LiveActive security incident?Get immediate response
CVE archive

April 2009

Browse CVE records published in April 2009, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 435 matching CVEs · Page 3 of 9.

Unknown · CVSS Not scored

CVE-2009-1564: Heap-based buffer overflow in vmnc.dll in the VMnc media codec in VMware Movie Decoder before 6.5.4 Build 2...

Heap-based buffer overflow in vmnc.dll in the VMnc media codec in VMware Movie Decoder before 6.5.4 Build 246459 on Windows, and the movie decoder in VMware Workstation 6.5.x before 6.5.4 build 246459, VMware Player 2.5.x before 2.5.4 build 246459, and VMware Server 2.x on Windows, allows remote attackers to execute arbitrary code via an AVI file with crafted video chunks that use HexTile encoding.

Published Apr 12, 2010 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2009-1565: vmnc.dll in the VMnc media codec in VMware Movie Decoder before 6.5.4 Build 246459 on Windows, and the movi...

vmnc.dll in the VMnc media codec in VMware Movie Decoder before 6.5.4 Build 246459 on Windows, and the movie decoder in VMware Workstation 6.5.x before 6.5.4 build 246459, VMware Player 2.5.x before 2.5.4 build 246459, and VMware Server 2.x on Windows, allows remote attackers to execute arbitrary code via an AVI file with crafted HexTile-encoded video chunks that trigger heap-based buffer overflows, related to "integer truncation errors."

Published Apr 12, 2010 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2009-1338: The kill_something_info function in kernel/signal.c in the Linux kernel before 2.6.28 does not consider PID...

The kill_something_info function in kernel/signal.c in the Linux kernel before 2.6.28 does not consider PID namespaces when processing signals directed to PID -1, which allows local users to bypass the intended namespace isolation, and send arbitrary signals to all processes in all namespaces, via a kill command.

Published Apr 22, 2009 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2009-1446: Unrestricted file upload vulnerability in upload.php in Elkagroup Image Gallery 1.0 allows remote authentic...

Unrestricted file upload vulnerability in upload.php in Elkagroup Image Gallery 1.0 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in gallery/pictures/. NOTE: some of these details are obtained from third party information.

Published Apr 27, 2009 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2009-1481: SQL injection vulnerability in action.asp in PuterJam's Blog (PJBlog3) 3.0.6.170 allows remote attackers to...

SQL injection vulnerability in action.asp in PuterJam's Blog (PJBlog3) 3.0.6.170 allows remote attackers to execute arbitrary SQL commands via the cname parameter in a checkAlias action, as exploited in the wild in April 2009. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Published Apr 29, 2009 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2009-1493: The customDictionaryOpen spell method in the JavaScript API in Adobe Reader 9.1, 8.1.4, 7.1.1, and earlier...

The customDictionaryOpen spell method in the JavaScript API in Adobe Reader 9.1, 8.1.4, 7.1.1, and earlier on Linux and UNIX allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a PDF file that triggers a call to this method with a long string in the second argument.

Published Apr 30, 2009 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2009-1430: Multiple stack-based buffer overflows in IAO.EXE in the Intel Alert Originator Service in Symantec Alert Ma...

Multiple stack-based buffer overflows in IAO.EXE in the Intel Alert Originator Service in Symantec Alert Management System 2 (AMS2), as used in Symantec System Center (SSS); Symantec AntiVirus Server; Symantec AntiVirus Central Quarantine Server; Symantec AntiVirus (SAV) Corporate Edition 9 before 9.0 MR7, 10.0 and 10.1 before 10.1 MR8, and 10.2 before 10.2 MR2; Symantec Client Security (SCS) 2 before 2.0 MR7 and 3 before 3.1 MR8; and Symantec Endpoint Protection (SEP) before 11.0 MR3, allow remote attackers to execute arbitrary code via (1) a crafted packet or (2) data that ostensibly arrives from the MsgSys.exe process.

Published Apr 29, 2009 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2009-1428: Multiple cross-site scripting (XSS) vulnerabilities in ccLgView.exe in the Symantec Log Viewer, as used in...

Multiple cross-site scripting (XSS) vulnerabilities in ccLgView.exe in the Symantec Log Viewer, as used in Symantec AntiVirus (SAV) before 10.1 MR8, Symantec Endpoint Protection (SEP) 11.0 before 11.0 MR1, Norton 360 1.0, and Norton Internet Security 2005 through 2008, allow remote attackers to inject arbitrary web script or HTML via a crafted e-mail message, related to "two parsing errors."

Published Apr 29, 2009 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2009-1492: The getAnnots Doc method in the JavaScript API in Adobe Reader and Acrobat 9.1, 8.1.4, 7.1.1, and earlier a...

The getAnnots Doc method in the JavaScript API in Adobe Reader and Acrobat 9.1, 8.1.4, 7.1.1, and earlier allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a PDF file that contains an annotation, and has an OpenAction entry with JavaScript code that calls this method with crafted integer arguments.

Published Apr 30, 2009 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2009-1431: XFR.EXE in the Intel File Transfer service in the console in Symantec Alert Management System 2 (AMS2), as...

XFR.EXE in the Intel File Transfer service in the console in Symantec Alert Management System 2 (AMS2), as used in Symantec System Center (SSS); Symantec AntiVirus Server; Symantec AntiVirus Central Quarantine Server; Symantec AntiVirus (SAV) Corporate Edition 9 before 9.0 MR7, 10.0 and 10.1 before 10.1 MR8, and 10.2 before 10.2 MR2; Symantec Client Security (SCS) 2 before 2.0 MR7 and 3 before 3.1 MR8; and Symantec Endpoint Protection (SEP) before 11.0 MR3, allows remote attackers to execute arbitrary code by placing the code on a (1) share or (2) WebDAV server, and then sending the UNC share pathname to this service.

Published Apr 29, 2009 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2009-1445: Multiple directory traversal vulnerabilities in WebPortal CMS 0.8-beta allow remote attackers to (1) read a...

Multiple directory traversal vulnerabilities in WebPortal CMS 0.8-beta allow remote attackers to (1) read arbitrary files via directory traversal sequences in the lang parameter to libraries/helpdocs/help.php and (2) include and execute arbitrary local files via directory traversal sequences in the error parameter to index.php.

Published Apr 27, 2009 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2009-1432: Symantec Reporting Server, as used in Symantec AntiVirus (SAV) Corporate Edition 10.1 before 10.1 MR8 and 1...

Symantec Reporting Server, as used in Symantec AntiVirus (SAV) Corporate Edition 10.1 before 10.1 MR8 and 10.2 before 10.2 MR2, Symantec Client Security (SCS) before 3.1 MR8, and the Symantec Endpoint Protection Manager (SEPM) component in Symantec Endpoint Protection (SEP) before 11.0 MR2, allows remote attackers to inject arbitrary text into the login screen, and possibly conduct phishing attacks, via vectors involving a URL that is not properly handled.

Published Apr 30, 2009 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2009-1417: gnutls-cli in GnuTLS before 2.6.6 does not verify the activation and expiration times of X.509 certificates...

gnutls-cli in GnuTLS before 2.6.6 does not verify the activation and expiration times of X.509 certificates, which allows remote attackers to successfully present a certificate that is (1) not yet valid or (2) no longer valid, related to lack of time checks in the _gnutls_x509_verify_certificate function in lib/x509/verify.c in libgnutls_x509, as used by (a) Exim, (b) OpenLDAP, and (c) libsoup.

Published Apr 30, 2009 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2009-1482: Multiple cross-site scripting (XSS) vulnerabilities in action/AttachFile.py in MoinMoin 1.8.2 and earlier a...

Multiple cross-site scripting (XSS) vulnerabilities in action/AttachFile.py in MoinMoin 1.8.2 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) an AttachFile sub-action in the error_msg function or (2) multiple vectors related to package file errors in the upload_form function, different vectors than CVE-2009-0260.

Published Apr 29, 2009 · Updated Aug 7, 2024