Unknown · CVSS Not scored
Unspecified vulnerability in the Horde API in Horde 3.1 before 3.1.6 and 3.2 before 3.2 before 3.2-RC2; Turba H3 2.1 before 2.1.6 and 2.2 before 2.2-RC2; Kronolith H3 2.1 before 2.1.7 and H3 2.2 before 2.2-RC2; Nag H3 2.1 before 2.1.4 and 2.2 before 2.2-RC2; Mnemo H3 2.1 before 2.1.2 and 2.2 before 2.2-RC2; Horde Groupware 1.0 before 1.0.3 and 1.1 before 1.1-RC2; and Groupware Webmail Edition 1.0 before 1.0.4 and 1.1 before 1.1-RC2 has unknown impact and attack vectors.
Published Sep 13, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple buffer overflows in the Jura Internet Connection Kit for the Jura Impressa F90 coffee maker allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unspecified vectors related to improper use of the gets and sprintf functions.
Published Sep 8, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
WS-Proxy in Eye-Fi 1.1.2 allows remote attackers to cause a denial of service (crash) via an empty query string to port 59278 and other unspecified vectors.
Published Sep 1, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple cross-site scripting (XSS) vulnerabilities in Lightweight news portal (LNP) 1.0b allow remote attackers to inject arbitrary web script or HTML via the (1) photo parameter to show_photo.php, (2) potd parameter to show_potd.php, or (3) the Current question field in a vote action to admin.php.
Published Sep 8, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
OTManager CMS 2.4 allows remote attackers to bypass authentication and gain administrator privileges by setting the ADMIN_Hora, ADMIN_Logado, and ADMIN_Nome cookies to certain values, as reachable in Admin/index.php.
Published Sep 8, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Insecure method vulnerability in the UUSee UUUpgrade ActiveX control (UUUpgrade.ocx 3.0.2.12) allows remote attackers to force the download and overwrite of arbitrary files via crafted arguments to the Update method, as exploited in the wild in June 2009.
Published Sep 8, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
The Jura Internet Connection Kit for the Jura Impressa F90 coffee maker does not properly restrict access to privileged functions, which allows remote attackers to cause a denial of service (physical damage), modify coffee settings, and possibly execute code via a crafted request. NOTE: this issue is being included in CVE because the denial of service may include financial loss or water damage.
Published Sep 8, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Buffer overflow in Hero Super Player 3000 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long filename in a .M3U file. NOTE: this might be related to CVE-2008-4504.
Published Sep 4, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Docebo 3.5.0.3 and earlier allows remote attackers to obtain sensitive information via a direct request to (1) class/class.conf_fw.php, (2) class.module/class.event_manager.php, (3) lib/lib.domxml5.php, or (4) menu/menu_over.php in doceboCore/; or (5) class/class.conf_cms.php, (6) lib/lib.compose.php, (7) modules/chat/teleskill.php, or (8) class/class.admin_menu_cms.php in doceboCms/; which reveals the installation path in an error message.
Published Sep 2, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Buffer overflow in the listing module in Netwide Assembler (NASM) before 2.03.01 has unknown impact and attack vectors, a different vulnerability than CVE-2008-2719.
Published Sep 8, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in wp-admin/admin.php in NextGEN Gallery 0.96 and earlier plugin for Wordpress allows remote attackers to inject arbitrary web script or HTML via the picture description field in a page edit action.
Published Sep 8, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Directory traversal vulnerability in mods/Integrated/index.php in SineCMS 2.3.5 and earlier, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via the sine[config][index_main] parameter.
Published Sep 4, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple directory traversal vulnerabilities in Facil CMS 0.1RC allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) change_lang parameter to index.php or (2) modload parameter to modules.php.
Published Sep 8, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Cross-site request forgery (CSRF) vulnerability in Live 5.x before 5.x-0.1, a module for Drupal, allows remote attackers to hijack the authentication of unspecified privileged users for requests that can be leveraged to execute arbitrary PHP code.
Published Sep 1, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
phpBB 2.0.23 includes the session ID in a request to modcp.php when the moderator or administrator closes a thread, which allows remote attackers to hijack the session via a post in the thread containing a URL to a remotely hosted image, which might include the session ID in the Referer header.
Published Sep 1, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Lightweight news portal (LNP) 1.0b does not properly restrict access to administrator functionality, which allows remote attackers to gain administrator privileges via direct requests to admin.php with the (1) potd_delete, (2) potd, (3) vote_update, (4) vote, or (5) modifynews actions.
Published Sep 8, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple PHP remote file inclusion vulnerabilities in Specimen Image Database (SID), when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the dir parameter to (1) client.php or (2) taxonservice.php.
Published Sep 1, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple SQL injection vulnerabilities in index.php in CoronaMatrix phpAddressBook 2.0 allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) parameters.
Published Sep 1, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Numara FootPrints 7.5a through 7.5a1 and 8.0 through 8.0a allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) transcriptFile parameter to MRcgi/MRchat.pl or (2) LOADFILE parameter to MRcgi/MRABLoad2.pl. NOTE: some of these details are obtained from third party information.
Published Sep 2, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
The Manager in Eye-Fi 1.1.2 generates predictable snonce values based on the time of day, which allows remote attackers to bypass authentication and upload arbitrary images by guessing the snonce.
Published Sep 1, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
NetRisk 1.9.7 does not properly restrict access to admin/change_submit.php, which allows remote attackers to change the password of arbitrary users via a direct request.
Published Sep 2, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Absolute path traversal vulnerability in the Disk Usage module (frontend/x/diskusage/index.html) in cPanel 11.18.3 allows remote attackers to list arbitrary directories via the showtree parameter.
Published Sep 1, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple cross-site scripting (XSS) vulnerabilities in onlinetools.org EasyImageCatalogue 1.3.1 allow remote attackers to inject arbitrary web script or HTML via the (1) search and (2) d index.php parameters to index.php, (3) dir parameter to thumber.php, and the d parameter to (4) describe.php and (5) addcomment.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Published Sep 1, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
EkinBoard 1.1.0 and earlier, when register_globals is enabled, allows remote attackers to bypass authorization and gain administrator privileges by setting the _groups[] parameter to 2, as demonstrated via backup.php.
Published Sep 2, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in setup.php in @lex Poll 2.1 allows remote attackers to inject arbitrary web script or HTML via the language_setup parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Published Sep 1, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple cross-site scripting (XSS) vulnerabilities in @lex Guestbook 4.0.5 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) language_setup parameter to setup.php or (2) test parameter to index.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. NOTE: a third party has been reported that the test parameter is not used in @lex Guestbook.
Published Sep 1, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
toolbaru.dll in ICQ Toolbar (ICQToolbar) 2.3 allows remote attackers to cause a denial of service (toolbar crash) via a long argument to the (1) RequestURL, (2) GetPropertyById, or (3) SetPropertyById method, different vectors than CVE-2008-7135.
Published Sep 1, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
toolbaru.dll in ICQ Toolbar (ICQToolbar) 2.3 allows remote attackers to cause a denial of service (toolbar crash) via a long argument to the IsChecked method, a different vector than CVE-2008-7136.
Published Sep 1, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple unspecified vulnerabilities in RARLAB WinRAR before 3.71 have unknown impact and attack vectors related to crafted (1) ACE, (2) ARJ, (3) BZ2, (4) CAB, (5) GZ, (6) LHA, (7) RAR, (8) TAR, or (9) ZIP files, as demonstrated by the OUSPG PROTOS GENOME test suite for Archive Formats.
Published Sep 1, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in default.aspx in ParsaGostar ParsaWeb CMS allows remote attackers to execute arbitrary SQL commands via the (1) id parameter in the "page" page and (2) txtSearch parameter in the "Search" page.
Published Sep 30, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in showprofil.php in Powie PSCRIPT Forum (aka PHP Forum or pForum) 1.30 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter.
Published Sep 30, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in search.php in Siteman 1.1.11 and earlier allows remote attackers to inject arbitrary web script or HTML via unknown vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Published Sep 30, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
The Virtual Token driver (vdlptokn.sys) 1.0.2.43 in DESlock+ 3.2.7 allows local users to cause a denial of service (system crash) via a crafted IOCTL request to \Device\DLPTokenWalter0.
Published Sep 30, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in link.php in Linkarity allows remote attackers to execute arbitrary SQL commands via the cat_id parameter. NOTE: although one component of Linkarity is distributable PHP code, this issue might be site-specific. If so, it should not be included in CVE.
Published Sep 30, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Unspecified vulnerability in class/theme.class.php in SPAW Editor PHP Edition before 2.0.8.1 has unknown impact and attack vectors, probably related to directory traversal sequences in the theme name.
Published Sep 30, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in the products module in NetArt Media iBoutique 4.0 allows remote attackers to execute arbitrary SQL commands via the cat parameter to index.php.
Published Sep 30, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Unrestricted file upload vulnerability in the image upload component in Camera Life 2.6.2b4 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in a user directory under images/photos/upload.
Published Sep 30, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
DLMFENC.sys 1.0.0.28 in DESlock+ 3.2.7 allows local users to cause a denial of service (system crash) or potentially execute arbitrary code via a certain DLMFENC_IOCTL request to \\.\DLKPFSD_Device that overwrites a pointer, probably related to use of the ProbeForRead function when ProbeForWrite was intended.
Published Sep 30, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Directory traversal vulnerability in PowerPortal 2.0.13 allows remote attackers to list and possibly read arbitrary files via a .. (dot dot) in the path parameter to the default URI.
Published Sep 30, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple SQL injection vulnerabilities in Kasseler CMS 1.1.0 and 1.2.0 allow remote attackers to execute arbitrary SQL commands via (1) the nid parameter to index.php in a View action to the News module; (2) the vid parameter to index.php in a Result action to the Voting module; (3) the fid parameter to index.php in a ShowForum action to the Forum module; (4) the tid parameter to index.php in a ShowTopic action to the Forum module; (5) the uname parameter to index.php in a UserInfo action to the Account module; or (6) the module parameter to index.php, probably related to the TopSites module.
Published Sep 30, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in linkto.php in Powie pLink 2.07 allows remote attackers to execute arbitrary SQL commands via the id parameter.
Published Sep 30, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in inc/pages/viewprofile.php in phpSmartCom 0.2 allows remote attackers to execute arbitrary SQL commands via the uid parameter in a viewprofile action to index.php.
Published Sep 30, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
gdiplus.dll in GDI+ in Microsoft Windows XP SP3 does not properly handle crafted .ico files, which allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a certain crash.ico file on a web site, and allows user-assisted attackers to cause a denial of service (divide-by-zero error and persistent application crash) via this crash.ico file on the desktop, a different vulnerability than CVE-2007-2237.
Published Sep 30, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in Gallery 2.x before 2.2.6 allows remote attackers to inject arbitrary web script or HTML via a crafted Flash animation, related to the ability of the animation to "interact with the embedding page."
Published Sep 18, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
add.php in MyBlog 0.9.8 and earlier allows remote attackers to bypass authentication and gain administrative access by setting a cookie with admin=yes and login=admin.
Published Sep 30, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Directory traversal vulnerability in index.php in phpSmartCom 0.2 allows remote attackers to include and execute arbitrary files via a .. (dot dot) in the p parameter.
Published Sep 30, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Directory traversal vulnerability in library/pagefunctions.inc.php in phpOCS 0.1 beta3 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the act parameter to index.php.
Published Sep 30, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in main.php in vbLOGIX Tutorial Script 1.0 and earlier allows remote attackers to execute arbitrary SQL commands via the cat_id parameter in a list action.
Published Sep 30, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
NuMedia Soft NMS DVD Burning SDK Activex NMSDVDX.DVDEngineX.1 ActiveX control (NMSDVDX.dll) 1.013C and earlier, as used in CDBurnerXP 4.2.1.976, BurnAware 2.1.3, Blaze Media Pro 8.02 Special Edition, and possibly other products, allows remote attackers to overwrite and create arbitrary files via calls to the EnableLog and LogMessage methods. NOTE: this issue might only be exploitable in limited environments or non-default browser settings. NOTE: some of these details are obtained from third party information. NOTE: this can be leveraged for remote code execution by accessing files using hcp:// URLs.
Published Sep 30, 2008 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Observer 0.3.2.1 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the query parameter to (1) whois.php or (2) netcmd.php.
Published Sep 29, 2008 · Updated Aug 7, 2024