Wind River Support Network

CVE Database

The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.

ID Description Priority Modified date
CVE-2008-4461 SQL injection vulnerability in advanced_search_results.php in Vastal I-Tech Dating Zone, possibly 0.9.9, allows remote attackers to execute arbitrary SQL commands via the fage parameter. High Oct 7, 2008
CVE-2008-4460 SQL injection vulnerability in game.php in Vastal I-Tech MMORPG Zone allows remote attackers to execute arbitrary SQL commands via the game_id parameter. High Oct 7, 2008
CVE-2008-4459 SQL injection vulnerability in pick_users.php in the groups module in eXtrovert Thyme 1.3 allows remote attackers to execute arbitrary SQL commands via the uname_search parameter. NOTE: some of these details are obtained from third party information. High Oct 7, 2008
CVE-2008-4458 SQL injection vulnerability in listings.php in E-Php B2B Trading Marketplace Script allows remote attackers to execute arbitrary SQL commands via the cid parameter in a product action. High Oct 7, 2008
CVE-2008-4457 SQL injection vulnerability in inc/inc_statistics.php in MemHT Portal 3.9.0 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via a stats_res cookie to index.php. Medium Oct 7, 2008
CVE-2008-4456 Cross-site scripting (XSS) vulnerability in the command-line client in MySQL 5.0.26 through 5.0.45, when the --html option is enabled, allows attackers to inject arbitrary web script or HTML by placing it in a database cell, which might be accessed by this client when composing an HTML document. Low Oct 11, 2008
CVE-2008-4455 Directory traversal vulnerability in index.php in EKINdesigns MySQL Quick Admin 1.5.5 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to read and execute arbitrary files via a .. (dot dot) in the language cookie. Medium Oct 7, 2008
CVE-2008-4454 Directory traversal vulnerability in EKINdesigns MySQL Quick Admin 1.5.5 allows remote attackers to read and execute arbitrary files via a .. (dot dot) in the lang parameter to actions.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. Medium Oct 7, 2008
CVE-2008-4453 The GdPicture (1) Light Imaging Toolkit 4.7.1 GdPicture4S.Imaging ActiveX control (gdpicture4s.ocx) 4.7.0.1 and (2) Pro Imaging SDK 5.7.1 GdPicturePro5S.Imaging ActiveX control (gdpicturepro5s.ocx) 5.7.0.1 allows remote attackers to create, overwrite, and modify arbitrary files via the SaveAsPDF method. NOTE: this issue might only be exploitable in limited environments or non-default browser settings. NOTE: this can be leveraged for remote code execution by accessing files using hcp:// URLs. NOTE: some of these details are obtained from third party information. High Oct 15, 2008
CVE-2008-4452 Buffer overflow in Cambridge Computer Corporation vxFtpSrv 2.0.3 allows remote attackers to cause a denial of service (crash and hang) and possibly execute arbitrary code via a long CWD request. High Oct 7, 2008
CVE-2008-4451 The SysInspector AntiStealth driver (esiasdrv.sys) 3.0.65535.0 in ESET System Analyzer Tool 1.1.1.0 allows local users to execute arbitrary code via a certain IOCTL request to \Device\esiasdrv that overwrites a pointer. High Oct 7, 2008
CVE-2008-4450 Cross-site scripting (XSS) vulnerability in adodb.php in XAMPP for Windows 1.6.8 allows remote attackers to inject arbitrary web script or HTML via the (1) dbserver, (2) host, (3) user, (4) password, (5) database, and (6) table parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. Medium Oct 7, 2008
CVE-2008-4449 Stack-based buffer overflow in mIRC 6.34 allows remote attackers to execute arbitrary code via a long hostname in a PRIVMSG message. High Oct 7, 2008
CVE-2008-4448 Cross-site request forgery (CSRF) vulnerability in actions.php in Positive Software H-Sphere WebShell 4.3.10 allows remote attackers to perform unauthorized actions as an administrator, including file deletion and creation, via a link or IMG tag to the (1) overkill, (2) futils, or (3) edit actions. Medium Oct 7, 2008
CVE-2008-4447 Cross-site scripting (XSS) vulnerability in actions.php in Positive Software H-Sphere WebShell 4.3.10 allows remote attackers to inject arbitrary web script or HTML via (1) the fn parameter during a dload action, (2) the fld parameter during a search action, and (3) the tab parameter during a sysinfo action. Medium Oct 7, 2008
CVE-2008-4446 Cross-site scripting (XSS) vulnerability in Nucleus EUC-JP 3.31 SP1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Medium Oct 10, 2008
CVE-2008-4445 The sctp_auth_ep_set_hmacs function in net/sctp/auth.c in the Stream Control Transmission Protocol (sctp) implementation in the Linux kernel before 2.6.26.4, when the SCTP-AUTH extension is enabled, does not verify that the identifier index is within the bounds established by SCTP_AUTH_HMAC_ID_MAX, which allows local users to obtain sensitive information via a crafted SCTP_HMAC_IDENT IOCTL request involving the sctp_getsockopt function, a different vulnerability than CVE-2008-4113. Medium Oct 10, 2008
CVE-2008-4444 Cisco Unified IP Phone (aka SIP phone) 7960G and 7940G with firmware P0S3-08-9-00 and possibly other versions before 8.10 allows remote attackers to cause a denial of service (device reboot) or possibly execute arbitrary code via a Realtime Transport Protocol (RTP) packet with malformed headers. High Jan 29, 2009
CVE-2008-4441 The Marvell driver for the Linksys WAP4400N Wi-Fi access point with firmware 1.2.14 on the Marvell 88W8361P-BEM1 chipset, when WEP mode is enabled, does not properly parse malformed 802.11 frames, which allows remote attackers to cause a denial of service (reboot or hang-up) via a malformed association request containing the WEP flag, as demonstrated by a request that is too short, a different vulnerability than CVE-2008-1144 and CVE-2008-1197. High Oct 17, 2008
CVE-2008-4440 The to-upgrade plugin in feta 1.4.16 allows local users to overwrite arbitrary files via a symlink on a temporary file. High Oct 11, 2008
CVE-2008-4439 PHP remote file inclusion vulnerability in admin/bin/patch.php in MartinWood Datafeed Studio allows remote attackers to execute arbitrary PHP code via a URL in the INSTALL_FOLDER parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. High Oct 6, 2008
CVE-2008-4438 Cross-site scripting (XSS) vulnerability in search.php in Datafeed Studio 1.6.2 allows remote attackers to inject arbitrary web script or HTML via the q parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. Medium Oct 6, 2008
CVE-2008-4437 Directory traversal vulnerability in importxml.pl in Bugzilla before 2.22.5, and 3.x before 3.0.5, when --attach_path is enabled, allows remote attackers to read arbitrary files via an XML file with a .. (dot dot) in the data element. High Oct 6, 2008
CVE-2008-4436 SQL injection vulnerability in bblog_plugins/builtin.help.php in bBlog 0.7.6 allows remote attackers to execute arbitrary SQL commands via the mod parameter. bBlog is no longer actively maintained, and there are no plans to carry on with development. Source: http://www.bblog.com/ High Oct 6, 2008
CVE-2008-4435 Multiple cross-site scripting (XSS) vulnerabilities in the RMSOFT Downloads Plus (rmdp) module 1.5 and 1.7 for Xoops allow remote attackers to inject arbitrary web script or HTML via the (1) key parameter to search.php and the (2) id parameter to down.php. Medium Oct 6, 2008
CVE-2008-4434 Stack-based buffer overflow in (1) uTorrent 1.7.7 build 8179 and earlier and (2) BitTorrent 6.0.3 build 8642 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long Created By field in a .torrent file. High Oct 6, 2008
CVE-2008-4433 SQL injection vulnerability in search.php in the RMSOFT MiniShop module 1.0 for Xoops might allow remote attackers to execute arbitrary SQL commands via the itemsxpag parameter. High Oct 7, 2008
CVE-2008-4432 Cross-site scripting (XSS) vulnerability in search.php in the RMSOFT MiniShop module 1.0 for Xoops allows remote attackers to inject arbitrary web script or HTML via the itemsxpag parameter. Medium Oct 6, 2008
CVE-2008-4431 SQL injection vulnerability in index.php in IceBB 1.0-rc9.3 and earlier allows remote attackers to execute arbitrary SQL commands via the skin parameter, probably related to an incorrect protection mechanism in the clean_string function in includes/functions.php. High Oct 6, 2008
CVE-2008-4430 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2008-3699. Reason: This candidate is a duplicate of CVE-2008-3699. Notes: All CVE users should reference CVE-2008-3699 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. REJECT Oct 10, 2008
CVE-2008-4429 Unspecified vulnerability in SOURCENEXT Virus Security ZERO 9.5.0173 and earlier and Virus Security 9.5.0173 and earlier allows remote attackers to cause a denial of service (memory consumption or application crash) via malformed compressed files. NOTE: some of these details are obtained from third party information. High Oct 6, 2008
CVE-2008-4428 Unrestricted file upload vulnerability in upload.php in Phlatline's Personal Information Manager (pPIM) 1.0 and earlier allows remote attackers to execute arbitrary code by uploading a .php file, then accessing it via a direct request to the file in the top-level directory. High Oct 6, 2008
CVE-2008-4427 changepassword.php in Phlatline's Personal Information Manager (pPIM) 1.0 and earlier does not require administrative authentication, which allows remote attackers to change arbitrary passwords. High Oct 6, 2008
CVE-2008-4426 Cross-site scripting (XSS) vulnerability in events.php in Phlatline's Personal Information Manager (pPIM) 1.0 allows remote attackers to inject arbitrary web script or HTML via the date parameter in a Unchanged action. Medium Oct 6, 2008
CVE-2008-4425 Directory traversal vulnerability in upload.php in Phlatline's Personal Information Manager (pPIM) 1.0 allows remote attackers to delete arbitrary files via directory traversal sequences in the file parameter within a delfile action. High Oct 6, 2008
CVE-2008-4424 Cross-site scripting (XSS) vulnerability in index.php in Domain Group Network GooCMS 1.02 allows remote attackers to inject arbitrary web script or HTML via the s parameter in a comments action. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. Medium Oct 6, 2008
CVE-2008-4423 SQL injection vulnerability in index.php in Ovidentia 6.6.5 allows remote attackers to execute arbitrary SQL commands via the item parameter in a contact modify action. Medium Oct 6, 2008
CVE-2008-4422 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2008-4409. Reason: This candidate is a duplicate of CVE-2008-4409. Notes: All CVE users should reference CVE-2008-4409 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. REJECT Oct 7, 2008
CVE-2008-4421 Directory traversal vulnerability in MetaGauge 1.0.0.17, and probably other versions before 1.0.3.38, allows remote attackers to read arbitrary files via a ..\ (dot dot backslash) in the URL. High Oct 10, 2008
CVE-2008-4420 Multiple stack-based buffer overflows in DZIP32.DLL before 5.0.0.8 in DynaZip Max and DZIPS32.DLL before 6.0.0.5 in DynaZip Max Secure; as used in HP OpenView Performance Agent C.04.60, HP Performance Agent C.04.70 and C.04.72, TurboZIP 6.0, and other products; allow user-assisted attackers to execute arbitrary code via a long filename in a ZIP archive during a (1) Fix (aka Repair), (2) Add, (3) Update, or (4) Freshen action, a related issue to CVE-2006-3985. High Apr 16, 2009
CVE-2008-4419 Directory traversal vulnerability in the HP JetDirect web administration interface in the HP-ChaiSOE 1.0 embedded web server on the LaserJet 9040mfp, LaserJet 9050mfp, and Color LaserJet 9500mfp before firmware 08.110.9; LaserJet 4345mfp and 9200C Digital Sender before firmware 09.120.9; Color LaserJet 4730mfp before firmware 46.200.9; LaserJet 2410, LaserJet 2420, and LaserJet 2430 before firmware 20080819 SPCL112A; LaserJet 4250 and LaserJet 4350 before firmware 20080819 SPCL015A; and LaserJet 9040 and LaserJet 9050 before firmware 20080819 SPCL110A allows remote attackers to read arbitrary files via directory traversal sequences in the URI. High Feb 10, 2009
CVE-2008-4418 Unspecified vulnerability in DCE in HP HP-UX B.11.11, B.11.23, and B.11.31 allows remote attackers to cause a denial of service via unknown vectors. High Dec 11, 2008
CVE-2008-4416 Unspecified vulnerability in the kernel in HP HP-UX B.11.31 allows local users to cause a denial of service via unknown vectors. Medium Dec 5, 2008
CVE-2008-4415 Unspecified vulnerability in HP Service Manager (HPSM) before 7.01.71 allows remote authenticated users to execute arbitrary code via unknown vectors. High Nov 18, 2008
CVE-2008-4414 Unspecified vulnerability in the AdvFS showfile command in HP Tru64 UNIX 5.1B-3 and 5.1B-4 allows local users to gain privileges via unspecified vectors. High Nov 15, 2008
CVE-2008-4413 Unspecified vulnerability in HP System Management Homepage (SMH) 2.2.6 and earlier on HP-UX B.11.11 and B.11.23, and SMH 2.2.6 and 2.2.8 and earlier on HP-UX B.11.23 and B.11.31, allows local users to gain unauthorized access via unknown vectors, possibly related to temporary file permissions. Medium Nov 15, 2008
CVE-2008-4412 Unspecified vulnerability in HP Systems Insight Manager (SIM) before 5.2 Update 2 (C.05.02.02.00) allows remote attackers to obtain sensitive information via unspecified vectors. Medium Oct 22, 2008
CVE-2008-4411 Cross-site scripting (XSS) vulnerability in HP System Management Homepage (SMH) before 2.1.15.210 on Linux and Windows allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2008-1663. Medium Oct 13, 2008
CVE-2008-4410 The vmi_write_ldt_entry function in arch/x86/kernel/vmi_32.c in the Virtual Machine Interface (VMI) in the Linux kernel 2.6.26.5 invokes write_idt_entry where write_ldt_entry was intended, which allows local users to cause a denial of service (persistent application failure) via crafted function calls, related to the Java Runtime Environment (JRE) experiencing improper LDT selector state, a different vulnerability than CVE-2008-3247. Medium Oct 10, 2008
CVE-2008-4409 libxml2 2.7.0 and 2.7.1 does not properly handle predefined entities definitions in entities, which allows context-dependent attackers to cause a denial of service (memory consumption and application crash), as demonstrated by use of xmllint on a certain XML document, a different vulnerability than CVE-2003-1564 and CVE-2008-3281. Medium Oct 10, 2008
The 'Fixed Release' column is displayed if a single product version is selected from the filter. The fixed release is applicable in cases when the CVE has been addressed and fixed for that product version. Requires LTSS - customers must have active LTSS (Long Term Security Shield) Support to receive up-to-date information about vulnerabilities that may affect legacy software. Please contact your Wind River account team or see https://docs.windriver.com/bundle/Support_and_Maintenance_Supplemental_Terms_and_Conditions and https://support2.windriver.com/index.php?page=plc for more information.