The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date |
|---|---|---|---|
| CVE-2008-3771 | Cross-site scripting (XSS) vulnerability in members.php in Pars4u Videosharing 1 allows remote attackers to inject arbitrary web script or HTML via the PageNo parameter. | Medium | Aug 25, 2008 |
| CVE-2008-3770 | Multiple directory traversal vulnerabilities in Freeway 1.4.1.171, when register_globals is enabled, allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the language parameter to (1) includes/events_application_top.php; (2) english/account.php, (3) french/account.php, and (4) french/account_Unchangedsletters.php in includes/languages/; (5) includes/modules/faqdesk/faqdesk_article_require.php; (6) includes/modules/Unchangedsdesk/Unchangedsdesk_article_require.php; (7) card1.php, (8) loginbox.php, and (9) whos_online.php in templates/Freeway/boxes/; and (10) templates/Freeway/mainpage_modules/mainpage.php. NOTE: vector 1 may be the same as CVE-2008-3677. | High | Aug 25, 2008 |
| CVE-2008-3769 | PHP remote file inclusion vulnerability in admin/create_order_Unchanged.php in Freeway 1.4.1.171, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the include_page parameter. | Medium | Aug 25, 2008 |
| CVE-2008-3768 | Multiple SQL injection vulnerabilities in class.ajax.php in Turnkey Web Tools SunShop Shopping Cart before 4.1.5 allow remote attackers to execute arbitrary SQL commands via (1) the id parameter in an edit_registry action to index.php, (2) a vector involving the check_email function, and other vectors. | High | Aug 25, 2008 |
| CVE-2008-3767 | SQL injection vulnerability in classified.php in phpBazar 2.0.2 allows remote attackers to execute arbitrary SQL commands via the adid parameter. | High | Aug 25, 2008 |
| CVE-2008-3766 | Realtime Internet Band Rehearsal Low-Latency (Internet) Connection tool (llcon) before 2.1.2 allows remote attackers to cause a denial of service (application crash) via malformed protocol messages. | Medium | Aug 25, 2008 |
| CVE-2008-3765 | SQL injection vulnerability in code.php in Quick Poll Script allows remote attackers to execute arbitrary SQL commands via the id parameter. | High | Aug 22, 2008 |
| CVE-2008-3764 | Eval injection vulnerability in chat.php in Turnkey PHP Live Helper 2.0.1 and earlier allows remote attackers to execute arbitrary PHP code via the test parameter, and probably arbitrary parameters. | High | Aug 22, 2008 |
| CVE-2008-3763 | Variable overwrite vulnerability in libsecure.php in Turnkey PHP Live Helper 2.0.1 and earlier, when register_globals is enabled, allows remote attackers to overwrite arbitrary variables related to the db config file. NOTE: this can be leveraged for code injection by overwriting the language file. | Medium | Aug 22, 2008 |
| CVE-2008-3762 | SQL injection vulnerability in onlinestatus_html.php in Turnkey PHP Live Helper 2.0.1 and earlier allows remote attackers to execute arbitrary SQL commands via the dep parameter, related to lack of input sanitization in the get function in global.php. | High | Aug 22, 2008 |
| CVE-2008-3761 | hcmon.sys in VMware Workstation 6.0.0.45731 uses the METHOD_NEITHER communication method for IOCTLs, which has an unknown impact (possibly crash) and local attack vectors via a crafted IOCTL request. | Medium | Aug 22, 2008 |
| CVE-2008-3760 | Cross-site request forgery (CSRF) vulnerability in the sign-out page in Vanilla 1.1.4 and earlier allows remote attackers to trigger the logout of other users via a link or IMG tag to the SignOutNow action in people.php. | Medium | Aug 22, 2008 |
| CVE-2008-3759 | Cross-site request forgery (CSRF) vulnerability in ajax/UpdateCheck.php in Vanilla 1.1.4 and earlier has unknown impact and remote attack vectors. | High | Aug 22, 2008 |
| CVE-2008-3758 | Multiple cross-site scripting (XSS) vulnerabilities in Lussumo Vanilla 1.1.4 and earlier (1) allow remote attackers to inject arbitrary web script or HTML via the UnchangedPassword parameter to people.php, and allow remote authenticated users to inject arbitrary web script or HTML via the (2) Account picture and (3) Icon fields in account.php. NOTE: some of these details are obtained from third party information. | Medium | Aug 22, 2008 |
| CVE-2008-3757 | SQL injection vulnerability in tr1.php in YourFreeWorld Forced Matrix Script allows remote attackers to execute arbitrary SQL commands via the id parameter. | High | Aug 22, 2008 |
| CVE-2008-3756 | SQL injection vulnerability in tr.php in YourFreeWorld Viral Marketing Script allows remote attackers to execute arbitrary SQL commands via the id parameter. | High | Aug 22, 2008 |
| CVE-2008-3755 | SQL injection vulnerability in view.php in YourFreeWorld Classifieds Script allows remote attackers to execute arbitrary SQL commands via the category parameter. | High | Aug 22, 2008 |
| CVE-2008-3754 | SQL injection vulnerability in trl.php in YourFreeWorld Stylish Text Ads Script allows remote attackers to execute arbitrary SQL commands via the id parameter. | High | Aug 22, 2008 |
| CVE-2008-3753 | SQL injection vulnerability in details.php in YourFreeWorld Programs Rating Script allows remote attackers to execute arbitrary SQL commands via the id parameter. | High | Aug 22, 2008 |
| CVE-2008-3752 | SQL injection vulnerability in tr.php in YourFreeWorld Ad-Exchange Script allows remote attackers to execute arbitrary SQL commands via the id parameter. | High | Aug 22, 2008 |
| CVE-2008-3751 | SQL injection vulnerability in tr.php in YourFreeWorld Short Url & Url Tracker Script allows remote attackers to execute arbitrary SQL commands via the id parameter. | High | Aug 22, 2008 |
| CVE-2008-3750 | SQL injection vulnerability in tr.php in YourFreeWorld URL Rotator Script allows remote attackers to execute arbitrary SQL commands via the id parameter. | High | Aug 22, 2008 |
| CVE-2008-3749 | SQL injection vulnerability in tr.php in Banner Management Script allows remote attackers to execute arbitrary SQL commands via the id parameter. | High | Aug 22, 2008 |
| CVE-2008-3748 | SQL injection vulnerability in view_group.php in Active PHP Bookmarks (APB) 1.1.02 and 1.2.06 allows remote attackers to execute arbitrary SQL commands via the id parameter. | High | Aug 22, 2008 |
| CVE-2008-3747 | The (1) get_edit_post_link and (2) get_edit_comment_link functions in wp-includes/link-template.php in WordPress before 2.6.1 do not force SSL communication in the intended situations, which might allow remote attackers to gain administrative access by sniffing the network for a cookie. | High | Aug 27, 2008 |
| CVE-2008-3746 | neon 0.28.0 through 0.28.2 allows remote servers to cause a denial of service (NULL pointer dereference and crash) via vectors related to Digest authentication and Digest domain parameter support. | Medium | Aug 27, 2008 |
| CVE-2008-3745 | The Upload module in Drupal 6.x before 6.4 allows remote authenticated users to edit nodes, delete files, and download unauthorized attachments via unspecified vectors. | Medium | Aug 27, 2008 |
| CVE-2008-3744 | Multiple cross-site request forgery (CSRF) vulnerabilities in Drupal 5.x before 5.10 and 6.x before 6.4 allow remote attackers to (1) add or (2) delete user access rules as administrators via an unspecified URL. | Medium | Aug 27, 2008 |
| CVE-2008-3743 | Multiple cross-site request forgery (CSRF) vulnerabilities in forms in Drupal 6.x before 6.4 allow remote attackers to perform unspecified actions via unknown vectors, related to improper token validation for (1) cached forms and (2) forms with AHAH elements. | Medium | Aug 27, 2008 |
| CVE-2008-3742 | Unrestricted file upload vulnerability in the BlogAPI module in Drupal 5.x before 5.10 and 6.x before 6.4 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, which is not validated. | Medium | Aug 27, 2008 |
| CVE-2008-3741 | The private filesystem in Drupal 5.x before 5.10 and 6.x before 6.4 trusts the MIME type sent by a web browser, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks by uploading files containing arbitrary web script or HTML. | Low | Aug 27, 2008 |
| CVE-2008-3740 | Cross-site scripting (XSS) vulnerability in the output filter in Drupal 5.x before 5.10 and 6.x before 6.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | Medium | Aug 27, 2008 |
| CVE-2008-3739 | Cross-site scripting (XSS) vulnerability in (1) System Consultants La!Cooda WIZ 1.4.0 and earlier and (2) SpaceTag LacoodaST 2.1.3 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly involving upload of files containing XSS sequences. | Medium | Aug 28, 2008 |
| CVE-2008-3738 | Session fixation vulnerability in SpaceTag LacoodaST 2.1.3 and earlier allows remote attackers to hijack web sessions via unspecified vectors. | Medium | Aug 28, 2008 |
| CVE-2008-3737 | Unspecified vulnerability in (1) System Consultants La!Cooda WIZ 1.4.0 and earlier and (2) SpaceTag LacoodaST 2.1.3 and earlier allows remote attackers to execute arbitrary PHP scripts, and delete files, read files, and possibly have unknown other impact. | High | Aug 28, 2008 |
| CVE-2008-3736 | Multiple cross-site request forgery (CSRF) vulnerabilities in (1) System Consultants La!Cooda WIZ 1.4.0 and earlier and (2) SpaceTag LacoodaST 2.1.3 and earlier allow remote attackers to (a) change passwords or (b) change configurations as arbitrary users via unspecified vectors. | Medium | Aug 28, 2008 |
| CVE-2008-3735 | Cross-site scripting (XSS) vulnerability in index.php in PHPizabi before 848 Core HotFix Pack 3 allows remote attackers to inject arbitrary web script or HTML via the query parameter in a blogs.search action. | Medium | Aug 22, 2008 |
| CVE-2008-3734 | Format string vulnerability in Ipswitch WS_FTP Home 2007.0.0.2 and WS_FTP Professional 2007.1.0.0 allows remote FTP servers to cause a denial of service (application crash) or possibly execute arbitrary code via format string specifiers in a connection greeting (response). | High | Aug 22, 2008 |
| CVE-2008-3733 | Stack-based buffer overflow in EO Video (eo-video) 1.36 allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via a .eop (aka playlist) file with a ProjectElement element that contains a long Name element. | High | Aug 21, 2008 |
| CVE-2008-3732 | Integer overflow in the Open function in modules/demux/tta.c in VLC Media Player 0.8.6i allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted TTA file, which triggers a heap-based buffer overflow. NOTE: some of these details are obtained from third party information. | High | Aug 21, 2008 |
| CVE-2008-3731 | Unspecified vulnerability in Serv-U File Server 7.x before 7.2.0.1 allows remote authenticated users to cause a denial of service (daemon crash) via an SSH session with SFTP commands for directory creation and logging. | Medium | Aug 21, 2008 |
| CVE-2008-3730 | Cross-site scripting (XSS) vulnerability in Nordicwind Document Management System (NOAH) before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | Medium | Aug 21, 2008 |
| CVE-2008-3729 | Web Based Administration in MicroWorld Technologies MailScan 5.6.a espatch 1 allows remote attackers to bypass authentication and obtain administrative access via a direct request with (1) an IsAdmin=true cookie value or (2) no cookie. | High | Aug 21, 2008 |
| CVE-2008-3728 | Web Based Administration in MicroWorld Technologies MailScan 5.6.a espatch 1 stores sensitive information under the web root with insufficient access control, which allows remote attackers to determine the installation path, IP addresses, and error messages via direct requests to files under LOG/. | Medium | Aug 21, 2008 |
| CVE-2008-3727 | Directory traversal vulnerability in Web Based Administration in MicroWorld Technologies MailScan 5.6.a espatch 1 allows remote attackers to read arbitrary files via a .. (dot dot) in the URI. | Medium | Aug 21, 2008 |
| CVE-2008-3726 | Cross-site scripting (XSS) vulnerability in Web Based Administration in MicroWorld Technologies MailScan 5.6.a espatch 1 allows remote attackers to inject arbitrary web script or HTML via the URI. | Medium | Aug 21, 2008 |
| CVE-2008-3725 | SQL injection vulnerability in trr.php in YourFreeWorld Ad Board Script allows remote attackers to execute arbitrary SQL commands via the id parameter. | High | Aug 21, 2008 |
| CVE-2008-3724 | SQL injection vulnerability in index.php in Papoo before 3.7.2 allows remote attackers to execute arbitrary SQL commands via the suchanzahl parameter. | High | Aug 21, 2008 |
| CVE-2008-3723 | Directory traversal vulnerability in index.php in PHPizabi 0.848b C1 HFP3 allows remote authenticated administrators to read arbitrary files via (1) a .. (dot dot), (2) a URL, or possibly (3) a full pathname in the id parameter in an admin.templates.edittemplate action. NOTE: some of these details are obtained from third party information. | Medium | Aug 21, 2008 |
| CVE-2008-3722 | SQL injection vulnerability in forum/neu.asp in fipsCMS 2.1 allows remote attackers to execute arbitrary SQL commands via the kat parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | High | Aug 21, 2008 |
