LiveActive security incident?Get immediate response
CVE archive

October 2009

Browse CVE records published in October 2009, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 374 matching CVEs · Page 3 of 8.

Unknown · CVSS Not scored

CVE-2009-3755: Multiple cross-site scripting (XSS) vulnerabilities in phpBMS 0.96 allow remote attackers to inject arbitra...

Multiple cross-site scripting (XSS) vulnerabilities in phpBMS 0.96 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) index.php and (2) modules\base\myaccount.php; and the PATH_INFO to (3) modules_view.php, (4) tabledefs_options.php, and (5) adminsettings.php in phpbms\modules\base\.

Published Oct 22, 2009 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2009-3707: VMware Authentication Daemon 1.0 in vmware-authd.exe in the VMware Authorization Service in VMware Workstat...

VMware Authentication Daemon 1.0 in vmware-authd.exe in the VMware Authorization Service in VMware Workstation 7.0 before 7.0.1 build 227600 and 6.5.x before 6.5.4 build 246459, VMware Player 3.0 before 3.0.1 build 227600 and 2.5.x before 2.5.4 build 246459, VMware ACE 2.6 before 2.6.1 build 227600 and 2.5.x before 2.5.4 build 246459, and VMware Server 2.x allows remote attackers to cause a denial of service (process crash) via a \x25\xFF sequence in the USER and PASS commands, related to a "format string DoS" issue. NOTE: some of these details are obtained from third party information.

Published Oct 16, 2009 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2009-3695: Algorithmic complexity vulnerability in the forms library in Django 1.0 before 1.0.4 and 1.1 before 1.1.1 a...

Algorithmic complexity vulnerability in the forms library in Django 1.0 before 1.0.4 and 1.1 before 1.1.1 allows remote attackers to cause a denial of service (CPU consumption) via a crafted (1) EmailField (email address) or (2) URLField (URL) that triggers a large amount of backtracking in a regular expression.

Published Oct 13, 2009 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2009-3757: Multiple cross-site scripting (XSS) vulnerabilities in sample code in the XenServer Resource Kit in Citrix...

Multiple cross-site scripting (XSS) vulnerabilities in sample code in the XenServer Resource Kit in Citrix XenCenterWeb allow remote attackers to inject arbitrary web script or HTML via the (1) username parameter to config/edituser.php; (2) location, (3) sessionid, and (4) vmname parameters to console.php; (5) vmrefid and (6) vmname parameters to forcerestart.php; and (7) vmname and (8) vmrefid parameters to forcesd.php. NOTE: some of these details are obtained from third party information.

Published Oct 22, 2009 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2009-3730: Multiple cross-site scripting (XSS) vulnerabilities in the ReqWeb Help feature (aka the Web Client Help sys...

Multiple cross-site scripting (XSS) vulnerabilities in the ReqWeb Help feature (aka the Web Client Help system) in IBM Rational RequisitePro 7.1.0 allow remote attackers to inject arbitrary web script or HTML via (1) the operation parameter to ReqWebHelp/advanced/workingSet.jsp, or the (2) searchWord, (3) maxHits, (4) scopedSearch, or (5) scope parameter to ReqWebHelp/basic/searchView.jsp.

Published Oct 20, 2009 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2009-3760: Static code injection vulnerability in config/writeconfig.php in the sample code in the XenServer Resource...

Static code injection vulnerability in config/writeconfig.php in the sample code in the XenServer Resource Kit in Citrix XenCenterWeb allows remote attackers to inject arbitrary PHP code into include/config.ini.php via the pool1 parameter. NOTE: some of these details are obtained from third party information.

Published Oct 22, 2009 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2009-3759: Multiple cross-site request forgery (CSRF) vulnerabilities in sample code in the XenServer Resource Kit in...

Multiple cross-site request forgery (CSRF) vulnerabilities in sample code in the XenServer Resource Kit in Citrix XenCenterWeb allow remote attackers to hijack the authentication of administrators for (1) requests that change the password via the username parameter to config/changepw.php or (2) stop a virtual machine via the stop_vmname parameter to hardstopvm.php. NOTE: some of these details are obtained from third party information.

Published Oct 22, 2009 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2009-3767: libraries/libldap/tls_o.c in OpenLDAP 2.2 and 2.4, and possibly other versions, when OpenSSL is used, does...

libraries/libldap/tls_o.c in OpenLDAP 2.2 and 2.4, and possibly other versions, when OpenSSL is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

Published Oct 23, 2009 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2009-3790: Heap-based buffer overflow in FormMax (formerly AcroForm) evaluation 3.5 allows remote attackers to cause a...

Heap-based buffer overflow in FormMax (formerly AcroForm) evaluation 3.5 allows remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted FormMax import (.aim) file. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Published Oct 26, 2009 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2009-3691: Multiple integer overflows in setnet32.exe 3.50.0.13752 in IBM Informix Client SDK 3.0 and 3.50 and Informi...

Multiple integer overflows in setnet32.exe 3.50.0.13752 in IBM Informix Client SDK 3.0 and 3.50 and Informix Connect Runtime 3.x allow remote attackers to execute arbitrary code via a .nfx file with a crafted (1) HostSize, and possibly (2) ProtoSize and (3) ServerSize, field that triggers a stack-based buffer overflow involving a crafted HostList field. NOTE: some of these details are obtained from third party information.

Published Oct 13, 2009 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2009-3748: Multiple cross-site scripting (XSS) vulnerabilities in the Web Administrator in Websense Personal Email Man...

Multiple cross-site scripting (XSS) vulnerabilities in the Web Administrator in Websense Personal Email Manager 7.1 before Hotfix 4 and Email Security 7.1 before Hotfix 4 allow remote attackers to inject arbitrary web script or HTML via the (1) FileName, (2) IsolatedMessageID, (3) ServerName, (4) Dictionary, (5) Scoring, and (6) MessagePart parameters to web/msgList/viewmsg/actions/msgAnalyse.asp; the (7) Queue, (8) FileName, (9) IsolatedMessageID, and (10) ServerName parameters to actions/msgForwardToRiskFilter.asp and viewHeaders.asp in web/msgList/viewmsg/; and (11) the subject in an e-mail message that is held in a Queue.

Published Oct 22, 2009 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2009-3660: PHP remote file inclusion vulnerability in libraries/database.php in Efront 3.5.4 and earlier, when registe...

PHP remote file inclusion vulnerability in libraries/database.php in Efront 3.5.4 and earlier, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the path parameter. NOTE: this is only a vulnerability when the administrator does not follow recommendations in the product's security documentation.

Published Oct 11, 2009 · Updated Aug 7, 2024