The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date |
|---|---|---|---|
| CVE-2008-4461 | SQL injection vulnerability in advanced_search_results.php in Vastal I-Tech Dating Zone, possibly 0.9.9, allows remote attackers to execute arbitrary SQL commands via the fage parameter. | High | Oct 7, 2008 |
| CVE-2008-4460 | SQL injection vulnerability in game.php in Vastal I-Tech MMORPG Zone allows remote attackers to execute arbitrary SQL commands via the game_id parameter. | High | Oct 7, 2008 |
| CVE-2008-4459 | SQL injection vulnerability in pick_users.php in the groups module in eXtrovert Thyme 1.3 allows remote attackers to execute arbitrary SQL commands via the uname_search parameter. NOTE: some of these details are obtained from third party information. | High | Oct 7, 2008 |
| CVE-2008-4458 | SQL injection vulnerability in listings.php in E-Php B2B Trading Marketplace Script allows remote attackers to execute arbitrary SQL commands via the cid parameter in a product action. | High | Oct 7, 2008 |
| CVE-2008-4457 | SQL injection vulnerability in inc/inc_statistics.php in MemHT Portal 3.9.0 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via a stats_res cookie to index.php. | Medium | Oct 7, 2008 |
| CVE-2008-4456 | Cross-site scripting (XSS) vulnerability in the command-line client in MySQL 5.0.26 through 5.0.45, when the --html option is enabled, allows attackers to inject arbitrary web script or HTML by placing it in a database cell, which might be accessed by this client when composing an HTML document. | Low | Oct 11, 2008 |
| CVE-2008-4455 | Directory traversal vulnerability in index.php in EKINdesigns MySQL Quick Admin 1.5.5 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to read and execute arbitrary files via a .. (dot dot) in the language cookie. | Medium | Oct 7, 2008 |
| CVE-2008-4454 | Directory traversal vulnerability in EKINdesigns MySQL Quick Admin 1.5.5 allows remote attackers to read and execute arbitrary files via a .. (dot dot) in the lang parameter to actions.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | Medium | Oct 7, 2008 |
| CVE-2008-4453 | The GdPicture (1) Light Imaging Toolkit 4.7.1 GdPicture4S.Imaging ActiveX control (gdpicture4s.ocx) 4.7.0.1 and (2) Pro Imaging SDK 5.7.1 GdPicturePro5S.Imaging ActiveX control (gdpicturepro5s.ocx) 5.7.0.1 allows remote attackers to create, overwrite, and modify arbitrary files via the SaveAsPDF method. NOTE: this issue might only be exploitable in limited environments or non-default browser settings. NOTE: this can be leveraged for remote code execution by accessing files using hcp:// URLs. NOTE: some of these details are obtained from third party information. | High | Oct 15, 2008 |
| CVE-2008-4452 | Buffer overflow in Cambridge Computer Corporation vxFtpSrv 2.0.3 allows remote attackers to cause a denial of service (crash and hang) and possibly execute arbitrary code via a long CWD request. | High | Oct 7, 2008 |
| CVE-2008-4451 | The SysInspector AntiStealth driver (esiasdrv.sys) 3.0.65535.0 in ESET System Analyzer Tool 1.1.1.0 allows local users to execute arbitrary code via a certain IOCTL request to \\Device\\esiasdrv that overwrites a pointer. | High | Oct 7, 2008 |
| CVE-2008-4450 | Cross-site scripting (XSS) vulnerability in adodb.php in XAMPP for Windows 1.6.8 allows remote attackers to inject arbitrary web script or HTML via the (1) dbserver, (2) host, (3) user, (4) password, (5) database, and (6) table parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | Medium | Oct 7, 2008 |
| CVE-2008-4449 | Stack-based buffer overflow in mIRC 6.34 allows remote attackers to execute arbitrary code via a long hostname in a PRIVMSG message. | High | Oct 7, 2008 |
| CVE-2008-4448 | Cross-site request forgery (CSRF) vulnerability in actions.php in Positive Software H-Sphere WebShell 4.3.10 allows remote attackers to perform unauthorized actions as an administrator, including file deletion and creation, via a link or IMG tag to the (1) overkill, (2) futils, or (3) edit actions. | Medium | Oct 7, 2008 |
| CVE-2008-4447 | Cross-site scripting (XSS) vulnerability in actions.php in Positive Software H-Sphere WebShell 4.3.10 allows remote attackers to inject arbitrary web script or HTML via (1) the fn parameter during a dload action, (2) the fld parameter during a search action, and (3) the tab parameter during a sysinfo action. | Medium | Oct 7, 2008 |
| CVE-2008-4446 | Cross-site scripting (XSS) vulnerability in Nucleus EUC-JP 3.31 SP1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | Medium | Oct 10, 2008 |
| CVE-2008-4445 | The sctp_auth_ep_set_hmacs function in net/sctp/auth.c in the Stream Control Transmission Protocol (sctp) implementation in the Linux kernel before 2.6.26.4, when the SCTP-AUTH extension is enabled, does not verify that the identifier index is within the bounds established by SCTP_AUTH_HMAC_ID_MAX, which allows local users to obtain sensitive information via a crafted SCTP_HMAC_IDENT IOCTL request involving the sctp_getsockopt function, a different vulnerability than CVE-2008-4113. | Medium | Oct 10, 2008 |
| CVE-2008-4444 | Cisco Unified IP Phone (aka SIP phone) 7960G and 7940G with firmware P0S3-08-9-00 and possibly other versions before 8.10 allows remote attackers to cause a denial of service (device reboot) or possibly execute arbitrary code via a Realtime Transport Protocol (RTP) packet with malformed headers. | High | Jan 29, 2009 |
| CVE-2008-4441 | The Marvell driver for the Linksys WAP4400N Wi-Fi access point with firmware 1.2.14 on the Marvell 88W8361P-BEM1 chipset, when WEP mode is enabled, does not properly parse malformed 802.11 frames, which allows remote attackers to cause a denial of service (reboot or hang-up) via a malformed association request containing the WEP flag, as demonstrated by a request that is too short, a different vulnerability than CVE-2008-1144 and CVE-2008-1197. | High | Oct 17, 2008 |
| CVE-2008-4440 | The to-upgrade plugin in feta 1.4.16 allows local users to overwrite arbitrary files via a symlink on a temporary file. | High | Oct 11, 2008 |
| CVE-2008-4439 | PHP remote file inclusion vulnerability in admin/bin/patch.php in MartinWood Datafeed Studio allows remote attackers to execute arbitrary PHP code via a URL in the INSTALL_FOLDER parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | High | Oct 6, 2008 |
| CVE-2008-4438 | Cross-site scripting (XSS) vulnerability in search.php in Datafeed Studio 1.6.2 allows remote attackers to inject arbitrary web script or HTML via the q parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | Medium | Oct 6, 2008 |
| CVE-2008-4437 | Directory traversal vulnerability in importxml.pl in Bugzilla before 2.22.5, and 3.x before 3.0.5, when --attach_path is enabled, allows remote attackers to read arbitrary files via an XML file with a .. (dot dot) in the data element. | High | Oct 6, 2008 |
| CVE-2008-4436 | SQL injection vulnerability in bblog_plugins/builtin.help.php in bBlog 0.7.6 allows remote attackers to execute arbitrary SQL commands via the mod parameter.bBlog is no longer actively maintained, and there are no plans to carry on with development. Source: http://www.bblog.com/ | High | Oct 6, 2008 |
| CVE-2008-4435 | Multiple cross-site scripting (XSS) vulnerabilities in the RMSOFT Downloads Plus (rmdp) module 1.5 and 1.7 for Xoops allow remote attackers to inject arbitrary web script or HTML via the (1) key parameter to search.php and the (2) id parameter to down.php. | Medium | Oct 6, 2008 |
| CVE-2008-4434 | Stack-based buffer overflow in (1) uTorrent 1.7.7 build 8179 and earlier and (2) BitTorrent 6.0.3 build 8642 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long Created By field in a .torrent file. | High | Oct 6, 2008 |
| CVE-2008-4433 | SQL injection vulnerability in search.php in the RMSOFT MiniShop module 1.0 for Xoops might allow remote attackers to execute arbitrary SQL commands via the itemsxpag parameter. | High | Oct 7, 2008 |
| CVE-2008-4432 | Cross-site scripting (XSS) vulnerability in search.php in the RMSOFT MiniShop module 1.0 for Xoops allows remote attackers to inject arbitrary web script or HTML via the itemsxpag parameter. | Medium | Oct 6, 2008 |
| CVE-2008-4431 | SQL injection vulnerability in index.php in IceBB 1.0-rc9.3 and earlier allows remote attackers to execute arbitrary SQL commands via the skin parameter, probably related to an incorrect protection mechanism in the clean_string function in includes/functions.php. | High | Oct 6, 2008 |
| CVE-2008-4430 | ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2008-3699. Reason: This candidate is a duplicate of CVE-2008-3699. Notes: All CVE users should reference CVE-2008-3699 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. | REJECT | Oct 10, 2008 |
| CVE-2008-4429 | Unspecified vulnerability in SOURCENEXT Virus Security ZERO 9.5.0173 and earlier and Virus Security 9.5.0173 and earlier allows remote attackers to cause a denial of service (memory consumption or application crash) via malformed compressed files. NOTE: some of these details are obtained from third party information. | High | Oct 6, 2008 |
| CVE-2008-4428 | Unrestricted file upload vulnerability in upload.php in Phlatline\'s Personal Information Manager (pPIM) 1.0 and earlier allows remote attackers to execute arbitrary code by uploading a .php file, then accessing it via a direct request to the file in the top-level directory. | High | Oct 6, 2008 |
| CVE-2008-4427 | changepassword.php in Phlatline\'s Personal Information Manager (pPIM) 1.0 and earlier does not require administrative authentication, which allows remote attackers to change arbitrary passwords. | High | Oct 6, 2008 |
| CVE-2008-4426 | Cross-site scripting (XSS) vulnerability in events.php in Phlatline\'s Personal Information Manager (pPIM) 1.0 allows remote attackers to inject arbitrary web script or HTML via the date parameter in a Unchanged action. | Medium | Oct 6, 2008 |
| CVE-2008-4425 | Directory traversal vulnerability in upload.php in Phlatline\'s Personal Information Manager (pPIM) 1.0 allows remote attackers to delete arbitrary files via directory traversal sequences in the file parameter within a delfile action. | High | Oct 6, 2008 |
| CVE-2008-4424 | Cross-site scripting (XSS) vulnerability in index.php in Domain Group Network GooCMS 1.02 allows remote attackers to inject arbitrary web script or HTML via the s parameter in a comments action. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | Medium | Oct 6, 2008 |
| CVE-2008-4423 | SQL injection vulnerability in index.php in Ovidentia 6.6.5 allows remote attackers to execute arbitrary SQL commands via the item parameter in a contact modify action. | Medium | Oct 6, 2008 |
| CVE-2008-4422 | ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2008-4409. Reason: This candidate is a duplicate of CVE-2008-4409. Notes: All CVE users should reference CVE-2008-4409 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. | REJECT | Oct 7, 2008 |
| CVE-2008-4421 | Directory traversal vulnerability in MetaGauge 1.0.0.17, and probably other versions before 1.0.3.38, allows remote attackers to read arbitrary files via a ..\\ (dot dot backslash) in the URL. | High | Oct 10, 2008 |
| CVE-2008-4420 | Multiple stack-based buffer overflows in DZIP32.DLL before 5.0.0.8 in DynaZip Max and DZIPS32.DLL before 6.0.0.5 in DynaZip Max Secure; as used in HP OpenView Performance Agent C.04.60, HP Performance Agent C.04.70 and C.04.72, TurboZIP 6.0, and other products; allow user-assisted attackers to execute arbitrary code via a long filename in a ZIP archive during a (1) Fix (aka Repair), (2) Add, (3) Update, or (4) Freshen action, a related issue to CVE-2006-3985. | High | Apr 16, 2009 |
| CVE-2008-4419 | Directory traversal vulnerability in the HP JetDirect web administration interface in the HP-ChaiSOE 1.0 embedded web server on the LaserJet 9040mfp, LaserJet 9050mfp, and Color LaserJet 9500mfp before firmware 08.110.9; LaserJet 4345mfp and 9200C Digital Sender before firmware 09.120.9; Color LaserJet 4730mfp before firmware 46.200.9; LaserJet 2410, LaserJet 2420, and LaserJet 2430 before firmware 20080819 SPCL112A; LaserJet 4250 and LaserJet 4350 before firmware 20080819 SPCL015A; and LaserJet 9040 and LaserJet 9050 before firmware 20080819 SPCL110A allows remote attackers to read arbitrary files via directory traversal sequences in the URI. | High | Feb 10, 2009 |
| CVE-2008-4418 | Unspecified vulnerability in DCE in HP HP-UX B.11.11, B.11.23, and B.11.31 allows remote attackers to cause a denial of service via unknown vectors. | High | Dec 11, 2008 |
| CVE-2008-4416 | Unspecified vulnerability in the kernel in HP HP-UX B.11.31 allows local users to cause a denial of service via unknown vectors. | Medium | Dec 5, 2008 |
| CVE-2008-4415 | Unspecified vulnerability in HP Service Manager (HPSM) before 7.01.71 allows remote authenticated users to execute arbitrary code via unknown vectors. | High | Nov 18, 2008 |
| CVE-2008-4414 | Unspecified vulnerability in the AdvFS showfile command in HP Tru64 UNIX 5.1B-3 and 5.1B-4 allows local users to gain privileges via unspecified vectors. | High | Nov 15, 2008 |
| CVE-2008-4413 | Unspecified vulnerability in HP System Management Homepage (SMH) 2.2.6 and earlier on HP-UX B.11.11 and B.11.23, and SMH 2.2.6 and 2.2.8 and earlier on HP-UX B.11.23 and B.11.31, allows local users to gain unauthorized access via unknown vectors, possibly related to temporary file permissions. | Medium | Nov 15, 2008 |
| CVE-2008-4412 | Unspecified vulnerability in HP Systems Insight Manager (SIM) before 5.2 Update 2 (C.05.02.02.00) allows remote attackers to obtain sensitive information via unspecified vectors. | Medium | Oct 22, 2008 |
| CVE-2008-4411 | Cross-site scripting (XSS) vulnerability in HP System Management Homepage (SMH) before 2.1.15.210 on Linux and Windows allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2008-1663. | Medium | Oct 13, 2008 |
| CVE-2008-4410 | The vmi_write_ldt_entry function in arch/x86/kernel/vmi_32.c in the Virtual Machine Interface (VMI) in the Linux kernel 2.6.26.5 invokes write_idt_entry where write_ldt_entry was intended, which allows local users to cause a denial of service (persistent application failure) via crafted function calls, related to the Java Runtime Environment (JRE) experiencing improper LDT selector state, a different vulnerability than CVE-2008-3247. | Medium | Oct 10, 2008 |
| CVE-2008-4409 | libxml2 2.7.0 and 2.7.1 does not properly handle predefined entities definitions in entities, which allows context-dependent attackers to cause a denial of service (memory consumption and application crash), as demonstrated by use of xmllint on a certain XML document, a different vulnerability than CVE-2003-1564 and CVE-2008-3281. | Medium | Oct 10, 2008 |
