Search
Total
5300 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2008-5130 | 1 Ocean12 Technologies | 1 Calendar Manager | 2017-08-08 | 5.0 MEDIUM | N/A |
| Ocean12 Calendar Manager Gold 2.04 stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain sensitive information via a direct request to o12cal.mdb. | |||||
| CVE-2008-5129 | 1 Ocean12 Technologies | 1 Poll Manager | 2017-08-08 | 5.0 MEDIUM | N/A |
| Ocean12 Poll Manager Pro 1.00 stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain sensitive information via a direct request to o12poll.mdb. | |||||
| CVE-2008-5128 | 1 Ocean12 Technologies | 1 Membership Manager Pro | 2017-08-08 | 5.0 MEDIUM | N/A |
| Ocean12 Membership Manager Pro stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain sensitive information via a direct request to o12member.mdb. | |||||
| CVE-2008-5041 | 1 Sweex | 1 Ro002 Router | 2017-08-08 | 7.5 HIGH | N/A |
| Sweex RO002 Router with firmware Ts03-072 has "rdc123" as its default password for the "rdc123" account, which makes it easier for remote attackers to obtain access. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | |||||
| CVE-2008-4992 | 1 Sun | 13 Blade T6300 Server, Blade T6320 Server, Fire Enterprise Server T1000 and 10 more | 2017-08-08 | 4.6 MEDIUM | N/A |
| The SPARC hypervisor in Sun System Firmware 6.6.3 through 6.6.5 and 7.1.3 through 7.1.3.e on UltraSPARC T1, T2, and T2+ processors allows logical domain users to access memory in other logical domains via unknown vectors. | |||||
| CVE-2009-0169 | 1 Sun | 1 Java System Access Manager | 2017-08-08 | 9.0 HIGH | N/A |
| Sun Java System Access Manager 7.1 allows remote authenticated sub-realm administrators to gain privileges, as demonstrated by creating the amadmin account in the sub-realm, and then logging in as amadmin in the root realm. | |||||
| CVE-2009-0436 | 1 Ibm | 1 Websphere Application Server | 2017-08-08 | 7.2 HIGH | N/A |
| The (1) mod_ibm_ssl and (2) mod_cgid modules in IBM HTTP Server 6.0.x before 6.0.2.31 and 6.1.x before 6.1.0.19, as used in WebSphere Application Server (WAS), set incorrect permissions for AF_UNIX sockets, which has unknown impact and local attack vectors. | |||||
| CVE-2009-0439 | 1 Ibm | 1 Websphere Mq | 2017-08-08 | 7.2 HIGH | N/A |
| Unspecified vulnerability in the queue manager in IBM WebSphere MQ (WMQ) 5.3, 6.0 before 6.0.2.6, and 7.0 before 7.0.0.2 allows local users to gain privileges via vectors related to the (1) setmqaut, (2) dmpmqaut, and (3) dspmqaut authorization commands. | |||||
| CVE-2009-0419 | 1 Microsoft | 1 Xml Core Services | 2017-08-08 | 5.0 MEDIUM | N/A |
| Microsoft XML Core Services, as used in Microsoft Expression Web, Office, Internet Explorer 6 and 7, and other products, does not properly restrict access from web pages to Set-Cookie2 HTTP response headers, which allows remote attackers to obtain sensitive information from cookies via XMLHttpRequest calls, related to the HTTPOnly protection mechanism. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2008-4033. | |||||
| CVE-2009-0438 | 2 Ibm, Microsoft | 2 Websphere Application Server, Windows | 2017-08-08 | 5.0 MEDIUM | N/A |
| IBM WebSphere Application Server (WAS) 7 before 7.0.0.1 on Windows allows remote attackers to bypass "Authorization checking" and obtain sensitive information from JSP pages via a crafted request. NOTE: this is probably a duplicate of CVE-2008-5412. | |||||
| CVE-2009-0411 | 1 Google | 1 Chrome | 2017-08-08 | 5.0 MEDIUM | N/A |
| Google Chrome before 1.0.154.46 does not properly restrict access from web pages to the (1) Set-Cookie and (2) Set-Cookie2 HTTP response headers, which allows remote attackers to obtain sensitive information from cookies via XMLHttpRequest calls and other web script. | |||||
| CVE-2009-0367 | 1 Wesnoth | 1 Wesnoth | 2017-08-08 | 9.3 HIGH | N/A |
| The Python AI module in Wesnoth 1.4.x and 1.5 before 1.5.11 allows remote attackers to escape the sandbox and execute arbitrary code by using a whitelisted module that imports an unsafe module, then using a hierarchical module name to access the unsafe module through the whitelisted module. | |||||
| CVE-2009-0240 | 1 Tigris | 1 Websvn | 2017-08-08 | 3.5 LOW | N/A |
| listing.php in WebSVN 2.0 and possibly 1.7 beta, when using an SVN authz file, allows remote authenticated users to read changelogs or diffs for restricted projects via a modified repname parameter. | |||||
| CVE-2009-0180 | 2 Nfs, Redhat | 2 Nfs-utils, Fedora | 2017-08-08 | 7.5 HIGH | N/A |
| Certain Fedora build scripts for nfs-utils before 1.1.2-9.fc9 on Fedora 9, and before 1.1.4-6.fc10 on Fedora 10, omit TCP Wrapper support, which might allow remote attackers to bypass intended access restrictions, possibly a related issue to CVE-2008-1376. | |||||
| CVE-2009-0141 | 1 Apple | 2 Mac Os X, Mac Os X Server | 2017-08-08 | 2.1 LOW | N/A |
| XTerm in Apple Mac OS X 10.4.11 and 10.5.6, when used with luit, creates tty devices with insecure world-writable permissions, which allows local users to write to the Xterm of another user. | |||||
| CVE-2008-4811 | 1 Smarty | 1 Smarty | 2017-08-08 | 7.5 HIGH | N/A |
| The _expand_quoted_text function in libs/Smarty_Compiler.class.php in Smarty 2.6.20 r2797 and earlier allows remote attackers to execute arbitrary PHP code via vectors related to templates and a \ (backslash) before a dollar-sign character. | |||||
| CVE-2008-4793 | 1 Drupal | 1 Drupal | 2017-08-08 | 7.5 HIGH | N/A |
| The node module API in Drupal 5.x before 5.11 allows remote attackers to bypass node validation and have unspecified other impact via unknown vectors related to contributed modules. | |||||
| CVE-2008-4790 | 1 Drupal | 1 Drupal | 2017-08-08 | 6.0 MEDIUM | N/A |
| The core upload module in Drupal 5.x before 5.11 allows remote authenticated users to bypass intended access restrictions and read "files attached to content" via unknown vectors. | |||||
| CVE-2008-4676 | 1 Citrix | 3 Access Essentials, Presentation Server, Xenapp | 2017-08-08 | 6.8 MEDIUM | N/A |
| Unspecified vulnerability in Citrix XenApp (formerly Presentation Server) 4.5 Feature Pack 1 and earlier, Presentation Server 4.0, and Access Essentials 1.0, 1.5, and 2.0 allows local users to gain privileges via unknown attack vectors related to creating an unspecified file. NOTE: this might be the same issue as CVE-2008-3485, but the vendor advisory is too vague to be certain. | |||||
| CVE-2008-4597 | 1 Drupal | 1 Shindig-integrator | 2017-08-08 | 7.5 HIGH | N/A |
| Shindig-Integrator 5.x, a module for Drupal, does not properly restrict generated page access, which allows remote attackers to gain privileges via unspecified vectors. | |||||
| CVE-2008-4789 | 1 Drupal | 1 Drupal | 2017-08-08 | 6.0 MEDIUM | N/A |
| The validation functionality in the core upload module in Drupal 6.x before 6.5 allows remote authenticated users to bypass intended access restrictions and "attach files to content," related to a "logic error." | |||||
| CVE-2008-4581 | 1 Ibm | 1 Enovia Smarteam | 2017-08-08 | 4.0 MEDIUM | N/A |
| The Editor in IBM ENOVIA SmarTeam 5 before release 18 SP5, and release 19 before SP01, allows remote authenticated users to bypass intended access restrictions and read Document objects via the Workflow Process (aka Flow Process) view. | |||||
| CVE-2008-4545 | 1 Cisco | 1 Unity | 2017-08-08 | 4.0 MEDIUM | N/A |
| Cisco Unity 4.x before 4.2(1)ES161, 5.x before 5.0(1)ES53, and 7.x before 7.0(2)ES8 uses weak permissions for the D:\CommServer\Reports directory, which allows remote authenticated users to obtain sensitive information by reading files in this directory. | |||||
| CVE-2008-4507 | 1 Ibm | 1 Lotus Quickr | 2017-08-08 | 7.5 HIGH | N/A |
| Unspecified vulnerability in IBM Lotus Quickr 8.1 before Fix pack 1 (8.1.0.1) allows editors to delete pages that were created by a different author via unknown vectors. | |||||
| CVE-2008-4506 | 1 Ibm | 1 Lotus Quickr | 2017-08-08 | 7.5 HIGH | N/A |
| Unspecified vulnerability in IBM Lotus Quickr 8.1 before Fix pack 1 (8.1.0.1) allows a place manager to "demote or delete a place superuser group" via unknown vectors. | |||||
| CVE-2008-4414 | 1 Hp | 1 Tru64 | 2017-08-08 | 7.2 HIGH | N/A |
| Unspecified vulnerability in the AdvFS showfile command in HP Tru64 UNIX 5.1B-3 and 5.1B-4 allows local users to gain privileges via unspecified vectors. | |||||
| CVE-2008-4413 | 1 Hp | 2 Hp-ux, System Management Homepage | 2017-08-08 | 6.2 MEDIUM | N/A |
| Unspecified vulnerability in HP System Management Homepage (SMH) 2.2.6 and earlier on HP-UX B.11.11 and B.11.23, and SMH 2.2.6 and 2.2.8 and earlier on HP-UX B.11.23 and B.11.31, allows local users to gain "unauthorized access" via unknown vectors, possibly related to temporary file permissions. | |||||
| CVE-2008-4698 | 1 Opera | 1 Opera Browser | 2017-08-08 | 5.8 MEDIUM | N/A |
| Opera before 9.61 does not properly block scripts during preview of a news feed, which allows remote attackers to create arbitrary new feed subscriptions and read the contents of arbitrary feeds. | |||||
| CVE-2008-4339 | 1 Symantec | 2 Netbackup Enterprise Server, Netbackup Server | 2017-08-08 | 6.5 MEDIUM | N/A |
| Unspecified vulnerability in the Java Administration GUI (jnbSA) in Symantec Veritas NetBackup Server and NetBackup Enterprise Server 5.1 before MP7, 6.0 before MP7, and 6.5 before 6.5.2 allows remote authenticated users to gain privileges via unknown attack vectors related to "bpjava* binaries." | |||||
| CVE-2008-4294 | 1 Ibm | 1 Tivoli Netcool Webtop | 2017-08-08 | 7.2 HIGH | N/A |
| IBM Tivoli Netcool/Webtop 2.1 before 2.1.0.5 preserves cached user privileges after logout, which allows physically proximate attackers to hijack a session by visiting an unattended workstation, as demonstrated by a root session that is still valid after a subsequent read-only session has begun. | |||||
| CVE-2008-4234 | 1 Apple | 2 Mac Os X, Mac Os X Server | 2017-08-08 | 9.3 HIGH | N/A |
| Incomplete blacklist vulnerability in the Quarantine feature in CoreTypes in Apple Mac OS X 10.5 before 10.5.6 allows user-assisted remote attackers to execute arbitrary code via an executable file with the content type indicating no application association for the file, which does not trigger a "potentially unsafe" warning message. | |||||
| CVE-2008-4195 | 1 Opera | 1 Opera Browser | 2017-08-08 | 5.0 MEDIUM | N/A |
| Opera before 9.52 does not properly restrict the ability of a framed web page to change the address associated with a different frame, which allows remote attackers to trigger the display of an arbitrary address in a frame via unspecified use of web script. | |||||
| CVE-2008-4215 | 1 Apple | 1 Mac Os X Server | 2017-08-08 | 7.5 HIGH | N/A |
| Weblog in Mac OS X Server 10.4.11 does not properly check an error condition when a weblog posting access control list is specified for a user that has multiple short names, which might allow attackers to bypass intended access restrictions. | |||||
| CVE-2008-4214 | 1 Apple | 2 Mac Os X, Mac Os X Server | 2017-08-08 | 4.6 MEDIUM | N/A |
| Unspecified vulnerability in Script Editor in Mac OS X 10.4.11 and 10.5.5 allows local users to cause the scripting dictionary to be written to arbitrary locations, related to an "insecure file operation" on temporary files. | |||||
| CVE-2008-4153 | 1 Drupal | 1 Talk | 2017-08-08 | 5.0 MEDIUM | N/A |
| The Talk module 5.x before 5.x-1.3 and 6.x before 6.x-1.5, a module for Drupal, does not perform access checks for a node before displaying comments, which allows remote attackers to obtain sensitive information. | |||||
| CVE-2008-4109 | 2 Debian, Openbsd | 2 Linux, Openssh | 2017-08-08 | 5.0 MEDIUM | N/A |
| A certain Debian patch for OpenSSH before 4.3p2-9etch3 on etch; before 4.6p1-1 on sid and lenny; and on other distributions such as SUSE uses functions that are not async-signal-safe in the signal handler for login timeouts, which allows remote attackers to cause a denial of service (connection slot exhaustion) via multiple login attempts. NOTE: this issue exists because of an incorrect fix for CVE-2006-5051. | |||||
| CVE-2008-3972 | 2 Opensc-project, Siemens | 2 Opensc, Cardos | 2017-08-08 | 6.6 MEDIUM | N/A |
| pkcs15-tool in OpenSC before 0.11.6 does not apply security updates to a smart card unless the card's label matches the "OpenSC" string, which might allow physically proximate attackers to exploit vulnerabilities that the card owner expected were patched, as demonstrated by exploitation of CVE-2008-2235. | |||||
| CVE-2008-3970 | 1 Pam Mount | 1 Pam Mount | 2017-08-08 | 6.9 MEDIUM | N/A |
| pam_mount 0.10 through 0.45, when luserconf is enabled, does not verify mountpoint and source ownership before mounting a user-defined volume, which allows local users to bypass intended access restrictions via a local mount. | |||||
| CVE-2008-3920 | 1 Bitlbee | 1 Bitlbee | 2017-08-08 | 7.5 HIGH | N/A |
| Unspecified vulnerability in BitlBee before 1.2.2 allows remote attackers to "recreate" and "hijack" existing accounts via unspecified vectors. | |||||
| CVE-2008-3890 | 2 Amd, Freebsd | 2 Amd64, Freebsd | 2017-08-08 | 7.2 HIGH | N/A |
| The kernel in FreeBSD 6.3 through 7.0 on amd64 platforms can make an extra swapgs call after a General Protection Fault (GPF), which allows local users to gain privileges by triggering a GPF during the kernel's return from (1) an interrupt, (2) a trap, or (3) a system call. | |||||
| CVE-2008-3858 | 1 Ibm | 1 Db2 Universal Database | 2017-08-08 | 4.3 MEDIUM | N/A |
| The Downlevel DB2RA Support component in IBM DB2 9.1 before Fixpak 4a allows remote attackers to cause a denial of service (instance crash) via a crafted CONNECT data stream that simulates a V7 client connect request. | |||||
| CVE-2008-3856 | 1 Ibm | 1 Db2 Universal Database | 2017-08-08 | 7.5 HIGH | N/A |
| The routine infrastructure component in IBM DB2 8 before FP17, 9.1 before FP5, and 9.5 before FP1 on Unix and Linux does not change the ownership of the db2fmp process, which has unknown impact and attack vectors. | |||||
| CVE-2008-3855 | 1 Ibm | 1 Db2 Universal Database | 2017-08-08 | 4.6 MEDIUM | N/A |
| Unspecified vulnerability in the DB2 Administration Server (DAS) in the Core DAS function component in IBM DB2 9.1 before Fixpak 5 allows local users to gain privileges, aka a "FILE CREATION VULNERABILITY." NOTE: this may be the same as CVE-2007-5664. | |||||
| CVE-2008-3836 | 1 Mozilla | 1 Firefox | 2017-08-08 | 7.5 HIGH | N/A |
| feedWriter in Mozilla Firefox before 2.0.0.17 allows remote attackers to execute scripts with chrome privileges via vectors related to feed preview and the (1) elem.doCommand, (2) elem.dispatchEvent, (3) _setTitleText, (4) _setTitleImage, and (5) _initSubscriptionUI functions. | |||||
| CVE-2008-3789 | 1 Samba | 1 Samba | 2017-08-08 | 2.1 LOW | N/A |
| Samba 3.2.0 uses weak permissions (0666) for the (1) group_mapping.tdb and (2) group_mapping.ldb files, which allows local users to modify the membership of Unix groups. | |||||
| CVE-2008-3778 | 1 Avaya | 3 Communication Manager, S8300c Server, Sip Enablement Services | 2017-08-08 | 7.5 HIGH | N/A |
| The remote management interface in SIP Enablement Services (SES) Server in Avaya SIP Enablement Services 5.0, and Communication Manager (CM) 5.0 on the S8300C with SES enabled, proceeds with Core router updates even when a login is invalid, which allows remote attackers to cause a denial of service (messaging outage) or gain privileges via an update request. | |||||
| CVE-2008-3747 | 1 Wordpress | 1 Wordpress | 2017-08-08 | 7.5 HIGH | N/A |
| The (1) get_edit_post_link and (2) get_edit_comment_link functions in wp-includes/link-template.php in WordPress before 2.6.1 do not force SSL communication in the intended situations, which might allow remote attackers to gain administrative access by sniffing the network for a cookie. | |||||
| CVE-2008-3745 | 1 Drupal | 2 Drupal, Upload Module | 2017-08-08 | 5.5 MEDIUM | N/A |
| The Upload module in Drupal 6.x before 6.4 allows remote authenticated users to edit nodes, delete files, and download unauthorized attachments via unspecified vectors. | |||||
| CVE-2008-3742 | 1 Drupal | 1 Drupal | 2017-08-08 | 6.5 MEDIUM | N/A |
| Unrestricted file upload vulnerability in the BlogAPI module in Drupal 5.x before 5.10 and 6.x before 6.4 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, which is not validated. | |||||
| CVE-2008-3728 | 1 Microworld Technologies | 1 Mailscan | 2017-08-08 | 5.0 MEDIUM | N/A |
| Web Based Administration in MicroWorld Technologies MailScan 5.6.a espatch 1 stores sensitive information under the web root with insufficient access control, which allows remote attackers to determine the installation path, IP addresses, and error messages via direct requests to files under LOG/. | |||||