CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In 2008(Gain Information)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2008-5721 287 Bypass +Info 2008-12-26 2009-02-26
5.0
None Remote Low Not required Partial None None
SapporoWorks BlackJumboDog (BJD) before 4.2.3 allows remote attackers to bypass authentication and obtain sensitive information via unspecified vectors.
2 CVE-2008-5699 264 +Priv +Info 2008-12-22 2009-01-06
4.6
User Local Low Not required Partial Partial Partial
The name service cache daemon (nscd) in Sun Solaris 10 and OpenSolaris snv_50 through snv_104 does not properly check permissions, which allows local users to gain privileges and obtain sensitive information via unspecified vectors.
3 CVE-2008-5688 200 +Info 2008-12-19 2009-02-18
4.3
None Remote Medium Not required Partial None None
MediaWiki 1.8.1, and other versions before 1.13.3, when the wgShowExceptionDetails variable is enabled, sometimes provides the full installation path in a debugging message, which might allow remote attackers to obtain sensitive information via unspecified requests that trigger an uncaught exception.
4 CVE-2008-5687 264 +Info 2008-12-19 2010-12-28
5.0
None Remote Low Not required Partial None None
MediaWiki 1.11, and other versions before 1.13.3, does not properly protect against the download of backups of deleted images, which might allow remote attackers to obtain sensitive information via requests for files in images/deleted/.
5 CVE-2008-5683 200 +Info 2008-12-19 2012-06-07
7.8
None Remote Low Not required Complete None None
Unspecified vulnerability in Opera before 9.63 allows remote attackers to "reveal random data" via unknown vectors.
6 CVE-2008-5678 20 1 +Info 2008-12-18 2009-01-29
4.0
None Remote Low Single system Partial None None
Fretwell-Downing Informatics (FDI) OLIB7 WebView 2.5.1.1 allows remote authenticated users to obtain sensitive information from files via the infile parameter to the default URI under cgi/, as demonstrated by the (1) get_settings.ini, (2) setup.ini, and (3) text.ini files.
7 CVE-2008-5507 200 Bypass +Info 2008-12-17 2012-10-30
6.0
None Remote Medium Single system Partial Partial Partial
Mozilla Firefox 3.x before 3.0.5 and 2.x before 2.0.0.19, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 allow remote attackers to bypass the same origin policy and access portions of data from another domain via a JavaScript URL that redirects to the target resource, which generates an error if the target data does not have JavaScript syntax, which can be accessed using the window.onerror DOM API.
8 CVE-2008-5498 200 +Info 2008-12-26 2010-08-21
5.0
None Remote Low Not required Partial None None
Array index error in the imageRotate function in PHP 5.2.8 and earlier allows context-dependent attackers to read the contents of arbitrary memory locations via a crafted value of the third argument (aka the bgd_color or clrBack argument) for an indexed image.
9 CVE-2008-5423 200 +Info 2008-12-11 2009-05-14
4.3
None Local Low Single system Partial Partial Partial
Sun Sun Ray Server Software 3.x and 4.0 and Sun Ray Windows Connector 1.1 and 2.0 expose the LDAP password during a configuration step, which allows local users to discover the Sun Ray administration password, and obtain admin access to the Data Store and Administration GUI, via unspecified vectors related to the utconfig component of the Server Software and the uttscadm component of the Windows Connector.
10 CVE-2008-5420 200 +Info 2008-12-10 2009-01-29
7.8
None Remote Low Not required Complete None None
The SAN Manager Master Agent service (aka msragent.exe) in EMC Control Center before 6.1 does not properly authenticate SST_SENDFILE requests, which allows remote attackers to read arbitrary files.
11 CVE-2008-5413 200 +Info 2008-12-09 2011-08-23
5.0
None Remote Low Not required Partial None None
PerfServlet in the PMI/Performance Tools component in IBM WebSphere Application Server (WAS) 7 before 7.0.0.1 allows attackers to obtain sensitive information by reading the (1) systemout.log and (2) ffdc files. NOTE: this is probably a duplicate of CVE-2009-0434.
12 CVE-2008-5411 310 +Info 2008-12-09 2008-12-11
5.0
None Remote Low Not required Partial None None
IBM WebSphere Application Server (WAS) 7 before 7.0.0.1 sends SSL traffic over "unsecured TCP," which makes it easier for remote attackers to obtain sensitive information by sniffing the network.
13 CVE-2008-5350 200 +Info 2008-12-05 2010-08-21
5.0
None Remote Low Not required Partial None None
Unspecified vulnerability in Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier allows untrusted applications and applets to list the contents of the operating user's directory via unknown vectors.
14 CVE-2008-5346 200 +Info 2008-12-05 2013-07-21
7.1
None Remote Medium Not required Complete None None
Unspecified vulnerability in Java Runtime Environment (JRE) for Sun JDK and JRE 5.0 Update 16 and earlier; SDK and JRE 1.4.2_18 and earlier; and SDK and JRE 1.3.1_23 or earlier allows untrusted applets and applications to read arbitrary memory via a crafted ZIP file.
15 CVE-2008-5342 200 +Info 2008-12-05 2010-08-21
5.0
None Remote Low Not required Partial None None
Unspecified vulnerability in the BasicService for Java Web Start (JWS) and Java Plug-in with Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier allows untrusted downloaded applications to cause local files to be displayed in the browser of the user of the untrusted application via unknown vectors, aka 6767668.
16 CVE-2008-5341 200 +Info 2008-12-05 2010-08-21
5.0
None Remote Low Not required Partial None None
Unspecified vulnerability in Java Web Start (JWS) and Java Plug-in with Sun JDK and JRE 6 Update 10 and earlier, and JDK and JRE 5.0 Update 16 and earlier, allows untrusted JWS applications to obtain the pathname of the JWS cache and the application username via unknown vectors, aka CR 6727071.
17 CVE-2008-5328 310 +Info 2008-12-04 2009-06-30
4.6
User Remote High Single system Partial Partial Partial
The ClearQuest Maintenance Tool in IBM Rational ClearQuest before 7 stores the database password in cleartext in an object in a ClearQuest connection profile or export file, which allows remote authenticated users to obtain sensitive information by locating the password object within the object tree during an import process.
18 CVE-2008-5327 255 +Info 2008-12-04 2008-12-05
6.5
User Remote Low Single system Partial Partial Partial
The ClearQuest Maintenance Tool in IBM Rational ClearQuest 7 before 7.1 stores the database password in cleartext in an object in a ClearQuest connection profile or export file, which allows remote authenticated users to obtain sensitive information by locating the password object within the object tree.
19 CVE-2008-5322 200 2 +Info 2008-12-03 2009-02-05
7.8
None Remote Low Not required Complete None None
Wysi Wiki Wyg 1.0 allows remote attackers to obtain system information via an invalid categup parameter to index.php, which calls the phpinfo function.
20 CVE-2008-5279 119 Exec Code Overflow +Info 2008-11-28 2008-12-01
10.0
Admin Remote Low Not required Complete Complete Complete
The Local ZIM Server (zcs.exe) in Zilab Chat and Instant Messaging (ZIM) Server 2.1 and earlier allow remote attackers to execute arbitrary code via (1) heap-based buffer overflows involving multiple vectors including a long room name and a long source account, and (2) a stack-based buffer overflow with a long username in an information request. NOTE: some of these details are obtained from third party information.
21 CVE-2008-5188 255 +Info 2008-11-20 2013-01-22
7.2
None Local Low Not required Complete Complete Complete
The (1) ecryptfs-setup-private, (2) ecryptfs-setup-confidential, and (3) ecryptfs-setup-pam-wrapped.sh scripts in ecryptfs-utils 45 through 61 in eCryptfs place cleartext passwords on command lines, which allows local users to obtain sensitive information by listing the process.
22 CVE-2008-5161 200 +Info 2008-11-19 2014-08-08
2.6
None Remote High Not required Partial None None
Error handling in the SSH protocol in (1) SSH Tectia Client and Server and Connector 4.0 through 4.4.11, 5.0 through 5.2.4, and 5.3 through 5.3.8; Client and Server and ConnectSecure 6.0 through 6.0.4; Server for Linux on IBM System z 6.0.4; Server for IBM z/OS 5.5.1 and earlier, 6.0.0, and 6.0.1; and Client 4.0-J through 4.3.3-J and 4.0-K through 4.3.10-K; and (2) OpenSSH 4.7p1 and possibly other versions, when using a block cipher algorithm in Cipher Block Chaining (CBC) mode, makes it easier for remote attackers to recover certain plaintext data from an arbitrary block of ciphertext in an SSH session via unknown vectors.
23 CVE-2008-5130 264 +Info 2008-11-18 2009-03-07
5.0
None Remote Low Not required Partial None None
Ocean12 Calendar Manager Gold 2.04 stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain sensitive information via a direct request to o12cal.mdb.
24 CVE-2008-5129 264 +Info 2008-11-18 2009-03-03
5.0
None Remote Low Not required Partial None None
Ocean12 Poll Manager Pro 1.00 stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain sensitive information via a direct request to o12poll.mdb.
25 CVE-2008-5128 264 +Info 2008-11-18 2009-03-03
5.0
None Remote Low Not required Partial None None
Ocean12 Membership Manager Pro stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain sensitive information via a direct request to o12member.mdb.
26 CVE-2008-5127 264 1 +Info 2008-11-18 2009-03-04
5.0
None Remote Low Not required Partial None None
Ocean12 Contact Manager Pro 1.02 stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain sensitive information via a direct request to o12con.mdb.
27 CVE-2008-5112 200 +Info 2008-11-17 2009-08-12
5.0
None Remote Low Not required Partial None None
The LDAP server in Active Directory in Microsoft Windows 2000 SP4 and Server 2003 SP1 and SP2 responds differently to a failed bind attempt depending on whether the user account exists and is permitted to login, which allows remote attackers to enumerate valid usernames via a series of LDAP bind requests, as demonstrated by ldapuserenum.
28 CVE-2008-5107 200 +Info 2008-11-17 2008-11-18
1.9
None Local Medium Not required Partial None None
The installation process for Citrix Presentation Server 4.5 and Desktop Server 1.0, when MSI logging is enabled, stores database credentials in MSI log files, which allows local users to obtain these credentials by reading the log files.
29 CVE-2008-5099 200 +Priv Bypass +Info 2008-11-17 2009-08-12
4.6
User Local Low Not required Partial Partial Partial
Sun Logical Domain Manager (aka LDoms Manager or ldm) 1.0 through 1.0.3 displays the value of the OpenBoot PROM (OBP) security-password variable in cleartext, which allows local users to bypass the SPARC firmware's password protection, and gain privileges or obtain data access, via the "ldm ls -l" command, a different vulnerability than CVE-2008-4992.
30 CVE-2008-5096 200 +Info 2008-11-14 2008-11-17
5.0
None Remote Low Not required Partial None None
Unspecified vulnerability in the TYPO3 File List (file_list) extension 0.2.1 and earlier allows remote attackers to obtain sensitive information via unknown attack vectors.
31 CVE-2008-5076 200 +Info 2008-11-14 2012-10-30
4.6
None Local Low Not required Partial Partial Partial
htop 0.7 writes process names to a terminal without sanitizing non-printable characters, which might allow local users to hide processes, modify arbitrary files, or have unspecified other impact via a process name with "crazy control strings."
32 CVE-2008-5012 200 Bypass +Info 2008-11-13 2012-10-30
5.0
None Remote Low Not required Partial None None
Mozilla Firefox 2.x before 2.0.0.18, Thunderbird 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13 do not properly change the source URI when processing a canvas element and an HTTP redirect, which allows remote attackers to bypass the same origin policy and access arbitrary images that are not directly accessible to the attacker. NOTE: this issue can be leveraged to enumerate software on the client by performing redirections related to moz-icon.
33 CVE-2008-4831 264 +Priv Bypass +Info 2008-11-10 2009-01-06
7.2
Admin Local Low Not required Complete Complete Complete
Unspecified vulnerability in Adobe ColdFusion 8 and 8.0.1 and ColdFusion MX 7.0.2 allows local users to bypass sandbox restrictions, and obtain sensitive information or possibly gain privileges, via unknown vectors.
34 CVE-2008-4821 200 +Info 2008-11-10 2012-10-30
4.3
None Remote Medium Not required Partial None None
Adobe Flash Player 9.0.124.0 and earlier, when a Mozilla browser is used, does not properly interpret jar: URLs, which allows attackers to obtain sensitive information via unknown vectors.
35 CVE-2008-4820 200 +Info 2008-11-10 2012-10-30
7.1
None Remote Medium Not required Complete None None
Unspecified vulnerability in the Flash Player ActiveX control in Adobe Flash Player 9.0.124.0 and earlier on Windows allows attackers to obtain sensitive information via unknown vectors.
36 CVE-2008-4808 200 +Info 2008-10-31 2008-11-03
5.0
None Remote Low Not required Partial None None
IBM Lotus Connections 2.x before 2.0.1 allows attackers to discover passwords via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
37 CVE-2008-4807 255 +Info 2008-10-31 2008-11-03
2.1
None Local Low Not required Partial None None
IBM Lotus Connections 2.x before 2.0.1 stores the password for the administrative user in the trace.log file, which allows local users to obtain sensitive information by reading this file. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
38 CVE-2008-4747 200 +Info 2008-10-27 2008-11-15
2.1
None Local Low Not required Partial None None
Unspecified vulnerability in the search feature in Sun Java System LDAP JDK before 4.20 allows context-dependent attackers to obtain sensitive information via unknown attack vectors related to the LDAP JDK library.
39 CVE-2008-4695 200 +Info 2008-10-23 2009-02-26
9.3
None Remote Medium Not required Complete Complete Complete
Opera before 9.60 allows remote attackers to obtain sensitive information and have unspecified other impact by predicting the cache pathname of a cached Java applet and then launching this applet from the cache, leading to applet execution within the local-machine context.
40 CVE-2008-4693 200 +Info 2008-10-22 2009-04-30
5.0
None Remote Low Not required Partial None None
The SORT/LIST SERVICES component in IBM DB2 9.1 before FP6 and 9.5 before FP2 writes sensitive information to the trace output, which allows attackers to obtain sensitive information by reading "PASSWORD-RELATED CONNECTION STRING KEYWORD VALUES."
41 CVE-2008-4688 200 +Info 2008-10-22 2009-02-10
5.0
None Remote Low Not required Partial None None
core/string_api.php in Mantis before 1.1.3 does not check the privileges of the viewer before composing a link with issue data in the source anchor, which allows remote attackers to discover an issue's title and status via a request with a modified issue number.
42 CVE-2008-4677 255 +Info 2008-10-22 2009-04-01
4.3
None Remote Medium Not required Partial None None
autoload/netrw.vim (aka the Netrw Plugin) 109, 131, and other versions before 133k for Vim 7.1.266, other 7.1 versions, and 7.2 stores credentials for an FTP session, and sends those credentials when attempting to establish subsequent FTP sessions to servers on different hosts, which allows remote FTP servers to obtain sensitive information in opportunistic circumstances by logging usernames and passwords. NOTE: the upstream vendor disputes a vector involving different ports on the same host, stating "I'm assuming that they're using the same id and password on that unchanged hostname, deliberately."
43 CVE-2008-4638 200 +Info 2008-10-21 2011-08-10
4.6
None Local Low Single system Complete None None
qioadmin in the Quick I/O for Database feature in Symantec Veritas File System (VxFS) on HP-UX, and before 5.0 MP3 on Solaris, Linux, and AIX, allows local users to read arbitrary files by causing qioadmin to write a file's content to standard error in an error message.
44 CVE-2008-4635 200 +Info 2008-10-20 2009-07-22
5.0
None Remote Low Not required Partial None None
Unspecified vulnerability in Hisanaga Electric Co, Ltd. hisa_cart 1.29 and earlier, a module for XOOPS, allows remote attackers to obtain sensitive user information via unknown vectors.
45 CVE-2008-4593 200 +Info 2008-10-17 2009-07-22
1.2
None Local High Not required Partial None None
Apple iPhone 2.1 with firmware 5F136, when Require Passcode is enabled and Show SMS Preview is disabled, allows physically proximate attackers to obtain sensitive information by performing an Emergency Call tap and then reading SMS messages on the device screen, aka Apple bug number 6267416.
46 CVE-2008-4582 264 Bypass +Info 2008-10-15 2012-10-30
4.3
None Remote Medium Not required Partial None None
Mozilla Firefox 3.0.1 through 3.0.3, Firefox 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13, when running on Windows, do not properly identify the context of Windows .url shortcut files, which allows user-assisted remote attackers to bypass the Same Origin Policy and obtain sensitive information via an HTML document that is directly accessible through a filesystem, as demonstrated by documents in (1) local folders, (2) Windows share folders, and (3) RAR archives, and as demonstrated by IFRAMEs referencing shortcuts that point to (a) about:cache?device=memory and (b) about:cache?device=disk, a variant of CVE-2008-2810.
47 CVE-2008-4545 264 +Info 2008-10-13 2008-12-24
4.0
None Remote Low Single system Partial None None
Cisco Unity 4.x before 4.2(1)ES161, 5.x before 5.0(1)ES53, and 7.x before 7.0(2)ES8 uses weak permissions for the D:\CommServer\Reports directory, which allows remote authenticated users to obtain sensitive information by reading files in this directory.
48 CVE-2008-4512 264 +Info 2008-10-09 2013-01-03
5.0
None Remote Low Not required Partial None None
ASP/MS Access Shoutbox, probably 1.1 beta, stores db/shoutdb.mdb under the web root with insufficient access control, which allows remote attackers to obtain sensitive information via a direct request.
49 CVE-2008-4511 264 +Info 2008-10-09 2009-01-29
5.0
None Remote Low Not required Partial None None
Todd Woolums ASP News Management, possibly 2.21, stores db/news.mdb under the web root with insufficient access control, which allows remote attackers to obtain sensitive information via a direct request.
50 CVE-2008-4491 200 +Info 2008-10-08 2009-02-10
5.0
None Remote Low Not required Partial None None
Apple Mail.app 3.5 on Mac OS X, when "Store draft messages on the server" is enabled, stores draft copies of S/MIME email in plaintext on the email server, which allows server owners and remote man-in-the-middle attackers to read sensitive mail.
Total number of vulnerabilities : 270   Page : 1 (This Page)2 3 4 5 6
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.