LiveActive security incident?Get immediate response
CVE archive

February 2009

Browse CVE records published in February 2009, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 392 matching CVEs · Page 2 of 8.

Unknown · CVSS Not scored

CVE-2009-4648: Accellion Secure File Transfer Appliance before 8_0_105 does not properly restrict access to sensitive comm...

Accellion Secure File Transfer Appliance before 8_0_105 does not properly restrict access to sensitive commands and arguments that run with extra sudo privileges, which allows local administrators to gain privileges via (1) arbitrary arguments in the --file_move action in /usr/local/bin/admin.pl, or a hard link attack in (2) chmod or (3) a certain cp command.

Published Feb 19, 2010 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2009-4634: Multiple integer underflows in FFmpeg 0.5 allow remote attackers to cause a denial of service and possibly...

Multiple integer underflows in FFmpeg 0.5 allow remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted file that (1) bypasses a validation check in vorbis_dec.c and triggers a wraparound of the stack pointer, or (2) access a pointer from out-of-bounds memory in mov.c, related to an elst tag that appears before a tag that creates a stream.

Published Feb 10, 2010 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2009-4652: The (1) Conn_GetCipherInfo and (2) Conn_UsesSSL functions in src/ngircd/conn.c in ngIRCd 13 and 14, when SS...

The (1) Conn_GetCipherInfo and (2) Conn_UsesSSL functions in src/ngircd/conn.c in ngIRCd 13 and 14, when SSL/TLS support is present and standalone mode is disabled, allow remote attackers to cause a denial of service (application crash) by sending the MOTD command from another server in the same IRC network, possibly related to an array index error.

Published Feb 26, 2010 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2009-4635: FFmpeg 0.5 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a c...

FFmpeg 0.5 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted MOV container with improperly ordered tags that cause (1) mov.c and (2) utils.c to use inconsistent codec types and identifiers, leading to processing of a video-structure pointer by the mp3 decoder, and a stack-based buffer overflow.

Published Feb 10, 2010 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2009-3988: Mozilla Firefox 3.0.x before 3.0.18 and 3.5.x before 3.5.8, and SeaMonkey before 2.0.3, does not properly r...

Mozilla Firefox 3.0.x before 3.0.18 and 3.5.x before 3.5.8, and SeaMonkey before 2.0.3, does not properly restrict read access to object properties in showModalDialog, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via crafted dialogArguments values.

Published Feb 21, 2010 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2009-3989: Bugzilla before 3.0.11, 3.2.x before 3.2.6, 3.4.x before 3.4.5, and 3.5.x before 3.5.3 does not block acces...

Bugzilla before 3.0.11, 3.2.x before 3.2.6, 3.4.x before 3.4.5, and 3.5.x before 3.5.3 does not block access to files and directories that are used by custom installations, which allows remote attackers to obtain sensitive information via requests for (1) CVS/, (2) contrib/, (3) docs/en/xml/, (4) t/, or (5) old-params.txt.

Published Feb 3, 2010 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2009-3735: The ActiveScan Installer ActiveX control in as2stubie.dll before 1.3.3.0 in PandaActiveScan Installer 2.0 i...

The ActiveScan Installer ActiveX control in as2stubie.dll before 1.3.3.0 in PandaActiveScan Installer 2.0 in Panda ActiveScan downloads software in an as2guiie.cab archive located at an arbitrary URL, and does not verify the archive's digital signature before installation, which allows remote attackers to execute arbitrary code via a URL argument to an unspecified method.

Published Feb 11, 2010 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2009-3035: The web console in Symantec Altiris Notification Server 6.0.x before 6.0 SP3 R12 uses a hardcoded key that...

The web console in Symantec Altiris Notification Server 6.0.x before 6.0 SP3 R12 uses a hardcoded key that can decrypt SQL Server credentials and certain discovery credentials, and stores this key on the Notification Server machine, which allows local users to obtain sensitive information and possibly execute arbitrary code by decrypting and using these credentials.

Published Feb 2, 2010 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2009-2950: Heap-based buffer overflow in the GIFLZWDecompressor::GIFLZWDecompressor function in filter.vcl/lgif/decode...

Heap-based buffer overflow in the GIFLZWDecompressor::GIFLZWDecompressor function in filter.vcl/lgif/decode.cxx in OpenOffice.org (OOo) before 3.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted GIF file, related to LZW decompression.

Published Feb 16, 2010 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2009-1571: Use-after-free vulnerability in the HTML parser in Mozilla Firefox 3.0.x before 3.0.18 and 3.5.x before 3.5...

Use-after-free vulnerability in the HTML parser in Mozilla Firefox 3.0.x before 3.0.18 and 3.5.x before 3.5.8, Thunderbird before 3.0.2, and SeaMonkey before 2.0.3 allows remote attackers to execute arbitrary code via unspecified method calls that attempt to access freed objects in low-memory situations.

Published Feb 21, 2010 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2009-0744: Apple Safari 4 Beta build 528.16 allows remote attackers to cause a denial of service (NULL pointer derefer...

Apple Safari 4 Beta build 528.16 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a feeds: URI beginning with a (1) % (percent), (2) { (open curly bracket), (3) } (close curly bracket), (4) ^ (caret), (5) ` (backquote), or (6) | (pipe) character, followed by an & (ampersand) character.

Published Feb 27, 2009 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2009-0735: Directory traversal vulnerability in lib/classes/message_class.php in Papoo CMS 3.6, when register_globals...

Directory traversal vulnerability in lib/classes/message_class.php in Papoo CMS 3.6, when register_globals is enabled and magic_quotes_gpc is disabled, allows remote attackers to read and possibly execute arbitrary files via a .. (dot dot) in the pfadhier parameter. NOTE: some of these details are obtained from third party information.

Published Feb 25, 2009 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2009-0747: The ext4_isize function in fs/ext4/ext4.h in the Linux kernel 2.6.27 before 2.6.27.19 and 2.6.28 before 2.6...

The ext4_isize function in fs/ext4/ext4.h in the Linux kernel 2.6.27 before 2.6.27.19 and 2.6.28 before 2.6.28.7 uses the i_size_high structure member during operations on arbitrary types of files, which allows local users to cause a denial of service (CPU consumption and error-message flood) by attempting to mount a crafted ext4 filesystem.

Published Feb 27, 2009 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2009-0730: Multiple SQL injection vulnerabilities in the GigCalendar (com_gigcal) component 1.0 for Mambo and Joomla!,...

Multiple SQL injection vulnerabilities in the GigCalendar (com_gigcal) component 1.0 for Mambo and Joomla!, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via (1) the gigcal _venues_id parameter in a details action to index.php, which is not properly handled by venuedetails.php, and (2) the gigcal_bands_id parameter in a details action to index.php, which is not properly handled by banddetails.php, different vectors than CVE-2009-0726.

Published Feb 24, 2009 · Updated Aug 7, 2024