CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In April 2010 (CVSS score >= 7)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2000-1245 264 Bypass 2010-04-05 2010-04-05
7.5
None Remote Low Not required Partial Partial Partial
Multiple unspecified vulnerabilities in NWFTPD.nlm before 5.01o in the FTP server in Novell NetWare 5.1 SP3 allow remote attackers to bypass intended restrictions on anonymous access via unknown vectors.
2 CVE-2003-1593 264 Bypass 2010-04-05 2010-04-06
7.5
None Remote Low Not required Partial Partial Partial
NWFTPD.nlm in the FTP server in Novell NetWare 6.0 before SP4 and 6.5 before SP1 does not enforce domain-name login restrictions, which allows remote attackers to bypass intended access control via an FTP connection.
3 CVE-2003-1594 264 Bypass 2010-04-05 2010-04-06
7.5
None Remote Low Not required Partial Partial Partial
NWFTPD.nlm before 5.04.05 in the FTP server in Novell NetWare 6.5 does not properly enforce FTPREST.TXT settings, which allows remote attackers to bypass intended access restrictions via an FTP session.
4 CVE-2003-1595 264 2010-04-05 2010-04-06
10.0
None Remote Low Not required Complete Complete Complete
NWFTPD.nlm before 5.04.05 in the FTP server in Novell NetWare 6.5 does not properly perform "intruder detection," which has unspecified impact and attack vectors.
5 CVE-2003-1596 264 Bypass 2010-04-05 2010-06-08
7.5
None Remote Low Not required Partial Partial Partial
NWFTPD.nlm before 5.03.12 in the FTP server in Novell NetWare does not properly restrict filesystem use by anonymous users with NFS Gateway home directories, which allows remote attackers to bypass intended access restrictions via an FTP session.
6 CVE-2005-4887 2010-04-05 2010-04-06
7.5
None Remote Low Not required Partial Partial Partial
NWFTPD.nlm before 5.06.05 in the FTP server in Novell NetWare 6.5 SP5 allows attackers to have an unspecified impact via vectors related to passwords.
7 CVE-2007-6735 264 Bypass 2010-04-05 2010-04-06
7.5
None Remote Low Not required Partial Partial Partial
NWFTPD.nlm before 5.08.06 in the FTP server in Novell NetWare does not properly handle partial matches for container names in the FTPREST.TXT file, which allows remote attackers to bypass intended access restrictions via an FTP session.
8 CVE-2009-1564 119 Exec Code Overflow 2010-04-12 2010-04-22
9.3
None Remote Medium Not required Complete Complete Complete
Heap-based buffer overflow in vmnc.dll in the VMnc media codec in VMware Movie Decoder before 6.5.4 Build 246459 on Windows, and the movie decoder in VMware Workstation 6.5.x before 6.5.4 build 246459, VMware Player 2.5.x before 2.5.4 build 246459, and VMware Server 2.x on Windows, allows remote attackers to execute arbitrary code via an AVI file with crafted video chunks that use HexTile encoding.
9 CVE-2009-1565 119 Exec Code Overflow 2010-04-12 2010-04-22
9.3
None Remote Medium Not required Complete Complete Complete
vmnc.dll in the VMnc media codec in VMware Movie Decoder before 6.5.4 Build 246459 on Windows, and the movie decoder in VMware Workstation 6.5.x before 6.5.4 build 246459, VMware Player 2.5.x before 2.5.4 build 246459, and VMware Server 2.x on Windows, allows remote attackers to execute arbitrary code via an AVI file with crafted HexTile-encoded video chunks that trigger heap-based buffer overflows, related to "integer truncation errors."
10 CVE-2009-2936 287 Exec Code CSRF 2010-04-05 2018-10-10
7.5
None Remote Low Not required Partial Partial Partial
** DISPUTED ** The Command Line Interface (aka Server CLI or administration interface) in the master process in the reverse proxy server in Varnish before 2.1.0 does not require authentication for commands received through a TCP port, which allows remote attackers to (1) execute arbitrary code via a vcl.inline directive that provides a VCL configuration file containing inline C code; (2) change the ownership of the master process via param.set, stop, and start directives; (3) read the initial line of an arbitrary file via a vcl.load directive; or (4) conduct cross-site request forgery (CSRF) attacks that leverage a victim's location on a trusted network and improper input validation of directives. NOTE: the vendor disputes this report, saying that it is "fundamentally misguided and pointless."
11 CVE-2009-3732 134 Exec Code 2010-04-12 2022-06-15
10.0
None Remote Low Not required Complete Complete Complete
Format string vulnerability in vmware-vmrc.exe build 158248 in VMware Remote Console (aka VMrc) allows remote attackers to execute arbitrary code via unspecified vectors.
12 CVE-2009-4509 94 Exec Code Bypass 2010-04-13 2018-10-10
10.0
None Remote Low Not required Complete Complete Complete
The administrative web console on the TANDBERG Video Communication Server (VCS) before X4.3 uses predictable session cookies in (1) tandberg/web/lib/secure.php and (2) tandberg/web/user/lib/secure.php, which makes it easier for remote attackers to bypass authentication, and execute arbitrary code by loading a custom software update, via a crafted "Cookie: tandberg_login=" HTTP header.
13 CVE-2009-4510 310 2010-04-13 2018-08-13
8.5
None Remote Medium ??? Complete Complete Complete
The SSH service on the TANDBERG Video Communication Server (VCS) before X5.1 uses a fixed DSA key, which makes it easier for remote attackers to conduct man-in-the-middle attacks and spoof arbitrary servers via crafted SSH packets.
14 CVE-2009-4737 119 Exec Code Overflow 2010-04-06 2017-08-17
9.3
None Remote Medium Not required Complete Complete Complete
Stack-based buffer overflow in JustSystems Corporation Ichitaro 13, 2004 through 2009, Viewer 2009 19.0.1.0 and earlier, and other versions allows context-dependent attackers to execute arbitrary code via a crafted Rich Text File (RTF), related to "pvpara ffooter."
15 CVE-2009-4764 94 1 Exec Code 2010-04-05 2017-09-19
9.3
None Remote Medium Not required Complete Complete Complete
Adobe Reader 8.x and 9.x on Windows is able to execute EXE files that are embedded in a PDF document, which makes it easier for remote attackers to trick users into executing arbitrary code via a crafted document.
16 CVE-2009-4768 94 Exec Code 2010-04-20 2017-08-17
9.3
None Remote Medium Not required Complete Complete Complete
Unspecified vulnerability in the JASS script interpreter in Warcraft III: The Frozen Throne 1.24b and earlier allows user-assisted remote attackers to execute arbitrary code via a crafted custom map. NOTE: some of these details are obtained from third party information.
17 CVE-2009-4769 134 2 Exec Code 2010-04-20 2010-06-07
9.3
None Remote Medium Not required Complete Complete Complete
Multiple format string vulnerabilities in the tolog function in httpdx 1.4, 1.4.5, 1.4.6, 1.4.6b, and 1.5 allow (1) remote attackers to execute arbitrary code via format string specifiers in a GET request to the HTTP server component when logging is enabled, and allow (2) remote authenticated users to execute arbitrary code via format string specifiers in a PWD command to the FTP server component.
18 CVE-2009-4770 255 1 2010-04-20 2010-06-07
7.5
None Remote Low Not required Partial Partial Partial
The FTP server component in httpdx 1.4, 1.4.5, 1.4.6, 1.4.6b, and 1.5 has a default password of pass123 for the moderator account, which makes it easier for remote attackers to obtain privileged access.
19 CVE-2009-4776 119 Overflow 2010-04-21 2010-06-07
9.3
None Remote Medium Not required Complete Complete Complete
Buffer overflow in Hitachi Cosminexus V4 through V8, Processing Kit for XML, and Developer's Kit for Java, as used in products such as uCosminexus, Electronic Form Workflow, Groupmax, and IBM XL C/C++ Enterprise Edition 7 and 8, allows remote attackers to have an unknown impact via vectors related to the use of GIF image processing APIs by a Java application, and a different issue from CVE-2007-3794.
20 CVE-2009-4778 DoS Exec Code Mem. Corr. 2010-04-21 2010-04-22
9.3
None Remote Medium Not required Complete Complete Complete
Multiple unspecified vulnerabilities in the PDF distiller in the Attachment Service component in Research In Motion (RIM) BlackBerry Enterprise Server (BES) software 4.1.3 through 4.1.7 and 5.0.0, and BlackBerry Professional Software 4.1.4, allow user-assisted remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted .pdf file attachment, a different vulnerability than CVE-2008-3246, CVE-2009-0176, CVE-2009-0219, CVE-2009-2643, and CVE-2009-2646.
21 CVE-2009-4779 94 1 Exec Code File Inclusion 2010-04-21 2017-08-17
7.5
None Remote Low Not required Partial Partial Partial
Multiple PHP remote file inclusion vulnerabilities in NukeHall 0.3 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the spaw_root parameter to (1) blocks.php, (2) messages.php, and (3) stories.php in admin/modules/.
22 CVE-2009-4781 255 1 2010-04-21 2010-04-22
7.2
None Local Low Not required Complete Complete Complete
TUKEVA Password Reminder before 1.0.0.4 uses a hard-coded password for rem.accdb, which allows local users to discover credentials via a DBI connection.
23 CVE-2009-4783 89 1 Exec Code Sql 2010-04-21 2018-10-10
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in Theeta CMS, possibly 0.01, allow remote attackers to execute arbitrary SQL commands via the start parameter to (1) forum.php and (2) thread.php in community/, and (3) blog/index.php.
24 CVE-2009-4784 89 1 Exec Code Sql 2010-04-21 2010-06-03
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the Joaktree (com_joaktree) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the treeId parameter to index.php.
25 CVE-2009-4785 89 1 Exec Code Sql 2010-04-21 2010-06-03
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the Quick News (com_quicknews) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the newsid parameter in a view_item action to index.php.
26 CVE-2009-4789 94 1 Exec Code File Inclusion 2010-04-21 2010-06-03
7.5
None Remote Low Not required Partial Partial Partial
Multiple PHP remote file inclusion vulnerabilities in the MojoBlog component RC 0.15 for Joomla! allow remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter to (1) wp-comments-post.php and (2) wp-trackback.php.
27 CVE-2009-4790 22 Dir. Trav. 2010-04-22 2010-06-03
9.0
None Remote Low ??? Complete Complete Complete
Multiple directory traversal vulnerabilities in Sysax Multi Server 4.5 allow remote authenticated users to read or modify arbitrary files via crafted FTP commands. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
28 CVE-2009-4791 89 1 Exec Code Sql 2010-04-22 2018-10-10
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in Family Connections (aka FCMS) before 1.8.2 allow remote attackers to execute arbitrary SQL commands via the (1) letter parameter to addressbook.php, (2) id parameter to recipes.php, (3) year parameter to register.php, (4) poll_id parameter to home.php, and (5) email parameter to lostpw.php.
29 CVE-2009-4792 89 1 Exec Code Sql 2010-04-22 2017-09-19
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in includes/content/member_content.php in BandSite CMS 1.1.4 allows remote attackers to execute arbitrary SQL commands via the memid parameter to members.php.
30 CVE-2009-4794 89 Exec Code Sql 2010-04-22 2018-10-10
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in Community CMS 0.5 allow remote attackers to execute arbitrary SQL commands via the (1) article_id parameter to view.php and the (2) a parameter in an event action to calendar.php, reachable through index.php.
31 CVE-2009-4796 89 1 Exec Code Sql 2010-04-22 2018-10-10
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in the ExecuteQueries function in private/system/classes/listfactory.class.php in glFusion 1.1.2 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) order and (2) direction parameters to search.php.
32 CVE-2009-4797 89 1 Exec Code Sql 2010-04-22 2017-09-19
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in browse.php in JobHut 1.2 and earlier allows remote attackers to execute arbitrary SQL commands via the pk parameter.
33 CVE-2009-4798 89 1 Exec Code Sql 2010-04-22 2017-09-19
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in Diskos CMS 6.x allow remote attackers to execute arbitrary SQL commands via the (1) kat parameter to side.asp, and the (2) brugerid and (3) password fields to the administration login feature.
34 CVE-2009-4801 287 1 2010-04-23 2018-10-10
7.5
None Remote Low Not required Partial Partial Partial
EZ-Blog Beta 1 does not require authentication, which allows remote attackers to create or delete arbitrary posts via requests to PHP scripts.
35 CVE-2009-4802 89 Exec Code Sql 2010-04-23 2010-04-26
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the Flat Manager (flatmgr) extension before 1.9.16 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
36 CVE-2009-4803 89 Exec Code Sql 2010-04-23 2010-05-26
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the Accessibility Glossary (a21glossary) extension 0.4.10 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
37 CVE-2009-4806 287 1 2010-04-23 2017-09-19
7.5
None Remote Low Not required Partial Partial Partial
admin/save_user.asp in Digital Interchange Document Library 1.0.1 does not require administrative authentication, which allows remote attackers to read or modify the administrator's credentials via unspecified vectors. NOTE: some of these details are obtained from third party information.
38 CVE-2009-4807 89 1 Exec Code Sql 2010-04-23 2017-09-19
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in Graugon PHP Article Publisher 1.0 allow remote attackers to execute arbitrary SQL commands via the (1) c parameter to index.php and the (2) id parameter to view.php.
39 CVE-2009-4808 287 1 Bypass 2010-04-23 2017-09-19
7.5
None Remote Low Not required Partial Partial Partial
admin.php in Graugon PHP Article Publisher 1.0 allows remote attackers to bypass authentication and obtain administrative access by setting the g_admin cookie to 1.
40 CVE-2009-4810 20 Bypass 2010-04-23 2010-04-26
7.5
None Remote Low Not required Partial Partial Partial
The Secure Remote Password (SRP) implementation in Samhain before 2.5.4 does not check for a certain zero value where required by the protocol, which allows remote attackers to bypass authentication via crafted input.
41 CVE-2009-4824 2010-04-27 2010-06-05
7.5
None Remote Low Not required Partial Partial Partial
Unspecified vulnerability in Kolab Webclient before 1.2.0 in Kolab Server before 2.2.3 allows attackers to have an unspecified impact via vectors related to an "image upload form."
42 CVE-2009-4830 287 Bypass 2010-04-27 2010-07-30
7.5
None Remote Low Not required Partial Partial Partial
Unspecified vulnerability in OpenX 2.8.1 and 2.8.2 allows remote attackers to bypass authentication and obtain access to an Administrator account via unknown vectors, possibly related to www/admin/install.php, www/admin/install-plugins.php, and other www/admin/ files.
43 CVE-2009-4832 264 1 +Priv 2010-04-29 2017-09-19
7.2
None Local Low Not required Complete Complete Complete
The dlpcrypt.sys kernel driver 0.1.1.27 in DESlock+ 4.0.2 allows local users to gain privileges via a crafted IOCTL 0x80012010 request to the DLPCryptCore device.
44 CVE-2010-0073 2010-04-14 2021-04-21
10.0
None Remote Low Not required Complete Complete Complete
Unspecified vulnerability in the WebLogic Server in Oracle WebLogic Server 7.0 SP7, 8.1 SP6, 9.0, 9.1, 9.2 MP3, 10.0 MP2, and 10.3.2 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.
45 CVE-2010-0087 2010-04-01 2018-10-30
7.5
None Remote Low Not required Partial Partial Partial
Unspecified vulnerability in the Java Web Start, Java Plug-in component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.
46 CVE-2010-0094 2010-04-01 2018-10-10
7.5
None Remote Low Not required Partial Partial Partial
Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18 and 5.0 Update 23 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the March 2010 CPU. Oracle has not commented on claims from a reliable researcher that this is due to missing privilege checks during deserialization of RMIConnectionImpl objects, which allows remote attackers to call system-level Java functions via the ClassLoader of a constructor that is being deserialized.
47 CVE-2010-0098 Bypass 2010-04-08 2010-08-31
10.0
None Remote Low Not required Complete Complete Complete
ClamAV before 0.96 does not properly handle the (1) CAB and (2) 7z file formats, which allows remote attackers to bypass virus detection via a crafted archive that is compatible with standard archive utilities.
48 CVE-2010-0173 DoS Exec Code Mem. Corr. 2010-04-05 2018-10-30
9.3
None Remote Medium Not required Complete Complete Complete
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.5.9 and 3.6.x before 3.6.2, Thunderbird before 3.0.4, and SeaMonkey before 2.0.4 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
49 CVE-2010-0174 DoS Exec Code Mem. Corr. 2010-04-05 2018-10-30
10.0
None Remote Low Not required Complete Complete Complete
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.0.19, 3.5.x before 3.5.9, and 3.6.x before 3.6.2; Thunderbird before 3.0.4; and SeaMonkey before 2.0.4 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
50 CVE-2010-0175 399 DoS Exec Code 2010-04-05 2018-10-30
9.3
None Remote Medium Not required Complete Complete Complete
Use-after-free vulnerability in the nsTreeSelection implementation in Mozilla Firefox before 3.0.19 and 3.5.x before 3.5.9, Thunderbird before 3.0.4, and SeaMonkey before 2.0.4 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via unspecified vectors that trigger a call to the handler for the select event for XUL tree items.
Total number of vulnerabilities : 211   Page : 1 (This Page)2 3 4 5
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.