CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities Published In November 2008

# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
351 CVE-2008-4901 89 Exec Code Sql 2008-11-04 2017-10-19
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in admin/admin.php in Article Publisher Pro 1.5 allows remote attackers to execute arbitrary SQL commands via the username parameter.
352 CVE-2008-4900 89 Exec Code Sql 2008-11-04 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in tr.php in YourFreeWorld Classifieds Blaster Script allows remote attackers to execute arbitrary SQL commands via the id parameter.
353 CVE-2008-4899 352 CSRF 2008-11-04 2017-08-08
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in Planetluc RateMe 1.3.3 allows remote attackers to perform unauthorized actions as other users via unspecified vectors.
354 CVE-2008-4898 79 XSS 2008-11-04 2017-08-08
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in planetluc RateMe 1.3.3 allows remote attackers to inject arbitrary web script or HTML via the rate parameter in a submit rate action.
355 CVE-2008-4897 89 1 Exec Code Sql 2008-11-04 2017-09-29
6.8
None Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in fichiers/add_url.php in Logz podcast CMS 1.3.1, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the art parameter.
356 CVE-2008-4896 79 XSS 2008-11-04 2017-08-08
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in fichiers/add_url.php in Logz CMS 1.3.1 allows remote attackers to inject arbitrary web script or HTML via the art parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
357 CVE-2008-4895 89 Exec Code Sql 2008-11-04 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in tr.php in YourFreeWorld Downline Builder allows remote attackers to execute arbitrary SQL commands via the id parameter.
358 CVE-2008-4894 22 Dir. Trav. 2008-11-04 2017-10-19
5.1
None Remote High Not required Partial Partial Partial
Directory traversal vulnerability in templates/mytribiqsite/tribal-GPL-1066/includes/header.inc.php in Tribiq CMS 5.0.10a, when register_globals is enabled and magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the template_path parameter. NOTE: it was later reported that this issue also affects 5.0.12c.
359 CVE-2008-4893 79 XSS 2008-11-04 2017-08-08
2.6
None Remote High Not required None Partial None
Cross-site scripting (XSS) vulnerability in templates/mytribiqsite/tribal-GPL-1066/includes/header.inc.php in Tribiq CMS 5.0.10a, when register_globals is enabled, allows remote attackers to inject arbitrary web script or HTML via the template_path parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
360 CVE-2008-4892 79 XSS 2008-11-04 2017-08-08
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in gallery.inc.php in Planetluc MyGallery 1.7.2 and earlier, and possibly other versions before 1.8.1, allows remote attackers to inject arbitrary web script or HTML via the mghash parameter. NOTE: some of these details are obtained from third party information.
361 CVE-2008-4891 79 XSS 2008-11-04 2017-08-08
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in signme.inc.php in Planetluc SignMe 1.5 before 1.55 allows remote attackers to inject arbitrary web script or HTML via the hash parameter. NOTE: some of these details are obtained from third party information.
362 CVE-2008-4890 89 Exec Code Sql 2008-11-04 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in products.php in 1st News 4 Professional (PR 1) allows remote attackers to execute arbitrary SQL commands via the id parameter.
363 CVE-2008-4889 89 Exec Code Sql 2008-11-04 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in index.php in deV!L'z Clanportal (DZCP) 1.4.9.6 and earlier allows remote attackers to execute arbitrary SQL commands via the users parameter in an addbuddy operation in a buddys action.
364 CVE-2008-4888 79 XSS 2008-11-04 2017-09-29
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in error.php in NetRisk 2.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the error parameter to index.php. NOTE: some of these details are obtained from third party information.
365 CVE-2008-4887 89 Exec Code Sql 2008-11-04 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in index.php in NetRisk 2.0 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter in a (1) profile page (profile.php) or (2) game page (game.php). NOTE: some of these details are obtained from third party information.
366 CVE-2008-4886 89 Exec Code Sql 2008-11-04 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in index.php in YourFreeWorld Shopping Cart Script allows remote attackers to execute arbitrary SQL commands via the c parameter.
367 CVE-2008-4885 89 Exec Code Sql 2008-11-04 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in tr1.php in YourFreeWorld Scrolling Text Ads Script allows remote attackers to execute arbitrary SQL commands via the id parameter.
368 CVE-2008-4884 89 Exec Code Sql 2008-11-04 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in tr.php in YourFreeWorld Classifieds Hosting Script allows remote attackers to execute arbitrary SQL commands via the id parameter.
369 CVE-2008-4883 89 Exec Code Sql 2008-11-04 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in tr.php in YourFreeWorld Blog Blaster Script allows remote attackers to execute arbitrary SQL commands via the id parameter.
370 CVE-2008-4882 89 Exec Code Sql 2008-11-04 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in tr.php in YourFreeWorld Autoresponder Hosting Script allows remote attackers to execute arbitrary SQL commands via the id parameter.
371 CVE-2008-4881 89 Exec Code Sql 2008-11-04 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in tr.php in YourFreeWorld Reminder Service Script allows remote attackers to execute arbitrary SQL commands via the id parameter.
372 CVE-2008-4880 89 Exec Code Sql 2008-11-04 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in prodshow.php in Maran PHP Shop allows remote attackers to execute arbitrary SQL commands via the id parameter, a different vector than CVE-2008-4879.
373 CVE-2008-4879 89 Exec Code Sql 2008-11-04 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in prod.php in Maran PHP Shop allows remote attackers to execute arbitrary SQL commands via the cat parameter, a different vector than CVE-2008-4880.
374 CVE-2008-4878 20 Exec Code 2008-11-01 2017-09-29
8.5
None Remote Medium ??? Complete Complete Complete
Unrestricted file upload vulnerability in the "Add Image Macro" feature in WebCards 1.3 allows remote authenticated administrators to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the uploaded file.
375 CVE-2008-4877 89 Exec Code Sql 2008-11-01 2017-09-29
6.8
None Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in admin.php in WebCards 1.3, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the user parameter. NOTE: some of these details are obtained from third party information.
376 CVE-2008-4876 79 XSS 2008-11-01 2018-10-11
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the web server component in Philips Electronics VOIP841 DECT Phone with firmware 1.0.4.50 and 1.0.4.80 allows remote attackers to inject arbitrary web script or HTML via the request URL, which is not properly handled in a 404 web error page.
377 CVE-2008-4875 22 Dir. Trav. 2008-11-01 2018-10-11
6.8
None Remote Low ??? Complete None None
Directory traversal vulnerability in the web server in Philips Electronics VOIP841 DECT Phone with firmware 1.0.4.50 and 1.0.4.80 allows remote authenticated users to read arbitrary files via a .. (dot dot) in a GET request. NOTE: this can be leveraged with CVE-2008-4874 for unauthenticated access to sensitive files such as (1) save.dat and (2) apply.log, which can contain other credentials such as the Skype username and password.
378 CVE-2008-4874 255 2008-11-01 2018-10-11
5.0
None Remote Low Not required Partial None None
The web component in Philips Electronics VOIP841 DECT Phone with firmware 1.0.4.50 and 1.0.4.80 has a back door "service" account with "service" as its password, which makes it easier for remote attackers to obtain access.
379 CVE-2008-4873 Exec Code 2008-11-01 2017-09-29
10.0
None Remote Low Not required Complete Complete Complete
board.cgi in Sepal SPBOARD 4.5 allows remote attackers to execute arbitrary commands via shell metacharacters in the file parameter during a down_file action.
380 CVE-2008-4872 79 XSS 2008-11-01 2017-08-08
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in bidhistory.php in iTechBids Gold 5.0 allows remote attackers to inject arbitrary web script or HTML via the item_id parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
381 CVE-2008-4871 79 XSS 2008-11-01 2018-10-11
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in My Little Forum 1.75 and 2.0 Beta 23 allows remote attackers to inject arbitrary web script or HTML via BBcode IMG tags.
382 CVE-2008-4870 264 2008-11-01 2017-09-29
2.1
None Local Low Not required Partial None None
dovecot 1.0.7 in Red Hat Enterprise Linux (RHEL) 5, and possibly Fedora, uses world-readable permissions for dovecot.conf, which allows local users to obtain the ssl_key_password parameter value.
383 CVE-2008-4869 399 DoS 2008-11-01 2017-08-08
10.0
None Remote Low Not required Complete Complete Complete
FFmpeg 0.4.9, as used by MPlayer, allows context-dependent attackers to cause a denial of service (memory consumption) via unknown vectors, aka a "Tcp/udp memory leak."
384 CVE-2008-4868 2008-11-01 2017-08-08
10.0
None Remote Low Not required Complete Complete Complete
Unspecified vulnerability in the avcodec_close function in libavcodec/utils.c in FFmpeg 0.4.9 before r14787, as used by MPlayer, has unknown impact and attack vectors, related to a free "on random pointers."
385 CVE-2008-4867 119 Overflow 2008-11-01 2017-08-08
10.0
None Remote Low Not required Complete Complete Complete
Buffer overflow in libavcodec/dca.c in FFmpeg 0.4.9 before r14917, as used by MPlayer, allows context-dependent attackers to have an unknown impact via vectors related to an incorrect DCA_MAX_FRAME_SIZE value.
386 CVE-2008-4866 119 Exec Code Overflow 2008-11-01 2017-08-08
10.0
None Remote Low Not required Complete Complete Complete
Multiple buffer overflows in libavformat/utils.c in FFmpeg 0.4.9 before r14715, as used by MPlayer, allow context-dependent attackers to have an unknown impact via vectors related to execution of DTS generation code with a delay greater than MAX_REORDER_DELAY.
387 CVE-2008-4865 Exec Code 2008-11-01 2009-03-30
7.2
None Local Low Not required Complete Complete Complete
Untrusted search path vulnerability in valgrind before 3.4.0 allows local users to execute arbitrary programs via a Trojan horse .valgrindrc file in the current working directory, as demonstrated using a malicious --db-command option. NOTE: the severity of this issue has been disputed, but CVE is including this issue because execution of a program from an untrusted directory is a common scenario.
388 CVE-2008-4864 189 Exec Code Overflow 2008-11-01 2018-10-11
7.5
None Remote Low Not required Partial Partial Partial
Multiple integer overflows in imageop.c in the imageop module in Python 1.5.2 through 2.5.1 allow context-dependent attackers to break out of the Python VM and execute arbitrary code via large integer values in certain arguments to the crop function, leading to a buffer overflow, a different vulnerability than CVE-2007-4965 and CVE-2008-1679.
389 CVE-2008-4863 Exec Code 2008-11-01 2010-04-15
6.9
None Local Medium Not required Complete Complete Complete
Untrusted search path vulnerability in BPY_interface in Blender 2.46 allows local users to execute arbitrary code via a Trojan horse Python file in the current working directory, related to an erroneous setting of sys.path by the PySys_SetArgv function.
390 CVE-2008-4832 59 2008-11-17 2017-08-08
6.9
None Local Medium Not required Complete Complete Complete
rc.sysinit in initscripts 8.12-8.21 and 8.56.15-0.1 on rPath allows local users to delete arbitrary files via a symlink attack on a directory under (1) /var/lock or (2) /var/run. NOTE: this issue exists because of a race condition in an incorrect fix for CVE-2008-3524. NOTE: exploitation may require an unusual scenario in which rc.sysinit is executed other than at boot time.
391 CVE-2008-4831 264 +Priv Bypass +Info 2008-11-10 2011-03-08
7.2
None Local Low Not required Complete Complete Complete
Unspecified vulnerability in Adobe ColdFusion 8 and 8.0.1 and ColdFusion MX 7.0.2 allows local users to bypass sandbox restrictions, and obtain sensitive information or possibly gain privileges, via unknown vectors.
392 CVE-2008-4829 119 Exec Code Overflow 2008-11-25 2018-10-11
9.3
None Remote Medium Not required Complete Complete Complete
Multiple buffer overflows in lib/http.c in Streamripper 1.63.5 allow remote attackers to execute arbitrary code via (1) a long "Zwitterion v" HTTP header, related to the http_parse_sc_header function; (2) a crafted pls playlist with a long entry, related to the http_get_pls function; or (3) a crafted m3u playlist with a long File entry, related to the http_get_m3u function.
393 CVE-2008-4824 20 Exec Code 2008-11-17 2018-11-02
9.3
None Remote Medium Not required Complete Complete Complete
Multiple unspecified vulnerabilities in Adobe Flash Player 10.x before 10.0.12.36 and 9.x before 9.0.151.0 allow remote attackers to execute arbitrary code via unknown vectors related to "input validation errors."
394 CVE-2008-4823 79 XSS 2008-11-10 2018-10-30
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Adobe Flash Player 9.0.124.0 and earlier allows remote attackers to inject arbitrary web script or HTML via vectors related to loose interpretation of an ActionScript attribute.
395 CVE-2008-4822 264 Bypass 2008-11-10 2018-10-30
6.8
None Remote Medium Not required Partial Partial Partial
Adobe Flash Player 9.0.124.0 and earlier does not properly interpret policy files, which allows remote attackers to bypass a non-root domain policy.
396 CVE-2008-4821 200 +Info 2008-11-10 2018-10-30
4.3
None Remote Medium Not required Partial None None
Adobe Flash Player 9.0.124.0 and earlier, when a Mozilla browser is used, does not properly interpret jar: URLs, which allows attackers to obtain sensitive information via unknown vectors.
397 CVE-2008-4820 200 +Info 2008-11-10 2018-10-30
7.1
None Remote Medium Not required Complete None None
Unspecified vulnerability in the Flash Player ActiveX control in Adobe Flash Player 9.0.124.0 and earlier on Windows allows attackers to obtain sensitive information via unknown vectors.
398 CVE-2008-4819 2008-11-10 2018-10-30
6.8
None Remote Medium Not required Partial Partial Partial
Unspecified vulnerability in Adobe Flash Player 9.0.124.0 and earlier makes it easier for remote attackers to conduct DNS rebinding attacks via unknown vectors.
399 CVE-2008-4818 79 XSS 2008-11-10 2018-10-30
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Adobe Flash Player 9.0.124.0 and earlier allows remote attackers to inject arbitrary web script or HTML via vectors involving HTTP response headers.
400 CVE-2008-4817 20 Exec Code 2008-11-05 2018-10-30
9.3
None Remote Medium Not required Complete Complete Complete
The Download Manager in Adobe Acrobat Professional and Reader 8.1.2 and earlier allows remote attackers to execute arbitrary code via a crafted PDF document that calls an AcroJS function with a long string argument, triggering heap corruption.
Total number of vulnerabilities: 448. Page 8 of 9.