CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In April 2008

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
251 CVE-2008-1754 310 +Info 2008-04-11 2017-08-08
1.7
None Local Low ??? Partial None None
Symantec Altiris Deployment Solution before 6.9.164 stores the Deployment Solution Agent (aka AClient) password in cleartext in memory, which allows local users to obtain sensitive information by dumping the AClient.exe process memory.
252 CVE-2008-1753 79 XSS 2008-04-11 2018-10-11
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in system/workplace/admin/workplace/sessions.jsp in Alkacon OpenCMS 7.0.3 allows remote attackers to inject arbitrary web script or HTML via the searchfilter parameter, a different vector than CVE-2008-1510.
253 CVE-2008-1752 200 +Info 2008-04-11 2017-08-08
7.5
None Remote Low Not required Partial Partial Partial
ezRADIUS 0.1 stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain credentials via a direct request for (1) config.ini or (2) database.ini. NOTE: some of these details are obtained from third party information.
254 CVE-2008-1751 22 Dir. Trav. 2008-04-11 2017-09-29
6.8
None Remote Medium Not required Partial Partial Partial
Multiple directory traversal vulnerabilities in index.php in Ksemail allow remote attackers to read arbitrary local files via a .. (dot dot) in the (1) language and (2) lang parameters.
255 CVE-2008-1750 89 Exec Code Sql 2008-04-11 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in Integry Systems LiveCart 1.1.1 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter to the /category URI.
256 CVE-2008-1738 20 DoS 2008-04-30 2018-10-11
2.1
None Local Low Not required None None Partial
Rising Antivirus 2008 before 20.38.20 allows local users to cause a denial of service (system crash) via an invalid pointer to the _CLIENT_ID structure in a call to the NtOpenProcess hooked System Service Descriptor Table (SSDT) function.
257 CVE-2008-1737 20 DoS +Priv 2008-04-30 2018-10-11
6.9
None Local Medium Not required Complete Complete Complete
Sophos Anti-Virus 7.0.5, and other 7.x versions, when Runtime Behavioural Analysis is enabled, allows local users to cause a denial of service (reboot with the product disabled) and possibly gain privileges via a zero value in a certain length field in the ObjectAttributes argument to the NtCreateKey hooked System Service Descriptor Table (SSDT) function.
258 CVE-2008-1736 DoS 2008-04-30 2018-10-11
7.2
None Local Low Not required Complete Complete Complete
Comodo Firewall Pro before 3.0 does not properly validate certain parameters to hooked System Service Descriptor Table (SSDT) functions, which allows local users to cause a denial of service (system crash) via (1) a crafted OBJECT_ATTRIBUTES structure in a call to the NtDeleteFile function, which leads to improper validation of a ZwQueryObject result; and unspecified calls to the (2) NtCreateFile and (3) NtSetThreadContext functions, different vectors than CVE-2007-0709.
259 CVE-2008-1735 DoS 2008-04-30 2018-10-11
4.9
None Local Low Not required None None Complete
BitDefender Antivirus 2008 20080118 and earlier allows local users to cause a denial of service (system crash) via an invalid pointer to the CLIENT_ID structure in a call to the NtOpenProcess hooked System Service Descriptor Table (SSDT) function.
260 CVE-2008-1734 20 DoS 2008-04-18 2017-08-08
3.6
None Local Low Not required Partial None Partial
Interpretation conflict in PHP Toolkit before 1.0.1 on Gentoo Linux might allow local users to cause a denial of service (PHP outage) and read contents of PHP scripts by creating a file with a one-letter lowercase alphabetic name, which triggers interpretation of a certain unquoted [a-z] argument as a matching shell glob for this name, rather than interpretation as the literal [a-z] regular-expression string, and consequently blocks the launch of the PHP interpreter within the Apache HTTP Server.
261 CVE-2008-1733 89 Exec Code Sql 2008-04-11 2018-10-11
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in puarcade.class.php 2.2 and earlier in the Pragmatic Utopia PU Arcade (com_puarcade) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the gid parameter to index.php.
262 CVE-2008-1732 89 Exec Code Sql 2008-04-11 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in showpredictionsformatch.php in Prediction Football 1.x allows remote attackers to execute arbitrary SQL commands via the matchid parameter in a dupa action.
263 CVE-2008-1731 264 Bypass 2008-04-11 2017-08-08
7.5
None Remote Low Not required Partial Partial Partial
The Simple Access module for Drupal 5.x through 5.x-1.2-2 does not properly handle the privacy information for nodes, which might allow remote attackers to bypass intended access restrictions, and read or modify nodes, in opportunistic circumstances related to interaction between Simple Access and (1) Node clone or (2) Project issue tracking.
264 CVE-2008-1730 22 Dir. Trav. 2008-04-11 2017-10-19
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in download.html in ARWScripts Gallery Script Lite (aka gallery-script-lite or Free Photo Gallery Site Script), as of 20080411, allows remote attackers to read arbitrary local files via directory traversal sequences in the path parameter.
265 CVE-2008-1729 +Info 2008-04-11 2021-04-19
5.8
None Remote Medium Not required Partial Partial None
The menu system in Drupal 6 before 6.2 has incorrect menu settings, which allows remote attackers to (1) edit the profile pages of arbitrary users, and obtain sensitive information from (2) tracker and (3) blog pages, related to a missing check for the "access content" permission; and (4) allows remote authenticated users, with administration page view access, to edit content types.
266 CVE-2008-1728 399 DoS 2008-04-11 2017-08-08
4.0
None Remote Low ??? None None Partial
ConnectionManagerImpl.java in Ignite Realtime Openfire 3.4.5 allows remote authenticated users to cause a denial of service (daemon outage) by triggering large outgoing queues without reading messages.
267 CVE-2008-1727 287 2008-04-11 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
KnowledgeQuest 2.5 and 2.6 does not require authentication for access to admincheck.php, which allows remote attackers to create arbitrary admin accounts.
268 CVE-2008-1726 89 Exec Code Sql 2008-04-11 2017-09-29
6.8
None Remote Medium Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in KnowledgeQuest 2.6, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) kqid parameter to (a) articletext.php and (b) articletextonly.php and the (2) username parameter to (c) logincheck.php.
269 CVE-2008-1725 2008-04-11 2017-09-29
9.0
None Remote Medium Not required Partial Complete Complete
The IBizEBank.FIProfile.1 ActiveX control in fiprofile20.ocx in IBiz E-Banking Integrator (formerly IBiz OFX Integrator) 2.0.2932 exposes the unsafe WriteOFXDataFile method, which allows remote attackers to overwrite arbitrary files via a full pathname in the argument. NOTE: some of these details are obtained from third party information.
270 CVE-2008-1724 119 Exec Code Overflow 2008-04-11 2018-10-11
9.3
None Remote Medium Not required Complete Complete Complete
Stack-based buffer overflow in the IActiveXTransfer.FileTransfer method in the SecureTransport FileTransfer ActiveX control in vcst_en.dll 1.0.0.5 in Tumbleweed SecureTransport Server before 4.6.1 Hotfix 20 allows remote attackers to execute arbitrary code via a long remoteFile parameter.
271 CVE-2008-1722 20 DoS Overflow Mem. Corr. 2008-04-10 2018-10-03
4.3
None Remote Medium Not required None None Partial
Multiple integer overflows in (1) filter/image-png.c and (2) filter/image-zoom.c in CUPS 1.3 allow attackers to cause a denial of service (crash) and trigger memory corruption, as demonstrated via a crafted PNG image.
272 CVE-2008-1721 189 Exec Code Overflow 2008-04-10 2018-10-11
7.5
None Remote Low Not required Partial Partial Partial
Integer signedness error in the zlib extension module in Python 2.5.2 and earlier allows remote attackers to execute arbitrary code via a negative signed integer, which triggers insufficient memory allocation and a buffer overflow.
273 CVE-2008-1720 119 Exec Code Overflow 2008-04-10 2018-10-03
7.5
None Remote Low Not required Partial Partial Partial
Buffer overflow in rsync 2.6.9 to 3.0.1, with extended attribute (xattr) support enabled, might allow remote attackers to execute arbitrary code via unknown vectors.
274 CVE-2008-1719 352 XSS CSRF 2008-04-10 2017-08-08
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in Nuke ET 3.2 and 3.4 allow remote attackers to perform actions as administrators, as demonstrated by inserting an XSS sequence into a document.
275 CVE-2008-1718 119 Exec Code Overflow 2008-04-10 2017-08-08
9.3
None Remote Medium Not required Complete Complete Complete
Buffer overflow in mimesr.dll in Autonomy (formerly Verity) KeyView, as used in IBM Lotus Notes before 8.0, might allow user-assisted remote attackers to execute arbitrary code via an e-mail message with a crafted Text mail (MIME) attachment.
276 CVE-2008-1717 200 +Info 2008-04-09 2018-10-11
5.0
None Remote Low Not required Partial None None
WoltLab Community Framework (WCF) 1.0.6 in WoltLab Burning Board 3.0.5 allows remote attackers to obtain the full path via invalid (1) page and (2) form parameters, which leaks the path from an exception handler when a valid class cannot be found.
277 CVE-2008-1716 79 XSS 2008-04-09 2018-10-11
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in WoltLab Community Framework (WCF) 1.0.6 in WoltLab Burning Board 3.0.5 allows remote attackers to inject arbitrary web script or HTML via the (1) page and (2) form parameters, which are not properly handled when they are reflected back in an error message.
278 CVE-2008-1715 89 Exec Code Sql 2008-04-09 2017-09-29
6.8
None Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in content/user.php in AuraCMS 2.2.1 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the country parameter.
279 CVE-2008-1714 89 Exec Code Sql 2008-04-09 2017-09-29
6.8
None Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in show.php in FaScript FaPhoto 1.0, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the id parameter.
280 CVE-2008-1713 DoS 2008-04-09 2017-09-29
5.0
None Remote Low Not required None None Partial
MailServer.exe in NoticeWare Email Server 4.6.1.0 allows remote attackers to cause a denial of service (application crash) via a long string to IMAP port (143/tcp).
281 CVE-2008-1712 94 Exec Code File Inclusion 2008-04-09 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
PHP remote file inclusion vulnerability in includes/functions_weblog.php in mxBB mx_blogs 2.0.0 beta allows remote attackers to execute arbitrary PHP code via a URL in the mx_root_path parameter.
282 CVE-2008-1711 310 +Info 2008-04-09 2017-09-29
5.0
None Remote Low Not required Partial None None
Terong PHP Photo Gallery (aka Advanced Web Photo Gallery) 1.0 stores passwords in cleartext in a MySQL database, which allows context-dependent attackers to obtain sensitive information.
283 CVE-2008-1710 264 +Priv 2008-04-09 2017-09-29
7.2
None Local Low Not required Complete Complete Complete
Untrusted search path vulnerability in chnfsmnt in IBM AIX 6.1 allows local users to gain privileges via a modified PATH environment variable.
284 CVE-2008-1709 119 Exec Code Overflow 2008-04-09 2017-09-29
9.3
None Remote Medium Not required Complete Complete Complete
Buffer overflow in Microsoft Visual InterDev 6.0 (SP6) allows user-assisted attackers to execute arbitrary code via a Studio Solution (.SLN) file with a long malformed Project line beginning with a 'Project("{}") =' sequence, probably a different vector than CVE-2008-0250.
285 CVE-2008-1708 399 DoS 2008-04-09 2018-10-11
4.3
None Remote Medium Not required None None Partial
IBM solidDB 06.00.1018 and earlier does not validate a certain field that specifies an amount of memory to allocate, which allows remote attackers to cause a denial of service (daemon exit) via a packet with a large value in this field.
286 CVE-2008-1707 399 DoS 2008-04-09 2018-10-11
4.3
None Remote Medium Not required None None Partial
IBM solidDB 06.00.1018 and earlier allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a packet with an 0x11 value in a certain "type" field.
287 CVE-2008-1706 189 DoS 2008-04-09 2018-10-11
4.3
None Remote Medium Not required None None Partial
Uncontrolled array index in IBM solidDB 06.00.1018 and earlier allows remote attackers to cause a denial of service (daemon crash) via a large value in a certain 32-bit field.
288 CVE-2008-1705 134 Exec Code 2008-04-09 2018-10-11
6.8
None Remote Medium Not required Partial Partial Partial
Format string vulnerability in the logging function in IBM solidDB 06.00.1018 and earlier allows remote attackers to execute arbitrary code via format string specifiers in the (1) user name, (2) peer name, and possibly unspecified other fields.
289 CVE-2008-1704 119 Exec Code Overflow 2008-04-11 2017-08-08
10.0
None Remote Low Not required Complete Complete Complete
Multiple buffer overflows in TIBCO Software Enterprise Message Service (EMS) before 4.4.3, and iProcess Engine 10.6.0 through 10.6.1, allow remote attackers to execute arbitrary code via a crafted message to the EMS server.
290 CVE-2008-1703 119 Exec Code Overflow 2008-04-11 2017-08-08
9.3
None Remote Medium Not required Complete Complete Complete
Multiple buffer overflows in TIBCO Software Rendezvous before 8.1.0, as used in multiple TIBCO products, allow remote attackers to execute arbitrary code via a crafted message.
291 CVE-2008-1702 22 Dir. Trav. +Info 2008-04-08 2018-10-11
4.3
None Remote Medium Not required Partial None None
Absolute path traversal vulnerability in dload.php in the my_gallery 2.3 plugin for e107 allows remote attackers to obtain sensitive information via a full pathname in the file parameter. NOTE: some of these details are obtained from third party information.
292 CVE-2008-1701 DoS 2008-04-08 2017-08-08
5.0
None Remote Low Not required None None Partial
Novell NetWare 6.5 allows attackers to cause a denial of service (ABEND) via a crafted Macintosh iPrint client request.
293 CVE-2008-1700 399 DoS 2008-04-08 2017-08-08
9.3
None Remote Medium Not required Complete Complete Complete
The Web TransferCtrl Class 8,2,1,4 (iManFile.cab), as used in WorkSite Web 8.2 before SP1 P2, allows remote attackers to cause a denial of service (memory consumption) via a large number of SendNrlLink directives, which opens a separate window for each directive.
294 CVE-2008-1699 89 Exec Code Sql 2008-04-08 2018-10-11
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in permalink.php in Desi Quintans Writer's Block CMS 3.8a allows remote attackers to execute arbitrary SQL commands via the PostID parameter.
295 CVE-2008-1698 79 XSS 2008-04-08 2017-08-08
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in gallery.php in Simple Gallery 2.2 allows remote attackers to inject arbitrary web script or HTML via the album parameter to index.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
296 CVE-2008-1697 119 Exec Code Overflow 2008-04-08 2017-09-29
10.0
None Remote Low Not required Complete Complete Complete
Stack-based buffer overflow in ovwparser.dll in HP OpenView Network Node Manager (OV NNM) 7.53, 7.51, and earlier allows remote attackers to execute arbitrary code via a long URI in an HTTP request processed by ovas.exe, as demonstrated by a certain topology/homeBaseView request. NOTE: some of these details are obtained from third party information.
297 CVE-2008-1696 22 Dir. Trav. 2008-04-08 2017-09-29
3.7
None Local High Not required Partial Partial Partial
Directory traversal vulnerability in makepost.php in DaZPHPNews 0.1-1, when register_globals is enabled and magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the prefixdir parameter.
298 CVE-2008-1694 59 2008-04-22 2018-10-03
4.6
None Local Low Not required Partial Partial Partial
vcdiff in Emacs 20.7 to 22.1.50, when used with SCCS, allows local users to overwrite arbitrary files via a symlink attack on temporary files.
299 CVE-2008-1693 20 Exec Code 2008-04-18 2017-09-29
6.8
None Remote Medium Not required Partial Partial Partial
The CairoFont::create function in CairoFontEngine.cc in Poppler, possibly before 0.8.0, as used in Xpdf, Evince, ePDFview, KWord, and other applications, does not properly handle embedded fonts in PDF files, which allows remote attackers to execute arbitrary code via a crafted font object, related to dereferencing a function pointer associated with the type of this font object.
300 CVE-2008-1692 264 2008-04-07 2009-02-26
6.9
None Local Medium Not required Complete Complete Complete
Eterm 0.9.4 opens a terminal window on :0 if -display is not specified and the DISPLAY environment variable is not set, which might allow local users to hijack X11 connections. NOTE: realistic attack scenarios require that the victim enters a command on the wrong machine.
Total number of vulnerabilities : 454   Page : 1 2 3 4 5 6 (This Page)7 8 9 10
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.