LiveActive security incident?Get immediate response
CVE archive

March 2008

Browse CVE records published in March 2008, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 737 matching CVEs · Page 2 of 15.

Unknown · CVSS Not scored

CVE-2008-6502: Directory traversal vulnerability in Pro Chat Rooms 3.0.2 allows remote authenticated users to select an ar...

Directory traversal vulnerability in Pro Chat Rooms 3.0.2 allows remote authenticated users to select an arbitrary local PHP script as an avatar via a .. (dot dot) in the avatar parameter, and cause other users to execute this script by using sendData.php to send a message to (1) an individual user or (2) a room, leading to cross-site request forgery (CSRF), cross-site scripting (XSS), or other impacts.

Published Mar 20, 2009 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2008-6552: Red Hat Cluster Project 2.x allows local users to modify or overwrite arbitrary files via symlink attacks o...

Red Hat Cluster Project 2.x allows local users to modify or overwrite arbitrary files via symlink attacks on files in /tmp, involving unspecified components in Resource Group Manager (aka rgmanager) before 2.03.09-1, gfs2-utils before 2.03.09-1, and CMAN - The Cluster Manager before 2.03.09-1 on Fedora 9.

Published Mar 30, 2009 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2008-6545: PHP remote file inclusion vulnerability in news/include/createdb.php in Web Server Creator Web Portal 0.1 a...

PHP remote file inclusion vulnerability in news/include/createdb.php in Web Server Creator Web Portal 0.1 allows remote attackers to execute arbitrary PHP code via a URL in the langfile parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Published Mar 30, 2009 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2008-6520: Multiple format string vulnerabilities in the SSI filter in Xitami Web Server 2.5c2, and possibly other ver...

Multiple format string vulnerabilities in the SSI filter in Xitami Web Server 2.5c2, and possibly other versions, allow remote attackers to cause a denial of service (daemon crash) and possibly execute arbitrary code via format string specifiers in a URI that ends in (1) .ssi, (2) .shtm, or (3) .shtml, which triggers incorrect logging code involving the sendfmt function in the SMT kernel.

Published Mar 25, 2009 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2008-6504: ParametersInterceptor in OpenSymphony XWork 2.0.x before 2.0.6 and 2.1.x before 2.1.2, as used in Apache St...

ParametersInterceptor in OpenSymphony XWork 2.0.x before 2.0.6 and 2.1.x before 2.1.2, as used in Apache Struts and other products, does not properly restrict # (pound sign) references to context objects, which allows remote attackers to execute Object-Graph Navigation Language (OGNL) statements and modify server-side context objects, as demonstrated by use of a \u0023 representation for the # character.

Published Mar 23, 2009 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2008-6560: Buffer overflow in CMAN - The Cluster Manager before 2.03.09-1 on Fedora 9 and Red Hat Enterprise Linux (RH...

Buffer overflow in CMAN - The Cluster Manager before 2.03.09-1 on Fedora 9 and Red Hat Enterprise Linux (RHEL) 5 allows attackers to cause a denial of service (CPU consumption and memory corruption) via a cluster.conf file with many lines. NOTE: it is not clear whether this issue crosses privilege boundaries in realistic uses of the product.

Published Mar 31, 2009 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2008-6551: Multiple directory traversal vulnerabilities in e-Vision CMS 2.0.2 and earlier, when magic_quotes_gpc is di...

Multiple directory traversal vulnerabilities in e-Vision CMS 2.0.2 and earlier, when magic_quotes_gpc is disabled, allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in (1) an adminlang cookie to admin/ind_ex.php; or the module parameter to (2) 3rdparty/adminpart/add3rdparty.php, (3) polling/adminpart/addpolling.php, (4) contact/adminpart/addcontact.php, (5) brandnews/adminpart/addbrandnews.php, (6) newsletter/adminpart/addnewsletter.php, (7) game/adminpart/addgame.php, (8) tour/adminpart/addtour.php, (9) articles/adminpart/addarticles.php, (10) product/adminpart/addproduct.php, or (11) plain/adminpart/addplain.php in modules/.

Published Mar 30, 2009 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2008-6544: Multiple PHP remote file inclusion vulnerabilities in Simple Machines Forum (SMF) 1.1.4 allow remote attack...

Multiple PHP remote file inclusion vulnerabilities in Simple Machines Forum (SMF) 1.1.4 allow remote attackers to execute arbitrary PHP code via a URL in the (1) settings[default_theme_dir] parameter to Sources/Subs-Graphics.php and (2) settings[default_theme_dir] parameter to Sources/Themes.php. NOTE: CVE and multiple third parties dispute this issue because the files contain a protection mechanism against direct request

Published Mar 30, 2009 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2008-6543: Multiple PHP remote file inclusion vulnerabilities in ComScripts TEAM Quick Classifieds 1.0 via the DOCUMEN...

Multiple PHP remote file inclusion vulnerabilities in ComScripts TEAM Quick Classifieds 1.0 via the DOCUMENT_ROOT parameter to (1) index.php3, (2) locate.php3, (3) search_results.php3, (4) classifieds/index.php3, and (5) classifieds/view.php3; (6) index.php3, (7) manager.php3, (8) pass.php3, (9) remember.php3 (10) sign-up.php3, (11) update.php3, (12) userSet.php3, and (13) verify.php3 in controlcenter/; (14) alterCats.php3, (15) alterFeatured.php3, (16) alterHomepage.php3, (17) alterNews.php3, (18) alterTheme.php3, (19) color_help.php3, (20) createdb.php3, (21) createFeatured.php3, (22) createHomepage.php3, (23) createL.php3, (24) createM.php3, (25) createNews.php3, (26) createP.php3, (27) createS.php3, (28) createT.php3, (29) index.php3, (30) mailadmin.php3, and (31) setUp.php3 in controlpannel/; (32) include/sendit.php3 and (33) include/sendit2.php3; and possibly (34) include/adminHead.inc, (35) include/usersHead.inc, and (36) style/default.scheme.inc.

Published Mar 30, 2009 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2008-6508: Directory traversal vulnerability in the AuthCheck filter in the Admin Console in Openfire 3.6.0a and earli...

Directory traversal vulnerability in the AuthCheck filter in the Admin Console in Openfire 3.6.0a and earlier allows remote attackers to bypass authentication and access the admin interface via a .. (dot dot) in a URI that matches the Exclude-Strings list, as demonstrated by a /setup/setup-/.. sequence in a URI.

Published Mar 23, 2009 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2008-6516: Multiple directory traversal vulnerabilities in phpKF-Portal 1.10 allow remote attackers to include arbitra...

Multiple directory traversal vulnerabilities in phpKF-Portal 1.10 allow remote attackers to include arbitrary files via a .. (dot dot) in the (1) tema_dizin parameter to baslik.php and (2) portal_ayarlarportal_dili parameter to anket_yonetim.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Published Mar 25, 2009 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2008-6553: microcms-admin-home.php in Implied by Design Micro CMS (Micro-CMS) 3.5 (aka 0.3.5) does not require authent...

microcms-admin-home.php in Implied by Design Micro CMS (Micro-CMS) 3.5 (aka 0.3.5) does not require authentication as an administrator, which allows remote attackers to (1) create administrative accounts via an add_admin action, (2) remove administrative accounts via a delete_admin action, and (3) modify administrative passwords via a change_password action.

Published Mar 30, 2009 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2008-6532: Multiple cross-site request forgery (CSRF) vulnerabilities in the update feature in Drupal 5.x before 5.13...

Multiple cross-site request forgery (CSRF) vulnerabilities in the update feature in Drupal 5.x before 5.13 and 6.x before 6.7 allow remote attackers to perform unauthorized actions as the superuser via unspecified vectors, as demonstrated by causing the superuser to "execute old updates" that modify the database.

Published Mar 26, 2009 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2008-6519: Format string vulnerability in Xitami Web Server 2.2a through 2.5c2, and possibly other versions, allows re...

Format string vulnerability in Xitami Web Server 2.2a through 2.5c2, and possibly other versions, allows remote attackers to cause a denial of service (daemon crash) and possibly execute arbitrary code via format string specifiers in a Long Running Web Process (LRWP) request, which triggers incorrect logging code involving the sendfmt function in the SMT kernel.

Published Mar 25, 2009 · Updated Aug 7, 2024