LiveActive security incident?Get immediate response
CVE archive

April 2009

Browse CVE records published in April 2009, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 435 matching CVEs · Page 2 of 9.

Unknown · CVSS Not scored

CVE-2009-4793: Unrestricted file upload vulnerability in adminpanel/scripts/addphotos.php in BandSite CMS 1.1.4 allows rem...

Unrestricted file upload vulnerability in adminpanel/scripts/addphotos.php in BandSite CMS 1.1.4 allows remote authenticated administrators to execute arbitrary PHP code by uploading a file with an executable extension via an addphotos action to adminpanel/index.php, and then accessing the file via a direct request with an images/gallery/ directory name. NOTE: some of these details are obtained from third party information.

Published Apr 22, 2010 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2009-4811: VMware Authentication Daemon 1.0 in vmware-authd.exe in the VMware Authorization Service in VMware Workstat...

VMware Authentication Daemon 1.0 in vmware-authd.exe in the VMware Authorization Service in VMware Workstation 7.0 before 7.0.1 build 227600 and 6.5.x before 6.5.4 build 246459, VMware Player 3.0 before 3.0.1 build 227600 and 2.5.x before 2.5.4 build 246459, VMware ACE 2.6 before 2.6.1 build 227600 and 2.5.x before 2.5.4 build 246459, and VMware Server 2.x allows remote attackers to cause a denial of service (process crash) via a \x25\x90 sequence in the USER and PASS commands, a related issue to CVE-2009-3707. NOTE: some of these details are obtained from third party information.

Published Apr 27, 2010 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2009-4791: Multiple SQL injection vulnerabilities in Family Connections (aka FCMS) before 1.8.2 allow remote attackers...

Multiple SQL injection vulnerabilities in Family Connections (aka FCMS) before 1.8.2 allow remote attackers to execute arbitrary SQL commands via the (1) letter parameter to addressbook.php, (2) id parameter to recipes.php, (3) year parameter to register.php, (4) poll_id parameter to home.php, and (5) email parameter to lostpw.php.

Published Apr 22, 2010 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2009-4782: Multiple cross-site scripting (XSS) vulnerabilities in Theeta CMS, possibly 0.01, allow remote attackers to...

Multiple cross-site scripting (XSS) vulnerabilities in Theeta CMS, possibly 0.01, allow remote attackers to inject arbitrary web script or HTML via the (1) start, (2) forum, and (3) cat parameters to community/thread.php; (4) start and (5) cat parameters to community/forum.php; and (6) start parameter to blog/index.php.

Published Apr 21, 2010 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2009-4777: Unspecified vulnerability in multiple versions of Hitachi JP1/Automatic Job Management System 2 - View, JP1...

Unspecified vulnerability in multiple versions of Hitachi JP1/Automatic Job Management System 2 - View, JP1/Integrated Management - View, and JP1/Cm2/SNMP System Observer, allows remote attackers to cause a denial of service ("abnormal" termination) via vectors related to the display of an "invalid GIF file."

Published Apr 21, 2010 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2009-4509: The administrative web console on the TANDBERG Video Communication Server (VCS) before X4.3 uses predictabl...

The administrative web console on the TANDBERG Video Communication Server (VCS) before X4.3 uses predictable session cookies in (1) tandberg/web/lib/secure.php and (2) tandberg/web/user/lib/secure.php, which makes it easier for remote attackers to bypass authentication, and execute arbitrary code by loading a custom software update, via a crafted "Cookie: tandberg_login=" HTTP header.

Published Apr 13, 2010 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2009-2936: The Command Line Interface (aka Server CLI or administration interface) in the master process in the revers...

The Command Line Interface (aka Server CLI or administration interface) in the master process in the reverse proxy server in Varnish before 2.1.0 does not require authentication for commands received through a TCP port, which allows remote attackers to (1) execute arbitrary code via a vcl.inline directive that provides a VCL configuration file containing inline C code; (2) change the ownership of the master process via param.set, stop, and start directives; (3) read the initial line of an arbitrary file via a vcl.load directive; or (4) conduct cross-site request forgery (CSRF) attacks that leverage a victim's location on a trusted network and improper input validation of directives. NOTE: the vendor disputes this report, saying that it is "fundamentally misguided and pointless.

Published Apr 5, 2010 · Updated Aug 7, 2024