CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities (CVSS score between 9 and 10)

Columns: #, CVE ID, CWE ID, # of Exploits, Vulnerability Type(s), Publish Date, Update Date, Score, Gained Access Level, Access, Complexity, Authentication, Conf., Integ., Avail.
7151 CVE-2013-7095 2013-12-13 2018-12-10
10.0
None Remote Low Not required Complete Complete Complete
The XML parser (crm_flex_data) in SAP Customer Relationship Management (CRM) 7.02 EHP 2 has unknown impact and attack vectors related to an XML External Entity (XXE) issue.
7152 CVE-2013-6990 264 +Priv 2014-04-30 2017-08-28
9.0
Admin Remote Low Single system Complete Complete Complete
FortiGuard FortiAuthenticator before 3.0 allows remote administrators to gain privileges via the command line interface.
7153 CVE-2013-6955 264 Exec Code 2014-01-09 2014-01-10
10.0
None Remote Low Not required Complete Complete Complete
webman/imageSelector.cgi in Synology DiskStation Manager (DSM) 4.0 before 4.0-2259, 4.2 before 4.2-3243, and 4.3 before 4.3-3810 Update 1 allows remote attackers to append data to arbitrary files, and consequently execute arbitrary code, via a pathname in the SLICEUPLOAD X-TMP-FILE HTTP header.
7154 CVE-2013-6952 310 Exec Code 2014-02-22 2014-03-05
10.0
None Remote Low Not required Complete Complete Complete
The Belkin WeMo Home Automation firmware before 3949 has a hardcoded GPG key, which makes it easier for remote attackers to spoof firmware updates and execute arbitrary code via crafted signed data.
7155 CVE-2013-6949 264 2014-02-22 2014-03-05
9.3
None Remote Medium Not required Complete Complete Complete
The Belkin WeMo Home Automation firmware before 3949 does not properly use the STUN and TURN protocols, which allows remote attackers to hijack connections and possibly have unspecified other impact by leveraging access to a single WeMo device.
7156 CVE-2013-6941 2014-03-11 2014-03-11
10.0
None Remote Low Not required Complete Complete Complete
Unspecified vulnerability in Citrix NetScaler Application Delivery Controller (ADC) 9.3.x before 9.3-64.4, 10.0 before 10.0-77.5, and 10.1 before 10.1-118.7 allows users to "breakout" of the shell via unknown vectors.
7157 CVE-2013-6935 119 1 Exec Code Overflow 2013-12-04 2016-12-07
9.3
None Remote Medium Not required Complete Complete Complete
Buffer overflow in VideoCharge Software Watermark Master 2.2.23 allows remote attackers to execute arbitrary code via a long string in the SourcePath value in a .wcf file.
7158 CVE-2013-6924 77 Exec Code 2017-10-11 2017-11-03
10.0
None Remote Low Not required Complete Complete Complete
Seagate BlackArmor NAS devices with firmware sg2000-2000.1331 allow remote attackers to execute arbitrary commands via shell metacharacters in the ip parameter to backupmgt/getAlias.php.
7159 CVE-2013-6920 287 Bypass 2013-12-06 2013-12-09
10.0
None Remote Low Not required Complete Complete Complete
Siemens SINAMICS S/G controllers with firmware before 4.6.11 do not require authentication for FTP and TELNET sessions, which allows remote attackers to bypass intended access restrictions via TCP traffic to port (1) 21 or (2) 23.
7160 CVE-2013-6884 255 1 +Priv 2014-01-07 2014-02-24
10.0
None Remote Low Not required Complete Complete Complete
The write-blocker in CRU Ditto Forensic FieldStation with firmware before 2013Oct15a has a default "ditto" username and password, which allows remote attackers to gain privileges.
7161 CVE-2013-6881 78 1 Exec Code 2014-01-07 2014-02-25
10.0
None Remote Low Not required Complete Complete Complete
CRU Ditto Forensic FieldStation with firmware before 2013Oct15a allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) sector size or (2) skip count fields for the forensic imaging task.
7162 CVE-2013-6877 119 Exec Code Overflow 2013-12-19 2016-12-30
9.3
None Remote Medium Not required Complete Complete Complete
Heap-based buffer overflow in RealNetworks RealPlayer before 17.0.4.61 on Windows, and Mac RealPlayer before 12.0.1.1738, allows remote attackers to execute arbitrary code via a long string in the TRACKID element of an RMP file, a different vulnerability than CVE-2013-7260.
7163 CVE-2013-6874 119 1 Exec Code Overflow 2013-11-26 2013-11-27
9.3
None Remote Medium Not required Complete Complete Complete
Stack-based buffer overflow in Vortex Light Alloy before 4.7.4 allows remote attackers to execute arbitrary code via a long URL in a .m3u file.
7164 CVE-2013-6866 94 Exec Code 2013-11-23 2013-11-27
9.0
None Remote Low Single system Complete Complete Complete
SAP Sybase Adaptive Server Enterprise (ASE) before 15.0.3 ESD#4.3, 15.5 before 15.5 ESD#5.3, and 15.7 before 15.7 SP50 or 15.7 SP100 allows remote authenticated users to execute arbitrary code via unspecified vectors, aka CR736689.
7165 CVE-2013-6865 94 Exec Code 2013-11-23 2013-11-25
9.0
None Remote Low Single system Complete Complete Complete
SAP Sybase Adaptive Server Enterprise (ASE) 15.0.3 before 15.0.3 ESD#4.3, 15.5 before 15.5 ESD#5.3, and 15.7 before 15.7 SP50 or 15.7 SP100 allows remote authenticated users to execute arbitrary code via unspecified vectors, aka CR732989.
7166 CVE-2013-6863 264 +Priv 2013-11-23 2013-11-27
9.0
None Remote Low Single system Complete Complete Complete
SAP Sybase Adaptive Server Enterprise (ASE) 15.0.3 before 15.0.3 ESD#4.3, 15.5 before 15.5 ESD#5.3, and 15.7 before 15.7 SP50 or 15.7 SP100 allows remote authenticated users to gain privileges via unspecified vectors.
7167 CVE-2013-6838 310 +Priv 2014-01-27 2014-01-31
10.0
None Remote Low Not required Complete Complete Complete
An unspecified Enghouse Interactive Professional Services "addon product" in Enghouse Interactive IVR Pro (VIP2000) 9.0.3 (rel903), when using OpenVZ and fallback customization, uses the same SSH private key across different customers' installations, which allows remote attackers to gain privileges by leveraging knowledge of this key.
7168 CVE-2013-6822 2013-11-20 2018-12-10
10.0
None Remote Low Not required Complete Complete Complete
GRMGApp in SAP NetWeaver allows remote attackers to have unspecified impact and attack vectors, related to an XML External Entity (XXE) issue.
7169 CVE-2013-6820 Exec Code 2013-11-20 2018-12-10
9.3
None Remote Medium Not required Complete Complete Complete
Unrestricted file upload vulnerability in the SAP NetWeaver Development Infrastructure (NWDI) allows remote attackers to execute arbitrary code by uploading a file with an executable extension via unspecified vectors.
7170 CVE-2013-6810 94 Exec Code 2013-12-12 2017-09-15
10.0
None Remote Low Not required Complete Complete Complete
The server in Brocade Network Advisor before 12.1.0, as used in EMC Connectrix Manager Converged Network Edition (CMCNE), HP B-series SAN Network Advisor, and possibly other products, allows remote attackers to execute arbitrary code by using a servlet to upload an executable file.
7171 CVE-2013-6795 94 Exec Code 2013-12-24 2013-12-26
9.3
None Remote Medium Not required Complete Complete Complete
The Updater in Rackspace Openstack Windows Guest Agent for XenServer before 1.2.6.0 allows remote attackers to execute arbitrary code via a crafted serialized .NET object to TCP port 1984, which triggers the download and extraction of a ZIP file that overwrites the Agent service binary.
7172 CVE-2013-6775 264 +Priv 2014-03-31 2014-03-31
10.0
None Remote Low Not required Complete Complete Complete
The Chainfire SuperSU package before 1.69 for Android allows attackers to gain privileges via the (1) backtick or (2) $() type of shell metacharacters in the -c option to /system/xbin/su.
7173 CVE-2013-6774 +Priv 2014-03-31 2015-11-10
10.0
None Remote Low Not required Complete Complete Complete
Untrusted search path vulnerability in the ChainsDD Superuser package 3.1.3 for Android 4.2.x and earlier, CyanogenMod/ClockWorkMod/Koush Superuser package 1.0.2.1 for Android 4.2.x and earlier, and Chainfire SuperSU package before 1.69 for Android 4.2.x and earlier allows attackers to load an arbitrary .jar file and gain privileges via a crafted BOOTCLASSPATH environment variable for a /system/xbin/su process. NOTE: another researcher was unable to reproduce this with ChainsDD Superuser.
7174 CVE-2013-6771 22 Exec Code Dir. Trav. 2014-08-07 2014-08-07
9.3
None Remote Medium Not required Complete Complete Complete
Directory traversal vulnerability in the collect script in Splunk before 5.0.5 allows remote attackers to execute arbitrary commands via a .. (dot dot) in the file parameter. NOTE: this issue was SPLIT per ADT2 due to different vulnerability types. CVE-2013-7394 is for the issue in the "runshellscript echo.sh" script.
7175 CVE-2013-6769 20 +Priv 2014-03-31 2014-03-31
10.0
None Remote Low Not required Complete Complete Complete
The CyanogenMod/ClockWorkMod/Koush Superuser package 1.0.2.1 for Android allows attackers to gain privileges via shell metacharacters in the -c option to /system/xbin/su.
7176 CVE-2013-6724 Exec Code 2014-02-01 2017-08-28
9.3
None Remote Medium Not required Complete Complete Complete
Unspecified vulnerability in the vsflex8l ActiveX control in IBM SPSS SamplePower 3.0.1 before FP1 IF1 allows remote attackers to execute arbitrary code via a crafted ComboList property value.
7177 CVE-2013-6671 94 Exec Code 2013-12-11 2016-12-21
9.3
None Remote Medium Not required Complete Complete Complete
The nsGfxScrollFrameInner::IsLTR function in Mozilla Firefox before 26.0, Firefox ESR 24.x before 24.2, Thunderbird before 24.2, and SeaMonkey before 2.23 allows remote attackers to execute arbitrary code via crafted use of JavaScript code for ordered list elements.
7178 CVE-2013-6632 189 DoS Exec Code Overflow Mem. Corr. 2013-11-18 2018-12-13
9.3
None Remote Medium Not required Complete Complete Complete
Integer overflow in Google Chrome before 31.0.1650.57 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, as demonstrated during a Mobile Pwn2Own competition at PacSec 2013.
7179 CVE-2013-6618 20 1 Exec Code 2013-11-05 2017-08-28
9.0
None Remote Low Single system Complete Complete Complete
jsdm/ajax/port.php in J-Web in Juniper Junos before 10.4R13, 11.4 before 11.4R7, 12.1 before 12.1R5, 12.2 before 12.2R3, and 12.3 before 12.3R1 allows remote authenticated users to execute arbitrary commands via the rsargs parameter in an exec action.
7180 CVE-2013-6617 264 +Priv 2013-11-05 2013-11-06
10.0
None Remote Low Not required Complete Complete Complete
The salt master in Salt (aka SaltStack) 0.11.0 through 0.17.0 does not properly drop group privileges, which makes it easier for remote attackers to gain privileges.
7181 CVE-2013-6490 119 Overflow 2014-02-06 2014-03-08
10.0
None Remote Low Not required Complete Complete Complete
The SIMPLE protocol functionality in Pidgin before 2.10.8 allows remote attackers to have an unspecified impact via a negative Content-Length header, which triggers a buffer overflow.
7182 CVE-2013-6486 20 Exec Code 2014-02-06 2014-03-16
9.3
None Remote Medium Not required Complete Complete Complete
gtkutils.c in Pidgin before 2.10.8 on Windows allows user-assisted remote attackers to execute arbitrary programs via a message containing a file: URL that is improperly handled during construction of an explorer.exe command. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-3185.
7183 CVE-2013-6462 119 DoS Exec Code Overflow 2014-01-09 2017-08-28
9.3
None Remote Medium Not required Complete Complete Complete
Stack-based buffer overflow in the bdfReadCharacters function in bitmap/bdfread.c in X.Org libXfont 1.1 through 1.4.6 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string in a character name in a BDF font file.
7184 CVE-2013-6439 287 2013-12-23 2017-08-28
9.3
None Remote Medium Not required Complete Complete Complete
Candlepin in Red Hat Subscription Asset Manager 1.0 through 1.3 uses a weak authentication scheme when the configuration file does not specify a scheme, which has unspecified impact and attack vectors.
7185 CVE-2013-6345 2013-11-02 2013-11-04
10.0
None Remote Low Not required Complete Complete Complete
Unspecified vulnerability in the ZCC page in Novell ZENworks Configuration Management (ZCM) before 11.2.4 has unknown impact and attack vectors related to an "Application Exception."
7186 CVE-2013-6343 119 1 Exec Code Overflow 2014-01-22 2016-12-30
10.0
None Remote Low Not required Complete Complete Complete
Multiple buffer overflows in web.c in httpd on the ASUS RT-N56U and RT-AC66U routers with firmware 3.0.0.4.374_979 allow remote attackers to execute arbitrary code via the (1) apps_name or (2) apps_flag parameter to APP_Installation.asp.
7187 CVE-2013-6288 2013-10-28 2013-10-29
10.0
None Remote Low Not required Complete Complete Complete
Unspecified vulnerability in the Apache Solr for TYPO3 (solr) extension before 2.8.3 for TYPO3 has unknown impact and remote attack vectors, related to "Insecure Unserialize."
7188 CVE-2013-6245 Exec Code 2013-10-23 2013-11-24
10.0
None Remote Low Not required Complete Complete Complete
Unspecified vulnerability in SAP Sybase Adaptive Server Enterprise (ASE) before 15.0.3 ESD#4.3, 15.5 before 15.5 ESD#5.3, and 15.7 before 15.7 SP50 or 15.7 SP100 allows remote authenticated users to execute arbitrary code via unspecified vectors.
7189 CVE-2013-6221 22 1 Exec Code Dir. Trav. 2014-06-18 2014-07-18
10.0
None Remote Low Not required Complete Complete Complete
Directory traversal vulnerability in CommunicationServlet in HP Service Virtualization 3.x before 3.50.1, when the AutoPass license server is enabled, allows remote attackers to create arbitrary files and consequently execute arbitrary code via unspecified vectors, aka ZDI-CAN-2031.
7190 CVE-2013-6218 Exec Code 2014-04-19 2014-04-21
10.0
None Remote Low Not required Complete Complete Complete
Unspecified vulnerability in HP Network Node Manager i (NNMi) 9.0x, 9.1x, and 9.2x allows remote attackers to execute arbitrary code via unknown vectors.
7191 CVE-2013-6213 Exec Code 2014-04-19 2014-04-21
10.0
None Remote Low Not required Complete Complete Complete
Unspecified vulnerability in Virtual User Generator in HP LoadRunner before 11.52 Patch 1 allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-1833.
7192 CVE-2013-6207 DoS 2014-03-11 2017-06-30
9.4
None Remote Low Not required Complete None Complete
Unspecified vulnerability in the loadFileContents function in the SOAP implementation in HP SiteScope 10.1x, 11.1x, and 11.21 allows remote attackers to read arbitrary files or cause a denial of service via unknown vectors, aka ZDI-CAN-2084.
7193 CVE-2013-6206 DoS +Info 2014-03-14 2014-03-14
9.0
None Remote Low Not required Complete Partial Partial
Unspecified vulnerability in HP Rapid Deployment Pack (RDP) and Insight Control Server Deployment allows remote attackers to obtain sensitive information, modify data, or cause a denial of service via unknown vectors.
7194 CVE-2013-6195 DoS Exec Code 2014-01-03 2014-02-25
10.0
None Remote Low Not required Complete Complete Complete
Unspecified vulnerability in HP Storage Data Protector 6.2X allows remote attackers to execute arbitrary code or cause a denial of service via unknown vectors, aka ZDI-CAN-2008.
7195 CVE-2013-6194 1 DoS Exec Code 2014-01-03 2016-04-06
10.0
None Remote Low Not required Complete Complete Complete
Unspecified vulnerability in HP Storage Data Protector 6.2X allows remote attackers to execute arbitrary code or cause a denial of service via unknown vectors, aka ZDI-CAN-1905.
7196 CVE-2013-6189 Exec Code 2013-12-28 2016-11-18
10.0
None Remote Low Not required Complete Complete Complete
Unspecified vulnerability in the Archive Query Server in HP Application Information Optimizer (formerly HP Database Archiving) 6.2, 6.3, 6.4, and 7.0 allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-1666.
7197 CVE-2013-6040 2 Exec Code 2014-01-20 2015-08-07
9.3
None Remote Medium Not required Complete Complete Complete
Multiple unspecified vulnerabilities in the MW6 Aztec, DataMatrix, and MaxiCode ActiveX controls allow remote attackers to execute arbitrary code via a crafted HTML document.
7198 CVE-2013-6035 287 Exec Code 2014-02-04 2014-02-04
10.0
None Remote Low Not required Complete Complete Complete
The firmware on GateHouse; Harris BGAN RF-7800B-VU204 and BGAN RF-7800B-DU204; Hughes Network Systems 9201, 9450, and 9502; Inmarsat; Japan Radio JUE-250 and JUE-500; and Thuraya IP satellite terminals does not require authentication for sessions on TCP port 1827, which allows remote attackers to execute arbitrary code via unspecified protocol operations.
7199 CVE-2013-6034 255 2014-02-04 2014-02-04
10.0
None Remote Low Not required Complete Complete Complete
The firmware on GateHouse; Harris BGAN RF-7800B-VU204 and BGAN RF-7800B-DU204; Hughes Network Systems 9201, 9450, and 9502; Inmarsat; Japan Radio JUE-250 and JUE-500; and Thuraya IP satellite terminals has hardcoded credentials, which makes it easier for attackers to obtain unspecified login access via unknown vectors.
7200 CVE-2013-6032 20 2014-02-04 2014-02-04
10.0
None Remote Low Not required Complete Complete Complete
cgi-bin/postpf/cgi-bin/dynamic/config/config.html on Lexmark X94x before LC.BR.P142, X85x through LC4.BE.P487, X644 and X646 before LC2.MC.P374, X642 through LC2.MB.P318, W840 through LS.HA.P252, T64x before LS.ST.P344, X64xef through LC2.TI.P325, C935dn through LC.JO.P091, C920 through LS.TA.P152, C78x through LC.IO.P187, X78x through LC2.IO.P335, C77x through LC.CM.P052, X772 through LC2.TR.P291, C53x through LS.SW.P069, C52x through LS.FA.P150, 25xxN through LCL.CU.P114, N4000 through LC.MD.P119, N4050e through GO.GO.N206, N70xxe through LC.CO.N309, E450 through LM.SZ.P124, E350 through LE.PH.P129, and E250 through LE.PM.P126 printers allows remote attackers to remove the Password Protect administrative password via the vac.255.GENPASSWORD parameter.
CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.