Software Vulnerability
Main
Software Alerts
Software and Script Bug ExploitsSoftware Vulnerability
Random Feeds
Archives
| Jan 2012 | Dec 2011 | Nov 2011 | Oct 2011 | Sep 2011 | Aug 2011 | Jul 2011 | Jun 2011 | May 2011 | Apr 2011 | Mar 2011 | Feb 2011 | Jan 2011 | Dec 2010 | Nov 2010 | Oct 2010 | Sep 2010 | Aug 2010 | Jul 2010 | Jun 2010 | May 2010 | Apr 2010 | Mar 2010 | Feb 2010 | Jan 2010 | Dec 2009 | Nov 2009 | Oct 2009 | Sep 2009 | Aug 2009 | Jul 2009 | Jun 2009 | May 2009 | Apr 2009 | Mar 2009 | Feb 2009 | Jan 2009 | Dec 2008 | Nov 2008 | Oct 2008 | Sep 2008 | Aug 2008 | Jul 2008 | Jun 2008 | May 2008 | Apr 2008 | Mar 2008 | Feb 2008 | Jan 2008 | Dec 2007 | Nov 2007 |Thu, 31 Dec 09
phpope
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4472
Multiple PHP remote file inclusion vulnerabilities in PHPope 1.0.0 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the (1) GLOBALS[config][dir][plugins] parameter to plugins/address/admin/index.php, (2) GLOBALS[config][dir][functions] parameter to plugins/im/compose.php, and (3) GLOBALS[config][dir][classes] parameter to plugins/cssedit/admin/index.php.
Thu, 31 Dec 09
freeschool
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4471
Multiple PHP remote file inclusion vulnerabilities in FreeSchool 1.1.0 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the CLASSPATH parameter to (1) bib_form.php, (2) bib_pldetails.php, (3) bib_plform.php, (4) bib_plsearchc.php, (5) bib_plsearchs.php, (6) bib_save.php, (7) bib_searchc.php, (8) bib_searchs.php, (9) edi_form.php, (10) edi_save.php, (11) gen_form.php, (12) gen_save.php, (13) lin_form.php, (14) lin_save.php, (15) luo_form.php, (16) luo_save.php, (17...
Thu, 31 Dec 09
dvbbs
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4470
SQL injection vulnerability in boardrule.php in DVBBS 2.0 allows remote attackers to execute arbitrary SQL commands via the groupboardid parameter.
Thu, 31 Dec 09
phppowercards
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4469
Multiple cross-site scripting (XSS) vulnerabilities in pagenumber.inc.php in phpPowerCards 2.0 allow remote attackers to inject arbitrary web script or HTML via the (1) PATH_INFO, the (2) archiv parameter, and the (3) subcat parameter.
Thu, 31 Dec 09
deluxebb
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4468
Cross-site scripting (XSS) vulnerability in misc.php in DeluxeBB 1.3 allows remote attackers to inject arbitrary web script or HTML via the page parameter.
Thu, 31 Dec 09
deluxebb
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4467
misc.php in DeluxeBB 1.3 allows remote attackers to register accounts without a valid email address via a valemail action with the valmem set to a pre-assigned user ID, which is visible from a memberlist action.
Thu, 31 Dec 09
deluxebb
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4466
DeluxeBB 1.3 allows remote attackers to obtain sensitive information via a crafted page parameter to misc.php, which reveals the installation path in an error message. NOTE: this issue might be resultant from improperly controlled computation in tools.php that leads to a denial of service (CPU or memory consumption).
Thu, 31 Dec 09
deluxebb
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4465
DeluxeBB 1.3 stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain user and configuration information, log data, and gain administrative access via a direct request to scripts in (1) templates/ including (2) templates/deluxe/admincp/, (3) templates/corporate/admincp/, and (4) templates/blue/admincp/; (5) images/; (6) logs/ including (7) logs/cp.php; (8) wysiwyg/; (9) docs/; (10) classes/; (11) lang/; and (12) settings/.
Thu, 31 Dec 09
active_business_directory
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4464
Cross-site scripting (XSS) vulnerability in searchadvance.asp in Active Business Directory 2 allows remote attackers to inject arbitrary web script or HTML via the search parameter.
Thu, 31 Dec 09
netbiter_webscada_firmware, netbiter_webscada_ws100, netbiter_webscada_ws200
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4463
The firmware for Intellicom NetBiter WebSCADA uses hard-coded passwords, which makes it easier for remote attackers to obtain access.
Thu, 31 Dec 09
netbiter_webscada_ws100, netbiter_webscada_ws200, netbiterconfig
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4462
Stack-based buffer overflow in NetBiterConfig.exe 1.3.0 in Intellicom NetBiter WebSCADA allows remote attackers to execute arbitrary code via a long hn (hostname) parameter in a crafted HICP-protocol UDP packet.
Thu, 31 Dec 09
flatpress
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4461
Multiple cross-site scripting (XSS) vulnerabilities in FlatPress 0.909 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) contact.php, (2) login.php, and (3) search.php.
Thu, 31 Dec 09
auto-surf_traffic_exchange_script
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4460
Multiple cross-site scripting (XSS) vulnerabilities in Auto-Surf Traffic Exchange Script 1.1 allow remote attackers to inject arbitrary web script or HTML via the rid parameter to (1) index.php, (2) faq.php, and (3) register.php.
Thu, 31 Dec 09
redmine
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4459
Redmine 0.8.7 and earlier uses the title tag before defining the character encoding in a meta tag, which allows remote attackers to conduct cross-site scripting (XSS) attacks and inject arbitrary script via UTF-7 encoded values in the title parameter to a new issue page, which may be interpreted as script by Internet Explorer 7 and 8.
Wed, 23 Dec 09
php-calendar
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3702
Multiple absolute path traversal vulnerabilities in PHP-Calendar 1.1 allow remote attackers to include and execute arbitrary local files via a full pathname in the configfile parameter to (1) update08.php or (2) update10.php. NOTE: in some environments, this can be leveraged for remote file inclusion by using a UNC share pathname or an ftp, ftps, or ssh2.sftp URL.
Fri, 18 Dec 09
firefox, seamonkey, thunderbird
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3980
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 3.5.x before 3.5.6, SeaMonkey before 2.0.1, and Thunderbird allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
Fri, 18 Dec 09
firefox, seamonkey
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3979
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, SeaMonkey before 2.0.1, and Thunderbird allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
Fri, 18 Dec 09
firefox, seamonkey
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3389
Integer overflow in libtheora in Xiph.Org Theora before 1.1, as used in Mozilla Firefox 3.5 before 3.5.6 and SeaMonkey before 2.0.1, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a video with large dimensions.
Fri, 18 Dec 09
firefox, seamonkey
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3388
liboggplay in Mozilla Firefox 3.5.x before 3.5.6 and SeaMonkey before 2.0.1 might allow context-dependent attackers to cause a denial of service (application crash) or execute arbitrary code via unspecified vectors, related to "memory safety issues."
Sat, 5 Dec 09
mt882_modem, mt882_modem_firmware
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4197
rpwizPppoe.htm in Huawei MT882 V100R002B020 ARG-T running firmware 3.7.9.98 contains a form that does not disable the autocomplete setting for the password parameter, which makes it easier for local users or physically proximate attackers to obtain the password from web browsers that support autocomplete.
Sat, 5 Dec 09
mt882_v100t002b020_arg-t
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4196
Multiple cross-site scripting (XSS) vulnerabilities in multiple scripts in Forms/ in Huawei MT882 V100R002B020 ARG-T running firmware 3.7.9.98 allow remote attackers to inject arbitrary web script or HTML via the (1) BackButton parameter to error_1; (2) wzConnFlag parameter to fresh_pppoe_1; (3) diag_pppindex_argen and (4) DiagStartFlag parameters to rpDiag_argen_1; (5) wzdmz_active and (6) wzdmzHostIP parameters to rpNATdmz_argen_1; (7) wzVIRTUALSVR_endPort, (8) wzVIRTUALSVR_endPortLocal, (9...
Sat, 5 Dec 09
illustrator
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4195
Buffer overflow in Adobe Illustrator CS4 13.0.0 and 14.0.0 allows user-assisted remote attackers to execute arbitrary code via a long DSC Comment in encapsulated Postscript (.eps) file. NOTE: some of these details are obtained from third party information.
Sat, 5 Dec 09
CVE-2009-2631 (adaptive_security_appliance, e-class_ssl_vpn, safenet_securewire_access_gateway, ...)
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2631
Multiple clientless SSL VPN products that run in web browsers, including Stonesoft StoneGate; Cisco ASA; SonicWALL E-Class SSL VPN and SonicWALL SSL VPN; and SafeNet SecureWire Access Gateway, when running in configurations that do not restrict access to the same domain as the VPN, retrieve the content of remote URLs from one domain and rewrite them so they originate from the VPN's domain, which violates the same origin policy and allows remote attackers to conduct cross-site scripting attack...
Thu, 3 Dec 09
db2
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4150
dasauto in IBM DB2 8 before FP18, 9.1 before FP8, 9.5 before FP4, and 9.7 before FP1 permits execution by unprivileged user accounts, which has unspecified impact and local attack vectors.
Thu, 3 Dec 09
asterisk, s800i
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4055
rtp.c in Asterisk Open Source 1.2.x before 1.2.37, 1.4.x before 1.4.27.1, 1.6.0.x before 1.6.0.19, and 1.6.1.x before 1.6.1.11; Business Edition B.x.x before B.2.5.13, C.2.x.x before C.2.4.6, and C.3.x.x before C.3.2.3; and s800i 1.3.x before 1.3.0.6 allows remote attackers to cause a denial of service (daemon crash) via an RTP comfort noise payload with a long data length.
Thu, 3 Dec 09
internet_explorer
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3672
Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code via vectors involving a call to the getElementsByTagName method for the CSS STYLE tag name, selection of the single element in the returned list, and a change to the outerHTML property of this element, which triggers memory corruption in the Microsoft HTML Viewer (mshtml.dll). NOTE: some of these details are obtained from third party information. NOTE: this issue was originally assigned CVE-2009-4054, but ...