Unknown · CVSS Not scored
Catalyst::Plugin::Authentication versions before 0.10_027 for Perl is susceptible to session fixation attacks.
Catalyst::Plugin::Authentication does not automatically change the session id after authentication. An attacker that obtains a session id cookie can use this to impersonate the victim.
Published Jun 9, 2026 · Updated Jun 9, 2026
Unknown · CVSS Not scored
stardict 3.0.1, when Enable Net Dict is configured, sends the contents of the clipboard to a dictionary server, which allows remote attackers to obtain sensitive information by sniffing the network.
Published Jun 30, 2009 · Updated Nov 4, 2025
High · CVSS 7.8 · CISA KEV
Stack-based buffer overflow in Microsoft Office Word 2002 SP3, 2003 SP3, and 2007 SP1 and SP2; Microsoft Office for Mac 2004 and 2008; Open XML File Format Converter for Mac; Microsoft Office Word Viewer 2003 SP3; Microsoft Office Word Viewer; and Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2 allows remote attackers to execute arbitrary code via a Word document with a crafted tag containing an invalid length field, aka "Word Buffer Overflow Vulnerability."
Published Jun 10, 2009 · Updated Oct 22, 2025
High · CVSS 7.8 · CISA KEV
Excel in Microsoft Office 2000 SP3, Office XP SP3, Office 2003 SP3, and Office 2004 and 2008 for Mac; Excel in 2007 Microsoft Office System SP1 and SP2; Open XML File Format Converter for Mac; Microsoft Office Excel Viewer 2003 SP3; Microsoft Office Excel Viewer; and Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2 allow remote attackers to execute arbitrary code via a crafted Excel file with a malformed record object, aka "Object Record Corruption Vulnerability."
Published Jun 10, 2009 · Updated Oct 22, 2025
High · CVSS 7.8 · CISA KEV
The kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 SP2 does not properly validate changes to unspecified kernel objects, which allows local users to gain privileges via a crafted application, aka "Windows Kernel Desktop Vulnerability."
Published Jun 10, 2009 · Updated Oct 22, 2025
Critical · CVSS 9.8
cpanel/login.php in EgyPlus 7ammel (aka 7ml) 1.0.1 and earlier sends a redirect to the web browser but does not exit when the supplied credentials are incorrect, which allows remote attackers to bypass authentication by providing arbitrary username and password parameters.
Published Jun 22, 2009 · Updated Jan 21, 2025
High · CVSS 8.8
Microsoft Internet Explorer 8 for Windows XP SP2 and SP3; 8 for Server 2003 SP2; 8 for Vista Gold, SP1, and SP2; and 8 for Server 2008 SP2 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code via "malformed row property references" that trigger an access of an object that (1) was not properly initialized or (2) is deleted, leading to memory corruption, aka "HTML Objects Memory Corruption Vulnerability" or "HTML Object Memory Corruption Vulnerability."
Published Jun 10, 2009 · Updated Jan 21, 2025
Critical · CVSS 9.8
_functions.php in cpCommerce 1.2.x, possibly including 1.2.9, sends a redirect but does not exit when it is called directly, which allows remote attackers to bypass a protection mechanism to conduct remote file inclusion and directory traversal attacks, execute arbitrary PHP code, or read arbitrary files via the GLOBALS[prefix] parameter, a different vector than CVE-2003-1500.
Published Jun 5, 2009 · Updated Jan 21, 2025
Unknown · CVSS Not scored
The default configuration of the Security global settings on the Citrix NetScaler Access Gateway appliance with Enterprise Edition firmware 9.0, 8.1, and earlier specifies Allow for the Default Authorization Action option, which might allow remote authenticated users to bypass intended access restrictions.
Published Jun 25, 2009 · Updated Oct 21, 2024
High · CVSS 8.1
Microsoft Internet Explorer 7 for Windows XP SP2 and SP3; 7 for Server 2003 SP2; 7 for Vista Gold, SP1, and SP2; and 7 for Server 2008 SP2 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by calling the setCapture method on a collection of crafted objects, aka "Uninitialized Memory Corruption Vulnerability."
Published Jun 10, 2009 · Updated Oct 21, 2024
Unknown · CVSS Not scored
Unrestricted file upload vulnerability in the Compose Email feature in the Emails module in Sugar Community Edition (aka SugarCRM) before 5.2f allows remote authenticated users to execute arbitrary code by uploading a file with only an extension in its name, then accessing the file via a direct request to a modified filename under cache/modules/Emails/, as demonstrated using .php as the entire original name.
Published Jun 22, 2009 · Updated Sep 17, 2024
Unknown · CVSS Not scored
The Telephony component in Apple iPhone OS 1.0 through 2.2.1 and iPhone OS for iPod touch 1.1 through 2.2.1 allows remote attackers to cause a denial of service (device reset) via a crafted ICMP echo request, which triggers an assertion error related to a "logic issue."
Published Jun 19, 2009 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Nodequeue 5.x before 5.x-2.7 and 6.x before 6.x-2.2, a module for Drupal, does not properly restrict access when displaying node titles, which has unknown impact and attack vectors.
Published Jun 16, 2009 · Updated Sep 17, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in Skip 1.0.2 and earlier, and 1.1RC2 and earlier 1.1RC versions, allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
Published Jun 4, 2009 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in the administrative page interface in Taxonomy manager 5.x before 5.x-1.2 and 6.x before 6.x-1.1, a module for Drupal, allows remote authenticated users, with administer taxonomy privileges or the ability to use free tagging to add taxonomy terms, to inject arbitrary web script or HTML via (1) vocabulary names, (2) synonyms, and (3) term names.
Published Jun 16, 2009 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Insecure method vulnerability in the PDFVIEWER.PDFViewerCtrl.1 ActiveX control (pdfviewer.ocx) in Edraw PDF Viewer Component before 3.2.0.126 allows remote attackers to create and overwrite arbitrary files via a URL argument to the FtpConnect argument and a target filename argument to the FtpDownloadFile method. NOTE: this can be leveraged for code execution by writing to a Startup folder.
Published Jun 22, 2009 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Cisco Adaptive Security Appliances (ASA) 5580 series devices with software before 8.1(2) allow remote attackers to cause a denial of service (traceback) via malformed TCP packets, aka Bug ID CSCsm84110.
Published Jun 29, 2010 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Unspecified vulnerability on Cisco Adaptive Security Appliances (ASA) 5580 series devices with software before 8.1(2) allows remote authenticated users to cause a denial of service (console hang) via a login action during failover replication, aka Bug ID CSCsq80095.
Published Jun 29, 2010 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Unspecified vulnerability on Cisco Adaptive Security Appliances (ASA) 5580 series devices with software before 8.1(2) allows remote attackers to cause a denial of service (device crash) via vectors involving SSL VPN and PPPoE transactions, aka Bug ID CSCsm77958.
Published Jun 29, 2010 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in the CQWeb server in IBM Rational ClearQuest 7.0.0 before 7.0.0.6 and 7.0.1 before 7.0.1.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Published Jun 25, 2009 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Directory traversal vulnerability in global.php in 4images before 1.7.7, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the l parameter.
Published Jun 19, 2009 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in Let's PHP! Tree BBS 2004/11/23 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Published Jun 26, 2009 · Updated Sep 17, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in close_bug.php in Elvin before 1.2.1 allows remote attackers to execute arbitrary SQL commands via the title (aka subject) field.
Published Jun 19, 2009 · Updated Sep 17, 2024
Unknown · CVSS Not scored
hagent.exe in Wyse Device Manager (WDM) 4.7.x does not require authentication for commands, which allows remote attackers to obtain management access via a crafted query, as demonstrated by a V52 query that triggers a power-off action.
Published Jun 19, 2012 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Opera, possibly before 9.25, uses the HTTP Host header to determine the context of a document provided in a (1) 4xx or (2) 5xx CONNECT response from a proxy server, which allows man-in-the-middle attackers to execute arbitrary web script by modifying this CONNECT response, aka an "SSL tampering" attack.
Published Jun 15, 2009 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in the Monitor_Bandwidth function in PRTG Traffic Grapher 6.2.2.977 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Published Jun 1, 2009 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Multiple memory leaks in the (1) IP and (2) IPv6 multicast implementation in the kernel in Sun Solaris 10, and OpenSolaris snv_67 through snv_93, allow local users to cause a denial of service (memory consumption) via vectors related to the association of (a) DL_ENABMULTI_REQ and (b) DL_DISABMULTI_REQ messages with ARP messages.
Published Jun 24, 2009 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Drupal 6.x before 6.x-2.6, a module for Drupal, allows remote authenticated users to bypass access restrictions and (1) read unpublished content from anonymous users when a view is already configured to display the content, and (2) read private content in generated queries.
Published Jun 16, 2009 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in PHP-I-BOARD 1.2 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Published Jun 26, 2009 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Microsoft Internet Explorer before 8 uses the HTTP Host header to determine the context of a document provided in a (1) 4xx or (2) 5xx CONNECT response from a proxy server, which allows man-in-the-middle attackers to execute arbitrary web script by modifying this CONNECT response, aka an "SSL tampering" attack.
Published Jun 15, 2009 · Updated Sep 17, 2024
Unknown · CVSS Not scored
SerendipityNZ (aka SimpleBoxes) Serene Bach 2.20R and earlier, and 3.00 beta023 and earlier 3.x versions, uses a predictable session id, which makes it easier for remote attackers to hijack sessions via a modified id.
Published Jun 22, 2009 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in MT312 REP-BBS allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to (1) model.php and (2) config.php with timestamps before 20090521.
Published Jun 2, 2009 · Updated Sep 17, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in include.php in phpBugTracker 1.0.4 and earlier allows remote attackers to execute arbitrary SQL commands via the username parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Published Jun 1, 2009 · Updated Sep 17, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in insidepage.php in Creative Web Solutions Multi-Level CMS 1.21 allows remote attackers to execute arbitrary SQL commands via the catid parameter. NOTE: some of these details are obtained from third party information.
Published Jun 16, 2009 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Unspecified vulnerability on Cisco Adaptive Security Appliances (ASA) 5580 series devices with software before 8.1(2) allows remote attackers to cause a denial of service (device reload) via unknown network traffic, as demonstrated by a "connection stress test," aka Bug ID CSCsq68451.
Published Jun 29, 2010 · Updated Sep 17, 2024
Unknown · CVSS Not scored
delete_bug.php in Elvin before 1.2.1 does not require administrative privileges, which allows remote authenticated users to bypass intended access restrictions and delete arbitrary bugs.
Published Jun 19, 2009 · Updated Sep 16, 2024
Unknown · CVSS Not scored
Heap-based buffer overflow in the decoder_create function in the initialization functionality in xvidcore/src/decoder.c in Xvid before 1.2.2, as used by Windows Media Player and other applications, allows remote attackers to execute arbitrary code via vectors involving the DirectShow (aka DShow) frontend and improper handling of the XVID_ERR_MEMORY return code during processing of a crafted movie file. NOTE: some of these details are obtained from third party information.
Published Jun 2, 2009 · Updated Sep 16, 2024
Unknown · CVSS Not scored
Memory leak on Cisco Adaptive Security Appliances (ASA) 5580 series devices with software before 8.1(2) allows remote attackers to cause a denial of service (memory consumption) via Subject Alternative Name fields in an X.509 certificate, aka Bug ID CSCsq17879.
Published Jun 29, 2010 · Updated Sep 16, 2024
Unknown · CVSS Not scored
Multiple heap-based buffer overflows in xvidcore/src/decoder.c in the xvidcore library in Xvid before 1.2.2, as used by Windows Media Player and other applications, allow remote attackers to execute arbitrary code by providing a crafted macroblock (aka MBlock) number in a video stream in a crafted movie file that triggers heap memory corruption, related to a "missing resync marker range check" and the (1) decoder_iframe, (2) decoder_pframe, and (3) decoder_bframe functions.
Published Jun 2, 2009 · Updated Sep 16, 2024
Unknown · CVSS Not scored
The IPv6 implementation on Cisco Adaptive Security Appliances (ASA) 5580 series devices with software before 8.1(2) exposes IP services on the "far side of the box," which might allow remote attackers to bypass intended access restrictions via IPv6 packets, aka Bug ID CSCso58622.
Published Jun 29, 2010 · Updated Sep 16, 2024
Unknown · CVSS Not scored
The Foxit JPEG2000/JBIG2 Decoder add-on before 2.0.2009.616 for Foxit Reader 3.0 before Build 1817 does not properly handle a negative value for the stream offset in a JPEG2000 (aka JPX) stream, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a crafted PDF file that triggers an out-of-bounds read.
Published Jun 23, 2009 · Updated Sep 16, 2024
Unknown · CVSS Not scored
Unspecified vulnerability on Cisco Adaptive Security Appliances (ASA) 5580 series devices with software before 8.1(2) allows remote attackers to cause a denial of service (device reload) via a high volume of SIP traffic, aka Bug ID CSCsr65901.
Published Jun 29, 2010 · Updated Sep 16, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in the Quiz module 5.x, 6.x-2.x before 6.x-2.2, and 6.x-3.x before 6.x-3.0, a module for Drupal, allows remote authenticated users, with create quizzes or quiz questions access, to inject arbitrary web script or HTML via unspecified vectors.
Published Jun 5, 2009 · Updated Sep 16, 2024
Unknown · CVSS Not scored
The CQWeb server in IBM Rational ClearQuest 7.0.0 before 7.0.0.6 and 7.0.1 before 7.0.1.5 allows attackers to discover a (1) username or (2) password via unspecified vectors.
Published Jun 25, 2009 · Updated Sep 16, 2024
Unknown · CVSS Not scored
The Foxit JPEG2000/JBIG2 Decoder add-on before 2.0.2009.616 for Foxit Reader 3.0 before Build 1817 does not properly handle a fatal error during decoding of a JPEG2000 (aka JPX) header, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a crafted PDF file that triggers an invalid memory access.
Published Jun 23, 2009 · Updated Sep 16, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in Views 6.x before 6.x-2.6, a module for Drupal, allows remote authenticated users to inject arbitrary web script or HTML via (1) exposed filters in the Views UI administrative interface and in the (2) view name parameter in the define custom views feature. NOTE: vector 2 is only exploitable by users with administer views permissions.
Published Jun 16, 2009 · Updated Sep 16, 2024
Unknown · CVSS Not scored
Unspecified vulnerability on Cisco Adaptive Security Appliances (ASA) 5580 series devices with software before 8.1(2) allows remote authenticated users to cause a denial of service (traceback) by establishing many IPsec L2L tunnels from remote peer IP addresses, aka Bug ID CSCso15583.
Published Jun 29, 2010 · Updated Sep 16, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in the FireStats plugin before 1.6.2-stable for WordPress allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
Published Jun 22, 2009 · Updated Sep 16, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in AD2000 free-sw leger (aka Web Conference Room Free) 1.6.4 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Published Jun 27, 2009 · Updated Sep 16, 2024
Unknown · CVSS Not scored
Buffer overflow on Cisco Adaptive Security Appliances (ASA) 5580 series devices with software before 8.1(2) allows remote attackers to have an unspecified impact via long IKE attributes, aka Bug ID CSCsu43121.
Published Jun 29, 2010 · Updated Sep 16, 2024