The Relational Data Services component in IBM DB2 9.5 before FP5 allows attackers to obtain the password argument from the SET ENCRYPTION PASSWORD statement via vectors involving the GET SNAPSHOT FOR DYNAMIC SQL command.
Max CVSS
7.5
EPSS Score
0.53%
Published
2009-12-16
Updated
2010-06-29
The GeckoActiveXObject function in Mozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, and SeaMonkey before 2.0.1, generates different exception messages depending on whether the referenced COM object is listed in the registry, which allows remote attackers to obtain potentially sensitive information about installed software by making multiple calls that specify the ProgID values of different COM objects.
Max CVSS
7.8
EPSS Score
0.57%
Published
2009-12-17
Updated
2017-09-19
Unspecified vulnerability in the Flash Player ActiveX control in Adobe Flash Player before 10.0.42.34 and Adobe AIR before 1.5.3 on Windows allows remote attackers to obtain the names of local files via unknown vectors. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-4820.
Max CVSS
7.1
EPSS Score
0.82%
Published
2009-12-10
Updated
2018-10-30
Multiple unspecified vulnerabilities in the Windows Pluggable Look and Feel (PL&F) feature in the Swing implementation in Sun Java SE 5.0 before Update 22 and 6 before Update 17, and OpenJDK, have unknown impact and remote attack vectors, related to "information leaks in mutable variables," aka Bug Id 6657138.
Max CVSS
7.5
EPSS Score
0.86%
Published
2009-11-09
Updated
2018-10-30
Multiple unspecified vulnerabilities in the Swing implementation in Sun Java SE 5.0 before Update 22 and 6 before Update 17, and OpenJDK, have unknown impact and remote attack vectors, related to "information leaks in mutable variables," aka Bug Id 6657026.
Max CVSS
7.5
EPSS Score
0.86%
Published
2009-11-09
Updated
2018-10-30
Sun Java SE 5.0 before Update 22 and 6 before Update 17, and OpenJDK, does not prevent the existence of children of a resurrected ClassLoader, which allows remote attackers to gain privileges via unspecified vectors, related to an "information leak vulnerability," aka Bug Id 6636650.
Max CVSS
7.5
EPSS Score
1.89%
Published
2009-11-09
Updated
2017-09-19
Multiple unspecified vulnerabilities in HP Performance Insight 5.3 on Windows allow attackers to obtain sensitive information via unknown vectors, as demonstrated by certain modules in VulnDisco Pack Professional 8.11. NOTE: as of 20090903, this disclosure has no actionable information. However, because the VulnDisco Pack author is a reliable researcher, the issue is being assigned a CVE identifier for tracking purposes.
Max CVSS
7.8
EPSS Score
0.21%
Published
2009-09-08
Updated
2020-07-28
The Active Template Library (ATL) in Microsoft Visual Studio .NET 2003 SP1, Visual Studio 2005 SP1 and 2008 Gold and SP1, and Visual C++ 2005 SP1 and 2008 Gold and SP1 does not properly enforce string termination, which allows remote attackers to obtain sensitive information via a crafted HTML document with an ATL (1) component or (2) control that triggers a buffer over-read, related to ATL headers and buffer allocation, aka "ATL Null String Vulnerability."
Max CVSS
7.8
EPSS Score
6.22%
Published
2009-07-29
Updated
2018-10-12
Sun Java SE 5.0 before Update 20 and 6 before Update 15, and OpenJDK, might allow context-dependent attackers to obtain sensitive information via vectors involving static variables that are declared without the final keyword, related to (1) LayoutQueue, (2) Cursor.predefined, (3) AccessibleResourceBundle.getContents, (4) ImageReaderSpi.STANDARD_INPUT_TYPE, (5) ImageWriterSpi.STANDARD_OUTPUT_TYPE, (6) the imageio plugins, (7) DnsContext.debug, (8) RmfFileReader/StandardMidiFileWriter.types, (9) AbstractSaslImpl.logger, (10) Synth.Region.uiToRegionMap/lowerCaseNameMap, (11) the Introspector class and a cache of BeanInfo, and (12) JAX-WS, a different vulnerability than CVE-2009-2673.
Max CVSS
7.8
EPSS Score
0.65%
Published
2009-08-10
Updated
2017-09-19
The Huawei D100 allows remote attackers to obtain sensitive information via a direct request to (1) lan_status_adv.asp, (2) wlan_basic_cfg.asp, or (3) lancfg.asp in en/, related to use of JavaScript to protect against reading file contents.
Max CVSS
7.8
EPSS Score
0.41%
Published
2009-07-01
Updated
2018-10-10
WebKit in Apple Safari before 4.0.3 does not properly restrict the URL scheme of the pluginspage attribute of an EMBED element, which allows user-assisted remote attackers to launch arbitrary file: URLs and obtain sensitive information via a crafted HTML document.
Max CVSS
7.1
EPSS Score
0.44%
Published
2009-08-12
Updated
2011-02-17
import_wbb1.php in Unclassified NewsBoard (UNB) 1.6.4 allows remote attackers to obtain sensitive information via a direct request, which reveals the installation path in an error message.
Max CVSS
7.8
EPSS Score
0.33%
Published
2009-06-05
Updated
2017-09-29
WebKit in Apple Safari before 4.0 allows user-assisted remote attackers to obtain sensitive information via vectors involving drag events and the dragging of content over a crafted web page.
Max CVSS
7.1
EPSS Score
0.43%
Published
2009-06-10
Updated
2011-02-17
The XSLT functionality in WebKit in Apple Safari before 4.0 does not properly implement the document function, which allows remote attackers to read (1) arbitrary local files and (2) files from different security zones via unspecified vectors.
Max CVSS
7.1
EPSS Score
0.65%
Published
2009-06-10
Updated
2017-08-17
WebKit in Apple Safari before 4.0 does not prevent references to file: URLs within (1) audio and (2) video elements, which allows remote attackers to determine the existence of arbitrary files via a crafted HTML document.
Max CVSS
7.1
EPSS Score
0.65%
Published
2009-06-10
Updated
2011-02-17
Argument injection vulnerability in the chromehtml: protocol handler in Google Chrome before 1.0.154.59, when invoked by Internet Explorer, allows remote attackers to determine the existence of files, and open tabs for URLs that do not satisfy the IsWebSafeScheme restriction, via a web page that sets document.location to a chromehtml: value, as demonstrated by use of a (1) javascript: or (2) data: URL. NOTE: this can be leveraged for Universal XSS by exploiting certain behavior involving persistence across page transitions.
Max CVSS
7.8
EPSS Score
0.22%
Published
2009-04-24
Updated
2021-07-23
Microsoft Internet Explorer 5.01 SP4; 6 SP1; 6 and 7 for Windows XP SP2 and SP3; 6 and 7 for Server 2003 SP2; 7 for Vista Gold, SP1, and SP2; and 7 for Server 2008 SP2 does not prevent HTML rendering of cached content, which allows remote attackers to bypass the Same Origin Policy via unspecified vectors, aka "Cross-Domain Information Disclosure Vulnerability."
Max CVSS
7.1
EPSS Score
2.68%
Published
2009-06-10
Updated
2023-12-07
nsIRDFService in Mozilla Firefox before 3.0.7, Thunderbird before 2.0.0.21, and SeaMonkey before 1.1.15 allows remote attackers to bypass the same-origin policy and read XML data from another domain via a cross-domain redirect.
Max CVSS
7.1
EPSS Score
0.72%
Published
2009-03-05
Updated
2018-10-03
Memory leak in the SSLVPN feature in Cisco IOS 12.3 through 12.4 allows remote attackers to cause a denial of service (memory consumption and device crash) by disconnecting an SSL session in an abnormal manner, leading to a Transmission Control Block (TCB) leak.
Max CVSS
9.0
EPSS Score
2.12%
Published
2009-03-27
Updated
2017-09-29
The Servlet Engine/Web Container and JSP components in IBM WebSphere Application Server (WAS) 5.1.0, 5.1.1.19, 6.0.2 before 6.0.2.35, 6.1 before 6.1.0.23, and 7.0 before 7.0.0.3 allow remote attackers to read arbitrary files contained in war files in (1) web-inf, (2) meta-inf, and unspecified other directories via unknown vectors, related to (a) web-based applications and (b) the administrative console.
Max CVSS
7.5
EPSS Score
0.74%
Published
2009-03-16
Updated
2017-08-08
Unspecified vulnerability in IBM WebSphere Application Server (WAS) 6.0.1 on z/OS allows attackers to read arbitrary files via unknown vectors.
Max CVSS
7.8
EPSS Score
0.35%
Published
2009-02-02
Updated
2011-03-08
Unspecified vulnerability in Apple Safari on Mac OS X 10.5 and Windows allows remote attackers to read arbitrary files on a client machine via vectors related to the association of Safari with the (1) feed, (2) feeds, and (3) feedsearch URL types for RSS feeds. NOTE: as of 20090114, the only disclosure is a vague pre-advisory. However, because it is from a well-known researcher, it is being assigned a CVE identifier for tracking purposes.
Max CVSS
7.1
EPSS Score
0.33%
Published
2009-01-15
Updated
2017-08-08
All Club CMS (ACCMS) 0.0.2 and earlier stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain database configuration information, including credentials, via a direct request to accms.dat.
Max CVSS
7.5
EPSS Score
0.76%
Published
2009-08-25
Updated
2017-09-29
mxCamArchive 2.2 stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain configuration details and passwords via a direct request for archive/config.ini.
Max CVSS
7.5
EPSS Score
0.78%
Published
2009-08-12
Updated
2017-09-29
Crysis 1.21 and earlier allows remote attackers to obtain sensitive player information such as real IP addresses by sending a keyexchange packet without a previous join packet, which causes Crysis to send a disconnect packet that includes unrelated log information.
Max CVSS
7.8
EPSS Score
3.00%
Published
2009-04-21
Updated
2017-08-17
28 vulnerabilities found
1 2
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!