CWE-121
Stack-based Buffer Overflow
A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
CVE-2008-20001 (GCVE-0-2008-20001)
Vulnerability from cvelistv5
Published
2025-08-30 13:42
Modified
2025-09-16 14:35
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-121 - Stack-based Buffer Overflow
Summary
activePDF WebGrabber version 3.8.2.0 contains a stack-based buffer overflow vulnerability in the GetStatus() method of the APWebGrb.ocx ActiveX control. By passing an overly long string to this method, a remote attacker can execute arbitrary code in the context of the vulnerable process. Although the control is not marked safe for scripting, exploitation is possible via crafted HTML content in Internet Explorer under permissive security settings.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
activePDF | WebGrabber |
Version: * ≤ 3.8.2.0 |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2008-20001", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-09-02T20:47:14.729256Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-09-02T20:47:26.273Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "modules": [ "APWebGrb.ocx ActiveX control (APWebGrabber.Object)" ], "product": "WebGrabber", "vendor": "activePDF", "versions": [ { "lessThanOrEqual": "3.8.2.0", "status": "affected", "version": "*", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "MC" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "activePDF WebGrabber version 3.8.2.0 contains a stack-based buffer overflow vulnerability in the GetStatus() method of the APWebGrb.ocx ActiveX control. By passing an overly long string to this method, a remote attacker can execute arbitrary code in the context of the vulnerable process. Although the control is not marked safe for scripting, exploitation is possible via crafted HTML content in Internet Explorer under permissive security settings." } ], "value": "activePDF WebGrabber version 3.8.2.0 contains a stack-based buffer overflow vulnerability in the GetStatus() method of the APWebGrb.ocx ActiveX control. By passing an overly long string to this method, a remote attacker can execute arbitrary code in the context of the vulnerable process. Although the control is not marked safe for scripting, exploitation is possible via crafted HTML content in Internet Explorer under permissive security settings." } ], "impacts": [ { "capecId": "CAPEC-100", "descriptions": [ { "lang": "en", "value": "CAPEC-100 Overflow Buffers" } ] } ], "metrics": [ { "cvssV4_0": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 7.5, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-121", "description": "CWE-121 Stack-based Buffer Overflow", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-09-16T14:35:13.144Z", "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck" }, "references": [ { "tags": [ "exploit" ], "url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/fileformat/activepdf_webgrabber.rb" }, { "tags": [ "exploit" ], "url": "https://www.exploit-db.com/exploits/16635" }, { "tags": [ "product" ], "url": "https://web.archive.org/web/20081219180353/http://www.activepdf.com/products/serverproducts/webgrabber/" }, { "tags": [ "product" ], "url": "https://support.activepdf.com/support/solutions/35000139131" }, { "tags": [ "product" ], "url": "https://documentation.activepdf.com/WebGrabber_GS/b_installation/New_Installation.html" }, { "tags": [ "third-party-advisory" ], "url": "https://www.vulncheck.com/advisories/activepdf-webgrabber-activex-control-buffer-overflow" } ], "source": { "discovery": "UNKNOWN" }, "title": "activePDF WebGrabber ActiveX Control Buffer Overflow", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "assignerShortName": "VulnCheck", "cveId": "CVE-2008-20001", "datePublished": "2025-08-30T13:42:39.028Z", "dateReserved": "2025-08-28T16:51:12.840Z", "dateUpdated": "2025-09-16T14:35:13.144Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2009-10006 (GCVE-0-2009-10006)
Vulnerability from cvelistv5
Published
2025-08-22 14:07
Modified
2025-08-22 14:36
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-121 - Stack-based Buffer Overflow
Summary
UFO: Alien Invasion versions up to and including 2.2.1 contain a buffer overflow vulnerability in its built-in IRC client component. When the client connects to an IRC server and receives a crafted numeric reply (specifically a 001 message), the application fails to properly validate the length of the response string. This results in a stack-based buffer overflow, which may corrupt control flow structures and allow arbitrary code execution. The vulnerability is triggered during automatic IRC connection handling and does not require user interaction beyond launching the game.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
UFO: Alien Invasion Project | UFO: Alien Invasion |
Version: * ≤ 2.2.1 |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2009-10006", "options": [ { "Exploitation": "poc" }, { "Automatable": "yes" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-08-22T14:36:26.567735Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-08-22T14:36:38.804Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "modules": [ "IRC client parser" ], "platforms": [ "Windows", "MacOS" ], "product": "UFO: Alien Invasion", "vendor": "UFO: Alien Invasion Project", "versions": [ { "lessThanOrEqual": "2.2.1", "status": "affected", "version": "*", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Jason Geffner" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "UFO: Alien Invasion versions up to and including 2.2.1 contain a buffer overflow vulnerability in its built-in IRC client component. When the client connects to an IRC server and receives a crafted numeric reply (specifically a 001 message), the application fails to properly validate the length of the response string. This results in a stack-based buffer overflow, which may corrupt control flow structures and allow arbitrary code execution. The vulnerability is triggered during automatic IRC connection handling and does not require user interaction beyond launching the game." } ], "value": "UFO: Alien Invasion versions up to and including 2.2.1 contain a buffer overflow vulnerability in its built-in IRC client component. When the client connects to an IRC server and receives a crafted numeric reply (specifically a 001 message), the application fails to properly validate the length of the response string. This results in a stack-based buffer overflow, which may corrupt control flow structures and allow arbitrary code execution. The vulnerability is triggered during automatic IRC connection handling and does not require user interaction beyond launching the game." } ], "impacts": [ { "capecId": "CAPEC-100", "descriptions": [ { "lang": "en", "value": "CAPEC-100 Overflow Buffers" } ] } ], "metrics": [ { "cvssV4_0": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 9.3, "baseSeverity": "CRITICAL", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-121", "description": "CWE-121 Stack-based Buffer Overflow", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-08-22T14:07:20.521Z", "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck" }, "references": [ { "tags": [ "exploit" ], "url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/misc/ufo_ai.rb" }, { "tags": [ "exploit" ], "url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/osx/misc/ufo_ai.rb" }, { "tags": [ "exploit" ], "url": "https://www.exploit-db.com/exploits/16864" }, { "tags": [ "exploit" ], "url": "https://www.exploit-db.com/exploits/14013" }, { "tags": [ "vendor-advisory", "patch" ], "url": "https://www.moddb.com/news/ufo-alien-invasion-231-released" }, { "tags": [ "third-party-advisory" ], "url": "https://www.vulncheck.com/advisories/ufo-alien-invasion-irc-client-buffer-overflow" } ], "source": { "discovery": "UNKNOWN" }, "title": "UFO: Alien Invasion \u003c= 2.2.1 IRC Client Buffer Overflow", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "assignerShortName": "VulnCheck", "cveId": "CVE-2009-10006", "datePublished": "2025-08-22T14:07:20.521Z", "dateReserved": "2025-08-20T19:45:10.227Z", "dateUpdated": "2025-08-22T14:36:38.804Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2009-20002 (GCVE-0-2009-20002)
Vulnerability from cvelistv5
Published
2025-08-21 20:13
Modified
2025-08-22 15:24
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-121 - Stack-based Buffer Overflow
Summary
Millenium MP3 Studio versions up to and including 2.0 is vulnerable to a stack-based buffer overflow when parsing .pls playlist files. The application fails to properly validate the length of the File1 field within the playlist, allowing an attacker to craft a malicious .pls file that overwrites the Structured Exception Handler (SEH) and executes arbitrary code. Exploitation requires the victim to open the file locally, though remote execution may be possible if the .pls extension is registered to the application and opened via a browser.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Millenium | MP3 Studio |
Version: * ≤ 2.0 |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2009-20002", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-08-22T15:21:00.634193Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-08-22T15:24:29.208Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "references": [ { "tags": [ "exploit" ], "url": "https://www.exploit-db.com/exploits/9618" }, { "tags": [ "exploit" ], "url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/fileformat/millenium_mp3_pls.rb" } ], "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "modules": [ ".pls file parser" ], "product": "MP3 Studio", "vendor": "Millenium", "versions": [ { "lessThanOrEqual": "2.0", "status": "affected", "version": "*", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "hack4love" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Millenium MP3 Studio versions up to and including 2.0 is vulnerable to a stack-based buffer overflow when parsing .pls playlist files. The application fails to properly validate the length of the File1 field within the playlist, allowing an attacker to craft a malicious .pls file that overwrites the Structured Exception Handler (SEH) and executes arbitrary code. Exploitation requires the victim to open the file locally, though remote execution may be possible if the .pls extension is registered to the application and opened via a browser." } ], "value": "Millenium MP3 Studio versions up to and including 2.0 is vulnerable to a stack-based buffer overflow when parsing .pls playlist files. The application fails to properly validate the length of the File1 field within the playlist, allowing an attacker to craft a malicious .pls file that overwrites the Structured Exception Handler (SEH) and executes arbitrary code. Exploitation requires the victim to open the file locally, though remote execution may be possible if the .pls extension is registered to the application and opened via a browser." } ], "impacts": [ { "capecId": "CAPEC-100", "descriptions": [ { "lang": "en", "value": "CAPEC-100 Overflow Buffers" } ] } ], "metrics": [ { "cvssV4_0": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "baseScore": 8.4, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-121", "description": "CWE-121: Stack-based Buffer Overflow", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-08-21T20:13:17.750Z", "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck" }, "references": [ { "tags": [ "exploit" ], "url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/fileformat/millenium_mp3_pls.rb" }, { "tags": [ "exploit" ], "url": "https://www.exploit-db.com/exploits/9618" }, { "tags": [ "exploit" ], "url": "https://www.exploit-db.com/exploits/10240" }, { "tags": [ "exploit" ], "url": "https://web.archive.org/web/20090731112010/http://www.milw0rm.com/exploits/9277" }, { "tags": [ "product" ], "url": "https://ccm.net/downloads/sound/5995-millennium-mp3-studio/" }, { "tags": [ "third-party-advisory" ], "url": "https://www.vulncheck.com/advisories/millenium-mp3-studio-pls-file-stack-based-buffer-overflow" } ], "source": { "discovery": "UNKNOWN" }, "tags": [ "unsupported-when-assigned" ], "title": "Millenium MP3 Studio \u003c= 2.0 .pls File Stack-Based Buffer Overflow", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "assignerShortName": "VulnCheck", "cveId": "CVE-2009-20002", "datePublished": "2025-08-21T20:13:17.750Z", "dateReserved": "2025-08-21T16:26:55.212Z", "dateUpdated": "2025-08-22T15:24:29.208Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2009-20003 (GCVE-0-2009-20003)
Vulnerability from cvelistv5
Published
2025-08-21 20:15
Modified
2025-08-21 20:42
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-121 - Stack-based Buffer Overflow
Summary
Xenorate versions up to and including 2.50, a Windows-based multimedia player, is vulnerable to a stack-based buffer overflow when processing .xpl playlist files. The application fails to properly validate the length of input data, allowing an attacker to craft a malicious .xpl file that overwrites the Structured Exception Handler (SEH) and enables arbitrary code execution. Exploitation requires local interaction, typically by convincing a user to open the crafted file.
References
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2009-20003", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-08-21T20:42:17.056390Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-08-21T20:42:27.958Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "modules": [ ".xpl file parser" ], "platforms": [ "Windows" ], "product": "Xenorate", "vendor": "Xenorate", "versions": [ { "lessThanOrEqual": "2.50", "status": "affected", "version": "*", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "germaya_x" }, { "lang": "en", "type": "finder", "value": "loneferret" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Xenorate versions up to and including 2.50, a Windows-based multimedia player, is vulnerable to a stack-based buffer overflow when processing .xpl playlist files. The application fails to properly validate the length of input data, allowing an attacker to craft a malicious .xpl file that overwrites the Structured Exception Handler (SEH) and enables arbitrary code execution. Exploitation requires local interaction, typically by convincing a user to open the crafted file." } ], "value": "Xenorate versions up to and including 2.50, a Windows-based multimedia player, is vulnerable to a stack-based buffer overflow when processing .xpl playlist files. The application fails to properly validate the length of input data, allowing an attacker to craft a malicious .xpl file that overwrites the Structured Exception Handler (SEH) and enables arbitrary code execution. Exploitation requires local interaction, typically by convincing a user to open the crafted file." } ], "impacts": [ { "capecId": "CAPEC-100", "descriptions": [ { "lang": "en", "value": "CAPEC-100 Overflow Buffers" } ] } ], "metrics": [ { "cvssV4_0": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "baseScore": 8.4, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-121", "description": "CWE-121 Stack-based Buffer Overflow", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-08-21T20:15:39.883Z", "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck" }, "references": [ { "tags": [ "exploit" ], "url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/fileformat/xenorate_xpl_bof.rb" }, { "tags": [ "exploit" ], "url": "https://www.exploit-db.com/exploits/10371" }, { "tags": [ "exploit" ], "url": "https://www.exploit-db.com/exploits/10373" }, { "tags": [ "third-party-advisory" ], "url": "https://www.fortiguard.com/encyclopedia/ips/18035" }, { "tags": [ "product" ], "url": "http://www.xenorate.com/" }, { "tags": [ "vendor-advisory", "patch" ], "url": "https://web.archive.org/web/20100507021109/http://www.xenorate.com/" }, { "tags": [ "third-party-advisory" ], "url": "https://www.vulncheck.com/advisories/xenorate-xpl-file-stack-based-buffer-overflow" } ], "source": { "discovery": "UNKNOWN" }, "title": "Xenorate \u003c= 2.50 .xpl File Stack-Based Buffer Overflow", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "assignerShortName": "VulnCheck", "cveId": "CVE-2009-20003", "datePublished": "2025-08-21T20:15:39.883Z", "dateReserved": "2025-08-21T16:26:55.212Z", "dateUpdated": "2025-08-21T20:42:27.958Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2009-20004 (GCVE-0-2009-20004)
Vulnerability from cvelistv5
Published
2025-08-21 20:11
Modified
2025-08-22 15:28
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-121 - Stack-based Buffer Overflow
Summary
gAlan 0.2.1, a modular audio processing environment for Windows, is vulnerable to a stack-based buffer overflow when parsing .galan files. The application fails to properly validate the length of input data, allowing a specially crafted file to overwrite the stack and execute arbitrary code. Exploitation requires local interaction, typically by convincing a user to open the malicious file.
References
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2009-20004", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-08-22T15:27:48.864360Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-08-22T15:28:03.572Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "references": [ { "tags": [ "exploit" ], "url": "https://www.exploit-db.com/exploits/10339" }, { "tags": [ "exploit" ], "url": "https://www.exploit-db.com/exploits/10345" }, { "tags": [ "exploit" ], "url": "https://www.exploit-db.com/exploits/16664" }, { "tags": [ "exploit" ], "url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/fileformat/galan_fileformat_bof.rb" } ], "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "modules": [ ".galan file parser" ], "product": "gAlan", "vendor": "gAlan", "versions": [ { "lessThanOrEqual": "0.2.1", "status": "affected", "version": "*", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Jeremy Brown" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "gAlan 0.2.1, a modular audio processing environment for Windows, is vulnerable to a stack-based buffer overflow when parsing .galan files. The application fails to properly validate the length of input data, allowing a specially crafted file to overwrite the stack and execute arbitrary code. Exploitation requires local interaction, typically by convincing a user to open the malicious file." } ], "value": "gAlan 0.2.1, a modular audio processing environment for Windows, is vulnerable to a stack-based buffer overflow when parsing .galan files. The application fails to properly validate the length of input data, allowing a specially crafted file to overwrite the stack and execute arbitrary code. Exploitation requires local interaction, typically by convincing a user to open the malicious file." } ], "impacts": [ { "capecId": "CAPEC-100", "descriptions": [ { "lang": "en", "value": "CAPEC-100 Overflow Buffers" } ] } ], "metrics": [ { "cvssV4_0": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "baseScore": 8.4, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-121", "description": "CWE-121 Stack-based Buffer Overflow", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-08-21T20:11:57.631Z", "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck" }, "references": [ { "tags": [ "exploit" ], "url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/fileformat/galan_fileformat_bof.rb" }, { "tags": [ "exploit" ], "url": "https://www.exploit-db.com/exploits/16664" }, { "tags": [ "exploit" ], "url": "https://www.exploit-db.com/exploits/10345" }, { "tags": [ "exploit" ], "url": "https://www.exploit-db.com/exploits/10339" }, { "tags": [ "third-party-advisory" ], "url": "https://www.fortiguard.com/encyclopedia/ips/18034/galan-galan-file-stack-overflow" }, { "tags": [ "product" ], "url": "https://web.archive.org/web/20101210055252/http://galan.sourceforge.net/" }, { "tags": [ "third-party-advisory" ], "url": "https://www.vulncheck.com/advisories/galan-buffer-overflow" } ], "source": { "discovery": "UNKNOWN" }, "tags": [ "unsupported-when-assigned" ], "title": "gAlan \u003c= 0.2.1 Buffer Overflow", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "assignerShortName": "VulnCheck", "cveId": "CVE-2009-20004", "datePublished": "2025-08-21T20:11:57.631Z", "dateReserved": "2025-08-21T16:26:55.213Z", "dateUpdated": "2025-08-22T15:28:03.572Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2009-20005 (GCVE-0-2009-20005)
Vulnerability from cvelistv5
Published
2025-09-16 14:32
Modified
2025-09-16 18:18
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-121 - Stack-based Buffer Overflow
Summary
A stack-based buffer overflow exists in the UtilConfigHome.csp endpoint of InterSystems Caché 2009.1. The vulnerability is triggered by sending a specially crafted HTTP GET request containing an oversized argument to the .csp handler. Due to insufficient bounds checking, the input overflows a stack buffer, allowing an attacker to overwrite control structures and execute arbitrary code. It is unknown if this vulnerability was patched and an affected version range remains undefined.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
InterSystems Corporation | InterSystems Caché |
Version: * < |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2009-20005", "options": [ { "Exploitation": "poc" }, { "Automatable": "yes" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-09-16T18:18:32.419926Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-09-16T18:18:35.109Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "references": [ { "tags": [ "exploit" ], "url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/http/intersystems_cache.rb" }, { "tags": [ "exploit" ], "url": "https://www.exploit-db.com/exploits/16807" } ], "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unknown", "modules": [ "/csp/sys/mgr/UtilConfigHome.csp" ], "product": "InterSystems Cach\u00e9", "vendor": "InterSystems Corporation", "versions": [ { "lessThanOrEqual": "2009.1", "status": "affected", "version": "*", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "MC" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "A stack-based buffer overflow exists in the UtilConfigHome.csp endpoint of InterSystems Cach\u00e9 2009.1. The vulnerability is triggered by sending a specially crafted HTTP GET request containing an oversized argument to the .csp handler. Due to insufficient bounds checking, the input overflows a stack buffer, allowing an attacker to overwrite control structures and execute arbitrary code. It is unknown if this vulnerability was patched and an affected version range remains undefined." } ], "value": "A stack-based buffer overflow exists in the UtilConfigHome.csp endpoint of InterSystems Cach\u00e9 2009.1. The vulnerability is triggered by sending a specially crafted HTTP GET request containing an oversized argument to the .csp handler. Due to insufficient bounds checking, the input overflows a stack buffer, allowing an attacker to overwrite control structures and execute arbitrary code. It is unknown if this vulnerability was patched and an affected version range remains undefined." } ], "impacts": [ { "capecId": "CAPEC-100", "descriptions": [ { "lang": "en", "value": "CAPEC-100 Overflow Buffers" } ] } ], "metrics": [ { "cvssV4_0": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 9.3, "baseSeverity": "CRITICAL", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-121", "description": "CWE-121 Stack-based Buffer Overflow", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-09-16T14:32:00.691Z", "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck" }, "references": [ { "tags": [ "exploit" ], "url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/http/intersystems_cache.rb" }, { "tags": [ "exploit" ], "url": "https://www.exploit-db.com/exploits/16807" }, { "tags": [ "third-party-advisory" ], "url": "https://www.juniper.net/us/en/threatlabs/ips-signatures/detail.APP:INTERSYSTEMS-CACHE-OF.html" }, { "tags": [ "product" ], "url": "https://www.intersystems.com/products/cache/" }, { "tags": [ "third-party-advisory" ], "url": "https://www.vulncheck.com/advisories/intersystems-cache-stack-buffer-overflow" } ], "source": { "discovery": "UNKNOWN" }, "title": "InterSystems Cach\u00e9 UtilConfigHome.csp Stack Buffer Overflow", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "assignerShortName": "VulnCheck", "cveId": "CVE-2009-20005", "datePublished": "2025-09-16T14:32:00.691Z", "dateReserved": "2025-08-27T18:34:34.963Z", "dateUpdated": "2025-09-16T18:18:35.109Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2009-20007 (GCVE-0-2009-20007)
Vulnerability from cvelistv5
Published
2025-09-16 14:34
Modified
2025-09-16 18:16
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-121 - Stack-based Buffer Overflow
Summary
Talkative IRC v0.4.4.16 is vulnerable to a stack-based buffer overflow when processing specially crafted response strings sent to a connected client. An attacker can exploit this flaw by sending an overly long message that overflows a fixed-length buffer, potentially leading to arbitrary code execution in the context of the vulnerable process. This vulnerability is exploitable remotely and does not require authentication.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Talkative | Talkative IRC |
Version: * ≤ 0.4.4.16 |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2009-20007", "options": [ { "Exploitation": "poc" }, { "Automatable": "yes" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-09-16T18:16:26.267299Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-09-16T18:16:31.758Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "references": [ { "tags": [ "exploit" ], "url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/misc/talkative_response.rb" }, { "tags": [ "exploit" ], "url": "https://www.exploit-db.com/exploits/8227" }, { "tags": [ "exploit" ], "url": "https://www.exploit-db.com/exploits/16459" }, { "tags": [ "exploit" ], "url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2009-4909.php" } ], "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "modules": [ "IRC client response handler" ], "product": "Talkative IRC", "vendor": "Talkative", "versions": [ { "lessThanOrEqual": "0.4.4.16", "status": "affected", "version": "*", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Gjoko Krstic \"LiquidWorm\" of Zero Science Lab" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Talkative IRC v0.4.4.16 is vulnerable to a stack-based buffer overflow when processing specially crafted response strings sent to a connected client. An attacker can exploit this flaw by sending an overly long message that overflows a fixed-length buffer, potentially leading to arbitrary code execution in the context of the vulnerable process. This vulnerability is exploitable remotely and does not require authentication." } ], "value": "Talkative IRC v0.4.4.16 is vulnerable to a stack-based buffer overflow when processing specially crafted response strings sent to a connected client. An attacker can exploit this flaw by sending an overly long message that overflows a fixed-length buffer, potentially leading to arbitrary code execution in the context of the vulnerable process. This vulnerability is exploitable remotely and does not require authentication." } ], "impacts": [ { "capecId": "CAPEC-100", "descriptions": [ { "lang": "en", "value": "CAPEC-100 Overflow Buffers" } ] } ], "metrics": [ { "cvssV4_0": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 9.3, "baseSeverity": "CRITICAL", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-121", "description": "CWE-121 Stack-based Buffer Overflow", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-09-16T14:34:39.071Z", "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck" }, "references": [ { "tags": [ "exploit" ], "url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/misc/talkative_response.rb" }, { "tags": [ "exploit" ], "url": "https://www.exploit-db.com/exploits/8227" }, { "tags": [ "exploit" ], "url": "https://www.exploit-db.com/exploits/16459" }, { "tags": [ "technical-description", "exploit" ], "url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2009-4909.php" }, { "tags": [ "product" ], "url": "https://web.archive.org/web/20090116203306/http://www.talkative-irc.com/" }, { "tags": [ "third-party-advisory" ], "url": "https://www.vulncheck.com/advisories/talkative-irc-response-buffer-overflow" } ], "source": { "discovery": "UNKNOWN" }, "tags": [ "unsupported-when-assigned" ], "title": "Talkative IRC v0.4.4.16 Response Buffer Overflow", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "assignerShortName": "VulnCheck", "cveId": "CVE-2009-20007", "datePublished": "2025-09-16T14:34:39.071Z", "dateReserved": "2025-08-27T18:34:34.964Z", "dateUpdated": "2025-09-16T18:16:31.758Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2009-20008 (GCVE-0-2009-20008)
Vulnerability from cvelistv5
Published
2025-08-30 13:47
Modified
2025-09-02 20:41
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-121 - Stack-based Buffer Overflow
Summary
Green Dam Youth Escort version 3.17 is vulnerable to a stack-based buffer overflow when processing overly long URLs. The flaw resides in the URL filtering component, which fails to properly validate input length before copying user-supplied data into a fixed-size buffer. A remote attacker can exploit this vulnerability by enticing a user to visit a specially crafted webpage containing a long URL, resulting in arbitrary code execution.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Zhengzhou Jinhui Computer System Engineering Co. Ltd. ; Beijing Dazheng Human Language Technology Academy | Green Dam Youth Escort |
Version: * ≤ |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2009-20008", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-09-02T20:40:53.119092Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-09-02T20:41:12.953Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "modules": [ "URL filtering and content inspection module" ], "product": "Green Dam Youth Escort", "vendor": "Zhengzhou Jinhui Computer System Engineering Co. Ltd. ; Beijing Dazheng Human Language Technology Academy", "versions": [ { "lessThan": "3.174", "status": "affected", "version": "*", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Scott Wolchok" }, { "lang": "en", "type": "finder", "value": "Randy Yao" }, { "lang": "en", "type": "finder", "value": "J. Alex Halderman" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Green Dam Youth Escort version 3.17 is vulnerable to a stack-based buffer overflow when processing overly long URLs. The flaw resides in the URL filtering component, which fails to properly validate input length before copying user-supplied data into a fixed-size buffer. A remote attacker can exploit this vulnerability by enticing a user to visit a specially crafted webpage containing a long URL, resulting in arbitrary code execution." } ], "value": "Green Dam Youth Escort version 3.17 is vulnerable to a stack-based buffer overflow when processing overly long URLs. The flaw resides in the URL filtering component, which fails to properly validate input length before copying user-supplied data into a fixed-size buffer. A remote attacker can exploit this vulnerability by enticing a user to visit a specially crafted webpage containing a long URL, resulting in arbitrary code execution." } ], "impacts": [ { "capecId": "CAPEC-100", "descriptions": [ { "lang": "en", "value": "CAPEC-100 Overflow Buffers" } ] } ], "metrics": [ { "cvssV4_0": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.6, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-121", "description": "CWE-121 Stack-based Buffer Overflow", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-08-30T13:47:42.991Z", "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck" }, "references": [ { "tags": [ "technical-description" ], "url": "https://web.archive.org/web/20110426190759/http://www.cse.umich.edu/~jhalderm/pub/gd/" }, { "tags": [ "product" ], "url": "https://en.wikipedia.org/wiki/Green_Dam_Youth_Escort" }, { "tags": [ "exploit" ], "url": "https://www.exploit-db.com/exploits/8969" }, { "tags": [ "exploit" ], "url": "https://www.exploit-db.com/exploits/8938" }, { "tags": [ "exploit" ], "url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/browser/greendam_url.rb" }, { "tags": [ "third-party-advisory" ], "url": "https://www.vulncheck.com/advisories/green-dam-url-processing-buffer-overflow" } ], "source": { "discovery": "UNKNOWN" }, "tags": [ "unsupported-when-assigned" ], "title": "Green Dam \u003c 3.174 URL Processing Buffer Overflow", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "assignerShortName": "VulnCheck", "cveId": "CVE-2009-20008", "datePublished": "2025-08-30T13:47:42.991Z", "dateReserved": "2025-08-27T18:34:34.964Z", "dateUpdated": "2025-09-02T20:41:12.953Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2009-20009 (GCVE-0-2009-20009)
Vulnerability from cvelistv5
Published
2025-08-30 13:43
Modified
2025-09-02 20:46
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-121 - Stack-based Buffer Overflow
Summary
Belkin Bulldog Plus version 4.0.2 build 1219 contains a stack-based buffer overflow vulnerability in its web service authentication handler. When a specially crafted HTTP request is sent with an oversized Authorization header, the application fails to properly validate the input length before copying it into a fixed-size buffer, resulting in memory corruption and potential remote code execution. Exploitation requires network access and does not require prior authentication.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Belkin International, Inc. | Bulldog Plus UPS Monitoring Software |
Version: * < |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2009-20009", "options": [ { "Exploitation": "poc" }, { "Automatable": "yes" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-09-02T20:46:51.105266Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-09-02T20:46:59.152Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "modules": [ "HTTP authentication handler" ], "product": "Bulldog Plus UPS Monitoring Software", "vendor": "Belkin International, Inc.", "versions": [ { "lessThanOrEqual": "4.0.2 build 1219", "status": "affected", "version": "*", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Elazar" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Belkin Bulldog Plus version 4.0.2 build 1219 contains a stack-based buffer overflow vulnerability in its web service authentication handler. When a specially crafted HTTP request is sent with an oversized Authorization header, the application fails to properly validate the input length before copying it into a fixed-size buffer, resulting in memory corruption and potential remote code execution. Exploitation requires network access and does not require prior authentication." } ], "value": "Belkin Bulldog Plus version 4.0.2 build 1219 contains a stack-based buffer overflow vulnerability in its web service authentication handler. When a specially crafted HTTP request is sent with an oversized Authorization header, the application fails to properly validate the input length before copying it into a fixed-size buffer, resulting in memory corruption and potential remote code execution. Exploitation requires network access and does not require prior authentication." } ], "impacts": [ { "capecId": "CAPEC-100", "descriptions": [ { "lang": "en", "value": "CAPEC-100 Overflow Buffers" } ] } ], "metrics": [ { "cvssV4_0": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 9.3, "baseSeverity": "CRITICAL", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-121", "description": "CWE-121 Stack-based Buffer Overflow", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-08-30T13:43:21.759Z", "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck" }, "references": [ { "tags": [ "exploit" ], "url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/http/belkin_bulldog.rb" }, { "tags": [ "exploit" ], "url": "https://www.exploit-db.com/exploits/8173" }, { "tags": [ "third-party-advisory" ], "url": "https://www.fortiguard.com/encyclopedia/ips/17325/belkin-bulldog-plus-web-services-buffer-overflow" }, { "tags": [ "product" ], "url": "https://s3.belkin.com/support/dl/bulldogwindows.pdf" }, { "tags": [ "third-party-advisory" ], "url": "https://www.vulncheck.com/advisories/belkin-bulldog-plus-web-service-buffer-overflow" } ], "source": { "discovery": "UNKNOWN" }, "tags": [ "unsupported-when-assigned" ], "title": "Belkin Bulldog Plus Web Service Buffer Overflow", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "assignerShortName": "VulnCheck", "cveId": "CVE-2009-20009", "datePublished": "2025-08-30T13:43:21.759Z", "dateReserved": "2025-08-28T17:25:02.939Z", "dateUpdated": "2025-09-02T20:46:59.152Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2010-10014 (GCVE-0-2010-10014)
Vulnerability from cvelistv5
Published
2025-08-20 15:38
Modified
2025-08-22 16:12
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-121 - Stack-Based Buffer Overflow
Summary
Odin Secure FTP <= 4.1 is vulnerable to a stack-based buffer overflow when parsing directory listings received in response to an FTP LIST command. A malicious FTP server can send an overly long filename in the directory listing, which overflows a fixed-size stack buffer in the client and overwrites the Structured Exception Handler (SEH). This allows remote attackers to execute arbitrary code on the client system.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Odin Software | Odin Secure FTP |
Version: * ≤ 4.1 |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2010-10014", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-08-22T16:12:20.490074Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-08-22T16:12:25.765Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "references": [ { "tags": [ "exploit" ], "url": "https://www.exploit-db.com/exploits/16716" }, { "tags": [ "exploit" ], "url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/ftp/odin_list_reply.rb" } ], "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unknown", "product": "Odin Secure FTP", "vendor": "Odin Software", "versions": [ { "lessThanOrEqual": "4.1", "status": "affected", "version": "*", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "rick2600" }, { "lang": "en", "type": "finder", "value": "corelanc0d3r of Corelan Team" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Odin Secure FTP \u0026lt;= 4.1 is vulnerable to a stack-based buffer overflow when parsing directory listings received in response to an FTP LIST command. A malicious FTP server can send an overly long filename in the directory listing, which overflows a fixed-size stack buffer in the client and overwrites the Structured Exception Handler (SEH). This allows remote attackers to execute arbitrary code on the client system." } ], "value": "Odin Secure FTP \u003c= 4.1 is vulnerable to a stack-based buffer overflow when parsing directory listings received in response to an FTP LIST command. A malicious FTP server can send an overly long filename in the directory listing, which overflows a fixed-size stack buffer in the client and overwrites the Structured Exception Handler (SEH). This allows remote attackers to execute arbitrary code on the client system." } ], "impacts": [ { "capecId": "CAPEC-100", "descriptions": [ { "lang": "en", "value": "CAPEC-100 Overflow Buffers" } ] } ], "metrics": [ { "cvssV4_0": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.7, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-121", "description": "CWE-121 Stack-Based Buffer Overflow", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-08-20T15:38:23.796Z", "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck" }, "references": [ { "tags": [ "product" ], "url": "https://web.archive.org/web/20111007123101/http://odinshare.com/secure-ftp-expert.html" }, { "tags": [ "exploit" ], "url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/ftp/odin_list_reply.rb" }, { "tags": [ "exploit" ], "url": "https://www.exploit-db.com/exploits/16716" }, { "tags": [ "technical-description", "exploit" ], "url": "https://web.archive.org/web/20111016194057/https://www.corelan.be/index.php/2010/10/12/death-of-an-ftp-client/" }, { "tags": [ "third-party-advisory" ], "url": "https://www.vulncheck.com/advisories/odin-secure-ftp-stack-buffer-overflow-via-list-response" } ], "source": { "discovery": "UNKNOWN" }, "tags": [ "unsupported-when-assigned" ], "title": "Odin Secure FTP \u003c= 4.1 Stack Buffer Overflow via LIST Response", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "assignerShortName": "VulnCheck", "cveId": "CVE-2010-10014", "datePublished": "2025-08-20T15:38:23.796Z", "dateReserved": "2025-08-19T17:04:02.876Z", "dateUpdated": "2025-08-22T16:12:25.765Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
Mitigation ID: MIT-10
Phases: Operation, Build and Compilation
Strategy: Environment Hardening
Description:
- Use automatic buffer overflow detection mechanisms that are offered by certain compilers or compiler extensions. Examples include: the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice, which provide various mechanisms including canary-based detection and range/index checking.
- D3-SFCV (Stack Frame Canary Validation) from D3FEND [REF-1334] discusses canary-based detection in detail.
Mitigation
Phase: Architecture and Design
Description:
- Use an abstraction library to abstract away risky APIs. Not a complete solution.
Mitigation
Phase: Implementation
Description:
- Implement and perform bounds checking on input.
Mitigation
Phase: Implementation
Description:
- Do not use dangerous functions such as gets. Use safer, equivalent functions which check for boundary errors.
Mitigation ID: MIT-11
Phases: Operation, Build and Compilation
Strategy: Environment Hardening
Description:
- Run or compile the software using features or extensions that randomly arrange the positions of a program's executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code.
- Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64]. Imported modules may be similarly realigned if their default memory addresses conflict with other modules, in a process known as "rebasing" (for Windows) and "prelinking" (for Linux) [REF-1332] using randomly generated addresses. ASLR for libraries cannot be used in conjunction with prelink since it would require relocating the libraries at run-time, defeating the whole purpose of prelinking.
- For more information on these techniques see D3-SAOR (Segment Address Offset Randomization) from D3FEND [REF-1335].
No CAPEC attack patterns related to this CWE.