Multiple format string vulnerabilities in Babo Violent 2 2.08.00 and earlier allow remote attackers to execute arbitrary code via format string specifiers in (1) a message or (2) certain data associated with an admin login.

Babo Violent 2 2.08.00 does not validate the sender field of a chat message composed by a client, which allows remote authenticated users to spoof messages.

Babo Violent 2 2.08.00 and earlier allows remote attackers to cause a denial of service (application crash) via (1) a value greater than 0x27 for the (a) 0xca, (b) 0xcb, (c) 0xcc, (d) 0xce, (e) 0xcf, or (f) 0xd0 data ID; (2) a nonexistent map name; o

The server in Babo Violent 2 2.08.00 and earlier does not properly implement password protection, which might allow remote attackers to bypass authentication by reconnecting after a connection closes.