ID CVE-2009-4001
Summary Integer overflow in XnView before 1.97.2 might allow remote attackers to execute arbitrary code via a DICOM image with crafted dimensions, leading to a heap-based buffer overflow.
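The summary describes the classic image-decoder bug class: the pixel-buffer size is computed from header dimensions in 32-bit arithmetic, the product wraps, the decoder allocates the wrapped (too small) size, and the subsequent pixel copy runs off the end of the heap chunk. The following C is an added illustration of that pattern and of the check that closes it; it is not XnView's code (which is closed source) and not taken from the Secunia advisory. The DICOM attribute tags (Rows, Columns, Samples per Pixel, Bits Allocated, all 16-bit unsigned "US") are standard; the struct and function names, the 1 GiB sanity cap, and the sample header values are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Pixel geometry as a decoder reads it from the DICOM header.  All four
 * attributes have VR "US" (16-bit unsigned): Rows (0028,0010),
 * Columns (0028,0011), Samples per Pixel (0028,0002),
 * Bits Allocated (0028,0100).  Struct name is an assumption. */
struct dicom_geom {
    uint16_t rows, cols, samples, bits_allocated;
};

/* Largest pixel buffer this example is willing to allocate (assumed cap). */
#define MAX_PIXEL_BYTES ((uint32_t)1u << 30)

/* Vulnerable pattern: the product is formed in 32-bit arithmetic and
 * silently wraps.  With Rows = Columns = 0x8000 and 32 bits allocated the
 * true size is 2^32 bytes but this returns 0; malloc(0) hands back a
 * minimal chunk and a copy sized from the header then overruns the heap. */
uint32_t unchecked_pixel_bytes(const struct dicom_geom *g)
{
    uint32_t bytes_per_sample = (g->bits_allocated + 7u) / 8u;
    return (uint32_t)g->rows * g->cols * g->samples * bytes_per_sample;
}

/* Hardened form: multiply one factor at a time in the same 32-bit type,
 * refuse any step that would wrap, then apply a sanity cap.  Returns 1 and
 * stores the byte count in *out, or 0 to reject the header. */
int checked_pixel_bytes(const struct dicom_geom *g, uint32_t *out)
{
    uint32_t factors[4] = {
        g->rows, g->cols, g->samples, (g->bits_allocated + 7u) / 8u
    };
    uint32_t acc = 1;
    for (int i = 0; i < 4; i++) {
        if (factors[i] == 0)               return 0; /* degenerate image   */
        if (acc > UINT32_MAX / factors[i]) return 0; /* acc * factor wraps */
        acc *= factors[i];
    }
    if (acc > MAX_PIXEL_BYTES) return 0;            /* implausibly large  */
    *out = acc;
    return 1;
}

/* Safe decode: the buffer is sized by the checked computation, and the
 * Pixel Data element (7FE0,0010) must carry at least that many bytes, so
 * neither the header nor the element length can push the copy past the
 * allocation.  Returns a heap buffer the caller frees, or NULL on reject. */
uint8_t *decode_pixels(const struct dicom_geom *g,
                       const uint8_t *pixel_data, size_t pixel_data_len)
{
    uint32_t need;
    if (!checked_pixel_bytes(g, &need)) return NULL;
    if (pixel_data_len < need)          return NULL; /* truncated payload */
    uint8_t *buf = malloc(need);
    if (!buf) return NULL;
    memcpy(buf, pixel_data, need);
    return buf;
}

int main(void)
{
    /* Constructed header values: one that wraps, one that is benign. */
    struct dicom_geom evil = { 0x8000, 0x8000, 1, 32 };
    struct dicom_geom ok   = { 4, 4, 1, 8 };
    uint32_t n = 0;
    printf("evil: unchecked size = %u, checked accepts = %d\n",
           unchecked_pixel_bytes(&evil), checked_pixel_bytes(&evil, &n));
    const char payload[] = "0123456789abcdef";   /* 16 bytes of pixel data */
    checked_pixel_bytes(&ok, &n);
    uint8_t *px = decode_pixels(&ok, (const uint8_t *)payload, 16);
    printf("ok: decoded %u bytes, first = '%c'\n", n, px ? px[0] : '?');
    free(px);
    return 0;
}
```

The wrap check compares against `UINT32_MAX / factor` before each multiplication rather than testing the result afterwards, so it is correct for unsigned arithmetic without relying on compiler builtins; the separate cap matters because on a 64-bit `size_t` a product that no longer wraps can still be large enough to exhaust memory or mask a later bug.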
References
Vulnerable Configurations
  • cpe:2.3:a:xnview:xnview:1.0:a:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.01:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.02:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.03:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.04:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.05:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.05:b:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.05:c:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.06:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.07:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.08:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.09:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.10:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.11:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.12:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.13:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.14:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.15:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.16:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.17:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.17:a:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.18:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.18.1:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.19:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.20:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.21:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.22:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.23:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.24:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.25:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.25:a:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.30:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.31:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.32:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.33:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.34:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.35:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.36:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.37:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.40:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.41:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.45:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.46:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.50:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.50.1:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.55:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.60:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.61:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.65:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.66:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.67:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.68:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.68.1:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.70:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.70.2:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.70.3:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.70.4:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.74:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.80:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.80.1:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.80.2:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.80.3:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.82:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.82.2:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.82.3:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.82.4:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.90:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.90.1:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.90.3:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.91:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.91.1:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.91.2:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.91.3:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.91.4:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.91.5:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.91.6:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.92:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.92.1:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.93:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.93.1:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.93.2:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.93.3:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.93.4:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.93.6:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.94:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.94.1:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.94.2:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.95:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.95.1:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.95.2:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.95.3:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.95.4:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.96:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.96.1:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.96.2:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.96.5:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.97:*:*:*:*:*:*:*
  • cpe:2.3:a:xnview:xnview:1.97.1:*:*:*:*:*:*:*
CVSS
Base: 9.3 (as of 10-10-2018 - 19:47)
Impact: 10.0 (v2 subscore, computed from the vector below)
Exploitability: 8.6 (v2 subscore, computed from the vector below)
CWE CWE-189 (Numeric Errors)
CAPEC
Access
  Vector: NETWORK   Complexity: MEDIUM   Authentication: NONE
Impact
  Confidentiality: COMPLETE   Integrity: COMPLETE   Availability: COMPLETE
cvss-vector via4 AV:N/AC:M/Au:N/C:C/I:C/A:C
refmap via4
bid 38629
bugtraq 20100310 Secunia Research: XnView DICOM Parsing Integer Overflow Vulnerability
confirm http://newsgroup.xnview.com/viewtopic.php?f=35&t=19469
misc http://secunia.com/secunia_research/2009-60/
osvdb 62829
xf xnview-dicom-bo(56802)
Last major update 10-10-2018 - 19:47
Published 15-03-2010 - 13:28
Last modified 10-10-2018 - 19:47