Total
263 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2008-3115 | 1 Sun | 2 Jdk, Jre | 2018-10-11 | 7.5 HIGH | N/A |
| Secure Static Versioning in Sun Java JDK and JRE 6 Update 6 and earlier, and 5.0 Update 6 through 15, does not properly prevent execution of applets on older JRE releases, which might allow remote attackers to exploit vulnerabilities in these older releases. | |||||
| CVE-2008-1522 | 1 Zyxel | 3 Prestige 660, Prestige 661, Zynos | 2018-10-11 | 7.5 HIGH | N/A |
| ZyXEL Prestige routers, including P-660 and P-661 models with firmware 3.40(AGD.2) through 3.40(AHQ.3), have (1) "user" as their default password for the "user" account and (2) "1234" as their default password for the "admin" account, which makes it easier for remote attackers to obtain access. | |||||
| CVE-2008-1524 | 1 Zyxel | 3 Prestige 660, Prestige 661, Zynos | 2018-10-11 | 7.5 HIGH | N/A |
| The SNMP service on ZyXEL Prestige routers, including P-660 and P-661 models with firmware 3.40(AGD.2) through 3.40(AHQ.3), has "public" as its default community for both (1) read and (2) write operations, which allows remote attackers to perform administrative actions via SNMP, as demonstrated by reading the Dynamic DNS service password or inserting an XSS sequence into the system.sysName.0 variable, which is displayed on the System Status page. | |||||
| CVE-2008-1525 | 1 Zyxel | 3 Prestige 660, Prestige 661, Zynos | 2018-10-11 | 5.0 MEDIUM | N/A |
| The default SNMP configuration on ZyXEL Prestige routers, including P-660 and P-661 models with firmware 3.40(AGD.2) through 3.40(AHQ.3), has a Trusted Host value of 0.0.0.0, which allows remote attackers to send SNMP requests from any source IP address. | |||||
| CVE-2008-1392 | 2 Microsoft, Vmware | 4 Windows, Ace, Player and 1 more | 2018-10-11 | 10.0 HIGH | N/A |
| The default configuration of VMware Workstation 6.0.2, VMware Player 2.0.x before 2.0.3, and VMware ACE 2.0.x before 2.0.1 makes the console of the guest OS accessible through anonymous VIX API calls, which has unknown impact and attack vectors. | |||||
| CVE-2008-1199 | 1 Dovecot | 1 Dovecot | 2018-10-11 | 4.4 MEDIUM | N/A |
| Dovecot before 1.0.11, when configured to use mail_extra_groups to allow Dovecot to create dotlocks in /var/mail, might allow local users to read sensitive mail files for other users, or modify files or directories that are writable by group, via a symlink attack. | |||||
| CVE-2010-4312 | 1 Apache | 1 Tomcat | 2018-10-10 | 6.4 MEDIUM | N/A |
| The default configuration of Apache Tomcat 6.x does not include the HTTPOnly flag in a Set-Cookie header, which makes it easier for remote attackers to hijack a session via script access to a cookie. | |||||
| CVE-2010-2306 | 1 Sourcefire | 4 3d1000, 3d2000, 3d9900 and 1 more | 2018-10-10 | 4.3 MEDIUM | N/A |
| The default installation of Sourcefire 3D Sensor 1000, 2000, and 9900; and Defense Center 1000; uses the same static, private SSL keys for multiple devices and installations, which allows remote attackers to decrypt SSL traffic via a man-in-the-middle (MITM) attack. | |||||
| CVE-2010-1913 | 1 Consona | 3 Consona Dynamic Agent, Consona Live Assistance, Consona Subscriber Assistance | 2018-10-10 | 9.3 HIGH | N/A |
| The default configuration of pluginlicense.ini for the SdcWebSecureBase interface in tgctlcm.dll in Consona Live Assistance, Dynamic Agent, and Subscriber Assistance, when downloaded from a server operated by Telefonica or possibly other companies, contains an incorrect DNS whitelist that includes the DNS hostnames of home computers of many persons, which allows remote attackers to bypass intended restrictions on ActiveX execution by hosting an ActiveX control on an applicable home web server. | |||||
| CVE-2009-4402 | 1 Sql-ledger | 1 Sql-ledger | 2018-10-10 | 7.5 HIGH | N/A |
| The default configuration of SQL-Ledger 2.8.24 allows remote attackers to perform unspecified administrative operations by providing an arbitrary password to the admin interface. | |||||
| CVE-2009-3584 | 1 Sql-ledger | 1 Sql-ledger | 2018-10-10 | 5.0 MEDIUM | N/A |
| SQL-Ledger 2.8.24 does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session. | |||||
| CVE-2009-3489 | 1 Adobe | 1 Photoshop Elements | 2018-10-10 | 6.9 MEDIUM | N/A |
| Adobe Photoshop Elements 8.0 installs the Adobe Active File Monitor V8 service with an insecure security descriptor, which allows local users to (1) stop the service via the stop command, (2) execute arbitrary commands as SYSTEM by using the config command to modify the binPath variable, or (3) restart the service via the start command. | |||||
| CVE-2009-2357 | 1 Yasinkaplan | 1 Tekradius | 2018-10-10 | 10.0 HIGH | N/A |
| The default configuration of TekRADIUS 3.0 uses the sa account to communicate with Microsoft SQL Server, which makes it easier for remote attackers to obtain privileged access to the database and the underlying Windows operating system. | |||||
| CVE-2009-1312 | 1 Mozilla | 2 Firefox, Seamonkey | 2018-10-10 | 4.3 MEDIUM | N/A |
| Mozilla Firefox before 3.0.9 and SeaMonkey 1.1.17 do not block javascript: URIs in Refresh headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header or (2) specifying the content of a Refresh header. NOTE: it was later reported that Firefox 3.6 a1 pre and Mozilla 1.7.x and earlier are also affected. | |||||
| CVE-2009-1104 | 1 Sun | 1 Java | 2018-10-10 | 5.8 MEDIUM | N/A |
| The Java Plug-in in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 5.0 Update 17 and earlier; 6 Update 12 and earlier; and 1.4.2_19 and earlier does not prevent Javascript that is loaded from the localhost from connecting to other ports on the system, which allows user-assisted attackers to bypass intended access restrictions via LiveConnect, aka CR 6724331. NOTE: this vulnerability can be leveraged with separate cross-site scripting (XSS) vulnerabilities for remote attack vectors. | |||||
| CVE-2009-1093 | 1 Sun | 3 Jdk, Jre, Sdk | 2018-10-10 | 5.0 MEDIUM | N/A |
| LdapCtx in the LDAP service in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 5.0 Update 17 and earlier; 6 Update 12 and earlier; SDK and JRE 1.3.1_24 and earlier; and 1.4.2_19 and earlier does not close the connection when initialization fails, which allows remote attackers to cause a denial of service (LDAP service hang). | |||||
| CVE-2009-0696 | 1 Isc | 1 Bind | 2018-10-10 | 4.3 MEDIUM | N/A |
| The dns_db_findrdataset function in db.c in named in ISC BIND 9.4 before 9.4.3-P3, 9.5 before 9.5.1-P3, and 9.6 before 9.6.1-P1, when configured as a master server, allows remote attackers to cause a denial of service (assertion failure and daemon exit) via an ANY record in the prerequisite section of a crafted dynamic update message, as exploited in the wild in July 2009. | |||||
| CVE-2011-1424 | 3 Emc, Ibm, Microsoft | 4 Sourceone Email Management, Lotus Domino, Lotus Notes and 1 more | 2018-10-09 | 3.5 LOW | N/A |
| The default configuration of ExShortcut\Web.config in EMC SourceOne Email Management before 6.6 SP1, when the Mobile Services component is used, does not properly set the localOnly attribute of the trace element, which allows remote authenticated users to obtain sensitive information via ASP.NET Application Tracing. | |||||
| CVE-2009-1309 | 1 Mozilla | 3 Firefox, Seamonkey, Thunderbird | 2018-10-03 | 4.3 MEDIUM | N/A |
| Mozilla Firefox before 3.0.9, Thunderbird, and SeaMonkey do not properly implement the Same Origin Policy for (1) XMLHttpRequest, involving a mismatch for a document's principal, and (2) XPCNativeWrapper.toString, involving an incorrect __proto__ scope, which allows remote attackers to conduct cross-site scripting (XSS) attacks and possibly other attacks via a crafted document. | |||||
| CVE-2009-1306 | 1 Mozilla | 3 Firefox, Seamonkey, Thunderbird | 2018-10-03 | 4.3 MEDIUM | N/A |
| The jar: URI implementation in Mozilla Firefox before 3.0.9, Thunderbird, and SeaMonkey does not follow the Content-Disposition header of the inner URI, which allows remote attackers to conduct cross-site scripting (XSS) attacks and possibly other attacks via an uploaded .jar file with a "Content-Disposition: attachment" designation. | |||||