| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2013-3511 | 20 | | | 2013-05-08 | 2013-05-08 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | Open redirect vulnerability in the NeDi component in GroundWork Monitor Enterprise 6.7.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. |
| 2 | CVE-2013-3504 | 22 | | Dir. Trav. | 2013-05-08 | 2013-05-08 | 5.5 | None | Remote | Low | Single system | None | Partial | Partial | Directory traversal vulnerability in monarch.cgi in the MONARCH component in GroundWork Monitor Enterprise 6.7.0 allows remote authenticated users to overwrite arbitrary files by leveraging access to the nagios account. |
| 3 | CVE-2013-3336 | | | | 2013-05-09 | 2013-05-10 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Unspecified vulnerability in Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 allows remote attackers to read arbitrary files via unknown vectors. |
| 4 | CVE-2013-3242 | 20 | | DoS | 2013-05-03 | 2013-05-03 | 5.5 | None | Remote | Low | Single system | None | Partial | Partial | plugins/system/remember/remember.php in Joomla! 2.5.x before 2.5.10 and 3.0.x before 3.0.4 does not properly handle an object obtained by unserializing a cookie, which allows remote authenticated users to conduct PHP object injection attacks and cause a denial of service via unspecified vectors. |
| 5 | CVE-2013-3210 | 200 | | +Info | 2013-04-19 | 2013-04-22 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Opera before 12.15 does not properly block top-level domains in Set-Cookie headers, which allows remote attackers to obtain sensitive information by leveraging control of a different web site in the same top-level domain. |
| 6 | CVE-2013-2835 | 264 | | Bypass | 2013-04-16 | 2013-04-17 | 5.0 | None | Remote | Low | Not required | None | Partial | None | Google Chrome OS before 26.0.1410.57 does not properly enforce origin restrictions for the O3D and Google Talk plug-ins, which allows remote attackers to bypass the domain-whitelist protection mechanism via a crafted web site, a different vulnerability than CVE-2013-2834. |
| 7 | CVE-2013-2834 | 264 | | Bypass | 2013-04-16 | 2013-04-17 | 5.0 | None | Remote | Low | Not required | None | Partial | None | Google Chrome OS before 26.0.1410.57 does not properly enforce origin restrictions for the O3D and Google Talk plug-ins, which allows remote attackers to bypass the domain-whitelist protection mechanism via a crafted web site, a different vulnerability than CVE-2013-2835. |
| 8 | CVE-2013-2832 | 119 | | Overflow +Info | 2013-04-16 | 2013-04-18 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The Buffer::Set function in core/cross/buffer.cc in the O3D plug-in in Google Chrome OS before 26.0.1410.57 does not prevent uninitialized data from remaining in a buffer, which might allow remote attackers to obtain sensitive information via unspecified vectors. |
| 9 | CVE-2013-2770 | 20 | | | 2013-04-07 | 2013-04-09 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | The installation functionality in the Novell Kanaka component before 2.8 for Novell Open Enterprise Server (OES) on Mac OS X does not verify the server's X.509 certificate during an SSL session, which allows man-in-the-middle attackers to spoof servers via an arbitrary certificate. |
| 10 | CVE-2013-2767 | | | Bypass | 2013-04-25 | 2013-05-02 | 5.4 | None | Remote | High | Not required | Complete | None | None | Unspecified vulnerability in Citrix NetScaler Access Gateway Enterprise Edition (AGEE) before 9.3.62.4 and 10.x through 10.0.74.4, and NetScaler AGEE Common Criteria build before 9.3.53.6, allows remote attackers to bypass intended intranet access restrictions via unknown vectors. |
| 11 | CVE-2013-2763 | 119 | | DoS Overflow | 2013-04-04 | 2013-04-04 | 5.0 | None | Remote | Low | Not required | None | None | Partial | ** DISPUTED ** The Schneider Electric M340 PLC modules allow remote attackers to cause a denial of service (resource consumption) via unspecified vectors. NOTE: the vendor reportedly disputes this issue because it "could not be duplicated" and "an attacker could not remotely exploit this observed behavior to deny PLC control functions." |
| 12 | CVE-2013-2744 | 200 | | +Info | 2013-04-02 | 2013-04-02 | 5.0 | None | Remote | Low | Not required | Partial | None | None | importbuddy.php in the BackupBuddy plugin 2.2.25 for WordPress allows remote attackers to obtain configuration information via a step 0 phpinfo action, which calls the phpinfo function. |
| 13 | CVE-2013-2737 | 200 | | +Info | 2013-05-16 | 2013-05-16 | 5.0 | None | Remote | Low | Not required | Partial | None | None | A JavaScript API in Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 allows attackers to obtain sensitive information via unspecified vectors. |
| 14 | CVE-2013-2716 | 310 | | | 2013-04-10 | 2013-04-11 | 5.0 | None | Remote | Low | Not required | None | Partial | None | Puppet Labs Puppet Enterprise before 2.8.0 does not use a "randomized secret" in the CAS client config file (cas_client_config.yml) when upgrading from older 1.2.x or 2.0.x versions, which allows remote attackers to obtain console access via a crafted cookie. |
| 15 | CVE-2013-2686 | 119 | | DoS Overflow | 2013-04-01 | 2013-04-01 | 5.0 | None | Remote | Low | Not required | None | None | Partial | main/http.c in the HTTP server in Asterisk Open Source 1.8.x before 1.8.20.2, 10.x before 10.12.2, and 11.x before 11.2.2; Certified Asterisk 1.8.15 before 1.8.15-cert2; and Asterisk Digiumphones 10.x-digiumphones before 10.12.2-digiumphones does not properly restrict Content-Length values, which allows remote attackers to conduct stack-consumption attacks and cause a denial of service (daemon crash) via a crafted HTTP POST request. NOTE: this vulnerability exists because of an incorrect fix for CVE-2012-5976. |
| 16 | CVE-2013-2640 | 264 | | XSS | 2013-03-22 | 2013-04-05 | 5.0 | None | Remote | Low | Not required | None | Partial | None | ajax.functions.php in the MailUp plugin before 1.3.2 for WordPress does not properly restrict access to unspecified Ajax functions, which allows remote attackers to modify plugin settings and conduct cross-site scripting (XSS) attacks via unspecified vectors related to "formData=save" requests, a different version than CVE-2013-0731. |
| 17 | CVE-2013-2633 | 20 | | +Info | 2013-03-21 | 2013-04-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Piwik before 1.11 accepts input from a POST request instead of a GET request in unspecified circumstances, which might allow attackers to obtain sensitive information by leveraging the logging of parameters. |
| 18 | CVE-2013-2503 | 20 | | | 2013-03-11 | 2013-04-10 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | Privoxy before 3.0.21 does not properly handle Proxy-Authenticate and Proxy-Authorization headers in the client-server data stream, which makes it easier for remote HTTP servers to spoof the intended proxy service via a 407 (aka Proxy Authentication Required) HTTP status code. |
| 19 | CVE-2013-2438 | | | | 2013-04-17 | 2013-04-18 | 5.0 | None | Remote | Low | Not required | None | Partial | None | Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier allows remote attackers to affect integrity via unknown vectors related to JavaFX. |
| 20 | CVE-2013-2424 | | | | 2013-04-17 | 2013-04-18 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier allows remote attackers to affect confidentiality via vectors related to JMX. |
| 21 | CVE-2013-2419 | | | | 2013-04-17 | 2013-04-18 | 5.0 | None | Remote | Low | Not required | None | None | Partial | Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier allows remote attackers to affect availability via unknown vectors related to 2D. |
| 22 | CVE-2013-2417 | | | | 2013-04-17 | 2013-04-18 | 5.0 | None | Remote | Low | Not required | None | None | Partial | Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier allows remote attackers to affect availability via unknown vectors related to Networking. |
| 23 | CVE-2013-2409 | | | | 2013-04-17 | 2013-04-18 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.51, 8.52, and 8.53 allows remote attackers to affect confidentiality via vectors related to PIA Core Technology. |
| 24 | CVE-2013-2405 | | | | 2013-04-17 | 2013-05-16 | 5.5 | None | Remote | Low | Single system | Partial | Partial | None | Unspecified vulnerability in the Primavera P6 Enterprise Project Portfolio Management component in Oracle Primavera Products Suite 7.0, 8.1, and 8.2 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Web Access. |
| 25 | CVE-2013-2397 | | | | 2013-04-17 | 2013-04-18 | 5.5 | None | Remote | Low | Single system | Partial | Partial | None | Unspecified vulnerability in the Oracle Retail Central Office component in Oracle Industry Applications 13.1, 13.2, 13.3, and 13.4 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Customer Operations (Add, Search). |
| 26 | CVE-2013-2388 | | | | 2013-04-17 | 2013-04-18 | 5.0 | None | Remote | Low | Not required | None | None | Partial | Unspecified vulnerability in the Oracle Applications Technology Stack component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1.3 allows remote attackers to affect availability via unknown vectors related to Mid Tier File Management. |
| 27 | CVE-2013-2371 | 200 | | +Info | 2013-03-15 | 2013-03-18 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The Web API in the Statistics Server in TIBCO Spotfire Statistics Services 3.3.x before 3.3.1, 4.5.x before 4.5.1, and 5.0.x before 5.0.1 allows remote attackers to obtain sensitive information via an unspecified HTTP request. |
| 28 | CVE-2013-2307 | | | | 2013-04-26 | 2013-04-29 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | The Yahoo! Browser application before 1.4.3 for Android allows remote attackers to spoof the address bar via a crafted web site. |
| 29 | CVE-2013-2306 | | | | 2013-04-26 | 2013-04-26 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | The jigbrowser+ application before 1.6.4 for Android does not properly open windows, which allows remote attackers to spoof the address bar via a crafted web site. |
| 30 | CVE-2013-2304 | 264 | | +Info | 2013-04-16 | 2013-04-16 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | The Sleipnir Mobile application 2.8.0 and earlier and Sleipnir Mobile Black Edition application 2.8.0 and earlier for Android allow remote attackers to load arbitrary Extension APIs, and trigger downloads or obtain sensitive HTTP response-body information, via a crafted web page. |
| 31 | CVE-2013-2303 | | | | 2013-04-16 | 2013-04-16 | 5.0 | None | Remote | Low | Not required | None | Partial | None | Sleipnir 4.0.0.4000 and earlier on Windows allows remote attackers to spoof the SSL lock icon and address-bar colors via unspecified vectors. |
| 32 | CVE-2013-2300 | 264 | | +Info | 2013-03-27 | 2013-03-28 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The FlickWnn (aka OpenWnn/Flick support) application 2.02 and earlier for Android uses weak permissions for unspecified files, which allows attackers to obtain sensitive information via an application that accesses the local filesystem. |
| 33 | CVE-2013-2293 | 399 | | DoS | 2013-03-12 | 2013-03-18 | 5.0 | None | Remote | Low | Not required | None | None | Partial | The CTransaction::FetchInputs method in bitcoind and Bitcoin-Qt before 0.8.0rc1 copies transactions from disk to memory without incrementally checking for spent prevouts, which allows remote attackers to cause a denial of service (disk I/O consumption) via a Bitcoin transaction with many inputs corresponding to many different parts of the stored block chain. |
| 34 | CVE-2013-2273 | 200 | | +Info | 2013-03-12 | 2013-03-18 | 5.0 | None | Remote | Low | Not required | Partial | None | None | bitcoind and Bitcoin-Qt before 0.4.9rc1, 0.5.x before 0.5.8rc1, 0.6.0 before 0.6.0.11rc1, 0.6.1 through 0.6.5 before 0.6.5rc1, and 0.7.x before 0.7.3rc1 make it easier for remote attackers to obtain potentially sensitive information about returned change by leveraging certain predictability in the outputs of a Bitcoin transaction. |
| 35 | CVE-2013-2272 | 200 | | +Info | 2013-03-12 | 2013-03-18 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The penny-flooding protection mechanism in the CTxMemPool::accept method in bitcoind and Bitcoin-Qt before 0.4.9rc1, 0.5.x before 0.5.8rc1, 0.6.0 before 0.6.0.11rc1, 0.6.1 through 0.6.5 before 0.6.5rc1, and 0.7.x before 0.7.3rc1 allows remote attackers to determine associations between wallet addresses and IP addresses via a series of large Bitcoin transactions with insufficient fees. |
| 36 | CVE-2013-2264 | 200 | | +Info | 2013-04-01 | 2013-04-01 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The SIP channel driver in Asterisk Open Source 1.8.x before 1.8.20.2, 10.x before 10.12.2, and 11.x before 11.2.2; Certified Asterisk 1.8.15 before 1.8.15-cert2; Asterisk Business Edition (BE) C.3.x before C.3.8.1; and Asterisk Digiumphones 10.x-digiumphones before 10.12.2-digiumphones exhibits different behavior for invalid INVITE, SUBSCRIBE, and REGISTER transactions depending on whether the user account exists, which allows remote attackers to enumerate account names by (1) reading HTTP status codes, (2) reading additional text in a 403 (aka Forbidden) response, or (3) observing whether certain retransmissions occur. |
| 37 | CVE-2013-2263 | 264 | | | 2013-03-19 | 2013-03-21 | 5.0 | None | Remote | Low | Not required | None | Partial | None | Unspecified vulnerability in Citrix Access Gateway Standard Edition 5.0.x before 5.0.4.223524 allows remote attackers to access network resources via unknown attack vectors. |
| 38 | CVE-2013-2020 | 189 | | DoS | 2013-05-13 | 2013-05-14 | 5.0 | None | Remote | Low | Not required | None | None | Partial | Integer underflow in the cli_scanpe function in pe.c in ClamAV before 0.97.8 allows remote attackers to cause a denial of service (crash) via a skewed offset larger than the size of the PE section in a UPX packed executable, which triggers an out-of-bounds read. |
| 39 | CVE-2013-1949 | | | | 2013-04-25 | 2013-05-01 | 5.0 | None | Remote | Low | Not required | None | Partial | None | Social Media Widget (social-media-widget) plugin 4.0 for WordPress contains an externally introduced modification (Trojan Horse), which allows remote attackers to force the upload of arbitrary files. |
| 40 | CVE-2013-1944 | 200 | | +Info | 2013-04-29 | 2013-04-30 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The tailMatch function in cookie.c in cURL and libcurl before 7.30.0 does not properly match the path domain when sending cookies, which allows remote attackers to steal cookies via a matching suffix in the domain of a URL. |
| 41 | CVE-2013-1926 | | | +Info | 2013-04-29 | 2013-05-14 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | The IcedTea-Web plugin before 1.2.3 and 1.3.x before 1.3.2 uses the same class loader for applets with the same codebase path but from different domains, which allows remote attackers to obtain sensitive information or possibly alter other applets via a crafted applet. |
| 42 | CVE-2013-1914 | 119 | | DoS Overflow | 2013-04-29 | 2013-04-30 | 5.0 | None | Remote | Low | Not required | None | None | Partial | Stack-based buffer overflow in the getaddrinfo function in sysdeps/posix/getaddrinfo.c in GNU C Library (aka glibc or libc6) 2.17 and earlier allows remote attackers to cause a denial of service (crash) via a (1) hostname or (2) IP address that triggers a large number of domain conversion results. |
| 43 | CVE-2013-1912 | 119 | | DoS Exec Code Overflow | 2013-04-10 | 2013-05-14 | 5.1 | None | Remote | High | Not required | Partial | Partial | Partial | Buffer overflow in HAProxy 1.4 through 1.4.22 and 1.5-dev through 1.5-dev17, when HTTP keep-alive is enabled, using HTTP keywords in TCP inspection rules, and running with rewrite rules that append to requests, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted pipelined HTTP requests that prevent request realignment from occurring. |
| 44 | CVE-2013-1884 | 119 | | DoS Overflow | 2013-05-02 | 2013-05-03 | 5.0 | None | Remote | Low | Not required | None | None | Partial | The mod_dav_svn Apache HTTPD server module in Subversion 1.7.0 through 1.7.8 allows remote attackers to cause a denial of service (segmentation fault and crash) via a log REPORT request with an invalid limit, which triggers an access of an uninitialized variable. |
| 45 | CVE-2013-1861 | 119 | | DoS Overflow | 2013-03-28 | 2013-03-29 | 5.0 | None | Remote | Low | Not required | None | None | Partial | MariaDB 5.5.x before 5.5.30, 5.3.x before 5.3.13, 5.2.x before 5.2.15, and 5.1.x before 5.1.68, and unspecified versions of Oracle MySQL, allow remote attackers to cause a denial of service (crash) via a crafted geometry feature that specifies a large number of points, which is not properly handled when processing the binary representation of this feature, related to a numeric calculation error. |
| 46 | CVE-2013-1856 | 20 | | DoS | 2013-03-19 | 2013-03-21 | 5.8 | None | Remote | Medium | Not required | Partial | None | Partial | The ActiveSupport::XmlMini_JDOM backend in lib/active_support/xml_mini/jdom.rb in the Active Support component in Ruby on Rails 3.0.x and 3.1.x before 3.1.12 and 3.2.x before 3.2.13, when JRuby is used, does not properly restrict the capabilities of the XML parser, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving (1) an external DTD or (2) an external entity declaration in conjunction with an entity reference. |
| 47 | CVE-2013-1854 | 20 | | DoS | 2013-03-19 | 2013-05-14 | 5.0 | None | Remote | Low | Not required | None | None | Partial | The Active Record component in Ruby on Rails 2.3.x before 2.3.18, 3.1.x before 3.1.12, and 3.2.x before 3.2.13 processes certain queries by converting hash keys to symbols, which allows remote attackers to cause a denial of service via crafted input to a where method. |
| 48 | CVE-2013-1847 | | | DoS | 2013-05-02 | 2013-05-03 | 5.0 | None | Remote | Low | Not required | None | None | Partial | The mod_dav_svn Apache HTTPD server module in Subversion 1.6.0 through 1.6.20 and 1.7.0 through 1.7.8 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via an anonymous LOCK for a URL that does not exist. |
| 49 | CVE-2013-1831 | 200 | | +Info | 2013-03-25 | 2013-03-26 | 5.0 | None | Remote | Low | Not required | Partial | None | None | lib/setuplib.php in Moodle through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 allows remote attackers to obtain sensitive information via an invalid request, which reveals the absolute path in an exception message. |
| 50 | CVE-2013-1830 | 264 | | +Info | 2013-03-25 | 2013-03-26 | 5.0 | None | Remote | Low | Not required | Partial | None | None | user/view.php in Moodle through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 does not enforce the forceloginforprofiles setting, which allows remote attackers to obtain sensitive course-profile information by leveraging the guest role, as demonstrated by a Google search. |