CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In May 2009

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2009-1831 189 4 Exec Code Overflow 2009-05-29 2012-08-13
9.3
None Remote Medium Not required Complete Complete Complete
The Nullsoft Modern Skins Support module (gen_ff.dll) in Nullsoft Winamp before 5.552 allows remote attackers to execute arbitrary code via a crafted MAKI file, which triggers an incorrect sign extension, an integer overflow, and a stack-based buffer overflow.
2 CVE-2009-1830 119 2 Exec Code Overflow 2009-05-29 2009-06-09
10.0
None Remote Low Not required Complete Complete Complete
Stack-based buffer overflow in Soulseek 156 and 157 NS allows remote attackers to execute arbitrary code via a long search query.
3 CVE-2009-1829 DoS 2009-05-29 2010-08-21
5.0
None Remote Low Not required None None Partial
Unspecified vulnerability in the PCNFSD dissector in Wireshark 0.8.20 through 1.0.7 allows remote attackers to cause a denial of service (crash) via crafted PCNFSD packets.
4 CVE-2009-1828 399 1 DoS 2009-05-29 2010-08-21
5.0
None Remote Low Not required None None Partial
Mozilla Firefox 3.0.10 allows remote attackers to cause a denial of service (infinite loop, application hang, and memory consumption) via a KEYGEN element in conjunction with (1) a META element specifying automatic page refresh or (2) a JavaScript onLoad event handler for a BODY element. NOTE: it was later reported that earlier versions are also affected.
5 CVE-2009-1827 399 1 DoS 2009-05-29 2009-06-01
5.0
None Remote Low Not required None None Partial
The SVG component in Mozilla Firefox 3.0.4 allows remote attackers to cause a denial of service (application hang) via a large value in the r (aka Radius) attribute of a circle element, related to an "unclamped loop."
6 CVE-2009-1826 287 1 2009-05-29 2009-06-09
6.5
None Remote Low Single system Partial Partial Partial
modules/admuser.php in myGesuad 0.9.14 (aka 0.9) does not require administrative authentication, which allows remote authenticated users to list user accounts via a Find action.
7 CVE-2009-1825 287 1 2009-05-29 2009-06-09
4.0
None Remote Low Single system Partial None None
modules/admuser.php in myColex 1.4.2 does not require administrative authentication, which allows remote authenticated users to list user accounts via a Find action.
8 CVE-2009-1824 20 1 +Priv 2009-05-29 2009-06-01
7.2
Admin Local Low Not required Complete Complete Complete
The ps_drv.sys kernel driver in ArcaBit ArcaVir 2009 Antivirus Protection 9.4.3201.9 and earlier, ArcaVir 2009 Internet Security 9.4.3202.9 and earlier, ArcaVir 2009 System Protection 9.4.3203.9 and earlier, and ArcaBit 2009 Home Protection 9.4.3204.9 and earlier, allows local users to gain privileges via crafted METHOD_NEITHER IOCTL requests to \Device\ps_drv containing arbitrary kernel addresses, as demonstrated using the (1) 0x2A7B802B and possibly (2) 0x2A7B8004 and (3) 0x2A7B802F IOCTLs.
9 CVE-2009-1823 79 XSS 2009-05-29 2009-06-01
2.6
None Remote High Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Print (aka Printer, e-mail and PDF versions) module 5.x before 5.x-4.7 and 6.x before 6.x-1.7, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML by modifying a document head, before the Content-Type META element, to contain crafted UTF-8 byte sequences that are treated as UTF-7 by Internet Explorer 6 and 7, a related issue to CVE-2009-1575.
10 CVE-2009-1822 94 1 Exec Code File Inclusion 2009-05-29 2010-07-26
7.5
None Remote Low Not required Partial Partial Partial
Multiple PHP remote file inclusion vulnerabilities in the InterJoomla ArtForms (com_artforms) component 2.1b7 for Joomla! allow remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter to (1) imgcaptcha.php or (2) mp3captcha.php in assets/captcha/includes/captchaform/, or (3) assets/captcha/includes/captchatalk/swfmovie.php.
11 CVE-2009-1821 264 1 2009-05-29 2009-06-09
5.0
None Remote Low Not required Partial None None
DMXReady Registration Manager 1.1 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the database file via a direct request for databases/webblogmanager.mdb.
12 CVE-2009-1820 79 1 XSS 2009-05-29 2009-06-01
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in product.php in 2daybiz Custom T-shirt Design Script allows remote attackers to inject arbitrary web script or HTML via the id parameter.
13 CVE-2009-1819 89 1 Exec Code Sql 2009-05-29 2009-06-01
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in product.php in 2daybiz Custom T-shirt Design Script allows remote attackers to execute arbitrary SQL commands via the id parameter.
14 CVE-2009-1818 89 1 Exec Code Sql 2009-05-29 2009-06-01
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in admin/admin_manager.asp in MaxCMS 2.0 allows remote attackers to execute arbitrary SQL commands via an m_username cookie in an add action.
15 CVE-2009-1817 119 1 Exec Code Overflow 2009-05-29 2009-06-01
9.3
None Remote Medium Not required Complete Complete Complete
Multiple buffer overflows in DigiMode Maya 1.0.2 allow remote attackers to execute arbitrary code via a long string in a malformed (1) .m3u or (2) .m3l playlist file.
16 CVE-2009-1816 89 1 Exec Code Sql 2009-05-29 2009-06-01
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in admin.php in My Game Script 2.0 allows remote attackers to execute arbitrary SQL commands via the user parameter (aka the username field). NOTE: some of these details are obtained from third party information.
17 CVE-2009-1815 119 2 Exec Code Overflow 2009-05-29 2009-06-01
9.3
None Remote Medium Not required Complete Complete Complete
Stack-based buffer overflow in Sonic Spot Audioactive Player 1.93b allows remote attackers to execute arbitrary code via a long string in a playlist file, as demonstrated by a long .mp3 URL in a .m3u file.
18 CVE-2009-1814 89 1 Exec Code Sql 2009-05-29 2009-06-01
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in mail.php in PHPenpals 1.1 and earlier allows remote attackers to execute arbitrary SQL commands via the ID parameter. NOTE: the profile.php vector is already covered by CVE-2006-0074.
19 CVE-2009-1813 89 1 Exec Code Sql 2009-05-29 2009-06-01
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in admin/index.php in Submitter Script 2 allow remote attackers to execute arbitrary SQL commands via (1) the uNev parameter (aka the username field) or (2) the uJelszo parameter (aka the Password field).
20 CVE-2009-1812 89 1 Exec Code Sql 2009-05-29 2009-06-09
6.0
None Remote Medium Single system Partial Partial Partial
Multiple SQL injection vulnerabilities in myGesuad 0.9.14 (aka 0.9) allow remote attackers to execute arbitrary SQL commands via (1) the formUser parameter (aka the Name field) to common/login.php, and allow remote authenticated users to execute arbitrary SQL commands via the ID parameter in a Detail action to (2) kategorie.php, (3) budget.php, (4) zahlung.php, or (5) adresse.php in modules/, related to classes/class.perform.php.
21 CVE-2009-1811 79 1 XSS 2009-05-29 2009-06-09
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in myGesuad 0.9.14 (aka 0.9) allow remote attackers to inject arbitrary web script or HTML via (1) the Page parameter in a List action to modules/ereignis.php, (2) the Kontext parameter in a Search action to modules/kategorie.php, (3) the image parameter to modules/image.php, or (4) the ID parameter in a Detail action to modules/sitzung.php.
22 CVE-2009-1810 89 1 Exec Code Sql 2009-05-29 2009-06-09
6.0
None Remote Medium Single system Partial Partial Partial
Multiple SQL injection vulnerabilities in myColex 1.4.2 allow remote attackers to execute arbitrary SQL commands via (1) the formUser parameter (aka the Name field) to common/login.php, and allow remote authenticated users to execute arbitrary SQL commands via the ID parameter in a Detail action to (2) kategorie.php, (3) medium.php, (4) person.php, or (5) schlagwort.php in modules/, related to classes/class.perform.php.
23 CVE-2009-1809 79 1 XSS 2009-05-29 2009-06-09
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in myColex 1.4.2 allow remote attackers to inject arbitrary web script or HTML via (1) the year parameter to modules/kalender.php, (2) the Page parameter in a List action to modules/ereignis.php, (3) the Kontext parameter in a Search action to modules/kategorie.php, or (4) the image parameter to modules/image.php.
24 CVE-2009-1808 DoS 2009-05-28 2009-06-10
4.9
None Local Low Not required None None Complete
Microsoft Windows XP SP3 allows local users to cause a denial of service (system crash) by making an SPI_SETDESKWALLPAPER SystemParametersInfo call with an improperly terminated pvParam argument, followed by an SPI_GETDESKWALLPAPER SystemParametersInfo call.
25 CVE-2009-1807 Exec Code 2009-05-28 2009-06-09
9.3
None Remote Medium Not required Complete Complete Complete
Unspecified vulnerability in Config.dll in Baofeng products 3.09.04.17 and earlier allows remote attackers to execute arbitrary code by calling the SetAttributeValue method, as exploited in the wild in April and May 2009.
26 CVE-2009-1806 2009-05-28 2009-06-09
9.3
None Remote Medium Not required Complete Complete Complete
Unspecified vulnerability in IBM Hardware Management Console (HMC) 7 release 3.4.0 SP2, when Active Memory Sharing is used, has unknown impact and attack vectors, related to a shared memory partition and a shared memory pool with redundant paging Virtual I/O Server (VIOS) partitions. NOTE: some of these details are obtained from third party information.
27 CVE-2009-1804 89 1 Exec Code Sql 2009-05-28 2009-06-01
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in admin/index.php in VideoScript.us YouTube Video Script allow remote attackers to execute arbitrary SQL commands via the (1) username and (2) password parameters.
28 CVE-2009-1803 200 +Info 2009-05-28 2009-05-29
5.0
None Remote Low Not required Partial None None
FreePBX 2.5.1, and other 2.4.x, 2.5.x, and pre-release 2.6.x versions, generates different error messages for a failed login attempt depending on whether the user account exists, which allows remote attackers to enumerate valid usernames.
29 CVE-2009-1802 352 CSRF 2009-05-28 2009-05-28
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in FreePBX 2.5.1, and other 2.4.x, 2.5.x, and pre-release 2.6.x versions, allow remote attackers to hijack the authentication of admins for requests that create a new admin account or have unspecified other impact.
30 CVE-2009-1801 79 XSS 2009-05-28 2009-05-28
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in FreePBX 2.5.1, and other 2.4.x, 2.5.x, and pre-release 2.6.x versions, allow remote attackers to inject arbitrary web script or HTML via the (1) display parameter to reports.php, the (2) order and (3) extdisplay parameters to config.php, and the (4) sort parameter to recordings/index.php. NOTE: some of these details are obtained from third party information.
31 CVE-2009-1800 119 Exec Code Overflow 2009-05-28 2009-05-28
7.5
User Remote Low Not required Partial Partial Partial
Stack-based buffer overflow in the Chinagames CGAgent ActiveX control 1.x in CGAgent.dll, as distributed in Chinagames iGame 2009, allows remote attackers to execute arbitrary code via a long argument to the CreateChinagames method, as exploited in the wild in April and May 2009. NOTE: some of these details are obtained from third party information.
32 CVE-2009-1799 89 1 Exec Code Sql 2009-05-28 2009-05-28
6.8
None Remote Medium Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in the getGalleryImage function in st_admin/gallery_output.php in ST-Gallery 0.1 alpha, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) gallery_category or (2) gallery_show parameter to example.php.
33 CVE-2009-1796 79 XSS 2009-05-26 2009-06-04
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Sun Java System Portal Server 6.3.1, 7.1, and 7.2 allows remote attackers to inject arbitrary web script or HTML via vectors related to an error page.
34 CVE-2009-1792 78 Exec Code 2009-05-29 2012-03-20
9.3
None Remote Medium Not required Complete Complete Complete
The system.openURL function in StoneTrip Ston3D StandalonePlayer (aka S3DPlayer StandAlone) 1.6.2.4 and 1.7.0.1 and WebPlayer (aka S3DPlayer Web) 1.6.0.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the first argument (the sURL argument).
35 CVE-2009-1791 119 DoS Exec Code Overflow 2009-05-26 2009-06-23
9.3
None Remote Medium Not required Complete Complete Complete
Heap-based buffer overflow in aiff_read_header in libsndfile 1.0.15 through 1.0.19, as used in Winamp 5.552 and possibly other media programs, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via an AIFF file with an invalid header value.
36 CVE-2009-1790 79 XSS 2009-05-26 2009-05-27
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in CGI RESCUE Trees before 2.11 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters.
37 CVE-2009-1789 1 DoS 2009-05-26 2009-07-10
4.3
None Remote Medium Not required None None Partial
mod/server.mod/servmsg.c in Eggheads Eggdrop and Windrop 1.6.19 and earlier allows remote attackers to cause a denial of service (crash) via a crafted PRIVMSG that causes an empty string to trigger a negative string length copy. NOTE: this issue exists because of an incorrect fix for CVE-2007-2807.
38 CVE-2009-1788 119 DoS Exec Code Overflow 2009-05-26 2009-06-23
9.3
None Remote Medium Not required Complete Complete Complete
Heap-based buffer overflow in voc_read_header in libsndfile 1.0.15 through 1.0.19, as used in Winamp 5.552 and possibly other media programs, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a VOC file with an invalid header value.
39 CVE-2009-1787 89 1 Sql Bypass 2009-05-26 2009-06-09
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in PHP Dir Submit (aka WebsiteSubmitter and Submitter Script) allow remote attackers to bypass authentication and gain administrative access via the (1) username and (2) password parameters.
40 CVE-2009-1786 362 1 2009-05-26 2010-08-21
6.9
Admin Local Medium Not required Complete Complete Complete
The malloc subsystem in libc in IBM AIX 5.3 and 6.1 allows local users to create or overwrite arbitrary files via a symlink attack on the log file associated with the MALLOCDEBUG environment variable.
41 CVE-2009-1785 79 XSS 2009-05-22 2009-05-24
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Ulteo Open Virtual Desktop 1.0 allows remote attackers to inject arbitrary web script or HTML via the error parameter to header.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
42 CVE-2009-1784 20 Bypass 2009-05-22 2009-05-29
10.0
None Remote Low Not required Complete Complete Complete
The AVG parsing engine 8.5 323, as used in multiple AVG anti-virus products including Anti-Virus Network Edition, Internet Security Netzwerk Edition, Server Edition für Linux/FreeBSD, Anti-Virus SBS Edition, and others allows remote attackers to bypass malware detection via a crafted (1) RAR and (2) ZIP archive.
43 CVE-2009-1783 20 Bypass 2009-05-22 2009-05-29
10.0
None Remote Low Not required Complete Complete Complete
Multiple FRISK Software F-Prot anti-virus products, including Antivirus for Exchange, Linux on IBM zSeries, Linux x86 File Servers, Linux x86 Mail Servers, Linux x86 Workstations, Solaris Mail Servers, Antivirus for Windows, and others, allow remote attackers to bypass malware detection via a crafted CAB archive.
44 CVE-2009-1782 Bypass 2009-05-22 2009-05-27
6.8
None Remote Medium Not required Partial Partial Partial
Multiple F-Secure anti-virus products, including Anti-Virus for Microsoft Exchange 7.10 and earlier; Internet Gatekeeper for Windows 6.61 and earlier, Windows 6.61 and earlier, and Linux 2.16 and earlier; Internet Security 2009 and earlier, Anti-Virus 2009 and earlier, Client Security 8.0 and earlier, and others; allow remote attackers to bypass malware detection via a crafted (1) ZIP and (2) RAR archive.
45 CVE-2009-1781 94 1 2009-05-22 2009-05-27
6.8
None Remote Medium Not required Partial Partial Partial
Static code injection vulnerability in admin.php in Frax.dk Php Recommend 1.3 and earlier allows remote attackers to inject arbitrary PHP code into phpre_config.php via the form_aula parameter.
46 CVE-2009-1780 264 1 +Priv 2009-05-22 2009-05-27
7.5
None Remote Low Not required Partial Partial Partial
admin.php in Frax.dk Php Recommend 1.3 and earlier does not require authentication when the user password is changed, which allows remote attackers to gain administrative privileges via modified form_admin_user and form_admin_pass parameters.
47 CVE-2009-1779 94 1 Exec Code File Inclusion 2009-05-22 2009-05-24
6.8
None Remote Medium Not required Partial Partial Partial
PHP remote file inclusion vulnerability in admin.php in Frax.dk Php Recommend 1.3 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the form_include_template parameter.
48 CVE-2009-1778 89 1 Exec Code Sql 2009-05-22 2009-05-27
6.8
None Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in the new user registration feature in BigACE CMS 2.5, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the username parameter.
49 CVE-2009-1777 20 Http R.Spl. 2009-05-22 2009-06-04
5.0
None Remote Low Not required None Partial None
CRLF injection vulnerability in FormMail.pl in Matt Wright FormMail 1.92, and possibly earlier, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the redirect parameter.
50 CVE-2009-1776 79 XSS 2009-05-22 2009-06-04
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in FormMail.pl in Matt Wright FormMail 1.92, and possibly earlier, allow remote attackers to inject arbitrary web script or HTML via javascript: URIs in the (1) request and (2) return_link_url parameters.
Total number of vulnerabilities : 364   Page : 1 (This Page)2 3 4 5 6 7 8
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.