| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2009-1434 | 0.00 | — | 0.01 | Apr 30, 2009 | Cross-site request forgery (CSRF) vulnerability in Foswiki before 1.0.5 allows remote attackers to hijack the authentication of arbitrary users for requests that modify pages, change permissions, or change group memberships, as demonstrated by a URL for a (1) save or (2) view… | |||
| CVE-2009-1432 | 0.00 | — | 0.04 | Apr 30, 2009 | Symantec Reporting Server, as used in Symantec AntiVirus (SAV) Corporate Edition 10.1 before 10.1 MR8 and 10.2 before 10.2 MR2, Symantec Client Security (SCS) before 3.1 MR8, and the Symantec Endpoint Protection Manager (SEPM) component in Symantec Endpoint Protection (SEP)… | |||
| CVE-2009-1417 | 0.00 | — | 0.01 | Apr 30, 2009 | gnutls-cli in GnuTLS before 2.6.6 does not verify the activation and expiration times of X.509 certificates, which allows remote attackers to successfully present a certificate that is (1) not yet valid or (2) no longer valid, related to lack of time checks in the… | |||
| CVE-2009-1416 | 0.03 | — | 0.04 | Apr 30, 2009 | lib/gnutls_pk.c in libgnutls in GnuTLS 2.5.0 through 2.6.5 generates RSA keys stored in DSA structures, instead of the intended DSA keys, which might allow remote attackers to spoof signatures on certificates or have unspecified other impact by leveraging an invalid DSA key. | |||
| CVE-2009-1415 | 0.04 | — | 0.08 | Apr 30, 2009 | lib/pk-libgcrypt.c in libgnutls in GnuTLS before 2.6.6 does not properly handle invalid DSA signatures, which allows remote attackers to cause a denial of service (application crash) and possibly have unspecified other impact via a malformed DSA key that triggers a (1) free of… | |||
| CVE-2009-1348 | 0.00 | — | 0.03 | Apr 30, 2009 | The AV engine before DAT 5600 in McAfee VirusScan, Total Protection, Internet Security, SecurityShield for Microsoft ISA Server, Security for Microsoft Sharepoint, Security for Email Servers, Email Gateway, and Active Virus Defense allows remote attackers to bypass virus… | |||
| CVE-2009-1341 | 0.00 | — | 0.02 | Apr 30, 2009 | Memory leak in the dequote_bytea function in quote.c in the DBD::Pg (aka DBD-Pg or libdbd-pg-perl) module before 2.0.0 for Perl allows context-dependent attackers to cause a denial of service (memory consumption) by fetching data with BYTEA columns. | |||
| CVE-2009-1339 | 0.00 | — | 0.01 | Apr 30, 2009 | Cross-site request forgery (CSRF) vulnerability in TWiki before 4.3.1 allows remote authenticated users to hijack the authentication of arbitrary users for requests that update pages, as demonstrated by a URL for a save script in the SRC attribute of an IMG element, a related… | |||
| CVE-2009-1295 | 0.00 | — | 0.00 | Apr 30, 2009 | Apport before 0.108.4 on Ubuntu 8.04 LTS, before 0.119.2 on Ubuntu 8.10, and before 1.0-0ubuntu5.2 on Ubuntu 9.04 does not properly remove files from the application's crash-report directory, which allows local users to delete arbitrary files via unspecified vectors. | |||
| CVE-2009-1291 | 0.01 | — | 0.06 | Apr 30, 2009 | Stack-based buffer overflow in TIBCO SmartSockets before 6.8.2, SmartSockets Product Family (aka RTworks) before 4.0.5, and Enterprise Message Service (EMS) 4.0.0 through 5.1.1, as used in SmartSockets Server and RTworks Server (aka RTserver), SmartSockets client libraries and… | |||
| CVE-2009-1255 | 0.00 | — | 0.02 | Apr 30, 2009 | The process_stat function in (1) Memcached before 1.2.8 and (2) MemcacheDB 1.2.0 discloses (a) the contents of /proc/self/maps in response to a stats maps command and (b) memory-allocation statistics in response to a stats malloc command, which allows remote attackers to obtain… | |||
| CVE-2009-0663 | 0.00 | — | 0.04 | Apr 30, 2009 | Heap-based buffer overflow in the DBD::Pg (aka DBD-Pg or libdbd-pg-perl) module 1.49 for Perl might allow context-dependent attackers to execute arbitrary code via unspecified input to an application that uses the getline and pg_getline functions to read database rows. | |||
| CVE-2009-1489 | 0.03 | — | 0.03 | Apr 29, 2009 | includes/user.php in Fungamez RC1 allows remote attackers to bypass authentication and gain administrative access by setting the user cookie parameter. | |||
| CVE-2009-1488 | 0.03 | — | 0.02 | Apr 29, 2009 | Directory traversal vulnerability in admin/load.php in FunGamez RC1 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the module parameter to index.php. | |||
| CVE-2009-1487 | 0.03 | — | 0.01 | Apr 29, 2009 | SQL injection vulnerability in pages/login.php in FunGamez RC1 allows remote attackers to execute arbitrary SQL commands via the login_user (aka username) parameter. NOTE: some of these details are obtained from third party information. | |||
| CVE-2009-1486 | 0.03 | — | 0.02 | Apr 29, 2009 | Directory traversal vulnerability in pmscript.php in Flatchat 3.0 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the with parameter. | |||
| CVE-2009-1485 | 0.00 | — | 0.01 | Apr 29, 2009 | The logging feature in eMule Plus before 1.2e allows remote attackers to cause a denial of service (infinite loop) via unspecified attack vectors. | |||
| CVE-2009-1484 | 0.00 | — | 0.01 | Apr 29, 2009 | Cross-site scripting (XSS) vulnerability in the web mail interface feature in AXIGEN Mail Server 6.2.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving e-mail messages. NOTE: the provenance of this information is unknown; the… | |||
| CVE-2009-1483 | 0.03 | — | 0.04 | Apr 29, 2009 | Unrestricted file upload vulnerability in upload-file.php in Adam Patterson Studio Lounge Address Book 2.5, as reachable from index2.php, allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to… | |||
| CVE-2009-1482 | 0.00 | — | 0.02 | Apr 29, 2009 | Multiple cross-site scripting (XSS) vulnerabilities in action/AttachFile.py in MoinMoin 1.8.2 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) an AttachFile sub-action in the error_msg function or (2) multiple vectors related to package file… | |||
| CVE-2009-1481 | 0.00 | — | 0.01 | Apr 29, 2009 | SQL injection vulnerability in action.asp in PuterJam's Blog (PJBlog3) 3.0.6.170 allows remote attackers to execute arbitrary SQL commands via the cname parameter in a checkAlias action, as exploited in the wild in April 2009. NOTE: the provenance of this information is… | |||
| CVE-2009-1480 | 0.03 | — | 0.01 | Apr 29, 2009 | SQL injection vulnerability in index.php Pragyan CMS 2.6.4 allows remote attackers to execute arbitrary SQL commands via the fileget parameter in a view action and other unspecified vectors. | |||
| CVE-2008-6774 | 0.00 | — | 0.02 | Apr 29, 2009 | internettoolbar/edit.php in YourPlace 1.0.2 and earlier does not end execution when an invalid username is detected, which allows remote attackers to bypass intended restrictions and edit toolbar settings via an invalid username. NOTE: the provenance of this information is… | |||
| CVE-2008-6773 | 0.03 | — | 0.02 | Apr 29, 2009 | Static code injection vulnerability in user/internettoolbar/edit.php in YourPlace 1.0.2 and earlier allows remote authenticated users to execute arbitrary PHP code into user/internettoolbar/index.php via the (1) fav1_url, (2) fav1_name, (3) fav2_url, (4) fav2_name, (5) fav3_url,… | |||
| CVE-2008-6772 | 0.03 | — | 0.02 | Apr 29, 2009 | login/register_form.php in YourPlace 1.0.2 and earlier does not check that a username already exists when a new account is created, which allows remote attackers to bypass intended access restrictions by registering a new account with the username of a target user. | |||
| CVE-2008-6771 | 0.03 | — | 0.06 | Apr 29, 2009 | YourPlace 1.0.2 and earlier allows remote attackers to obtain sensitive system information via a direct request via a direct request to user/uploads/phpinfo.php, which calls the phpinfo function. | |||
| CVE-2008-6770 | 0.03 | — | 0.06 | Apr 29, 2009 | YourPlace 1.0.2 and earlier stores sensitive information under the web root with insufficient access control, which allows remote attackers to a database containing user credentials via a direct request for users.txt. | |||
| CVE-2008-6769 | 0.03 | — | 0.05 | Apr 29, 2009 | Unrestricted file upload vulnerability in upload.php in YourPlace 1.0.2 and earlier allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file. | |||
| CVE-2008-6768 | 0.03 | — | 0.04 | Apr 29, 2009 | Unrestricted file upload vulnerability in admin/editor/images.php in K&S Shopsoftware allows remote attackers to execute arbitrary PHP code by uploading a file with an executable extension, then accessing it via a direct request to the file in images/upload/. | |||
| CVE-2009-1478 | 0.03 | — | 0.01 | Apr 29, 2009 | Multiple unspecified vulnerabilities in the DTrace ioctl handlers in Sun Solaris 10, and OpenSolaris before snv_114, allow local users to cause a denial of service (panic) via unknown vectors. | |||
| CVE-2009-1431 | 0.01 | — | 0.08 | Apr 29, 2009 | XFR.EXE in the Intel File Transfer service in the console in Symantec Alert Management System 2 (AMS2), as used in Symantec System Center (SSS); Symantec AntiVirus Server; Symantec AntiVirus Central Quarantine Server; Symantec AntiVirus (SAV) Corporate Edition 9 before 9.0 MR7,… | |||
| CVE-2009-1430 | 0.07 | — | 0.55 | Apr 29, 2009 | Multiple stack-based buffer overflows in IAO.EXE in the Intel Alert Originator Service in Symantec Alert Management System 2 (AMS2), as used in Symantec System Center (SSS); Symantec AntiVirus Server; Symantec AntiVirus Central Quarantine Server; Symantec AntiVirus (SAV)… | |||
| CVE-2009-1429 | 0.10 | — | 0.88 | Apr 29, 2009 | The Intel LANDesk Common Base Agent (CBA) in Symantec Alert Management System 2 (AMS2), as used in Symantec System Center (SSS); Symantec AntiVirus Server; Symantec AntiVirus Central Quarantine Server; Symantec AntiVirus (SAV) Corporate Edition 9 before 9.0 MR7, 10.0 and 10.1… | |||
| CVE-2009-1428 | 0.00 | — | 0.02 | Apr 29, 2009 | Multiple cross-site scripting (XSS) vulnerabilities in ccLgView.exe in the Symantec Log Viewer, as used in Symantec AntiVirus (SAV) before 10.1 MR8, Symantec Endpoint Protection (SEP) 11.0 before 11.0 MR1, Norton 360 1.0, and Norton Internet Security 2005 through 2008, allow… | |||
| CVE-2009-0719 | 0.00 | — | 0.00 | Apr 29, 2009 | Unspecified vulnerability in useradd in HP HP-UX B.11.11, B.11.23, and B.11.31 allows local users to access arbitrary files and directories via unknown vectors, a different issue than CVE-2008-1660. | |||
| CVE-2009-1463 | 0.00 | — | 0.02 | Apr 28, 2009 | Static code injection vulnerability in razorCMS before 0.4 allows remote attackers to inject arbitrary PHP code into any page by saving content as a .php file. | |||
| CVE-2009-1462 | 0.00 | — | 0.00 | Apr 28, 2009 | The Security Manager in razorCMS before 0.4 does not verify the permissions of every file owned by the apache user account, which is inconsistent with the documentation and allows local users to have an unspecified impact. | |||
| CVE-2009-1461 | 0.00 | — | 0.01 | Apr 28, 2009 | Cross-site scripting (XSS) vulnerability in the Create New Page form in razorCMS 0.3 RC2 and earlier allows remote authenticated users to inject arbitrary web script or HTML via the Page Title field. | |||
| CVE-2009-1460 | 0.00 | — | 0.00 | Apr 28, 2009 | razorCMS before 0.4 uses weak permissions for (1) admin/core/admin_config.php, which allows local users to obtain the administrator's password hash and FTP user credentials; and (2) the root directory, (3) datastore/, and (4) admin/core/, which allows local users to have an… | |||
| CVE-2009-1459 | 0.00 | — | 0.01 | Apr 28, 2009 | Cross-site request forgery (CSRF) vulnerability in razorCMS before 0.4 allows remote attackers to hijack the authentication of administrators for requests that create a web page containing PHP code. | |||
| CVE-2009-1458 | 0.03 | — | 0.02 | Apr 28, 2009 | Multiple cross-site scripting (XSS) vulnerabilities in admin/index.php in razorCMS before 0.4 allow remote attackers to inject arbitrary web script or HTML via (1) the slab parameter in an edit action, (2) the catname parameter in a showcats action, and (3) the cat parameter in… | |||
| CVE-2009-1457 | 0.00 | — | 0.01 | Apr 28, 2009 | Cross-site scripting (XSS) vulnerability in player.php in Nuke Evolution Xtreme 2.x allows remote attackers to inject arbitrary web script or HTML via the defaultVisualExt parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third… | |||
| CVE-2009-1456 | 0.03 | — | 0.02 | Apr 28, 2009 | Directory traversal vulnerability in admin.php in Malleo 1.2.3 allows remote authenticated administrators to include and execute arbitrary local files via a .. (dot dot) in the module parameter. | |||
| CVE-2009-1455 | 0.00 | — | 0.01 | Apr 28, 2009 | Multiple cross-site request forgery (CSRF) vulnerabilities in WebCollab before 2.50 (aka Billy Goat) allow remote attackers to hijack the authentication of administrators for requests that change an arbitrary password or have other unspecified impact. | |||
| CVE-2009-1454 | 0.00 | — | 0.01 | Apr 28, 2009 | Cross-site scripting (XSS) vulnerability in tasks.php in WebCollab before 2.50 (aka Billy Goat) allows remote attackers to inject arbitrary web script or HTML via the selection parameter in a todo action. | |||
| CVE-2009-1453 | 0.03 | — | 0.01 | Apr 28, 2009 | SQL injection vulnerability in class.eport.php in Tiny Blogr 1.0.0 rc4, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the txtUsername parameter (aka the Username field). NOTE: some of these details are obtained from third party… | |||
| CVE-2009-1452 | 0.03 | — | 0.02 | Apr 28, 2009 | Multiple PHP remote file inclusion vulnerabilities in theme/format.php in SMA-DB 0.3.13 allow remote attackers to execute arbitrary PHP code via a URL in the (1) _page_css and (2) _page_javascript parameters. NOTE: the _page_content vector is already is covered by CVE-2009-1450. | |||
| CVE-2008-6767 | 0.00 | — | 0.05 | Apr 28, 2009 | wp-admin/upgrade.php in WordPress, probably 2.6.x, allows remote attackers to upgrade the application, and possibly cause a denial of service (application outage), via a direct request. | |||
| CVE-2008-6766 | 0.00 | — | 0.01 | Apr 28, 2009 | cart_save.php in ViArt Shop (aka Shopping Cart) 3.5 allows remote attackers to cause a denial of service (excessive shopping carts) via a flood of requests. | |||
| CVE-2008-6765 | 0.03 | — | 0.02 | Apr 28, 2009 | ViArt Shop (aka Shopping Cart) 3.5 allows remote attackers to access the contents of an arbitrary shopping cart via a modified cart_name parameter. |
- CVE-2009-1434Apr 30, 2009risk 0.00cvss —epss 0.01
Cross-site request forgery (CSRF) vulnerability in Foswiki before 1.0.5 allows remote attackers to hijack the authentication of arbitrary users for requests that modify pages, change permissions, or change group memberships, as demonstrated by a URL for a (1) save or (2) view…
- CVE-2009-1432Apr 30, 2009risk 0.00cvss —epss 0.04
Symantec Reporting Server, as used in Symantec AntiVirus (SAV) Corporate Edition 10.1 before 10.1 MR8 and 10.2 before 10.2 MR2, Symantec Client Security (SCS) before 3.1 MR8, and the Symantec Endpoint Protection Manager (SEPM) component in Symantec Endpoint Protection (SEP)…
- CVE-2009-1417Apr 30, 2009risk 0.00cvss —epss 0.01
gnutls-cli in GnuTLS before 2.6.6 does not verify the activation and expiration times of X.509 certificates, which allows remote attackers to successfully present a certificate that is (1) not yet valid or (2) no longer valid, related to lack of time checks in the…
- CVE-2009-1416Apr 30, 2009risk 0.03cvss —epss 0.04
lib/gnutls_pk.c in libgnutls in GnuTLS 2.5.0 through 2.6.5 generates RSA keys stored in DSA structures, instead of the intended DSA keys, which might allow remote attackers to spoof signatures on certificates or have unspecified other impact by leveraging an invalid DSA key.
- CVE-2009-1415Apr 30, 2009risk 0.04cvss —epss 0.08
lib/pk-libgcrypt.c in libgnutls in GnuTLS before 2.6.6 does not properly handle invalid DSA signatures, which allows remote attackers to cause a denial of service (application crash) and possibly have unspecified other impact via a malformed DSA key that triggers a (1) free of…
- CVE-2009-1348Apr 30, 2009risk 0.00cvss —epss 0.03
The AV engine before DAT 5600 in McAfee VirusScan, Total Protection, Internet Security, SecurityShield for Microsoft ISA Server, Security for Microsoft Sharepoint, Security for Email Servers, Email Gateway, and Active Virus Defense allows remote attackers to bypass virus…
- CVE-2009-1341Apr 30, 2009risk 0.00cvss —epss 0.02
Memory leak in the dequote_bytea function in quote.c in the DBD::Pg (aka DBD-Pg or libdbd-pg-perl) module before 2.0.0 for Perl allows context-dependent attackers to cause a denial of service (memory consumption) by fetching data with BYTEA columns.
- CVE-2009-1339Apr 30, 2009risk 0.00cvss —epss 0.01
Cross-site request forgery (CSRF) vulnerability in TWiki before 4.3.1 allows remote authenticated users to hijack the authentication of arbitrary users for requests that update pages, as demonstrated by a URL for a save script in the SRC attribute of an IMG element, a related…
- CVE-2009-1295Apr 30, 2009risk 0.00cvss —epss 0.00
Apport before 0.108.4 on Ubuntu 8.04 LTS, before 0.119.2 on Ubuntu 8.10, and before 1.0-0ubuntu5.2 on Ubuntu 9.04 does not properly remove files from the application's crash-report directory, which allows local users to delete arbitrary files via unspecified vectors.
- CVE-2009-1291Apr 30, 2009risk 0.01cvss —epss 0.06
Stack-based buffer overflow in TIBCO SmartSockets before 6.8.2, SmartSockets Product Family (aka RTworks) before 4.0.5, and Enterprise Message Service (EMS) 4.0.0 through 5.1.1, as used in SmartSockets Server and RTworks Server (aka RTserver), SmartSockets client libraries and…
- CVE-2009-1255Apr 30, 2009risk 0.00cvss —epss 0.02
The process_stat function in (1) Memcached before 1.2.8 and (2) MemcacheDB 1.2.0 discloses (a) the contents of /proc/self/maps in response to a stats maps command and (b) memory-allocation statistics in response to a stats malloc command, which allows remote attackers to obtain…
- CVE-2009-0663Apr 30, 2009risk 0.00cvss —epss 0.04
Heap-based buffer overflow in the DBD::Pg (aka DBD-Pg or libdbd-pg-perl) module 1.49 for Perl might allow context-dependent attackers to execute arbitrary code via unspecified input to an application that uses the getline and pg_getline functions to read database rows.
- CVE-2009-1489Apr 29, 2009risk 0.03cvss —epss 0.03
includes/user.php in Fungamez RC1 allows remote attackers to bypass authentication and gain administrative access by setting the user cookie parameter.
- CVE-2009-1488Apr 29, 2009risk 0.03cvss —epss 0.02
Directory traversal vulnerability in admin/load.php in FunGamez RC1 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the module parameter to index.php.
- CVE-2009-1487Apr 29, 2009risk 0.03cvss —epss 0.01
SQL injection vulnerability in pages/login.php in FunGamez RC1 allows remote attackers to execute arbitrary SQL commands via the login_user (aka username) parameter. NOTE: some of these details are obtained from third party information.
- CVE-2009-1486Apr 29, 2009risk 0.03cvss —epss 0.02
Directory traversal vulnerability in pmscript.php in Flatchat 3.0 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the with parameter.
- CVE-2009-1485Apr 29, 2009risk 0.00cvss —epss 0.01
The logging feature in eMule Plus before 1.2e allows remote attackers to cause a denial of service (infinite loop) via unspecified attack vectors.
- CVE-2009-1484Apr 29, 2009risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in the web mail interface feature in AXIGEN Mail Server 6.2.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving e-mail messages. NOTE: the provenance of this information is unknown; the…
- CVE-2009-1483Apr 29, 2009risk 0.03cvss —epss 0.04
Unrestricted file upload vulnerability in upload-file.php in Adam Patterson Studio Lounge Address Book 2.5, as reachable from index2.php, allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to…
- CVE-2009-1482Apr 29, 2009risk 0.00cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in action/AttachFile.py in MoinMoin 1.8.2 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) an AttachFile sub-action in the error_msg function or (2) multiple vectors related to package file…
- CVE-2009-1481Apr 29, 2009risk 0.00cvss —epss 0.01
SQL injection vulnerability in action.asp in PuterJam's Blog (PJBlog3) 3.0.6.170 allows remote attackers to execute arbitrary SQL commands via the cname parameter in a checkAlias action, as exploited in the wild in April 2009. NOTE: the provenance of this information is…
- CVE-2009-1480Apr 29, 2009risk 0.03cvss —epss 0.01
SQL injection vulnerability in index.php Pragyan CMS 2.6.4 allows remote attackers to execute arbitrary SQL commands via the fileget parameter in a view action and other unspecified vectors.
- CVE-2008-6774Apr 29, 2009risk 0.00cvss —epss 0.02
internettoolbar/edit.php in YourPlace 1.0.2 and earlier does not end execution when an invalid username is detected, which allows remote attackers to bypass intended restrictions and edit toolbar settings via an invalid username. NOTE: the provenance of this information is…
- CVE-2008-6773Apr 29, 2009risk 0.03cvss —epss 0.02
Static code injection vulnerability in user/internettoolbar/edit.php in YourPlace 1.0.2 and earlier allows remote authenticated users to execute arbitrary PHP code into user/internettoolbar/index.php via the (1) fav1_url, (2) fav1_name, (3) fav2_url, (4) fav2_name, (5) fav3_url,…
- CVE-2008-6772Apr 29, 2009risk 0.03cvss —epss 0.02
login/register_form.php in YourPlace 1.0.2 and earlier does not check that a username already exists when a new account is created, which allows remote attackers to bypass intended access restrictions by registering a new account with the username of a target user.
- CVE-2008-6771Apr 29, 2009risk 0.03cvss —epss 0.06
YourPlace 1.0.2 and earlier allows remote attackers to obtain sensitive system information via a direct request via a direct request to user/uploads/phpinfo.php, which calls the phpinfo function.
- CVE-2008-6770Apr 29, 2009risk 0.03cvss —epss 0.06
YourPlace 1.0.2 and earlier stores sensitive information under the web root with insufficient access control, which allows remote attackers to a database containing user credentials via a direct request for users.txt.
- CVE-2008-6769Apr 29, 2009risk 0.03cvss —epss 0.05
Unrestricted file upload vulnerability in upload.php in YourPlace 1.0.2 and earlier allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file.
- CVE-2008-6768Apr 29, 2009risk 0.03cvss —epss 0.04
Unrestricted file upload vulnerability in admin/editor/images.php in K&S Shopsoftware allows remote attackers to execute arbitrary PHP code by uploading a file with an executable extension, then accessing it via a direct request to the file in images/upload/.
- CVE-2009-1478Apr 29, 2009risk 0.03cvss —epss 0.01
Multiple unspecified vulnerabilities in the DTrace ioctl handlers in Sun Solaris 10, and OpenSolaris before snv_114, allow local users to cause a denial of service (panic) via unknown vectors.
- CVE-2009-1431Apr 29, 2009risk 0.01cvss —epss 0.08
XFR.EXE in the Intel File Transfer service in the console in Symantec Alert Management System 2 (AMS2), as used in Symantec System Center (SSS); Symantec AntiVirus Server; Symantec AntiVirus Central Quarantine Server; Symantec AntiVirus (SAV) Corporate Edition 9 before 9.0 MR7,…
- CVE-2009-1430Apr 29, 2009risk 0.07cvss —epss 0.55
Multiple stack-based buffer overflows in IAO.EXE in the Intel Alert Originator Service in Symantec Alert Management System 2 (AMS2), as used in Symantec System Center (SSS); Symantec AntiVirus Server; Symantec AntiVirus Central Quarantine Server; Symantec AntiVirus (SAV)…
- CVE-2009-1429Apr 29, 2009risk 0.10cvss —epss 0.88
The Intel LANDesk Common Base Agent (CBA) in Symantec Alert Management System 2 (AMS2), as used in Symantec System Center (SSS); Symantec AntiVirus Server; Symantec AntiVirus Central Quarantine Server; Symantec AntiVirus (SAV) Corporate Edition 9 before 9.0 MR7, 10.0 and 10.1…
- CVE-2009-1428Apr 29, 2009risk 0.00cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in ccLgView.exe in the Symantec Log Viewer, as used in Symantec AntiVirus (SAV) before 10.1 MR8, Symantec Endpoint Protection (SEP) 11.0 before 11.0 MR1, Norton 360 1.0, and Norton Internet Security 2005 through 2008, allow…
- CVE-2009-0719Apr 29, 2009risk 0.00cvss —epss 0.00
Unspecified vulnerability in useradd in HP HP-UX B.11.11, B.11.23, and B.11.31 allows local users to access arbitrary files and directories via unknown vectors, a different issue than CVE-2008-1660.
- CVE-2009-1463Apr 28, 2009risk 0.00cvss —epss 0.02
Static code injection vulnerability in razorCMS before 0.4 allows remote attackers to inject arbitrary PHP code into any page by saving content as a .php file.
- CVE-2009-1462Apr 28, 2009risk 0.00cvss —epss 0.00
The Security Manager in razorCMS before 0.4 does not verify the permissions of every file owned by the apache user account, which is inconsistent with the documentation and allows local users to have an unspecified impact.
- CVE-2009-1461Apr 28, 2009risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in the Create New Page form in razorCMS 0.3 RC2 and earlier allows remote authenticated users to inject arbitrary web script or HTML via the Page Title field.
- CVE-2009-1460Apr 28, 2009risk 0.00cvss —epss 0.00
razorCMS before 0.4 uses weak permissions for (1) admin/core/admin_config.php, which allows local users to obtain the administrator's password hash and FTP user credentials; and (2) the root directory, (3) datastore/, and (4) admin/core/, which allows local users to have an…
- CVE-2009-1459Apr 28, 2009risk 0.00cvss —epss 0.01
Cross-site request forgery (CSRF) vulnerability in razorCMS before 0.4 allows remote attackers to hijack the authentication of administrators for requests that create a web page containing PHP code.
- CVE-2009-1458Apr 28, 2009risk 0.03cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in admin/index.php in razorCMS before 0.4 allow remote attackers to inject arbitrary web script or HTML via (1) the slab parameter in an edit action, (2) the catname parameter in a showcats action, and (3) the cat parameter in…
- CVE-2009-1457Apr 28, 2009risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in player.php in Nuke Evolution Xtreme 2.x allows remote attackers to inject arbitrary web script or HTML via the defaultVisualExt parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third…
- CVE-2009-1456Apr 28, 2009risk 0.03cvss —epss 0.02
Directory traversal vulnerability in admin.php in Malleo 1.2.3 allows remote authenticated administrators to include and execute arbitrary local files via a .. (dot dot) in the module parameter.
- CVE-2009-1455Apr 28, 2009risk 0.00cvss —epss 0.01
Multiple cross-site request forgery (CSRF) vulnerabilities in WebCollab before 2.50 (aka Billy Goat) allow remote attackers to hijack the authentication of administrators for requests that change an arbitrary password or have other unspecified impact.
- CVE-2009-1454Apr 28, 2009risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in tasks.php in WebCollab before 2.50 (aka Billy Goat) allows remote attackers to inject arbitrary web script or HTML via the selection parameter in a todo action.
- CVE-2009-1453Apr 28, 2009risk 0.03cvss —epss 0.01
SQL injection vulnerability in class.eport.php in Tiny Blogr 1.0.0 rc4, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the txtUsername parameter (aka the Username field). NOTE: some of these details are obtained from third party…
- CVE-2009-1452Apr 28, 2009risk 0.03cvss —epss 0.02
Multiple PHP remote file inclusion vulnerabilities in theme/format.php in SMA-DB 0.3.13 allow remote attackers to execute arbitrary PHP code via a URL in the (1) _page_css and (2) _page_javascript parameters. NOTE: the _page_content vector is already is covered by CVE-2009-1450.
- CVE-2008-6767Apr 28, 2009risk 0.00cvss —epss 0.05
wp-admin/upgrade.php in WordPress, probably 2.6.x, allows remote attackers to upgrade the application, and possibly cause a denial of service (application outage), via a direct request.
- CVE-2008-6766Apr 28, 2009risk 0.00cvss —epss 0.01
cart_save.php in ViArt Shop (aka Shopping Cart) 3.5 allows remote attackers to cause a denial of service (excessive shopping carts) via a flood of requests.
- CVE-2008-6765Apr 28, 2009risk 0.03cvss —epss 0.02
ViArt Shop (aka Shopping Cart) 3.5 allows remote attackers to access the contents of an arbitrary shopping cart via a modified cart_name parameter.