LiveActive security incident?Get immediate response
CVE archive

November 2008

Browse CVE records published in November 2008, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 438 matching CVEs · Page 3 of 9.

Unknown · CVSS Not scored

CVE-2008-5201: Directory traversal vulnerability in index.php in OTManager CMS 24a allows remote attackers to include and...

Directory traversal vulnerability in index.php in OTManager CMS 24a allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the conteudo parameter. NOTE: in some environments, this can be leveraged for remote file inclusion by using a UNC share pathname or an ftp, ftps, or ssh2.sftp URL.

Published Nov 21, 2008 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2008-5204: Multiple directory traversal vulnerabilities in PowerAward 1.1.0 RC1, when register_globals is enabled, all...

Multiple directory traversal vulnerabilities in PowerAward 1.1.0 RC1, when register_globals is enabled, allow remote attackers to include and execute arbitrary local files via directory traversal sequences in the lang parameter to (1) agb.php, (2) angemeldet.php, (3) anmelden.php, (4) charts.php, (5) external_vote.php, (6) guestbook.php, (7) impressum.php, (8) index.php, (9) rss-reader.php, (10) statistic.php, (11) teilnehmer.php, (12) topsites.php, (13) votecode.php, (14) voting.php, and (15) winner.php.

Published Nov 21, 2008 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2008-5210: Multiple PHP remote file inclusion vulnerabilities in PhpBlock A8.5 allow remote attackers to execute arbit...

Multiple PHP remote file inclusion vulnerabilities in PhpBlock A8.5 allow remote attackers to execute arbitrary PHP code via a URL in the PATH_TO_CODE parameter to (1) script/init/createallimagecache.php, (2) allincludefortick.php and (3) test.php in script/tick/, and (4) modules/dungeon/tick/allincludefortick.php, different vectors than CVE-2008-1776.

Published Nov 24, 2008 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2008-5038: Use-after-free vulnerability in the NetWare Core Protocol (NCP) feature in Novell eDirectory 8.7.3 SP10 bef...

Use-after-free vulnerability in the NetWare Core Protocol (NCP) feature in Novell eDirectory 8.7.3 SP10 before 8.7.3 SP10 FTF1 and 8.8 SP2 for Windows allows remote attackers to cause a denial of service and possibly execute arbitrary code via a sequence of "Get NCP Extension Information By Name" requests that cause one thread to operate on memory after it has been freed in another thread, which triggers memory corruption, aka Novell Bug 373852.

Published Nov 12, 2008 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2008-5032: Stack-based buffer overflow in VideoLAN VLC media player 0.5.0 through 0.9.5 might allow user-assisted atta...

Stack-based buffer overflow in VideoLAN VLC media player 0.5.0 through 0.9.5 might allow user-assisted attackers to execute arbitrary code via the header of an invalid CUE image file, related to modules/access/vcd/cdrom.c. NOTE: this identifier originally included an issue related to RealText, but that issue has been assigned a separate identifier, CVE-2008-5036.

Published Nov 10, 2008 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2008-5031: Multiple integer overflows in Python 2.2.3 through 2.5.1, and 2.6, allow context-dependent attackers to hav...

Multiple integer overflows in Python 2.2.3 through 2.5.1, and 2.6, allow context-dependent attackers to have an unknown impact via a large integer value in the tabsize argument to the expandtabs method, as implemented by (1) the string_expandtabs function in Objects/stringobject.c and (2) the unicode_expandtabs function in Objects/unicodeobject.c. NOTE: this vulnerability reportedly exists because of an incomplete fix for CVE-2008-2315.

Published Nov 10, 2008 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2008-5186: The set_language_path function in geshi.php in Generic Syntax Highlighter (GeSHi) before 1.0.8.1 might allo...

The set_language_path function in geshi.php in Generic Syntax Highlighter (GeSHi) before 1.0.8.1 might allow remote attackers to conduct file inclusion attacks via crafted inputs that influence the default language path ($path variable). NOTE: this issue has been disputed by a vendor, stating that only a static value is used, so this is not a vulnerability in GeSHi. Separate CVE identifiers would be created for web applications that integrate GeSHi in a way that allows control of the default language path

Published Nov 21, 2008 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2008-5036: Stack-based buffer overflow in VideoLAN VLC media player 0.9.x before 0.9.6 might allow user-assisted attac...

Stack-based buffer overflow in VideoLAN VLC media player 0.9.x before 0.9.6 might allow user-assisted attackers to execute arbitrary code via an an invalid RealText (rt) subtitle file, related to the ParseRealText function in modules/demux/subtitle.c. NOTE: this issue was SPLIT from CVE-2008-5032 on 20081110.

Published Nov 10, 2008 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2008-5113: WordPress 2.6.3 relies on the REQUEST superglobal array in certain dangerous situations, which makes it eas...

WordPress 2.6.3 relies on the REQUEST superglobal array in certain dangerous situations, which makes it easier for remote attackers to conduct delayed and persistent cross-site request forgery (CSRF) attacks via crafted cookies, as demonstrated by attacks that (1) delete user accounts or (2) cause a denial of service (loss of application access). NOTE: this issue relies on the presence of an independent vulnerability that allows cookie injection.

Published Nov 17, 2008 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2008-5161: Error handling in the SSH protocol in (1) SSH Tectia Client and Server and Connector 4.0 through 4.4.11, 5....

Error handling in the SSH protocol in (1) SSH Tectia Client and Server and Connector 4.0 through 4.4.11, 5.0 through 5.2.4, and 5.3 through 5.3.8; Client and Server and ConnectSecure 6.0 through 6.0.4; Server for Linux on IBM System z 6.0.4; Server for IBM z/OS 5.5.1 and earlier, 6.0.0, and 6.0.1; and Client 4.0-J through 4.3.3-J and 4.0-K through 4.3.10-K; and (2) OpenSSH 4.7p1 and possibly other versions, when using a block cipher algorithm in Cipher Block Chaining (CBC) mode, makes it easier for remote attackers to recover certain plaintext data from an arbitrary block of ciphertext in an SSH session via unknown vectors.

Published Nov 19, 2008 · Updated Aug 7, 2024