CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 6 and 6.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
9101 CVE-2013-4050 352 CSRF 2013-11-07 2017-08-28
6.0
None Remote Medium Single system Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in webadmin.nsf in Domino Web Administrator in IBM Domino 8.5 and 9.0 allows remote authenticated users to hijack the authentication of unspecified victims via unknown vectors.
9102 CVE-2013-4041 2013-11-24 2017-08-28
6.8
None Remote Medium Not required Partial Partial Partial
Unspecified vulnerability in IBM Java SDK 5.0.0 before SR16 FP4, 7.0.0 before SR6, 6.0.1 before SR7, and 6.0.0 before SR15 allows remote attackers to access restricted classes via unspecified vectors.
9103 CVE-2013-4027 264 Bypass 2013-10-01 2017-08-28
6.5
None Remote Low Single system Partial Partial Partial
IBM Maximo Asset Management 6.2 through 6.2.8, 7.1 through 7.1.1.12, and 7.5 before 7.5.0.5 allows remote authenticated users to bypass intended access restrictions via unspecified vectors.
9104 CVE-2013-4021 File Inclusion 2013-10-01 2017-08-28
6.5
None Remote Low Single system Partial Partial Partial
IBM Maximo Asset Management 6.2 through 6.2.8, 7.1 before 7.1.1.12, and 7.5 before 7.5.0.5 allows remote authenticated users to conduct unspecified file-inclusion attacks via unknown vectors.
9105 CVE-2013-4018 +Info 2013-10-01 2017-08-28
6.0
None Remote Medium Single system Partial Partial Partial
IBM Maximo Asset Management 6.2 through 6.2.8, 7.1 before 7.1.1.12, and 7.5 before 7.5.0.5 allows remote authenticated users to obtain sensitive information via unspecified vectors.
9106 CVE-2013-4017 89 Exec Code Sql 2013-10-01 2017-08-28
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in IBM Maximo Asset Management 7.1 before 7.1.1.12 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
9107 CVE-2013-4016 89 Exec Code Sql 2014-05-26 2017-08-28
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in IBM Maximo Asset Management 7.x before 7.1.1.7 LAFIX.20140319-0837, 7.1.1.11 before IFIX.20140323-0749, 7.1.1.12 before IFIX.20140321-1336, 7.5.x before 7.5.0.3 IFIX027, 7.5.0.4 before IFIX011, and 7.5.0.5 before IFIX006; SmartCloud Control Desk 7.x before 7.5.0.3 and 7.5.1.x before 7.5.1.2; and Tivoli IT Asset Management for IT, Tivoli Service Request Manager, Maximo Service Desk, and Change and Configuration Management Database (CCMDB) 7.x before 7.1.1.7 LAFIX.20140319-0837, 7.1.1.11 before IFIX.20140207-1801, and 7.1.1.12 before IFIX.20140218-1510 allows remote authenticated users to execute arbitrary SQL commands via a Birt report with a WHERE clause in plain text.
9108 CVE-2013-4015 264 Exec Code +Priv Bypass 2013-07-26 2018-10-12
6.9
None Local Medium Not required Complete Complete Complete
Microsoft Internet Explorer 6 through 10 allows local users to bypass the elevation policy check in the (1) Protected Mode or (2) Enhanced Protected Mode protection mechanism, and consequently gain privileges, by leveraging the ability to execute sandboxed code.
9109 CVE-2013-4000 352 CSRF 2013-12-14 2017-08-28
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in IBM Cognos Command Center before 10.2 allow remote attackers to hijack the authentication of administrators for requests that (1) start or (2) stop services.
9110 CVE-2013-3992 352 CSRF 2013-08-06 2017-08-28
6.0
None Remote Medium Single system Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in IBM InfoSphere BigInsights 2.0 through 2.1 allows remote authenticated users to hijack the authentication of unspecified victims via unknown vectors.
9111 CVE-2013-3988 20 2014-02-14 2017-08-28
6.8
None Remote Medium Not required Partial Partial Partial
The Meeting Server in IBM Sametime 8.5.2 through 8.5.2.1 and 9.x through 9.0.0.1 allows remote attackers to conduct clickjacking attacks via unspecified vectors.
9112 CVE-2013-3973 89 Exec Code Sql 2013-10-01 2017-08-28
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in IBM Maximo Asset Management 7.1 before 7.1.1.12 and 7.5 before 7.5.0.5 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.
9113 CVE-2013-3969 399 DoS Exec Code 2013-10-01 2013-10-02
6.5
None Remote Low Single system Partial Partial Partial
The find prototype in scripting/engine_v8.h in MongoDB 2.4.0 through 2.4.4 allows remote authenticated users to cause a denial of service (uninitialized pointer dereference and server crash) or possibly execute arbitrary code via an invalid RefDB object.
9114 CVE-2013-3963 352 CSRF 2013-10-01 2013-10-02
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in goform/usermanage in Grandstream GXV3501, GXV3504, GXV3601, GXV3601HD/LL, GXV3611HD/LL, GXV3615W/P, GXV3651FHD, GXV3662HD, GXV3615WP_HD, GXV3500, and possibly other camera models allows remote attackers to hijack the authentication of unspecified victims for requests that add users.
9115 CVE-2013-3961 89 1 Exec Code Sql 2014-03-11 2017-08-28
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in edit_event.php in Simple PHP Agenda before 2.2.9 allows remote authenticated users to execute arbitrary SQL commands via the eventid parameter.
9116 CVE-2013-3955 20 DoS Mem. Corr. 2013-06-05 2013-10-10
6.2
None Local High Not required Complete Complete Complete
The get_xattrinfo function in the XNU kernel in Apple iOS 5.x and 6.x through 6.1.3 on iPad devices does not properly validate the header of an AppleDouble file, which might allow local users to cause a denial of service (memory corruption) or have unspecified other impact via an invalid file on an msdosfs filesystem.
9117 CVE-2013-3954 20 DoS +Info 2013-06-05 2013-10-30
6.9
None Local Medium Not required Complete Complete Complete
The posix_spawn system call in the XNU kernel in Apple Mac OS X 10.8.x does not properly validate the data for file actions and port actions, which allows local users to (1) cause a denial of service (panic) via a size value that is inconsistent with a header count field, or (2) obtain sensitive information from kernel heap memory via a certain size value in conjunction with a crafted buffer.
9118 CVE-2013-3895 264 2013-10-09 2018-10-12
6.8
None Remote Medium Not required Partial Partial Partial
Microsoft SharePoint Server 2007 SP3 and 2010 SP1 and SP2 allows remote attackers to conduct clickjacking attacks via a crafted web page, aka "Parameter Injection Vulnerability."
9119 CVE-2013-3878 119 Overflow +Priv 2013-12-10 2018-10-12
6.9
None Local Medium Not required Complete Complete Complete
Stack-based buffer overflow in the LRPC client in Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 allows local users to gain privileges by operating an LRPC server that sends a crafted LPC port message, aka "LRPC Client Buffer Overrun Vulnerability."
9120 CVE-2013-3862 399 +Priv 2013-09-11 2018-10-12
6.9
None Local Medium Not required Complete Complete Complete
Double free vulnerability in Microsoft Windows 7 and Server 2008 R2 SP1 allows local users to gain privileges via a crafted service description that is not properly handled by services.exe in the Service Control Manager (SCM), aka "Service Control Manager Double Free Vulnerability."
9121 CVE-2013-3859 264 +Priv 2013-09-11 2018-10-12
6.9
None Local Medium Not required Complete Complete Complete
Microsoft Pinyin IME 2010, when used in conjunction with Microsoft Office 2010 SP1, does not properly restrict configuration options, which allows local users to gain privileges by starting Internet Explorer from the IME toolbar, aka "Chinese IME Vulnerability."
9122 CVE-2013-3843 119 DoS Exec Code Overflow 2014-06-13 2017-08-28
6.8
None Remote Medium Not required Partial Partial Partial
Stack-based buffer overflow in the mk_request_header_process function in mk_request.c in Monkey HTTP Daemon (monkeyd) before 1.2.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted HTTP header.
9123 CVE-2013-3829 2013-10-16 2018-01-04
6.4
None Remote Low Not required Partial Partial None
Unspecified vulnerability in the Java SE, Java SE Embedded component in Oracle Java SE Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality and integrity via unknown vectors related to Libraries.
9124 CVE-2013-3821 2013-07-17 2017-08-28
6.4
None Remote Low Not required Partial None Partial
Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.51, 8.52, and 8.53 allows remote attackers to affect confidentiality and availability via unknown vectors related to Integration Broker.
9125 CVE-2013-3819 2013-07-17 2017-08-28
6.4
None Remote Low Not required Partial None Partial
Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.51, 8.52, and 8.53 allows remote attackers to affect confidentiality and availability via unknown vectors related to Mobile Applications.
9126 CVE-2013-3800 2013-07-17 2017-08-28
6.4
None Remote Low Not required Partial Partial None
Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.51, 8.52, and 8.53 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Business Interlinks.
9127 CVE-2013-3789 2013-07-17 2017-08-28
6.5
None Remote Low Single system Partial Partial Partial
Unspecified vulnerability in the Core RDBMS component in Oracle Database Server 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, and 11.2.0.3 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors.
9128 CVE-2013-3786 2013-07-17 2017-09-18
6.0
None Local High Single system Complete Complete Complete
Unspecified vulnerability in Oracle Solaris 9, 10, and 11 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Kernel.
9129 CVE-2013-3781 2013-07-17 2018-10-12
6.8
None Remote Medium Not required Partial Partial Partial
Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.7, 8.4.0, and 8.4.1 allows context-dependent attackers to affect availability via unknown vectors related to Outside In Filters, a different vulnerability than CVE-2013-3776.
9130 CVE-2013-3776 2013-07-17 2018-10-12
6.8
None Remote Medium Not required Partial Partial Partial
Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.7, 8.4.0, and 8.4.1 allows context-dependent attackers to affect availability via unknown vectors related to Outside In Filters, a different vulnerability than CVE-2013-3781.
9131 CVE-2013-3757 2013-07-17 2017-09-18
6.4
None Remote Low Not required None Partial Partial
Unspecified vulnerability in Oracle Solaris 8, 9, 10, and 11 allows remote attackers to affect integrity and availability via vectors related to SMF/File Locking Services.
9132 CVE-2013-3734 255 +Info 2017-10-24 2017-11-17
6.0
None Remote Medium Single system Partial Partial Partial
** DISPUTED ** The Embedded Jopr component in JBoss Application Server includes the cleartext datasource password in unspecified HTML responses, which might allow (1) man-in-the-middle attackers to obtain sensitive information by leveraging failure to use SSL or (2) attackers to obtain sensitive information by reading the HTML source code. NOTE: the vendor says that this does not cross a trust boundary and that it is recommended best-practice that SSL is configured for the administrative console.
9133 CVE-2013-3729 352 Sql CSRF 2014-03-13 2014-03-13
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in Kasseler CMS before 2 r1232 allow remote attackers to hijack the authentication of administrators for requests that conduct SQL injection attacks via the (1) groups[] parameter in a send action in the sendmail module or (2) query parameter in a sql_query action in the database module to admin.php, related to CVE-2013-3727.
9134 CVE-2013-3694 352 CSRF 2013-11-17 2013-11-19
6.8
None Remote Medium Not required Partial Partial Partial
BlackBerry Link before 1.2.1.31 on Windows and before 1.1.1 build 39 on Mac OS X does not require authentication for remote file-access folders, which allows remote attackers to read or create arbitrary files via IPv6 WebDAV requests, as demonstrated by a CSRF attack involving DNS rebinding.
9135 CVE-2013-3692 264 Bypass 2013-07-13 2017-08-28
6.2
None Local High Not required Complete Complete Complete
BlackBerry 10 OS before 10.0.10.648 on BlackBerry Z10 smartphones uses weak permissions for a BlackBerry Protect object, which allows physically proximate attackers to bypass intended access restrictions by leveraging a user's BlackBerry Protect password-reset request and a user's installation of a crafted application.
9136 CVE-2013-3690 352 CSRF 2013-10-01 2013-10-02
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in cgi-bin/users.cgi in Brickcom FB-100Ap, WCB-100Ap, MD-100Ap, WFB-100Ap, OB-100Ae, OSD-040E, and possibly other camera models with firmware 3.1.0.8 and earlier, allows remote attackers to hijack the authentication of administrators for requests that add users.
9137 CVE-2013-3667 20 2013-12-31 2018-08-13
6.4
None Remote Low Not required None Partial Partial
The software update mechanism as used in Bare Bones Software Yojimbo before 4.0, TextWrangler before 4.5.3, and BBEdit before 10.5.5 does not properly download and verify updates before installation, which allows attackers to perform "tampering or corruption" of the updates.
9138 CVE-2013-3665 Exec Code 2013-07-18 2013-07-29
6.8
None Remote Medium Not required Partial Partial Partial
Unspecified vulnerability in Autodesk AutoCAD through 2014, AutoCAD LT through 2014, and DWG TrueView through 2014 allows remote attackers to execute arbitrary code via a crafted DWG file.
9139 CVE-2013-3660 119 1 Overflow +Priv 2013-05-24 2018-10-12
6.9
None Local Medium Not required Complete Complete Complete
The EPATHOBJ::pprFlattenRec function in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, and Windows Server 2012 does not properly initialize a pointer for the next object in a certain list, which allows local users to obtain write access to the PATHRECORD chain, and consequently gain privileges, by triggering excessive consumption of paged memory and then making many FlattenPath function calls, aka "Win32k Read AV Vulnerability."
9140 CVE-2013-3647 200 Exec Code +Info 2013-06-18 2015-11-10
6.8
None Remote Medium Not required Partial Partial Partial
The WebView class in the Cybozu Live application before 2.0.1 for Android allows attackers to execute arbitrary JavaScript code, and obtain sensitive information, via a crafted application that places this code into a local file associated with a file: URL. NOTE: this vulnerability exists because of a CVE-2012-4009 regression.
9141 CVE-2013-3646 17 Exec Code +Info 2013-06-18 2015-11-10
6.8
None Remote Medium Not required Partial Partial Partial
The Cybozu Live application before 2.0.1 for Android allows remote attackers to execute arbitrary Java methods, and obtain sensitive information or execute arbitrary commands, via a crafted web site. NOTE: this vulnerability exists because of a CVE-2012-4008 regression.
9142 CVE-2013-3631 94 Exec Code 2013-11-02 2013-11-05
6.0
None Remote Medium Single system Partial Partial Partial
NAS4Free 9.1.0.1.804 and earlier allows remote authenticated users to execute arbitrary PHP code via a request to exec.php, aka the "Advanced | Execute Command" feature. NOTE: this issue might not be a vulnerability, since it appears to be part of legitimate, intentionally-exposed functionality by the developer and is allowed within the intended security policy.
9143 CVE-2013-3611 264 Bypass 2013-09-24 2013-09-24
6.0
None Remote Medium Single system Partial Partial Partial
NETELLER Direct Payment API 4.1.6 allows remote authenticated users to bypass intended payment requirements via a modified (1) amount, (2) merchant_id, (3) merch_key, or (4) secure_id parameter.
9144 CVE-2013-3610 287 2013-10-05 2013-10-07
6.1
None Local Network Low Not required Complete None None
qis/QIS_finish.htm on the ASUS RT-N10E router with firmware before 2.0.0.25 does not require authentication, which allows remote attackers to discover the administrator password via a direct request.
9145 CVE-2013-3605 352 CSRF 2013-09-06 2013-09-06
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in Coursemill Learning Management System (LMS) 6.6 allows remote attackers to hijack the authentication of arbitrary users via vectors related to cookies.
9146 CVE-2013-3601 264 2013-09-06 2013-09-30
6.0
None Remote Medium Single system Partial Partial Partial
Coursemill Learning Management System (LMS) 6.6 does not properly restrict JSP function calls, which allows remote authenticated users to perform arbitrary JSP operations by leveraging the Student role and providing an op parameter.
9147 CVE-2013-3595 20 DoS 2014-01-19 2017-08-28
6.8
None Remote Low Single system None None Complete
The OpenManage web application 2.5 build 1.19 on Dell PowerConnect 3348 1.2.1.3, 3524p 2.0.0.48, and 5324 2.0.1.4 switches allows remote authenticated users to cause a denial of service (device reset) via a direct request to an unspecified OSPF URL.
9148 CVE-2013-3590 Exec Code 2013-08-28 2013-10-07
6.8
None Remote Medium Not required Partial Partial Partial
Unrestricted file upload vulnerability in admin/uploadImage.html in SearchBlox before 7.5 build 1 allows remote attackers to execute arbitrary code by uploading an executable file with the image/jpeg content type, and then accessing this file via unspecified vectors, as demonstrated by access to a JSP file.
9149 CVE-2013-3583 352 CSRF 2013-08-28 2013-08-29
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in saveProperties.html in Corporater EPM Suite allows remote attackers to hijack the authentication of arbitrary users for requests that change passwords.
9150 CVE-2013-3540 352 CSRF 2013-10-04 2013-10-07
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in cgi-bin/admin/usrgrp.cgi in AirLive POE2600HD, POE250HD, POE200HD, OD-325HD, OD-2025HD, OD-2060HD, POE100HD, and possibly other camera models allows remote attackers to hijack the authentication of administrators for requests that add users.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.