Search
Total
201818 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2009-4365 | 1 Scriptsez | 1 Ez Blog | 2017-08-17 | 4.3 MEDIUM | N/A |
| Multiple cross-site request forgery (CSRF) vulnerabilities in admin.php in ScriptsEz Ez Blog 1.0 allow remote attackers to hijack the authentication of administrators for requests that (1) add a blog via the add_blog action, (2) approve a comment via the approve_comment action, (3) change administrator information including the password via the admin_opt action, and (4) delete a blog via the delete action. | |||||
| CVE-2009-4366 | 1 Scriptsez | 1 Ez Blog | 2017-08-17 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in index.php in ScriptsEz Ez Blog 1.0 allows remote attackers to inject arbitrary web script or HTML via the yr parameter in a bmonth action. | |||||
| CVE-2009-4368 | 1 Merethis | 1 Centreon | 2017-08-17 | 10.0 HIGH | N/A |
| Multiple unspecified vulnerabilities in Centreon before 2.1.4 have unknown impact and attack vectors in the (1) ping tool, (2) traceroute tool, and (3) ldap import, possibly related to improper authentication. | |||||
| CVE-2009-4369 | 1 Drupal | 1 Drupal | 2017-08-17 | 3.5 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in the Contact module (modules/contact/contact.admin.inc or modules/contact/contact.module) in Drupal Core 5.x before 5.21 and 6.x before 6.15 allows remote authenticated users with "administer site-wide contact form" permissions to inject arbitrary web script or HTML via the contact category name. | |||||
| CVE-2009-4370 | 1 Drupal | 1 Drupal | 2017-08-17 | 3.5 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in the Menu module (modules/menu/menu.admin.inc) in Drupal Core 6.x before 6.15 allows remote authenticated users with permissions to create new menus to inject arbitrary web script or HTML via a menu description, which is not properly handled in the menu administration overview. | |||||
| CVE-2009-4371 | 1 Drupal | 1 Drupal | 2017-08-17 | 3.5 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in the Locale module (modules/locale/locale.module) in Drupal Core 6.14, and possibly other versions including 6.15, allows remote authenticated users with "administer languages" permissions to inject arbitrary web script or HTML via the (1) Language name in English or (2) Native language name fields in the Custom language form. | |||||
| CVE-2009-4372 | 1 Alienvault | 1 Open Source Security Information Management | 2017-08-17 | 7.5 HIGH | N/A |
| AlienVault Open Source Security Information Management (OSSIM) 2.1.5, and possibly other versions before 2.1.5-4, allows remote attackers to execute arbitrary commands via shell metacharacters in the uniqueid parameter to (1) wcl.php, (2) storage_graphs.php, (3) storage_graphs2.php, (4) storage_graphs3.php, and (5) storage_graphs4.php in sem/. | |||||
| CVE-2009-4381 | 1 Texmedia | 1 Million Pixel Script | 2017-08-17 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in index.php in texmedia Million Pixel Script 3 allows remote attackers to inject arbitrary web script or HTML via the pa parameter. NOTE: some of these details are obtained from third party information. | |||||
| CVE-2009-4404 | 1 Jochen Striepe | 1 T-prot | 2017-08-17 | 4.3 MEDIUM | N/A |
| Unspecified vulnerability in t-prot (TOFU Protection) before 2.8 allows remote attackers to cause a denial of service via unspecified vectors related to the "--maxlines" option and a crafted email message. NOTE: some of these details are obtained from third party information. | |||||
| CVE-2009-4405 | 1 Edgewall | 1 Trac | 2017-08-17 | 7.5 HIGH | N/A |
| Multiple unspecified vulnerabilities in Trac before 0.11.6 have unknown impact and attack vectors, possibly related to (1) "policy checks in report results when using alternate formats" or (2) a "check for the 'raw' role that is missing in docutils < 0.6." | |||||
| CVE-2009-4411 | 1 Xfs | 1 Acl | 2017-08-17 | 3.7 LOW | N/A |
| The (1) setfacl and (2) getfacl commands in XFS acl 2.2.47, when running in recursive (-R) mode, follow symbolic links even when the --physical (aka -P) or -L option is specified, which might allow local users to modify the ACL for arbitrary files or directories via a symlink attack. | |||||
| CVE-2009-4412 | 1 S9y | 1 Serendipity | 2017-08-17 | 6.0 MEDIUM | N/A |
| Unrestricted file upload vulnerability in Serendipity before 1.5 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension followed by a safe extension, then accessing it via a direct request to the file in an unspecified directory. NOTE: some of these details are obtained from third party information. | |||||
| CVE-2009-4414 | 1 Phpgroupware | 1 Phpgroupware | 2017-08-17 | 6.8 MEDIUM | N/A |
| SQL injection vulnerability in phpgwapi /inc/class.auth_sql.inc.php in phpGroupWare 0.9.16.12, and possibly other versions before 0.9.16.014, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the passwd parameter to login.php. | |||||
| CVE-2009-4415 | 1 Phpgroupware | 1 Phpgroupware | 2017-08-17 | 7.5 HIGH | N/A |
| Multiple directory traversal vulnerabilities in phpGroupWare 0.9.16.12, and possibly other versions before 0.9.16.014, allow remote attackers to (1) read arbitrary files via the csvfile parameter to addressbook/csv_import.php, or (2) include and execute arbitrary local files via the conv_type parameter in addressbook/inc/class.uiXport.inc.php. | |||||
| CVE-2009-4416 | 1 Phpgroupware | 1 Phpgroupware | 2017-08-17 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in login.php in phpGroupWare 0.9.16.12, and possibly other versions before 0.9.16.014, allows remote attackers to inject arbitrary web script or HTML via an arbitrary parameter whose name begins with the "phpgw_" sequence. | |||||
| CVE-2009-4419 | 1 Intel | 5 Gm45 Chipset, Pm45 Express Chipset, Q35 Chipset and 2 more | 2017-08-17 | 7.2 HIGH | N/A |
| Intel Q35, GM45, PM45 Express, Q45, and Q43 Express chipsets in the SINIT Authenticated Code Module (ACM), which allows local users to bypass the Trusted Execution Technology protection mechanism and gain privileges by modifying the MCHBAR register to point to an attacker-controlled region, which prevents the SENTER instruction from properly applying VT-d protection while an MLE is being loaded. | |||||
| CVE-2009-4423 | 1 Weentech | 1 Weencompany | 2017-08-17 | 7.5 HIGH | N/A |
| SQL injection vulnerability in index.php in weenCompany 4.0.0 allows remote attackers to execute arbitrary SQL commands via the moduleid parameter. NOTE: some of these details are obtained from third party information. | |||||
| CVE-2009-4424 | 2 Imotta, Wordpress | 2 Pyrmont Plugin, Wordpress | 2017-08-17 | 7.5 HIGH | N/A |
| SQL injection vulnerability in results.php in the Pyrmont plugin 2 for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter. | |||||
| CVE-2009-4425 | 1 Idevspot | 1 Idevcart | 2017-08-17 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in index.php in iDevCart 1.09 allows remote attackers to inject arbitrary web script or HTML via the SEARCH parameter in a browse action. | |||||
| CVE-2009-4426 | 1 Launchpad | 1 Ignition | 2017-08-17 | 6.8 MEDIUM | N/A |
| Multiple directory traversal vulnerabilities in Ignition 1.2, when magic_quotes_gpc is disabled, allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the blog parameter to (1) comment.php and (2) view.php. | |||||
| CVE-2009-4428 | 2 Joomla, Joomplace | 2 Joomla, Com Joomportfolio | 2017-08-17 | 7.5 HIGH | N/A |
| SQL injection vulnerability in the JoomPortfolio (com_joomportfolio) component 1.0.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the secid parameter in a showcat action to index.php. | |||||
| CVE-2009-4429 | 2 Alexander Hass, Drupal | 2 Sections Module, Drupal | 2017-08-17 | 3.5 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in the Sections module 5.x before 5.x-1.3 and 6.x before 6.x-1.3 for Drupal allows remote authenticated users with "administer sections" privileges to inject arbitrary web script or HTML via a section name (aka the Name field). | |||||
| CVE-2009-4433 | 1 Idevspot | 1 Isupport | 2017-08-17 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in IDevSpot iSupport 1.8 and earlier allow remote attackers to inject arbitrary web script or HTML via the (a) 5 or (b) 9 field in a post action to ticket_function.php, reachable through ticket_submit.php and index.php; (c) the which parameter to function.php, or (d) the which parameter to index.php, related to knowledgebase_list.php. NOTE: some of these details are obtained from third party information. | |||||
| CVE-2009-4435 | 1 Compmaster.prv.pl | 1 F3site | 2017-08-17 | 6.8 MEDIUM | N/A |
| Multiple directory traversal vulnerabilities in F3Site 2009 allow remote attackers to include and execute arbitrary local files via directory traversal sequences in the GLOBALS[nlang] parameter to (1) mod/poll.php and (2) mod/new.php. | |||||
| CVE-2009-4436 | 1 Activewebsoftwares | 1 Ewebquiz | 2017-08-17 | 7.5 HIGH | N/A |
| Multiple SQL injection vulnerabilities in Active Web Softwares eWebquiz 8 allow remote attackers to execute arbitrary SQL commands via the QuizID parameter to (1) questions.asp, (2) importquestions.asp, and (3) quiztakers.asp, different vectors than CVE-2007-1706. | |||||
| CVE-2009-4437 | 1 Activewebsoftwares | 1 Active Auction House | 2017-08-17 | 7.5 HIGH | N/A |
| Multiple SQL injection vulnerabilities in Active Auction House 3.6 allow remote attackers to execute arbitrary SQL commands via the (1) catid parameter to wishlist.asp and the (2) linkid parameter to links.asp. NOTE: vector 1 might overlap CVE-2005-1029.1. | |||||
| CVE-2009-4445 | 1 Microsoft | 1 Internet Information Services | 2017-08-17 | 6.0 MEDIUM | N/A |
| Microsoft Internet Information Services (IIS), when used in conjunction with unspecified third-party upload applications, allows remote attackers to create empty files with arbitrary extensions via a filename containing an initial extension followed by a : (colon) and a safe extension, as demonstrated by an upload of a .asp:.jpg file that results in creation of an empty .asp file, related to support for the NTFS Alternate Data Streams (ADS) filename syntax. NOTE: it could be argued that this is a vulnerability in the third-party product, not IIS, because the third-party product should be applying its extension restrictions to the portion of the filename before the colon. | |||||
| CVE-2009-4446 | 1 Ikemcg | 1 Phpinstantgallery | 2017-08-17 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in admin.php in phpInstantGallery 1.1 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO. | |||||
| CVE-2009-4447 | 1 Jax Scripts | 1 Jax Guestbook | 2017-08-17 | 7.5 HIGH | N/A |
| Jax Guestbook 3.5.0 allows remote attackers to bypass authentication and modify administrator settings via a direct request to admin/guestbook.admin.php. | |||||
| CVE-2009-4453 | 1 Softcab | 1 Sound Converter Activex | 2017-08-17 | 8.8 HIGH | N/A |
| Insecure method vulnerability in SoftCab Sound Converter ActiveX control (sndConverter.ocx) 1.2 allows remote attackers to create or overwrite arbitrary files via the SaveFormat method. NOTE: some of these details are obtained from third party information. | |||||
| CVE-2009-4458 | 1 Freepbx | 1 Freepbx | 2017-08-17 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in FreePBX 2.5.2 and 2.6.0rc2, and possibly other versions, allow remote attackers to inject arbitrary web script or HTML via the (1) tech parameter to admin/admin/config.php during a trunks display action, the (2) description parameter during an Add Zap Channel action, and (3) unspecified vectors during an Add Recordings action. | |||||
| CVE-2009-4459 | 1 Redmine | 1 Redmine | 2017-08-17 | 4.3 MEDIUM | N/A |
| Redmine 0.8.7 and earlier uses the title tag before defining the character encoding in a meta tag, which allows remote attackers to conduct cross-site scripting (XSS) attacks and inject arbitrary script via UTF-7 encoded values in the title parameter to a new issue page, which may be interpreted as script by Internet Explorer 7 and 8. | |||||
| CVE-2009-4464 | 1 Activewebsoftwares | 1 Active Business Directory | 2017-08-17 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in searchadvance.asp in Active Business Directory 2 allows remote attackers to inject arbitrary web script or HTML via the search parameter. | |||||
| CVE-2009-4465 | 1 Deluxebb | 1 Deluxebb | 2017-08-17 | 7.5 HIGH | N/A |
| DeluxeBB 1.3 stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain user and configuration information, log data, and gain administrative access via a direct request to scripts in (1) templates/ including (2) templates/deluxe/admincp/, (3) templates/corporate/admincp/, and (4) templates/blue/admincp/; (5) images/; (6) logs/ including (7) logs/cp.php; (8) wysiwyg/; (9) docs/; (10) classes/; (11) lang/; and (12) settings/. | |||||
| CVE-2009-4466 | 1 Deluxebb | 1 Deluxebb | 2017-08-17 | 5.0 MEDIUM | N/A |
| DeluxeBB 1.3 allows remote attackers to obtain sensitive information via a crafted page parameter to misc.php, which reveals the installation path in an error message. NOTE: this issue might be resultant from improperly controlled computation in tools.php that leads to a denial of service (CPU or memory consumption). | |||||
| CVE-2009-4467 | 1 Deluxebb | 1 Deluxebb | 2017-08-17 | 4.0 MEDIUM | N/A |
| misc.php in DeluxeBB 1.3 allows remote attackers to register accounts without a valid email address via a valemail action with the valmem set to a pre-assigned user ID, which is visible from a memberlist action. | |||||
| CVE-2009-4468 | 1 Deluxebb | 1 Deluxebb | 2017-08-17 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in misc.php in DeluxeBB 1.3 allows remote attackers to inject arbitrary web script or HTML via the page parameter. | |||||
| CVE-2009-4469 | 1 Giombetti | 1 Phppowercards | 2017-08-17 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in pagenumber.inc.php in phpPowerCards 2.0 allow remote attackers to inject arbitrary web script or HTML via the (1) PATH_INFO, the (2) archiv parameter, and the (3) subcat parameter. | |||||
| CVE-2009-4473 | 1 Ektron | 1 Cms4000.net | 2017-08-17 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in WorkArea/ContentDesigner/ekformsiframe.aspx in Ektron CMS400.NET 7.6.1.53 and 7.6.6.47, and possibly 7.52 through 7.66sp2, allow remote attackers to inject arbitrary web script or HTML via the (1) css, (2) eca, (3) id, and (4) skin parameters. NOTE: some of these details are obtained from third party information. | |||||
| CVE-2009-4486 | 1 Novell | 1 Imanager | 2017-08-17 | 7.5 HIGH | N/A |
| Stack-based buffer overflow in the eDirectory plugin in Novell iManager before 2.7.3 allows remote attackers to execute arbitrary code via vectors that trigger long arguments to an unspecified sub-application, related to importing and exporting from a schema. | |||||
| CVE-2009-4512 | 1 Indymedia | 1 Oscailt | 2017-08-17 | 5.1 MEDIUM | N/A |
| Directory traversal vulnerability in index.php in Oscailt 3.3, when Use Friendly URL's is disabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the obj_id parameter. | |||||
| CVE-2009-4513 | 2 Drupal, John Vandyk | 2 Drupal, Workflow | 2017-08-17 | 3.5 LOW | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in the Workflow module 5.x before 5.x-2.4 and 6.x before 6.x-1.2, a module for Drupal, allow remote authenticated users, with "administer workflow" privileges, to inject arbitrary web script or HTML via the name of a (1) workflow or (2) workflow state. | |||||
| CVE-2009-4519 | 1 Ortro | 1 Ortro | 2017-08-17 | 10.0 HIGH | N/A |
| Multiple unspecified vulnerabilities in Ortro before 1.3.4 have unknown impact and attack vectors. | |||||
| CVE-2009-4522 | 1 Bloofox | 1 Bloofoxcms | 2017-08-17 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in search.5.html in BloofoxCMS 0.3.5 allows remote attackers to inject arbitrary web script or HTML via the search parameter to index.php. NOTE: some of these details are obtained from third party information. | |||||
| CVE-2009-4523 | 1 Zainu | 1 Zainu | 2017-08-17 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in index.php in Zainu 1.0 allows remote attackers to inject arbitrary web script or HTML via the searchSongKeyword parameter in a SearchSong action. | |||||
| CVE-2009-4524 | 2 Drupal, Nancy Wichmann | 2 Drupal, Realname | 2017-08-17 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the RealName module 6.x-1.x before 6.x-1.3 for Drupal allows remote attackers to inject arbitrary web script or HTML via a realname (aka real name) element. | |||||
| CVE-2009-4525 | 2 Drupal, Joao Ventura | 2 Drupal, Print | 2017-08-17 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the Print (aka Printer, e-mail and PDF versions) module 5.x before 5.x-4.9 and 6.x before 6.x-1.9, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via crafted data in a list of links. | |||||
| CVE-2009-4527 | 2 Drupal, Niif | 2 Drupal, Shib Auth | 2017-08-17 | 4.6 MEDIUM | N/A |
| The Shibboleth authentication module 5.x before 5.x-3.4 and 6.x before 6.x-3.2, a module for Drupal, does not properly remove statically granted privileges after a logout or other session change, which allows physically proximate attackers to gain privileges by using an unattended web browser. | |||||
| CVE-2009-4528 | 2 Drupal, Moshe Weitzman | 2 Drupal, Og Vocab | 2017-08-17 | 6.5 MEDIUM | N/A |
| The Organic Groups (OG) Vocabulary module 6.x before 6.x-1.0 for Drupal allows remote authenticated group members to bypass intended access restrictions, and create, modify, or read a vocabulary, via unspecified vectors. | |||||
| CVE-2009-4529 | 1 Intervations | 1 Navicopa Web Server | 2017-08-17 | 5.0 MEDIUM | N/A |
| InterVations NaviCOPA Web Server 3.0.1.2 and earlier allows remote attackers to obtain the source code for a web page via a trailing encoded space character in a URI, as demonstrated by /index.html%20 and /index.php%20 URIs. | |||||