CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In September 2008

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
51 CVE-2008-4299 189 DoS 2008-09-29 2018-10-11
5.0
None Remote Low Not required None None Partial
A certain ActiveX control in the Microsoft Internet Authentication Service (IAS) Helper COM Component in iashlpr.dll allows remote attackers to cause a denial of service (browser crash) via a large integer value in the first argument to the PutProperty method. NOTE: this issue was disclosed by an unreliable researcher, so it might be incorrect.
52 CVE-2008-4298 399 DoS 2008-09-27 2018-10-11
5.0
None Remote Low Not required None None Partial
Memory leak in the http_request_parse function in request.c in lighttpd before 1.4.20 allows remote attackers to cause a denial of service (memory consumption) via a large number of requests with duplicate request headers.
53 CVE-2008-4297 264 2008-09-27 2018-10-11
5.0
None Remote Low Not required Partial None None
Mercurial before 1.0.2 does not enforce the allowpull permission setting for a pull operation from hgweb, which allows remote attackers to read arbitrary files from a repository via an "hg pull" request.
54 CVE-2008-4296 255 2008-09-27 2018-10-11
10.0
None Remote Low Not required Complete Complete Complete
The Cisco Linksys WRT350N with firmware 1.0.3.7 has "admin" as its default password for the "admin" account, which makes it easier for remote attackers to obtain access.
55 CVE-2008-4295 20 DoS 2008-09-27 2017-09-29
5.4
None Remote High Not required None None Complete
Microsoft Windows Mobile 6.0 on HTC Wiza 200 and HTC MDA 8125 devices does not properly handle the first attempt to establish a Bluetooth connection to a peer with a long name, which allows remote attackers to cause a denial of service (device reboot) by configuring a Bluetooth device with a long hci name and (1) connecting directly to the Windows Mobile system or (2) waiting for the Windows Mobile system to scan for nearby devices.
56 CVE-2008-4294 264 2008-09-27 2017-08-08
7.2
None Local Low Not required Complete Complete Complete
IBM Tivoli Netcool/Webtop 2.1 before 2.1.0.5 preserves cached user privileges after logout, which allows physically proximate attackers to hijack a session by visiting an unattended workstation, as demonstrated by a root session that is still valid after a subsequent read-only session has begun.
57 CVE-2008-4293 DoS Exec Code 2008-09-27 2017-08-08
10.0
None Remote Low Not required Complete Complete Complete
Unspecified vulnerability in Opera before 9.52 on Windows, when registered as a protocol handler, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors in which Opera is launched by other applications.
58 CVE-2008-4292 255 2008-09-27 2017-08-08
10.0
None Remote Low Not required Complete Complete Complete
Opera before 9.52 does not check the CRL override upon encountering a certificate that lacks a CRL, which has unknown impact and attack vectors. NOTE: it is not clear whether this is a vulnerability, but the vendor included it in a security section of the advisory.
59 CVE-2008-4247 352 Exec Code CSRF 2008-09-25 2012-10-23
7.5
None Remote Low Not required Partial Partial Partial
ftpd in OpenBSD 4.3, FreeBSD 7.0, NetBSD 4.0, Solaris, and possibly other operating systems interprets long commands from an FTP client as multiple commands, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and execute arbitrary FTP commands via a long ftp:// URI that leverages an existing session from the FTP client implementation in a web browser.
60 CVE-2008-4246 399 DoS 2008-09-25 2017-08-08
5.0
None Remote Low Not required None None Partial
Unspecified vulnerability in Denora IRC Stats Server before 1.4.1 allows remote IRC servers to cause a denial of service (application crash) via a crafted CTCP response.
61 CVE-2008-4245 264 2008-09-25 2017-09-29
6.5
None Remote Low ??? Partial Partial Partial
The Admin Control Panel in Rianxosencabos CMS 0.9 does not require administrator privileges, which allows remote authenticated users to (1) change a user's privileges, (2) delete a user account, or perform unspecified other administrative actions via vectors involving an admin lista action to the default URI, possibly related to useradmin.php.
62 CVE-2008-4244 287 Bypass 2008-09-25 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
Rianxosencabos CMS 0.9 allows remote attackers to bypass authentication and gain administrative access by setting the usuario and pass cookies to 1.
63 CVE-2008-4243 22 Dir. Trav. 2008-09-25 2017-09-29
7.8
None Remote Low Not required Complete None None
Directory traversal vulnerability in ImageServer (aka UTImageServer) in WebAdmin before 1.7 for Epic Games Unreal Tournament 3 (UT3) 1.3 allows remote attackers to read arbitrary files via a .. (dot dot) in the URI.
64 CVE-2008-4242 352 Exec Code CSRF 2008-09-25 2017-08-08
6.8
None Remote Medium Not required Partial Partial Partial
ProFTPD 1.3.1 interprets long commands from an FTP client as multiple commands, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and execute arbitrary FTP commands via a long ftp:// URI that leverages an existing session from the FTP client implementation in a web browser.
65 CVE-2008-4241 89 Exec Code Sql 2008-09-25 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in CJ Ultra Plus 1.0.4 and earlier allows remote attackers to execute arbitrary SQL commands via an SID cookie.
66 CVE-2008-4210 264 +Priv +Info 2008-09-29 2017-09-29
4.6
None Local Low Not required Partial Partial Partial
fs/open.c in the Linux kernel before 2.6.22 does not properly strip setuid and setgid bits when there is a write to a file, which allows local users to gain the privileges of a different group, and obtain sensitive information or possibly have unspecified other impact, by creating an executable file in a setgid directory through the (1) truncate or (2) ftruncate function in conjunction with memory-mapped I/O.
67 CVE-2008-4208 2008-09-24 2017-08-08
10.0
None Remote Low Not required Complete Complete Complete
Unspecified vulnerability in OSADS Alliance Database before 2.1 has unknown impact and attack vectors, possibly related to includes/functions.php, a different issue than CVE-2006-2874.
68 CVE-2008-4207 200 +Info 2008-09-24 2018-10-11
5.0
None Remote Low Not required Partial None None
Attachmax Dolphin 2.1.0 and earlier does not properly protect info.php in the main folder, which allows remote attackers to obtain sensitive information via a direct request, which invokes the phpinfo function. NOTE: some of these details are obtained from third party information.
69 CVE-2008-4206 94 Exec Code File Inclusion 2008-09-24 2018-10-11
7.5
None Remote Low Not required Partial Partial Partial
PHP remote file inclusion vulnerability in config.php in Attachmax Dolphin 2.1.0 and earlier, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the rel_path parameter.
70 CVE-2008-4205 89 Exec Code Sql 2008-09-24 2018-10-11
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in search.php Attachmax Dolphin 2.1.0 and earlier allows remote attackers to execute arbitrary SQL commands via the category parameter in a Search action to index.php. NOTE: some of these details are obtained from third party information.
71 CVE-2008-4204 89 Exec Code Sql 2008-09-24 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in city.asp in SoftAcid Hotel Reservation System (HRS) allows remote attackers to execute arbitrary SQL commands via the city parameter.
72 CVE-2008-4203 89 Exec Code Sql 2008-09-24 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in cn_users.php in CzarNews 1.20 and earlier allows remote attackers to execute arbitrary SQL commands via a recook cookie.
73 CVE-2008-4202 89 Exec Code Sql 2008-09-24 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in index.php in Gonafish LinksCaffePRO 4.5 allows remote attackers to execute arbitrary SQL commands via the idd parameter in a deadlink action.
74 CVE-2008-4201 119 DoS Exec Code Overflow 2008-09-24 2011-01-03
9.3
None Remote Medium Not required Complete Complete Complete
Heap-based buffer overflow in the decodeMP4file function (frontend/main.c) in FAAD2 2.6.1 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted MPEG-4 (MP4) file.
75 CVE-2008-4200 20 2008-09-27 2017-08-08
6.4
None Remote Low Not required None Partial Partial
Opera before 9.52 does not ensure that the address field of a news feed represents the feed's actual URL, which allows remote attackers to change this field to display the URL of a page containing web script controlled by the attacker.
76 CVE-2008-4199 200 +Info 2008-09-27 2017-08-08
5.0
None Remote Low Not required Partial None None
Opera before 9.52 does not prevent use of links from web pages to feed source files on the local disk, which might allow remote attackers to determine the validity of local filenames via vectors involving "detection of JavaScript events and appropriate manipulation."
77 CVE-2008-4198 2008-09-27 2017-08-08
5.0
None Remote Low Not required None Partial None
Opera before 9.52, when rendering an http page that has loaded an https page into a frame, displays a padlock icon and offers a security information dialog reporting a secure connection, which might allow remote attackers to trick a user into performing unsafe actions on the http page.
78 CVE-2008-4197 399 Exec Code 2008-09-27 2017-08-08
9.3
None Remote Medium Not required Complete Complete Complete
Opera before 9.52 on Windows, Linux, FreeBSD, and Solaris, when processing custom shortcut and menu commands, can produce argument strings that contain uninitialized memory, which might allow user-assisted remote attackers to execute arbitrary code or conduct other attacks via vectors related to activation of a shortcut.
79 CVE-2008-4196 79 XSS 2008-09-27 2011-02-01
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Opera before 9.52 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
80 CVE-2008-4195 264 2008-09-27 2017-08-08
5.0
None Remote Low Not required None Partial None
Opera before 9.52 does not properly restrict the ability of a framed web page to change the address associated with a different frame, which allows remote attackers to trigger the display of an arbitrary address in a frame via unspecified use of web script.
81 CVE-2008-4194 399 DoS 2008-09-24 2017-08-08
5.0
None Remote Low Not required None None Partial
The p_exec_query function in src/dns_query.c in pdnsd before 1.2.7-par allows remote attackers to cause a denial of service (daemon crash) via a long DNS reply with many entries in the answer section, related to a "dangling pointer bug."
82 CVE-2008-4193 119 Exec Code Overflow 2008-09-24 2017-09-29
10.0
None Remote Low Not required Complete Complete Complete
Stack-based buffer overflow in SecurityGateway.dll in Alt-N Technologies SecurityGateway 1.0.1 allows remote attackers to execute arbitrary code via a long username parameter.
83 CVE-2008-4192 59 2008-09-29 2017-08-08
6.9
None Local Medium Not required Complete Complete Complete
The pserver_shutdown function in fence_egenera in cman 2.20080629 and 2.20080801 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/eglog temporary file.
84 CVE-2008-4191 59 2008-09-24 2017-08-08
6.6
None Local Low Not required None Complete Complete
extract-table.pl in Emacspeak 26 and 28 allows local users to overwrite arbitrary files via a symlink attack on the extract-table.csv temporary file.
85 CVE-2008-4190 59 Exec Code 2008-09-24 2019-07-29
4.4
None Local Medium Not required Partial Partial Partial
The IPSEC livetest tool in Openswan 2.4.12 and earlier, and 2.6.x through 2.6.16, allows local users to overwrite arbitrary files and execute arbitrary code via a symlink attack on the (1) ipseclive.conn and (2) ipsec.olts.remote.log temporary files. NOTE: in many distributions and the upstream version, this tool has been disabled.
86 CVE-2008-4188 94 Exec Code 2008-09-23 2017-08-08
10.0
None Remote Low Not required Complete Complete Complete
Unspecified vulnerability in the TYPO3 Secure Directory (kw_secdir) extension before 1.0.2 allows remote attackers to execute arbitrary code via unknown vectors related to "injection of control characters."
87 CVE-2008-4187 22 Dir. Trav. 2008-09-23 2017-09-29
4.3
None Remote Medium Not required Partial None None
Directory traversal vulnerability in index.php in ProActive CMS allows remote attackers to read arbitrary files via a .. (dot dot) in the template parameter.
88 CVE-2008-4186 89 Exec Code Sql 2008-09-23 2017-08-08
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in index.php in webCMS Portal Edition allows remote attackers to execute arbitrary SQL commands via the id_doc parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
89 CVE-2008-4185 89 Exec Code Sql 2008-09-23 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in index.php in webCMS Portal Edition allows remote attackers to execute arbitrary SQL commands via the id parameter in a documentos action, a different vector than CVE-2008-3213.
90 CVE-2008-4184 79 XSS 2008-09-23 2017-08-08
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in index.php in webCMS Portal Edition allows remote attackers to inject arbitrary web script or HTML via the patron parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
91 CVE-2008-4183 200 +Info 2008-09-23 2017-09-29
5.0
None Remote Low Not required Partial None None
IntegraMOD 1.4.x stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a backup via a direct request to a backup/backup-yyyy-dd-mm.sql filename.
92 CVE-2008-4182 79 1 XSS 2008-09-23 2017-08-08
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in imp/test.php in Horde Turba Contact Manager H3 2.2.1 and other versions before 2.3.1, and possibly other Horde Project products, allows remote attackers to inject arbitrary web script or HTML via the User field in an IMAP session.
93 CVE-2008-4181 22 Dir. Trav. File Inclusion 2008-09-23 2017-09-29
6.8
None Remote Medium Not required Partial Partial Partial
Directory traversal vulnerability in includes/xml.php in the Netenberg Fantastico De Luxe module before 2.10.4 r19 for cPanel, when cPanel PHP Register Globals is enabled, allows remote authenticated users to include and execute arbitrary local files via a .. (dot dot) or absolute pathname in the fantasticopath parameter. NOTE: in some environments, this can be leveraged for remote file inclusion by using a UNC share pathname or an ftp, ftps, or ssh2.sftp URL.
94 CVE-2008-4180 200 +Info 2008-09-23 2018-10-11
5.0
None Remote Low Not required Partial None None
Unspecified vulnerability in db.php in NooMS 1.1 allows remote attackers to conduct brute force attacks against passwords via a username in the g_dbuser parameter and a password in the g_dbpwd parameter, and possibly a "localhost" g_dbhost parameter value, related to a "Mysql Remote Brute Force Vulnerability."
95 CVE-2008-4179 79 XSS 2008-09-23 2018-10-11
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in NooMS 1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) page_id parameter to smileys.php and the (2) q parameter to search.php.
96 CVE-2008-4178 89 1 Exec Code Sql 2008-09-23 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in tr.php in DownlineGoldmine Special Category Addon, Downline Builder Pro, New Addon, and Downline Goldmine Builder allows remote attackers to execute arbitrary SQL commands via the id parameter. NOTE: some of these details are obtained from third party information.
97 CVE-2008-4177 89 Exec Code Sql 2008-09-23 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in search.php in Pre Real Estate Listings allows remote attackers to execute arbitrary SQL commands via the c parameter.
98 CVE-2008-4176 89 Exec Code Sql 2008-09-23 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in izle.asp in FoT Video scripti 1.1 beta allows remote attackers to execute arbitrary SQL commands via the oyun parameter.
99 CVE-2008-4175 89 Exec Code Sql 2008-09-23 2017-09-29
6.5
None Remote Low ??? Partial Partial Partial
Multiple SQL injection vulnerabilities in Link Bid Script 1.5 allow remote attackers to execute arbitrary SQL commands via the (1) ucat parameter to upgrade.php and the (2) id parameter to linkadmin/edit.php.
100 CVE-2008-4174 79 1 XSS 2008-09-23 2017-08-08
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in index.php in Dynamic MP3 Lister 2.0.1 allow remote attackers to inject arbitrary web script or HTML via the (1) currentpath, (2) invert, (3) search, and (4) sort parameters.
Total number of vulnerabilities : 449   Page : 1 2 (This Page)3 4 5 6 7 8 9
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.