| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2008-2041 |
94 |
|
|
2008-04-30 |
2017-08-08 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
Multiple unspecified vulnerabilities in eGroupWare before 1.4.004 have unspecified attack vectors and "grave" impact when the web server has write access to a directory under the web document root. |
|
2 |
CVE-2008-2040 |
119 |
|
DoS Exec Code Overflow |
2008-04-30 |
2017-08-08 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Stack-based buffer overflow in the HTTP::getAuthUserPass function (core/common/http.cpp) in Peercast 0.1218 and gnome-peercast allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a Basic Authentication string with a long (1) username or (2) password. |
|
3 |
CVE-2008-2036 |
89 |
|
Exec Code Sql |
2008-04-30 |
2018-10-11 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in index.php in dream4 Koobi Pro 6.25 allows remote attackers to execute arbitrary SQL commands via the poll_id parameter in a poll action. |
|
4 |
CVE-2008-2034 |
89 |
|
Exec Code Sql |
2008-04-30 |
2017-08-08 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in wp-download_monitor/download.php in the Download Monitor 2.0.6 plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. |
|
5 |
CVE-2008-2023 |
89 |
|
Exec Code Sql |
2008-04-30 |
2017-09-29 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Multiple SQL injection vulnerabilities in PD9 Software MegaBBS 2.2 allow remote attackers to execute arbitrary SQL commands via the (1) invisible and (2) timeoffset parameters to profile/controlpanel.asp and the (3) attachmentid parameter to forums/attach-file.asp. |
|
6 |
CVE-2008-2021 |
119 |
|
Exec Code Overflow |
2008-04-30 |
2017-08-08 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Heap-based buffer overflow in Lhaplus before 1.57 allows remote attackers to execute arbitrary code via a long comment field in a ZOO archive. |
|
7 |
CVE-2008-2019 |
264 |
|
|
2008-04-30 |
2018-10-11 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Simple Machines Forum (SMF), probably 1.1.4, relies on "randomly generated static" to hinder brute-force attacks on the WAV file (aka audio) CAPTCHA, which allows remote attackers to pass the CAPTCHA test via an automated attack that considers Hamming distances. NOTE: this issue reportedly exists because of an insufficient fix for CVE-2007-3308. |
|
8 |
CVE-2008-2017 |
22 |
|
Dir. Trav. |
2008-04-30 |
2018-10-11 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Directory traversal vulnerability in Chilek Content Management System (aka ChiCoMaS) 2.0.4 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the operation parameter to the default URI under install/. |
|
9 |
CVE-2008-2016 |
94 |
|
Exec Code Dir. Trav. File Inclusion |
2008-04-30 |
2018-10-11 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
PHP remote file inclusion vulnerability in Chilek Content Management System (aka ChiCoMaS) 2.0.4 allows remote attackers to execute arbitrary PHP code via a URL in the lang parameter to the default URI under install/. NOTE: this can also be leveraged to include and execute arbitrary local files via directory traversal sequences. |
|
10 |
CVE-2008-2015 |
22 |
|
Exec Code Dir. Trav. |
2008-04-30 |
2017-09-29 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
Multiple absolute path traversal vulnerabilities in certain ActiveX controls in WatchFire AppScan 7.0 allow remote attackers to create or overwrite arbitrary files via a full pathname in the argument to the (1) CompactSave and (2) SaveSession method in one control, and the (3) saveRecordedExploreToFile method in a different control. NOTE: this can be leveraged for code execution by writing to a Startup folder. |
|
11 |
CVE-2008-2012 |
89 |
|
Exec Code Sql |
2008-04-30 |
2017-09-29 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in index.php in the PostSchedule 1.0 module for PostNuke allows remote attackers to execute arbitrary SQL commands via the eid parameter in an event action. |
|
12 |
CVE-2008-2010 |
|
|
Exec Code |
2008-04-30 |
2018-10-30 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
Unspecified vulnerability in Apple QuickTime Player on Windows XP SP2 and Vista SP1 allows remote attackers to execute arbitrary code via a crafted QuickTime media file. NOTE: as of 20080429, the only disclosure is a vague pre-advisory with no actionable information. However, because it is from a well-known researcher, it is being assigned a CVE identifier for tracking purposes. |
|
13 |
CVE-2008-2008 |
119 |
|
DoS Exec Code Overflow |
2008-04-29 |
2018-10-11 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
Buffer overflow in the Display Names message feature in Cerulean Studios Trillian Basic and Pro 3.1.9.0 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a long nickname in an MSN protocol message. |
|
14 |
CVE-2008-2003 |
264 |
|
DoS Exec Code |
2008-04-28 |
2018-10-11 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
BadBlue 2.72 Personal Edition stores multiple programs in the web document root with insufficient access control, which allows remote attackers to (1) cause a denial of service via multiple invocations of uninst.exe, and have an unknown impact via (2) badblue.exe and (3) dyndns.exe. NOTE: this can be leveraged for arbitrary remote code execution in conjunction with CVE-2007-6378. |
|
15 |
CVE-2008-2002 |
352 |
|
DoS CSRF |
2008-04-28 |
2018-10-11 |
7.8 |
None |
Remote |
Medium |
Not required |
None |
Partial |
Complete |
|
Multiple cross-site request forgery (CSRF) vulnerabilities on Motorola Surfboard with software SB5100-2.3.3.0-SCM00-NOSH allow remote attackers to (1) cause a denial of service (device reboot) via the "Restart Cable Modem" value in the BUTTON_INPUT parameter to configdata.html, and (2) cause a denial of service (hard reset) via the "Reset All Defaults" value in the BUTTON_INPUT parameter to configdata.html. |
|
16 |
CVE-2008-1998 |
264 |
|
|
2008-04-28 |
2018-10-31 |
8.5 |
None |
Remote |
Medium |
??? |
Complete |
Complete |
Complete |
|
The NNSTAT (aka SYSPROC.NNSTAT) procedure in IBM DB2 8 before FP16, 9.1 before FP4a, and 9.5 before FP1 on Windows allows remote authenticated users to overwrite arbitrary files via the log file parameter. |
|
17 |
CVE-2008-1997 |
94 |
|
Exec Code |
2008-04-28 |
2018-10-11 |
9.0 |
None |
Remote |
Low |
??? |
Complete |
Complete |
Complete |
|
Unspecified vulnerability in the ADMIN_SP_C2 procedure in IBM DB2 8 before FP16, 9.1 before FP4a, and 9.5 before FP1 allows remote authenticated users to execute arbitrary code via unknown vectors. NOTE: the ADMIN_SP_C issue is already covered by CVE-2008-0699. |
|
18 |
CVE-2008-1995 |
264 |
|
Bypass |
2008-04-28 |
2011-03-08 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Sun Java System Directory Proxy Server 6.0, 6.1, and 6.2 classifies a connection using the "bind-dn" criteria, which can cause an incorrect application of policy and allows remote attackers to bypass intended access restrictions for the server. |
|
19 |
CVE-2008-1994 |
119 |
|
Exec Code Overflow |
2008-04-27 |
2017-08-08 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
Multiple stack-based buffer overflows in (a) acon.c, (b) menu.c, and (c) child.c in Acon 1.0.5-5 through 1.0.5-7 allow local users to execute arbitrary code via (1) a long HOME environment variable or (2) a large number of terminal columns. |
|
20 |
CVE-2008-1993 |
264 |
|
|
2008-04-27 |
2018-10-11 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Acidcat CMS 3.4.1 does not restrict access to the FCKEditor component, which allows remote attackers to upload arbitrary files. |
|
21 |
CVE-2008-1992 |
264 |
|
Bypass |
2008-04-27 |
2018-10-11 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Acidcat CMS 3.4.1 does not properly restrict access to (1) default_mail_aspemail.asp, (2) default_mail_cdosys.asp or (3) default_mail_jmail.asp, which allows remote attackers to bypass restrictions and relay email messages with modified From, FromName, and To fields. |
|
22 |
CVE-2008-1990 |
89 |
|
Exec Code Sql |
2008-04-27 |
2018-10-11 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Multiple SQL injection vulnerabilities in Acidcat CMS 3.4.1 allow remote attackers to execute arbitrary SQL commands via the (1) cID parameter to default.asp and the (2) username parameter to main_login2.asp. |
|
23 |
CVE-2008-1989 |
94 |
|
Exec Code File Inclusion |
2008-04-27 |
2017-09-29 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
PHP remote file inclusion vulnerability in 123flashchat.php in the 123 Flash Chat 6.8.0 module for e107, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the e107path parameter. |
|
24 |
CVE-2008-1988 |
20 |
|
|
2008-04-27 |
2017-08-08 |
9.0 |
None |
Remote |
Low |
??? |
Complete |
Complete |
Complete |
|
Unrestricted file upload vulnerability in the file_upload function in core/misc.class.php in EncapsGallery 2.0.2 allows remote authenticated administrators to upload and execute arbitrary PHP files by uploading a file with an executable extension, then accessing it via a direct request to the file in the rwx_gallery directory. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. |
|
25 |
CVE-2008-1984 |
399 |
|
DoS |
2008-04-27 |
2021-04-09 |
7.8 |
None |
Remote |
Low |
Not required |
None |
None |
Complete |
|
The eTrust Common Services (Transport) Daemon (eCSqdmn) in CA Secure Content Manager 8.0.28000.511 and earlier allows remote attackers to cause a denial of service (crash or CPU consumption) via a malformed packet to TCP port 1882. |
|
26 |
CVE-2008-1982 |
89 |
|
Exec Code Sql |
2008-04-27 |
2017-09-29 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in ss_load.php in the Spreadsheet (wpSS) 0.6 and earlier plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the ss_id parameter. |
|
27 |
CVE-2008-1975 |
89 |
|
Exec Code Sql |
2008-04-27 |
2017-09-29 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in index.php in E-RESERV 2.1 allows remote attackers to execute arbitrary SQL commands via the ID_loc parameter. |
|
28 |
CVE-2008-1973 |
119 |
|
DoS Exec Code Overflow |
2008-04-27 |
2017-09-29 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
Heap-based buffer overflow in SubEdit Player build 4056 and 4066 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a long subtitle file. |
|
29 |
CVE-2008-1971 |
287 |
|
+Priv |
2008-04-27 |
2017-09-29 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
phShoutBox Final 1.5 and earlier only checks passwords when specified in $_POST, which allows remote attackers to gain privileges by setting the (1) phadmin cookie to admin.php, or (2) in 1.4 and earlier, the ssbadmin cookie to shoutadmin.php. |
|
30 |
CVE-2008-1965 |
94 |
|
Exec Code |
2008-04-25 |
2018-10-11 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
Argument injection vulnerability in the cai: URI handler in rcplauncher in IBM Lotus Expeditor Client for Desktop 6.1.1 and 6.1.2, as used by Lotus Symphony and possibly other products, allows remote attackers to execute arbitrary code by injecting a -launcher option via a cai: URI, as demonstrated by a reference to a UNC share pathname. |
|
31 |
CVE-2008-1964 |
119 |
|
Overflow |
2008-04-25 |
2018-10-11 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
** DISPUTED ** Stack-based buffer overflow in the demux_nsf_send_headers function in src/demuxers/demux_nsf.c in xine-lib allows remote attackers to have an unknown impact via a long copyright field in an NSF header in an NES Sound file, a different issue than CVE-2008-1878. NOTE: a third party claims that the copyright field always has a safe length. |
|
32 |
CVE-2008-1963 |
94 |
|
Exec Code File Inclusion |
2008-04-25 |
2017-09-29 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
PHP remote file inclusion vulnerability in includes/functions.php in Quate Grape Web Statistics 0.2a allows remote attackers to execute arbitrary PHP code via a URL in the location parameter. |
|
33 |
CVE-2008-1961 |
89 |
|
Exec Code Sql |
2008-04-25 |
2017-09-29 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in index.php in Voice Of Web AllMyGuests 0.4.1 allows remote attackers to execute arbitrary SQL commands via the AMG_id parameter in a comments action. |
|
34 |
CVE-2008-1959 |
119 |
|
DoS Exec Code Overflow |
2008-04-25 |
2017-08-08 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Stack-based buffer overflow in the get_remote_video_port_media function in call.cpp in SIPp 3.0 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted SIP message. NOTE: some of these details are obtained from third party information. |
|
35 |
CVE-2008-1957 |
89 |
|
Exec Code Sql |
2008-04-25 |
2017-09-29 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in news.php in Tr Script News 2.1 allows remote attackers to execute arbitrary SQL commands via the nb parameter in voir mode. |
|
36 |
CVE-2008-1954 |
89 |
|
Exec Code Sql |
2008-04-25 |
2017-09-29 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in one_day.php in Web Calendar Pro 4.1 and earlier allows remote attackers to execute arbitrary SQL commands via the user_id parameter. |
|
37 |
CVE-2008-1939 |
89 |
|
Exec Code Sql |
2008-04-25 |
2017-09-29 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Multiple SQL injection vulnerabilities in W1L3D4 Philboard 1.0 allow remote attackers to execute arbitrary SQL commands via the (1) id and (2) topic parameters to (a) philboard_reply.asp, and the (3) forumid parameter to (b) philboard_newtopic.asp, different vectors than CVE-2007-2641 and CVE-2007-0920. |
|
38 |
CVE-2008-1936 |
89 |
|
Exec Code Sql |
2008-04-25 |
2018-10-11 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in index.php in Classifieds Caffe allows remote attackers to execute arbitrary SQL commands via the cat_id parameter in an add action. NOTE: this issue might be site-specific. |
|
39 |
CVE-2008-1935 |
89 |
|
Exec Code Sql |
2008-04-25 |
2017-09-29 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in the Filiale 1.0.4 component for Joomla! allows remote attackers to execute arbitrary SQL commands via the idFiliale parameter. |
|
40 |
CVE-2008-1934 |
89 |
|
Exec Code Sql |
2008-04-25 |
2017-09-29 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in commentaires.php in Crazy Goomba 1.2.1 allows remote attackers to execute arbitrary SQL commands via the id parameter. |
|
41 |
CVE-2008-1930 |
287 |
|
|
2008-04-28 |
2018-10-11 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
The cookie authentication method in WordPress 2.5 relies on a hash of a concatenated string containing USERNAME and EXPIRY_TIME, which allows remote attackers to forge cookies by registering a username that results in the same concatenated string, as demonstrated by registering usernames beginning with "admin" to obtain administrator privileges, aka a "cryptographic splicing" issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2007-6013. |
|
42 |
CVE-2008-1926 |
94 |
|
|
2008-04-24 |
2018-10-11 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Argument injection vulnerability in login (login-utils/login.c) in util-linux-ng 2.14 and earlier makes it easier for remote attackers to hide activities by modifying portions of log events, as demonstrated by appending an "addr=" statement to the login name, aka "audit log injection." |
|
43 |
CVE-2008-1923 |
16 |
|
DoS |
2008-04-23 |
2017-08-08 |
7.1 |
None |
Remote |
Medium |
Not required |
None |
None |
Complete |
|
The IAX2 channel driver (chan_iax2) in Asterisk 1.2 before revision 72630 and 1.4 before revision 65679, when configured to allow unauthenticated calls, sends "early audio" to an unverified source IP address of a NEW message, which allows remote attackers to cause a denial of service (traffic amplification) via a spoofed NEW message. |
|
44 |
CVE-2008-1921 |
89 |
|
Exec Code Sql |
2008-04-23 |
2018-10-11 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in store_pages/category_list.php in 5th Avenue Shopping Cart 1.2 trial edition allows remote attackers to execute arbitrary SQL commands via the category_ID parameter. |
|
45 |
CVE-2008-1920 |
119 |
|
DoS Exec Code Overflow |
2008-04-23 |
2018-10-11 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Heap-based buffer overflow in the boxelyRenderer module in the Personal Status Manager feature in ICQ 6.0 build 6043 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted personal status message. |
|
46 |
CVE-2008-1919 |
89 |
|
Exec Code Sql |
2008-04-23 |
2017-09-29 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in listtest.php in YourFreeWorld Apartment Search Script allows remote attackers to execute arbitrary SQL commands via the r parameter. |
|
47 |
CVE-2008-1915 |
89 |
|
Exec Code Sql |
2008-04-23 |
2017-09-29 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in view.asp in DevWorx BlogWorx 1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter. |
|
48 |
CVE-2008-1914 |
119 |
|
Exec Code Overflow |
2008-04-22 |
2018-10-11 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
Stack-based buffer overflow in the AntServer module (AntServer.exe) in BigAnt IM Server in BigAnt Messenger 2.2 allows remote attackers to execute arbitrary code via a long URI in a request to TCP port 6080. NOTE: some of these details are obtained from third party information. |
|
49 |
CVE-2008-1913 |
89 |
|
Exec Code Sql |
2008-04-22 |
2017-09-29 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in index.php in Lasernet CMS 1.5 and 1.11, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the new parameter in a new action. |
|
50 |
CVE-2008-1912 |
119 |
|
DoS Exec Code Overflow |
2008-04-22 |
2018-10-11 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
Stack-based buffer overflow in DivX Player 6.7 build 6.7.0.22 and earlier allows user-assisted remote attackers to cause a denial of service (application crash) or execute arbitrary code via a long subtitle in a .SRT file. |
