The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date | Fixed Release |
|---|---|---|---|---|
| CVE-2008-7319 | The Net::Ping::External extension through 0.15 for Perl does not properly sanitize arguments (e.g., invalid hostnames) containing shell metacharacters before use of backticks in External.pm, allowing for shell command injection and arbitrary command execution if untrusted input is used. | -- | Nov 7, 2017 | n/a |
| CVE-2008-7320 | ** DISPUTED ** GNOME Seahorse through 3.30 allows physically proximate attackers to read plaintext passwords by using the quickAllow dialog at an unattended workstation, if the keyring is unlocked. NOTE: this is disputed by a software maintainer because the behavior represents a design decision. | LOW | Dec 17, 2018 | n/a |
| CVE-2008-7321 | The tubepress plugin before 1.6.5 for WordPress has XSS. | MEDIUM | Aug 23, 2019 | n/a |
| CVE-2008-10001 | ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as problematic, has been found in Pro2col Stingray FTS. The manipulation of the argument Username leads to cross site scripting. The attack may be initiated remotely. It is recommended to upgrade the affected component. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | MEDIUM | Mar 29, 2022 | n/a |
| CVE-2009-0035 | alsa-utils 1.0.19 and later versions allows local users to overwrite arbitrary files via a symlink attack via the /usr/bin/alsa-info and /usr/bin/alsa-info.sh scripts. | LOW | Nov 12, 2019 | n/a |
| CVE-2009-0037 | The redirect implementation in curl and libcurl 5.11 through 7.19.3, when CURLOPT_FOLLOWLOCATION is enabled, accepts arbitrary Location values, which might allow remote HTTP servers to (1) trigger arbitrary requests to intranet servers, (2) read or overwrite arbitrary files via a redirect to a file: URL, or (3) execute arbitrary commands via a redirect to an scp: URL. | Medium | Mar 13, 2009 | webcli_curl-7.50.3.0 (VxWorks 7) |
| CVE-2009-0590 | The ASN1_STRING_print_ex function in Ope | LOW | Apr 8, 2009 | n/a |
| CVE-2009-0591 | The CMS_verify function in OpenSSL 0.9.8h through 0.9.8j, when CMS is enabled, does not properly handle errors associated with malformed signed attributes, which allows remote attackers to repudiate a signature that originally appeared to be valid but was actually invalid. | LOW | Mar 27, 2009 | n/a |
| CVE-2009-0789 | OpenSSL before 0.9.8k on WIN64 and certain other platforms does not properly handle a malformed ASN.1 structure, which allows remote attackers to cause a denial of service (invalid memory access and application crash) by placing this structure in the public key of a certificate, as demonstrated by an RSA public key. | LOW | Mar 30, 2009 | n/a |
| CVE-2009-0947 | Multiple integer overflows in the (1) cdf_read_property_info and (2) cdf_read_sat functions in file before 5.02. | HIGH | Jun 2, 2021 | n/a |
| CVE-2009-0948 | Multiple buffer overflows in the (1) cdf_read_sat, (2) cdf_read_long_sector_chain, and (3) cdf_read_ssat function in file before 5.02. | HIGH | Jun 2, 2021 | n/a |
| CVE-2009-1120 | EMC RepliStor Server Service before ESA-09-003 has a DoASOCommand Remote Code Execution Vulnerability. The flaw exists within the DoRcvRpcCall RPC function -exposed via the rep_srv.exe process- where the vulnerability is caused by an error when the rep_srv.exe handles a specially crafted packet sent by an unauthenticated attacker. | HIGH | Jan 15, 2020 | n/a |
| CVE-2009-1197 | Apache jUDDI before 2.0 allows attackers to spoof entries in log files via vectors related to error logging of keys from uddiget.jsp. | -- | Nov 1, 2017 | n/a |
| CVE-2009-1198 | Cross-site scripting (XSS) vulnerability in Apache jUDDI before 2.0 allows remote attackers to inject arbitrary web script or HTML via the dsname parameter to happyjuddi.jsp. | -- | Nov 1, 2017 | n/a |
| CVE-2009-2042 | libpng before 1.2.37 does not properly parse 1-bit interlaced images with width values that are not divisible by 8, which causes libpng to include uninitialized bits in certain rows of a PNG file and might allow remote attackers to read portions of sensitive memory via out-of-bounds pixels in the file. | LOW | Jun 15, 2009 | n/a |
| CVE-2009-2417 | lib/ssluse.c in cURL and libcurl 7.4 through 7.19.5, when OpenSSL is used, does not properly handle a '�' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. | High | Aug 14, 2009 | webcli_curl-7.50.3.0 (VxWorks 7) |
| CVE-2009-2802 | MantisBT 1.2.x before 1.2.2 insecurely handles attachments and MIME types. Arbitrary inline attachment rendering could lead to cross-domain scripting or other browser attacks. | MEDIUM | Nov 12, 2019 | n/a |
| CVE-2009-3552 | In RHEV-M VDC 2.2.0, it was found that the SSL certificate was not verified when using the client-side Red Hat Enterprise Virtualization Manager interface (a Windows Presentation Foundation (WPF) XAML browser application) to connect to the Red Hat Enterprise Virtualization Manager. An attacker on the local network could use this flaw to conduct a man-in-the-middle attack, tricking the user into thinking they are viewing the Red Hat Enterprise Virtualization Manager when the content is actually attacker-controlled, or modifying actions a user requested Red Hat Enterprise Virtualization Manager to perform. | LOW | Nov 12, 2019 | n/a |
| CVE-2009-3560 | The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1, as used in the XML-Twig module for Perl, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with malformed UTF-8 sequences that trigger a buffer over-read, related to the doProlog function in lib/xmlparse.c, a different vulnerability than CVE-2009-2625 and CVE-2009-3720. | Medium | Dec 7, 2009 | xml-2.2.4.0 (VxWorks 7) |
| CVE-2009-3563 | ntp_request.c in ntpd in NTP before 4.2.4p8, and 4.2.5, allows remote attackers to cause a denial of service (CPU and bandwidth consumption) by using MODE_PRIVATE to send a spoofed (1) request or (2) response packet that triggers a continuous exchange of MODE_PRIVATE error responses between two NTP daemons. | LOW | Dec 10, 2009 | ntp-1.1.0.0 (VxWorks 7) |
| CVE-2009-3614 | liboping 1.3.2 allows users reading arbitrary files upon the local system. | LOW | Nov 12, 2019 | n/a |
| CVE-2009-3720 | The updatePosition function in lib/xmltok_impl.c in libexpat in Expat 2.0.1, as used in Python, PyXML, w3c-libwww, and other software, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with crafted UTF-8 sequences that trigger a buffer over-read, a different vulnerability than CVE-2009-2625. | Medium | Nov 12, 2009 | xml-2.2.4.0 (VxWorks 7) |
| CVE-2009-3721 | Multiple directory traversal and buffer overflow vulnerabilities were discovered in yTNEF, and in Evolution\'s TNEF parser that is derived from yTNEF. A crafted email could cause these applications to write data in arbitrary locations on the filesystem, crash, or potentially execute arbitrary code when decoding attachments. | MEDIUM | May 26, 2021 | n/a |
| CVE-2009-3723 | asterisk allows calls on prohibited networks | MEDIUM | Oct 29, 2019 | n/a |
| CVE-2009-3724 | python-markdown2 before 1.0.1.14 has multiple cross-site scripting (XSS) issues. | MEDIUM | Jan 16, 2020 | n/a |
| CVE-2009-3887 | ytnef has directory traversal | HIGH | Oct 29, 2019 | n/a |
| CVE-2009-4011 | dtc-xen 0.5.x before 0.5.4 suffers from a race condition where an attacker could potentially get a bash access as xenXX user on the dom0, and then access a potentially reuse an already opened VPS console. | MEDIUM | Nov 12, 2019 | n/a |
| CVE-2009-4067 | Buffer overflow in the auerswald_probe function in the Auerswald Linux USB driver for the Linux kernel before 2.6.27 allows physically proximate attackers to execute arbitrary code, cause a denial of service via a crafted USB device, or take full control of the system. | HIGH | Feb 12, 2020 | n/a |
| CVE-2009-4267 | The console in Apache jUDDI 3.0.0 does not properly escape line feeds, which allows remote authenticated users to spoof log entries via the numRows parameter. | MEDIUM | Feb 19, 2018 | n/a |
| CVE-2009-4899 | pixelpost 1.7.1 has SQL injection | HIGH | Oct 29, 2019 | n/a |
| CVE-2009-4900 | pixelpost 1.7.1 has XSS | MEDIUM | Oct 29, 2019 | n/a |
| CVE-2009-5004 | qpid-cpp 1.0 crashes when a large message is sent and the Digest-MD5 mechanism with a security layer is in use . | MEDIUM | Nov 12, 2019 | n/a |
| CVE-2009-5025 | A backdoor (aka BMSA-2009-07) was found in PyForum v1.0.3 where an attacker who knows a valid user email could force a password reset on behalf of that user. | MEDIUM | Jan 15, 2020 | n/a |
| CVE-2009-5041 | overkill has buffer overflow via long player names that can corrupt data on the server machine | HIGH | Oct 31, 2019 | n/a |
| CVE-2009-5042 | python-docutils allows insecure usage of temporary files | MEDIUM | Oct 31, 2019 | n/a |
| CVE-2009-5043 | burn allows file names to escape via mishandled quotation marks | HIGH | Oct 31, 2019 | n/a |
| CVE-2009-5045 | Dump Servlet information leak in jetty before 6.1.22. | MEDIUM | Nov 13, 2019 | n/a |
| CVE-2009-5046 | JSP Dump and Session Dump Servlet XSS in jetty before 6.1.22. | MEDIUM | Nov 13, 2019 | n/a |
| CVE-2009-5047 | Jetty 6.x through 6.1.22 suffers from an escape sequence injection vulnerability from an attack vector by means of: 1) Cookie Dump Servlet and 2) Http Content-Length header. 1) A POST request to the form at /test/cookie/ with the Age parameter set to a string throws a java.lang.NumberFormatException which reflects binary characters including ESC. These characters could be used to execute arbitrary commands or buffer dumps in the terminal. 2) The attack vector in 1) can be exploited by requesting a page using an HTTP request Content-Length header set to a consonant string (string including only letters). | HIGH | Nov 21, 2019 | n/a |
| CVE-2009-5048 | Cookie Dump Servlet stored XSS vulnerability in jetty though 6.1.20. | MEDIUM | Nov 7, 2019 | n/a |
| CVE-2009-5049 | WebApp JSP Snoop page XSS in jetty though 6.1.21. | MEDIUM | Nov 8, 2019 | n/a |
| CVE-2009-5050 | konversation before 1.2.3 allows attackers to cause a denial of service. | MEDIUM | Nov 8, 2019 | n/a |
| CVE-2009-5068 | There is a file disclosure vulnerability in SMF (Simple Machines Forum) affecting versions through v2.0.3. On some configurations a SMF deployment is shared by several co-admins that are not trusted beyond the SMF deployment. This vulnerability allows them to read arbitrary files on the filesystem and therefore gain new privileges by reading the settings.php with the database passwords. | LOW | Jan 15, 2020 | n/a |
| CVE-2009-5139 | The SIP implementation on the Gizmo5 software phone provides hashed credentials in a response to an invalid authentication challenge, which makes it easier for remote attackers to obtain access via a brute-force attack, related to a SIP Digest Leak issue. | MEDIUM | Feb 14, 2020 | n/a |
| CVE-2009-5140 | The SIP implementation on the Linksys SPA2102 phone adapter provides hashed credentials in a response to an invalid authentication challenge, which makes it easier for remote attackers to obtain access via a brute-force attack, related to a SIP Digest Leak issue. | MEDIUM | Feb 14, 2020 | n/a |
| CVE-2009-5144 | mod-gnutls does not validate client certificates when GnuTLSClientVerify require is set in a directory context, which allows remote attackers to spoof clients via a crafted certificate. | MEDIUM | Feb 3, 2018 | n/a |
| CVE-2009-5145 | Cross-site scripting (XSS) vulnerability in ZMI pages that use the manage_tabs_message in Zope 2.11.4, 2.11.2, 2.10.9, 2.10.7, 2.10.6, 2.10.5, 2.10.4, 2.10.2, 2.10.1, 2.12. | -- | Aug 7, 2017 | n/a |
| CVE-2009-5147 | DL::dlopen in Ruby 1.8, 1.9.0, 1.9.2, 1.9.3, 2.0.0 before patchlevel 648, and 2.1 before 2.1.8 opens libraries with tainted names. | High | Apr 4, 2017 | n/a |
| CVE-2009-5150 | Absolute Computrace Agent V80.845 and V80.866 does not have a digital signature for the configuration block, which allows attackers to set up communication with a web site other than the intended search.namequery.com site by modifying data within a disk\'s inter-partition space. This allows a privileged local user to execute arbitrary code even after that user loses access and all disk partitions are reformatted. | HIGH | May 11, 2018 | n/a |
| CVE-2009-5151 | The stub component of Absolute Computrace Agent V70.785 executes code from a disk\'s inter-partition space without requiring a digital signature for that code, which allows attackers to execute code on the BIOS. This allows a privileged local user to achieve persistent control of BIOS behavior, independent of later disk changes. | HIGH | May 11, 2018 | n/a |
