| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
55801 |
CVE-2013-7350 |
|
|
|
2014-04-01 |
2014-04-01 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
Multiple unspecified vulnerabilities in Check Point Security Gateway 80 R71.x before R71.45 (730159141) and R75.20.x before R75.20.4 and 600 and 1100 appliances R75.20.x before R75.20.42 have unknown impact and attack vectors related to "important security fixes." |
|
55802 |
CVE-2013-7349 |
89 |
1
|
Exec Code Sql |
2014-03-31 |
2016-12-30 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Multiple SQL injection vulnerabilities in Gnew 2013.1 allow remote attackers to execute arbitrary SQL commands via the (1) news_id parameter to news/send.php, (2) thread_id parameter to posts/edit.php, or (3) user_email parameter to users/password.php or (4) users/register.php. NOTE: these issues were SPLIT from CVE-2013-5640 due to differences in researchers and disclosure dates. |
|
55803 |
CVE-2013-7348 |
399 |
|
DoS |
2014-04-01 |
2014-04-01 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
Double free vulnerability in the ioctx_alloc function in fs/aio.c in the Linux kernel before 3.12.4 allows local users to cause a denial of service (system crash) or possibly have unspecified other impact via vectors involving an error condition in the aio_setup_ring function. |
|
55804 |
CVE-2013-7346 |
352 |
|
Sql CSRF |
2014-03-27 |
2014-03-27 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in Symphony CMS before 2.3.2 allows remote attackers to hijack the authentication of administrators for requests that conduct SQL injection attacks via the sort parameter to system/authors/, related to CVE-2013-2559. |
|
55805 |
CVE-2013-7345 |
264 |
|
DoS |
2014-03-24 |
2014-11-18 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The BEGIN regular expression in the awk script detector in magic/Magdir/commands in file before 5.15 uses multiple wildcards with unlimited repetitions, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted ASCII file that triggers a large amount of backtracking, as demonstrated via a file with many newline characters. |
|
55806 |
CVE-2013-7344 |
|
|
Exec Code |
2014-03-24 |
2014-03-24 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
Unspecified vulnerability in core/settings.php in ownCloud before 4.0.12 and 4.5.x before 4.5.6 allows remote authenticated users to execute arbitrary PHP code via unknown vectors. NOTE: this issue was SPLIT from CVE-2013-0303 due to different affected versions. |
|
55807 |
CVE-2013-7343 |
79 |
|
XSS |
2014-03-24 |
2014-03-24 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in flowplayer.swf in the Flash fallback feature in Flowplayer HTML5 5.4.3 allows remote attackers to inject arbitrary web script or HTML by using URL encoding within the callback parameter name. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7342. |
|
55808 |
CVE-2013-7342 |
79 |
|
XSS |
2014-03-24 |
2014-03-24 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in flowplayer.swf in the Flash fallback feature in Flowplayer HTML5 5.4.1 allows remote attackers to inject arbitrary web script or HTML via the callback parameter, a related issue to CVE-2013-7341. |
|
55809 |
CVE-2013-7341 |
79 |
|
XSS |
2014-03-24 |
2014-03-24 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in Flowplayer Flash before 3.2.17, as used in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2, allow remote attackers to inject arbitrary web script or HTML by (1) providing a crafted playerId or (2) referencing an external domain, a related issue to CVE-2013-7342. |
|
55810 |
CVE-2013-7340 |
399 |
|
DoS |
2014-03-21 |
2014-03-24 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
VideoLAN VLC Media Player before 2.0.7 allows remote attackers to cause a denial of service (memory consumption) via a crafted playlist file. |
|
55811 |
CVE-2013-7339 |
399 |
|
DoS |
2014-03-24 |
2014-07-17 |
4.7 |
None |
Local |
Medium |
Not required |
None |
None |
Complete |
|
The rds_ib_laddr_check function in net/rds/ib.c in the Linux kernel before 3.12.8 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a bind system call for an RDS socket on a system that lacks RDS transports. |
|
55812 |
CVE-2013-7338 |
20 |
|
DoS |
2014-04-22 |
2019-08-21 |
7.1 |
None |
Remote |
Medium |
Not required |
None |
None |
Complete |
|
Python before 3.3.4 RC1 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a file size value larger than the size of the zip file to the (1) ZipExtFile.read, (2) ZipExtFile.read(n), (3) ZipExtFile.readlines, (4) ZipFile.extract, or (5) ZipFile.extractall function. |
|
55813 |
CVE-2013-7335 |
20 |
|
|
2014-03-12 |
2014-03-13 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Open redirect vulnerability in DotNetNuke (DNN) before 6.2.9 and 7.x before 7.1.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. |
|
55814 |
CVE-2013-7334 |
352 |
|
Sql CSRF |
2014-03-11 |
2014-03-11 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in ImageCMS before 4.2 allows remote attackers to hijack the authentication of administrators for requests that conduct SQL injection attacks via the q parameter, related to CVE-2012-6290. |
|
55815 |
CVE-2013-7332 |
399 |
|
DoS |
2014-02-26 |
2019-05-14 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The Microsoft.XMLDOM ActiveX control in Microsoft Windows 8.1 and earlier does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564. |
|
55816 |
CVE-2013-7331 |
200 |
|
+Info |
2014-02-26 |
2019-05-14 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The Microsoft.XMLDOM ActiveX control in Microsoft Windows 8.1 and earlier allows remote attackers to determine the existence of local pathnames, UNC share pathnames, intranet hostnames, and intranet IP addresses by examining error codes, as demonstrated by a res:// URL, and exploited in the wild in February 2014. |
|
55817 |
CVE-2013-7330 |
264 |
|
|
2014-10-17 |
2016-06-13 |
4.0 |
None |
Remote |
Low |
Single system |
None |
Partial |
None |
|
Jenkins before 1.502 allows remote authenticated users to configure an otherwise restricted project via vectors related to post-build actions. |
|
55818 |
CVE-2013-7329 |
200 |
|
+Info |
2014-10-06 |
2018-03-06 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The CGI::Application module before 4.50_50 and 4.50_51 for Perl, when run modes are not specified, allows remote attackers to obtain sensitive information (web queries and environment details) via vectors related to the dump_html function. |
|
55819 |
CVE-2013-7328 |
189 |
|
DoS +Info |
2014-02-18 |
2014-03-08 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
None |
Partial |
|
Multiple integer signedness errors in the gdImageCrop function in ext/gd/gd.c in PHP 5.5.x before 5.5.9 allow remote attackers to cause a denial of service (application crash) or obtain sensitive information via an imagecrop function call with a negative value for the (1) x or (2) y dimension, a different vulnerability than CVE-2013-7226. |
|
55820 |
CVE-2013-7327 |
20 |
|
DoS |
2014-02-18 |
2016-09-21 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The gdImageCrop function in ext/gd/gd.c in PHP 5.5.x before 5.5.9 does not check return values, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via invalid imagecrop arguments that lead to use of a NULL pointer as a return value, a different vulnerability than CVE-2013-7226. |
|
55821 |
CVE-2013-7326 |
79 |
|
XSS |
2014-02-14 |
2017-08-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in vTiger CRM 5.4.0 allows remote attackers to inject arbitrary web script or HTML via the (1) return_url parameter to modules\com_vtiger_workflow\savetemplate.php, or unspecified vectors to (2) deletetask.php, (3) edittask.php, (4) savetask.php, or (5) saveworkflow.php. |
|
55822 |
CVE-2013-7323 |
|
|
Exec Code |
2014-06-09 |
2014-06-24 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
python-gnupg before 0.3.5 allows context-dependent attackers to execute arbitrary commands via shell metacharacters in unspecified vectors. |
|
55823 |
CVE-2013-7322 |
287 |
|
|
2014-03-09 |
2017-08-28 |
4.9 |
None |
Remote |
Medium |
Single system |
Partial |
Partial |
None |
|
usersfile.c in liboath in OATH Toolkit before 2.4.1 does not properly handle lines containing an invalid one-time-password (OTP) type and a user name in /etc/users.oath, which causes the wrong line to be updated when invalidating an OTP and allows context-dependent attackers to conduct replay attacks, as demonstrated by a commented out line when using libpam-oath. |
|
55824 |
CVE-2013-7321 |
79 |
|
XSS |
2014-02-06 |
2017-08-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in D-Link DAP-2253 Access Point (Rev. A1) with firmware before 1.30 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
|
55825 |
CVE-2013-7320 |
352 |
|
CSRF |
2014-02-06 |
2014-02-21 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in D-Link DAP-2253 Access Point (Rev. A1) with firmware before 1.30 allows remote attackers to hijack the authentication of administrators for requests that modify configuration settings via unspecified vectors. |
|
55826 |
CVE-2013-7319 |
79 |
1
|
XSS |
2014-02-06 |
2017-08-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Download Manager plugin before 2.5.9 for WordPress allows remote attackers to inject arbitrary web script or HTML via the title field. |
|
55827 |
CVE-2013-7318 |
79 |
|
XSS |
2014-01-29 |
2014-08-06 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in BusinessFlow/login in AlgoSec Firewall Analyzer 6.4 allows remote attackers to inject arbitrary web script or HTML via the message parameter. |
|
55828 |
CVE-2013-7317 |
79 |
|
XSS |
2014-01-24 |
2014-02-24 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in CS-Cart before 4.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) settings_file or (2) data_file parameter to (a) ampie.swf, (b) amline.swf, or (c) amcolumn.swf. |
|
55829 |
CVE-2013-7316 |
79 |
1
|
XSS |
2014-01-24 |
2018-10-30 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in GitLab 6.0 and other versions before 6.5.0 allows remote attackers to inject arbitrary web script or HTML via a crafted HTML file, as demonstrated by README.html. |
|
55830 |
CVE-2013-7315 |
264 |
|
DoS CSRF |
2014-01-23 |
2016-11-28 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions. |
|
55831 |
CVE-2013-7314 |
|
|
DoS +Info |
2014-01-23 |
2014-01-23 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The OSPF implementation on NEC IP38X, IX1000, IX2000, and IX3000 routers does not consider the possibility of duplicate Link State ID values in Link State Advertisement (LSA) packets before performing operations on the LSA database, which allows remote attackers to cause a denial of service (routing disruption) or obtain sensitive packet information via a crafted LSA packet, a related issue to CVE-2013-0149. |
|
55832 |
CVE-2013-7313 |
|
|
DoS +Info |
2014-01-23 |
2014-01-23 |
5.4 |
None |
Local Network |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The OSPF implementation in Juniper Junos through 13.x, JunosE, and ScreenOS through 6.3.x does not consider the possibility of duplicate Link State ID values in Link State Advertisement (LSA) packets before performing operations on the LSA database, which allows remote attackers to cause a denial of service (routing disruption) or obtain sensitive packet information via a crafted LSA packet, a related issue to CVE-2013-0149. |
|
55833 |
CVE-2013-7312 |
|
|
DoS +Info |
2014-01-23 |
2014-01-23 |
5.4 |
None |
Local Network |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The OSPF implementation on Enterasys switches and routers does not consider the possibility of duplicate Link State ID values in Link State Advertisement (LSA) packets before performing operations on the LSA database, which allows remote attackers to cause a denial of service (routing disruption) or obtain sensitive packet information via a crafted LSA packet, a related issue to CVE-2013-0149. |
|
55834 |
CVE-2013-7311 |
|
|
DoS +Info |
2014-01-23 |
2014-01-23 |
5.4 |
None |
Local Network |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The OSPF implementation in Check Point Gaia OS R75.X and R76 and IPSO OS 6.2 R75.X and R76 does not consider the possibility of duplicate Link State ID values in Link State Advertisement (LSA) packets before performing operations on the LSA database, which allows remote attackers to cause a denial of service (routing disruption) or obtain sensitive packet information via a crafted LSA packet, a related issue to CVE-2013-0149. |
|
55835 |
CVE-2013-7310 |
|
|
DoS +Info |
2014-01-23 |
2014-01-23 |
5.4 |
None |
Local Network |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The OSPF implementation on Yamaha routers does not consider the possibility of duplicate Link State ID values in Link State Advertisement (LSA) packets before performing operations on the LSA database, which allows remote attackers to cause a denial of service (routing disruption) or obtain sensitive packet information via a crafted LSA packet, a related issue to CVE-2013-0149. |
|
55836 |
CVE-2013-7309 |
|
|
DoS +Info |
2014-01-23 |
2014-01-23 |
5.4 |
None |
Local Network |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The OSPF implementation in Extreme Networks EXOS does not consider the possibility of duplicate Link State ID values in Link State Advertisement (LSA) packets before performing operations on the LSA database, which allows remote attackers to cause a denial of service (routing disruption) or obtain sensitive packet information via a crafted LSA packet, a related issue to CVE-2013-0149. |
|
55837 |
CVE-2013-7308 |
|
|
DoS +Info |
2014-01-23 |
2014-01-23 |
5.4 |
None |
Local Network |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The OSPF implementation on the D-Link DES-3810-28 switch with firmware R2.20.B017 does not consider the possibility of duplicate Link State ID values in Link State Advertisement (LSA) packets before performing operations on the LSA database, which allows remote attackers to cause a denial of service (routing disruption) or obtain sensitive packet information via a crafted LSA packet, a related issue to CVE-2013-0149. |
|
55838 |
CVE-2013-7307 |
|
|
DoS +Info |
2014-01-23 |
2014-01-23 |
5.4 |
None |
Local Network |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The OSPF implementation on the Brocade Vyatta vRouter with software before 6.6R1 does not consider the possibility of duplicate Link State ID values in Link State Advertisement (LSA) packets before performing operations on the LSA database, which allows remote attackers to cause a denial of service (routing disruption) or obtain sensitive packet information via a crafted LSA packet, a related issue to CVE-2013-0149. |
|
55839 |
CVE-2013-7306 |
20 |
|
DoS +Info |
2014-01-23 |
2014-01-23 |
5.4 |
None |
Local Network |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The OSPF implementation on Brocade routers does not consider the possibility of duplicate Link State ID values in Link State Advertisement (LSA) packets before performing operations on the LSA database, which allows remote attackers to cause a denial of service (routing disruption) or obtain sensitive packet information via a crafted LSA packet, a related issue to CVE-2013-0149. |
|
55840 |
CVE-2013-7305 |
255 |
|
|
2014-01-22 |
2014-01-23 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
fpw.php in e107 through 1.0.4 does not check the user_ban field, which makes it easier for remote attackers to reset passwords by sending a pwsubmit request and leveraging access to the e-mail account of a banned user. |
|
55841 |
CVE-2013-7304 |
310 |
|
|
2014-01-22 |
2017-08-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Check Point Endpoint Security MI Server through R73 3.0.0 HFA2.5 does not configure X.509 certificate validation for client devices, which allows man-in-the-middle attackers to spoof SSL servers by presenting an arbitrary certificate during a session established by a client. |
|
55842 |
CVE-2013-7303 |
79 |
|
XSS |
2014-01-30 |
2017-08-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in (1) squelettes-dist/formulaires/inscription.php and (2) prive/forms/editer_auteur.php in SPIP before 2.1.25 and 3.0.x before 3.0.13 allow remote attackers to inject arbitrary web script or HTML via the author name field. |
|
55843 |
CVE-2013-7302 |
287 |
|
|
2014-04-29 |
2014-04-30 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Session fixation vulnerability in the Ubercart module 6.x-2.x before 6.x-2.13 and 7.x-3.x before 7.x-3.6 for Drupal, when the "Log in new customers after checkout" option is enabled, allows remote attackers to hijack web sessions by leveraging knowledge of the original session ID. |
|
55844 |
CVE-2013-7301 |
264 |
|
+Info |
2014-02-01 |
2014-02-03 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Cantata before 1.2.2 does not restrict access to files in the play queue, which allows remote attackers to obtain sensitive information by reading the songs in the queue. |
|
55845 |
CVE-2013-7300 |
22 |
|
Dir. Trav. |
2014-02-01 |
2017-08-28 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Absolute path traversal vulnerability in cantata before 1.2.2 allows local users to read arbitrary files via a full pathname in a request to the internal httpd server. NOTE: this vulnerability can be leveraged by remote attackers using CVE-2013-7301. |
|
55846 |
CVE-2013-7299 |
200 |
|
+Info |
2014-01-26 |
2017-08-28 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
framework/common/messageheaderparser.cpp in Tntnet before 2.2.1 allows remote attackers to obtain sensitive information via a header that ends in \n instead of \r\n, which prevents a null terminator from being added and causes Tntnet to include headers from other requests. |
|
55847 |
CVE-2013-7298 |
399 |
|
DoS |
2014-01-26 |
2017-08-28 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
query_params.cpp in cxxtools before 2.2.1 allows remote attackers to cause a denial of service (infinite recursion and crash) via an HTTP query that contains %% (double percent) characters. |
|
55848 |
CVE-2013-7296 |
119 |
|
DoS Overflow |
2014-01-25 |
2017-08-28 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The JBIG2Stream::readSegments method in JBIG2Stream.cc in Poppler before 0.24.5 does not use the correct specifier within a format string, which allows context-dependent attackers to cause a denial of service (segmentation fault and application crash) via a crafted PDF file. |
|
55849 |
CVE-2013-7295 |
310 |
|
Bypass |
2014-01-17 |
2014-02-11 |
4.0 |
None |
Remote |
High |
Not required |
Partial |
Partial |
None |
|
Tor before 0.2.4.20, when OpenSSL 1.x is used in conjunction with a certain HardwareAccel setting on Intel Sandy Bridge and Ivy Bridge platforms, does not properly generate random numbers for (1) relay identity keys and (2) hidden-service identity keys, which might make it easier for remote attackers to bypass cryptographic protection mechanisms via unspecified vectors. |
|
55850 |
CVE-2013-7294 |
20 |
|
DoS |
2014-01-16 |
2018-01-02 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The ikev2parent_inI1outR1 function in pluto/ikev2_parent.c in libreswan before 3.7 allows remote attackers to cause a denial of service (restart) via an IKEv2 I1 notification without a KE payload. |
