LiveActive security incident?Get immediate response
CVE archive

September 2008

Browse CVE records published in September 2008, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 561 matching CVEs · Page 1 of 12.

Medium · CVSS 6.1

CVE-2008-3937: Multiple cross-site scripting (XSS) vulnerabilities in Open Media Collectors Database (OpenDb) 1.0.6 allow...

Multiple cross-site scripting (XSS) vulnerabilities in Open Media Collectors Database (OpenDb) 1.0.6 allow remote attackers to inject arbitrary web script or HTML via the (1) user_id parameter in an edit action to user_admin.php, the (2) title parameter to listings.php, and the (3) redirect_url parameter to user_profile.php.

Published Sep 5, 2008 · Updated Apr 3, 2025

Unknown · CVSS Not scored

CVE-2008-7166: Buffer overflow in the web interface in BitTorrent 6.0.1 (build 7859) and earlier, and uTorrent 1.7.6 (buil...

Buffer overflow in the web interface in BitTorrent 6.0.1 (build 7859) and earlier, and uTorrent 1.7.6 (build 7859) and earlier, allows remote attackers to cause a denial of service (memory consumption and crash) via a crafted Range header. NOTE: this is probably a different vulnerability than CVE-2008-0071 and CVE-2008-0364.

Published Sep 4, 2009 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2008-7146: IntraLearn Software IntraLearn 2.1, and possibly other versions before 4.2.3, allows remote attackers to ob...

IntraLearn Software IntraLearn 2.1, and possibly other versions before 4.2.3, allows remote attackers to obtain sensitive information via a direct request to (1) Knowledge_Impact_Course.htm, (2) LRN-formatted_Course.htm, or (3) Create_Course.htm in help/1/Instructor/, which reveals the installation path in an error message.

Published Sep 1, 2009 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2008-4325: lib/viewvc.py in ViewVC 1.0.5 uses the content-type parameter in the HTTP request for the Content-Type head...

lib/viewvc.py in ViewVC 1.0.5 uses the content-type parameter in the HTTP request for the Content-Type header in the HTTP response, which allows remote attackers to cause content to be misinterpreted by the browser via a content-type parameter that is inconsistent with the requested object. NOTE: this issue might not be a vulnerability, since it requires attacker access to the repository that is being viewed.

Published Sep 30, 2008 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2008-7219: Horde Kronolith H3 2.1 before 2.1.7 and 2.2 before 2.2-RC2; Nag H3 2.1 before 2.1.4 and 2.2 before 2.2-RC2;...

Horde Kronolith H3 2.1 before 2.1.7 and 2.2 before 2.2-RC2; Nag H3 2.1 before 2.1.4 and 2.2 before 2.2-RC2; Mnemo H3 2.1 before 2.1.2 and H3 2.2 before 2.2-RC2; Groupware 1.0 before 1.0.3 and 1.1 before 1.1-RC2; and Groupware Webmail Edition 1.0 before 1.0.4 and 1.1 before 1.1-RC2 does not validate ownership when performing share changes, which has unknown impact and attack vectors.

Published Sep 13, 2009 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2008-7147: Multiple cross-site scripting (XSS) vulnerabilities in IntraLearn Software IntraLearn 2.1, and possibly oth...

Multiple cross-site scripting (XSS) vulnerabilities in IntraLearn Software IntraLearn 2.1, and possibly other versions before 4.2.3, allow remote attackers to inject arbitrary web script or HTML via the (1) outline and (2) course parameters to library/description_link.cfm, or the (3) records_to_display and (4) the_start parameters to library/courses_catalog.cfm.

Published Sep 1, 2009 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2008-7217: Microsoft Office 2008 for Mac, when running on Macintosh systems that restrict Office access to administrat...

Microsoft Office 2008 for Mac, when running on Macintosh systems that restrict Office access to administrators, does not enforce this restriction for user ID 502, which allows local users with that ID to bypass intended security policy and access Office programs, related to permissions and ownership for certain directories.

Published Sep 13, 2009 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2008-2464: The mld_input function in sys/netinet6/mld6.c in the kernel in NetBSD 4.0, FreeBSD, and KAME, when INET6 is...

The mld_input function in sys/netinet6/mld6.c in the kernel in NetBSD 4.0, FreeBSD, and KAME, when INET6 is enabled, allows remote attackers to cause a denial of service (divide-by-zero error and panic) via a malformed ICMPv6 Multicast Listener Discovery (MLD) query with a certain Maximum Response Delay value.

Published Sep 10, 2008 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2008-3901: Software suspend 2 2-2.2.1, when used with the Linux kernel 2.6.16, stores pre-boot authentication password...

Software suspend 2 2-2.2.1, when used with the Linux kernel 2.6.16, stores pre-boot authentication passwords in the BIOS Keyboard buffer and does not clear this buffer after use, which allows local users to obtain sensitive information by reading the physical memory locations associated with this buffer.

Published Sep 3, 2008 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2008-4126: PyDNS (aka python-dns) before 2.3.1-5 in Debian GNU/Linux does not use random source ports for DNS requests...

PyDNS (aka python-dns) before 2.3.1-5 in Debian GNU/Linux does not use random source ports for DNS requests and does not use random transaction IDs for DNS retries, which makes it easier for remote attackers to spoof DNS responses, a different vulnerability than CVE-2008-1447. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-4099.

Published Sep 18, 2008 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2008-3634: Apple iTunes before 8.0 on Mac OS X 10.4.11, when iTunes Music Sharing is enabled but blocked by the host-b...

Apple iTunes before 8.0 on Mac OS X 10.4.11, when iTunes Music Sharing is enabled but blocked by the host-based firewall, presents misleading information about firewall security, which might allow remote attackers to leverage an exposure that would be absent if the administrator were given better information.

Published Sep 10, 2008 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2008-7231: Cross-site scripting (XSS) vulnerability in Meridio Document and Records Management before 4.3 SR1 allows r...

Cross-site scripting (XSS) vulnerability in Meridio Document and Records Management before 4.3 SR1 allows remote authenticated users to inject arbitrary web script or HTML via the Title field in a (1) document (subGeneralProps:dmpvDocTitle:PROP_W_title) or (2) container (subGeneralProps:dmpvContainerTitle:PROP_W_title).

Published Sep 14, 2009 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2008-7243: Cross-site request forgery (CSRF) vulnerability in page 34 in MODx CMS 0.9.6.1 and 0.9.6.1p1 allows remote...

Cross-site request forgery (CSRF) vulnerability in page 34 in MODx CMS 0.9.6.1 and 0.9.6.1p1 allows remote attackers to hijack the authentication of other users for requests that modify passwords via manager/index.php. NOTE: due to the lack of details, it is not clear whether this is related to CVE-2008-5941.

Published Sep 17, 2009 · Updated Aug 7, 2024