-24 2020-09-14
5.0
None Remote Low Not required None None Partial
Buffer overflow in InspIRCd before 1.1.18, when using the namesx and uhnames modules, allows remote attackers to cause a denial of service (daemon crash) via a large number of channel users with crafted nicknames, idents, and long hostnames.
99 CVE-2008-1924 200 +Info 2008-04-23 2017-08-08
3.5
None Remote Medium ??? Partial None None
Unspecified vulnerability in phpMyAdmin before 2.11.5.2, when running on shared hosts, allows remote authenticated users with CREATE table permissions to read arbitrary files via a crafted HTTP POST request, related to use of an undefined UploadDir variable.
100 CVE-2008-1923 16 DoS 2008-04-23 2017-08-08
7.1
None Remote Medium Not required None None Complete
The IAX2 channel driver (chan_iax2) in Asterisk 1.2 before revision 72630 and 1.4 before revision 65679, when configured to allow unauthenticated calls, sends "early audio" to an unverified source IP address of a NEW message, which allows remote attackers to cause a denial of service (traffic amplification) via a spoofed NEW message.
Total number of vulnerabilities : 454   Page : 1 2 (This Page)3 4 5 6 7 8 9 10
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.