Software Vulnerability
Main
Software Alerts
Software and Script Bug ExploitsSoftware Vulnerability
Random Feeds
Archives
| Sep 2010 | Aug 2010 | Jul 2010 | Jun 2010 | May 2010 | Apr 2010 | Mar 2010 | Feb 2010 | Jan 2010 | Dec 2009 | Nov 2009 | Oct 2009 | Sep 2009 | Aug 2009 | Jul 2009 | Jun 2009 | May 2009 | Apr 2009 | Mar 2009 | Feb 2009 | Jan 2009 | Dec 2008 | Nov 2008 | Oct 2008 | Sep 2008 | Aug 2008 | Jul 2008 | Jun 2008 | May 2008 | Apr 2008 | Mar 2008 | Feb 2008 | Jan 2008 | Dec 2007 | Nov 2007 |Fri, 30 Oct 09
firefox, seamonkey
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3372
Mozilla Firefox before 3.0.15 and 3.5.x before 3.5.4, and SeaMonkey before 2.0, allows remote attackers to execute arbitrary code via a crafted regular expression in a Proxy Auto-configuration (PAC) file.
Fri, 30 Oct 09
firefox
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3371
Use-after-free vulnerability in Mozilla Firefox 3.5.x before 3.5.4 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code by creating JavaScript web-workers recursively.
Fri, 30 Oct 09
firefox
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3370
Mozilla Firefox before 3.0.15, and 3.5.x before 3.5.4, allows remote attackers to read form history by forging mouse and keyboard events that leverage the auto-fill feature to populate form fields, in an attacker-readable form, with history entries.
Fri, 30 Oct 09
firefox
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1563
Array index error in Mozilla Firefox 3.0.x before 3.0.15 and 3.5.x before 3.5.4 allows remote attackers to execute arbitrary code via a long string that triggers incorrect memory allocation and a heap-based buffer overflow during conversion to a floating-point number.
Thu, 29 Oct 09
gencms
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3825
Multiple directory traversal vulnerabilities in GenCMS 2006 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the (1) p parameter to show.php and the (2) Template parameter to admin/pages/SiteNew.php.
Thu, 29 Oct 09
content_manager_systems
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3824
Directory traversal vulnerability in include/processor.php in Greenwood PHP Content Manager 0.3.2 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the content_path parameter.
Thu, 29 Oct 09
mobilelib_gold
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3823
Directory traversal vulnerability in myhtml.php in Mobilelib GOLD 3.0, when magic_quotes_gpc is enabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the GLOBALS[page] parameter.
Thu, 29 Oct 09
com_ajaxchat
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3822
PHP remote file inclusion vulnerability in Fiji Web Design Ajax Chat (com_ajaxchat) component 1.0 for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the GLOBALS[mosConfig_absolute_path] parameter to tests/ajcuser.php.
Thu, 29 Oct 09
solr
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3821
Cross-site scripting (XSS) vulnerability in the Apache Solr Search (solr) extension 1.0.0 for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Thu, 29 Oct 09
fb_filebase
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3820
SQL injection vulnerability in the Flagbit Filebase (fb_filebase) extension 0.1.0 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
Thu, 29 Oct 09
maag_randomimage
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3819
Unspecified vulnerability in the Random Images (maag_randomimage) extension 1.6.4 and earlier for TYPO3 allows remote attackers to execute arbitrary shell commands via unspecified vectors.
Thu, 29 Oct 09
sr_freecap
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3818
Unspecified vulnerability in the session handling feature in freeCap CAPTCHA (sr_freecap) extension 1.2.0 and earlier for TYPO3 has unknown impact and attack vectors.
Thu, 29 Oct 09
com_booklibrary
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3817
PHP remote file inclusion vulnerability in doc/releasenote.php in the BookLibrary (com_booklibrary) component 1.0 for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter, a different vector than CVE-2009-2637. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Thu, 29 Oct 09
lotus_connections
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3816
Multiple cross-site scripting (XSS) vulnerabilities in Activities pages in the Mobile subsystem in IBM Lotus Connections 2.5.0.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Tue, 27 Oct 09
sahana
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3625
Directory traversal vulnerability in www/index.php in Sahana 0.6.2.2 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the mod parameter.
Tue, 27 Oct 09
backintime
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3611
common/snapshots.py in Back In Time (aka backintime) 0.9.26 changes certain permissions to 0777 before deleting the files in an old backup snapshot, which allows local users to obtain sensitive information by reading these files, or interfere with backup integrity by modifying files that are shared across snapshots.
Fri, 23 Oct 09
jd_edwards_enterpriseone, peoplesoft_enterprise
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3409
Unspecified vulnerability in the PeopleSoft Enterprise HCM (TAM) component in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 9.0 Bundle 10 allows remote authenticated users to affect confidentiality and integrity via unknown vectors.
Fri, 23 Oct 09
e-business_suite
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3408
Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 11.5.10 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.
Fri, 23 Oct 09
application_server
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3407
Unspecified vulnerability in the Portal component in Oracle Application Server 10.1.2.3 and 10.1.4.2 allows remote attackers to affect integrity via unknown vectors.
Fri, 23 Oct 09
jd_edwards_enterpriseone, peoplesoft_enterprise
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3406
Unspecified vulnerability in the JD Edwards Tools component in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.98.2.1 allows remote authenticated users to affect confidentiality via unknown vectors.
Fri, 23 Oct 09
jd_edwards_enterpriseone, peoplesoft_enterprise
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3405
Unspecified vulnerability in the JD Edwards Tools component in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.98.1.4 allows remote authenticated users to affect integrity and availability via unknown vectors.
Fri, 23 Oct 09
jd_edwards_enterpriseone, peoplesoft_enterprise
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3404
Unspecified vulnerability in the PeopleSoft PeopleTools & Enterprise Portal component in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.49.23 allows remote authenticated users to affect integrity via unknown vectors.
Fri, 23 Oct 09
bea_product_suite
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3403
Unspecified vulnerability in the JRockit component in BEA Product Suite R27.6.4: JRE/JDK, 1.4.2, 5, and, and 6 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: this issue subsumes CVE-2009-2670, CVE-2009-2671, CVE-2009-2672, CVE-2009-2673, CVE-2009-2674, CVE-2009-2675, and CVE-2009-2676.
Fri, 23 Oct 09
e-business_suite
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3402
Unspecified vulnerability in the Oracle Applications Framework component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1.1 allows remote authenticated users to affect confidentiality via unknown vectors.
Fri, 23 Oct 09
e-business_suite
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3401
Unspecified vulnerability in the Oracle Applications Technology Stack component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1.1 allows local users to affect confidentiality via unknown vectors.
Fri, 23 Oct 09
e-business_suite
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3400
Unspecified vulnerability in the Oracle Advanced Benefits component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1.1 allows remote authenticated users to affect confidentiality and integrity via unknown vectors.
Fri, 23 Oct 09
bea_product_suite
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3399
Unspecified vulnerability in the WebLogic Server component in BEA Product Suite 7.0.6 and 8.1.5 allows remote attackers to affect integrity, related to WLS Console.
Fri, 23 Oct 09
e-business_suite
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3397
Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 12.0.6 and 12.1.1 allows remote attackers to affect confidentiality via unknown vectors.
Fri, 23 Oct 09
bea_product_suite
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3396
Unspecified vulnerability in the WebLogic Server component in BEA Product Suite 9.0, 9.1, 9.2.3, 10.0.1, and 10.3 allows remote attackers to affect integrity, related to WLS Console.
Fri, 23 Oct 09
e-business_suite
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3395
Unspecified vulnerability in the AutoVue component in Oracle E-Business Suite 19.3.2 allows remote attackers to affect availability via unknown vectors.
Fri, 23 Oct 09
e-business_suite
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3393
Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 11.5.10.2 allows remote attackers to affect integrity via unknown vectors.
Fri, 23 Oct 09
e-business_suite
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3392
Unspecified vulnerability in the Agile Engineering Data Management (EDM) component in Oracle E-Business Suite 6.1.0.0 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.
Fri, 23 Oct 09
bea_product_suite
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2002
Unspecified vulnerability in the WebLogic Portal component in BEA Product Suite 8.1.6, 9.2.3, 10.0.1, 10.2.1, and 10.3.1.0.0 allows remote attackers to affect integrity via unknown vectors.
Fri, 23 Oct 09
database_server
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2001
Unspecified vulnerability in the PL/SQL component in Oracle Database 10.2.0.4 and 11.1.0.7 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors.
Fri, 23 Oct 09
database_server
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2000
Unspecified vulnerability in the Authentication component in Oracle Database 11.1.0.7 allows remote attackers to affect confidentiality via unknown vectors.
Fri, 23 Oct 09
application_server
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1999
Unspecified vulnerability in the Business Intelligence Enterprise Edition component in unspecified Oracle Application Server versions allows remote attackers to affect integrity via unknown vectors.
Fri, 23 Oct 09
industry_applications
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1998
Unspecified vulnerability in the Oracle Communications Order and Service Management component in Oracle Industry Applications 2.8.0, 6.2.0, 6.3.0, and 6.3.1 allows remote authenticated users to affect confidentiality and integrity via unknown vectors.
Fri, 23 Oct 09
database_server
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1997
Unspecified vulnerability in the Authentication component in Oracle Database 10.2.0.3 and 11.1.0.7 allows remote attackers to affect confidentiality via unknown vectors.
Fri, 23 Oct 09
database_server
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1995
Unspecified vulnerability in the Advanced Queuing component in Oracle Database 10.2.0.4 and 11.1.0.7 allows remote authenticated users to affect confidentiality and integrity, related to SYS.DBMS_AQ_INV.
Fri, 23 Oct 09
database_server
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1994
Unspecified vulnerability in the Oracle Spatial component in Oracle Database 10.1.0.5 allows remote authenticated users to affect confidentiality, integrity, and availability, related to MDSYS.PRVT_CMT_CBK.
Fri, 23 Oct 09
database_server
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1993
Unspecified vulnerability in the Application Express component in Oracle Database 3.0.1 allows remote authenticated users to affect confidentiality and integrity, related to FLOWS_030000.WWV_EXECUTE_IMMEDIATE.
Fri, 23 Oct 09
database_server
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1992
Unspecified vulnerability in the Core RDBMS component in Oracle Database 9.2.0.8, 10.1.0.5, and 10.2.0.4 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.
Fri, 23 Oct 09
database_server
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1991
Unspecified vulnerability in the Oracle Text component in Oracle Database 9.2.0.8, 9.2.0.8DV, 10.1.0.5, and 10.2.0.4 allows remote authenticated users to affect confidentiality and integrity, related to CTXSYS.DRVXTABC.
Fri, 23 Oct 09
application_server
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1990
Unspecified vulnerability in the Business Intelligence Enterprise Edition component in Oracle Application Server 10.1.3.4.1 allows local users to affect confidentiality via unknown vectors.
Fri, 23 Oct 09
database_server
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1985
Unspecified vulnerability in the Network Authentication component in Oracle Database 9.2.0.8, 9.2.0.8DV, 10.1.0.5, and 10.2.0.4 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.
Fri, 23 Oct 09
database_server
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1979
Unspecified vulnerability in the Network Authentication component in Oracle Database 10.1.0.5 and 10.2.0.4 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.
Fri, 23 Oct 09
database_server
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1972
Unspecified vulnerability in the Auditing component in Oracle Database 9.2.0.8, 9.2.0.8DV, 10.1.0.5, 10.2.0.4, and 11.1.0.7 allows remote authenticated users to affect integrity, related to DBMS_SYS_SQL and DBMS_SQL.
Fri, 23 Oct 09
database_server
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1971
Unspecified vulnerability in the Data Pump component in Oracle Database 10.1.0.5, 10.2.0.3, and 11.1.0.7 allows remote authenticated users to affect integrity via unknown vectors.
Fri, 23 Oct 09
database_server
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1965
Unspecified vulnerability in the Net Foundation Layer component in Oracle Database 9.2.0.8 and 10.1.0.5 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.
Fri, 23 Oct 09
database_server
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1964
Unspecified vulnerability in the Workspace Manager component in Oracle Database 10.2.0.4 allows remote authenticated users to affect confidentiality and integrity via unknown vectors.
Fri, 23 Oct 09
database_server
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1018
Unspecified vulnerability in the Workspace Manager component in Oracle Database 10.2.0.4 allows remote authenticated users to affect confidentiality and integrity, related to SYS.LTRIC (WMSYS.LTRIC).
Fri, 23 Oct 09
database_server
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1007
Unspecified vulnerability in the Data Mining component in Oracle Database 10.2.0.4 allows remote authenticated users to affect confidentiality, integrity, and availability, related to SYS.DMP_SYS.
Fri, 23 Oct 09
boxalino
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1479
Directory traversal vulnerability in client/desktop/default.htm in Boxalino before 09.05.25-0421 allows remote attackers to read arbitrary files via a .. (dot dot) in the url parameter.
Fri, 23 Oct 09
documentum_applicationxtender_workflow_manager
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3685
Directory traversal vulnerability in aws_tmxn.exe in the Admin Agent service in the server in EMC Documentum ApplicationXtender Workflow, possibly 5.40 SP1 and earlier, allows remote attackers to upload arbitrary files, and execute arbitrary code, via directory traversal sequences in requests to TCP port 2606.
Fri, 23 Oct 09
documentum_applicationxtender_workflow_manager
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3684
Heap-based buffer overflow in aws_tmxn.exe in the Admin Agent service in the server in EMC Documentum ApplicationXtender Workflow, possibly 5.40 SP1 and earlier, allows remote attackers to execute arbitrary code via crafted packet data to TCP port 2606.
Wed, 21 Oct 09
kernel
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2909
Integer signedness error in the ax25_setsockopt function in net/ax25/af_ax25.c in the ax25 subsystem in the Linux kernel before 2.6.31.2 allows local users to cause a denial of service (OOPS) via a crafted optlen value in an SO_BINDTODEVICE operation.
Sat, 17 Oct 09
battle_blog
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3719
Cross-site scripting (XSS) vulnerability in comment.asp in Battle Blog 1.25 and 1.30 build 2 allows remote attackers to inject arbitrary web script or HTML via a comment.
Sat, 17 Oct 09
battle_blog
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3718
SQL injection vulnerability in admin/authenticate.asp in Battle Blog 1.25 and 1.30 build 2 allows remote attackers to execute arbitrary SQL commands via the UserName parameter.
Sat, 17 Oct 09
patplayer
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3717
Heap-based buffer overflow in LucVil PatPlayer 3.9 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a long URI in a playlist (.m3u) file.
Sat, 17 Oct 09
mcshoutbox
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3716
Unrestricted file upload vulnerability in admin.php in MCshoutbox 1.1 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in smilies/.
Sat, 17 Oct 09
mcshoutbox
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3715
Multiple SQL injection vulnerabilities in scr_login.php in MCshoutbox 1.1, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) username and (2) password parameters.
Sat, 17 Oct 09
mcshoutbox
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3714
Cross-site scripting (XSS) vulnerability in admin_login.php in MCshoutbox 1.1 allows remote attackers to inject arbitrary web script or HTML via the loginerror parameter.
Sat, 17 Oct 09
morcego_cms
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3713
SQL injection vulnerability in fichero.php in MorcegoCMS 1.7.6 and earlier allows remote attackers to execute arbitrary SQL commands via the query string.
Sat, 17 Oct 09
ebay_clone
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3712
Multiple SQL injection vulnerabilities in Ebay Clone 2009 allow remote attackers to execute arbitrary SQL commands via the (1) user_id parameter to feedback.php; and the item_id parameter to (2) view_full_size.php, (3) classifide_ad.php, and (4) crosspromoteitems.php.
Sat, 17 Oct 09
alleycode_html_editor
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3709
Stack-based buffer overflow in the Meta Content Optimizer in Konae Technologies Alleycode HTML Editor 2.21 allows user-assisted remote attackers to execute arbitrary code via a long value in a TITLE tag.
Sat, 17 Oct 09
alleycode_html_editor
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3708
Stack-based buffer overflow in the Meta Content Optimizer in Konae Technologies Alleycode HTML Editor 2.21 allows user-assisted remote attackers to execute arbitrary code via a long value in a (1) description or (2) keyword META tag. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Sat, 17 Oct 09
ace, player, workstation
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3707
VMware Authentication Daemon 1.0 in vmware-authd.exe 6.5.3.8888 in the VMware Authorization Service 2.5.3 and earlier in VMware Workstation 6.5.3 build 185404, VMware Player 2.5.2 build 156735 and 2.5.3 build 185404, and VMware ACE 2.5.3 allows remote attackers to cause a denial of service (process crash) via a \x25\xFF sequence in the USER and PASS commands, related to a "format string DoS" issue. NOTE: some of these details are obtained from third party information.
Sat, 17 Oct 09
opensolaris
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3706
Unspecified vulnerability in the ZFS filesystem in Sun Solaris 10, and OpenSolaris snv_100 through snv_117, allows local users to bypass intended limitations of the file_chown_self privilege via certain uses of the chown system call.
Sat, 17 Oct 09
achievo
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3705
PHP remote file inclusion vulnerability in debugger.php in Achievo before 1.4.0 allows remote attackers to execute arbitrary PHP code via a URL in the config_atkroot parameter.
Sat, 17 Oct 09
phpmyadmin
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3697
SQL injection vulnerability in the PDF schema generator functionality in phpMyAdmin 2.11.x before 2.11.9.6 and 3.x before 3.2.2.1 allows remote attackers to execute arbitrary SQL commands via unspecified interface parameters.
Sat, 17 Oct 09
phpmyadmin
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3696
Cross-site scripting (XSS) vulnerability in phpMyAdmin 2.11.x before 2.11.9.6 and 3.x before 3.2.2.1 allows remote attackers to inject arbitrary web script or HTML via a crafted name for a MySQL table.
Sat, 17 Oct 09
fusion
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3282
Integer overflow in the vmx86 kernel extension in VMware Fusion before 2.0.6 build 196839 allows host OS users to cause a denial of service to the host OS via unspecified vectors.
Sat, 17 Oct 09
fusion
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3281
The vmx86 kernel extension in VMware Fusion before 2.0.6 build 196839 does not use correct file permissions, which allows host OS users to gain privileges on the host OS via unspecified vectors.
Sat, 17 Oct 09
unified_presence_server
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2874
The TimesTenD process in Cisco Unified Presence 1.x, 6.x before 6.0(6), and 7.x before 7.0(4) allows remote attackers to cause a denial of service (process crash) via a large number of TCP connections to ports 16200 and 22794, aka Bug ID CSCsy17662.
Sat, 17 Oct 09
achievo
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2734
SQL injection vulnerability in the get_employee function in classweekreport.inc in Achievo before 1.4.0 allows remote attackers to execute arbitrary SQL commands via the userid parameter (aka user_id variable) to dispatch.php.
Sat, 17 Oct 09
achievo
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2733
Multiple cross-site scripting (XSS) vulnerabilities in Achievo before 1.4.0 allow remote attackers to inject arbitrary web script or HTML via (1) the scheduler title in the scheduler module, and the (2) atksearch[contractnumber], (3) atksearch_AE_customer[customer], (4) atksearchmode[contracttype], and possibly (5) atksearch[contractname] parameters to the Organization Contracts administration page, reachable through dispatch.php.
Fri, 16 Oct 09
aix, vios
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3699
Stack-based buffer overflow in libcsa.a (aka the calendar daemon library) in IBM AIX 5.x through 5.3.10 and 6.x through 6.1.3, and VIOS 2.1 and earlier, allows remote attackers to execute arbitrary code via a long XDR string in the first argument to procedure 21 of rpc.cmsd.
Fri, 16 Oct 09
securityexpressions_audit_and_compliance_server
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3030
Cross-site scripting (XSS) vulnerability in Symantec SecurityExpressions Audit and Compliance Server 4.1.1, 4.1, and earlier allows remote attackers to inject arbitrary web script or HTML via vectors that trigger an error message in a response, related to an "HTML Injection issue."
Fri, 16 Oct 09
securityexpressions_audit_and_compliance_server
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3029
Cross-site scripting (XSS) vulnerability in the console in Symantec SecurityExpressions Audit and Compliance Server 4.1.1, 4.1, and earlier allows remote authenticated users to inject arbitrary web script or HTML via "external client input" that triggers crafted error messages.
Thu, 15 Oct 09
android
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3698
An unspecified function in the Dalvik API in Android 1.5 and earlier allows remote attackers to cause a denial of service (system process restart) via a crafted application, possibly a related issue to CVE-2009-2656.
Thu, 15 Oct 09
CVE-2009-3126 (windows_2003_server, windows_server_2008, windows_vista, windows_xp, .net_framewo...)
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3126
Integer overflow in GDI+ in Microsoft Internet Explorer 6 SP1, Windows XP SP2 and SP3, Office XP SP3, Office 2003 SP3, 2007 Microsoft Office System SP1 and SP2, Office Project 2002 SP1, Visio 2002 SP2, Office Word Viewer, Word Viewer 2003 Gold and SP3, Office Excel Viewer 2003 Gold and SP3, Office Excel Viewer, Office PowerPoint Viewer 2007 Gold, SP1, and SP2, Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2, Expression Web, Expression Web 2, Groove 2007...
Thu, 15 Oct 09
android
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2999
The com.android.phone process in Android 1.5 CRBxx allows remote attackers to cause a denial of service (application restart and network disconnection) via an SMS message containing a malformed WAP Push message that triggers an ArrayIndexOutOfBoundsException exception, possibly a related issue to CVE-2009-2656.
Thu, 15 Oct 09
windows_server_2008, windows_vista
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2532
Microsoft Windows Vista Gold, SP1, and SP2, Windows Server 2008 Gold and SP2, and Windows 7 RC do not properly process the command value in an SMB Multi-Protocol Negotiate Request packet, which allows remote attackers to execute arbitrary code via a crafted SMBv2 packet to the Server service, aka "SMBv2 Command Value Vulnerability."
Thu, 15 Oct 09
internet_explorer
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2531
Microsoft Internet Explorer 6, 6 SP1, 7, and 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, leading to memory corruption, aka "Uninitialized Memory Corruption Vulnerability," a different vulnerability than CVE-2009-2530.
Thu, 15 Oct 09
internet_explorer
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2530
Microsoft Internet Explorer 6, 6 SP1, 7, and 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, leading to memory corruption, aka "Uninitialized Memory Corruption Vulnerability," a different vulnerability than CVE-2009-2531.
Thu, 15 Oct 09
internet_explorer
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2529
Microsoft Internet Explorer 5.01 SP4, 6, 6 SP1, 7, and 8 does not properly handle argument validation for unspecified variables, which allows remote attackers to execute arbitrary code via a crafted HTML document, aka "HTML Component Handling Vulnerability."
Thu, 15 Oct 09
CVE-2009-2528 (windows_2003_server, windows_server_2008, windows_vista, windows_xp, .net_framewo...)
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2528
GDI+ in Microsoft Office XP SP3 does not properly handle malformed objects in Office Art Property Tables, which allows remote attackers to execute arbitrary code via a crafted Office document that triggers memory corruption, aka "Memory Corruption Vulnerability."
Thu, 15 Oct 09
windows_2000, windows_2003_server, windows_media_player, windows_xp
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2527
Heap-based buffer overflow in Microsoft Windows Media Player 6.4 allows remote attackers to execute arbitrary code via (1) a crafted ASF file or (2) crafted streaming content, aka "WMP Heap Overflow Vulnerability."
Thu, 15 Oct 09
windows_server_2008, windows_vista
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2526
Microsoft Windows Vista Gold, SP1, and SP2 and Server 2008 Gold and SP2 do not properly validate fields in SMBv2 packets, which allows remote attackers to cause a denial of service (infinite loop and system hang) via a crafted packet to the Server service, aka "SMBv2 Infinite Loop Vulnerability."
Thu, 15 Oct 09
CVE-2009-2525 (windows_2000, windows_media_format_runtime, windows_media_player, windows_xp, win...)
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2525
Microsoft Windows Media Runtime, as used in DirectShow WMA Voice Codec, Windows Media Audio Voice Decoder, and Audio Compression Manager (ACM), does not properly initialize unspecified functions within compressed audio files, which allows remote attackers to execute arbitrary code via (1) a crafted media file or (2) crafted streaming content, aka "Windows Media Runtime Heap Corruption Vulnerability."
Thu, 15 Oct 09
windows_2003_server, windows_7, windows_server_2008, windows_vista, windows_xp
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2524
Integer underflow in the NTLM authentication feature in the Local Security Authority Subsystem Service (LSASS) in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista Gold, SP1, and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 allows remote attackers to cause a denial of service (reboot) via a malformed packet, aka "Local Security Authority Subsystem Service Integer Overflow Vulnerability."
Thu, 15 Oct 09
CVE-2009-2518 (windows_2003_server, windows_server_2008, windows_vista, windows_xp, .net_framewo...)
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2518
Integer overflow in GDI+ in Microsoft Office XP SP3 allows remote attackers to execute arbitrary code via an Office document with a bitmap (aka BMP) image that triggers memory corruption, aka "Office BMP Integer Overflow Vulnerability."
Thu, 15 Oct 09
windows_2000, windows_server_2003, windows_server_2008, windows_vista, windows_xp
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2517
The kernel in Microsoft Windows Server 2003 SP2 does not properly handle unspecified exceptions when an error condition occurs, which allows local users to cause a denial of service (reboot) via a crafted application, aka "Windows Kernel Exception Handler Vulnerability."
Thu, 15 Oct 09
windows_2000, windows_server_2003, windows_server_2008, windows_vista, windows_xp
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2516
The kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold and SP1, and Server 2008 Gold does not properly validate data sent from user mode, which allows local users to gain privileges via a crafted application that triggers a NULL pointer dereference, aka "Windows Kernel NULL Pointer Dereference Vulnerability."
Thu, 15 Oct 09
windows_2000, windows_server_2003, windows_server_2008, windows_vista, windows_xp
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2515
Integer underflow in the kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2 allows local users to gain privileges via a crafted application that triggers an incorrect truncation of a 64-bit integer to a 32-bit integer, aka "Windows Kernel Integer Underflow Vulnerability."
Thu, 15 Oct 09
CVE-2009-2511 (windows_2000, windows_7, windows_server_2003, windows_server_2008, windows_vista,...)
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2511
Integer overflow in the CryptoAPI component in Microsoft Windows 2000 SP4, Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista Gold, SP1, and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 allows man-in-the-middle attackers to spoof arbitrary SSL servers and other entities via an X.509 certificate that has a malformed ASN.1 Object Identifier (OID) and was issued by a legitimate Certification Authority, aka "Integer Overflow in X.509 Object Identifiers Vulnerability."
Thu, 15 Oct 09
CVE-2009-2510 (windows_2000, windows_2003_server, windows_7, windows_server_2008, windows_vista,...)
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2510
The CryptoAPI component in Microsoft Windows 2000 SP4, Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista Gold, SP1, and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7, as used by Internet Explorer and other applications, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certifi...
Thu, 15 Oct 09
windows_2000, windows_2003_server, windows_xp
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2507
A certain ActiveX control in the Indexing Service in Microsoft Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP2 does not properly process URLs, which allows remote attackers to execute arbitrary programs via unspecified vectors that cause a "vulnerable binary" to load and run, aka "Memory Corruption in Indexing Service Vulnerability."
Thu, 15 Oct 09
CVE-2009-2504 (windows_2003_server, windows_server_2008, windows_vista, windows_xp, .net_framewo...)
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2504
Multiple integer overflows in unspecified APIs in GDI+ in Microsoft .NET Framework 1.1 SP1, .NET Framework 2.0 SP1 and SP2, Windows XP SP2 and SP3, Windows Server 2003 SP2, Vista Gold and SP1, Server 2008 Gold, Office XP SP3, Office 2003 SP3, 2007 Microsoft Office System SP1 and SP2, Office Project 2002 SP1, Visio 2002 SP2, Office Word Viewer, Word Viewer 2003 Gold and SP3, Office Excel Viewer 2003 Gold and SP3, Office Excel Viewer, Office PowerPoint Viewer 2007 Gold, SP1, and SP2, Office Com...
Thu, 15 Oct 09
CVE-2009-2503 (windows_2003_server, windows_server_2008, windows_vista, windows_xp, .net_framewo...)
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2503
GDI+ in Microsoft Internet Explorer 6 SP1, Windows XP SP2 and SP3, Windows Server 2003 SP2, Office XP SP3, Office 2003 SP3, 2007 Microsoft Office System SP1 and SP2, Office Project 2002 SP1, Visio 2002 SP2, Office Word Viewer, Word Viewer 2003 Gold and SP3, Office Excel Viewer 2003 Gold and SP3, Office Excel Viewer, Office PowerPoint Viewer 2007 Gold, SP1, and SP2, Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2, Expression Web, Expression Web 2, Groove...
Thu, 15 Oct 09
CVE-2009-2502 (windows_2003_server, windows_server_2008, windows_vista, windows_xp, .net_framewo...)
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2502
Buffer overflow in GDI+ in Microsoft Internet Explorer 6 SP1, Windows XP SP2 and SP3, Office XP SP3, Office 2003 SP3, 2007 Microsoft Office System SP1 and SP2, Office Project 2002 SP1, Visio 2002 SP2, Office Word Viewer, Word Viewer 2003 Gold and SP3, Office Excel Viewer 2003 Gold and SP3, Office Excel Viewer, Office PowerPoint Viewer 2007 Gold, SP1, and SP2, Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2, Expression Web, Expression Web 2, Groove 2007 ...
Thu, 15 Oct 09
CVE-2009-2501 (windows_2003_server, windows_server_2008, windows_vista, windows_xp, .net_framewo...)
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2501
Heap-based buffer overflow in GDI+ in Microsoft Internet Explorer 6 SP1, Windows XP SP2 and SP3, Office XP SP3, Office 2003 SP3, 2007 Microsoft Office System SP1 and SP2, Office Project 2002 SP1, Visio 2002 SP2, Office Word Viewer, Word Viewer 2003 Gold and SP3, Office Excel Viewer 2003 Gold and SP3, Office Excel Viewer, Office PowerPoint Viewer 2007 Gold, SP1, and SP2, Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2, Expression Web, Expression Web 2, G...
Thu, 15 Oct 09
CVE-2009-2500 (windows_2003_server, windows_server_2008, windows_vista, windows_xp, .net_framewo...)
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2500
Integer overflow in GDI+ in Microsoft Internet Explorer 6 SP1, Windows XP SP2 and SP3, Office XP SP3, Office 2003 SP3, 2007 Microsoft Office System SP1 and SP2, Office Project 2002 SP1, Visio 2002 SP2, Office Word Viewer, Word Viewer 2003 Gold and SP3, Office Excel Viewer 2003 Gold and SP3, Office Excel Viewer, Office PowerPoint Viewer 2007 Gold, SP1, and SP2, Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2, Expression Web, Expression Web 2, Groove 2007...
Thu, 15 Oct 09
CVE-2009-2497 (.net_framework, windows_2000, windows_server_2003, windows_server_2008, windows_v...)
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2497
The Common Language Runtime (CLR) in Microsoft .NET Framework 2.0, 2.0 SP1, 2.0 SP2, 3.5, and 3.5 SP1, and Silverlight 2, does not properly handle interfaces, which allows remote attackers to execute arbitrary code via (1) a crafted XAML browser application (XBAP), (2) a crafted Silverlight application, (3) a crafted ASP.NET application, or (4) a crafted .NET Framework application, aka "Microsoft Silverlight and Microsoft .NET Framework CLR Vulnerability."
Thu, 15 Oct 09
internet_explorer
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1547
Unspecified vulnerability in Microsoft Internet Explorer 5.01 SP4, 6, 6 SP1, and 7 allows remote attackers to execute arbitrary code via a crafted data stream header that triggers memory corruption, aka "Data Stream Header Corruption Vulnerability."
Thu, 15 Oct 09
CVE-2009-0555 (windows_2000, windows_media_format_runtime, windows_media_player, windows_xp, win...)
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0555
Microsoft Windows Media Runtime, as used in DirectShow WMA Voice Codec, Windows Media Audio Voice Decoder, and Audio Compression Manager (ACM), does not properly process Advanced Systems Format (ASF) files, which allows remote attackers to execute arbitrary code via a crafted audio file that uses the Windows Media Speech codec, aka "Windows Media Runtime Voice Sample Rate Vulnerability."
Thu, 15 Oct 09
CVE-2009-0091 (.net_framework, windows_2000, windows_server_2003, windows_server_2008, windows_v...)
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0091
Microsoft .NET Framework 2.0, 2.0 SP1, and 3.5 does not properly enforce a certain type-equality constraint in .NET verifiable code, which allows remote attackers to execute arbitrary code via (1) a crafted XAML browser application (XBAP), (2) a crafted ASP.NET application, or (3) a crafted .NET Framework application, aka "Microsoft .NET Framework Type Verification Vulnerability."
Thu, 15 Oct 09
CVE-2009-0090 (.net_framework, windows_2000, windows_server_2003, windows_server_2008, windows_v...)
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0090
Microsoft .NET Framework 1.0 SP3, 1.1 SP1, and 2.0 SP1 does not properly validate .NET verifiable code, which allows remote attackers to obtain unintended access to stack memory, and execute arbitrary code, via (1) a crafted XAML browser application (XBAP), (2) a crafted ASP.NET application, or (3) a crafted .NET Framework application, aka "Microsoft .NET Framework Pointer Verification Vulnerability."
Wed, 14 Oct 09
django
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3695
Algorithmic complexity vulnerability in the forms library in Django 1.0 before 1.0.4 and 1.1 before 1.1.1 allows remote attackers to cause a denial of service (CPU consumption) via a crafted (1) EmailField (email address) or (2) URLField (URL) that triggers a large amount of backtracking in a regular expression.
Wed, 14 Oct 09
ezrecipe-zee
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3694
Directory traversal vulnerability in config/config.php in ezRecipe-Zee 91, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the cfg[prePath] parameter.
Wed, 14 Oct 09
loadrunner, xupload
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3693
Directory traversal vulnerability in the Persits.XUpload.2 ActiveX control (XUpload.ocx) in HP LoadRunner 9.5 allows remote attackers to create arbitrary files via \.. (backwards slash dot dot) sequences in the third argument to the MakeHttpRequest method.
Wed, 14 Oct 09
virtualbox
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3692
Unspecified vulnerability in the VBoxNetAdpCtl configuration tool in Sun VirtualBox 3.0.x before 3.0.8 on Solaris x86, Linux, and Mac OS X allows local users to gain privileges via unknown vectors.
Wed, 14 Oct 09
informix_client_sdk, informix_connect_runtime
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3691
Multiple integer overflows in setnet32.exe 3.50.0.13752 in IBM Informix Client SDK 3.0 and 3.50 and Informix Connect Runtime 3.x allow remote attackers to execute arbitrary code via a .nfx file with a crafted (1) HostSize, and possibly (2) ProtoSize and (3) ServerSize, field that triggers a stack-based buffer overflow involving a crafted HostList field. NOTE: some of these details are obtained from third party information.
Wed, 14 Oct 09
unbound
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3602
Unbound before 1.3.4 does not properly verify signatures for NSEC3 records, which allows remote attackers to cause secure delegations to be downgraded via DNS spoofing or other DNS-related attacks in conjunction with crafted delegation responses.
Wed, 14 Oct 09
CVE-2009-3588 (anti-virus, anti-virus_for_the_enterprise, anti-virus_gateway, anti-virus_plus, a...)
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3588
Unspecified vulnerability in the arclib component in the Anti-Virus engine in CA Anti-Virus for the Enterprise (formerly eTrust Antivirus) 7.1 through r8.1; Anti-Virus 2007 (v8) through 2009; eTrust EZ Antivirus r7.1; Internet Security Suite 2007 (v3) through Plus 2009; and other CA products allows remote attackers to cause a denial of service via a crafted RAR archive file that triggers stack corruption, a different vulnerability than CVE-2009-3587.
Wed, 14 Oct 09
CVE-2009-3587 (anti-virus, anti-virus_for_the_enterprise, anti-virus_plus, etrust_ez_antivirus, ...)
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3587
Unspecified vulnerability in the arclib component in the Anti-Virus engine in CA Anti-Virus for the Enterprise (formerly eTrust Antivirus) 7.1 through r8.1; Anti-Virus 2007 (v8) through 2009; eTrust EZ Antivirus r7.1; Internet Security Suite 2007 (v3) through Plus 2009; and other CA products allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted RAR archive file that triggers heap corruption, a different vulnerability than CVE-2009-3588.
Wed, 14 Oct 09
acrobat, reader
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3459
Unspecified vulnerability in Adobe Reader and Acrobat 9.1.3 and earlier, and possibly 7.1.3 and 8.1.6, allows remote attackers to execute arbitrary code via a crafted PDF file that triggers memory corruption, as exploited in the wild in October 2009. NOTE: some of these details are obtained from third party information.
Wed, 14 Oct 09
kernel
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2908
The d_delete function in fs/ecryptfs/inode.c in eCryptfs in the Linux kernel 2.6.31 allows local users to cause a denial of service (kernel OOPS) and possibly execute arbitrary code via unspecified vectors that cause a "negative dentry" and trigger a NULL pointer dereference, as demonstrated via a Mutt temporary directory in an eCryptfs mount.
Wed, 14 Oct 09
application_management_suite, hyperic_hq, tc_server
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2898
Cross-site scripting (XSS) vulnerability in the Alerts list feature in the web interface in SpringSource Hyperic HQ 3.2.x before 3.2.6.1, 4.0.x before 4.0.3.1, 4.1.x before 4.1.2.1, and 4.2-beta1; Application Management Suite (AMS) 2.0.0.SR3; and tc Server 6.0.20.B allows remote authenticated users to inject arbitrary web script or HTML via the Description field. NOTE: some of these details are obtained from third party information.
Wed, 14 Oct 09
application_management_suite, hyperic_hq, tc_server
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2897
Multiple cross-site scripting (XSS) vulnerabilities in hq/web/common/GenericError.jsp in the generic exception handler in the web interface in SpringSource Hyperic HQ 3.2.x before 3.2.6.1, 4.0.x before 4.0.3.1, 4.1.x before 4.1.2.1, and 4.2-beta1; Application Management Suite (AMS) 2.0.0.SR3; and tc Server 6.0.20.B allow remote attackers to inject arbitrary web script or HTML via invalid values for numerical parameters, as demonstrated by an uncaught java.lang.NumberFormatException exception ...
Wed, 14 Oct 09
apr, http_server
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2699
The Solaris pollset feature in the Event Port backend in poll/unix/port.c in the Apache Portable Runtime (APR) library before 1.3.9, as used in the Apache HTTP Server before 2.2.14 and other products, does not properly handle errors, which allows remote attackers to cause a denial of service (daemon hang) via unspecified HTTP requests, related to the prefork and event MPMs.
Wed, 14 Oct 09
CVE-2009-2684 (cm8050_mfp, cm8060_mfp, color_laserjet_3000n, color_laserjet_3600n, color_laserje...)
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2684
Multiple cross-site scripting (XSS) vulnerabilities in Jetdirect and the Embedded Web Server (EWS) on certain HP LaserJet and Color LaserJet printers, and HP Digital Senders, allow remote attackers to inject arbitrary web script or HTML via the (1) Product_URL or (2) Tech_URL parameter in an Apply action to the support_param.html/config script.
Fri, 9 Oct 09
ddcms
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3597
Digitaldesign CMS 0.1 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the database file via a direct request for autoconfig.dd.
Fri, 9 Oct 09
vs_panel
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3590
SQL injection vulnerability in showcat.php in VS PANEL 7.3.6 allows remote attackers to execute arbitrary SQL commands via the Cat_ID parameter.
Fri, 9 Oct 09
incron
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3589
incron 0.5.5 does not initialize supplementary groups when running a process from a user's incrontabs, which causes the process to be run with the incrond supplementary groups and allows local users to gain privileges via an incrontab table.
Fri, 2 Oct 09
tivoli_composite_application_manager_for_wesbsphere
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3521
Multiple cross-site scripting (XSS) vulnerabilities in the Visualization Engine (VE) in IBM Tivoli Composite Application Manager for WebSphere (ITCAM) 6.1.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Fri, 2 Oct 09
cmsphp
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3520
Cross-site request forgery (CSRF) vulnerability in the Your_account module in CMSphp 0.21 allows remote attackers to hijack the authentication of administrators for requests that change an administrator password via the pseudo, pwd, and uid parameters in an admin_info_user_verif action.
Fri, 2 Oct 09
justvisual
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3511
Multiple PHP remote file inclusion vulnerabilities in justVisual 1.2 allow remote attackers to execute arbitrary PHP code via a URL in the fs_jVroot parameter to (1) sites/site/pages/index.php, (2) sites/test/pages/contact.php, (3) system/pageTemplate.php, and (4) system/utilities.php.
Fri, 2 Oct 09
linkspheric
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3510
SQL injection vulnerability in viewListing.php in linkSpheric 0.74 Beta 6 allows remote attackers to execute arbitrary SQL commands via the listID parameter.
Fri, 2 Oct 09
cj_dynamic_poll
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3509
Cross-site scripting (XSS) vulnerability in admin/admin_index.php in CJ Dynamic Poll PRO 2.0 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO.
Fri, 2 Oct 09
mujecms
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3508
Multiple directory traversal vulnerabilities in MUJE CMS 1.0.4.34 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the (1) _class parameter to admin.php and the (2) url parameter to install/install.php; and allow remote authenticated administrators to read arbitrary files via a .. (dot dot) in the (3) _htmlfile parameter to admin.php.
Fri, 2 Oct 09
cmsphp
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3507
Directory traversal vulnerability in modules.php in CMSphp 0.21 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the mod_file parameter.
Fri, 2 Oct 09
cmsphp
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3506
Multiple cross-site scripting (XSS) vulnerabilities in CMSphp 0.21 allow remote attackers to inject arbitrary web script or HTML via the (1) cook_user parameter to index.php and the (2) name parameter to modules.php.
Thu, 1 Oct 09
icrm_basic
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3480
SQL injection vulnerability in the iCRM Basic (com_icrmbasic) component 1.4.2.31 for Joomla! allows remote attackers to execute arbitrary SQL commands via the p3 parameter to index.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.