Total
3376 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2009-2058 | 1 Apple | 1 Safari | 2024-11-21 | 6.8 MEDIUM | N/A |
| Apple Safari before 3.2.2 uses the HTTP Host header to determine the context of a document provided in a (1) 4xx or (2) 5xx CONNECT response from a proxy server, which allows man-in-the-middle attackers to execute arbitrary web script by modifying this CONNECT response, aka an "SSL tampering" attack. | |||||
| CVE-2009-2057 | 1 Microsoft | 2 Ie, Internet Explorer | 2024-11-21 | 5.8 MEDIUM | N/A |
| Microsoft Internet Explorer before 8 uses the HTTP Host header to determine the context of a document provided in a (1) 4xx or (2) 5xx CONNECT response from a proxy server, which allows man-in-the-middle attackers to execute arbitrary web script by modifying this CONNECT response, aka an "SSL tampering" attack. | |||||
| CVE-2009-2040 | 1 Grestul | 1 Grestul | 2024-11-21 | 7.5 HIGH | N/A |
| admin/options.php in Grestul 1.2 does not properly restrict access, which allows remote attackers to bypass authentication and create administrative accounts via a manage_admin action in a direct request. | |||||
| CVE-2009-2003 | 1 Ascadnetworks | 1 Password Protector Sd | 2024-11-21 | 7.5 HIGH | N/A |
| Ascad Networks Password Protector SD 1.3.1 allows remote attackers to bypass authentication and gain administrative access by setting the (1) c7portal and (2) cookname cookies to "admin." | |||||
| CVE-2009-1905 | 1 Ibm | 1 Db2 | 2024-11-21 | 2.6 LOW | N/A |
| The Common Code Infrastructure component in IBM DB2 8 before FP17, 9.1 before FP7, and 9.5 before FP4, when LDAP security (aka IBMLDAPauthserver) and anonymous bind are enabled, allows remote attackers to bypass password authentication and establish a database connection via unspecified vectors. | |||||
| CVE-2009-1878 | 1 Adobe | 1 Coldfusion | 2024-11-21 | 5.8 MEDIUM | N/A |
| Session fixation vulnerability in Adobe ColdFusion 8.0.1 and earlier allows remote attackers to hijack web sessions via unspecified vectors. | |||||
| CVE-2009-1854 | 1 Cmsnx | 1 Million Dollar Text Links | 2024-11-21 | 7.5 HIGH | N/A |
| Million Dollar Text Links 1.0 allows remote attackers to bypass authentication and gain administrative access by setting the userid cookie to 1. | |||||
| CVE-2009-1836 | 1 Mozilla | 3 Firefox, Seamonkey, Thunderbird | 2024-11-21 | 6.8 MEDIUM | N/A |
| Mozilla Firefox before 3.0.11, Thunderbird before 2.0.0.22, and SeaMonkey before 1.1.17 use the HTTP Host header to determine the context of a document provided in a non-200 CONNECT response from a proxy server, which allows man-in-the-middle attackers to execute arbitrary web script by modifying this CONNECT response, aka an "SSL tampering" attack. | |||||
| CVE-2009-1826 | 1 Collector | 1 Mygesuad | 2024-11-21 | 6.5 MEDIUM | N/A |
| modules/admuser.php in myGesuad 0.9.14 (aka 0.9) does not require administrative authentication, which allows remote authenticated users to list user accounts via a Find action. | |||||
| CVE-2009-1825 | 1 Collector | 1 Mycolex | 2024-11-21 | 4.0 MEDIUM | N/A |
| modules/admuser.php in myColex 1.4.2 does not require administrative authentication, which allows remote authenticated users to list user accounts via a Find action. | |||||
| CVE-2009-1754 | 1 Google | 1 Android | 2024-11-21 | 4.3 MEDIUM | N/A |
| The PackageManagerService class in services/java/com/android/server/PackageManagerService.java in Android 1.5 through 1.5 CRB42 does not properly check developer certificates during processing of sharedUserId requests at an application's installation time, which allows remote user-assisted attackers to access application data by creating a package that specifies a shared user ID with an arbitrary application. | |||||
| CVE-2009-1670 | 1 Tcpdb | 1 Tcpdb | 2024-11-21 | 7.5 HIGH | N/A |
| user/index.php in TCPDB 3.8 does not require administrative authentication, which allows remote attackers to add admin accounts via unspecified vectors. NOTE: some of these details are obtained from third party information. | |||||
| CVE-2009-1664 | 1 Easy-scripts | 1 Answer And Question Script | 2024-11-21 | 7.5 HIGH | N/A |
| myaccount.php in Easy Scripts Answer and Question Script does not verify the original password before changing passwords, which allows remote attackers to change the password of other users and gain privileges via modified userid, txtpassword, and txtRpassword parameters. | |||||
| CVE-2009-1638 | 1 T-dreams | 1 Job Career Package | 2024-11-21 | 7.5 HIGH | N/A |
| Techno Dreams Job Career Package 3.0 allows remote attackers to bypass authentication and obtain administrative access by setting the JobCareerAdmin cookie to Login. | |||||
| CVE-2009-1629 | 1 Antony Lesuisse | 1 Ajaxterm | 2024-11-21 | 6.8 MEDIUM | N/A |
| ajaxterm.js in AjaxTerm 0.10 and earlier generates session IDs with predictable random numbers based on certain JavaScript functions, which makes it easier for remote attackers to (1) hijack a session or (2) cause a denial of service (session ID exhaustion) via a brute-force attack. | |||||
| CVE-2009-1619 | 1 Teraway | 1 Filestream | 2024-11-21 | 7.5 HIGH | N/A |
| Teraway FileStream 1.0 allows remote attackers to bypass authentication and gain administrative access by setting the twFSadmin cookie to 1. | |||||
| CVE-2009-1618 | 1 Teraway | 1 Livehelp | 2024-11-21 | 7.5 HIGH | N/A |
| Teraway LiveHelp 2.0 allows remote attackers to bypass authentication and gain administrative access via a pwd=&lvl=1&usr=&alias=admin&userid=1 value for the TWLHadmin cookie. | |||||
| CVE-2009-1617 | 1 Teraway | 1 Linktracker | 2024-11-21 | 7.5 HIGH | N/A |
| Teraway LinkTracker 1.0 allows remote attackers to bypass authentication and gain administrative access via a userid=1&lvl=1 value for the twLTadmin cookie. | |||||
| CVE-2009-1596 | 1 Igniterealtime | 1 Openfire | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Ignite Realtime Openfire before 3.6.5 does not properly implement the register.password (aka canChangePassword) console configuration setting, which allows remote authenticated users to bypass intended policy and change their own passwords via a passwd_change IQ packet. | |||||
| CVE-2009-1595 | 1 Igniterealtime | 1 Openfire | 2024-11-21 | 4.0 MEDIUM | N/A |
| The jabber:iq:auth implementation in IQAuthHandler.java in Ignite Realtime Openfire before 3.6.4 allows remote authenticated users to change the passwords of arbitrary accounts via a modified username element in a passwd_change action. | |||||