Unknown · CVSS Not scored
Multiple SQL injection vulnerabilities in Pligg 9.9 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to vote.php, which is not properly handled in libs/link.php; (2) id parameter to trackback.php; (3) an unspecified parameter to submit.php; (4) requestTitle variable in a query to story.php; (5) requestID and (6) requestTitle variables in recommend.php; (7) categoryID parameter to cloud.php; (8) title parameter to out.php; (9) username parameter to login.php; (10) id parameter to cvote.php; and (11) commentid parameter to edit.php.
Published Aug 26, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Buffer overflow in Nero ShowTime 5.0.15.0 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long entry in a .M3U playlist file. NOTE: this issue might be related to CVE-2008-0619.
Published Aug 25, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Directory traversal vulnerability in the web server 1.0 in Velocity Security Management System allows remote attackers to read arbitrary files via a .. (dot dot) in the URI.
Published Aug 26, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Unrestricted file upload vulnerability in filesystem3.class.php in eFront 3.5.1 build 2710 and earlier allows remote attackers to execute arbitrary code by uploading a file with an executable extension as an avatar, then accessing it via a direct request to the file in (1) student/avatars/ or (2) professor/avatars/.
Published Aug 21, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
The tooltip manager (chrome/views/tooltip_manager.cc) in Google Chrome 0.2.149.29 Build 1798 and possibly other versions before 0.2.149.30 allows remote attackers to cause a denial of service (CPU consumption or crash) via a tag with a long title attribute, which is not properly handled when displaying a tooltip, a different vulnerability than CVE-2008-6994. NOTE: there is inconsistent information about the environments under which this issue exists.
Published Aug 24, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Cross-site request forgery (CSRF) vulnerability in BandSite CMS 1.1.4 allows remote attackers to hijack the authentication of administrators and force a logout via adminpanel/logout.php.
Published Aug 24, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple cross-site scripting (XSS) vulnerabilities in NatterChat 1.12 allow remote attackers to inject arbitrary web script or HTML via the (1) txtUsername parameter to registerDo.asp, as invoked from register.asp, or (2) txtRoomName parameter to room_new.asp. NOTE: these issues might be resultant from XSS in SQL error messages.
Published Aug 24, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in admin/comments.php in Gelato CMS 0.95 allows remote attackers to inject arbitrary web script or HTML via the content parameter in a comment. NOTE: some of these details are obtained from third party information.
Published Aug 24, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
BandSite CMS 1.1.4 does not perform access control for adminpanel/phpmydump.php, which allows remote attackers to obtain copies of the database via a direct request.
Published Aug 24, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in index.php in One-News Beta 2 allows remote attackers to execute arbitrary SQL commands via the q parameter.
Published Aug 24, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
module.php in ezContents 2.0.3 allows remote attackers to bypass the directory traversal protection mechanism to include and execute arbitrary local files via "....//" (doubled dot dot slash) sequences in the link parameter, which is not properly filtered using the str_replace function.
Published Aug 24, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
NatterChat 1.1 allows remote attackers to bypass authentication and gain administrator privileges to read or delete rooms and messages via a direct request to admin/home.asp.
Published Aug 24, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
AJ Square Free Polling Script (AJPoll) Database version allows remote attackers to bypass authentication and reset poll votes via a direct request to admin/resetvote.php.
Published Aug 24, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in admin/include/newpoll.php in AJ Square Free Polling Script (AJPoll) Database version allows remote attackers to execute arbitrary SQL commands via the ques parameter.
Published Aug 24, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in the My_eGallery module for PHP-Nuke allows remote attackers to execute arbitrary SQL commands via the gid parameter in a showgall action to modules.php. NOTE: this issue was disclosed by an unreliable researcher, so the details might be incorrect.
Published Aug 24, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple directory traversal vulnerabilities in ezContents 2.0.3 allow remote attackers to include and execute arbitrary local files via the (1) gsLanguage and (2) language_home parameters to modules/diary/showdiary.php; (3) admin_home, (4) gsLanguage, and (5) language_home parameters to modules/diary/showdiarydetail.php; (6) gsLanguage and (7) language_home parameters to modules/diary/submit_diary.php; (8) admin_home parameter to modules/news/news_summary.php; (9) nLink, (10) gsLanguage, and (11) language_home parameters to modules/news/inlinenews.php; and possibly other unspecified vectors in (12) diary/showeventlist.php, (13) gallery/showgallery.php, (14) reviews/showreviews.php, (15) gallery/showgallerydetails.php, (16) reviews/showreviewsdetails.php, (17) news/shownewsdetails.php, (18) gallery/submit_gallery.php, (19) guestbook/submit_guestbook.php, (20) reviews/submit_reviews.php, (21) news/submit_news.php, (22) diary/inlineeventlist.php, and (23) news/archivednews_summary.php in modules/, related to the lack of directory traversal protection in modules/moduleSec.php.
Published Aug 24, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in ahah/sf-profile.php in the Yellow Swordfish Simple Forum module for Wordpress allows remote attackers to execute arbitrary SQL commands via the u parameter. NOTE: this issue was disclosed by an unreliable researcher, so the details might be incorrect.
Published Aug 24, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple cross-site scripting (XSS) vulnerabilities in One-News Beta 2 allow remote attackers to inject arbitrary HTML and web script via the (1) title or (2) content parameters in a news item to add.php, and the (3) itemnum, (4) author, or (5) comment parameters in a comment to index.php. NOTE: vectors 1 and 2 require user authentication.
Published Aug 24, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
LogMeIn Remote Access Utility ActiveX control (RACtrl.dll) allows remote attackers to cause a denial of service (crash) by setting the fgcolor and bgcolor properties to certain long values that trigger memory corruption.
Published Aug 24, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Unrestricted file upload vulnerability in upload_flyer.php in 2532designs 2532|Gigs 1.2.2 Stable allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in flyers/.
Published Aug 6, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Buffer overflow in multiscan.exe in Check Point ZoneAlarm Security Suite 7.0.483.000 and 8.0.020.000 allows local users to execute arbitrary code via a file or directory with a long path. NOTE: some of these details are obtained from third party information.
Published Aug 19, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in register.php in FreshScripts Fresh Email Script 1.0 through 1.11 allows remote attackers to inject arbitrary web script or HTML via the Email parameter. NOTE: this can be leveraged to modify cookies and conduct session fixation attacks.
Published Aug 24, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in Rss.php in MauryCMS 0.53.2 and earlier allows remote attackers to execute arbitrary SQL commands via the c parameter.
Published Aug 12, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Unrestricted file upload vulnerability in ScriptsFeed Auto Classifieds allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension as a profile logo, then accessing it via a direct request to the file in cars_images/.
Published Aug 12, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Zeeways SHAADICLONE 2.0 allows remote attackers to bypass authentication and gain administrative privileges via a direct request to admin/home.php.
Published Aug 7, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in the Simple Shop Galore (com_simpleshop) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the section parameter in a section action to index.php, a different vulnerability than CVE-2008-2568. NOTE: this issue was disclosed by an unreliable researcher, so the details might be incorrect.
Published Aug 24, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
AJ Square AJ Article allows remote attackers to bypass authentication and access administrator functionality via a direct request to (1) user.php, (2) articles.php, (3) articlesuspend.php, (4) site.php, (5) statistics.php, (6) mail.php, (7) category.php, (8) subcategory.php, (9) changepassword.php, (10) polling.php, and (11) logo.php in admin/.
Published Aug 24, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple cross-site scripting (XSS) vulnerabilities in autoinstall4imagesgalleryupgrade.php in the Fantastico De Luxe Module for cPanel allow remote attackers to inject arbitrary web script or HTML via the (1) localapp, (2) updatedir, (3) scriptpath_show, (4) domain_show, (5) thispage, (6) thisapp, and (7) currentversion parameters in an Upgrade action.
Published Aug 10, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Web Management Console Cross-site request forgery (CSRF) vulnerability in the web management console in F5 BIG-IP 9.4.3 allows remote attackers to hijack the authentication of administrators for requests that create new administrators and execute shell commands, as demonstrated using tmui/Control/form.
Published Aug 24, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Integer underflow in net/base/escape.cc in chrome.dll in Google Chrome 0.2.149.27 allows remote attackers to cause a denial of service (browser crash) via a URI with an invalid handler followed by a "%" (percent) character, which triggers a buffer over-read, as demonstrated using an "about:%" URI.
Published Aug 18, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Unrestricted file upload vulnerability in eZoneScripts Dating Website script allows remote attackers to execute arbitrary code via unknown vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Published Aug 18, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
PHP remote file inclusion vulnerability in url.php in FreshScripts Fresh Email Script 1.0 through 1.11 allows remote attackers to execute arbitrary PHP code via a URL in the tmp_sid parameter.
Published Aug 24, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Unrestricted file upload vulnerability in usercp.php in AlilG Application AliBoard Beta allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension as an avatar, then accessing it via a direct request to the file in uploads/avatars/.
Published Aug 24, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple cross-site scripting (XSS) vulnerabilities in ASP Forum Script allow remote attackers to inject arbitrary web script or HTML via the (1) forum_id parameter to (a) new_message.asp and (b) messages.asp, and the (2) query string to default.asp.
Published Aug 3, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple SQL injection vulnerabilities in login.asp in NatterChat 1.1 and 1.12 allow remote attackers to execute arbitrary SQL commands via the (1) txtUsername parameter (aka Username) and (2) txtPassword parameter (aka Password) in a form generated by home.asp. NOTE: due to lack of details, it is not clear whether this is related to CVE-2004-2206.
Published Aug 24, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
HyperStop Web Host Directory 1.2 allows remote attackers to bypass authentication and download a database backup via a direct request to admin/backup/db.
Published Aug 19, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in manageproject.php in Collabtive 0.4.8 allows user-assisted remote attackers to inject arbitrary web script or HTML via the project Name, which is not properly handled when the administrator performs an editform action, related to admin.php.
Published Aug 12, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Esqlanelapse 2.6.1 and 2.6.2 allows remote attackers to bypass authentication and gain privileges via modified (1) enombre and (2) euri cookies.
Published Aug 21, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple cross-site request forgery (CSRF) vulnerabilities in apply.cgi in DD-WRT 24 sp2 allow remote attackers to hijack the authentication of administrators for requests that (1) execute arbitrary commands via the ping_ip parameter; (2) change the administrative credentials via the http_username and http_passwd parameters; (3) enable remote administration via the remote_management parameter; or (4) configure port forwarding via certain from, to, ip, and pro parameters. NOTE: This issue reportedly exists because of a "weak ... anti-CSRF fix" implemented in 24 sp2.
Published Aug 14, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Unrestricted file upload vulnerability in PHPStore Complete Classifieds allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension as a logo, then accessing it via a direct request to the file in classifieds1/yellow_images/.
Published Aug 11, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple SQL injection vulnerabilities in Site2Nite Real Estate Web allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password field to an unspecified component, possibly agentlist.asp. NOTE: this issue was disclosed by an unreliable researcher, so it might be incorrect.
Published Aug 24, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Plesk 8.6.0, when short mail login names (SHORTNAMES) are enabled, allows remote attackers to bypass authentication and send spam e-mail via a message with (1) a base64-encoded username that begins with a valid shortname, or (2) a username that matches a valid password, as demonstrated using (a) SMTP and qmail, and (b) Courier IMAP and POP3.
Published Aug 18, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
fhttpd 0.4.2 allows remote attackers to cause a denial of service (crash) via an Authorization HTTP header with an invalid character after the Basic value.
Published Aug 19, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Free PHP VX Guestbook 1.06 allows remote attackers to bypass authentication and download a backup of the database via a direct request to admin/backupdb.php.
Published Aug 19, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Unrestricted file upload vulnerability in profile.php in Pre Projects Pre Real Estate Listings allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension as a profile logo, then accessing it via a direct request to the file in re_images/.
Published Aug 24, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Unreal engine 3, as used in Unreal Tournament 3 1.3, Frontlines: Fuel of War 1.1.1, and other products, allows remote attackers to cause a denial of service (server exit) via a packet with a large length value that triggers a memory allocation failure.
Published Aug 19, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
McAfee SafeBoot Device Encryption 4 build 4750 and earlier stores pre-boot authentication passwords in the BIOS Keyboard buffer and does not clear this buffer after use, which allows local users to obtain sensitive information by reading the physical memory locations associated with this buffer.
Published Aug 21, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Libra File Manager 1.18 and earlier allows remote attackers to bypass authentication and gain privileges by setting the user and pass cookies to 1.
Published Aug 21, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Unrestricted file upload vulnerability in PHPStore Job Search (aka PHPCareers) allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension as a resume photo, then accessing it via a direct request to the file in jobseekers/jobseeker_profile_images.
Published Aug 11, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Argument injection vulnerability in Exodus 0.10 allows remote attackers to inject arbitrary command line arguments, overwrite arbitrary files, and cause a denial of service via encoded spaces in a pres:// URI, a different vector than CVE-2008-6935.
Published Aug 11, 2009 · Updated Aug 7, 2024