CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In November 2009

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2009-4121 352 CSRF 2009-11-30 2009-12-01
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in Quick.CMS 2.4 and Quick.CMS.Lite 2.4 allow remote attackers to hijack the authentication of the administrator for requests that (1) delete web pages via a p-delete action to admin.php, and possibly (2) delete products or (3) delete orders via unspecified vectors. NOTE: some of these details are obtained from third party information.
2 CVE-2009-4120 352 CSRF 2009-11-30 2009-12-01
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in Quick.Cart 3.4 allow remote attackers to hijack the authentication of the administrator for requests that (1) delete orders via an orders-delete action to admin.php, and possibly (2) delete products or (3) delete pages via unspecified vectors.
3 CVE-2009-4119 79 XSS 2009-11-30 2009-12-01
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Feed Element Mapper module 5.x before 5.x-1.3, 6.x before 6.x-1.3, and 6.x-2.0-alpha before 6.x-2.0-alpha4 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
4 CVE-2009-4118 1 DoS 2009-11-30 2012-10-25
2.1
None Local Low Not required None None Partial
The StartServiceCtrlDispatcher function in the cvpnd service (cvpnd.exe) in Cisco VPN client for Windows before 5.0.06.0100 does not properly handle an ERROR_FAILED_SERVICE_CONTROLLER_CONNECT error, which allows local users to cause a denial of service (service crash and VPN connection loss) via a manual start of cvpnd.exe while the cvpnd service is running.
5 CVE-2009-4117 119 DoS Exec Code Overflow 2009-11-30 2012-10-24
9.3
None Remote Medium Not required Complete Complete Complete
Multiple stack-based buffer overflows in pdf_shade4.c in MuPDF before commit 20091125231942, as used in SumatraPDF before 1.0.1, allow remote attackers to cause a denial of service and possibly execute arbitrary code via a /Decode array for certain types of shading that are not properly handled by the (1) pdf_loadtype4shade, (2) pdf_loadtype5shade, (3) pdf_loadtype6shade, and (4) pdf_loadtype7shade functions. NOTE: some of these details are obtained from third party information.
6 CVE-2009-4116 22 Exec Code Dir. Trav. 2009-11-30 2009-12-01
3.5
None Remote Medium Single system Partial None None
Multiple directory traversal vulnerabilities in CutePHP CuteNews 1.4.6, when magic_quotes_gpc is disabled, allow remote authenticated users with editor or administrative application access to read arbitrary files via a .. (dot dot) in the source parameter in a (1) list or (2) editnews action to the Editnews module, and (3) the save_con[skin] parameter in the Options module. NOTE: vector 3 can be leveraged for code execution by using a .. to include and execute arbitrary local files.
7 CVE-2009-4115 94 2009-11-30 2011-01-18
6.5
None Remote Low Single system Partial Partial Partial
Multiple static code injection vulnerabilities in the Categories module in CutePHP CuteNews 1.4.6 allow remote authenticated users with application administrative privileges to inject arbitrary PHP code into data/category.db.php via the (1) category and (2) Icon URL fields; or (3) inject arbitrary PHP code into data/ipban.php via the add_ip parameter.
8 CVE-2009-4114 20 DoS Mem. Corr. 2009-11-30 2009-12-01
4.9
None Local Low Not required None None Complete
kl1.sys in Kaspersky Anti-Virus 2010 9.0.0.463, and possibly other versions before 9.0.0.736, does not properly validate input to IOCTL 0x0022c008, which allows local users to cause a denial of service (system crash) via IOCTL requests using crafted kernel addresses that trigger memory corruption, possibly related to klavemu.kdl.
9 CVE-2009-4113 94 2009-11-30 2009-12-01
6.5
None Remote Low Single system Partial Partial Partial
Static code injection vulnerability in the Categories module in CutePHP CuteNews 1.4.6 and UTF-8 CuteNews before 8b allows remote authenticated users with application administrative privileges to inject arbitrary PHP code into data/category.db.php via the Category Access field.
10 CVE-2009-4112 264 +Priv 2009-11-30 2009-12-19
9.0
Admin Remote Low Single system Complete Complete Complete
Cacti 0.8.7e and earlier allows remote authenticated administrators to gain privileges by modifying the "Data Input Method" for the "Linux - Get Memory Usage" setting to contain arbitrary commands.
11 CVE-2009-4111 94 2009-11-29 2010-12-07
6.8
None Remote Medium Not required Partial Partial Partial
Argument injection vulnerability in Mail/sendmail.php in the Mail package 1.1.14, 1.2.0b2, and possibly other versions for PEAR allows remote attackers to read and write arbitrary files via a crafted $recipients parameter, and possibly other parameters, a different vulnerability than CVE-2009-4023.
12 CVE-2009-4110 79 XSS 2009-11-29 2009-12-19
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the search functionality in DotNetNuke 4.8 through 5.1.4 allows remote attackers to inject arbitrary web script or HTML via search terms that are not properly filtered before display in a custom results page.
13 CVE-2009-4109 200 +Info 2009-11-29 2009-11-30
5.0
None Remote Low Not required Partial None None
The install wizard in DotNetNuke 4.0 through 5.1.4 does not prevent anonymous users from accessing functionality related to determination of the need for an upgrade, which allows remote attackers to access version information and possibly other sensitive information.
14 CVE-2009-4108 119 DoS Overflow 2009-11-29 2009-12-01
4.0
None Remote Low Single system None None Partial
XM Easy Personal FTP Server 5.8.0 allows remote authenticated users to cause a denial of service (crash) by uploading or creating a large number of files or directories, then performing a LIST command.
15 CVE-2009-4107 119 1 Exec Code Overflow 2009-11-29 2009-11-30
9.3
Admin Remote Medium Not required Complete Complete Complete
Buffer overflow in Invisible Browsing 5.0.52 allows user-assisted remote attackers to execute arbitrary code via a crafted .ibkey file containing a long string.
16 CVE-2009-4106 20 1 Exec Code 2009-11-29 2009-11-30
7.5
User Remote Low Not required Partial Partial Partial
Unrestricted file upload vulnerability in admintools/editpage-2.php in Agoko CMS 0.4 and earlier allows remote attackers to inject and execute arbitrary PHP code via the filename and text parameters.
17 CVE-2009-4105 20 DoS 2009-11-29 2009-11-30
3.5
None Remote Medium Single system None None Partial
TYPSoft FTP Server 1.10 allows remote authenticated users to cause a denial of service (crash) by sending an APPE (append) command immediately followed by a DELE (delete) command without sending file data in between these two commands.
18 CVE-2009-4104 89 Exec Code Sql 2009-11-29 2011-07-26
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in Lyften Designs LyftenBloggie (com_lyftenbloggie) component 1.0.4 for Joomla! allows remote attackers to execute arbitrary SQL commands via the author parameter to index.php.
19 CVE-2009-4103 119 DoS Exec Code Overflow 2009-11-29 2009-11-30
9.3
Admin Remote Medium Not required Complete Complete Complete
Buffer overflow in Robo-FTP 3.6.17, and possibly other versions, allows remote FTP servers to cause a denial of service and possibly execute arbitrary code via unspecified FTP server responses. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
20 CVE-2009-4102 20 Exec Code 2009-11-29 2011-09-09
9.3
None Remote Medium Not required Complete Complete Complete
Sage 1.4.3 and earlier extension for Firefox performs certain operations with chrome privileges, which allows remote attackers to execute arbitrary commands and perform cross-domain scripting attacks via the description tag of an RSS feed.
21 CVE-2009-4101 20 Exec Code 2009-11-29 2009-12-07
9.3
None Remote Medium Not required Complete Complete Complete
infoRSS 1.1.4.2 and earlier extension for Firefox performs certain operations with chrome privileges, which allows remote attackers to execute arbitrary commands and perform cross-domain scripting attacks via the description tag of an RSS feed.
22 CVE-2009-4100 20 Exec Code 2009-11-29 2009-12-19
9.3
None Remote Medium Not required Complete Complete Complete
Yoono extension before 6.1.1 for Firefox performs certain operations with chrome privileges, which allows user-assisted remote attackers to execute arbitrary commands and perform cross-domain scripting attacks via DOM event handlers such as onload.
23 CVE-2009-4099 89 1 Exec Code Sql 2009-11-29 2009-12-19
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the Google Calendar GCalendar (com_gcalendar) component 1.1.2, 2.1.4, and possibly earlier versions for Joomla! allows remote attackers to execute arbitrary SQL commands via the gcid parameter. NOTE: some of these details are obtained from third party information.
24 CVE-2009-4098 20 Exec Code 2009-11-29 2011-07-25
6.0
None Remote Medium Single system Partial Partial Partial
Unrestricted file upload vulnerability in banner-edit.php in OpenX adserver 2.8.1 and earlier allows remote authenticated users with banner / file upload permissions to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an images directory.
25 CVE-2009-4097 119 2 Exec Code Overflow 2009-11-29 2009-12-19
9.3
Admin Remote Medium Not required Complete Complete Complete
Stack-based buffer overflow in the MplayInputFile function in Serenity Audio Player 3.2.3 and earlier allows remote attackers to execute arbitrary code via a long URL in an M3U file. NOTE: some of these details are obtained from third party information.
26 CVE-2009-4096 255 2 +Info 2009-11-29 2009-12-02
7.5
User Remote Low Not required Partial Partial Partial
RADIO istek scripti 2.5 stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain user credentials via a direct request for estafresgaftesantusyan.inc.
27 CVE-2009-4095 287 Bypass 2009-11-29 2011-12-12
7.5
None Remote Low Not required Partial Partial Partial
myPhile 1.2.1 allows remote attackers to bypass authentication via an empty password. NOTE: some of these details are obtained from third party information.
28 CVE-2009-4094 94 Exec Code File Inclusion 2009-11-29 2009-11-30
7.5
None Remote Low Not required Partial Partial Partial
PHP remote file inclusion vulnerability in class/php/d4m_ajax_pagenav.php in the D4J eZine (com_ezine) component 2.1 for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the GLOBALS[mosConfig_absolute_path parameter.
29 CVE-2009-4093 79 1 XSS 2009-11-29 2010-03-31
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in comments.php in Simplog 0.9.3.2, and possibly earlier, allow remote attackers to inject arbitrary web script or HTML via the (1) cname (Name) or (2) email parameters.
30 CVE-2009-4092 352 1 CSRF 2009-11-29 2010-03-31
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in user.php in Simplog 0.9.3.2, and possibly earlier, allows remote attackers to hijack the authentication of administrators and users for requests that change passwords.
31 CVE-2009-4091 264 1 2009-11-29 2010-03-31
5.0
None Remote Low Not required None Partial None
comments.php in Simplog 0.9.3.2, and possibly earlier, does not properly restrict access, which allows remote attackers to edit or delete comments via the (1) edit or (2) del action.
32 CVE-2009-4090 20 1 Exec Code 2009-11-29 2009-12-02
7.5
None Remote Low Not required Partial Partial Partial
Unrestricted file upload vulnerability in ajax/addComment.php in telepark.wiki 2.4.23 and earlier script allows remote attackers to execute arbitrary code by uploading a file with a name containing a NULL byte.
33 CVE-2009-4089 287 2 Bypass 2009-11-29 2010-03-31
5.0
None Remote Low Not required None Partial None
telepark.wiki 2.4.23 and earlier allows remote attackers to bypass authorization and (1) delete arbitrary pages via a modified pageID parameter to ajax/deletePage.php or (2) delete arbitrary comments via a modified pageID parameter to ajax/deleteComment.php.
34 CVE-2009-4088 22 2 Dir. Trav. 2009-11-29 2010-03-31
6.8
None Remote Medium Not required Partial Partial Partial
Multiple directory traversal vulnerabilities in telepark.wiki 2.4.23 and earlier allow remote attackers to read arbitrary files via directory traversal sequences in the css parameter to (1) getjs.php and (2) getcsslocal.php; and include and execute arbitrary local files via the (3) group parameter to upload.php.
35 CVE-2009-4087 79 1 XSS 2009-11-29 2011-12-12
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in index.php in telepark.wiki 2.4.23 and earlier allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO.
36 CVE-2009-4086 20 1 Http R.Spl. 2009-11-29 2011-12-12
5.0
None Remote Low Not required None Partial None
CRLF injection vulnerability in Xerver HTTP Server 4.31 and 4.32 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via certain byte sequences at the end of a URL. NOTE: some of these details are obtained from third party information.
37 CVE-2009-4085 94 Exec Code File Inclusion 2009-11-29 2011-12-12
7.5
None Remote Low Not required Partial Partial Partial
PHP remote file inclusion vulnerability in assets/plugins/mp3_id/mp3_id.php in PHP Traverser 0.8.0 allows remote attackers to execute arbitrary PHP code via a URL in the GLOBALS[BASE] parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
38 CVE-2009-4084 89 Exec Code Sql 2009-11-29 2009-11-30
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the search feature in e107 0.7.16 and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
39 CVE-2009-4083 79 XSS 2009-11-29 2009-11-30
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in e107 0.7.16 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors in (1) submitnews.php, (2) usersettings.php; and (3) newpost.php, (4) banlist.php, (5) banner.php, (6) cpage.php, (7) download.php, (8) users_extended.php, (9) frontpage.php, (10) links.php, and (11) mailout.php in e107_admin/. NOTE: this may overlap CVE-2004-2040 and CVE-2006-4794, but there are insufficient details to be certain.
40 CVE-2009-4082 94 2 Exec Code File Inclusion 2009-11-29 2009-12-08
7.5
None Remote Low Not required Partial Partial Partial
PHP remote file inclusion vulnerability in forums/Forum_Include/index.php in Outreach Project Tool (OPT) 1.2.7 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the CRM_path parameter.
41 CVE-2009-4081 +Priv 2009-11-29 2009-12-31
4.4
None Local Medium Not required Partial Partial Partial
Untrusted search path vulnerability in dstat before r3199 allows local users to gain privileges via a Trojan horse Python module in the current working directory, a different vulnerability than CVE-2009-3894.
42 CVE-2009-4080 DoS 2009-11-29 2009-12-19
2.1
None Local Low Not required None None Partial
Multiple unspecified vulnerabilities in ldap_cachemgr (aka the LDAP client configuration cache daemon) in Sun Solaris 9 and 10, and OpenSolaris before snv_78, allow local users to cause a denial of service (daemon crash) via vectors involving multiple serviceSearchDescriptor attributes and a call to the getldap_lookup function, and unspecified other vectors.
43 CVE-2009-4079 352 CSRF 2009-11-25 2009-11-25
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in Redmine 0.8.5 and earlier allows remote attackers to hijack the authentication of users for requests that delete a ticket via unspecified vectors.
44 CVE-2009-4078 79 XSS 2009-11-25 2009-11-25
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Redmine 0.8.5 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
45 CVE-2009-4077 352 CSRF 2009-11-25 2009-11-25
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail 0.2.2 and earlier allows remote attackers to hijack the authentication of unspecified users for requests that send arbitrary emails via unspecified vectors, a different vulnerability than CVE-2009-4076.
46 CVE-2009-4076 352 CSRF 2009-11-25 2009-12-09
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail 0.2.2 and earlier allows remote attackers to hijack the authentication of unspecified users for requests that modify user information via unspecified vectors, a different vulnerability than CVE-2009-4077.
47 CVE-2009-4075 DoS 2009-11-25 2009-12-19
5.0
None Remote Low Not required None None Partial
Unspecified vulnerability in the timeout mechanism in sshd in Sun Solaris 10, and OpenSolaris snv_99 through snv_123, allows remote attackers to cause a denial of service (daemon outage) via unknown vectors that trigger a "dangling sshd authentication thread."
48 CVE-2009-4074 XSS 2009-11-25 2010-08-21
4.3
None Remote Medium Not required None Partial None
The XSS Filter in Microsoft Internet Explorer 8 allows remote attackers to leverage the "response-changing mechanism" to conduct cross-site scripting (XSS) attacks against web sites that have no inherent XSS vulnerabilities, related to the details of output encoding and improper modification of an HTML attribute, aka "XSS Filter Script Handling Vulnerability."
49 CVE-2009-4073 200 +Info 2009-11-24 2011-07-18
5.0
None Remote Low Not required Partial None None
The printing functionality in Microsoft Internet Explorer 8 allows remote attackers to discover a local pathname, and possibly a local username, by reading the dc:title element of a PDF document that was generated from a local web page.
50 CVE-2009-4072 2009-11-24 2010-08-21
10.0
None Remote Low Not required Complete Complete Complete
Unspecified vulnerability in Opera before 10.10 has unknown impact and attack vectors, related to a "moderately severe issue."
Total number of vulnerabilities : 313   Page : 1 (This Page)2 3 4 5 6 7
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.