Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in search.php in VidSharePro allows remote attackers to inject arbitrary web script or HTML via the searchtxt parameter. NOTE: some of these details are obtained from third party information.
Published May 20, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Directory traversal vulnerability in InstallHFZ.exe 6.5.201.0 in Pinnacle Hollywood Effects 6, a module in Pinnacle Systems Pinnacle Studio 12, allows remote attackers to create and overwrite arbitrary files via a filename containing a ..\ (dot dot backslash) sequence in a Hollywood FX Compressed Archive (.hfz) file. NOTE: this can be leveraged for code execution by decompressing a file to a Startup folder. NOTE: some of these details are obtained from third party information.
Published May 21, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
PAD Site Scripts 3.6 allows remote attackers to bypass authentication and gain privileges as other users, including administrative privileges, by setting the authuser cookie parameter to a valid username.
Published May 20, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple heap-based buffer overflows in the D-Link MPEG4 Viewer ActiveX Control (csviewer.ocx) 2.11.918.2006 allow remote attackers to execute arbitrary code via a long argument to the (1) SetFilePath and (2) SetClientCookie methods. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Published May 20, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in Feed Block 6.x-1.x before 6.x-1.1, a module for Drupal, allows remote authenticated users with administrator feed permissions to inject arbitrary web script or HTML via unspecified vectors in "aggregator items."
Published May 20, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in the GridSupport (GS) Ticket System (com_gsticketsystem) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the catid parameter in a viewCategory action to index.php.
Published May 20, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
code.php in PC4Arb Pc4 Uploader 9.0 and earlier makes it easier for remote attackers to conduct SQL injection attacks via crafted keyword sequences that are removed from a filter in the id parameter in a banner action, as demonstrated via the "UNIunionON" string, which is collapsed into "UNION" by the filter_sql function.
Published May 20, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple SQL injection vulnerabilities in login.php in DM FileManager 3.9.2, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) Username and (2) Password fields.
Published May 20, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Techno Dreams Job Career Package 3.0 allows remote attackers to bypass authentication and obtain administrative access by setting the JobCareerAdmin cookie to Login.
Published May 15, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in admin/usermanager in IPplan 4.91a allows remote attackers to inject arbitrary web script or HTML via the grp parameter.
Published May 20, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in questiondetail.php in Easy Scripts Answer and Question Script allows remote attackers to inject arbitrary web script or HTML via the questionid parameter.
Published May 16, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Directory traversal vulnerability in bom.php in MyPic 2.1 allows remote attackers to list files in arbitrary directories via a .. (dot dot) in the dir parameter.
Published May 20, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Cross-site request forgery (CSRF) vulnerability in IPplan 4.91a allows remote attackers to hijack the authentication of administrators for requests that (1) change the password, (2) add users, or (3) delete users via unknown vectors.
Published May 20, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
admin/adminaddeditdetails.php in Business Community Script does not properly restrict access, which allows remote attackers to gain privileges and add administrators via a direct request.
Published May 16, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Stack-based buffer overflow in Mini-stream CastRipper 2.50.70 allows remote attackers to execute arbitrary code via a long entry in a .m3u file, a different vector than CVE-2009-5137.
Published May 18, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple static code injection vulnerabilities in the saveFeed function in rss/feedcreator.class.php in Bitweaver 2.6 and earlier allow (1) remote authenticated users to inject arbitrary PHP code into files by placing PHP sequences into the account's "display name" setting and then invoking boards/boards_rss.php, and might allow (2) remote attackers to inject arbitrary PHP code into files via the HTTP Host header in a request to boards/boards_rss.php.
Published May 18, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
user/index.php in TCPDB 3.8 does not require administrative authentication, which allows remote attackers to add admin accounts via unspecified vectors. NOTE: some of these details are obtained from third party information.
Published May 18, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Stack-based buffer overflow in ElectraSoft 32bit FTP 09.04.24 allows remote FTP servers to execute arbitrary code via a long 227 reply to a PASV command.
Published May 18, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
The smarty_function_math function in libs/plugins/function.math.php in Smarty 2.6.22 allows context-dependent attackers to execute arbitrary commands via shell metacharacters in the equation attribute of the math function. NOTE: some of these details are obtained from third party information.
Published May 18, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple stack-based buffer overflows in Mini-stream Ripper 3.0.1.1 allow remote attackers to execute arbitrary code via (1) a long rtsp URL in a .ram file and (2) a long string in the HREF attribute of a REF element in a .asx file.
Published May 15, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple directory traversal vulnerabilities in NetMechanica NetDecision TFTP Server 4.2 allow remote attackers to read or modify arbitrary files via directory traversal sequences in the (1) GET or (2) PUT command.
Published May 20, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple SQL injection vulnerabilities in the Starrating plugin before 0.7.7 for b2evolution allow remote attackers to execute arbitrary SQL commands via unspecified vectors.
Published May 17, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in admin/member_details.php in 2daybiz Business Community Script allows remote attackers to execute arbitrary SQL commands via the mid parameter.
Published May 16, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
TYPSoft FTP Server 1.11 allows remote attackers to cause a denial of service (CPU consumption) by sending an ABOR (abort) command without an active file transfer.
Published May 18, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Stack-based buffer overflow in Sorinara Soritong MP3 Player 1.0 allows remote attackers to execute arbitrary code via a crafted .m3u file.
Published May 15, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple stack-based buffer overflows in Mini-stream ASX to MP3 Converter 3.0.0.7 allow remote attackers to execute arbitrary code via (1) a long rtsp URL in a .ram file and (2) a long string in the HREF attribute of a REF element in a .asx file. NOTE: the latter was also subsequently reported in "prior to 3.1.3.7."
Published May 15, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Directory traversal vulnerability in the saveFeed function in rss/feedcreator.class.php in Bitweaver 2.6 and earlier allows remote attackers to create or overwrite arbitrary files via a .. (dot dot) in the version parameter to boards/boards_rss.php.
Published May 18, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Stack-based buffer overflow in ElectraSoft 32bit FTP 09.04.24 allows remote FTP servers to execute arbitrary code via a long banner. NOTE: this might overlap CVE-2003-1368.
Published May 8, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
The Deployment Toolkit ActiveX control in deploytk.dll 6.0.130.3 in Sun Java SE Runtime Environment (aka JRE) 6 Update 13 allows remote attackers to (1) execute arbitrary code via a .jnlp URL in the argument to the launch method, and might allow remote attackers to launch JRE installation processes via the (2) installLatestJRE or (3) installJRE method.
Published May 18, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Unrestricted file upload vulnerability in myaccount.php in Easy Scripts Answer and Question Script allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in the uploads/[username] directory.
Published May 17, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple cross-site scripting (XSS) vulnerabilities in Sun Java System Communications Express 6 2005Q4 (aka 6.2) and 6.3 allow remote attackers to inject arbitrary web script or HTML via (1) the abperson_displayName parameter to uwc/abs/search.xml in the Add Contact implementation in the Personal Address Book component or (2) the temporaryCalendars parameter to uwc/base/UWCMain.
Published May 21, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple SQL injection vulnerabilities in admin/login.php in Wright Way Services Recipe Script 5 allow remote attackers to execute arbitrary SQL commands via the (1) username and (2) Password fields, as reachable from admin/index.php.
Published May 17, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
The kernel in Sun Solaris 9 allows local users to cause a denial of service (panic) by calling fstat with a first argument of AT_FDCWD.
Published May 18, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
myaccount.php in Easy Scripts Answer and Question Script allows remote attackers to remove arbitrary user accounts via a modified userid parameter without specifying any additional fields.
Published May 17, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Xerox WorkCentre and WorkCentre Pro 232, 238, 245, 255, 265, 275; and WorkCentre 5632, 5638, 5645, 5655, 5665, 5675, 5687, 7655, 7656, and 7675 allows remote attackers to execute arbitrary commands via unknown attack vectors, aka "command injection vulnerability."
Published May 16, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Stack-based buffer overflow in Sorinara Streaming Audio Player 0.9 allows remote attackers to execute arbitrary code via a crafted .pla file.
Published May 15, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in panel/index.php in MLFFAT 2.1 allows remote attackers to execute arbitrary SQL commands via a base64-encoded supervisor cookie.
Published May 20, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in admin/utopic.php in uTopic 1.0, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the rating parameter to index.php.
Published May 17, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
myaccount.php in Easy Scripts Answer and Question Script does not verify the original password before changing passwords, which allows remote attackers to change the password of other users and gain privileges via modified userid, txtpassword, and txtRpassword parameters.
Published May 17, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in listing_video.php in VidSharePro allows remote attackers to execute arbitrary SQL commands via the catid parameter.
Published May 20, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple SQL injection vulnerabilities in admin/admin.php in Realty Webware Technologies Realty Web-Base 1.0 allow remote attackers to execute arbitrary SQL commands via the (1) user (username) and (2) password parameters. NOTE: some of these details are obtained from third party information.
Published May 17, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple buffer overflows in the Internet Agent (aka GWIA) component in Novell GroupWise 7.x before 7.03 HP3 and 8.x before 8.0 HP2 allow remote attackers to execute arbitrary code via (1) a crafted e-mail address in an SMTP session or (2) an SMTP command.
Published May 26, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Stack-based buffer overflow in Mini-stream RM Downloader 3.0.0.9 allows remote attackers to execute arbitrary code via a long rtsp URL in a .ram file.
Published May 15, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Google Chrome executes DOM calls in response to a javascript: URI in the target attribute of a submit element within a form contained in an inline PDF file, which might allow remote attackers to bypass intended Adobe Acrobat JavaScript restrictions on accessing the document object, as demonstrated by a web site that permits PDF uploads by untrusted users, and therefore has a shared document.domain between the web site and this javascript: URI. NOTE: the researcher reports that Adobe's position is "a PDF file is active content."
Published May 11, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Stack-based buffer overflow in Microchip MPLAB IDE 8.30 allows user-assisted remote attackers to execute arbitrary code via a long .cof pathname in a [TOOL_SETTINGS] section in a .mcp file, possibly a related issue to CVE-2009-1608.
Published May 18, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Directory traversal vulnerability in arch.php in beLive 0.2.3 allows remote attackers to read arbitrary files via a .. (dot dot) in the arch parameter.
Published May 16, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Stack-based buffer overflow in URUWorks ViPlay3 3.0 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long file entry in a .vpl file.
Published May 17, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Unrestricted file upload vulnerability in admin/uploadimage.php in eLitius 1.0 allows remote attackers to bypass intended access restrictions and upload and execute arbitrary files via an avatar file with an accepted Content-Type such as image/gif, then requesting the file in admin/banners/.
Published May 17, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Multiple stack-based buffer overflows in Mini-stream Easy RM-MP3 Converter 3.0.0.7 allow remote attackers to execute arbitrary code via (1) a long rtsp URL in a .ram file and (2) a long string in the HREF attribute of a REF element in a .asx file.
Published May 15, 2009 · Updated Aug 7, 2024
Unknown · CVSS Not scored
Stack-based buffer overflow in Nucleus Data Recovery Kernel Recovery for Macintosh 4.04 allows user-assisted attackers to execute arbitrary code via a crafted .AMHH file.
Published May 15, 2009 · Updated Aug 7, 2024