CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities Published In September 2008

Each entry below occupies four lines: (1) row number, CVE ID, CWE ID, number of public exploits (omitted when none), vulnerability type(s) (omitted when none), publish date and last update date; (2) CVSS v2 base score; (3) Gained Access Level, Access Vector (Remote or Local), Access Complexity, Authentication, then the Confidentiality, Integrity and Availability impacts; (4) the CVE description.
101 CVE-2008-4173 89 Exec Code Sql 2008-09-22 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in ProArcadeScript 1.3 allows remote attackers to execute arbitrary SQL commands via the random parameter to the default URI.
102 CVE-2008-4172 89 1 Exec Code Sql 2008-09-22 2017-08-08
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in page.php in Cars & Vehicle (aka Cars-Vehicle Script) allows remote attackers to execute arbitrary SQL commands via the lnkid parameter.
103 CVE-2008-4171 89 Exec Code Sql 2008-09-22 2011-03-08
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in xmlout.php in Invision Power Board (IP.Board or IPB) 2.2.x and 2.3.x allows remote attackers to execute arbitrary SQL commands via the name parameter.
104 CVE-2008-4170 200 +Info 2008-09-22 2018-10-11
5.0
None Remote Low Not required Partial None None
create_account.php in osCommerce 2.2 RC 2a allows remote attackers to obtain sensitive information via an invalid dob parameter, which reveals the installation path in an error message.
105 CVE-2008-4169 89 Exec Code Sql 2008-09-22 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in detaillist.php in iScripts EasyIndex, possibly 1.0, allows remote attackers to execute arbitrary SQL commands via the produid parameter.
106 CVE-2008-4168 79 XSS 2008-09-22 2018-10-11
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in verify_login.jsp in Pro2col Stingray FTS allows remote attackers to inject arbitrary web script or HTML via the form_username parameter (aka user name field).
107 CVE-2008-4167 287 2008-09-22 2017-09-29
6.4
None Remote Low Not required None Partial Partial
useradmin.php in Easy Photo Gallery (aka Ezphotogallery) 2.1 does not require administrative authentication, which allows remote attackers to (1) add or (2) remove an Administrator account.
108 CVE-2008-4166 189 DoS Overflow 2008-09-22 2018-10-11
4.3
None Remote Medium Not required None None Partial
Integer overflow in the JavaScript engine in Avant Browser 11.7 Build 9 and earlier allows remote attackers to cause a denial of service (application crash) by attempting to URL encode a string containing many instances of an invalid character.
109 CVE-2008-4165 310 2008-09-22 2017-08-08
4.0
None Remote Low Single system Partial None None
admin/user/create_user.php in Kolab Groupware Server 1.0.0 places a user password in an HTTP GET request, which allows local administrators, and possibly remote attackers, to obtain cleartext passwords by reading the ssl_access_log file or the referer string.
110 CVE-2008-4164 200 +Info 2008-09-22 2017-09-29
2.6
None Remote High Not required Partial None None
cron.php in MemHT Portal 3.9.0 and earlier allows remote attackers to obtain sensitive information via a direct request, which reveals the installation path in an error message.
111 CVE-2008-4163 20 DoS 2008-09-22 2017-08-08
7.8
None Remote Low Not required None None Complete
Unspecified vulnerability in ISC BIND 9.3.5-P2-W1, 9.4.2-P2-W1, and 9.5.0-P2-W1 on Windows allows remote attackers to cause a denial of service (UDP client handler termination) via unknown vectors.
112 CVE-2008-4162 59 2008-09-22 2018-10-11
4.3
None Remote Medium Not required None Partial None
Open redirect vulnerability in admin/auth.php in NooMS 1.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the g_site_url parameter.
113 CVE-2008-4161 89 Exec Code Sql 2008-09-22 2017-09-29
6.8
None Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in search_inv.php in Assetman 2.5b allows remote attackers to execute arbitrary SQL commands and conduct session fixation attacks via a combination of crafted order and order_by parameters in a search_all action.
114 CVE-2008-4160 399 DoS 2008-09-22 2017-09-29
4.7
None Local Medium Not required None None Complete
Unspecified vulnerability in the UFS module in Sun Solaris 8 through 10 and OpenSolaris allows local users to cause a denial of service (NULL pointer dereference and kernel panic) via unknown vectors related to the Solaris Access Control List (ACL) implementation.
115 CVE-2008-4159 89 Exec Code Sql 2008-09-22 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in index.php in Jaw Portal and Zanfi CMS lite allows remote attackers to execute arbitrary SQL commands via the page (pageid) parameter.
116 CVE-2008-4158 22 Dir. Trav. 2008-09-22 2017-09-29
6.8
None Remote Medium Not required Partial Partial Partial
Multiple directory traversal vulnerabilities in index.php in Zanfi CMS lite 1.2 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the (1) flag and (2) inc parameters.
117 CVE-2008-4157 89 1 Exec Code Sql 2008-09-22 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in groups.php in Vastal I-Tech phpVID 1.1 allows remote attackers to execute arbitrary SQL commands via the cat parameter, a different vector than CVE-2007-3610. NOTE: it was later reported that 1.2.3 is also affected.
118 CVE-2008-4156 89 Exec Code Sql 2008-09-19 2017-09-29
6.8
None Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in print.php in CustomCms (CCMS) Gaming Portal 4.0, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the id parameter.
119 CVE-2008-4155 22 Dir. Trav. 2008-09-19 2017-09-29
7.8
None Remote Low Not required Complete None None
Multiple directory traversal vulnerabilities in EasySite 2.3 allow remote attackers to read arbitrary files or list directories via a .. (dot dot) in the (1) module or (2) action parameter in (a) www/index.php; the (3) module, (4) ss_module, or (5) ss_action parameter in (b) modules/Module/index.php or (c) modules/Themes/index.php; or the (6) module parameter in (d) inc/vmenu.php.
120 CVE-2008-4154 89 Exec Code Sql 2008-09-19 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in living-e webEdition CMS allows remote attackers to execute arbitrary SQL commands via the we_objectID parameter.
121 CVE-2008-4153 264 +Info 2008-09-24 2017-08-08
5.0
None Remote Low Not required Partial None None
The Talk module 5.x before 5.x-1.3 and 6.x before 6.x-1.5, a module for Drupal, does not perform access checks for a node before displaying comments, which allows remote attackers to obtain sensitive information.
122 CVE-2008-4152 79 XSS 2008-09-24 2017-08-08
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in the Talk module 5.x before 5.x-1.3 and 6.x before 6.x-1.5, a module for Drupal, allows remote authenticated users to inject arbitrary web script or HTML via a node title.
123 CVE-2008-4151 22 Dir. Trav. 2008-09-24 2018-10-11
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in collect.php in CYASK 3.x allows remote attackers to read arbitrary files via a .. (dot dot) in the neturl parameter.
124 CVE-2008-4150 89 Exec Code Sql 2008-09-24 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in picture_category.php in Diesel Joke Site allows remote attackers to execute arbitrary SQL commands via the id parameter, a different vector than CVE-2006-3763.
125 CVE-2008-4149 79 XSS 2008-09-24 2017-08-08
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Greg Holsclaw Link to Us module 5.x before 5.x-1.1 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via the "Link page header" field.
126 CVE-2008-4148 89 Exec Code Sql 2008-09-24 2017-08-08
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the Mailhandler module 5.x before 5.x-1.4 and 6.x before 6.x-1.4, a module for Drupal, allows remote attackers to execute arbitrary SQL commands via unspecified vectors, related to composing queries without using the Drupal database API.
127 CVE-2008-4147 79 XSS 2008-09-24 2017-08-08
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Mailsave module 5.x before 5.x-3.3 and 6.x before 6.x-1.3, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via an e-mail message with an attached file that has a modified Content-Type.
128 CVE-2008-4146 287 2008-09-24 2017-09-29
5.0
None Remote Low Not required None Partial None
Addalink 1.0 beta 4 and earlier allows remote attackers to (1) approve web-site additions via a modified approved field and (2) change the visit-counter value via a modified counter field.
129 CVE-2008-4145 89 Exec Code Sql 2008-09-24 2017-09-29
6.8
None Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in user_read_links.php in Addalink 1.0 beta 4 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the category_id parameter.
130 CVE-2008-4144 89 Exec Code Sql 2008-09-24 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in index.php in ACG-ScriptShop E-Gold Script Shop allows remote attackers to execute arbitrary SQL commands via the cid parameter in a showcat action.
131 CVE-2008-4143 89 Exec Code Sql 2008-09-24 2017-08-08
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in category_search.php in RazorCommerce Shopping Cart allows remote attackers to execute arbitrary SQL commands via the id parameter.
132 CVE-2008-4142 89 1 Exec Code Sql 2008-09-24 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in article.php in E-Php CMS allows remote attackers to execute arbitrary SQL commands via the es_id parameter.
133 CVE-2008-4141 94 1 Exec Code File Inclusion 2008-09-24 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
Multiple PHP remote file inclusion vulnerabilities in x10Media x10 Automatic MP3 Script 1.5.5 allow remote attackers to execute arbitrary PHP code via a URL in the web_root parameter to (1) includes/function_core.php and (2) templates/layout_lyrics.php.
134 CVE-2008-4140 79 XSS 2008-09-24 2018-10-11
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in admin.php in Quick.Cart 3.1 allows remote attackers to inject arbitrary web script or HTML via the query string.
135 CVE-2008-4139 79 XSS 2008-09-24 2018-10-11
2.6
None Remote High Not required None Partial None
Cross-site scripting (XSS) vulnerability in admin.php in OpenSolution Quick.Cms.Lite 2.1 allows remote attackers to inject arbitrary web script or HTML via the query string.
136 CVE-2008-4138 94 Exec Code File Inclusion 2008-09-24 2017-09-29
10.0
None Remote Low Not required Complete Complete Complete
PHP remote file inclusion vulnerability in skin_shop/standard/3_plugin_twindow/twindow_notice.php in TECHNOTE 7 allows remote attackers to execute arbitrary PHP code via a URL in the shop_this_skin_path parameter.
137 CVE-2008-4137 20 Exec Code File Inclusion 2008-09-24 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
PHP remote file inclusion vulnerability in footer.php in PHP-Crawler 0.8 allows remote attackers to execute arbitrary PHP code via a URL in the footer_file parameter.
138 CVE-2008-4136 20 DoS 2008-09-24 2017-09-29
5.0
None Remote Low Not required None None Partial
Michael Roth Software Personal FTP Server (PFT) 6.0f allows remote attackers to cause a denial of service (service crash) via multiple RETR commands, possibly involving long filenames.
139 CVE-2008-4135 399 DoS 2008-09-19 2017-09-29
7.8
None Remote Low Not required None None Complete
Symbian OS S60 3rd edition on the Nokia E90 Communicator 07.40.1.2 Ra-6 and Nseries N82 allows remote attackers to cause a denial of service (device crash) via multiple deauthentication (DeAuth) frames.
140 CVE-2008-4134 94 Exec Code File Inclusion 2008-09-19 2017-09-29
7.5
None Remote Low Not required Partial Partial Partial
PHP remote file inclusion vulnerability in manager/static/view.php in phpRealty 0.03 and earlier, and possibly other versions before 0.05, allows remote attackers to execute arbitrary PHP code via a URL in the INC parameter.
141 CVE-2008-4133 20 Bypass 2008-09-19 2018-10-11
4.3
None Remote Medium Not required None Partial None
The web proxy service on the D-Link DIR-100 with firmware 1.12 and earlier does not properly filter web requests with large URLs, which allows remote attackers to bypass web restriction filters.
142 CVE-2008-4132 119 Exec Code Overflow 2008-09-19 2017-08-08
9.3
None Remote Medium Not required Complete Complete Complete
Stack-based buffer overflow in the VSFlexGrid.VSFlexGridL ActiveX control in ComponentOne VSFlexGrid 7.0.1.151 and 8.0.20072.239 allows remote attackers to execute arbitrary code via a long first argument to the Archive method. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
143 CVE-2008-4131 264 +Priv 2008-09-19 2017-09-29
7.2
None Local Low Not required Complete Complete Complete
Multiple unspecified vulnerabilities in Sun Solaris 8 through 10 allow local users to gain privileges via vectors related to handling of tags with (1) the -t option and (2) the :tag command in the (a) vi, (b) ex, (c) vedit, (d) view, and (e) edit programs.
144 CVE-2008-4130 79 XSS 2008-09-18 2017-08-08
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Gallery 2.x before 2.2.6 allows remote attackers to inject arbitrary web script or HTML via a crafted Flash animation, related to the ability of the animation to "interact with the embedding page."
145 CVE-2008-4129 22 Dir. Trav. 2008-09-18 2017-08-08
4.0
None Remote Low Single system Partial None None
Gallery before 1.5.9, and 2.x before 2.2.6, does not properly handle ZIP archives containing symbolic links, which allows remote authenticated users to conduct directory traversal attacks and read arbitrary files via vectors related to the archive upload (aka zip upload) functionality.
146 CVE-2008-4128 352 Exec Code CSRF 2008-09-18 2022-05-23
9.3
None Remote Medium Not required Complete Complete Complete
Multiple cross-site request forgery (CSRF) vulnerabilities in the HTTP Administration component in Cisco IOS 12.4 on the 871 Integrated Services Router allow remote attackers to execute arbitrary commands via (1) a certain "show privilege" command to the /level/15/exec/- URI, and (2) a certain "alias exec" command to the /level/15/exec/-/configure/http URI. NOTE: some of these details are obtained from third party information.
147 CVE-2008-4127 399 DoS 2008-09-18 2021-07-23
4.3
None Remote Medium Not required None None Partial
Mshtml.dll in Microsoft Internet Explorer 7 Gold 7.0.5730 and 8 Beta 8.0.6001 on Windows XP SP2 allows remote attackers to cause a denial of service (failure of subsequent image rendering) via a crafted PNG file, related to an infinite loop in the CDwnTaskExec::ThreadExec function.
148 CVE-2008-4126 16 2008-09-18 2008-09-19
6.4
None Remote Low Not required None Partial Partial
PyDNS (aka python-dns) before 2.3.1-5 in Debian GNU/Linux does not use random source ports for DNS requests and does not use random transaction IDs for DNS retries, which makes it easier for remote attackers to spoof DNS responses, a different vulnerability than CVE-2008-1447. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-4099.
149 CVE-2008-4125 200 +Info 2008-09-18 2017-08-08
5.0
None Remote Low Not required Partial None None
The search function in phpBB 2.x provides a search_id value that leaks the state of PHP's PRNG, which allows remote attackers to obtain potentially sensitive information, as demonstrated by a cross-application attack against WordPress, a different vulnerability than CVE-2006-0632.
150 CVE-2008-4120 79 XSS 2008-09-29 2018-10-11
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in FlatPress 0.804 allow remote attackers to inject arbitrary web script or HTML via the (1) user or (2) pass parameter to login.php, or the (3) name parameter to contact.php.
Total number of vulnerabilities: 449. Page 3 of 9.
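The Score column on this page is the CVSS v2 base score, and the third line of each entry carries exactly the metrics it is computed from, so every row can be checked arithmetically. The following is an added example, not code from CVEdetails or from any vendor listed above: it implements the published CVSS v2 base-score equations over the page's textual metric values, recomputes a sample of rows copied from the listing, and, for a metric line whose Authentication cell was lost in extraction (CVEdetails pages sometimes render it as "???"), recovers the value that reproduces the published score. The function and constant names (cvss2_base, parse_metric_line, infer_authentication, PAGE_ROWS) are this example's own.

```python
"""Recompute the CVSS v2 base scores shown in a CVEdetails listing.

Added example; not CVEdetails code. Implements the CVSS v2 base equations
over the textual metric columns the table prints (Access Vector, Access
Complexity, Authentication, Conf./Integ./Avail.). PAGE_ROWS is copied from
the listing; everything else is this example's own.
"""
from decimal import Decimal, ROUND_HALF_UP

# Metric weights as defined by the CVSS v2 equations.
ACCESS_VECTOR = {"Local": 0.395, "Adjacent Network": 0.646, "Remote": 1.0}
ACCESS_COMPLEXITY = {"High": 0.35, "Medium": 0.61, "Low": 0.71}
AUTHENTICATION = {"Multiple": 0.45, "Single system": 0.56, "Not required": 0.704}
IMPACT = {"None": 0.0, "Partial": 0.275, "Complete": 0.660}


def _round1(x: float) -> float:
    """CVSS rounds to one decimal, half up; Python's round() is half-even."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def cvss2_base(av: str, ac: str, au: str, c: str, i: str, a: str) -> float:
    """CVSS v2 base score from the six textual metric values."""
    impact = 10.41 * (1 - (1 - IMPACT[c]) * (1 - IMPACT[i]) * (1 - IMPACT[a]))
    exploitability = 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]
    f_impact = 0.0 if impact == 0 else 1.176
    return _round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def parse_metric_line(line: str) -> tuple:
    """Split an entry's third line, e.g.
    'None Remote Low Not required Partial Partial Partial', into
    (AV, AC, Au, C, I, A). The leading token is Gained Access Level, which is
    not a CVSS metric. Two-word values ('Adjacent Network', 'Not required',
    'Single system') are re-joined; an unreadable Au cell such as '???' is
    returned unchanged so the caller can decide what to do with it.
    """
    tokens = line.split()
    c, i, a = tokens[-3:]
    body = tokens[1:-3]
    if body[0] == "Adjacent":
        av, body = "Adjacent Network", body[2:]
    else:
        av, body = body[0], body[1:]
    ac, au = body[0], " ".join(body[1:])
    return av, ac, au, c, i, a


def infer_authentication(line: str, published_score: float) -> list:
    """Authentication values that reproduce the published score for a metric
    line whose Au cell is unreadable. A single candidate means the cell is
    recoverable unambiguously."""
    av, ac, _, c, i, a = parse_metric_line(line)
    return [au for au in AUTHENTICATION
            if cvss2_base(av, ac, au, c, i, a) == published_score]


# (CVE, published score, metric line) copied from the listing above.
PAGE_ROWS = [
    ("CVE-2008-4173", 7.5, "None Remote Low Not required Partial Partial Partial"),
    ("CVE-2008-4170", 5.0, "None Remote Low Not required Partial None None"),
    ("CVE-2008-4168", 4.3, "None Remote Medium Not required None Partial None"),
    ("CVE-2008-4167", 6.4, "None Remote Low Not required None Partial Partial"),
    ("CVE-2008-4164", 2.6, "None Remote High Not required Partial None None"),
    ("CVE-2008-4163", 7.8, "None Remote Low Not required None None Complete"),
    ("CVE-2008-4161", 6.8, "None Remote Medium Not required Partial Partial Partial"),
    ("CVE-2008-4160", 4.7, "None Local Medium Not required None None Complete"),
    ("CVE-2008-4138", 10.0, "None Remote Low Not required Complete Complete Complete"),
    ("CVE-2008-4132", 9.3, "None Remote Medium Not required Complete Complete Complete"),
    ("CVE-2008-4131", 7.2, "None Local Low Not required Complete Complete Complete"),
]


def check_rows(rows=PAGE_ROWS) -> dict:
    """Return {CVE: recomputed score} for every row whose published score does
    not match its metric line; an empty dict means the table is consistent."""
    mismatches = {}
    for cve, published, line in rows:
        recomputed = cvss2_base(*parse_metric_line(line))
        if recomputed != published:
            mismatches[cve] = recomputed
    return mismatches


if __name__ == "__main__":
    print("mismatches:", check_rows())
    # CVE-2008-4165 is listed with score 4.0 and Remote/Low/Partial/None/None;
    # only one Authentication value yields 4.0 for those metrics.
    print("CVE-2008-4165 Au:", infer_authentication(
        "None Remote Low ??? Partial None None", 4.0))
```

Two points worth noting from running it: the half-up rounding matters (several rows land within 0.05 of a boundary, e.g. 4.958 for 5.0), and the Authentication column is fully determined by the score once the other five metrics are known, which is why a Remote/Low row with a single Partial impact scoring 4.0 rather than 5.0 can only be Single system.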