CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In April 2009

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
351 CVE-2008-6772 20 Bypass 2009-04-29 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
login/register_form.php in YourPlace 1.0.2 and earlier does not check that a username already exists when a new account is created, which allows remote attackers to bypass intended access restrictions by registering a new account with the username of a target user.
352 CVE-2008-6771 264 +Info 2009-04-29 2017-09-29
5.0
None Remote Low Not required Partial None None
YourPlace 1.0.2 and earlier allows remote attackers to obtain sensitive system information via a direct request via a direct request to user/uploads/phpinfo.php, which calls the phpinfo function.
353 CVE-2008-6770 264 2009-04-29 2017-09-29
5.0
None Remote Low Not required Partial None None
YourPlace 1.0.2 and earlier stores sensitive information under the web root with insufficient access control, which allows remote attackers to a database containing user credentials via a direct request for users.txt.
354 CVE-2008-6769 Exec Code 2009-04-29 2017-09-29
6.0
None Remote Medium ??? Partial Partial Partial
Unrestricted file upload vulnerability in upload.php in YourPlace 1.0.2 and earlier allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file.
355 CVE-2008-6768 Exec Code 2009-04-29 2017-09-29
6.8
None Remote Medium Not required Partial Partial Partial
Unrestricted file upload vulnerability in admin/editor/images.php in K&S Shopsoftware allows remote attackers to execute arbitrary PHP code by uploading a file with an executable extension, then accessing it via a direct request to the file in images/upload/.
356 CVE-2008-6767 DoS 2009-04-28 2017-08-17
10.0
None Remote Low Not required Complete Complete Complete
wp-admin/upgrade.php in WordPress, probably 2.6.x, allows remote attackers to upgrade the application, and possibly cause a denial of service (application outage), via a direct request.
357 CVE-2008-6766 DoS 2009-04-28 2018-10-11
5.0
None Remote Low Not required None None Partial
cart_save.php in ViArt Shop (aka Shopping Cart) 3.5 allows remote attackers to cause a denial of service (excessive shopping carts) via a flood of requests.
358 CVE-2008-6765 2009-04-28 2018-10-11
5.0
None Remote Low Not required Partial None None
ViArt Shop (aka Shopping Cart) 3.5 allows remote attackers to access the contents of an arbitrary shopping cart via a modified cart_name parameter.
359 CVE-2008-6764 79 XSS 2009-04-28 2017-08-17
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in login.php in Silentum LoginSys 1.0.0 allows remote attackers to inject arbitrary web script or HTML via the message parameter.
360 CVE-2008-6763 287 Bypass 2009-04-28 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
login2.php in Silentum LoginSys 1.0.0 allows remote attackers to bypass authentication and obtain access to an arbitrary account by setting the logged_in cookie to that account's username.
361 CVE-2008-6762 59 2009-04-28 2017-08-17
4.3
None Remote Medium Not required Partial None None
Open redirect vulnerability in wp-admin/upgrade.php in WordPress, probably 2.6.x, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the backto parameter.
362 CVE-2008-6761 94 2009-04-28 2017-09-29
10.0
None Remote Low Not required Complete Complete Complete
Static code injection vulnerability in admin/install.php in Flexcustomer 0.0.6 might allow remote attackers to inject arbitrary PHP code into const.inc.php via the installdbname parameter (aka the Database Name field). NOTE: the installation instructions specify deleting admin/install.php.
363 CVE-2008-6760 59 +Info 2009-04-28 2018-10-11
4.3
None Remote Medium Not required Partial None None
ViArt Shop (aka Shopping Cart) 3.5 allows remote attackers to obtain sensitive information via an unauthenticated add and save action for a shopping cart in cart_save.php, which reveals the SQL table names in an error message, related to code that mishandles the lack of a user_id parameter.
364 CVE-2008-6759 59 +Info 2009-04-28 2018-10-11
4.3
None Remote Medium Not required Partial None None
ViArt Shop (aka Shopping Cart) 3.5 allows remote attackers to obtain sensitive information via a URL in the POST_DATA parameter to manuals_search.php, which reveals the installation path in an error message.
365 CVE-2008-6758 352 XSS CSRF 2009-04-28 2018-10-11
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in cart_save.php in ViArt Shop (aka Shopping Cart) 3.5 allows remote attackers to hijack the authentication of arbitrary users for requests that conduct persistent cross-site scripting (XSS) attacks via the cart_name parameter in a save action.
366 CVE-2008-6757 79 XSS 2009-04-28 2018-10-11
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in manuals_search.php in ViArt Shop (aka Shopping Cart) 3.5 allows remote attackers to inject arbitrary web script or HTML via the manuals_search parameter.
367 CVE-2008-6756 264 2009-04-27 2017-08-17
2.1
None Local Low Not required Partial None None
ZoneMinder 1.23.3 on Gentoo Linux uses 0644 permissions for /etc/zm.conf, which allows local users to obtain the database username and password by reading this file.
368 CVE-2008-6755 264 2009-04-27 2017-08-17
5.0
None Remote Low Not required None Partial None
ZoneMinder 1.23.3 on Fedora 10 sets the ownership of /etc/zm.conf to the apache user account, and sets the permissions to 0600, which makes it easier for remote attackers to modify this file by accessing it through a (1) PHP or (2) CGI script.
369 CVE-2008-6754 200 +Info 2009-04-27 2018-10-11
4.0
None Remote Low ??? Partial None None
The Personal Sticky Threads addon 1.0.3c for vBulletin allows remote authenticated users to read the title, author, and pages of an arbitrary thread by toggling a personal sticky.
370 CVE-2008-6753 89 Exec Code Sql 2009-04-27 2017-08-17
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in SilverStripe before 2.2.2 allows remote attackers to execute arbitrary SQL commands via unspecified vectors related to AjaxUniqueTextField.
371 CVE-2008-6752 20 +Priv 2009-04-24 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
adminlogin/password.php in the Twitter Clone (TClone) plugin for ReVou Micro Blogging does not verify the original password before changing passwords, which allows remote attackers to change the administrator's password and gain privileges via a direct request with modified newpass1 and newpass2 parameters in a Change operation.
372 CVE-2008-6751 20 Exec Code 2009-04-24 2017-09-29
6.8
None Remote Medium Not required Partial Partial Partial
Unrestricted file upload vulnerability in index.php in the Twitter Clone (TClone) plugin for ReVou Micro Blogging allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in settings/my_photo.
373 CVE-2008-6750 20 Exec Code 2009-04-24 2017-09-29
6.8
None Remote Medium Not required Partial Partial Partial
Unrestricted file upload vulnerability in add.php in FlexPHPDirectory 0.0.1 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in photo/.
374 CVE-2008-6749 89 Exec Code Sql 2009-04-24 2017-09-29
6.8
None Remote Medium Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in admin/usercheck.php in FlexPHPDirectory 0.0.1, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) checkuser and (2) checkpass parameters.
375 CVE-2008-6748 94 Exec Code 2009-04-24 2018-10-11
9.3
None Remote Medium Not required Complete Complete Complete
Eval injection vulnerability in Megacubo 5.0.7 allows remote attackers to inject and execute arbitrary PHP code via the play action in a mega:// URI.
376 CVE-2008-6747 264 +Priv 2009-04-23 2017-08-17
6.8
None Remote Medium Not required Partial Partial Partial
dotProject before 2.1.2 does not properly restrict access to administrative pages, which allows remote attackers to gain privileges. NOTE: some of these details are obtained from third party information.
377 CVE-2008-6746 79 XSS 2009-04-23 2017-08-17
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the contact display view in Turba Contact Manager H3 before 2.2.1 allows remote attackers to inject arbitrary web script or HTML via the contact name.
378 CVE-2008-6745 20 +Priv 2009-04-23 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
index.php in BlogPHP 2.0 allows remote attackers to gain administrator privileges via a crafted email parameter in a register2 action.
379 CVE-2008-6744 352 CSRF 2009-04-23 2017-08-17
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in Cybozu Office 6, Cybozu Dezie before 6.0(1.0), and Cybozu Garoon 2.0.0 through 2.1.3 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
380 CVE-2008-6743 287 +Priv Bypass 2009-04-22 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
RSMScript 1.21 allows remote attackers to bypass authentication and gain administrative privileges by setting the verified cookie to an arbitrary value and performing a direct request to (1) delete.php, (2) edit-submit.php, (3) edit.php, (4) submit.php, and (5) update.php, which bypasses the security check that is performed by verify.php.
381 CVE-2008-6742 20 DoS 2009-04-21 2017-09-29
4.3
None Remote Medium Not required None None Partial
Foxy P2P software allows remote attackers to cause a denial of service (memory consumption) via a foxy URI with a download action and a large fs value.
382 CVE-2008-6741 89 Exec Code Sql 2009-04-21 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in Load.php in Simple Machines Forum (SMF) 1.1.4 and earlier allows remote attackers to execute arbitrary SQL commands by setting the db_character_set parameter to a multibyte character set such as big5, which causes the addslashes PHP function to produce a "\" (backslash) sequence that does not quote the "'" (single quote) character, as demonstrated via a manlabels action to index.php.
383 CVE-2008-6740 94 Exec Code File Inclusion 2009-04-21 2017-09-29
6.8
None Remote Medium Not required Partial Partial Partial
PHP remote file inclusion vulnerability in html/admin/modules/plugin_admin.php in HoMaP-CMS 0.1 allows remote attackers to execute arbitrary PHP code via a URL in the _settings[pluginpath] parameter.
384 CVE-2008-6739 287 +Priv 2009-04-21 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
Todd Woolums ASP Download management script 1.03 does not require authentication for setupdownload.asp, which allows remote attackers to gain administrator privileges via a direct request.
385 CVE-2008-6738 287 Bypass 2009-04-21 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
MyShoutPro 1.2 allows remote attackers to bypass authentication and gain administrative access by setting the admin_access cookie to 1.
386 CVE-2008-6737 200 +Info 2009-04-21 2017-08-17
7.8
None Remote Low Not required Complete None None
Crysis 1.21 and earlier allows remote attackers to obtain sensitive player information such as real IP addresses by sending a keyexchange packet without a previous join packet, which causes Crysis to send a disconnect packet that includes unrelated log information.
387 CVE-2008-6736 264 2009-04-21 2018-10-11
6.4
None Remote Low Not required None Partial Partial
Flat Calendar 1.1 does not properly restrict access to administrative functions, which allows remote attackers to (1) add new events via calAdd.php, as reachable from admin/add.php, or (2) delete events via admin/deleteEvent.php. NOTE: this is only a vulnerability when the administrator does not follow recommendations in the product's security documentation.
388 CVE-2008-6735 22 Dir. Trav. 2009-04-21 2017-09-29
5.8
None Remote Medium Not required Partial Partial None
Directory traversal vulnerability in qc/index.php in ThaiQuickCart 3 allows remote attackers to read arbitrary files via a .. (dot dot) in the sLanguage cookie.
389 CVE-2008-6734 22 Dir. Trav. 2009-04-21 2017-09-29
9.3
None Remote Medium Not required Complete Complete Complete
Directory traversal vulnerability in Public/index.php in Keller Web Admin CMS 0.94 Pro allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the action parameter.
390 CVE-2008-6733 79 XSS 2009-04-21 2017-08-17
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the error handling page in DotNetNuke 4.6.2 through 4.8.3 allows remote attackers to inject arbitrary web script or HTML via the querystring parameter.
391 CVE-2008-6732 79 XSS 2009-04-21 2017-08-17
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Language skin object in DotNetNuke before 4.8.4 allows remote attackers to inject arbitrary web script or HTML via "newly generated paths."
392 CVE-2008-6731 20 Exec Code 2009-04-20 2017-09-29
9.3
None Remote Medium Not required Complete Complete Complete
Unrestricted file upload vulnerability in submitlink.php in FlexPHPLink Pro 0.0.7 allows remote attackers to execute arbitrary PHP code by uploading a file with an executable extension, then accessing it via a direct request to the renamed file in linkphoto/.
393 CVE-2008-6730 89 Exec Code Sql 2009-04-20 2017-09-29
6.8
None Remote Medium Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in admin/usercheck.php in FlexPHPLink Pro 0.0.6 and 0.0.7, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via (1) the checkuser parameter (aka username field), or (2) the checkpass parameter (aka password field), to admin/index.php.
394 CVE-2008-6729 352 CSRF 2009-04-20 2017-09-29
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in password.php in PHPmotion 2.1 and earlier allow remote attackers to hijack the authentication of arbitrary users for requests that modify an account via the (1) password or (2) email_address parameter.
395 CVE-2008-6728 89 Exec Code Sql 2009-04-20 2018-10-11
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the Sections module in PHP-Nuke, probably before 8.0, allows remote attackers to execute arbitrary SQL commands via the artid parameter in a printpage action to modules.php.
396 CVE-2008-6727 79 XSS 2009-04-20 2017-09-29
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Ultimate PHP Board (UPB) 2.2.2, 2.2.1, and earlier 2.x versions allows remote attackers to inject arbitrary web script or HTML via the User-Agent HTTP header.
397 CVE-2008-6726 22 Dir. Trav. 2009-04-17 2017-09-29
6.0
None Remote Medium ??? Partial Partial Partial
Multiple directory traversal vulnerabilities in CMScout 2.06, when register_globals is enabled, allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the bit parameter to (1) admin.php and (2) index.php, different vectors than CVE-2008-3415.
398 CVE-2008-6725 89 Exec Code Sql 2009-04-17 2017-09-29
6.0
None Remote Medium ??? Partial Partial Partial
Multiple SQL injection vulnerabilities in CMScout 2.06 allow remote authenticated users to execute arbitrary SQL commands via the id parameter to (1) index.php in a mythings page (mythings.php) and (2) the users page in admin.php.
399 CVE-2008-6724 79 XSS 2009-04-17 2017-08-17
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in index.pl in Perl Nopaste 1.0 allows remote attackers to inject arbitrary web script or HTML via the language parameter. NOTE: some of these details are obtained from third party information.
400 CVE-2008-6723 287 Bypass 2009-04-14 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
TurnkeyForms Entertainment Portal 2.0 allows remote attackers to bypass authentication and gain administrative access by setting the adminLogged cookie to Administrator.
Total number of vulnerabilities : 567   Page : 1 2 3 4 5 6 7 8 (This Page)9 10 11 12
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.