LiveActive security incident?Get immediate response
CVE archive

February 2009

Browse CVE records published in February 2009, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 392 matching CVEs · Page 1 of 8.

High · CVSS 8.8 · CISA KEV

CVE-2009-0238: Microsoft Office Excel 2000 SP3, 2002 SP3, 2003 SP3, and 2007 SP1; Excel Viewer 2003 Gold and SP3; Excel Vi...

Microsoft Office Excel 2000 SP3, 2002 SP3, 2003 SP3, and 2007 SP1; Excel Viewer 2003 Gold and SP3; Excel Viewer; Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1; and Excel in Microsoft Office 2004 and 2008 for Mac allow remote attackers to execute arbitrary code via a crafted Excel document that triggers an access attempt on an invalid object, as exploited in the wild in February 2009 by Trojan.Mdropper.AC.

Published Feb 25, 2009 · Updated Apr 15, 2026

Medium · CVSS 6.5 · CISA KEV

CVE-2009-3960: Unspecified vulnerability in BlazeDS 3.2 and earlier, as used in LiveCycle 8.0.1, 8.2.1, and 9.0, LiveCycle...

Unspecified vulnerability in BlazeDS 3.2 and earlier, as used in LiveCycle 8.0.1, 8.2.1, and 9.0, LiveCycle Data Services 2.5.1, 2.6.1, and 3.0, Flex Data Services 2.0.1, and ColdFusion 7.0.2, 8.0, 8.0.1, and 9.0, allows remote attackers to obtain sensitive information via vectors that are associated with a request, and related to injected tags and external entity references in XML documents.

Published Feb 15, 2010 · Updated Oct 22, 2025

Unknown · CVSS Not scored

CVE-2009-4643: Stack-based buffer overflow in dsInstallerService.dll in the Juniper Installer Service, as used in Juniper...

Stack-based buffer overflow in dsInstallerService.dll in the Juniper Installer Service, as used in Juniper Odyssey Access Client 4.72.11421.0 and other products, allows remote attackers to execute arbitrary code via a long string in a malformed DSSETUPSERVICE_CMD_UNINSTALL command to the NeoterisSetupService named pipe.

Published Feb 15, 2010 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2009-0654: Tor 0.2.0.28, and probably 0.2.0.34 and earlier, allows remote attackers, with control of an entry router a...

Tor 0.2.0.28, and probably 0.2.0.34 and earlier, allows remote attackers, with control of an entry router and an exit router, to confirm that a sender and receiver are communicating via vectors involving (1) replaying, (2) modifying, (3) inserting, or (4) deleting a single cell, and then observing cell recognition errors at the exit router. NOTE: the vendor disputes the significance of this issue, noting that the product's design "accepted end-to-end correlation as an attack that is too expensive to solve."

Published Feb 20, 2009 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2009-0621: Cisco ACE 4710 Application Control Engine Appliance before A1(8a) uses default (1) usernames and (2) passwo...

Cisco ACE 4710 Application Control Engine Appliance before A1(8a) uses default (1) usernames and (2) passwords for (a) the administrator, (b) web management, and (c) device management, which makes it easier for remote attackers to perform configuration changes to the Device Manager and other components, or obtain operating-system access.

Published Feb 26, 2009 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2009-0525: Cross-site scripting (XSS) vulnerability in the sajax_get_common_js function in php/Sajax.php in Sajax 0.12...

Cross-site scripting (XSS) vulnerability in the sajax_get_common_js function in php/Sajax.php in Sajax 0.12 allows remote attackers to inject arbitrary web script or HTML via the URL parameter, which is not properly handled when using browsers that do not URL-encode requests, such as Internet Explorer 6. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Published Feb 11, 2009 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2009-0610: Multiple static code injection vulnerabilities in post.php in Simple PHP News 1.0 final allow remote attack...

Multiple static code injection vulnerabilities in post.php in Simple PHP News 1.0 final allow remote attackers to inject arbitrary PHP code into news.txt via the (1) title or (2) date parameter, and then execute the code via a direct request to display.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Published Feb 17, 2009 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2009-4016: Integer underflow in the clean_string function in irc_string.c in (1) IRCD-hybrid 7.2.2 and 7.2.3, (2) ircd...

Integer underflow in the clean_string function in irc_string.c in (1) IRCD-hybrid 7.2.2 and 7.2.3, (2) ircd-ratbox before 2.2.9, and (3) oftc-hybrid before 1.6.8, when flatten_links is disabled, allows remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via a LINKS command.

Published Feb 4, 2010 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2009-0362: filter.d/wuftpd.conf in Fail2ban 0.8.3 uses an incorrect regular expression that allows remote attackers to...

filter.d/wuftpd.conf in Fail2ban 0.8.3 uses an incorrect regular expression that allows remote attackers to cause a denial of service (forced authentication failures) via a crafted reverse-resolved DNS name (rhost) entry that contains a substring that is interpreted as an IP address, a different vulnerability than CVE-2007-4321.

Published Feb 13, 2009 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2009-0622: Unspecified vulnerability in Cisco ACE Application Control Engine Module for Catalyst 6500 Switches and 760...

Unspecified vulnerability in Cisco ACE Application Control Engine Module for Catalyst 6500 Switches and 7600 Routers before A2(1.2) and Cisco ACE 4710 Application Control Engine Appliance before A1(8a) allows remote authenticated users to execute arbitrary operating-system commands through a command line interface (CLI).

Published Feb 26, 2009 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2009-0620: Cisco ACE Application Control Engine Module for Catalyst 6500 Switches and 7600 Routers before A2(1.1) uses...

Cisco ACE Application Control Engine Module for Catalyst 6500 Switches and 7600 Routers before A2(1.1) uses default (1) usernames and (2) passwords for (a) the administrator and (b) web management, which makes it easier for remote attackers to perform configuration changes or obtain operating-system access.

Published Feb 26, 2009 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2009-0624: Unspecified vulnerability in the SNMPv2c implementation in Cisco ACE Application Control Engine Module for...

Unspecified vulnerability in the SNMPv2c implementation in Cisco ACE Application Control Engine Module for Catalyst 6500 Switches and 7600 Routers before A2(1.3) and Cisco ACE 4710 Application Control Engine Appliance before A3(2.1) allows remote attackers to cause a denial of service (device reload) via a crafted SNMPv1 packet.

Published Feb 26, 2009 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2009-4013: Multiple directory traversal vulnerabilities in Lintian 1.23.x through 1.23.28, 1.24.x through 1.24.2.1, an...

Multiple directory traversal vulnerabilities in Lintian 1.23.x through 1.23.28, 1.24.x through 1.24.2.1, and 2.x before 2.3.2 allow remote attackers to overwrite arbitrary files or obtain sensitive information via vectors involving (1) control field names, (2) control field values, and (3) control files of patch systems.

Published Feb 2, 2010 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2009-0609: Sun Java System Directory Proxy Server in Sun Java System Directory Server Enterprise Edition 6.0 through 6...

Sun Java System Directory Proxy Server in Sun Java System Directory Server Enterprise Edition 6.0 through 6.3, when a JDBC data source is used, does not properly handle (1) a long value in an ADD or (2) long string attributes, which allows remote attackers to cause a denial of service (JDBC backend outage) via crafted LDAP requests.

Published Feb 17, 2009 · Updated Sep 16, 2024