LiveActive security incident?Get immediate response
CVE archive

May 2009

Browse CVE records published in May 2009, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 378 matching CVEs · Page 4 of 8.

Unknown · CVSS Not scored

CVE-2009-1743: Directory traversal vulnerability in InstallHFZ.exe 6.5.201.0 in Pinnacle Hollywood Effects 6, a module in...

Directory traversal vulnerability in InstallHFZ.exe 6.5.201.0 in Pinnacle Hollywood Effects 6, a module in Pinnacle Systems Pinnacle Studio 12, allows remote attackers to create and overwrite arbitrary files via a filename containing a ..\ (dot dot backslash) sequence in a Hollywood FX Compressed Archive (.hfz) file. NOTE: this can be leveraged for code execution by decompressing a file to a Startup folder. NOTE: some of these details are obtained from third party information.

Published May 21, 2009 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2009-1740: Multiple heap-based buffer overflows in the D-Link MPEG4 Viewer ActiveX Control (csviewer.ocx) 2.11.918.200...

Multiple heap-based buffer overflows in the D-Link MPEG4 Viewer ActiveX Control (csviewer.ocx) 2.11.918.2006 allow remote attackers to execute arbitrary code via a long argument to the (1) SetFilePath and (2) SetClientCookie methods. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Published May 20, 2009 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2009-1742: code.php in PC4Arb Pc4 Uploader 9.0 and earlier makes it easier for remote attackers to conduct SQL injecti...

code.php in PC4Arb Pc4 Uploader 9.0 and earlier makes it easier for remote attackers to conduct SQL injection attacks via crafted keyword sequences that are removed from a filter in the id parameter in a banner action, as demonstrated via the "UNIunionON" string, which is collapsed into "UNION" by the filter_sql function.

Published May 20, 2009 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2009-1677: Multiple static code injection vulnerabilities in the saveFeed function in rss/feedcreator.class.php in Bit...

Multiple static code injection vulnerabilities in the saveFeed function in rss/feedcreator.class.php in Bitweaver 2.6 and earlier allow (1) remote authenticated users to inject arbitrary PHP code into files by placing PHP sequences into the account's "display name" setting and then invoking boards/boards_rss.php, and might allow (2) remote attackers to inject arbitrary PHP code into files via the HTTP Host header in a request to boards/boards_rss.php.

Published May 18, 2009 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2009-1642: Multiple stack-based buffer overflows in Mini-stream ASX to MP3 Converter 3.0.0.7 allow remote attackers to...

Multiple stack-based buffer overflows in Mini-stream ASX to MP3 Converter 3.0.0.7 allow remote attackers to execute arbitrary code via (1) a long rtsp URL in a .ram file and (2) a long string in the HREF attribute of a REF element in a .asx file. NOTE: the latter was also subsequently reported in "prior to 3.1.3.7."

Published May 15, 2009 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2009-1672: The Deployment Toolkit ActiveX control in deploytk.dll 6.0.130.3 in Sun Java SE Runtime Environment (aka JR...

The Deployment Toolkit ActiveX control in deploytk.dll 6.0.130.3 in Sun Java SE Runtime Environment (aka JRE) 6 Update 13 allows remote attackers to (1) execute arbitrary code via a .jnlp URL in the argument to the launch method, and might allow remote attackers to launch JRE installation processes via the (2) installLatestJRE or (3) installJRE method.

Published May 18, 2009 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2009-1729: Multiple cross-site scripting (XSS) vulnerabilities in Sun Java System Communications Express 6 2005Q4 (aka...

Multiple cross-site scripting (XSS) vulnerabilities in Sun Java System Communications Express 6 2005Q4 (aka 6.2) and 6.3 allow remote attackers to inject arbitrary web script or HTML via (1) the abperson_displayName parameter to uwc/abs/search.xml in the Add Contact implementation in the Personal Address Book component or (2) the temporaryCalendars parameter to uwc/base/UWCMain.

Published May 21, 2009 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2009-1598: Google Chrome executes DOM calls in response to a javascript: URI in the target attribute of a submit eleme...

Google Chrome executes DOM calls in response to a javascript: URI in the target attribute of a submit element within a form contained in an inline PDF file, which might allow remote attackers to bypass intended Adobe Acrobat JavaScript restrictions on accessing the document object, as demonstrated by a web site that permits PDF uploads by untrusted users, and therefore has a shared document.domain between the web site and this javascript: URI. NOTE: the researcher reports that Adobe's position is "a PDF file is active content."

Published May 11, 2009 · Updated Aug 7, 2024