LiveActive security incident?Get immediate response
CVE archive

April 2008

Browse CVE records published in April 2008, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 659 matching CVEs · Page 1 of 14.

High · CVSS 8.1

CVE-2008-1083: Heap-based buffer overflow in the CreateDIBPatternBrushPt function in GDI in Microsoft Windows 2000 SP4, XP...

Heap-based buffer overflow in the CreateDIBPatternBrushPt function in GDI in Microsoft Windows 2000 SP4, XP SP2, Server 2003 SP1 and SP2, Vista, and Server 2008 allows remote attackers to execute arbitrary code via an EMF or WMF image file with a malformed header that triggers an integer overflow, aka "GDI Heap Overflow Vulnerability."

Published Apr 8, 2008 · Updated Oct 15, 2024

Unknown · CVSS Not scored

CVE-2008-7311: The session cookie store implementation in Spree 0.2.0 uses a hardcoded config.action_controller_session ha...

The session cookie store implementation in Spree 0.2.0 uses a hardcoded config.action_controller_session hash value (aka secret key), which makes it easier for remote attackers to bypass cryptographic protection mechanisms by leveraging an application that contains this value within the config/environment.rb file.

Published Apr 4, 2012 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2008-7289: IBM Tivoli Directory Server (TDS) 5.2 before 5.2.0.5-TIV-ITDS-LA0007 does not properly handle the simultane...

IBM Tivoli Directory Server (TDS) 5.2 before 5.2.0.5-TIV-ITDS-LA0007 does not properly handle the simultaneous changing of multiple passwords, which makes it easier for remote authenticated users to cause a denial of service (DB2 daemon deadlock) by making password changes that trigger updates to a DB2 password-history table.

Published Apr 21, 2011 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2008-7254: Directory traversal vulnerability in includes/template-loader.php in Irmin CMS (formerly Pepsi CMS) 0.5 and...

Directory traversal vulnerability in includes/template-loader.php in Irmin CMS (formerly Pepsi CMS) 0.5 and 0.6 BETA2, when register_globals is enabled, allows remote attackers to include and execute arbitrary files via a .. (dot dot) in the _Root_Path parameter. NOTE: some of these details are obtained from third party information.

Published Apr 7, 2010 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2008-6730: Multiple SQL injection vulnerabilities in admin/usercheck.php in FlexPHPLink Pro 0.0.6 and 0.0.7, when magi...

Multiple SQL injection vulnerabilities in admin/usercheck.php in FlexPHPLink Pro 0.0.6 and 0.0.7, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via (1) the checkuser parameter (aka username field), or (2) the checkpass parameter (aka password field), to admin/index.php.

Published Apr 20, 2009 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2008-6719: U&M Software Event Lister (aka JustListIt) 1.0 does not require administrative authentication for all scrip...

U&M Software Event Lister (aka JustListIt) 1.0 does not require administrative authentication for all scripts in the admin/ directory, which allows remote attackers to have an unspecified impact via a direct request to (1) start.php, (2) aktivitet.php, (3) prop_aktivitet.php, (4) kategorier.php, (5) konfig.php, (6) security.php, (7) manual.php, and possibly (8) index.php.

Published Apr 13, 2009 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2008-6722: Novell Access Manager 3 SP4 does not properly expire X.509 certificate sessions, which allows physically pr...

Novell Access Manager 3 SP4 does not properly expire X.509 certificate sessions, which allows physically proximate attackers to obtain a logged-in session by using a victim's web-browser process that continues to send the original and valid SSL sessionID, related to inability of Apache Tomcat to clear entries from its SSL cache.

Published Apr 14, 2009 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2008-6741: SQL injection vulnerability in Load.php in Simple Machines Forum (SMF) 1.1.4 and earlier allows remote atta...

SQL injection vulnerability in Load.php in Simple Machines Forum (SMF) 1.1.4 and earlier allows remote attackers to execute arbitrary SQL commands by setting the db_character_set parameter to a multibyte character set such as big5, which causes the addslashes PHP function to produce a "\" (backslash) sequence that does not quote the "'" (single quote) character, as demonstrated via a manlabels action to index.php.

Published Apr 21, 2009 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2008-6707: The Web management interface in Avaya SIP Enablement Services (SES) 3.x and 4.0, as used with Avaya Communi...

The Web management interface in Avaya SIP Enablement Services (SES) 3.x and 4.0, as used with Avaya Communication Manager 3.1.x, does not perform authentication for certain functionality, which allows remote attackers to obtain sensitive information and access restricted functionality via (1) the certificate installation utility, (2) unspecified scripts in the objects folder, (3) an "unnecessary default application," (4) unspecified scripts in the states folder, (5) an unspecified "default application" that lists server configuration, and (6) "full system help."

Published Apr 10, 2009 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2008-6774: internettoolbar/edit.php in YourPlace 1.0.2 and earlier does not end execution when an invalid username is...

internettoolbar/edit.php in YourPlace 1.0.2 and earlier does not end execution when an invalid username is detected, which allows remote attackers to bypass intended restrictions and edit toolbar settings via an invalid username. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Published Apr 29, 2009 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2008-6704: Integer overflow in the NET_Compressor::Decompress function in S.T.A.L.K.E.R.: Shadow of Chernobyl 1.0006 a...

Integer overflow in the NET_Compressor::Decompress function in S.T.A.L.K.E.R.: Shadow of Chernobyl 1.0006 and earlier allows remote attackers to cause a denial of service (server crash) via a crafted packet with a 0xc1 value that contains no compressed data, which triggers a copy of a large amount of memory.

Published Apr 10, 2009 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2008-6718: U&M Software JustBookIt 1.0 does not require administrative authentication for all scripts in the admin/ di...

U&M Software JustBookIt 1.0 does not require administrative authentication for all scripts in the admin/ directory, which allows remote attackers to have an unspecified impact via a direct request to (1) user_manual.php, (2) user_config.php, (3) user_kundnamn.php, (4) user_kundlista.php, (5) user_aktiva_kunder.php, (6) database.php, and possibly (7) index.php.

Published Apr 13, 2009 · Updated Aug 7, 2024