| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
51 |
CVE-2008-4299 |
189 |
|
DoS |
2008-09-29 |
2018-10-11 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
A certain ActiveX control in the Microsoft Internet Authentication Service (IAS) Helper COM Component in iashlpr.dll allows remote attackers to cause a denial of service (browser crash) via a large integer value in the first argument to the PutProperty method. NOTE: this issue was disclosed by an unreliable researcher, so it might be incorrect. |
|
52 |
CVE-2008-4298 |
399 |
|
DoS |
2008-09-27 |
2018-10-11 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Memory leak in the http_request_parse function in request.c in lighttpd before 1.4.20 allows remote attackers to cause a denial of service (memory consumption) via a large number of requests with duplicate request headers. |
|
53 |
CVE-2008-4297 |
264 |
|
|
2008-09-27 |
2018-10-11 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Mercurial before 1.0.2 does not enforce the allowpull permission setting for a pull operation from hgweb, which allows remote attackers to read arbitrary files from a repository via an "hg pull" request. |
|
54 |
CVE-2008-4296 |
255 |
|
|
2008-09-27 |
2018-10-11 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
The Cisco Linksys WRT350N with firmware 1.0.3.7 has "admin" as its default password for the "admin" account, which makes it easier for remote attackers to obtain access. |
|
55 |
CVE-2008-4295 |
20 |
|
DoS |
2008-09-27 |
2017-09-29 |
5.4 |
None |
Remote |
High |
Not required |
None |
None |
Complete |
|
Microsoft Windows Mobile 6.0 on HTC Wiza 200 and HTC MDA 8125 devices does not properly handle the first attempt to establish a Bluetooth connection to a peer with a long name, which allows remote attackers to cause a denial of service (device reboot) by configuring a Bluetooth device with a long hci name and (1) connecting directly to the Windows Mobile system or (2) waiting for the Windows Mobile system to scan for nearby devices. |
|
56 |
CVE-2008-4294 |
264 |
|
|
2008-09-27 |
2017-08-08 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
IBM Tivoli Netcool/Webtop 2.1 before 2.1.0.5 preserves cached user privileges after logout, which allows physically proximate attackers to hijack a session by visiting an unattended workstation, as demonstrated by a root session that is still valid after a subsequent read-only session has begun. |
|
57 |
CVE-2008-4293 |
|
|
DoS Exec Code |
2008-09-27 |
2017-08-08 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
Unspecified vulnerability in Opera before 9.52 on Windows, when registered as a protocol handler, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors in which Opera is launched by other applications. |
|
58 |
CVE-2008-4292 |
255 |
|
|
2008-09-27 |
2017-08-08 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
Opera before 9.52 does not check the CRL override upon encountering a certificate that lacks a CRL, which has unknown impact and attack vectors. NOTE: it is not clear whether this is a vulnerability, but the vendor included it in a security section of the advisory. |
|
59 |
CVE-2008-4247 |
352 |
|
Exec Code CSRF |
2008-09-25 |
2012-10-23 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
ftpd in OpenBSD 4.3, FreeBSD 7.0, NetBSD 4.0, Solaris, and possibly other operating systems interprets long commands from an FTP client as multiple commands, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and execute arbitrary FTP commands via a long ftp:// URI that leverages an existing session from the FTP client implementation in a web browser. |
|
60 |
CVE-2008-4246 |
399 |
|
DoS |
2008-09-25 |
2017-08-08 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Unspecified vulnerability in Denora IRC Stats Server before 1.4.1 allows remote IRC servers to cause a denial of service (application crash) via a crafted CTCP response. |
|
61 |
CVE-2008-4245 |
264 |
|
|
2008-09-25 |
2017-09-29 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
The Admin Control Panel in Rianxosencabos CMS 0.9 does not require administrator privileges, which allows remote authenticated users to (1) change a user's privileges, (2) delete a user account, or perform unspecified other administrative actions via vectors involving an admin lista action to the default URI, possibly related to useradmin.php. |
|
62 |
CVE-2008-4244 |
287 |
|
Bypass |
2008-09-25 |
2017-09-29 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Rianxosencabos CMS 0.9 allows remote attackers to bypass authentication and gain administrative access by setting the usuario and pass cookies to 1. |
|
63 |
CVE-2008-4243 |
22 |
|
Dir. Trav. |
2008-09-25 |
2017-09-29 |
7.8 |
None |
Remote |
Low |
Not required |
Complete |
None |
None |
|
Directory traversal vulnerability in ImageServer (aka UTImageServer) in WebAdmin before 1.7 for Epic Games Unreal Tournament 3 (UT3) 1.3 allows remote attackers to read arbitrary files via a .. (dot dot) in the URI. |
|
64 |
CVE-2008-4242 |
352 |
|
Exec Code CSRF |
2008-09-25 |
2017-08-08 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
ProFTPD 1.3.1 interprets long commands from an FTP client as multiple commands, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and execute arbitrary FTP commands via a long ftp:// URI that leverages an existing session from the FTP client implementation in a web browser. |
|
65 |
CVE-2008-4241 |
89 |
|
Exec Code Sql |
2008-09-25 |
2017-09-29 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in CJ Ultra Plus 1.0.4 and earlier allows remote attackers to execute arbitrary SQL commands via an SID cookie. |
|
66 |
CVE-2008-4210 |
264 |
|
+Priv +Info |
2008-09-29 |
2017-09-29 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
fs/open.c in the Linux kernel before 2.6.22 does not properly strip setuid and setgid bits when there is a write to a file, which allows local users to gain the privileges of a different group, and obtain sensitive information or possibly have unspecified other impact, by creating an executable file in a setgid directory through the (1) truncate or (2) ftruncate function in conjunction with memory-mapped I/O. |
|
67 |
CVE-2008-4208 |
|
|
|
2008-09-24 |
2017-08-08 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
Unspecified vulnerability in OSADS Alliance Database before 2.1 has unknown impact and attack vectors, possibly related to includes/functions.php, a different issue than CVE-2006-2874. |
|
68 |
CVE-2008-4207 |
200 |
|
+Info |
2008-09-24 |
2018-10-11 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Attachmax Dolphin 2.1.0 and earlier does not properly protect info.php in the main folder, which allows remote attackers to obtain sensitive information via a direct request, which invokes the phpinfo function. NOTE: some of these details are obtained from third party information. |
|
69 |
CVE-2008-4206 |
94 |
|
Exec Code File Inclusion |
2008-09-24 |
2018-10-11 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
PHP remote file inclusion vulnerability in config.php in Attachmax Dolphin 2.1.0 and earlier, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the rel_path parameter. |
|
70 |
CVE-2008-4205 |
89 |
|
Exec Code Sql |
2008-09-24 |
2018-10-11 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in search.php Attachmax Dolphin 2.1.0 and earlier allows remote attackers to execute arbitrary SQL commands via the category parameter in a Search action to index.php. NOTE: some of these details are obtained from third party information. |
|
71 |
CVE-2008-4204 |
89 |
|
Exec Code Sql |
2008-09-24 |
2017-09-29 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in city.asp in SoftAcid Hotel Reservation System (HRS) allows remote attackers to execute arbitrary SQL commands via the city parameter. |
|
72 |
CVE-2008-4203 |
89 |
|
Exec Code Sql |
2008-09-24 |
2017-09-29 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in cn_users.php in CzarNews 1.20 and earlier allows remote attackers to execute arbitrary SQL commands via a recook cookie. |
|
73 |
CVE-2008-4202 |
89 |
|
Exec Code Sql |
2008-09-24 |
2017-09-29 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in index.php in Gonafish LinksCaffePRO 4.5 allows remote attackers to execute arbitrary SQL commands via the idd parameter in a deadlink action. |
|
74 |
CVE-2008-4201 |
119 |
|
DoS Exec Code Overflow |
2008-09-24 |
2011-01-03 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
Heap-based buffer overflow in the decodeMP4file function (frontend/main.c) in FAAD2 2.6.1 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted MPEG-4 (MP4) file. |
|
75 |
CVE-2008-4200 |
20 |
|
|
2008-09-27 |
2017-08-08 |
6.4 |
None |
Remote |
Low |
Not required |
None |
Partial |
Partial |
|
Opera before 9.52 does not ensure that the address field of a news feed represents the feed's actual URL, which allows remote attackers to change this field to display the URL of a page containing web script controlled by the attacker. |
|
76 |
CVE-2008-4199 |
200 |
|
+Info |
2008-09-27 |
2017-08-08 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Opera before 9.52 does not prevent use of links from web pages to feed source files on the local disk, which might allow remote attackers to determine the validity of local filenames via vectors involving "detection of JavaScript events and appropriate manipulation." |
|
77 |
CVE-2008-4198 |
|
|
|
2008-09-27 |
2017-08-08 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Opera before 9.52, when rendering an http page that has loaded an https page into a frame, displays a padlock icon and offers a security information dialog reporting a secure connection, which might allow remote attackers to trick a user into performing unsafe actions on the http page. |
|
78 |
CVE-2008-4197 |
399 |
|
Exec Code |
2008-09-27 |
2017-08-08 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
Opera before 9.52 on Windows, Linux, FreeBSD, and Solaris, when processing custom shortcut and menu commands, can produce argument strings that contain uninitialized memory, which might allow user-assisted remote attackers to execute arbitrary code or conduct other attacks via vectors related to activation of a shortcut. |
|
79 |
CVE-2008-4196 |
79 |
|
XSS |
2008-09-27 |
2011-02-01 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in Opera before 9.52 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
|
80 |
CVE-2008-4195 |
264 |
|
|
2008-09-27 |
2017-08-08 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Opera before 9.52 does not properly restrict the ability of a framed web page to change the address associated with a different frame, which allows remote attackers to trigger the display of an arbitrary address in a frame via unspecified use of web script. |
|
81 |
CVE-2008-4194 |
399 |
|
DoS |
2008-09-24 |
2017-08-08 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The p_exec_query function in src/dns_query.c in pdnsd before 1.2.7-par allows remote attackers to cause a denial of service (daemon crash) via a long DNS reply with many entries in the answer section, related to a "dangling pointer bug." |
|
82 |
CVE-2008-4193 |
119 |
|
Exec Code Overflow |
2008-09-24 |
2017-09-29 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
Stack-based buffer overflow in SecurityGateway.dll in Alt-N Technologies SecurityGateway 1.0.1 allows remote attackers to execute arbitrary code via a long username parameter. |
|
83 |
CVE-2008-4192 |
59 |
|
|
2008-09-29 |
2017-08-08 |
6.9 |
None |
Local |
Medium |
Not required |
Complete |
Complete |
Complete |
|
The pserver_shutdown function in fence_egenera in cman 2.20080629 and 2.20080801 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/eglog temporary file. |
|
84 |
CVE-2008-4191 |
59 |
|
|
2008-09-24 |
2017-08-08 |
6.6 |
None |
Local |
Low |
Not required |
None |
Complete |
Complete |
|
extract-table.pl in Emacspeak 26 and 28 allows local users to overwrite arbitrary files via a symlink attack on the extract-table.csv temporary file. |
|
85 |
CVE-2008-4190 |
59 |
|
Exec Code |
2008-09-24 |
2019-07-29 |
4.4 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The IPSEC livetest tool in Openswan 2.4.12 and earlier, and 2.6.x through 2.6.16, allows local users to overwrite arbitrary files and execute arbitrary code via a symlink attack on the (1) ipseclive.conn and (2) ipsec.olts.remote.log temporary files. NOTE: in many distributions and the upstream version, this tool has been disabled. |
|
86 |
CVE-2008-4188 |
94 |
|
Exec Code |
2008-09-23 |
2017-08-08 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
Unspecified vulnerability in the TYPO3 Secure Directory (kw_secdir) extension before 1.0.2 allows remote attackers to execute arbitrary code via unknown vectors related to "injection of control characters." |
|
87 |
CVE-2008-4187 |
22 |
|
Dir. Trav. |
2008-09-23 |
2017-09-29 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Directory traversal vulnerability in index.php in ProActive CMS allows remote attackers to read arbitrary files via a .. (dot dot) in the template parameter. |
|
88 |
CVE-2008-4186 |
89 |
|
Exec Code Sql |
2008-09-23 |
2017-08-08 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in index.php in webCMS Portal Edition allows remote attackers to execute arbitrary SQL commands via the id_doc parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. |
|
89 |
CVE-2008-4185 |
89 |
|
Exec Code Sql |
2008-09-23 |
2017-09-29 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in index.php in webCMS Portal Edition allows remote attackers to execute arbitrary SQL commands via the id parameter in a documentos action, a different vector than CVE-2008-3213. |
|
90 |
CVE-2008-4184 |
79 |
|
XSS |
2008-09-23 |
2017-08-08 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in index.php in webCMS Portal Edition allows remote attackers to inject arbitrary web script or HTML via the patron parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. |
|
91 |
CVE-2008-4183 |
200 |
|
+Info |
2008-09-23 |
2017-09-29 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
IntegraMOD 1.4.x stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a backup via a direct request to a backup/backup-yyyy-dd-mm.sql filename. |
|
92 |
CVE-2008-4182 |
79 |
1
|
XSS |
2008-09-23 |
2017-08-08 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in imp/test.php in Horde Turba Contact Manager H3 2.2.1 and other versions before 2.3.1, and possibly other Horde Project products, allows remote attackers to inject arbitrary web script or HTML via the User field in an IMAP session. |
|
93 |
CVE-2008-4181 |
22 |
|
Dir. Trav. File Inclusion |
2008-09-23 |
2017-09-29 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Directory traversal vulnerability in includes/xml.php in the Netenberg Fantastico De Luxe module before 2.10.4 r19 for cPanel, when cPanel PHP Register Globals is enabled, allows remote authenticated users to include and execute arbitrary local files via a .. (dot dot) or absolute pathname in the fantasticopath parameter. NOTE: in some environments, this can be leveraged for remote file inclusion by using a UNC share pathname or an ftp, ftps, or ssh2.sftp URL. |
|
94 |
CVE-2008-4180 |
200 |
|
+Info |
2008-09-23 |
2018-10-11 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Unspecified vulnerability in db.php in NooMS 1.1 allows remote attackers to conduct brute force attacks against passwords via a username in the g_dbuser parameter and a password in the g_dbpwd parameter, and possibly a "localhost" g_dbhost parameter value, related to a "Mysql Remote Brute Force Vulnerability." |
|
95 |
CVE-2008-4179 |
79 |
|
XSS |
2008-09-23 |
2018-10-11 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in NooMS 1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) page_id parameter to smileys.php and the (2) q parameter to search.php. |
|
96 |
CVE-2008-4178 |
89 |
1
|
Exec Code Sql |
2008-09-23 |
2017-09-29 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in tr.php in DownlineGoldmine Special Category Addon, Downline Builder Pro, New Addon, and Downline Goldmine Builder allows remote attackers to execute arbitrary SQL commands via the id parameter. NOTE: some of these details are obtained from third party information. |
|
97 |
CVE-2008-4177 |
89 |
|
Exec Code Sql |
2008-09-23 |
2017-09-29 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in search.php in Pre Real Estate Listings allows remote attackers to execute arbitrary SQL commands via the c parameter. |
|
98 |
CVE-2008-4176 |
89 |
|
Exec Code Sql |
2008-09-23 |
2017-09-29 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in izle.asp in FoT Video scripti 1.1 beta allows remote attackers to execute arbitrary SQL commands via the oyun parameter. |
|
99 |
CVE-2008-4175 |
89 |
|
Exec Code Sql |
2008-09-23 |
2017-09-29 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
Multiple SQL injection vulnerabilities in Link Bid Script 1.5 allow remote attackers to execute arbitrary SQL commands via the (1) ucat parameter to upgrade.php and the (2) id parameter to linkadmin/edit.php. |
|
100 |
CVE-2008-4174 |
79 |
1
|
XSS |
2008-09-23 |
2017-08-08 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in index.php in Dynamic MP3 Lister 2.0.1 allow remote attackers to inject arbitrary web script or HTML via the (1) currentpath, (2) invert, (3) search, and (4) sort parameters. |
