CVE-2009-5046: JSP Dump and Session Dump Servlet XSS in jetty before 6.1.22.
JSP Dump and Session Dump Servlet XSS in jetty before 6.1.22.
Published Nov 6, 2019 · Updated Aug 7, 2024
Browse CVE records published in November 2009, with severity, affected products, CWE, KEV, and source-backed vulnerability context.
Showing 50 of 324 matching CVEs · Page 2 of 7.
JSP Dump and Session Dump Servlet XSS in jetty before 6.1.22.
Published Nov 6, 2019 · Updated Aug 7, 2024
Dump Servlet information leak in jetty before 6.1.22.
Published Nov 6, 2019 · Updated Aug 7, 2024
Cookie Dump Servlet stored XSS vulnerability in jetty though 6.1.20.
Published Nov 6, 2019 · Updated Aug 7, 2024
Stack-based buffer overflow in Namazu before 2.0.20 allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a crafted request containing an empty uri field.
Published Nov 30, 2011 · Updated Aug 7, 2024
qpid-cpp 1.0 crashes when a large message is sent and the Digest-MD5 mechanism with a security layer is in use .
Published Nov 9, 2019 · Updated Aug 7, 2024
kl1.sys in Kaspersky Anti-Virus 2010 9.0.0.463, and possibly other versions before 9.0.0.736, does not properly validate input to IOCTL 0x0022c008, which allows local users to cause a denial of service (system crash) via IOCTL requests using crafted kernel addresses that trigger memory corruption, possibly related to klavemu.kdl.
Published Nov 30, 2009 · Updated Aug 7, 2024
Multiple cross-site scripting (XSS) vulnerabilities in Redmine 0.8.5 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Published Nov 25, 2009 · Updated Aug 7, 2024
PHP remote file inclusion vulnerability in class/php/d4m_ajax_pagenav.php in the D4J eZine (com_ezine) component 2.1 for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the GLOBALS[mosConfig_absolute_path parameter.
Published Nov 27, 2009 · Updated Aug 7, 2024
PHP remote file inclusion vulnerability in assets/plugins/mp3_id/mp3_id.php in PHP Traverser 0.8.0 allows remote attackers to execute arbitrary PHP code via a URL in the GLOBALS[BASE] parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Published Nov 27, 2009 · Updated Aug 7, 2024
Stack-based buffer overflow in the MplayInputFile function in Serenity Audio Player 3.2.3 and earlier allows remote attackers to execute arbitrary code via a long URL in an M3U file. NOTE: some of these details are obtained from third party information.
Published Nov 28, 2009 · Updated Aug 7, 2024
telepark.wiki 2.4.23 and earlier allows remote attackers to bypass authorization and (1) delete arbitrary pages via a modified pageID parameter to ajax/deletePage.php or (2) delete arbitrary comments via a modified pageID parameter to ajax/deleteComment.php.
Published Nov 27, 2009 · Updated Aug 7, 2024
Multiple cross-site scripting (XSS) vulnerabilities in e107 0.7.16 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors in (1) submitnews.php, (2) usersettings.php; and (3) newpost.php, (4) banlist.php, (5) banner.php, (6) cpage.php, (7) download.php, (8) users_extended.php, (9) frontpage.php, (10) links.php, and (11) mailout.php in e107_admin/. NOTE: this may overlap CVE-2004-2040 and CVE-2006-4794, but there are insufficient details to be certain.
Published Nov 27, 2009 · Updated Aug 7, 2024
Yoono extension before 6.1.1 for Firefox performs certain operations with chrome privileges, which allows user-assisted remote attackers to execute arbitrary commands and perform cross-domain scripting attacks via DOM event handlers such as onload.
Published Nov 28, 2009 · Updated Aug 7, 2024
Cross-site request forgery (CSRF) vulnerability in user.php in Simplog 0.9.3.2, and possibly earlier, allows remote attackers to hijack the authentication of administrators and users for requests that change passwords.
Published Nov 27, 2009 · Updated Aug 7, 2024
Multiple static code injection vulnerabilities in the Categories module in CutePHP CuteNews 1.4.6 allow remote authenticated users with application administrative privileges to inject arbitrary PHP code into data/category.db.php via the (1) category and (2) Icon URL fields; or (3) inject arbitrary PHP code into data/ipban.php via the add_ip parameter.
Published Nov 30, 2009 · Updated Aug 7, 2024
Buffer overflow in Invisible Browsing 5.0.52 allows user-assisted remote attackers to execute arbitrary code via a crafted .ibkey file containing a long string.
Published Nov 28, 2009 · Updated Aug 7, 2024
Multiple cross-site scripting (XSS) vulnerabilities in comments.php in Simplog 0.9.3.2, and possibly earlier, allow remote attackers to inject arbitrary web script or HTML via the (1) cname (Name) or (2) email parameters.
Published Nov 27, 2009 · Updated Aug 7, 2024
XM Easy Personal FTP Server 5.8.0 allows remote authenticated users to cause a denial of service (crash) by uploading or creating a large number of files or directories, then performing a LIST command.
Published Nov 28, 2009 · Updated Aug 7, 2024
Cross-site scripting (XSS) vulnerability in the search functionality in DotNetNuke 4.8 through 5.1.4 allows remote attackers to inject arbitrary web script or HTML via search terms that are not properly filtered before display in a custom results page.
Published Nov 28, 2009 · Updated Aug 7, 2024
Cacti 0.8.7e and earlier allows remote authenticated administrators to gain privileges by modifying the "Data Input Method" for the "Linux - Get Memory Usage" setting to contain arbitrary commands.
Published Nov 30, 2009 · Updated Aug 7, 2024
Unrestricted file upload vulnerability in admintools/editpage-2.php in Agoko CMS 0.4 and earlier allows remote attackers to inject and execute arbitrary PHP code via the filename and text parameters.
Published Nov 28, 2009 · Updated Aug 7, 2024
Argument injection vulnerability in Mail/sendmail.php in the Mail package 1.1.14, 1.2.0b2, and possibly other versions for PEAR allows remote attackers to read and write arbitrary files via a crafted $recipients parameter, and possibly other parameters, a different vulnerability than CVE-2009-4023.
Published Nov 28, 2009 · Updated Aug 7, 2024
Multiple directory traversal vulnerabilities in telepark.wiki 2.4.23 and earlier allow remote attackers to read arbitrary files via directory traversal sequences in the css parameter to (1) getjs.php and (2) getcsslocal.php; and include and execute arbitrary local files via the (3) group parameter to upload.php.
Published Nov 27, 2009 · Updated Aug 7, 2024
SQL injection vulnerability in the Google Calendar GCalendar (com_gcalendar) component 1.1.2, 2.1.4, and possibly earlier versions for Joomla! allows remote attackers to execute arbitrary SQL commands via the gcid parameter. NOTE: some of these details are obtained from third party information.
Published Nov 28, 2009 · Updated Aug 7, 2024
CRLF injection vulnerability in Xerver HTTP Server 4.31 and 4.32 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via certain byte sequences at the end of a URL. NOTE: some of these details are obtained from third party information.
Published Nov 27, 2009 · Updated Aug 7, 2024
Unrestricted file upload vulnerability in ajax/addComment.php in telepark.wiki 2.4.23 and earlier script allows remote attackers to execute arbitrary code by uploading a file with a name containing a NULL byte.
Published Nov 27, 2009 · Updated Aug 7, 2024
Unrestricted file upload vulnerability in banner-edit.php in OpenX adserver 2.8.1 and earlier allows remote authenticated users with banner / file upload permissions to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an images directory.
Published Nov 28, 2009 · Updated Aug 7, 2024
Multiple directory traversal vulnerabilities in CutePHP CuteNews 1.4.6, when magic_quotes_gpc is disabled, allow remote authenticated users with editor or administrative application access to read arbitrary files via a .. (dot dot) in the source parameter in a (1) list or (2) editnews action to the Editnews module, and (3) the save_con[skin] parameter in the Options module. NOTE: vector 3 can be leveraged for code execution by using a .. to include and execute arbitrary local files.
Published Nov 30, 2009 · Updated Aug 7, 2024
RADIO istek scripti 2.5 stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain user credentials via a direct request for estafresgaftesantusyan.inc.
Published Nov 28, 2009 · Updated Aug 7, 2024
Sage 1.4.3 and earlier extension for Firefox performs certain operations with chrome privileges, which allows remote attackers to execute arbitrary commands and perform cross-domain scripting attacks via the description tag of an RSS feed.
Published Nov 28, 2009 · Updated Aug 7, 2024
myPhile 1.2.1 allows remote attackers to bypass authentication via an empty password. NOTE: some of these details are obtained from third party information.
Published Nov 27, 2009 · Updated Aug 7, 2024
Static code injection vulnerability in the Categories module in CutePHP CuteNews 1.4.6 and UTF-8 CuteNews before 8b allows remote authenticated users with application administrative privileges to inject arbitrary PHP code into data/category.db.php via the Category Access field.
Published Nov 30, 2009 · Updated Aug 7, 2024
comments.php in Simplog 0.9.3.2, and possibly earlier, does not properly restrict access, which allows remote attackers to edit or delete comments via the (1) edit or (2) del action.
Published Nov 27, 2009 · Updated Aug 7, 2024
Cross-site scripting (XSS) vulnerability in index.php in telepark.wiki 2.4.23 and earlier allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO.
Published Nov 27, 2009 · Updated Aug 7, 2024
Untrusted search path vulnerability in dstat before r3199 allows local users to gain privileges via a Trojan horse Python module in the current working directory, a different vulnerability than CVE-2009-3894.
Published Nov 27, 2009 · Updated Aug 7, 2024
Unspecified vulnerability in the timeout mechanism in sshd in Sun Solaris 10, and OpenSolaris snv_99 through snv_123, allows remote attackers to cause a denial of service (daemon outage) via unknown vectors that trigger a "dangling sshd authentication thread."
Published Nov 25, 2009 · Updated Aug 7, 2024
The XSS Filter in Microsoft Internet Explorer 8 allows remote attackers to leverage the "response-changing mechanism" to conduct cross-site scripting (XSS) attacks against web sites that have no inherent XSS vulnerabilities, related to the details of output encoding and improper modification of an HTML attribute, aka "XSS Filter Script Handling Vulnerability."
Published Nov 25, 2009 · Updated Aug 7, 2024
PHP remote file inclusion vulnerability in forums/Forum_Include/index.php in Outreach Project Tool (OPT) 1.2.7 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the CRM_path parameter.
Published Nov 27, 2009 · Updated Aug 7, 2024
infoRSS 1.1.4.2 and earlier extension for Firefox performs certain operations with chrome privileges, which allows remote attackers to execute arbitrary commands and perform cross-domain scripting attacks via the description tag of an RSS feed.
Published Nov 28, 2009 · Updated Aug 7, 2024
TYPSoft FTP Server 1.10 allows remote authenticated users to cause a denial of service (crash) by sending an APPE (append) command immediately followed by a DELE (delete) command without sending file data in between these two commands.
Published Nov 28, 2009 · Updated Aug 7, 2024
SQL injection vulnerability in the search feature in e107 0.7.16 and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
Published Nov 27, 2009 · Updated Aug 7, 2024
Opera before 10.10, when exception stacktraces are enabled, places scripting error messages from a web site into variables that can be read by a different web site, which allows remote attackers to obtain sensitive information or conduct cross-site scripting (XSS) attacks via unspecified vectors.
Published Nov 24, 2009 · Updated Aug 7, 2024
The printing functionality in Microsoft Internet Explorer 8 allows remote attackers to discover a local pathname, and possibly a local username, by reading the dc:title element of a PDF document that was generated from a local web page.
Published Nov 24, 2009 · Updated Aug 7, 2024
Cross-site request forgery (CSRF) vulnerability in Redmine 0.8.5 and earlier allows remote attackers to hijack the authentication of users for requests that delete a ticket via unspecified vectors.
Published Nov 25, 2009 · Updated Aug 7, 2024
Unspecified vulnerability in Opera before 10.10 has unknown impact and attack vectors, related to a "moderately severe issue."
Published Nov 24, 2009 · Updated Aug 7, 2024
Cross-site scripting (XSS) vulnerability in the settings page in the Strongarm module 6.x before 6.x-1.1 for Drupal allows remote attackers to inject arbitrary web script or HTML via the value field when viewing overridden variables.
Published Nov 24, 2009 · Updated Aug 7, 2024
SQL injection vulnerability in the inertialFATE iF Portfolio Nexus (com_if_nexus) component 1.1 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in an item action to index.php.
Published Nov 24, 2009 · Updated Aug 7, 2024
SQL injection vulnerability in rating.php in New 5 star Rating 1.0 allows remote attackers to execute arbitrary SQL commands via the det parameter.
Published Nov 18, 2009 · Updated Aug 7, 2024
SQL injection vulnerability in allauctions.php in Telebid Auction Script allows remote attackers to execute arbitrary SQL commands via the aid parameter.
Published Nov 24, 2009 · Updated Aug 7, 2024
Multiple cross-site request forgery (CSRF) vulnerabilities in the "My Account" feature in PHPList Integration module 5 before 5.x-1.2 and 6 before 6.x-1.1 for Drupal allow remote attackers to hijack the authentication of arbitrary users via vectors related to (1) subscribing or (2) unsubscribing to mailing lists.
Published Nov 24, 2009 · Updated Aug 7, 2024