LiveActive security incident?Get immediate response
CVE archive

2008 CVE Archive

Browse CVE records published in 2008 CVE Archive, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 7005 matching CVEs · Page 1 of 141.

Critical · CVSS 9.8 · CISA KEV

CVE-2008-4250: The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and S...

The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary code via a crafted RPC request that triggers the overflow during path canonicalization, as exploited in the wild by Gimmiv.A in October 2008, aka "Server Service Vulnerability."

Published Oct 23, 2008 · Updated May 20, 2026

High · CVSS 7.5

CVE-2008-20001: activePDF WebGrabber ActiveX Control Buffer Overflow

activePDF WebGrabber version 3.8.2.0 contains a stack-based buffer overflow vulnerability in the GetStatus() method of the APWebGrb.ocx ActiveX control. By passing an overly long string to this method, a remote attacker can execute arbitrary code in the context of the vulnerable process. Although the control is not marked safe for scripting, exploitation is possible via crafted HTML content in Internet Explorer under permissive security settings.

Published Aug 30, 2025 · Updated May 15, 2026

High · CVSS 8.8 · CISA KEV

CVE-2008-0015: Stack-based buffer overflow in the CComVariant::ReadFromStream function in the Active Template Library (ATL...

Stack-based buffer overflow in the CComVariant::ReadFromStream function in the Active Template Library (ATL), as used in the MPEG2TuneRequest ActiveX control in msvidctl.dll in DirectShow, in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2 allows remote attackers to execute arbitrary code via a crafted web page, as exploited in the wild in July 2009, aka "Microsoft Video ActiveX Control Vulnerability."

Published Jul 7, 2009 · Updated Feb 18, 2026

High · CVSS 8.8 · CISA KEV

CVE-2008-3431: The VBoxDrvNtDeviceControl function in VBoxDrv.sys in Sun xVM VirtualBox before 1.6.4 uses the METHOD_NEITH...

The VBoxDrvNtDeviceControl function in VBoxDrv.sys in Sun xVM VirtualBox before 1.6.4 uses the METHOD_NEITHER communication method for IOCTLs and does not properly validate a buffer associated with the Irp object, which allows local users to gain privileges by opening the \\.\VBoxDrv device and calling DeviceIoControl to send a crafted kernel address.

Published Aug 5, 2008 · Updated Oct 22, 2025

Medium · CVSS 6.1

CVE-2008-0642: Cross-site scripting (XSS) vulnerability in files created by Adobe RoboHelp 6 and 7, possibly involving use...

Cross-site scripting (XSS) vulnerability in files created by Adobe RoboHelp 6 and 7, possibly involving use of a (1) WebHelp5 (WebHelp5Ext) or (2) WildFire (WildFireExt) extension, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2007-1280.

Published Feb 15, 2008 · Updated Apr 23, 2025

Medium · CVSS 5.5

CVE-2008-10001: Pro2col Stingray FTS cross site scriting

A vulnerability, which was classified as problematic, has been found in Pro2col Stingray FTS. The manipulation of the argument Username leads to cross site scripting. The attack may be initiated remotely. It is recommended to upgrade the affected component. NOTE: This vulnerability only affects products that are no longer supported by the maintainer

Published Mar 28, 2022 · Updated Apr 15, 2025

Medium · CVSS 6.1

CVE-2008-3937: Multiple cross-site scripting (XSS) vulnerabilities in Open Media Collectors Database (OpenDb) 1.0.6 allow...

Multiple cross-site scripting (XSS) vulnerabilities in Open Media Collectors Database (OpenDb) 1.0.6 allow remote attackers to inject arbitrary web script or HTML via the (1) user_id parameter in an edit action to user_admin.php, the (2) title parameter to listings.php, and the (3) redirect_url parameter to user_profile.php.

Published Sep 5, 2008 · Updated Apr 3, 2025

Medium · CVSS 6.1

CVE-2008-1299: Cross-site scripting (XSS) vulnerability in SolutionSearch.do in ManageEngine ServiceDesk Plus 7.0.0 Build...

Cross-site scripting (XSS) vulnerability in SolutionSearch.do in ManageEngine ServiceDesk Plus 7.0.0 Build 7011 for Windows allows remote attackers to inject arbitrary web script or HTML via the searchText parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Published Mar 12, 2008 · Updated Apr 3, 2025

Critical · CVSS 9.8

CVE-2008-1511: Multiple PHP remote file inclusion vulnerabilities in ooComments 1.0 allow remote attackers to execute arbi...

Multiple PHP remote file inclusion vulnerabilities in ooComments 1.0 allow remote attackers to execute arbitrary PHP code via a URL in the PathToComment parameter for (1) classes/class_admin.php and (2) classes/class_comments.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Published Mar 25, 2008 · Updated Apr 3, 2025

Critical · CVSS 9.8

CVE-2008-3465: Heap-based buffer overflow in an API in GDI in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1...

Heap-based buffer overflow in an API in GDI in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 allows context-dependent attackers to cause a denial of service or execute arbitrary code via a WMF file with a malformed file-size parameter, which would not be properly handled by a third-party application that uses this API for a copy operation, aka "GDI Heap Overflow Vulnerability."

Published Dec 10, 2008 · Updated Jan 17, 2025

Medium · CVSS 6.5

CVE-2008-3474: Microsoft Internet Explorer 6 and 7 does not properly determine the domain or security zone of origin of we...

Microsoft Internet Explorer 6 and 7 does not properly determine the domain or security zone of origin of web script, which allows remote attackers to bypass the intended cross-domain security policy and obtain sensitive information via a crafted HTML document, aka "Cross-Domain Information Disclosure Vulnerability."

Published Oct 15, 2008 · Updated Jan 17, 2025

High · CVSS 7.8

CVE-2008-3282: Integer overflow in the rtl_allocateMemory function in sal/rtl/source/alloc_global.c in the memory allocato...

Integer overflow in the rtl_allocateMemory function in sal/rtl/source/alloc_global.c in the memory allocator in OpenOffice.org (OOo) 2.4.1, on 64-bit platforms, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted document, related to a "numeric truncation error," a different vulnerability than CVE-2008-2152.

Published Aug 29, 2008 · Updated Jan 17, 2025

Critical · CVSS 9.8

CVE-2008-2374: src/sdp.c in bluez-libs 3.30 in BlueZ, and other bluez-libs before 3.34 and bluez-utils before 3.34 version...

src/sdp.c in bluez-libs 3.30 in BlueZ, and other bluez-libs before 3.34 and bluez-utils before 3.34 versions, does not validate string length fields in SDP packets, which allows remote SDP servers to cause a denial of service or possibly have unspecified other impact via a crafted length field that triggers excessive memory allocation or a buffer over-read.

Published Jul 7, 2008 · Updated Jan 17, 2025

High · CVSS 7.8

CVE-2008-1246: The Cisco PIX/ASA Finesse Operation System 7.1 and 7.2 allows local users to gain privileges by entering ch...

The Cisco PIX/ASA Finesse Operation System 7.1 and 7.2 allows local users to gain privileges by entering characters at the enable prompt, erasing these characters via the Backspace key, and then holding down the Backspace key for one second after erasing the final character. NOTE: third parties, including one who works for the vendor, have been unable to reproduce the flaw unless the enable password is blank

Published Mar 10, 2008 · Updated Jan 17, 2025

Critical · CVSS 9.8

CVE-2008-4835: SMB in the Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gol...

SMB in the Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 allows remote attackers to execute arbitrary code via malformed values of unspecified "fields inside the SMB packets" in an NT Trans2 request, related to "insufficiently validating the buffer size," aka "SMB Validation Remote Code Execution Vulnerability."

Published Jan 14, 2009 · Updated Oct 15, 2024

High · CVSS 8.4

CVE-2008-4036: Integer overflow in Memory Manager in Microsoft Windows XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold...

Integer overflow in Memory Manager in Microsoft Windows XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 allows local users to gain privileges via a crafted application that triggers an erroneous decrement of a variable, related to validation of parameters for Virtual Address Descriptors (VADs) and a "memory allocation mapping error," aka "Virtual Address Descriptor Elevation of Privilege Vulnerability."

Published Oct 15, 2008 · Updated Oct 15, 2024

High · CVSS 8.1

CVE-2008-1083: Heap-based buffer overflow in the CreateDIBPatternBrushPt function in GDI in Microsoft Windows 2000 SP4, XP...

Heap-based buffer overflow in the CreateDIBPatternBrushPt function in GDI in Microsoft Windows 2000 SP4, XP SP2, Server 2003 SP1 and SP2, Vista, and Server 2008 allows remote attackers to execute arbitrary code via an EMF or WMF image file with a malformed header that triggers an integer overflow, aka "GDI Heap Overflow Vulnerability."

Published Apr 8, 2008 · Updated Oct 15, 2024

Unknown · CVSS Not scored

CVE-2008-4724: Multiple cross-site scripting (XSS) vulnerabilities in Google Chrome 0.2.149.30 allow remote attackers to i...

Multiple cross-site scripting (XSS) vulnerabilities in Google Chrome 0.2.149.30 allow remote attackers to inject arbitrary web script or HTML via an ftp:// URL for an HTML document within a (1) JPG, (2) PDF, or (3) TXT file. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Published Oct 23, 2008 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2008-0442: PHP remote file inclusion vulnerability in inc/linkbar.php in Small Axe Weblog 0.3.1 allows remote attacker...

PHP remote file inclusion vulnerability in inc/linkbar.php in Small Axe Weblog 0.3.1 allows remote attackers to execute arbitrary PHP code via a URL in the ffile parameter, a different vector than CVE-2008-0376. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Published Jan 24, 2008 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2008-7120: SQL injection vulnerability in Mr.

SQL injection vulnerability in Mr. CGI Guy Hot Links SQL-PHP 3 and earlier allows remote attackers to execute arbitrary SQL commands via the news.php parameter.

Published Aug 28, 2009 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2008-7253: The default configuration of the web server in IBM Lotus Domino Server, possibly 6.0 through 8.0, enables t...

The default configuration of the web server in IBM Lotus Domino Server, possibly 6.0 through 8.0, enables the HTTP TRACE method, which makes it easier for remote attackers to steal cookies and authentication credentials via a cross-site tracing (XST) attack, a related issue to CVE-2004-2763 and CVE-2005-3398.

Published Jan 25, 2010 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2008-7297: Opera cannot properly restrict modifications to cookies established in HTTPS sessions, which allows man-in-...

Opera cannot properly restrict modifications to cookies established in HTTPS sessions, which allows man-in-the-middle attackers to overwrite or delete arbitrary cookies via a Set-Cookie header in an HTTP response, related to lack of the HTTP Strict Transport Security (HSTS) includeSubDomains feature, aka a "cookie forcing" issue.

Published Aug 9, 2011 · Updated Sep 17, 2024