Security Vulnerabilities, CVEs, Published In April 2010 (Gain Privilege)
Moodle 1.8.x and 1.9.x before 1.9.8 does not enable the "Regenerate session id during login" setting by default, which makes it easier for remote attackers to conduct session fixation attacks.
Max CVSS
6.8
EPSS Score
0.76%
Published
2010-04-29
Updated
2020-12-01
Support Incident Tracker before 3.51, when using LDAP authentication with anonymous binds, allows remote attackers to bypass authentication via an empty password.
Max CVSS
6.8
EPSS Score
1.71%
Published
2010-04-28
Updated
2017-08-17
The memory-management implementation in the Virtual Machine Monitor (aka VMM or hypervisor) in Microsoft Virtual PC 2007 Gold and SP1, Virtual Server 2005 Gold and R2 SP1, and Windows Virtual PC does not properly restrict access from the guest OS to memory locations in the VMM work area, which allows context-dependent attackers to bypass certain anti-exploitation protection mechanisms on the guest OS via crafted input to a vulnerable application. NOTE: the vendor reportedly found that only systems with an otherwise vulnerable application are affected, because "the memory areas accessible from the guest cannot be leveraged to achieve either remote code execution or elevation of privilege and ... no data from the host is exposed to the guest OS."
Max CVSS
9.3
EPSS Score
11.37%
Published
2010-04-01
Updated
2018-10-10
CA XOsoft r12.5 does not properly perform authentication, which allows remote attackers to obtain potentially sensitive information via a SOAP request.
Max CVSS
5.0
EPSS Score
0.36%
Published
2010-04-07
Updated
2018-10-10
CA XOsoft r12.0 and r12.5 does not properly perform authentication, which allows remote attackers to enumerate usernames via a SOAP request.
Max CVSS
5.0
EPSS Score
0.36%
Published
2010-04-07
Updated
2018-10-10
aMSN (aka Alvaro's Messenger) 0.98.3 and earlier, when SSL is used, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) field or a Subject Alternative Name field of the X.509 certificate, which allows man-in-the-middle attackers to spoof an MSN server via an arbitrary certificate.
Max CVSS
5.8
EPSS Score
0.33%
Published
2010-04-20
Updated
2010-05-14
Unspecified vulnerability in OpenX 2.8.1 and 2.8.2 allows remote attackers to bypass authentication and obtain access to an Administrator account via unknown vectors, possibly related to www/admin/install.php, www/admin/install-plugins.php, and other www/admin/ files.
Max CVSS
7.5
EPSS Score
0.45%
Published
2010-04-27
Updated
2010-07-30
The D-Link DIR-615 with firmware 3.10NA does not require administrative authentication for apply.cgi, which allows remote attackers to (1) change the admin password via the admin_password parameter, (2) disable the security requirement for the Wi-Fi network via unspecified vectors, or (3) modify DNS settings via unspecified vectors.
Max CVSS
5.0
EPSS Score
0.25%
Published
2010-04-27
Updated
2010-04-28
admin.php in Graugon PHP Article Publisher 1.0 allows remote attackers to bypass authentication and obtain administrative access by setting the g_admin cookie to 1.
Max CVSS
7.5
EPSS Score
1.00%
Published
2010-04-23
Updated
2017-09-19
admin/save_user.asp in Digital Interchange Document Library 1.0.1 does not require administrative authentication, which allows remote attackers to read or modify the administrator's credentials via unspecified vectors. NOTE: some of these details are obtained from third party information.
Max CVSS
7.5
EPSS Score
0.87%
Published
2010-04-23
Updated
2017-09-19
EZ-Blog Beta 1 does not require authentication, which allows remote attackers to create or delete arbitrary posts via requests to PHP scripts.
Max CVSS
7.5
EPSS Score
0.54%
Published
2010-04-23
Updated
2018-10-10
CVE-2009-2936
Public exploit
** DISPUTED ** The Command Line Interface (aka Server CLI or administration interface) in the master process in the reverse proxy server in Varnish before 2.1.0 does not require authentication for commands received through a TCP port, which allows remote attackers to (1) execute arbitrary code via a vcl.inline directive that provides a VCL configuration file containing inline C code; (2) change the ownership of the master process via param.set, stop, and start directives; (3) read the initial line of an arbitrary file via a vcl.load directive; or (4) conduct cross-site request forgery (CSRF) attacks that leverage a victim's location on a trusted network and improper input validation of directives. NOTE: the vendor disputes this report, saying that it is "fundamentally misguided and pointless."
Max CVSS
7.5
EPSS Score
51.79%
Published
2010-04-05
Updated
2018-10-10
12 vulnerabilities found