| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 60601 | CVE-2013-0337 | 264 | | +Info | 2013-10-26 | 2018-10-30 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | The default configuration of nginx, possibly 1.3.13 and earlier, uses world-readable permissions for the (1) access.log and (2) error.log files, which allows local users to obtain sensitive information by reading the files. |
| 60602 | CVE-2013-0336 | 20 | | DoS | 2014-11-03 | 2017-08-28 | 5.0 | None | Remote | Low | Not required | None | None | Partial | The ipapwd_chpwop function in daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c in the directory server (dirsrv) in FreeIPA before 3.2.0 allows remote attackers to cause a denial of service (crash) via a connection request without a username/dn, related to the 389 directory server. |
| 60603 | CVE-2013-0335 | 264 | | | 2013-03-22 | 2013-06-04 | 6.0 | None | Remote | Medium | Single system | Partial | Partial | Partial | OpenStack Compute (Nova) Grizzly, Folsom (2012.2), and Essex (2012.1) allows remote authenticated users to gain access to a VM in opportunistic circumstances by using the VNC token for a deleted VM that was bound to the same VNC port. |
| 60604 | CVE-2013-0334 | 20 | | | 2014-10-31 | 2019-07-16 | 5.0 | None | Remote | Low | Not required | None | Partial | None | Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source. |
| 60605 | CVE-2013-0333 | | | Exec Code Sql Bypass | 2013-01-30 | 2019-08-08 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows remote attackers to execute arbitrary code, conduct SQL injection attacks, or bypass authentication via crafted data that triggers unsafe decoding, a different vulnerability than CVE-2013-0156. |
| 60606 | CVE-2013-0332 | 22 | | Dir. Trav. | 2013-03-20 | 2013-03-21 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Multiple directory traversal vulnerabilities in ZoneMinder 1.24.x before 1.24.4 allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) view, (2) request, or (3) action parameter. |
| 60607 | CVE-2013-0331 | 20 | | DoS | 2013-03-19 | 2016-06-13 | 4.0 | None | Remote | Low | Single system | None | None | Partial | Jenkins before 1.502 and LTS before 1.480.3 allows remote authenticated users with write access to cause a denial of service via a crafted payload. |
| 60608 | CVE-2013-0330 | | | | 2013-03-19 | 2016-06-13 | 4.0 | None | Remote | Low | Single system | None | Partial | None | Unspecified vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote authenticated users with write access to build arbitrary jobs via unknown attack vectors. |
| 60609 | CVE-2013-0329 | | | Bypass CSRF | 2013-03-19 | 2016-06-13 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Unspecified vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to bypass the CSRF protection mechanism via unknown attack vectors. |
| 60610 | CVE-2013-0328 | 352 | | XSS | 2013-03-19 | 2016-06-13 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 60611 | CVE-2013-0327 | 352 | | CSRF | 2013-03-19 | 2016-06-13 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Cross-site request forgery (CSRF) vulnerability in Jenkins master in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to hijack the authentication of users via unknown vectors. |
| 60612 | CVE-2013-0325 | 79 | | XSS | 2013-03-27 | 2013-03-28 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in the Varnish module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.0-beta2 for Drupal allow remote attackers to inject arbitrary web script or HTML via a crafted (1) Watchdog message or (2) admin setting. |
| 60613 | CVE-2013-0323 | 79 | | XSS | 2013-03-27 | 2013-04-04 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in the Display Suite module 7.x-1.x before 7.x-1.7 and 7.x-2.x before 7.x-2.1 for Drupal allows remote attackers to inject arbitrary web script or HTML via the author field. |
| 60614 | CVE-2013-0322 | 79 | | XSS | 2013-03-27 | 2013-07-19 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in Views in the Ubercart module 7.x-3.x before 7.x-3.4 for Drupal allows remote attackers to inject arbitrary web script or HTML via the full name field. |
| 60615 | CVE-2013-0321 | 79 | | XSS | 2013-03-27 | 2013-03-28 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in Views in the Ubercart Views (uc_views) module 6.x before 6.x-3.3 for Drupal allows remote attackers to inject arbitrary web script or HTML via the full name field. |
| 60616 | CVE-2013-0320 | 352 | | CSRF | 2013-03-27 | 2013-03-28 | 5.1 | None | Remote | High | Not required | Partial | Partial | Partial | Cross-site request forgery (CSRF) vulnerability in the Taxonomy Manager (taxonomy_manager) module 6.x-2.x before 6.x-2.2 and 7.x-1.x before 7.x-1.0-rc1 for Drupal allows remote attackers to hijack the authentication of users with 'administer taxonomy' permissions via unspecified vectors. |
| 60617 | CVE-2013-0319 | 79 | | XSS | 2013-03-27 | 2013-04-04 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in the Yandex.Metrics module 6.x-1.x before 6.x-1.6 and 7.x-1.x before 7.x-1.5 for Drupal allows remote attackers to inject arbitrary web script or HTML via vectors related to the Yandex.Metrica service data. |
| 60618 | CVE-2013-0318 | 264 | | Bypass | 2013-03-27 | 2013-03-28 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | The admin page in the Banckle Chat module for Drupal does not properly restrict access, which allows remote attackers to bypass intended restrictions via unspecified vectors. |
| 60619 | CVE-2013-0317 | 79 | | XSS | 2013-03-27 | 2013-04-04 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in the Manager Change for Organic Groups (og_manager_change) module 7.x-2.x before 7.x-2.1 for Drupal might allow remote attackers to inject arbitrary web script or HTML via the username in the new manager autocomplete field. |
| 60620 | CVE-2013-0316 | 399 | | DoS | 2013-03-27 | 2013-03-28 | 5.0 | None | Remote | Low | Not required | None | None | Partial | The Image module in Drupal 7.x before 7.20 allows remote attackers to cause a denial of service (CPU and disk space consumption) via a large number of new derivative requests. |
| 60621 | CVE-2013-0315 | 264 | | | 2013-04-12 | 2013-04-15 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The GateIn Portal export/import gadget in JBoss Enterprise Portal Platform 5.2.2 allows remote attackers to read arbitrary files via a crafted external XML entity in an XML document, aka an XML Entity Expansion (XEE) attack. |
| 60622 | CVE-2013-0314 | 287 | | | 2013-04-12 | 2013-04-15 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | The GateIn Portal export/import gadget in JBoss Enterprise Portal Platform 5.2.2 does not properly check authentication when importing Zip files, which allows remote attackers to modify site contents, remove the site, or alter the access controls for portlets. |
| 60623 | CVE-2013-0313 | | | DoS | 2013-02-21 | 2013-02-22 | 6.2 | None | Local | High | Not required | Complete | Complete | Complete | The evm_update_evmxattr function in security/integrity/evm/evm_crypto.c in the Linux kernel before 3.7.5, when the Extended Verification Module (EVM) is enabled, allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via an attempted removexattr operation on an inode of a sockfs filesystem. |
| 60624 | CVE-2013-0312 | 189 | | DoS | 2013-03-13 | 2013-03-19 | 5.0 | None | Remote | Low | Not required | None | None | Partial | 389 Directory Server before 1.3.0.4 allows remote attackers to cause a denial of service (crash) via a zero length LDAP control sequence. |
| 60625 | CVE-2013-0311 | | | | 2013-02-21 | 2019-04-22 | 6.5 | None | Local Network | High | Single system | Complete | Complete | Complete | The translate_desc function in drivers/vhost/vhost.c in the Linux kernel before 3.7 does not properly handle cross-region descriptors, which allows guest OS users to obtain host OS privileges by leveraging KVM guest OS privileges. |
| 60626 | CVE-2013-0310 | 119 | | DoS Overflow | 2013-02-21 | 2019-04-22 | 6.6 | None | Local | Medium | Single system | Complete | Complete | Complete | The cipso_v4_validate function in net/ipv4/cipso_ipv4.c in the Linux kernel before 3.4.8 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via an IPOPT_CIPSO IP_OPTIONS setsockopt system call. |
| 60627 | CVE-2013-0309 | 119 | | DoS Overflow | 2013-02-21 | 2019-04-22 | 4.7 | None | Local | Medium | Not required | None | None | Complete | arch/x86/include/asm/pgtable.h in the Linux kernel before 3.6.2, when transparent huge pages are used, does not properly support PROT_NONE memory regions, which allows local users to cause a denial of service (system crash) via a crafted application. |
| 60628 | CVE-2013-0308 | 20 | | | 2013-03-08 | 2017-08-28 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | The imap-send command in GIT before 1.8.1.4 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. |
| 60629 | CVE-2013-0306 | 189 | | DoS Bypass | 2013-05-02 | 2013-05-14 | 5.0 | None | Remote | Low | Not required | None | None | Partial | The form library in Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 allows remote attackers to bypass intended resource limits for formsets and cause a denial of service (memory consumption) or trigger server errors via a modified max_num parameter. |
| 60630 | CVE-2013-0305 | 200 | | +Info | 2013-05-02 | 2013-05-14 | 4.0 | None | Remote | Low | Single system | Partial | None | None | The administrative interface for Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 does not check permissions for the history view, which allows remote authenticated administrators to obtain sensitive object history information. |
| 60631 | CVE-2013-0304 | 264 | | CSRF | 2014-06-05 | 2014-06-05 | 4.0 | None | Remote | Low | Single system | Partial | None | None | ownCloud Server before 4.5.7 does not properly check ownership of calendars, which allows remote authenticated users to read arbitrary calendars via the calid parameter to /apps/calendar/export.php. NOTE: this issue has been reported as a cross-site request forgery (CSRF) vulnerability, but due to lack of details, it is uncertain what the root cause is. |
| 60632 | CVE-2013-0303 | | | Exec Code | 2014-03-24 | 2014-03-24 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial | Unspecified vulnerability in core/ajax/translations.php in ownCloud before 4.0.12 and 4.5.x before 4.5.6 allows remote authenticated users to execute arbitrary PHP code via unknown vectors. NOTE: this entry has been SPLIT due to different affected versions. The core/settings.php issue is covered by CVE-2013-7344. |
| 60633 | CVE-2013-0302 | | | +Info | 2014-06-05 | 2014-06-24 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Unspecified vulnerability in ownCloud Server before 4.0.12 allows remote attackers to obtain sensitive information via unspecified vectors related to "inclusion of the Amazon SDK testing suite." NOTE: due to lack of details, it is not clear whether the issue exists in ownCloud itself, or in Amazon SDK. |
| 60634 | CVE-2013-0301 | 352 | | CSRF | 2014-03-14 | 2014-03-25 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Cross-site request forgery (CSRF) vulnerability in apps/calendar/ajax/settings/settimezone in ownCloud before 4.0.12 allows remote attackers to hijack the authentication of users for requests that change the timezone via the timezone parameter. |
| 60635 | CVE-2013-0300 | 352 | | CSRF | 2014-03-14 | 2014-03-25 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud 4.5.x before 4.5.7 allow remote attackers to hijack the authentication of users for requests that (1) change the default view via the v parameter to apps/calendar/ajax/changeview.php, mount arbitrary (2) Google Drive or (3) Dropbox folders via vectors related to addRootCertificate.php, dropbox.php and google.php in apps/files_external/ajax/, or (4) change the authentication server URL via unspecified vectors to apps/user_webdavauth/settings.php. |
| 60636 | CVE-2013-0299 | 352 | | CSRF | 2014-03-14 | 2014-03-25 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud before 4.0.12 and 4.5.x before 4.5.7 allow remote attackers to hijack the authentication of users for requests that (1) change the timezone for the user via the lat and lng parameters to apps/calendar/ajax/settings/guesstimezone.php, (2) disable or enable the automatic timezone detection via the timezonedetection parameter to apps/calendar/ajax/settings/timezonedetection.php, (3) import user accounts via the admin_export parameter to apps/admin_migrate/settings.php, (4) overwrite user files via the operation parameter to apps/user_migrate/ajax/export.php, or (5) change the authentication server URL via unspecified vectors to apps/user_ldap/settings.php. |
| 60637 | CVE-2013-0298 | 79 | | XSS | 2014-03-14 | 2014-03-25 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.x before 4.5.7 allow remote attackers to inject arbitrary web script or HTML via (1) a crafted iCalendar file to the calendar application, the (2) dir or (3) file parameter to apps/files_pdfviewer/viewer.php, or the (4) mountpoint parameter to /apps/files_external/addMountPoint.php. |
| 60638 | CVE-2013-0296 | 264 | | Bypass | 2014-04-27 | 2014-04-28 | 4.4 | None | Local | Medium | Not required | Partial | Partial | Partial | Race condition in pigz before 2.2.5 uses permissions derived from the umask when compressing a file before setting that file's permissions to match those of the original file, which might allow local users to bypass intended access permissions while compression is occurring. |
| 60639 | CVE-2013-0292 | 20 | 1 | +Priv | 2013-03-05 | 2017-08-28 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete | The dbus_g_proxy_manager_filter function in dbus-gproxy in Dbus-glib before 0.100.1 does not properly verify the sender of NameOwnerChanged signals, which allows local users to gain privileges via a spoofed signal. |
| 60640 | CVE-2013-0290 | 20 | | DoS | 2013-02-19 | 2013-09-11 | 4.9 | None | Local | Low | Not required | None | None | Complete | The __skb_recv_datagram function in net/core/datagram.c in the Linux kernel before 3.8 does not properly handle the MSG_PEEK flag with zero-length data, which allows local users to cause a denial of service (infinite loop and system hang) via a crafted application. |
| 60641 | CVE-2013-0289 | 310 | | | 2014-05-23 | 2017-08-28 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | Isync 0.4 before 1.0.6 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. |
| 60642 | CVE-2013-0288 | 119 | | DoS Exec Code Overflow | 2013-03-05 | 2017-08-28 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | nss-pam-ldapd before 0.7.18 and 0.8.x before 0.8.11 allows context-dependent attackers to cause a denial of service (application crash) and possibly execute arbitrary code by performing a name lookup on an application with a large number of open file descriptors, which triggers a stack-based buffer overflow related to incorrect use of the FD_SET macro. |
| 60643 | CVE-2013-0287 | 264 | | Bypass | 2013-03-21 | 2013-05-14 | 4.9 | None | Remote | Medium | Single system | Partial | Partial | None | The Simple Access Provider in System Security Services Daemon (SSSD) 1.9.0 through 1.9.4, when the Active Directory provider is used, does not properly enforce the simple_deny_groups option, which allows remote authenticated users to bypass intended access restrictions. |
| 60644 | CVE-2013-0285 | 20 | | DoS Exec Code | 2013-04-09 | 2013-04-16 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | The nori gem 2.0.x before 2.0.2, 1.1.x before 1.1.4, and 1.0.x before 1.0.3 for Ruby does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156. |
| 60645 | CVE-2013-0284 | 200 | | +Info | 2013-04-09 | 2013-04-10 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Ruby agent 3.2.0 through 3.5.2 serializes sensitive data when communicating with servers operated by New Relic, which allows remote attackers to obtain sensitive information (database credentials and SQL statements) by sniffing the network and deserializing the data. |
| 60646 | CVE-2013-0282 | 287 | | Bypass | 2013-04-12 | 2018-11-16 | 5.0 | None | Remote | Low | Not required | Partial | None | None | OpenStack Keystone Grizzly before 2013.1, Folsom 2012.1.3 and earlier, and Essex does not properly check if the (1) user, (2) tenant, or (3) domain is enabled when using EC2-style authentication, which allows context-dependent attackers to bypass access restrictions. |
| 60647 | CVE-2013-0281 | 399 | | DoS | 2013-11-23 | 2019-04-22 | 4.3 | None | Remote | Medium | Not required | None | None | Partial | Pacemaker 1.1.10, when remote Cluster Information Base (CIB) configuration or resource management is enabled, does not limit the duration of connections to the blocking sockets, which allows remote attackers to cause a denial of service (connection blocking). |
| 60648 | CVE-2013-0277 | | | DoS Exec Code | 2013-02-12 | 2019-08-08 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | ActiveRecord in Ruby on Rails before 2.3.17 and 3.x before 3.1.0 allows remote attackers to cause a denial of service or execute arbitrary code via crafted serialized attributes that cause the +serialize+ helper to deserialize arbitrary YAML. |
| 60649 | CVE-2013-0276 | 264 | | Bypass | 2013-02-12 | 2019-08-08 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | ActiveRecord in Ruby on Rails before 2.3.17, 3.1.x before 3.1.11, and 3.2.x before 3.2.12 allows remote attackers to bypass the attr_protected protection mechanism and modify protected model attributes via a crafted request. |
| 60650 | CVE-2013-0275 | 79 | | XSS | 2013-03-13 | 2013-03-19 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in Ganglia Web before 3.5.6 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. |