Critical · CVSS 9.8
Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, and 1.4.2_25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the March 2010 CPU. Oracle has not commented on claims from a reliable researcher that this is related to improper checks when executing privileged methods in the Java Runtime Environment (JRE), which allows attackers to execute arbitrary code via (1) an untrusted object that extends the trusted class but has not modified a certain method, or (2) "a similar trust issue with interfaces," aka "Trusted Methods Chaining Remote Code Execution Vulnerability."
Published Apr 1, 2010 · Updated Oct 22, 2025
Medium · CVSS 5.3 · CISA KEV
The JMX-Console web application in JBossAs in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 performs access control only for the GET and POST methods, which allows remote attackers to send requests to this application's GET handler by using a different method.
Published Apr 28, 2010 · Updated Oct 22, 2025
High · CVSS 7.5 · CISA KEV
The Web Console (aka web-console) in JBossAs in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 performs access control only for the GET and POST methods, which allows remote attackers to obtain sensitive information via an unspecified request that uses a different method.
Published Apr 28, 2010 · Updated Oct 22, 2025
Medium · CVSS 5.5
The kernel in Microsoft Windows Vista Gold, SP1, and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 does not properly translate a registry key's virtual path to its real path, which allows local users to cause a denial of service (reboot) via a crafted application, aka "Windows Virtual Path Parsing Vulnerability."
Published Apr 14, 2010 · Updated Jan 21, 2025
Unknown · CVSS Not scored
The kernel in Microsoft Windows Vista Gold, SP1, and SP2, and Windows Server 2008 Gold and SP2, does not properly handle unspecified exceptions, which allows local users to cause a denial of service (reboot) via a crafted application, aka "Windows Kernel Exception Handler Vulnerability."
Published Apr 14, 2010 · Updated Oct 17, 2024
Unknown · CVSS Not scored
Multiple cross-site scripting (XSS) vulnerabilities in _invoice.asp in CactuShop before 6.155 allow remote attackers to inject arbitrary web script or HTML via the (1) billing address or (2) shipping address.
Published Apr 22, 2010 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in shopsessionsubs.asp in Rocksalt International VP-ASP Shopping Cart 6.50 and earlier might allow remote attackers to inject arbitrary web script or HTML via the client's DNS hostname (aka the REMOTE_HOST variable), related to the CookielessGenerateFilename and CookielessReadFile functions.
Published Apr 28, 2010 · Updated Sep 17, 2024
Unknown · CVSS Not scored
micro_httpd on the RCA DCM425 cable modem allows remote attackers to cause a denial of service (device reboot) via a long string to TCP port 80.
Published Apr 26, 2010 · Updated Sep 17, 2024
Unknown · CVSS Not scored
oxf/xml/xerces/XercesSAXParserFactoryImpl.java in the xforms-server component in the XForms service in Orbeon Forms before 3.9 does not properly restrict DTDs in Ajax requests, which allows remote attackers to read arbitrary files or send HTTP requests to intranet servers via an entity declaration in conjunction with an entity reference, related to an "XML injection" issue.
Published Apr 27, 2011 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Multiple cross-site scripting (XSS) vulnerabilities in the Internationalization module 6.x before 6.x-1.4 for Drupal allow remote authenticated users, with translate interface or administer blocks privileges, to inject arbitrary web script or HTML via (1) strings used in block translation or (2) the untranslated input.
Published Apr 26, 2010 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Stack-based buffer overflow in the AgentX::receive_agentx function in AgentX++ 1.4.16, as used in RealNetworks Helix Server and Helix Mobile Server 11.x through 13.x and other products, allows remote attackers to execute arbitrary code via unspecified vectors.
Published Apr 20, 2010 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability on the TANDBERG Video Communication Server (VCS) before X5.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka Reference ID 66316.
Published Apr 13, 2010 · Updated Sep 17, 2024
Unknown · CVSS Not scored
sandra.sys 15.18.1.1 and earlier in the Sandra Device Driver in SiSoftware Sandra 16.10.2010.1 and earlier allows local users to gain privileges or cause a denial of service (system crash) via unspecified vectors involving "Model-Specific Registers."
Published Apr 28, 2010 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Multiple cross-site scripting (XSS) vulnerabilities in fetchmailprefs.php in Horde IMP before 4.3.8, and Horde Groupware Webmail Edition before 1.2.7, allow remote attackers to inject arbitrary web script or HTML via the (1) username (aka fmusername), (2) password (aka fmpassword), or (3) server (aka fmserver) field in a fetchmail_prefs_save action, related to the Fetchmail configuration, a different issue than CVE-2010-3695. NOTE: some of these details are obtained from third party information.
Published Apr 1, 2011 · Updated Sep 17, 2024
Unknown · CVSS Not scored
PHP remote file inclusion vulnerability in MediaWikiParserTest.php in MediaWiki 1.16 beta, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via unspecified vectors.
Published Apr 27, 2011 · Updated Sep 17, 2024
Unknown · CVSS Not scored
F-Secure Internet Security 2010 and earlier; Anti-Virus for Microsoft Exchange 9 and earlier, and for MIMEsweeper 5.61 and earlier; Internet Gatekeeper for Windows 6.61 and earlier, and for Linux 4.02 and earlier; Anti-Virus 2010 and earlier; Home Server Security 2009; Protection Service for Consumers 9 and earlier, for Business - Workstation security 9 and earlier, for Business - Server Security 8 and earlier, and for E-mail and Server security 9 and earlier; Mac Protection build 8060 and earlier; Client Security 9 and earlier; and various Anti-Virus products for Windows, Linux, and Citrix; does not properly detect malware in crafted (1) 7Z, (2) GZIP, (3) CAB, or (4) RAR archives, which makes it easier for remote attackers to avoid detection.
Published Apr 15, 2010 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in lib/includes/auth.inc.php in the WPtouch plugin 1.9.19.4 and 1.9.20 for WordPress allows remote attackers to inject arbitrary web script or HTML via the wptouch_settings parameter to include/adsense-new.php. NOTE: some of these details are obtained from third party information.
Published Apr 7, 2011 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Multiple stack-based buffer overflows in Tembria Server Monitor before 5.6.1 allow remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a crafted (1) GET, (2) PUT, or (3) HEAD request, as demonstrated by a malformed GET request containing a long PATH_INFO to index.asp.
Published Apr 14, 2010 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Unrestricted file upload vulnerability in Pulse CMS Basic 1.2.4 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension followed by a safe extension, then accessing it via a direct request to the file in an unspecified directory, a different vulnerability than CVE-2010-0993.
Published Apr 9, 2010 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in the Own Term module 6.x-1.0 for Drupal allows remote authenticated users, with "create additional terms" privileges, to inject arbitrary web script or HTML via the term description field in a term listing page.
Published Apr 13, 2010 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in the Bibliography (Biblio) module 5.x through 5.x-1.17 and 6.x through 6.x-1.9 for Drupal allows remote authenticated users, with "administer biblio" privileges, to inject arbitrary web script or HTML via unspecified vectors.
Published Apr 13, 2010 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Unspecified vulnerability on the TANDBERG Video Communication Server (VCS) before X5.0 allows remote attackers to execute arbitrary code via unknown vectors, aka Reference ID 69773.
Published Apr 13, 2010 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Unspecified vulnerability in HP System Insight Manager before 6.0 allows remote authenticated users to gain privileges via unknown vectors.
Published Apr 28, 2010 · Updated Sep 17, 2024
Unknown · CVSS Not scored
PHP remote file inclusion vulnerability in the autoloader in TYPO3 4.3.x before 4.3.3 allows remote attackers to execute arbitrary PHP code via a URL in an input field associated with the className variable.
Published Apr 20, 2010 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Unspecified vulnerability in HP Insight Control for Linux (aka IC-Linux or ICE-LX) 2.11 and earlier allows local users to gain privileges via unknown vectors.
Published Apr 1, 2010 · Updated Sep 17, 2024
Unknown · CVSS Not scored
IBM Tivoli Directory Server (TDS) 6.0 before 6.0.0.63 (aka 6.0.0.8-TIV-ITDS-IF0005) allows remote authenticated users to cause a denial of service (daemon crash or hang) via a paged search, as demonstrated by a certain idsldapsearch command, related to an improper ibm-slapdIdleTimeOut configuration setting.
Published Apr 21, 2011 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in ts_other.php in the Teamsite Hack plugin 3.0 and earlier for WoltLab Burning Board allows remote attackers to inject arbitrary web script or HTML via the userid parameter in a modboard action, which is not properly handled in a forced SQL error message. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Published Apr 9, 2010 · Updated Sep 17, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in the SermonSpeaker (com_sermonspeaker) component before 3.2.1 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a speakerpopup action to index.php. NOTE: some of these details are obtained from third party information.
Published Apr 27, 2010 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Cross-site request forgery (CSRF) vulnerability in HP System Insight Manager before 6.0 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
Published Apr 28, 2010 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Stack-based buffer overflow in RealNetworks Helix Server 12.x, 13.x, and 14.x before 14.2, and Helix Mobile Server 12.x, 13.x, and 14.x before 14.2, allows remote attackers to execute arbitrary code via a long string in an RTSP request.
Published Apr 1, 2011 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Directory traversal vulnerability in view.php in Pulse CMS 1.2.2 allows remote attackers to read arbitrary files via directory traversal sequences in the f parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Published Apr 6, 2010 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Heap-based buffer overflow in the NTLM authentication functionality in RealNetworks Helix Server and Helix Mobile Server 11.x, 12.x, and 13.x allows remote attackers to have an unspecified impact via invalid base64-encoded data.
Published Apr 20, 2010 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Use-after-free vulnerability in the proxy-server implementation in IBM Tivoli Directory Server (TDS) 6.0 before 6.0.0.65 (aka 6.0.0.8-TIV-ITDS-IF0007) and 6.3 before 6.3.0.1 (aka 6.3.0.0-TIV-ITDS-IF0001) allows remote authenticated users to cause a denial of service (daemon crash) via a paged search that is interrupted by an LDAP Unbind operation.
Published Apr 21, 2011 · Updated Sep 16, 2024
Unknown · CVSS Not scored
The proc_oom_score function in fs/proc/base.c in the Linux kernel before 2.6.34-rc4 uses inappropriate data structures during selection of a candidate for the OOM killer, which might allow local users to cause a denial of service via unspecified patterns of task creation.
Published Apr 20, 2010 · Updated Sep 16, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in detailad.asp in Pre Classified Listings ASP allows remote attackers to execute arbitrary SQL commands via the siteid parameter.
Published Apr 13, 2010 · Updated Sep 16, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in the RokModule (com_rokmodule) component 1.1 for Joomla! allows remote attackers to execute arbitrary SQL commands via the module parameter to index.php. NOTE: some of these details are obtained from third party information.
Published Apr 19, 2010 · Updated Sep 16, 2024
Unknown · CVSS Not scored
Emweb Wt before 3.1.1 does not validate the UTF-8 encoding of (1) form values and (2) JSignal arguments, which has unspecified impact and remote attack vectors.
Published Apr 6, 2010 · Updated Sep 16, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in signup.asp in Pre Classified Listings ASP allows remote attackers to inject arbitrary web script or HTML via the address parameter.
Published Apr 13, 2010 · Updated Sep 16, 2024
Unknown · CVSS Not scored
Multiple cross-site scripting (XSS) vulnerabilities in the Apache Open For Business Project (aka OFBiz) 09.04 and earlier, as used in Opentaps, Neogia, and Entente Oya, allow remote attackers to inject arbitrary web script or HTML via (1) the productStoreId parameter to control/exportProductListing, (2) the partyId parameter to partymgr/control/viewprofile (aka partymgr/control/login), (3) the start parameter to myportal/control/showPortalPage, (4) an invalid URI beginning with /facility/control/ReceiveReturn (aka /crmsfa/control/ReceiveReturn or /cms/control/ReceiveReturn), (5) the contentId parameter (aka the entityName variable) to ecommerce/control/ViewBlogArticle, (6) the entityName parameter to webtools/control/FindGeneric, or the (7) subject or (8) content parameter to an unspecified component under ecommerce/control/contactus.
Published Apr 15, 2010 · Updated Sep 16, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in lib/user.php in mahara 1.0.4 allows remote attackers to execute arbitrary SQL commands via a username.
Published Apr 7, 2010 · Updated Sep 16, 2024
Unknown · CVSS Not scored
IBM Tivoli Directory Server (TDS) 6.0 before 6.0.0.63 (aka 6.0.0.8-TIV-ITDS-IF0005) allows remote authenticated users to cause a denial of service (daemon hang) via a paged search that triggers improper mutex processing.
Published Apr 21, 2011 · Updated Sep 16, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in the AddThis Button module 5.x before 5.x-2.2 and 6.x before 6.x-2.9 for Drupal allows remote authenticated users, with administer addthis privileges, to inject arbitrary web script or HTML via unspecified vectors.
Published Apr 26, 2010 · Updated Sep 16, 2024
Unknown · CVSS Not scored
Integer overflow in the AgentX::receive_agentx function in AgentX++ 1.4.16, as used in RealNetworks Helix Server and Helix Mobile Server 11.x through 13.x and other products, allows remote attackers to execute arbitrary code via a request with a crafted payload length.
Published Apr 20, 2010 · Updated Sep 16, 2024
Unknown · CVSS Not scored
The do_extendedOp function in ibmslapd in IBM Tivoli Directory Server (TDS) 6.0 before 6.0.0.62 (aka 6.0.0.8-TIV-ITDS-IF0004) on Linux, Solaris, and Windows allows remote authenticated users to cause a denial of service (ABEND) via a malformed LDAP extended operation that triggers certain comparisons involving the NULL operation OID.
Published Apr 21, 2011 · Updated Sep 16, 2024
Unknown · CVSS Not scored
Format string vulnerability in RealNetworks Helix Server 12.x, 13.x, and 14.x before 14.2, and Helix Mobile Server 12.x, 13.x, and 14.x before 14.2, allows remote attackers to execute arbitrary code via vectors related to the x-wap-profile HTTP header.
Published Apr 1, 2011 · Updated Sep 16, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in bluegate_seo.inc.php in the Direct URL module for xt:Commerce, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the coID parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Published Apr 13, 2010 · Updated Sep 16, 2024
Unknown · CVSS Not scored
Unspecified vulnerability in JustSystems Ichitaro and Ichitaro Government 2006 through 2010 allows user-assisted remote attackers to execute arbitrary code via a crafted font file.
Published Apr 15, 2010 · Updated Sep 16, 2024
Unknown · CVSS Not scored
Multiple cross-site scripting (XSS) vulnerabilities in admin/admin_login.php in Uiga Fan Club, as downloaded on 20100310, allow remote attackers to inject arbitrary web script or HTML via the (1) admin_name and (2) admin_password parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Published Apr 13, 2010 · Updated Sep 16, 2024
Unknown · CVSS Not scored
Multiple cross-site scripting (XSS) vulnerabilities in DFD Cart 1.198, 1.197, and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) category and (2) list_quantity parameters to index.php, and the (3) category parameter to your.order.php.
Published Apr 26, 2010 · Updated Sep 16, 2024
Unknown · CVSS Not scored
Multiple cross-site scripting (XSS) vulnerabilities in BBSXP 2008 SP2 allow remote attackers to inject arbitrary web script or HTML via the URI in a request to (1) AddPost.asp, (2) AddTopic.asp, (3) Admin_Default.asp, (4) Bank.asp, (5) Manage.asp, and (6) ShowPost.asp. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Published Apr 6, 2010 · Updated Sep 16, 2024