| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 251 | CVE-2008-3952 | 89 | | Exec Code Sql | 2008-09-11 | 2017-09-29 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | SQL injection vulnerability in questions.php in EsFaq 2.0 allows remote attackers to execute arbitrary SQL commands via the idcat parameter. |
| 252 | CVE-2008-3951 | 89 | | Exec Code Sql | 2008-09-11 | 2017-09-29 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | SQL injection vulnerability in view_ann.php in Vastal I-Tech Agent Zone (aka The Real Estate Script) allows remote attackers to execute arbitrary SQL commands via the ann_id parameter. |
| 253 | CVE-2008-3950 | 189 | | DoS | 2008-09-16 | 2018-10-11 | 5.0 | None | Remote | Low | Not required | None | None | Partial | Off-by-one error in the _web_drawInRect:withFont:ellipsis:alignment:measureOnly function in WebKit in Safari in Apple iPhone 1.1.4 and 2.0 and iPod touch 1.1.4 and 2.0 allows remote attackers to cause a denial of service (browser crash) via a JavaScript alert call with an argument that lacks breakable characters and has a length that is a multiple of the memory page size, leading to an out-of-bounds read. |
| 254 | CVE-2008-3949 | 94 | | Exec Code | 2008-09-22 | 2017-08-08 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete | emacs/lisp/progmodes/python.el in Emacs 22.1 and 22.2 imports Python script from the current working directory during editing of a Python file, which allows local users to execute arbitrary code via a Trojan horse Python file. |
| 255 | CVE-2008-3948 | 89 | | Exec Code Sql | 2008-09-05 | 2018-10-11 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | SQL injection vulnerability in admin/users/self-2.php in XRMS allows remote attackers to execute arbitrary SQL commands and modify name and email fields via unspecified vectors. |
| 256 | CVE-2008-3947 | 20 | | +Priv | 2008-09-05 | 2017-08-08 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete | DCL (aka the CLI) in OpenVMS Alpha 8.3 allows local users to gain privileges via a long command line. |
| 257 | CVE-2008-3946 | 59 | | | 2008-09-05 | 2017-08-08 | 4.9 | None | Local | Low | Not required | Complete | None | None | The finger client in HP TCP/IP Services for OpenVMS 5.x allows local users to read arbitrary files via a link corresponding to a (1) .plan or (2) .project file. |
| 258 | CVE-2008-3945 | 89 | | Exec Code Sql | 2008-09-05 | 2017-09-29 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | SQL injection vulnerability in index.php in Words tag 1.2 allows remote attackers to execute arbitrary SQL commands via the word parameter in a claim action. |
| 259 | CVE-2008-3944 | 89 | | Exec Code Sql | 2008-09-05 | 2017-09-29 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | SQL injection vulnerability in index.php in ACG-PTP 1.0.6 allows remote attackers to execute arbitrary SQL commands via the adid parameter in an adorder action. |
| 260 | CVE-2008-3943 | 89 | | Exec Code Sql | 2008-09-05 | 2017-09-29 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | SQL injection vulnerability in listtest.php in eZoneScripts Living Local 1.1 allows remote attackers to execute arbitrary SQL commands via the r parameter. |
| 261 | CVE-2008-3942 | 89 | 1 | Exec Code Sql | 2008-09-05 | 2017-08-08 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | SQL injection vulnerability in landsee.php in Full PHP Emlak Script allows remote attackers to execute arbitrary SQL commands via the id parameter. |
| 262 | CVE-2008-3941 | 79 | | XSS | 2008-09-05 | 2009-01-29 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in BizDirectory 2.04 and earlier allows remote attackers to inject arbitrary web script or HTML via the page parameter in a search action to the default URI. |
| 263 | CVE-2008-3940 | 134 | | +Priv | 2008-09-05 | 2017-08-08 | 4.4 | None | Local | Medium | Not required | Partial | Partial | Partial | Format string vulnerability in the finger client in HP TCP/IP Services for OpenVMS 5.x allows local users to gain privileges via format string specifiers in a (1) .plan or (2) .project file. |
| 264 | CVE-2008-3939 | 22 | | Dir. Trav. | 2008-09-05 | 2008-09-05 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Directory traversal vulnerability in the web interface in AVTECH PageR Enterprise before 5.0.7 allows remote attackers to read arbitrary files via directory traversal sequences in the URI. |
| 265 | CVE-2008-3938 | 352 | | CSRF | 2008-09-05 | 2008-09-05 | 5.8 | None | Remote | Medium | Not required | None | Partial | Partial | Cross-site request forgery (CSRF) vulnerability in user_admin.php in Open Media Collectors Database (OpenDb) 1.0.6 allows remote attackers to change arbitrary passwords via an update_password action. |
| 266 | CVE-2008-3937 | 79 | | XSS | 2008-09-05 | 2008-09-05 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in Open Media Collectors Database (OpenDb) 1.0.6 allow remote attackers to inject arbitrary web script or HTML via the (1) user_id parameter in an edit action to user_admin.php, the (2) title parameter to listings.php, and the (3) redirect_url parameter to user_profile.php. |
| 267 | CVE-2008-3936 | 20 | | DoS | 2008-09-05 | 2018-10-11 | 7.8 | None | Remote | Low | Not required | None | None | Complete | The web interface in Dreambox DM500C allows remote attackers to cause a denial of service (application hang) via a long URI. |
| 268 | CVE-2008-3935 | 79 | | XSS | 2008-09-05 | 2008-09-05 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in DIC shop_v50 3.0 and earlier and shop_v52 2.0 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 269 | CVE-2008-3934 | 20 | | DoS | 2008-09-04 | 2018-10-11 | 3.3 | None | Local Network | Low | Not required | None | None | Partial | Unspecified vulnerability in Wireshark (formerly Ethereal) 0.99.6 through 1.0.2 allows attackers to cause a denial of service (crash) via a crafted Tektronix .rf5 file. |
| 270 | CVE-2008-3933 | 20 | | DoS | 2008-09-04 | 2018-10-11 | 3.3 | None | Local Network | Low | Not required | None | None | Partial | Wireshark (formerly Ethereal) 0.10.14 through 1.0.2 allows attackers to cause a denial of service (crash) via a packet with crafted zlib-compressed data that triggers an invalid read in the tvb_uncompress function. |
| 271 | CVE-2008-3932 | 20 | | DoS | 2008-09-04 | 2018-10-11 | 5.0 | None | Remote | Low | Not required | None | None | Partial | Wireshark (formerly Ethereal) 0.9.7 through 1.0.2 allows attackers to cause a denial of service (hang) via a crafted NCP packet that triggers an infinite loop. |
| 272 | CVE-2008-3931 | 59 | | | 2008-09-04 | 2017-08-08 | 6.9 | None | Local | Medium | Not required | Complete | Complete | Complete | javareconf in R 2.7.2 allows local users to overwrite arbitrary files via a symlink attack on temporary files. |
| 273 | CVE-2008-3930 | 59 | | | 2008-09-04 | 2017-08-08 | 6.9 | None | Local | Medium | Not required | Complete | Complete | Complete | migrate_aliases.sh in Citadel Server 7.37 allows local users to overwrite arbitrary files via a symlink attack on a temporary file. |
| 274 | CVE-2008-3929 | 59 | | | 2008-09-04 | 2017-08-08 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete | gather-messages.sh in Ampache 3.4.1 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/filelist temporary file. |
| 275 | CVE-2008-3928 | 59 | | | 2008-09-04 | 2017-08-08 | 6.9 | None | Local | Medium | Not required | Complete | Complete | Complete | test.sh in Honeyd 1.5c might allow local users to overwrite arbitrary files via a symlink attack on a temporary file. |
| 276 | CVE-2008-3927 | 59 | | | 2008-09-04 | 2017-08-08 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete | genmsgidx in Tiger 3.2.2 allows local users to overwrite or delete arbitrary files via a symlink attack on temporary files. |
| 277 | CVE-2008-3926 | 22 | | Dir. Trav. | 2008-09-04 | 2017-09-29 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | Multiple directory traversal vulnerabilities in Content Management Made Easy (CMME) 1.12 allow remote attackers to (1) read arbitrary files via a .. (dot dot) in the env parameter in a weblog action to index.php, or (2) create arbitrary directories via a .. (dot dot) in the env parameter in a login action to admin.php. |
| 278 | CVE-2008-3925 | 352 | | CSRF | 2008-09-04 | 2017-09-29 | 4.3 | None | Remote | Medium | Not required | None | None | Partial | Cross-site request forgery (CSRF) vulnerability in admin.php in Content Management Made Easy (CMME) 1.12 allows remote attackers to trigger the logout of an administrative user via a logout action. |
| 279 | CVE-2008-3924 | 264 | | | 2008-09-04 | 2017-09-29 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | The "Make a backup" functionality in Content Management Made Easy (CMME) 1.12 stores sensitive information under the web root with insufficient access control, which allows remote attackers to discover (1) account names and (2) password hashes via a direct request for (a) backup/cmme_data.zip or (b) backup/cmme_cmme.zip. NOTE: it was later reported that vector a also affects CMME 1.19. |
| 280 | CVE-2008-3923 | 79 | | XSS | 2008-09-04 | 2017-09-29 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in statistics.php in Content Management Made Easy (CMME) 1.12 allow remote attackers to inject arbitrary web script or HTML via the (1) page and (2) year parameters in an hstat_year action. |
| 281 | CVE-2008-3922 | 94 | 1 | Exec Code | 2008-09-04 | 2018-10-11 | 9.3 | None | Remote | Medium | Not required | Complete | Complete | Complete | awstatstotals.php in AWStats Totals 1.0 through 1.14 allows remote attackers to execute arbitrary code via PHP sequences in the sort parameter, which is used by the multisort function when dynamically creating an anonymous PHP function. |
| 282 | CVE-2008-3921 | 79 | | XSS | 2008-09-04 | 2018-10-11 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in AWStats Totals 1.0 through 1.14 allow remote attackers to inject arbitrary web script or HTML via the (1) month and (2) year parameter. |
| 283 | CVE-2008-3920 | 264 | | | 2008-09-04 | 2017-08-08 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Unspecified vulnerability in BitlBee before 1.2.2 allows remote attackers to "recreate" and "hijack" existing accounts via unspecified vectors. |
| 284 | CVE-2008-3919 | 94 | | Exec Code | 2008-09-04 | 2017-08-08 | 9.3 | None | Remote | Medium | Not required | Complete | Complete | Complete | Unspecified vulnerability in multiple JustSystems Ichitaro products allows remote attackers to execute arbitrary code via a crafted JTD document, as exploited in the wild in August 2008. |
| 285 | CVE-2008-3918 | 89 | | Exec Code Sql | 2008-09-04 | 2017-08-08 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | SQL injection vulnerability in index.php in Ovidentia 6.6.5 allows remote attackers to execute arbitrary SQL commands via the field parameter in a search action. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. |
| 286 | CVE-2008-3917 | 79 | | XSS | 2008-09-04 | 2018-10-11 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in index.php in Ovidentia 6.6.5 allows remote attackers to inject arbitrary web script or HTML via the field parameter in a search action. |
| 287 | CVE-2008-3916 | 119 | | Exec Code Overflow | 2008-09-04 | 2018-10-11 | 9.3 | None | Remote | Medium | Not required | Complete | Complete | Complete | Heap-based buffer overflow in the strip_escapes function in signal.c in GNU ed before 1.0 allows context-dependent or user-assisted attackers to execute arbitrary code via a long filename. NOTE: since ed itself does not typically run with special privileges, this issue only crosses privilege boundaries when ed is invoked as a third-party component. |
| 288 | CVE-2008-3915 | 119 | | Overflow | 2008-09-11 | 2017-08-08 | 9.3 | None | Remote | Medium | Not required | Complete | Complete | Complete | Buffer overflow in nfsd in the Linux kernel before 2.6.26.4, when NFSv4 is enabled, allows remote attackers to have an unknown impact via vectors related to decoding an NFSv4 acl. |
| 289 | CVE-2008-3914 | 200 | | +Info | 2008-09-11 | 2020-11-05 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | Multiple unspecified vulnerabilities in ClamAV before 0.94 have unknown impact and attack vectors related to file descriptor leaks on the "error path" in (1) libclamav/others.c and (2) libclamav/sis.c. |
| 290 | CVE-2008-3913 | 401 | | DoS | 2008-09-11 | 2020-11-10 | 5.0 | None | Remote | Low | Not required | None | None | Partial | Multiple memory leaks in freshclam/manager.c in ClamAV before 0.94 might allow attackers to cause a denial of service (memory consumption) via unspecified vectors related to "error handling logic". |
| 291 | CVE-2008-3912 | 399 | | DoS | 2008-09-11 | 2020-11-09 | 5.0 | None | Remote | Low | Not required | None | None | Partial | libclamav in ClamAV before 0.94 allows attackers to cause a denial of service (NULL pointer dereference and application crash) via vectors related to an out-of-memory condition. |
| 292 | CVE-2008-3911 | 119 | | Overflow | 2008-09-04 | 2017-08-08 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete | The proc_do_xprt function in net/sunrpc/sysctl.c in the Linux kernel 2.6.26.3 does not check the length of a certain buffer obtained from userspace, which allows local users to overflow a stack-based buffer and have unspecified other impact via a crafted read system call for the /proc/sys/sunrpc/transports file. |
| 293 | CVE-2008-3910 | 189 | | | 2008-09-04 | 2017-08-08 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | dns2tcp before 0.4.1 does not properly handle negative values in a certain length field in the input argument to the (1) dns_simple_decode or (2) dns_decode function, which allows remote attackers to overwrite a buffer and have unspecified other impact. |
| 294 | CVE-2008-3909 | 352 | | CSRF | 2008-09-04 | 2011-03-08 | 5.8 | None | Remote | Medium | Not required | None | Partial | Partial | The administration application in Django 0.91, 0.95, and 0.96 stores unauthenticated HTTP POST requests and processes them after successful authentication occurs, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and delete or modify data via unspecified requests. |
| 295 | CVE-2008-3908 | 119 | | Exec Code Overflow | 2008-09-04 | 2018-10-11 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | Multiple buffer overflows in Princeton WordNet (wn) 3.0 allow context-dependent attackers to execute arbitrary code via (1) a long argument on the command line; a long (2) WNSEARCHDIR, (3) WNHOME, or (4) WNDBVERSION environment variable; or (5) a user-supplied dictionary (aka data file). NOTE: since WordNet itself does not run with special privileges, this issue only crosses privilege boundaries when WordNet is invoked as a third party component. |
| 296 | CVE-2008-3907 | 20 | | Exec Code | 2008-09-04 | 2017-08-08 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | The open-in-browser command in newsbeuter before 1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in a feed URL. |
| 297 | CVE-2008-3906 | 20 | | Http R.Spl. | 2008-09-04 | 2018-10-11 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | CRLF injection vulnerability in Sys.Web in Mono 2.0 and earlier allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the query string. |
| 298 | CVE-2008-3905 | 287 | | | 2008-09-04 | 2018-10-03 | 5.8 | None | Remote | Medium | Not required | None | Partial | Partial | resolv.rb in Ruby 1.8.5 and earlier, 1.8.6 before 1.8.6-p287, 1.8.7 before 1.8.7-p72, and 1.9 r18423 and earlier uses sequential transaction IDs and constant source ports for DNS requests, which makes it easier for remote attackers to spoof DNS responses, a different vulnerability than CVE-2008-1447. |
| 299 | CVE-2008-3904 | 20 | | Exec Code | 2008-09-04 | 2017-08-08 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | src/main-win.c in GPicView 0.1.9 in Lightweight X11 Desktop Environment (LXDE) allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a filename. |
| 300 | CVE-2008-3903 | 200 | | +Info | 2008-09-04 | 2017-08-08 | 3.5 | None | Remote | Medium | ??? | Partial | None | None | Asterisk Open Source 1.2.x before 1.2.32, 1.4.x before 1.4.24.1, and 1.6.0.x before 1.6.0.8; Asterisk Business Edition A.x.x, B.x.x before B.2.5.8, C.1.x.x before C.1.10.5, and C.2.x.x before C.2.3.3; s800i 1.3.x before 1.3.0.2; and Trixbox PBX 2.6.1, when Digest authentication and authalwaysreject are enabled, generates different responses depending on whether a SIP username is valid, which allows remote attackers to enumerate valid usernames. |