CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In April 2008

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
101 CVE-2008-1921 89 Exec Code Sql 2008-04-23 2018-10-11
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in store_pages/category_list.php in 5th Avenue Shopping Cart 1.2 trial edition allows remote attackers to execute arbitrary SQL commands via the category_ID parameter.
102 CVE-2008-1920 119 DoS Exec Code Overflow 2008-04-23 2018-10-11
7.5
None Remote Low Not required Partial Partial Partial
Heap-based buffer overflow in the boxelyRenderer module in the Personal Status Manager feature in ICQ 6.0 build 6043 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted personal status message.
103 CVE-2008-1919 89 Exec Code Sql 2008-04-23 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in listtest.php in YourFreeWorld Apartment Search Script allows remote attackers to execute arbitrary SQL commands via the r parameter.
104 CVE-2008-1918 89 Exec Code Sql 2008-04-23 2017-09-29
6.0
None Remote Medium ??? Partial Partial Partial
SQL injection vulnerability in submit.php in PHP-Fusion 6.01.14 and 6.00.307, when magic_quotes_gpc is disabled and the database table prefix is known, allows remote authenticated users to execute arbitrary SQL commands via the submit_info[] parameter in a link submission action. NOTE: it was later reported that 7.00.2 is also affected.
105 CVE-2008-1917 79 XSS 2008-04-23 2017-08-08
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in AMFPHP 1.2 allow remote attackers to inject arbitrary web script or HTML via the (1) class parameter to (a) methodTable.php, (b) code.php, and (c) details.php in browser/; and the (2) location parameter to browser/code.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
106 CVE-2008-1916 79 XSS 2008-04-23 2017-08-08
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the Ubercart 5.x before 5.x-1.0-rc1 module for Drupal allow remote attackers to inject arbitrary web script or HTML via text fields intended for the (1) address and (2) order information, which are later displayed on the order view page and unspecified other administrative pages, a different vulnerability than CVE-2008-1428.
107 CVE-2008-1915 89 Exec Code Sql 2008-04-23 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in view.asp in DevWorx BlogWorx 1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter.
108 CVE-2008-1914 119 Exec Code Overflow 2008-04-22 2018-10-11
10.0
None Remote Low Not required Complete Complete Complete
Stack-based buffer overflow in the AntServer module (AntServer.exe) in BigAnt IM Server in BigAnt Messenger 2.2 allows remote attackers to execute arbitrary code via a long URI in a request to TCP port 6080. NOTE: some of these details are obtained from third party information.
109 CVE-2008-1913 89 Exec Code Sql 2008-04-22 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in index.php in Lasernet CMS 1.5 and 1.11, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the new parameter in a new action.
110 CVE-2008-1912 119 DoS Exec Code Overflow 2008-04-22 2018-10-11
9.3
None Remote Medium Not required Complete Complete Complete
Stack-based buffer overflow in DivX Player 6.7 build 6.7.0.22 and earlier allows user-assisted remote attackers to cause a denial of service (application crash) or execute arbitrary code via a long subtitle in a .SRT file.
111 CVE-2008-1911 89 Exec Code Sql 2008-04-22 2017-09-29
6.8
None Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in includes/system.php in 1024 CMS 1.4.2 beta and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via a cookpass cookie.
112 CVE-2008-1910 119 Exec Code Overflow 2008-04-22 2018-10-11
10.0
None Remote Low Not required Complete Complete Complete
Stack-based buffer overflow in the database service (ibserver.exe) in Borland InterBase 2007 SP2 allows remote attackers to execute arbitrary code via a malformed opcode 0x52 request to TCP port 3050. NOTE: this might overlap CVE-2007-5243 or CVE-2007-5244.
113 CVE-2008-1909 89 Exec Code Sql 2008-04-22 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in comment.php in PHP Knowledge Base (PHPKB) 1.5 and 2.0 allows remote attackers to execute arbitrary SQL commands via the ID parameter.
114 CVE-2008-1908 22 Dir. Trav. 2008-04-22 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
Multiple directory traversal vulnerabilities in cpCommerce 1.1.0 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in (1) the language parameter in a language action to the default URI, which is not properly handled in actions/language.act.php, or (2) the action parameter to category.php.
115 CVE-2008-1907 89 Exec Code Sql 2008-04-22 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in functions/display_page.func.php in cpCommerce 1.1.0 allow remote attackers to execute arbitrary SQL commands via the (1) id_product, (2) id_manufacturer, and (3) id_category parameters to unspecified components. NOTE: this probably overlaps CVE-2007-2959 and CVE-2007-2890.
116 CVE-2008-1906 79 XSS 2008-04-22 2017-09-29
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in calendar.php in cpCommerce 1.1.0 allows remote attackers to inject arbitrary web script or HTML via the year parameter in a view.year action.
117 CVE-2008-1905 20 DoS 2008-04-22 2017-08-08
5.0
None Remote Low Not required None None Partial
NMMediaServer.exe in Nero MediaHome 3.3.3.0 and earlier, as used in Nero 8.3.2.1 and earlier, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a long HTTP request to TCP port 54444, a different vector than CVE-2007-2322.
118 CVE-2008-1904 287 2008-04-22 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
Cicoandcico CcMail 1.0.1 and earlier does not verify that the this_cookie cookie corresponds to an authenticated session, which allows remote attackers to obtain access to the "admin area" via a modified this_cookie cookie.
119 CVE-2008-1903 94 Exec Code File Inclusion 2008-04-22 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
PHP remote file inclusion vulnerability in news_show.php in Newanz NewsOffice 1.0 and 1.1, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the newsoffice_directory parameter.
120 CVE-2008-1902 2008-04-22 2017-08-08
5.0
None Remote Low Not required None Partial None
The GUI for aptlinex before 0.91 does not sufficiently warn the user of potentially dangerous actions, which allows remote attackers to remove or modify packages via an apt:// URL.
121 CVE-2008-1901 59 2008-04-22 2017-08-08
7.2
None Local Low Not required Complete Complete Complete
aptlinex before 0.91 allows local users to overwrite arbitrary files via a symlink attack on the gambas-apt.lock temporary file.
122 CVE-2008-1900 2008-04-22 2018-10-11
7.5
None Remote Low Not required Partial Partial Partial
option_Update.asp in Carbon Communities 2.4 and earlier allows remote attackers to edit arbitrary member information via a modified ID field.
123 CVE-2008-1898 20 DoS Exec Code 2008-04-21 2018-10-11
9.3
None Remote Medium Not required Complete Complete Complete
A certain ActiveX control in WkImgSrv.dll 7.03.0616.0, as distributed in Microsoft Works 7 and Microsoft Office 2003 and 2007, allows remote attackers to execute arbitrary code or cause a denial of service (browser crash) via an invalid WksPictureInterface property value, which triggers an improper function call.
124 CVE-2008-1897 287 DoS 2008-04-23 2018-10-11
4.3
None Remote Medium Not required None None Partial
The IAX2 channel driver (chan_iax2) in Asterisk Open Source 1.0.x, 1.2.x before 1.2.28, and 1.4.x before 1.4.19.1; Business Edition A.x.x, B.x.x before B.2.5.2, and C.x.x before C.1.8.1; AsteriskNOW before 1.0.3; Appliance Developer Kit 0.x.x; and s800i before 1.1.0.3, when configured to allow unauthenticated calls, does not verify that an ACK response contains a call number matching the server's reply to a NEW message, which allows remote attackers to cause a denial of service (traffic amplification) via a spoofed ACK response that does not complete a 3-way handshake. NOTE: this issue exists because of an incomplete fix for CVE-2008-1923.
125 CVE-2008-1896 79 XSS 2008-04-18 2018-10-11
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Carbon Communities 2.4 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) Redirect parameter to login.asp and the (2) OrderBy parameter to member_send.asp.
126 CVE-2008-1895 89 Exec Code Sql 2008-04-18 2018-10-11
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in Carbon Communities 2.4 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) ID parameter to events.asp, the (2) UserName parameter to getpassword.asp, and possibly an unspecified parameter to (3) option_Update.asp in an edit action.
127 CVE-2008-1894 79 XSS 2008-04-18 2017-08-08
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in desktoplaunch/InfoView/logon/logon.object in BusinessObjects InfoView XI R2 SP1, SP2, and SP3 Java version before FixPack 3.5 allows remote attackers to inject arbitrary web script or HTML via the cms parameter.
128 CVE-2008-1893 94 Exec Code File Inclusion 2008-04-18 2017-08-08
7.5
None Remote Low Not required Partial Partial Partial
PHP remote file inclusion vulnerability in index.php in W2B Online Banking allows remote attackers to execute arbitrary PHP code via a URL in the ilang parameter.
129 CVE-2008-1892 79 XSS 2008-04-18 2017-08-08
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in bs_auth.php in Blogator-script 0.95 and 1.01 allows remote attackers to inject arbitrary web script or HTML via the msg parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
130 CVE-2008-1891 22 Dir. Trav. 2008-04-18 2017-08-08
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in WEBrick in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2, when using NTFS or FAT filesystems, allows remote attackers to read arbitrary CGI files via a trailing (1) + (plus), (2) %2b (encoded plus), (3) . (dot), (4) %2e (encoded dot), or (5) %20 (encoded space) character in the URI, possibly related to the WEBrick::HTTPServlet::FileHandler and WEBrick::HTTPServer.new functionality and the :DocumentRoot option.
131 CVE-2008-1890 89 Exec Code Sql 2008-04-18 2017-08-08
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the Jom Comment 2.0 build 345 component for Joomla! allows remote attackers to execute arbitrary SQL commands via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
132 CVE-2008-1889 89 Exec Code Sql 2008-04-18 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in viewcat.php in XplodPHP AutoTutorials 2.1 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the id parameter.
133 CVE-2008-1888 79 XSS 2008-04-18 2018-10-11
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Microsoft Windows SharePoint Services 2.0 allows remote attackers to inject arbitrary web script or HTML via the Picture Source (aka picture object source) field in the Rich Text Editor.
134 CVE-2008-1887 119 Exec Code Overflow 2008-04-18 2018-10-11
9.3
None Remote Medium Not required Complete Complete Complete
Python 2.5.2 and earlier allows context-dependent attackers to execute arbitrary code via multiple vectors that cause a negative size value to be provided to the PyString_FromStringAndSize function, which allocates less memory than expected when assert() is disabled and triggers a buffer overflow.
135 CVE-2008-1886 310 Bypass 2008-04-18 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
The NeffyLauncher 1.0.5 ActiveX control (NeffyLauncher.dll) in CDNetworks Nefficient Download uses weak cryptography for a KeyCode that blocks unauthorized use of the control, which allows remote attackers to bypass this protection mechanism by calculating the required KeyCode. NOTE: this can be used by arbitrary web sites to host exploit code that targets this control.
136 CVE-2008-1885 22 Exec Code Dir. Trav. 2008-04-18 2017-09-29
6.8
None Remote Medium Not required Partial Partial Partial
Directory traversal vulnerability in the NeffyLauncher 1.0.5 ActiveX control (NeffyLauncher.dll) in CDNetworks Nefficient Download allows remote attackers to download arbitrary code onto a client system via a .. (dot dot) in the SkinPath parameter and a .zip URL in the HttpSkin parameter. NOTE: this can be leveraged for code execution by writing to a Startup folder.
137 CVE-2008-1884 22 Dir. Trav. 2008-04-18 2017-08-08
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in index.php in Wikepage Opus 13 2007.2 allows remote attackers to read arbitrary files via directory traversal sequences in the wiki parameter, a different vector than CVE-2006-4418.
138 CVE-2008-1883 287 2008-04-18 2018-10-11
6.8
None Remote Medium Not required Partial Partial Partial
The server in Blackboard Academic Suite 7.x stores MD5 password hashes that are provided directly by clients, which makes it easier for remote attackers to access accounts via a modified client that skips the javascript/md5.js hash calculation, and instead sends an arbitrary MD5 string.
139 CVE-2008-1881 119 Exec Code Overflow 2008-04-17 2017-09-29
6.8
None Remote Medium Not required Partial Partial Partial
Stack-based buffer overflow in the ParseSSA function (modules/demux/subtitle.c) in VLC 0.8.6e allows remote attackers to execute arbitrary code via a long subtitle in an SSA file. NOTE: this issue is due to an incomplete fix for CVE-2007-6681.
140 CVE-2008-1878 119 DoS Exec Code Overflow 2008-04-17 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
Stack-based buffer overflow in the demux_nsf_send_chunk function in src/demuxers/demux_nsf.c in xine-lib 1.1.12 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long NSF title.
141 CVE-2008-1877 264 2008-04-17 2017-08-08
2.1
None Local Low Not required Partial None None
tss 0.8.1 allows local users to read arbitrary files via the -a parameter, which is processed while tss is running with privileges.
142 CVE-2008-1876 94 Exec Code File Inclusion 2008-04-17 2017-09-29
6.8
None Remote Medium Not required Partial Partial Partial
PHP remote file inclusion vulnerability in index.php in VisualPic 0.3.1 allows remote attackers to execute arbitrary PHP code via a URL in the _CONFIG[files][functions_page] parameter.
143 CVE-2008-1875 89 Exec Code Sql 2008-04-17 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in index.php in Terong PHP Photo Gallery (aka Advanced Web Photo Gallery) 1.0 allows remote attackers to execute arbitrary SQL commands via the photo_id parameter.
144 CVE-2008-1874 89 Exec Code Sql 2008-04-17 2017-09-29
6.5
None Remote Low ??? Partial Partial Partial
SQL injection vulnerability in account/user/mail.html in Xpoze Pro 3.05 and earlier allows remote authenticated users to execute arbitrary SQL commands via the reed parameter.
145 CVE-2008-1873 79 XSS 2008-04-17 2017-08-08
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the private message feature in Nuke ET 3.2 and 3.4, when using Internet Explorer, allows remote authenticated users to inject arbitrary web script or HTML via a CSS property in the STYLE attribute of a DIV element in the mensaje parameter. NOTE: some of these details are obtained from third party information.
146 CVE-2008-1872 89 Exec Code Sql 2008-04-17 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in home.news.php in Comdev News Publisher 4.1.2 allows remote attackers to execute arbitrary SQL commands via the arcmonth parameter. NOTE: some of these details are obtained from third party information.
147 CVE-2008-1871 89 Exec Code Sql 2008-04-17 2017-09-29
6.5
None Remote Low ??? Partial Partial Partial
SQL injection vulnerability in links.php in Scriptsagent.com Links Directory 1.1 allows remote authenticated users to execute arbitrary SQL commands via the cat_id parameter in a list action.
148 CVE-2008-1870 89 Exec Code Sql 2008-04-17 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in getdata.php in PIGMy-SQL 1.4.1 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter.
149 CVE-2008-1869 89 Exec Code Sql 2008-04-17 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in Site Sift Listings allows remote attackers to execute arbitrary SQL commands via the id parameter in a detail action to index.php. NOTE: this issue might be site-specific.
150 CVE-2008-1868 287 +Info 2008-04-17 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
admin/sauvBase.php in Blog Pixel Motion (aka Blog PixelMotion) does not require authentication, which allows remote attackers to trigger a database backup dump, and obtain the resulting blogPM.sql file that contains sensitive information.
Total number of vulnerabilities : 454   Page : 1 2 3 (This Page)4 5 6 7 8 9 10
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.