| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2008-2041 |
94 |
|
|
2008-04-30 |
2008-11-15 |
10.0 |
Admin |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
Multiple unspecified vulnerabilities in eGroupWare before 1.4.004 have unspecified attack vectors and "grave" impact when the web server has write access to a directory under the web document root. |
|
2 |
CVE-2008-2040 |
119 |
|
DoS Exec Code Overflow |
2008-04-30 |
2008-09-10 |
7.5 |
User |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Stack-based buffer overflow in the HTTP::getAuthUserPass function (core/common/http.cpp) in Peercast 0.1218 and gnome-peercast allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a Basic Authentication string with a long (1) username or (2) password. |
|
3 |
CVE-2008-2038 |
89 |
|
Exec Code Sql |
2008-04-30 |
2008-11-05 |
6.5 |
User |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
Multiple SQL injection vulnerabilities in admin/adminindex.php in Turnkey Web Tools SunShop Shopping Cart 4.1.0 allow remote authenticated administrators to execute arbitrary SQL commands via the (1) orderby and (2) sort parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. |
|
4 |
CVE-2008-2037 |
79 |
|
XSS |
2008-04-30 |
2012-10-29 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in EditeurScripts EsContacts 1.0 allow remote authenticated users to inject arbitrary web script or HTML via the msg parameter to (1) login.php, (2) importer.php, (3) add_groupe.php, (4) contacts.php, (5) groupes.php, and (6) search.php. |
|
5 |
CVE-2008-2036 |
89 |
1
|
Exec Code Sql |
2008-04-30 |
2009-01-29 |
7.5 |
User |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in index.php in dream4 Koobi Pro 6.25 allows remote attackers to execute arbitrary SQL commands via the poll_id parameter in a poll action. |
|
6 |
CVE-2008-2035 |
79 |
|
XSS |
2008-04-30 |
2008-09-05 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Bluemoon, Inc. (1) BackPack 0.91 and earlier, (2) BmSurvey 0.84 and earlier, (3) newbb_fileup 1.83 and earlier, (4) News_embed (news_fileup) 1.44 and earlier, and (5) PopnupBlog 3.19 and earlier modules for XOOPS 2.0.x, XOOPS Cube 2.1, and ImpressCMS allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
|
7 |
CVE-2008-2034 |
89 |
|
Exec Code Sql |
2008-04-30 |
2008-09-05 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in wp-download_monitor/download.php in the Download Monitor 2.0.6 plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. |
|
8 |
CVE-2008-2032 |
20 |
|
DoS |
2008-04-30 |
2008-09-05 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The FTP service in Acritum Femitter Server 1.03 allows remote attackers to cause a denial of service (crash) by sending multiple crafted RETR commands. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. |
|
9 |
CVE-2008-2031 |
20 |
|
DoS |
2008-04-30 |
2008-09-05 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
VicFTPS 5.0 allows remote attackers to cause a denial of service (crash) via a crafted LIST command, which triggers a NULL pointer dereference. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. |
|
10 |
CVE-2008-2030 |
79 |
|
XSS |
2008-04-30 |
2008-09-05 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in installControl.php3 in F5 FirePass 4100 SSL VPN 5.4.2-5.5.2 and 6.0-6.2 allows remote attackers to inject arbitrary web script or HTML via the query string. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. |
|
11 |
CVE-2008-2029 |
89 |
1
|
Exec Code Sql |
2008-04-30 |
2008-10-30 |
6.8 |
User |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Multiple SQL injection vulnerabilities in (1) setup_mysql.php and (2) setup_options.php in miniBB 2.2 and possibly earlier, when register_globals is enabled, allow remote attackers to execute arbitrary SQL commands via the xtr parameter in a userinfo action to index.php. |
|
12 |
CVE-2008-2028 |
200 |
1
|
+Info |
2008-04-30 |
2008-09-05 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
miniBB 2.2, and possibly earlier, when register_globals is enabled, allows remote attackers to obtain the full path via a direct request to the glang parameter in a registernew action to index.php, which leaks the path in an error message. |
|
13 |
CVE-2008-2027 |
200 |
|
+Info |
2008-04-30 |
2009-04-08 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Open redirect vulnerability in WebID/IISWebAgentIF.dll in RSA Authentication Agent 5.3.0.258 for Web for IIS, when accessed via certain browsers such as Mozilla Firefox, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via an ftp URL in the url parameter to a Redirect action. |
|
14 |
CVE-2008-2026 |
79 |
|
XSS |
2008-04-30 |
2009-01-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in WebID/IISWebAgentIF.dll in RSA Authentication Agent 5.3.0.258, and other versions before 5.3.3.378, allows remote attackers to inject arbitrary web script or HTML via a URL-encoded postdata parameter. NOTE: this is different than CVE-2005-1118, but it might be the same as CVE-2008-1470. |
|
15 |
CVE-2008-2024 |
79 |
1
|
XSS |
2008-04-30 |
2008-09-05 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in index.php in miniBB 2.2, and possibly earlier, when register_globals is enabled, allows remote attackers to inject arbitrary web script or HTML via the glang[] parameter in a registernew action. |
|
16 |
CVE-2008-2023 |
89 |
1
|
Exec Code Sql |
2008-04-30 |
2008-09-05 |
7.5 |
User |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Multiple SQL injection vulnerabilities in PD9 Software MegaBBS 2.2 allow remote attackers to execute arbitrary SQL commands via the (1) invisible and (2) timeoffset parameters to profile/controlpanel.asp and the (3) attachmentid parameter to forums/attach-file.asp. |
|
17 |
CVE-2008-2022 |
79 |
1
|
XSS |
2008-04-30 |
2008-09-05 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Mulatiple cross-site scripting (XSS) vulnerabilities in PD9 Software MegaBBS 2.2 allow remote attackers to inject arbitrary web script or HTML via the (1) toid parameter to send-private-message.asp and the (2) redirect parameter to admin/impersonate.asp. NOTE: vector 2 requires authentication. |
|
18 |
CVE-2008-2021 |
119 |
|
Exec Code Overflow |
2008-04-30 |
2008-09-05 |
7.5 |
User |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Heap-based buffer overflow in Lhaplus before 1.57 allows remote attackers to execute arbitrary code via a long comment field in a ZOO archive. |
|
19 |
CVE-2008-2020 |
264 |
|
|
2008-04-29 |
2009-01-29 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The CAPTCHA implementation as used in (1) Francisco Burzi PHP-Nuke 7.0 and 8.1, (2) my123tkShop e-Commerce-Suite (aka 123tkShop) 0.9.1, (3) phpMyBitTorrent 1.2.2, (4) TorrentFlux 2.3, (5) e107 0.7.11, (6) WebZE 0.5.9, (7) Open Media Collectors Database (aka OpenDb) 1.5.0b4, and (8) Labgab 1.1 uses a code_bg.jpg background image and the PHP ImageString function in a way that produces an insufficient number of different images, which allows remote attackers to pass the CAPTCHA test via an automated attack using a table of all possible image checksums and their corresponding digit strings. |
|
20 |
CVE-2008-2019 |
264 |
|
|
2008-04-29 |
2009-01-29 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Simple Machines Forum (SMF), probably 1.1.4, relies on "randomly generated static" to hinder brute-force attacks on the WAV file (aka audio) CAPTCHA, which allows remote attackers to pass the CAPTCHA test via an automated attack that considers Hamming distances. NOTE: this issue reportedly exists because of an insufficient fix for CVE-2007-3308. |
|
21 |
CVE-2008-2018 |
200 |
1
|
+Info |
2008-04-29 |
2008-09-05 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
The AssignUser function in template.class.php in PHPizabi 0.848b C1 HFP3 performs unsafe macro expansions on strings delimited by '{' and '}' characters, which allows remote authenticated users to obtain sensitive information via a comment containing a macro, as demonstrated by a "{user.password}" comment in the profile of the admin user. |
|
22 |
CVE-2008-2017 |
22 |
|
Dir. Trav. |
2008-04-29 |
2009-01-29 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Directory traversal vulnerability in Chilek Content Management System (aka ChiCoMaS) 2.0.4 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the operation parameter to the default URI under install/. |
|
23 |
CVE-2008-2016 |
94 |
|
Exec Code Dir. Trav. File Inclusion |
2008-04-29 |
2009-01-29 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
PHP remote file inclusion vulnerability in Chilek Content Management System (aka ChiCoMaS) 2.0.4 allows remote attackers to execute arbitrary PHP code via a URL in the lang parameter to the default URI under install/. NOTE: this can also be leveraged to include and execute arbitrary local files via directory traversal sequences. |
|
24 |
CVE-2008-2015 |
22 |
1
|
Exec Code Dir. Trav. |
2008-04-29 |
2008-09-05 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
Multiple absolute path traversal vulnerabilities in certain ActiveX controls in WatchFire AppScan 7.0 allow remote attackers to create or overwrite arbitrary files via a full pathname in the argument to the (1) CompactSave and (2) SaveSession method in one control, and the (3) saveRecordedExploreToFile method in a different control. NOTE: this can be leveraged for code execution by writing to a Startup folder. |
|
25 |
CVE-2008-2014 |
399 |
|
DoS |
2008-04-29 |
2009-01-29 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Mozilla Firefox 3.0 beta 5 allows remote attackers to cause a denial of service (application crash) via JavaScript code that calls document.write in an infinite loop. |
|
26 |
CVE-2008-2013 |
89 |
1
|
Exec Code Sql |
2008-04-29 |
2008-10-16 |
6.8 |
User |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in index.php in the pnFlashGames 1.5 through 2.5 module for PostNuke, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the id parameter in a display action. |
|
27 |
CVE-2008-2012 |
89 |
1
|
Exec Code Sql |
2008-04-29 |
2008-09-05 |
7.5 |
User |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in index.php in the PostSchedule 1.0 module for PostNuke allows remote attackers to execute arbitrary SQL commands via the eid parameter in an event action. |
|
28 |
CVE-2008-2011 |
79 |
|
Exec Code XSS |
2008-04-29 |
2008-09-05 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the National Rail Enquiries Live Departure Boards gadget before 1.1 allows remote National Rail Enquiries servers or man-in-the-middle attackers to inject arbitrary web script or HTML, and execute arbitrary code, via a response body, as demonstrated by a SCRIPT element that references a vbscript: URI. |
|
29 |
CVE-2008-2010 |
|
|
Exec Code |
2008-04-29 |
2010-03-10 |
9.3 |
Admin |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
Unspecified vulnerability in Apple QuickTime Player on Windows XP SP2 and Vista SP1 allows remote attackers to execute arbitrary code via a crafted QuickTime media file. NOTE: as of 20080429, the only disclosure is a vague pre-advisory with no actionable information. However, because it is from a well-known researcher, it is being assigned a CVE identifier for tracking purposes. |
|
30 |
CVE-2008-2008 |
119 |
|
DoS Exec Code Overflow |
2008-04-29 |
2009-01-29 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
Buffer overflow in the Display Names message feature in Cerulean Studios Trillian Basic and Pro 3.1.9.0 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a long nickname in an MSN protocol message. |
|
31 |
CVE-2008-2003 |
264 |
|
DoS Exec Code |
2008-04-28 |
2009-01-29 |
7.5 |
User |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
BadBlue 2.72 Personal Edition stores multiple programs in the web document root with insufficient access control, which allows remote attackers to (1) cause a denial of service via multiple invocations of uninst.exe, and have an unknown impact via (2) badblue.exe and (3) dyndns.exe. NOTE: this can be leveraged for arbitrary remote code execution in conjunction with CVE-2007-6378. |
|
32 |
CVE-2008-2002 |
352 |
|
DoS CSRF |
2008-04-28 |
2009-01-29 |
7.8 |
None |
Remote |
Medium |
Not required |
None |
Partial |
Complete |
|
Multiple cross-site request forgery (CSRF) vulnerabilities on Motorola Surfboard with software SB5100-2.3.3.0-SCM00-NOSH allow remote attackers to (1) cause a denial of service (device reboot) via the "Restart Cable Modem" value in the BUTTON_INPUT parameter to configdata.html, and (2) cause a denial of service (hard reset) via the "Reset All Defaults" value in the BUTTON_INPUT parameter to configdata.html. |
|
33 |
CVE-2008-2001 |
119 |
|
DoS Overflow |
2008-04-28 |
2009-01-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
Apple Safari 3.1.1 allows remote attackers to cause a denial of service (application crash) via a file:///%E2 link that triggers an out-of-bounds access, possibly due to a NULL pointer dereference. |
|
34 |
CVE-2008-2000 |
399 |
|
DoS |
2008-04-28 |
2009-01-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
Unspecified vulnerability in Apple Safari 3.1.1 allows remote attackers to cause a denial of service (application crash) via JavaScript code that calls document.write in an infinite loop. |
|
35 |
CVE-2008-1999 |
|
|
|
2008-04-28 |
2009-01-29 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Apple Safari 3.1.1 allows remote attackers to spoof the address bar by placing many "invisible" characters in the userinfo subcomponent of the authority component of the URL (aka the user field), as demonstrated by %E3%80%80 sequences. |
|
36 |
CVE-2008-1998 |
|
|
|
2008-04-28 |
2012-10-30 |
8.5 |
None |
Remote |
Medium |
Single system |
Complete |
Complete |
Complete |
|
The NNSTAT (aka SYSPROC.NNSTAT) procedure in IBM DB2 8 before FP16, 9.1 before FP4a, and 9.5 before FP1 on Windows allows remote authenticated users to overwrite arbitrary files via the log file parameter. |
|
37 |
CVE-2008-1997 |
94 |
|
Exec Code |
2008-04-28 |
2009-01-29 |
9.0 |
Admin |
Remote |
Low |
Single system |
Complete |
Complete |
Complete |
|
Unspecified vulnerability in the ADMIN_SP_C2 procedure in IBM DB2 8 before FP16, 9.1 before FP4a, and 9.5 before FP1 allows remote authenticated users to execute arbitrary code via unknown vectors. NOTE: the ADMIN_SP_C issue is already covered by CVE-2008-0699. |
|
38 |
CVE-2008-1996 |
399 |
|
DoS |
2008-04-28 |
2012-10-30 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
licq before 1.3.6 allows remote attackers to cause a denial of service (file-descriptor exhaustion and application crash) via a large number of connections. |
|
39 |
CVE-2008-1995 |
264 |
|
Bypass |
2008-04-28 |
2008-09-05 |
7.5 |
User |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Sun Java System Directory Proxy Server 6.0, 6.1, and 6.2 classifies a connection using the "bind-dn" criteria, which can cause an incorrect application of policy and allows remote attackers to bypass intended access restrictions for the server. |
|
40 |
CVE-2008-1994 |
119 |
|
Exec Code Overflow |
2008-04-27 |
2008-09-05 |
7.2 |
Admin |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
Multiple stack-based buffer overflows in (a) acon.c, (b) menu.c, and (c) child.c in Acon 1.0.5-5 through 1.0.5-7 allow local users to execute arbitrary code via (1) a long HOME environment variable or (2) a large number of terminal columns. |
|
41 |
CVE-2008-1993 |
264 |
1
|
|
2008-04-27 |
2009-01-29 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Acidcat CMS 3.4.1 does not restrict access to the FCKEditor component, which allows remote attackers to upload arbitrary files. |
|
42 |
CVE-2008-1992 |
264 |
1
|
Bypass |
2008-04-27 |
2009-01-29 |
7.5 |
User |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Acidcat CMS 3.4.1 does not properly restrict access to (1) default_mail_aspemail.asp, (2) default_mail_cdosys.asp or (3) default_mail_jmail.asp, which allows remote attackers to bypass restrictions and relay email messages with modified From, FromName, and To fields. |
|
43 |
CVE-2008-1991 |
79 |
1
|
XSS |
2008-04-27 |
2009-01-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in admin_colors_swatch.asp in Acidcat CMS 3.4.1 allows remote attackers to inject arbitrary web script or HTML via the field parameter. |
|
44 |
CVE-2008-1990 |
89 |
1
|
Exec Code Sql |
2008-04-27 |
2009-01-29 |
7.5 |
User |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Multiple SQL injection vulnerabilities in Acidcat CMS 3.4.1 allow remote attackers to execute arbitrary SQL commands via the (1) cID parameter to default.asp and the (2) username parameter to main_login2.asp. |
|
45 |
CVE-2008-1989 |
94 |
1
|
Exec Code File Inclusion |
2008-04-27 |
2008-09-05 |
10.0 |
Admin |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
PHP remote file inclusion vulnerability in 123flashchat.php in the 123 Flash Chat 6.8.0 module for e107, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the e107path parameter. |
|
46 |
CVE-2008-1988 |
20 |
|
|
2008-04-27 |
2012-10-29 |
9.0 |
Admin |
Remote |
Low |
Single system |
Complete |
Complete |
Complete |
|
Unrestricted file upload vulnerability in the file_upload function in core/misc.class.php in EncapsGallery 2.0.2 allows remote authenticated administrators to upload and execute arbitrary PHP files by uploading a file with an executable extension, then accessing it via a direct request to the file in the rwx_gallery directory. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. |
|
47 |
CVE-2008-1987 |
79 |
|
XSS |
2008-04-27 |
2012-10-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in search.php in EncapsGallery 2.0.2 allows remote attackers to inject arbitrary web script or HTML via the search parameter. |
|
48 |
CVE-2008-1986 |
79 |
|
XSS |
2008-04-27 |
2008-09-05 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in liste_article.php in Blog Pixel Motion (aka PixelMotion) allows remote attackers to inject arbitrary web script or HTML via the jours parameter. |
|
49 |
CVE-2008-1985 |
79 |
|
XSS |
2008-04-27 |
2008-09-05 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in base.php in DigitalHive 2.0 RC2 allows remote attackers to inject arbitrary web script or HTML via the mt parameter, possibly related to membres.php. |
|
50 |
CVE-2008-1984 |
399 |
|
DoS |
2008-04-27 |
2008-09-05 |
7.8 |
None |
Remote |
Low |
Not required |
None |
None |
Complete |
|
The eTrust Common Services (Transport) Daemon (eCSqdmn) in CA Secure Content Manager 8.0.28000.511 and earlier allows remote attackers to cause a denial of service (crash or CPU consumption) via a malformed packet to TCP port 1882. |
