MidnightBSD

Advisories for aol

CVE-1999-0486 MEDIUM

Denial of service in AOL Instant Messenger when a remote attacker sends a malicious hyperlink to the receiving client, potentially causing a system crash.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other

Products Affected

Vendor Product Version
aol instant_messenger 3.5

CVE-2000-0190 MEDIUM

AOL Instant Messenger (AIM) client allows remote attackers to cause a denial of service via a message with a malformed ASCII value.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other

Products Affected

Vendor Product Version
aol instant_messenger *

CVE-2000-0383 MEDIUM

The file transfer component of AOL Instant Messenger (AIM) reveals the physical path of the transferred file to the remote recipient.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other

Products Affected

Vendor Product Version
aol instant_messenger 4.0

CVE-2000-1000 MEDIUM

Format string vulnerability in AOL Instant Messenger (AIM) 4.1.2010 allows remote attackers to cause a denial of service and possibly execute arbitrary commands by transferring a file whose name includes format characters.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other

Products Affected

Vendor Product Version
aol instant_messenger 4.1.2010

CVE-2000-1093 HIGH

Buffer overflow in AOL Instant Messenger before 4.3.2229 allows remote attackers to execute arbitrary commands via a long "goim" command.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other

Products Affected

Vendor Product Version
aol instant_messenger 3.0_n
aol instant_messenger 3.5.1635
aol instant_messenger 3.5.1808
aol instant_messenger 2.5.1366
aol instant_messenger 4.2.1193
aol instant_messenger 2.0_n
aol instant_messenger 3.5.1670
aol instant_messenger 4.0
aol instant_messenger 3.0.1470
aol instant_messenger 4.1.2010
aol instant_messenger 2.5.1598
aol instant_messenger 3.5.1856

CVE-2000-1094 HIGH

Buffer overflow in AOL Instant Messenger (AIM) before 4.3.2229 allows remote attackers to execute arbitrary commands via a "buddyicon" command with a long "src" argument.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-120

Products Affected

Vendor Product Version
aol aim *

CVE-2001-0205 MEDIUM

Directory traversal vulnerability in AOLserver 3.2 and earlier allows remote attackers to read arbitrary files by inserting "..." into the requested pathname, a modified .. (dot dot) attack.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other

Products Affected

Vendor Product Version
aol aol_server 3.2

CVE-2001-0314 HIGH

Buffer overflow in www.tol module in America Online (AOL) 5.0 may allow remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long URL in a link.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other

Products Affected

Vendor Product Version
aol aol_server 5.0

CVE-2001-1067 HIGH

Buffer overflow in AOLserver 3.0 allows remote attackers to cause a denial of service, and possibly execute arbitrary code, via an HTTP request with a long Authorization header.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other

Products Affected

Vendor Product Version
aol aol_server 3.0
aol aol_server 3.2

CVE-2001-1416 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in the log messages in certain Alpha versions of AOL Instant Messenger (AIM) 4.4 allow remote attackers to execute arbitrary web script or HTML via an image in the (1) DATA, (2) STYLE, or (3) BINARY tags.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other

Products Affected

Vendor Product Version
aol instant_messenger 4.4a

CVE-2001-1417 MEDIUM

AOL Instant Messenger (AIM) 4.7 allows remote attackers to cause a denial of service (application hang or crash) via a buddy icon GIF file whose length and width values are larger than the actual image data.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other

Products Affected

Vendor Product Version
aol instant_messenger 4.7

CVE-2001-1418 MEDIUM

AOL Instant Messenger (AIM) 4.7 allows remote attackers to cause a denial of service (application crash) via a malformed WAV file.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other

Products Affected

Vendor Product Version
aol instant_messenger 4.7

CVE-2001-1419 MEDIUM

AOL Instant Messenger (AIM) 4.7.2480 and earlier allows remote attackers to cause a denial of service (application crash) via an instant message that contains a large amount of "<!--" HTML comments.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other

Products Affected

Vendor Product Version
aol instant_messenger 4.4
aol instant_messenger 4.3
aol instant_messenger 4.7
aol instant_messenger 4.1
aol instant_messenger 4.3.2229
cerulean_studios trillian 0.6351
aol instant_messenger 4.2
aol instant_messenger 4.6
aol instant_messenger 4.0
aol instant_messenger 4.5
aol instant_messenger 4.7.2480

CVE-2001-1420 MEDIUM

AOL Instant Messenger (AIM) 4.7 allows remote attackers to cause a denial of service (application crash) via a long filename, possibly caused by a buffer overflow.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other

Products Affected

Vendor Product Version
aol instant_messenger 4.7

CVE-2001-1421 MEDIUM

AOL Instant Messenger (AIM) 4.7 and earlier allows remote attackers to cause a denial of service (application crash) via a large number of different fonts followed by an HTML HR tag.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other

Products Affected

Vendor Product Version
aol instant_messenger *

CVE-2002-0005 HIGH

Buffer overflow in AOL Instant Messenger (AIM) 4.7.2480, 4.8.2616, and other versions allows remote attackers to execute arbitrary code via a long argument in a game request (AddGame).

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other

Products Affected

Vendor Product Version
aol instant_messenger 4.4
aol instant_messenger 4.3
aol instant_messenger 4.7
aol instant_messenger 4.8.2616
aol instant_messenger 4.3.2229
aol instant_messenger 4.6
aol instant_messenger 4.5
aol instant_messenger 4.7.2480

CVE-2002-0100 HIGH

AOL AOLserver 3.4.2 Win32 allows remote attackers to bypass authentication and read password-protected files via a URL that directly references the file.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other

Products Affected

Vendor Product Version
aol aol_server 3.4.2

CVE-2002-0362 HIGH

Buffer overflow in AOL Instant Messenger (AIM) 4.2 and later allows remote attackers to execute arbitrary code via a long AddExternalApp request and a TLV type greater than 0x2711.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other

Products Affected

Vendor Product Version
aol instant_messenger 4.2

CVE-2002-0586 HIGH

Format string vulnerability in Ns_PdLog function for the external database driver proxy daemon library (libnspd.a) of AOLServer 3.0 through 3.4.2 allows remote attackers to execute arbitrary code via the Error or Notice parameters.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other

Products Affected

Vendor Product Version
aol aol_server 3.4.2
aol aol_server 3.3.1
aol aol_server 3.0
aol aol_server 3.1
aol aol_server 3.2.1
aol aol_server 3.2
aol aol_server 3.4
aol aol_server 3.3
aol aol_server 3.4.1

CVE-2002-0587 HIGH

Buffer overflow in Ns_PdLog function for the external database driver proxy daemon library (libnspd.a) of AOLServer 3.0 through 3.4.2 allows remote attackers to cause a denial of service or execute arbitrary code via the Error or Notice parameters.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other

Products Affected

Vendor Product Version
aol aol_server 3.4.2
aol aol_server 3.3.1
aol aol_server 3.0
aol aol_server 3.1
aol aol_server 3.2.1
aol aol_server 3.2
aol aol_server 3.4
aol aol_server 3.3
aol aol_server 3.4.1

CVE-2002-0591 MEDIUM

Directory traversal vulnerability in AOL Instant Messenger (AIM) 4.8 beta and earlier allows remote attackers to create arbitrary files and execute commands via a Direct Connection with an IMG tag with a SRC attribute that specifies the target filename.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other

Products Affected

Vendor Product Version
aol instant_messenger 4.4
aol instant_messenger 4.3
aol instant_messenger 4.7
aol instant_messenger 4.8_beta
aol instant_messenger 4.1
aol instant_messenger 4.2
aol instant_messenger 4.6
aol instant_messenger 4.0
aol instant_messenger 4.5

CVE-2002-0592 HIGH

AOL Instant Messenger (AIM) allows remote attackers to steal files that are being transferred to other clients by connecting to port 4443 (Direct Connection) or port 5190 (file transfer) before the intended user.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other

Products Affected

Vendor Product Version
aol instant_messenger 4.4
aol instant_messenger 3.5.1635
aol instant_messenger 4.3
aol instant_messenger 3.5.1808
aol instant_messenger 4.6
aol instant_messenger 4.8.2646
aol instant_messenger 4.7
aol instant_messenger 3.0.1415
aol instant_messenger 4.3.2229
aol instant_messenger 4.2
aol instant_messenger 2.0.996
aol instant_messenger 3.0.1470
aol instant_messenger 4.5
aol instant_messenger 3.5.1856
aol instant_messenger 3.0_n
aol instant_messenger 2.0.912
aol instant_messenger 4.8.2616
aol instant_messenger 2.5.1366
aol instant_messenger 4.2.1193
aol instant_messenger 2.0_n
aol instant_messenger 2.1.1236
aol instant_messenger 4.1
aol instant_messenger 3.5.1670
aol instant_messenger 4.0
aol instant_messenger 4.1.2010
aol instant_messenger 2.5.1598
aol instant_messenger 4.7.2480

CVE-2002-0785 MEDIUM

AOL Instant Messenger (AIM) allows remote attackers to cause a denial of service (crash) via an "AddBuddy" link with the ScreenName parameter set to a large number of comma-separated values, possibly triggering a buffer overflow.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other

Products Affected

Vendor Product Version
aol instant_messenger 4.4
aol instant_messenger 4.3
aol instant_messenger 4.8.2616
aol instant_messenger 4.6
aol instant_messenger 4.8.2646
aol instant_messenger 4.7
aol instant_messenger 4.2.1193
aol instant_messenger 4.1
aol instant_messenger 4.3.2229
aol instant_messenger 4.2
aol instant_messenger 4.0
aol instant_messenger 4.1.2010
aol instant_messenger 4.5
aol instant_messenger 4.7.2480

CVE-2002-1591 HIGH

AOL Instant Messenger (AIM) 4.7.2480 adds free.aol.com to the Trusted Sites Zone in Internet Explorer without user approval, which could allow code from free.aol.com to bypass intended access restrictions.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other

Products Affected

Vendor Product Version
aol instant_messenger 4.7.2480

CVE-2002-1813 LOW

Directory traversal vulnerability in AOL Instant Messenger (AIM) 4.8.2790 allows remote attackers to execute arbitrary programs by specifying the program in the href attribute of a link.

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-Other

Products Affected

Vendor Product Version
aol instant_messenger 4.8.2616
aol instant_messenger 5.0.2938
aol instant_messenger 4.7.2480
aol instant_messenger 4.8.2646

CVE-2002-1953 MEDIUM

Heap-based buffer overflow in the goim handler of AOL Instant Messenger (AIM) 4.4 through 4.8.2616 allows remote attackers to cause a denial of service (crash) via escaping of the screen name parameter, which triggers the overflow when the user selects "Get Info" on the buddy.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other

Products Affected

Vendor Product Version
aol instant_messenger 4.4
aol instant_messenger 4.7
aol instant_messenger 4.8.2616
aol instant_messenger 4.6
aol instant_messenger 4.5
aol instant_messenger 4.7.2480
aol instant_messenger 4.8.2646

CVE-2002-2169 MEDIUM

Cross-site scripting vulnerability in AOL Instant Messenger (AIM) 4.5 and 4.7 for MacOS and Windows allows remote attackers to conduct unauthorized activities, such as adding buddies and groups to a user's buddy list, via a URL with a META HTTP-EQUIV="refresh" tag to an aim: URL.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other

Products Affected

Vendor Product Version
aol instant_messenger 4.7
aol instant_messenger 4.5
aol instant_messenger 4.7.2480

CVE-2003-1503 HIGH

Buffer overflow in AOL Instant Messenger (AIM) 5.2.3292 allows remote attackers to execute arbitrary code via an aim:getfile URL with a long screen name.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119

Products Affected

Vendor Product Version
aol instant_messenger 5.2.3292

CVE-2004-0636 HIGH

Buffer overflow in the goaway function in the aim:goaway URI handler for AOL Instant Messenger (AIM) 5.5, including 5.5.3595, allows remote attackers to execute arbitrary code via a long Away message.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other

Products Affected

Vendor Product Version
aol instant_messenger 5.5
aol instant_messenger 5.5.3415_beta
aol instant_messenger 5.5.3595

CVE-2004-2373 HIGH

The Buddy icon file for AOL Instant Messenger (AIM) 4.3 through 5.5 is created in a predictable location, which may allow remote attackers to use a shell: URI to exploit other vulnerabilities that involve predictable locations.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other

Products Affected

Vendor Product Version
aol instant_messenger 4.4
aol instant_messenger 4.3
aol instant_messenger 4.8.2616
aol instant_messenger 5.5.3415_beta
aol instant_messenger 5.0.2938
aol instant_messenger 4.6
aol instant_messenger 5.1.3036
aol instant_messenger 4.8.2646
aol instant_messenger 4.7
aol instant_messenger 5.5
aol instant_messenger 4.3.2229
aol instant_messenger 4.8.2790
aol instant_messenger 5.2.3292
aol instant_messenger 4.5
aol instant_messenger 4.7.2480

CVE-2005-1655 MEDIUM

AOL Instant Messenger 5.5.x and earlier allows remote attackers to cause a denial of service (client crash) via an invalid smiley icon location in the sml parameter of a font tag.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other

Products Affected

Vendor Product Version
aol instant_messenger 4.4
aol instant_messenger 3.5.1635
aol instant_messenger 4.3
aol instant_messenger 5.5.3415_beta
aol instant_messenger 3.5.1808
aol instant_messenger 5.0.2938
aol instant_messenger 4.6
aol instant_messenger 1.2
aol instant_messenger 5.5.3595
aol instant_messenger 4.8.2646
aol instant_messenger 4.7
aol instant_messenger 3.0.1415
aol instant_messenger 5.5
aol instant_messenger 4.3.2229
aol instant_messenger 4.2
aol instant_messenger 2.0.996
aol instant_messenger 3.0.1470
aol instant_messenger 5.2.3292
aol instant_messenger 4.5
aol instant_messenger 3.5.1856
aol instant_messenger 3.0_n
aol instant_messenger 2.0.912
aol instant_messenger 4.8.2616
aol instant_messenger 2.5.1366
aol instant_messenger 5.1.3036
aol instant_messenger 4.2.1193
aol instant_messenger 2.0_n
aol instant_messenger 2.1.1236
aol instant_messenger 4.1
aol instant_messenger 3.5.1670
aol instant_messenger 4.8.2790
aol instant_messenger 4.0
aol instant_messenger 5.9.3702
aol instant_messenger 4.1.2010
aol instant_messenger 2.5.1598
aol instant_messenger 4.7.2480

CVE-2005-1891 MEDIUM

The GIF parser in ateimg32.dll in AOL Instant Messenger (AIM) 5.9.3797 and earlier allows remote attackers to cause a denial of service (crash) via a malformed buddy icon that causes an integer underflow in a loop counter variable.

CVSS 3.x

Source: nvd@nist.gov
Score: 7.5 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9
Impact: 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-191

Products Affected

Vendor Product Version
aol aim *

CVE-2005-2597 HIGH

AOL Client Software 9.0 uses insecure permissions for its installation path, which allows local users to execute arbitrary code with SYSTEM privileges by replacing ACSD.exe with a malicious program.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other

Products Affected

Vendor Product Version
aol aol_client_software 9.0

CVE-2006-0316 HIGH

Buffer overflow in YGPPicFinder.DLL in AOL You've Got Pictures (YGP) Picture Finder Tool ActiveX Control, as used in AOL 8.0, 8.0 Plus, and 9.0 Classic, allows remote attackers to execute arbitrary code via unspecified vectors.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other

Products Affected

Vendor Product Version
aol aol_client_software 8.0
aol aol_client_software 9.0

CVE-2006-0526 HIGH

The default configuration of the America Online (AOL) client software allows all users to modify a certain registry value that specifies a DLL file name, which might allow local users to gain privileges via a Trojan horse program.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other

Products Affected

Vendor Product Version
aol aol_client_software 8.0
aol aol_client_software 9.0

CVE-2006-0629 MEDIUM

Unspecified vulnerability in AOL Instant Messenger (AIM) 5.9.3861 allows user-assisted remote attackers to cause a denial of service (client crash) and possibly execute arbitrary code by tricking the user into requesting Buddy Info about a long screen name, which might cause a buffer overflow.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other

Products Affected

Vendor Product Version
aol instant_messenger 5.9.3861

CVE-2007-3350 HIGH

AOL Instant Messenger (AIM) 6.1.32.1 on Windows XP allows remote attackers to cause a denial of service (application hang) via a flood of spoofed SIP INVITE requests.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other

Products Affected

Vendor Product Version
aol instant_messenger 6.1.32.1

CVE-2007-3437 HIGH

AOL Instant Messenger (AIM) 6.1.32.1 on Windows XP allows remote attackers to cause a denial of service (application crash) via a malformed header value in a SIP INVITE message, a different vulnerability than CVE-2007-3350.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other

Products Affected

Vendor Product Version
aol instant_messenger 6.1.32.1

CVE-2009-3658 HIGH

Use-after-free vulnerability in the Sb.SuperBuddy.1 ActiveX control (sb.dll) in America Online (AOL) 9.5.0.1 allows remote attackers to trigger memory corruption or possibly execute arbitrary code via a malformed argument to the SetSuperBuddy method.

CVSS 3.x

Source: nvd@nist.gov
Score: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 2.8
Impact: 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-416

Products Affected

Vendor Product Version
aol superbuddy_activex_control 9.5.0.1

CVE-2012-5816 MEDIUM

AOL Instant Messenger (AIM) 1.0.1.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20

Products Affected

Vendor Product Version
aol aim 1.0.1.2

CVE-2014-5570 MEDIUM

The DailyFinance - Stocks & News (aka com.aol.mobile.dailyFinance) application 2.0.2.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-310

Products Affected

Vendor Product Version
aol dailyfinance_-_stocks_&_news 2.0.2.1