LiveActive security incident?Get immediate response
CVE archive

October 2008

Browse CVE records published in October 2008, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 542 matching CVEs · Page 1 of 11.

Critical · CVSS 9.8 · CISA KEV

CVE-2008-4250: The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and S...

The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary code via a crafted RPC request that triggers the overflow during path canonicalization, as exploited in the wild by Gimmiv.A in October 2008, aka "Server Service Vulnerability."

Published Oct 23, 2008 · Updated May 20, 2026

Medium · CVSS 6.5

CVE-2008-3474: Microsoft Internet Explorer 6 and 7 does not properly determine the domain or security zone of origin of we...

Microsoft Internet Explorer 6 and 7 does not properly determine the domain or security zone of origin of web script, which allows remote attackers to bypass the intended cross-domain security policy and obtain sensitive information via a crafted HTML document, aka "Cross-Domain Information Disclosure Vulnerability."

Published Oct 15, 2008 · Updated Jan 17, 2025

High · CVSS 8.4

CVE-2008-4036: Integer overflow in Memory Manager in Microsoft Windows XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold...

Integer overflow in Memory Manager in Microsoft Windows XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 allows local users to gain privileges via a crafted application that triggers an erroneous decrement of a variable, related to validation of parameters for Virtual Address Descriptors (VADs) and a "memory allocation mapping error," aka "Virtual Address Descriptor Elevation of Privilege Vulnerability."

Published Oct 15, 2008 · Updated Oct 15, 2024

Unknown · CVSS Not scored

CVE-2008-4724: Multiple cross-site scripting (XSS) vulnerabilities in Google Chrome 0.2.149.30 allow remote attackers to i...

Multiple cross-site scripting (XSS) vulnerabilities in Google Chrome 0.2.149.30 allow remote attackers to inject arbitrary web script or HTML via an ftp:// URL for an HTML document within a (1) JPG, (2) PDF, or (3) TXT file. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Published Oct 23, 2008 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2008-4404: The IPv6 Neighbor Discovery Protocol (NDP) implementation on IBM zSeries servers does not validate the orig...

The IPv6 Neighbor Discovery Protocol (NDP) implementation on IBM zSeries servers does not validate the origin of Neighbor Discovery messages, which allows remote attackers to cause a denial of service (loss of connectivity) or read private network traffic via a spoofed message that modifies the Forward Information Base (FIB), a related issue to CVE-2008-2476.

Published Oct 3, 2008 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2008-4723: Multiple cross-site scripting (XSS) vulnerabilities in Mozilla Firefox 3.0.1 through 3.0.3 allow remote att...

Multiple cross-site scripting (XSS) vulnerabilities in Mozilla Firefox 3.0.1 through 3.0.3 allow remote attackers to inject arbitrary web script or HTML via an ftp:// URL for an HTML document within a (1) JPG, (2) PDF, or (3) TXT file. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Published Oct 23, 2008 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2008-3685: Directory traversal vulnerability in aws_tmxn.exe in the Admin Agent service in the server in EMC Documentu...

Directory traversal vulnerability in aws_tmxn.exe in the Admin Agent service in the server in EMC Documentum ApplicationXtender Workflow, possibly 5.40 SP1 and earlier, allows remote attackers to upload arbitrary files, and execute arbitrary code, via directory traversal sequences in requests to TCP port 2606.

Published Oct 22, 2009 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2008-4864: Multiple integer overflows in imageop.c in the imageop module in Python 1.5.2 through 2.5.1 allow context-d...

Multiple integer overflows in imageop.c in the imageop module in Python 1.5.2 through 2.5.1 allow context-dependent attackers to break out of the Python VM and execute arbitrary code via large integer values in certain arguments to the crop function, leading to a buffer overflow, a different vulnerability than CVE-2007-4965 and CVE-2008-1679.

Published Oct 31, 2008 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2008-4865: Untrusted search path vulnerability in valgrind before 3.4.0 allows local users to execute arbitrary progra...

Untrusted search path vulnerability in valgrind before 3.4.0 allows local users to execute arbitrary programs via a Trojan horse .valgrindrc file in the current working directory, as demonstrated using a malicious --db-command options. NOTE: the severity of this issue has been disputed, but CVE is including this issue because execution of a program from an untrusted directory is a common scenario.

Published Oct 31, 2008 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2008-4875: Directory traversal vulnerability in the web server in Philips Electronics VOIP841 DECT Phone with firmware...

Directory traversal vulnerability in the web server in Philips Electronics VOIP841 DECT Phone with firmware 1.0.4.50 and 1.0.4.80 allows remote authenticated users to read arbitrary files via a .. (dot dot) in a GET request. NOTE: this can be leveraged with CVE-2008-4874 for unauthenticated access to sensitive files such as (1) save.dat and (2) apply.log, which can contain other credentials such as the Skype username and password.

Published Oct 31, 2008 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2008-4806: Multiple SQL injection vulnerabilities in IBM Lotus Connections 2.x before 2.0.1 allow remote attackers to...

Multiple SQL injection vulnerabilities in IBM Lotus Connections 2.x before 2.0.1 allow remote attackers to execute arbitrary SQL commands via the sortField parameter to unspecified components. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Published Oct 31, 2008 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2008-4805: Multiple cross-site scripting (XSS) vulnerabilities in IBM Lotus Connections 2.x before 2.0.1 allow remote...

Multiple cross-site scripting (XSS) vulnerabilities in IBM Lotus Connections 2.x before 2.0.1 allow remote attackers to inject arbitrary web script or HTML via (1) the community title, (2) API input, and vectors related to the (3) Homepage, (4) Blogs, (5) Profiles, (6) Dogear, (7) Activities, and (8) Global Search components. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Published Oct 31, 2008 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2008-4810: The _expand_quoted_text function in libs/Smarty_Compiler.class.php in Smarty 2.6.20 before r2797 allows rem...

The _expand_quoted_text function in libs/Smarty_Compiler.class.php in Smarty 2.6.20 before r2797 allows remote attackers to execute arbitrary PHP code via vectors related to templates and (1) a dollar-sign character, aka "php executed in templates;" and (2) a double quoted literal string, aka a "function injection security hole." NOTE: each vector affects slightly different SVN revisions.

Published Oct 31, 2008 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2008-4800: The DebugDiag ActiveX control in CrashHangExt.dll, possibly 1.0, in Microsoft Debug Diagnostic Tool allows...

The DebugDiag ActiveX control in CrashHangExt.dll, possibly 1.0, in Microsoft Debug Diagnostic Tool allows remote attackers to cause a denial of service (NULL pointer dereference and Internet Explorer 6.0 crash) via a large negative integer argument to the GetEntryPointForThread method. NOTE: this issue might only be exploitable in limited environments or non-default browser settings.

Published Oct 30, 2008 · Updated Aug 7, 2024