Unknown · CVSS Not scored
Directory traversal vulnerability in web_client_user_guide.html in Accellion Secure File Transfer Appliance before 8_0_105 allows remote attackers to read arbitrary files via a .. (dot dot) in the lang parameter.
Published Feb 19, 2010 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Array index error in vorbis_dec.c in FFmpeg 0.5 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted Vorbis file that triggers an out-of-bounds read.
Published Feb 10, 2010 · Updated Aug 7, 2024
Unknown · CVSS Not scored
The av_rescale_rnd function in the AVI demuxer in FFmpeg 0.5 allows remote attackers to cause a denial of service (crash) via a crafted AVI file that triggers a divide-by-zero error.
Published Feb 10, 2010 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple cross-site scripting (XSS) vulnerabilities in geccBBlite 0.1 allow remote attackers to inject arbitrary web script or HTML via the postatoda parameter to (1) rispondi.php and (2) scrivi.php, which is not properly handled in forum.php.
Published Feb 22, 2010 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Stack-based buffer overflow in the dhost module in Novell eDirectory 8.8 SP5 for Windows allows remote authenticated users to cause a denial of service (dhost.exe crash) and possibly execute arbitrary code via a long string to /dhost/modules?I:.
Published Feb 26, 2010 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Accellion Secure File Transfer Appliance before 8_0_105 does not properly restrict access to sensitive commands and arguments that run with extra sudo privileges, which allows local administrators to gain privileges via (1) arbitrary arguments in the --file_move action in /usr/local/bin/admin.pl, or a hard link attack in (2) chmod or (3) a certain cp command.
Published Feb 19, 2010 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in Accellion Secure File Transfer Appliance before 7_0_296 allows remote attackers to inject arbitrary web script or HTML via the username parameter, which is not properly handled when the administrator views audit logs.
Published Feb 19, 2010 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple integer underflows in FFmpeg 0.5 allow remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted file that (1) bypasses a validation check in vorbis_dec.c and triggers a wraparound of the stack pointer, or (2) access a pointer from out-of-bounds memory in mov.c, related to an elst tag that appears before a tag that creates a stream.
Published Feb 10, 2010 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Integer overflow in FFmpeg 0.5 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors.
Published Feb 10, 2010 · Updated Aug 7, 2024
Unknown · CVSS Not scored
The (1) Conn_GetCipherInfo and (2) Conn_UsesSSL functions in src/ngircd/conn.c in ngIRCd 13 and 14, when SSL/TLS support is present and standalone mode is disabled, allow remote attackers to cause a denial of service (application crash) by sending the MOTD command from another server in the same IRC network, possibly related to an array index error.
Published Feb 26, 2010 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Accellion Secure File Transfer Appliance before 8_0_105 allows remote authenticated administrators to bypass the restricted shell and execute arbitrary commands via shell metacharacters to the ping command, as demonstrated by modifying the cli program.
Published Feb 19, 2010 · Updated Aug 7, 2024
Unknown · CVSS Not scored
FFmpeg 0.5 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors that trigger a stack-based buffer overflow.
Published Feb 10, 2010 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Stack-based buffer overflow in the dhost module in Novell eDirectory 8.8 SP5 for Windows allows remote authenticated users to execute arbitrary code via long sadminpwd and verifypwd parameters in a submit action to /dhost/httpstk.
Published Feb 26, 2010 · Updated Aug 7, 2024
Unknown · CVSS Not scored
FFmpeg 0.5 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted MOV container with improperly ordered tags that cause (1) mov.c and (2) utils.c to use inconsistent codec types and identifiers, leading to processing of a video-structure pointer by the mp3 decoder, and a stack-based buffer overflow.
Published Feb 10, 2010 · Updated Aug 7, 2024
Unknown · CVSS Not scored
vorbis_dec.c in FFmpeg 0.5 uses an assignment operator when a comparison operator was intended, which might allow remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted file that modifies a loop counter and triggers a heap-based buffer overflow.
Published Feb 10, 2010 · Updated Aug 7, 2024
Unknown · CVSS Not scored
oggparsevorbis.c in FFmpeg 0.5 does not properly perform certain pointer arithmetic, which might allow remote attackers to obtain sensitive memory contents and cause a denial of service via a crafted file that triggers an out-of-bounds read.
Published Feb 10, 2010 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Stack-based buffer overflow in converter/ppm/xpmtoppm.c in netpbm before 10.47.07 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an XPM image file that contains a crafted header field associated with a large color index value.
Published Feb 12, 2010 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in proxy/smhui/getuiinfo in HP System Management Homepage (SMH) before 6.0 allows remote attackers to inject arbitrary web script or HTML via the servercert parameter.
Published Feb 5, 2010 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Unspecified vulnerability in HP Enterprise Cluster Master Toolkit (ECMT) B.05.00 on HP-UX B.11.23 (11i v2) and HP-UX B.11.31 (11i v3) allows local users to gain access to an Oracle or Sybase database via unknown vectors.
Published Feb 3, 2010 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Buffer overflow in the auerswald_probe function in the Auerswald Linux USB driver for the Linux kernel before 2.6.27 allows physically proximate attackers to execute arbitrary code, cause a denial of service via a crafted USB device, or take full control of the system.
Published Feb 11, 2020 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Mozilla Firefox 3.0.x before 3.0.18 and 3.5.x before 3.5.8, and SeaMonkey before 2.0.3, does not properly restrict read access to object properties in showModalDialog, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via crafted dialogArguments values.
Published Feb 21, 2010 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Bugzilla before 3.0.11, 3.2.x before 3.2.6, 3.4.x before 3.4.5, and 3.5.x before 3.5.3 does not block access to files and directories that are used by custom installations, which allows remote attackers to obtain sensitive information via requests for (1) CVS/, (2) contrib/, (3) docs/en/xml/, (4) t/, or (5) old-params.txt.
Published Feb 3, 2010 · Updated Aug 7, 2024
Unknown · CVSS Not scored
The ActiveScan Installer ActiveX control in as2stubie.dll before 1.3.3.0 in PandaActiveScan Installer 2.0 in Panda ActiveScan downloads software in an as2guiie.cab archive located at an arbitrary URL, and does not verify the archive's digital signature before installation, which allows remote attackers to execute arbitrary code via a URL argument to an unspecified method.
Published Feb 11, 2010 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Bugzilla 3.3.1 through 3.4.4, 3.5.1, and 3.5.2 does not allow group restrictions to be preserved throughout the process of moving a bug to a different product category, which allows remote attackers to obtain sensitive information via a request for a bug in opportunistic circumstances.
Published Feb 3, 2010 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Integer underflow in filter/ww8/ww8par2.cxx in OpenOffice.org (OOo) before 3.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted sprmTDefTable table property modifier in a Word document.
Published Feb 16, 2010 · Updated Aug 7, 2024
Unknown · CVSS Not scored
filter/ww8/ww8par2.cxx in OpenOffice.org (OOo) before 3.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted sprmTSetBrc table property modifier in a Word document, related to a "boundary error flaw."
Published Feb 16, 2010 · Updated Aug 7, 2024
Unknown · CVSS Not scored
The web console in Symantec Altiris Notification Server 6.0.x before 6.0 SP3 R12 uses a hardcoded key that can decrypt SQL Server credentials and certain discovery credentials, and stores this key on the Notification Server machine, which allows local users to obtain sensitive information and possibly execute arbitrary code by decrypting and using these credentials.
Published Feb 2, 2010 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in the console in Symantec IM Manager 8.3 and 8.4 before 8.4.13 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Published Feb 23, 2010 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Heap-based buffer overflow in the GIFLZWDecompressor::GIFLZWDecompressor function in filter.vcl/lgif/decode.cxx in OpenOffice.org (OOo) before 3.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted GIF file, related to LZW decompression.
Published Feb 16, 2010 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Integer overflow in the XPMReader::ReadXPM function in filter.vcl/ixpm/svt_xpmread.cxx in OpenOffice.org (OOo) before 3.2 allows remote attackers to execute arbitrary code via a crafted XPM file that triggers a heap-based buffer overflow.
Published Feb 16, 2010 · Updated Aug 7, 2024
Unknown · CVSS Not scored
IBM WebSphere Commerce 7.0 does not properly encrypt data in a database, which makes it easier for local users to obtain sensitive information by defeating cryptographic protection mechanisms.
Published Feb 5, 2010 · Updated Aug 7, 2024
Unknown · CVSS Not scored
IBM WebSphere Service Registry and Repository (WSRR) 6.3.0 before FP2 does not have the intended configuration properties, which allows remote authenticated users to obtain unspecified data access via a property query.
Published Feb 4, 2010 · Updated Aug 7, 2024
Unknown · CVSS Not scored
IBM WebSphere Commerce 7.0 uses the same cryptographic key for session attributes and merchant data encryption, which has unspecified impact and remote attack vectors.
Published Feb 5, 2010 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Use-after-free vulnerability in the HTML parser in Mozilla Firefox 3.0.x before 3.0.18 and 3.5.x before 3.5.8, Thunderbird before 3.0.2, and SeaMonkey before 2.0.3 allows remote attackers to execute arbitrary code via unspecified method calls that attempt to access freed objects in low-memory situations.
Published Feb 21, 2010 · Updated Aug 7, 2024
Unknown · CVSS Not scored
The make_indexed_dir function in fs/ext4/namei.c in the Linux kernel 2.6.27 before 2.6.27.19 and 2.6.28 before 2.6.28.7 does not validate a certain rec_len field, which allows local users to cause a denial of service (OOPS) by attempting to mount a crafted ext4 filesystem.
Published Feb 27, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Heap-based buffer overflow in MultimediaPlayer.exe 6.86.240.7 in Nokia PC Suite 6.86.9.3 allows remote attackers to execute arbitrary code via a long string in a .m3u playlist file.
Published Feb 25, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Apple Safari 4 Beta build 528.16 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a feeds: URI beginning with a (1) % (percent), (2) { (open curly bracket), (3) } (close curly bracket), (4) ^ (caret), (5) ` (backquote), or (6) | (pipe) character, followed by an & (ampersand) character.
Published Feb 27, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Directory traversal vulnerability in lib/classes/message_class.php in Papoo CMS 3.6, when register_globals is enabled and magic_quotes_gpc is disabled, allows remote attackers to read and possibly execute arbitrary files via a .. (dot dot) in the pfadhier parameter. NOTE: some of these details are obtained from third party information.
Published Feb 25, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in login.php in MyNews 0.10 allows remote attackers to execute arbitrary SQL commands via the (1) username and (2) passwd parameters.
Published Feb 25, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
The ext4_isize function in fs/ext4/ext4.h in the Linux kernel 2.6.27 before 2.6.27.19 and 2.6.28 before 2.6.28.7 uses the i_size_high structure member during operations on arbitrary types of files, which allows local users to cause a denial of service (CPU consumption and error-message flood) by attempting to mount a crafted ext4 filesystem.
Published Feb 27, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in the Phoca Documentation (com_phocadocumentation) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a section action to index.php.
Published Feb 23, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple PHP remote file inclusion vulnerabilities in index.php in Cybershade CMS 0.2b, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the (1) THEME_header and (2) THEME_footer parameters.
Published Feb 23, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in login.php in BlueBird Prelease allows remote attackers to execute arbitrary SQL commands via the (1) username and (2) passwd parameters.
Published Feb 25, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in jobdetails.php in taifajobs 1.0 and earlier allows remote attackers to execute arbitrary SQL commands via the jobid parameter.
Published Feb 24, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in admin/index.php in PowerClan 1.14a allows remote attackers to execute arbitrary SQL commands via the loginemail parameter (aka login field). NOTE: some of these details are obtained from third party information.
Published Feb 23, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple cross-site scripting (XSS) vulnerabilities in the web-based installer (config/index.php) in MediaWiki 1.6 before 1.6.12, 1.12 before 1.12.4, and 1.13 before 1.13.4, when the installer is in active use, allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Published Feb 25, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple cross-site request forgery (CSRF) vulnerabilities in SemanticScuttle before 0.91 allow remote attackers to (1) hijack the authentication of administrators via unknown vectors or (2) hijack the authentication of arbitrary users via vectors involving the profile page.
Published Feb 23, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in login.php in Auth Php 1.0 allows remote attackers to execute arbitrary SQL commands via the (1) username and (2) passwd parameters.
Published Feb 25, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple SQL injection vulnerabilities in the GigCalendar (com_gigcal) component 1.0 for Mambo and Joomla!, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via (1) the gigcal _venues_id parameter in a details action to index.php, which is not properly handled by venuedetails.php, and (2) the gigcal_bands_id parameter in a details action to index.php, which is not properly handled by banddetails.php, different vectors than CVE-2009-0726.
Published Feb 24, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in Login.asp in Craft Silicon Banking@Home 2.1 and earlier allows remote attackers to execute arbitrary SQL commands via the LoginName parameter.
Published Feb 25, 2009 · Updated Aug 7, 2024