LiveActive security incident?Get immediate response
CVE archive

December 2009

Browse CVE records published in December 2009, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 449 matching CVEs · Page 2 of 9.

Unknown · CVSS Not scored

CVE-2009-4323: The installation for Zen Cart stores sensitive information and insecure programs under the (1) docs, (2) ex...

The installation for Zen Cart stores sensitive information and insecure programs under the (1) docs, (2) extras, and (3) zc_install folders, and (4) install.txt, which allows remote attackers to obtain sensitive information, delete the database, and conduct other attacks via a direct request, different vulnerabilities than CVE-2009-4321 and CVE-2009-4322.

Published Dec 14, 2009 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2009-4190: Unspecified vulnerability in the kernel in Sun OpenSolaris 2009.06 allows remote attackers to cause a denia...

Unspecified vulnerability in the kernel in Sun OpenSolaris 2009.06 allows remote attackers to cause a denial of service (panic) via unknown vectors, as demonstrated by the vd_solaris2 module in VulnDisco Pack Professional 8.12. NOTE: as of 20091203, this disclosure has no actionable information. However, because the VulnDisco Pack author is a reliable researcher, the issue is being assigned a CVE identifier for tracking purposes.

Published Dec 3, 2009 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2009-4483: Unspecified vulnerability in LDAP3A.exe in MailSite 8.0.4 allows remote attackers to cause a denial of serv...

Unspecified vulnerability in LDAP3A.exe in MailSite 8.0.4 allows remote attackers to cause a denial of service (daemon crash) via unknown vectors, as demonstrated by a certain module in VulnDisco Pack Professional 7.13 through 8.11. NOTE: as of 20091229, this disclosure has no actionable information. However, because the VulnDisco Pack author is a reliable researcher, the issue is being assigned a CVE identifier for tracking purposes.

Published Dec 30, 2009 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2009-4502: The NET_TCP_LISTEN function in net.c in Zabbix Agent before 1.6.7, when running on FreeBSD or Solaris, allo...

The NET_TCP_LISTEN function in net.c in Zabbix Agent before 1.6.7, when running on FreeBSD or Solaris, allows remote attackers to bypass the EnableRemoteCommands setting and execute arbitrary commands via shell metacharacters in the argument to net.tcp.listen. NOTE: this attack is limited to attacks from trusted IP addresses.

Published Dec 31, 2009 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2009-2626: The zend_restore_ini_entry_cb function in zend_ini.c in PHP 5.3.0, 5.2.10, and earlier versions allows cont...

The zend_restore_ini_entry_cb function in zend_ini.c in PHP 5.3.0, 5.2.10, and earlier versions allows context-specific attackers to obtain sensitive information (memory contents) and cause a PHP crash by using the ini_set function to declare a variable, then using the ini_restore function to restore the variable.

Published Dec 1, 2009 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2009-4232: The Kide Shoutbox (com_kide) component 0.4.6 for Joomla!

The Kide Shoutbox (com_kide) component 0.4.6 for Joomla! does not properly perform authentication, which allows remote attackers to post messages with an arbitrary account name via an insertar action to index.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Published Dec 8, 2009 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2009-4350: SQL injection vulnerability in index.php in Arctic Issue Tracker 2.1.1 allows remote attackers to execute a...

SQL injection vulnerability in index.php in Arctic Issue Tracker 2.1.1 allows remote attackers to execute arbitrary SQL commands via the (1) matchings[id] or (2) matchings[title] parameters in a Login action to an unspecified program, or (3) the matchings[id] parameter in a search action to index.php, a different vector than CVE-2008-3250. NOTE: some of these details are obtained from third party information.

Published Dec 17, 2009 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2009-4476: Stack-based buffer overflow in HAURI ViRobot Desktop 5.5 before 2009-09-28.00 allows remote attackers to ex...

Stack-based buffer overflow in HAURI ViRobot Desktop 5.5 before 2009-09-28.00 allows remote attackers to execute arbitrary code via unspecified vectors, as demonstrated by a certain module in VulnDisco Pack Professional 7.15 through 8.11. NOTE: some of these details are obtained from third party information.

Published Dec 30, 2009 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2009-4230: Multiple stack-based buffer overflows in src/Task.cc in the FastCGI program in IIPImage Server before 0.9.8...

Multiple stack-based buffer overflows in src/Task.cc in the FastCGI program in IIPImage Server before 0.9.8 might allow remote attackers to execute arbitrary code via vectors associated with crafted arguments to the (1) RGN::run, (2) JTLS::run, or (3) SHD::run function. NOTE: some of these details are obtained from third party information.

Published Dec 8, 2009 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2009-4189: HP Operations Manager has a default password of OvW*busr1 for the ovwebusr account, which allows remote att...

HP Operations Manager has a default password of OvW*busr1 for the ovwebusr account, which allows remote attackers to execute arbitrary code via a session that uses the manager role to conduct unrestricted file upload attacks against the /manager servlet in the Tomcat servlet container. NOTE: this might overlap CVE-2009-3099 and CVE-2009-3843.

Published Dec 3, 2009 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2009-4479: LDAP3A.exe in MailSite 8.0.4 allows remote attackers to cause a denial of service (heap memory corruption a...

LDAP3A.exe in MailSite 8.0.4 allows remote attackers to cause a denial of service (heap memory corruption and daemon crash) via unspecified vectors, as demonstrated by a certain module in VulnDisco Pack Professional 7.13 through 8.11. NOTE: as of 20091229, this disclosure has no actionable information. However, because the VulnDisco Pack author is a reliable researcher, the issue is being assigned a CVE identifier for tracking purposes.

Published Dec 30, 2009 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2009-4137: The loadContentFromCookie function in core/Cookie.php in Piwik before 0.5 does not validate strings obtaine...

The loadContentFromCookie function in core/Cookie.php in Piwik before 0.5 does not validate strings obtained from cookies before calling the unserialize function, which allows remote attackers to execute arbitrary code or upload arbitrary files via vectors related to the __destruct function in the Piwik_Config class; php://filter URIs; the __destruct functions in Zend Framework, as demonstrated by the Zend_Log destructor; the shutdown functions in Zend Framework, as demonstrated by the Zend_Log_Writer_Mail class; the render function in the Piwik_View class; Smarty templates; and the _eval function in Smarty.

Published Dec 24, 2009 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2009-4127: Unspecified vulnerability in Wikipedia Toolbar extension before 0.5.9.2 for Firefox allows user-assisted re...

Unspecified vulnerability in Wikipedia Toolbar extension before 0.5.9.2 for Firefox allows user-assisted remote attackers to execute arbitrary JavaScript with Chrome privileges via vectors involving unspecified Toolbar buttons and the eval function. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Published Dec 2, 2009 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2009-4482: Buffer overflow in MediaServer.exe in TVersity 1.6 allows remote attackers to execute arbitrary code via un...

Buffer overflow in MediaServer.exe in TVersity 1.6 allows remote attackers to execute arbitrary code via unspecified vectors, as demonstrated by the vd_tversity module in VulnDisco Pack Professional 8.11. NOTE: as of 20091229, this disclosure has no actionable information. However, because the VulnDisco Pack author is a reliable researcher, the issue is being assigned a CVE identifier for tracking purposes.

Published Dec 30, 2009 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2009-4302: login/index_form.html in Moodle 1.8 before 1.8.11 and 1.9 before 1.9.7 links to an index page on the HTTP p...

login/index_form.html in Moodle 1.8 before 1.8.11 and 1.9 before 1.9.7 links to an index page on the HTTP port even when the page is served from an HTTPS port, which might cause login credentials to be sent in cleartext, even when SSL is intended, and allows remote attackers to obtain these credentials by sniffing.

Published Dec 16, 2009 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2009-4326: The RAND scalar function in the Common Code Infrastructure component in IBM DB2 9.5 before FP5 and 9.7 befo...

The RAND scalar function in the Common Code Infrastructure component in IBM DB2 9.5 before FP5 and 9.7 before FP1, when the Database Partitioning Feature (DPF) is used, produces "repeating" return values, which might allow attackers to defeat protection mechanisms based on randomization by predicting a value.

Published Dec 16, 2009 · Updated Sep 16, 2024