LiveActive security incident?Get immediate response
CVE archive

December 2009

Browse CVE records published in December 2009, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 449 matching CVEs · Page 1 of 9.

High · CVSS 7.8 · CISA KEV

CVE-2009-4324: Use-after-free vulnerability in the Doc.media.newPlayer method in Multimedia.api in Adobe Reader and Acroba...

Use-after-free vulnerability in the Doc.media.newPlayer method in Multimedia.api in Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, allows remote attackers to execute arbitrary code via a crafted PDF file using ZLib compressed streams, as exploited in the wild in December 2009.

Published Dec 15, 2009 · Updated Oct 22, 2025

Unknown · CVSS Not scored

CVE-2009-2631: Clientless SSL VPN products break web browser domain-based security models

Multiple clientless SSL VPN products that run in web browsers, including Stonesoft StoneGate; Cisco ASA; SonicWALL E-Class SSL VPN and SonicWALL SSL VPN; SafeNet SecureWire Access Gateway; Juniper Networks Secure Access; Nortel CallPilot; Citrix Access Gateway; and other products, when running in configurations that do not restrict access to the same domain as the VPN, retrieve the content of remote URLs from one domain and rewrite them so they originate from the VPN's domain, which violates the same origin policy and allows remote attackers to conduct cross-site scripting attacks, read cookies that originated from other domains, access the Web VPN session to gain access to internal resources, perform key logging, and conduct other attacks. NOTE: it could be argued that this is a fundamental design problem in any clientless VPN solution, as opposed to a commonly-introduced error that can be fixed in separate implementations. Therefore a single CVE has been assigned for all products that have this design

Published Dec 4, 2009 · Updated Jun 16, 2025

High · CVSS 8.1

CVE-2009-3671: Microsoft Internet Explorer 8 does not properly handle objects in memory, which allows remote attackers to...

Microsoft Internet Explorer 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, leading to memory corruption, aka "Uninitialized Memory Corruption Vulnerability," a different vulnerability than CVE-2009-3674.

Published Dec 9, 2009 · Updated Oct 21, 2024

Unknown · CVSS Not scored

CVE-2009-1797: Multiple cross-site request forgery (CSRF) vulnerabilities on the Network Management Card (NMC) on American...

Multiple cross-site request forgery (CSRF) vulnerabilities on the Network Management Card (NMC) on American Power Conversion (APC) Switched Rack PDU (aka Rack Mount Power Distribution) devices and other devices allow remote attackers to hijack the authentication of (1) administrator or (2) device users for requests that create new administrative users or have unspecified other impact.

Published Dec 28, 2009 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2009-1798: Multiple cross-site scripting (XSS) vulnerabilities on the Network Management Card (NMC) on American Power...

Multiple cross-site scripting (XSS) vulnerabilities on the Network Management Card (NMC) on American Power Conversion (APC) Switched Rack PDU (aka Rack Mount Power Distribution) devices and other devices allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: the login_username vector for Forms/login1 is already covered by CVE-2009-4406.

Published Dec 28, 2009 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2009-4374: Directory traversal vulnerability in repository/repository_attachment.php in AlienVault Open Source Securit...

Directory traversal vulnerability in repository/repository_attachment.php in AlienVault Open Source Security Information Management (OSSIM) 2.1.5, and possibly other versions before 2.1.5-4, allows remote attackers to upload files into arbitrary directories via a .. (dot dot) in the id_document parameter.

Published Dec 21, 2009 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2009-4191: Unspecified vulnerability in the kernel in Sun Solaris 10 and OpenSolaris 2009.06 on the x86-64 platform al...

Unspecified vulnerability in the kernel in Sun Solaris 10 and OpenSolaris 2009.06 on the x86-64 platform allows local users to gain privileges via unknown vectors, as demonstrated by the vd_sol_local module in VulnDisco Pack Professional 8.12. NOTE: as of 20091203, this disclosure has no actionable information. However, because the VulnDisco Pack author is a reliable researcher, the issue is being assigned a CVE identifier for tracking purposes.

Published Dec 3, 2009 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2009-4363: Text_Filter/lib/Horde/Text/Filter/Xss.php in Horde Application Framework before 3.3.6, Horde Groupware befo...

Text_Filter/lib/Horde/Text/Filter/Xss.php in Horde Application Framework before 3.3.6, Horde Groupware before 1.2.5, and Horde Groupware Webmail Edition before 1.2.5 does not properly handle data: URIs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via data:text/html values for the HREF attribute of an A element in an HTML e-mail message. NOTE: the vendor states that the issue is caused by "an XSS vulnerability in Firefox browsers."

Published Dec 21, 2009 · Updated Sep 17, 2024