CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In January 2009

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
351 CVE-2008-5859 89 Exec Code Sql 2009-01-06 2017-09-29
5.1
None Remote High Not required Partial Partial Partial
SQL injection vulnerability in index.php in Constructr CMS 3.02.5 and earlier, when register_globals is enabled and magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the show_page parameter.
352 CVE-2008-5858 79 XSS 2009-01-06 2017-08-08
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in KnowledgeTree before 3.5.4a allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different issue than CVE-2007-4281.
353 CVE-2008-5857 +Priv 2009-01-06 2017-08-08
6.5
None Remote Low ??? Partial Partial Partial
The DropDocuments plugin in KnowledgeTree before 3.5.4a allows remote authenticated users to gain administrative privileges via a certain sequence of "browse documents" and dashboard requests.
354 CVE-2008-5856 22 Dir. Trav. 2009-01-06 2017-09-29
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in scripts/export.php in ClaSS before 0.8.61 allows remote attackers to read arbitrary files via directory traversal sequences in the ftype parameter.
355 CVE-2008-5855 264 2009-01-06 2017-09-29
5.0
None Remote Low Not required Partial None None
myPHPscripts Login Session 2.0 stores sensitive information under the web root with insufficient access control, which allows remote attackers to discover usernames, e-mail addresses, and password hashes via a direct request for users.txt.
356 CVE-2008-5854 79 XSS 2009-01-06 2017-09-29
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in login.php in myPHPscripts Login Session 2.0 allow remote attackers to inject arbitrary web script or HTML via the (1) ls_user and (2) ls_email parameters (aka the User form) in an ls_register action. NOTE: some of these details are obtained from third party information.
357 CVE-2008-5853 264 +Info 2009-01-06 2018-10-11
5.0
None Remote Low Not required Partial None None
Chilek Content Management System (aka ChiCoMaS) 2.0.4 and earlier stores sensitive information under the web root with insufficient access control, which allows remote attackers to (1) obtain database credentials via a direct request for config.inc or (2) read database backups via a request for a backup/ URI.
358 CVE-2008-5852 264 2009-01-06 2017-09-29
5.0
None Remote Low Not required Partial None None
Emefa Guestbook 3.0 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the database file via a direct request for guestbook.mdb.
359 CVE-2008-5851 89 Exec Code Sql 2009-01-06 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in index.php in My PHP Baseball Stats (MyPBS) allows remote attackers to execute arbitrary SQL commands via the seasonID parameter.
360 CVE-2008-5849 200 +Info 2009-01-06 2017-08-08
5.0
None Remote Low Not required Partial None None
Check Point VPN-1 R55, R65, and other versions, when Port Address Translation (PAT) is used, allows remote attackers to discover intranet IP addresses via a packet with a small TTL, which triggers an ICMP_TIMXCEED_INTRANS (aka ICMP time exceeded in-transit) response containing an encapsulated IP packet with an intranet address, as demonstrated by a TCP packet to the firewall management server on port 18264.
361 CVE-2008-5848 255 2009-01-06 2009-05-20
10.0
None Remote Low Not required Complete Complete Complete
The Advantech ADAM-6000 module has 00000000 as its default password, which makes it easier for remote attackers to obtain access through an HTTP session, and (1) monitor or (2) control the module's Modbus/TCP I/O activity.
362 CVE-2008-5847 255 +Info 2009-01-05 2017-09-29
2.6
None Remote High Not required Partial None None
Constructr CMS 3.02.5 and earlier stores passwords in cleartext in a MySQL database, which allows context-dependent attackers to obtain sensitive information by reading the hash column.
363 CVE-2008-5846 264 Bypass 2009-01-05 2017-08-08
4.0
None Remote Low ??? None Partial None
Six Apart Movable Type (MT) before 4.23 allows remote authenticated users with create permission for posts to bypass intended access restrictions and publish posts via a "system-wide entry listing screen."
364 CVE-2008-5845 79 XSS 2009-01-05 2011-09-07
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Six Apart Movable Type (MT) before 4.23 allow remote attackers to inject arbitrary web script or HTML via a (1) MTEntryAuthorUsername, (2) MTAuthorDisplayName, (3) MTEntryAuthorDisplayName, or (4) MTCommenterName field in a Profile View template; a (5) listing screen or (6) edit screen in the CMS app; (7) a TrackBack title, related to the HTML sanitization library; or (8) a user archive name (aka archive title) on a published Community Blog template.
365 CVE-2008-5844 16 Sql 2009-01-05 2009-05-14
7.5
None Remote Low Not required Partial Partial Partial
PHP 5.2.7 contains an incorrect change to the FILTER_UNSAFE_RAW functionality, and unintentionally disables magic_quotes_gpc regardless of the actual magic_quotes_gpc setting, which might make it easier for context-dependent attackers to conduct SQL injection attacks and unspecified other attacks.
366 CVE-2008-5843 +Priv 2009-01-05 2009-03-20
4.6
None Local Low Not required Partial Partial Partial
Multiple untrusted search path vulnerabilities in pdfjam allow local users to gain privileges via a Trojan horse program in (1) the current working directory or (2) /var/tmp, related to the (a) pdf90, (b) pdfjoin, and (c) pdfnup scripts.
367 CVE-2008-5842 79 XSS 2009-01-05 2009-01-06
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Fujitsu-Siemens WebTransactions 7.0, 7.1, and possibly other versions allow remote attackers to inject arbitrary web script or HTML via vectors associated with (1) a demo application shipped with WebTransactions and possibly (2) an unspecified "dynamic application."
368 CVE-2008-5841 89 Exec Code Sql 2009-01-05 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in iGaming 1.5 and earlier allow remote attackers to execute arbitrary SQL commands via the browse parameter to (1) previews.php and (2) reviews.php, and the (3) id parameter to index.php in a viewarticle action.
369 CVE-2008-5840 264 Bypass 2009-01-05 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
PHP iCalendar 2.24 and earlier allows remote attackers to bypass authentication by setting the phpicalendar and phpicalendar_login cookies to 1.
370 CVE-2008-5839 119 Exec Code Overflow 2009-01-05 2017-08-08
9.3
None Remote Medium Not required Complete Complete Complete
Buffer overflow in Foxmail 6.5 allows remote attackers to execute arbitrary code via a long mailto URI in the HREF attribute of an A element.
371 CVE-2008-5838 89 Exec Code Sql 2009-01-05 2017-10-19
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in search_results.php in E-Php Scripts E-Shop (aka E-Php Shopping Cart) Shopping Cart Script allows remote attackers to execute arbitrary SQL commands via the cid parameter.
372 CVE-2008-5828 200 +Info 2009-01-02 2018-10-11
5.0
None Remote Low Not required Partial None None
Microsoft Windows Live Messenger Client 8.5.1 and earlier, when MSN Protocol Version 15 (MSNP15) is used over a NAT session, allows remote attackers to discover intranet IP addresses and port numbers by reading the (1) IPv4InternalAddrsAndPorts, (2) IPv4Internal-Addrs, and (3) IPv4Internal-Port header fields.
373 CVE-2008-5827 16 Exec Code 2009-01-02 2017-08-08
7.5
None Remote Low Not required Partial Partial Partial
The Nokia 6131 Near Field Communication (NFC) phone with 05.12 firmware automatically installs software upon completing the download of a JAR file, which makes it easier for remote attackers to execute arbitrary code via a crafted URI record in an NDEF tag.
374 CVE-2008-5826 20 DoS 2009-01-02 2017-08-08
7.8
None Remote Low Not required None None Complete
The Nokia 6131 Near Field Communication (NFC) phone with 05.12 firmware allows remote attackers to cause a denial of service (device crash) via (1) a large value in the payload length field in an NDEF record, or a certain length for a (2) tel: or (3) sms: NDEF URI.
375 CVE-2008-5825 59 2009-01-02 2017-08-08
2.6
None Remote High Not required None Partial None
The SmartPoster implementation on the Nokia 6131 Near Field Communication (NFC) phone with 05.12 firmware does not properly display the URI record when the Title record contains a certain combination of space, CR (aka \r), and . (dot) characters, which allows remote attackers to trick a user into loading an arbitrary URI via a crafted NDEF tag, as demonstrated by (1) an http: URI for a malicious web site, (2) a tel: URI for a premium-rate telephone number, and (3) an sms: URI that triggers purchase of a ringtone.
376 CVE-2008-5824 119 DoS Exec Code Overflow 2009-01-02 2010-03-26
6.8
None Remote Medium Not required Partial Partial Partial
Heap-based buffer overflow in msadpcm.c in libaudiofile in audiofile 0.2.6 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted WAV file.
377 CVE-2008-5823 189 DoS 2009-01-02 2018-10-30
4.3
None Remote Medium Not required None None Partial
An ActiveX control in prtstb06.dll in Microsoft Money 2006, when used with WScript in Windows Script Host (WSH) on Windows Vista, allows remote attackers to cause a denial of service (access violation and application crash) via a zero value for the Startup property.
378 CVE-2008-5822 399 DoS 2009-01-02 2017-08-08
5.0
None Remote Low Not required None None Partial
Memory leak in Libxul, as used in Mozilla Firefox 3.0.5 and other products, allows remote attackers to cause a denial of service (memory consumption and browser hang) via a long CLASS attribute in an HR element in an HTML document.
379 CVE-2008-5821 399 1 DoS 2009-01-02 2017-08-08
5.0
None Remote Low Not required None None Partial
Memory leak in WebKit.dll in WebKit, as used by Apple Safari 3.2 on Windows Vista SP1, allows remote attackers to cause a denial of service (memory consumption and browser crash) via a long ALINK attribute in a BODY element in an HTML document.
380 CVE-2008-5820 89 Exec Code Sql 2009-01-02 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in eDNews_view.php in eDreamers eDNews 2 allows remote attackers to execute arbitrary SQL commands via the newsid parameter.
381 CVE-2008-5819 22 Dir. Trav. 2009-01-02 2017-09-29
6.8
None Remote Medium Not required Partial Partial Partial
Directory traversal vulnerability in eDNews_archive.php in eDreamers eDNews 2, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the lg parameter. NOTE: some of these details are obtained from third party information.
382 CVE-2008-5818 22 Dir. Trav. 2009-01-02 2017-09-29
6.8
None Remote Medium Not required Partial Partial Partial
Directory traversal vulnerability in index.php in eDreamers eDContainer 2.22, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the lg parameter. NOTE: some of these details are obtained from third party information.
383 CVE-2008-5817 89 Exec Code Sql 2009-01-02 2017-09-29
6.8
None Remote Medium Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in index.php in Web Scribble Solutions webClassifieds 2005 allow remote attackers to execute arbitrary SQL commands via the (1) user and (2) password fields in a sign_in action.
384 CVE-2008-5816 89 Exec Code Sql 2009-01-02 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in repository.php in ILIAS 3.7.4 and earlier allows remote attackers to execute arbitrary SQL commands via the ref_id parameter.
385 CVE-2008-5815 89 Exec Code Sql 2009-01-02 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in Acomment.php in phpAlumni allows remote attackers to execute arbitrary SQL commands via the id parameter.
386 CVE-2008-5814 79 XSS 2009-01-02 2018-10-30
2.6
None Remote High Not required None Partial None
Cross-site scripting (XSS) vulnerability in PHP, possibly 5.2.7 and earlier, when display_errors is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: because of the lack of details, it is unclear whether this is related to CVE-2006-0208.
387 CVE-2008-5813 89 Exec Code Sql 2009-01-02 2017-08-08
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in inc/rubriques.php in SPIP 1.8 before 1.8.3b, 1.9 before 1.9.2g, and 2.0 before 2.0.2 allows remote attackers to execute arbitrary SQL commands via the ID parameter. NOTE: some of these details are obtained from third party information.
388 CVE-2008-5812 2009-01-02 2017-08-08
10.0
None Remote Low Not required Complete Complete Complete
Multiple unspecified vulnerabilities in SPIP 1.8 before 1.8.3b, 1.9 before 1.9.2g, and 2.0 before 2.0.2 have unknown impact and attack vectors.
389 CVE-2008-5811 89 Exec Code Sql 2009-01-02 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the PaxGallery (com_paxgallery) component 0.1 for Joomla! allows remote attackers to execute arbitrary SQL commands via the gid parameter in a table action to index.php.
390 CVE-2008-5810 20 Exec Code 2009-01-02 2018-10-11
10.0
None Remote Low Not required Complete Complete Complete
WBPublish (aka WBPublish.exe) in Fujitsu-Siemens WebTransactions 7.0, 7.1, and possibly other versions allows remote attackers to execute arbitrary commands via shell metacharacters in input that is sent through HTTP and improperly used during temporary session data cleanup, possibly related to (1) directory names, (2) template names, and (3) session IDs.
391 CVE-2008-5809 287 +Info 2009-01-02 2009-02-26
5.8
None Remote Medium Not required Partial Partial None
futomi CGI Cafe Access Analyzer CGI Standard 4.0.1 and earlier and Access Analyzer CGI Professional 4.11.3 and earlier use a predictable session id, which makes it easier for remote attackers to hijack sessions, and obtain sensitive information about analysis results, via a modified id.
392 CVE-2008-5808 79 XSS 2009-01-02 2017-08-08
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Six Apart Movable Type Enterprise (MTE) 1.x before 1.56; Movable Type (MT) 3.x before 3.38; and Movable Type, Movable Type Open Source (MTOS), and Movable Type Enterprise 4.x before 4.23 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly related to "application management."
393 CVE-2008-5517 94 Exec Code 2009-01-13 2018-10-11
7.5
None Remote Low Not required Partial Partial Partial
The web interface in git (gitweb) 1.5.x before 1.5.6 allows remote attackers to execute arbitrary commands via shell metacharacters related to (1) git_snapshot and (2) git_object.
394 CVE-2008-5516 264 Exec Code 2009-01-20 2021-01-26
7.5
None Remote Low Not required Partial Partial Partial
The web interface in git (gitweb) 1.5.x before 1.5.5 allows remote attackers to execute arbitrary commands via shell metacharacters related to git_search.
395 CVE-2008-5463 2009-01-14 2012-10-23
4.9
None Remote Medium ??? Partial Partial None
Unspecified vulnerability in the PeopleSoft Enterprise Campus Solutions component in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.9.18 and 9.0.8 allows remote authenticated users to affect confidentiality and integrity via unknown vectors.
396 CVE-2008-5462 264 2009-01-14 2012-10-23
6.8
None Remote Medium Not required Partial Partial Partial
Unspecified vulnerability in the WebLogic Portal component in BEA Product Suite 10.3, 10.2, 10.0 MP1, 9.2 MP3, and 8.1 SP6 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.
397 CVE-2008-5461 264 XSS 2009-01-14 2012-10-23
6.8
None Remote Medium Not required Partial Partial Partial
Unspecified vulnerability in the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, 8.1 SP6, 7.0, and SP7 allows remote attackers to affect confidentiality, integrity, and availability, related to WLS. NOTE: the previous information was obtained from the January 2009 CPU. Oracle has not commented on reliable researcher claims that this issue is cross-site scripting.
398 CVE-2008-5460 200 +Info 2009-01-14 2012-10-23
2.6
None Remote High Not required Partial None None
Unspecified vulnerability in the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, and 9.0 allows remote attackers to affect confidentiality via unknown vectors.
399 CVE-2008-5459 264 2009-01-14 2012-10-23
5.0
None Remote Low Not required Partial None None
Unspecified vulnerability in the WebLogic Server component in BEA Product Suite 10.3 allows remote attackers to affect confidentiality via unknown vectors.
400 CVE-2008-5458 2009-01-14 2012-10-23
5.5
None Remote Low ??? Partial Partial None
Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 11.5.10 and CU2 allows remote authenticated users to affect confidentiality and integrity via unknown vectors.
Total number of vulnerabilities : 467   Page : 1 2 3 4 5 6 7 8 (This Page)9 10
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.