| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
9751 |
CVE-2013-6425 |
189 |
|
DoS |
2014-01-18 |
2014-03-05 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Integer underflow in the pixman_trapezoid_valid macro in pixman.h in Pixman before 0.32.0, as used in X.Org server and cairo, allows context-dependent attackers to cause a denial of service (crash) via a negative bottom value. |
|
9752 |
CVE-2013-6424 |
189 |
|
DoS |
2014-01-18 |
2017-10-30 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Integer underflow in the xTrapezoidValid macro in render/picture.h in X.Org allows context-dependent attackers to cause a denial of service (crash) via a negative bottom value. |
|
9753 |
CVE-2013-6419 |
200 |
|
+Info |
2014-01-07 |
2014-03-08 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Interaction error in OpenStack Nova and Neutron before Havana 2013.2.1 and icehouse-1 does not validate the instance ID of the tenant making a request, which allows remote tenants to obtain sensitive metadata by spoofing the device ID that is bound to a port, which is not properly handled by (1) api/metadata/handler.py in Nova and (2) the neutron-metadata-agent (agent/metadata/agent.py) in Neutron. |
|
9754 |
CVE-2013-6418 |
20 |
|
|
2014-05-05 |
2016-11-28 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
PyWBEM 0.7 and earlier uses a separate connection to validate X.509 certificates, which allows man-in-the-middle attackers to spoof a peer via an arbitrary certificate. |
|
9755 |
CVE-2013-6414 |
20 |
|
DoS |
2013-12-06 |
2017-12-08 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
actionpack/lib/action_view/lookup_context.rb in Action View in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to cause a denial of service (memory consumption) via a header containing an invalid MIME type that leads to excessive caching. |
|
9756 |
CVE-2013-6413 |
399 |
|
DoS |
2014-05-19 |
2014-05-19 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Use-after-free vulnerability in UnrealIRCd 3.2.10 before 3.2.10.2 allows remote attackers to cause a denial of service (crash) via unspecified vectors. NOTE: this identifier was SPLIT per ADT2 due to different vulnerability types. CVE-2013-7384 was assigned for the NULL pointer dereference. |
|
9757 |
CVE-2013-6411 |
119 |
|
DoS Overflow |
2013-12-14 |
2017-08-28 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The HandleCrashedAircraft function in aircraft_cmd.cpp in OpenTTD 0.3.6 through 1.3.2 allows remote attackers to cause a denial of service (out-of-bounds read and crash) by crashing an aircraft outside of the map. |
|
9758 |
CVE-2013-6401 |
310 |
|
DoS |
2014-03-20 |
2014-05-23 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Jansson, possibly 2.4 and earlier, does not restrict the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted JSON document. |
|
9759 |
CVE-2013-6396 |
310 |
|
+Info |
2014-02-18 |
2014-02-20 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
The OpenStack Python client library for Swift (python-swiftclient) 1.0 through 1.9.0 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
|
9760 |
CVE-2013-6391 |
264 |
|
+Priv |
2013-12-14 |
2017-08-28 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
The ec2tokens API in OpenStack Identity (Keystone) before Havana 2013.2.1 and Icehouse before icehouse-2 does not return a trust-scoped token when one is received, which allows remote trust users to gain privileges by generating EC2 credentials from a trust-scoped token and using them in an ec2tokens API request. |
|
9761 |
CVE-2013-6389 |
20 |
|
|
2013-12-07 |
2014-01-03 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Open redirect vulnerability in the Overlay module in Drupal 7.x before 7.24 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. |
|
9762 |
CVE-2013-6385 |
94 |
|
Exec Code CSRF |
2013-12-07 |
2014-01-13 |
5.1 |
None |
Remote |
High |
Not required |
Partial |
Partial |
Partial |
|
The form API in Drupal 6.x before 6.29 and 7.x before 7.24, when used with unspecified third-party modules, performs form validation even when CSRF validation has failed, which might allow remote attackers to trigger application-specific impacts such as arbitrary code execution via application-specific vectors. |
|
9763 |
CVE-2013-6376 |
189 |
|
DoS |
2013-12-14 |
2014-03-16 |
5.2 |
None |
Local Network |
Medium |
Single system |
None |
None |
Complete |
|
The recalculate_apic_map function in arch/x86/kvm/lapic.c in the KVM subsystem in the Linux kernel through 3.12.5 allows guest OS users to cause a denial of service (host OS crash) via a crafted ICR write operation in x2apic mode. |
|
9764 |
CVE-2013-6373 |
264 |
|
|
2013-11-25 |
2016-07-15 |
5.5 |
None |
Remote |
Low |
Single system |
Partial |
None |
Partial |
|
The Exclusion plugin before 0.9 for Jenkins does not properly prevent access to resource locks, which allows remote authenticated users to list and release resources via unspecified vectors. |
|
9765 |
CVE-2013-6371 |
310 |
|
DoS |
2014-04-22 |
2017-08-28 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The hash functionality in json-c before 0.12 allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted JSON data, involving collisions. |
|
9766 |
CVE-2013-6370 |
119 |
|
DoS Overflow |
2014-04-22 |
2017-08-28 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Buffer overflow in the printbuf APIs in json-c before 0.12 allows remote attackers to cause a denial of service via unspecified vectors. |
|
9767 |
CVE-2013-6367 |
189 |
|
DoS |
2013-12-14 |
2018-01-08 |
5.7 |
None |
Local Network |
Medium |
Not required |
None |
None |
Complete |
|
The apic_get_tmcct function in arch/x86/kvm/lapic.c in the KVM subsystem in the Linux kernel through 3.12.5 allows guest OS users to cause a denial of service (divide-by-zero error and host OS crash) via crafted modifications of the TMICT value. |
|
9768 |
CVE-2013-6312 |
|
|
|
2013-11-22 |
2017-08-28 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Unspecified vulnerability in IBM Rational Service Tester 8.3.x and 8.5.x before 8.5.1 and Rational Performance Tester 8.3.x and 8.5.x before 8.5.1 allows remote attackers to read arbitrary files via unknown vectors. |
|
9769 |
CVE-2013-6285 |
200 |
|
+Info |
2013-10-27 |
2013-11-21 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The search component in the Treasurer application in Tyler Technologies TaxWeb 3.13.3.1 allows remote attackers to obtain sensitive query-structure information via an invalid search request, a different vulnerability than CVE-2013-6020. |
|
9770 |
CVE-2013-6246 |
264 |
|
Bypass +Info |
2013-10-23 |
2013-10-24 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The Dell Quest One Password Manager, possibly 5.0, allows remote attackers to bypass CAPTCHA protections and obtain sensitive information (user's full name) by sending a login request with a valid domain and username but without the CaptchaType, UseCaptchaEveryTime, and CaptchaResponse parameters. |
|
9771 |
CVE-2013-6244 |
|
|
|
2013-10-23 |
2013-10-30 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The Live Update webdynpro application (webdynpro/dispatcher/sap.com/tc~slm~ui_lup/LUP) in SAP NetWeaver 7.31 and earlier allows remote attackers to read arbitrary files and directories via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. |
|
9772 |
CVE-2013-6197 |
|
|
Exec Code |
2013-12-28 |
2017-08-28 |
5.2 |
None |
Local Network |
Low |
Single system |
Partial |
Partial |
Partial |
|
Unspecified vulnerability in HP Service Manager WebTier and Windows Client 9.20 and 9.21 before 9.21.661 p8 allows remote authenticated users to execute arbitrary code via unknown vectors. |
|
9773 |
CVE-2013-6193 |
|
|
DoS |
2013-12-17 |
2014-01-07 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Unspecified vulnerability on HP LaserJet M1522n and M2727; LaserJet Pro 100, 300, 400, CM1415fnw, CP1*, M121*, M1536dnf, and P1*; Color LaserJet CM* and CP*; and TopShot LaserJet Pro M275 printers allows remote attackers to cause a denial of service via unknown vectors. |
|
9774 |
CVE-2013-6174 |
20 |
|
|
2013-11-20 |
2015-07-22 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Multiple open redirect vulnerabilities in xAdmin in EMC Document Sciences xPression 4.1 SP1 before Patch 47, 4.2 before Patch 26, and 4.5 before Patch 05, as used in Documentum Edition, Enterprise Edition Publish Engine, and Enterprise Edition Compuset Engine, allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified parameters. |
|
9775 |
CVE-2013-6171 |
287 |
|
Bypass |
2013-12-09 |
2018-03-15 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
checkpassword-reply in Dovecot before 2.2.7 performs setuid operations to a user who is authenticating, which allows local users to bypass authentication and access virtual email accounts by attaching to the process and using a restricted file descriptor to modify account information in the response to the dovecot-auth server. |
|
9776 |
CVE-2013-6143 |
399 |
|
DoS |
2014-01-31 |
2014-02-10 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The Schneider Electric Telvent SAGE 3030 RTU with firmware C3413-500-001D3_P4 and C3413-500-001F0_PB allows remote attackers to cause a denial of service (temporary outage and CPU consumption) via malformed DNP3 traffic. |
|
9777 |
CVE-2013-6141 |
|
|
|
2014-01-29 |
2014-02-21 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Unspecified vulnerability in op5 Monitor before 6.1.3 allows attackers to read arbitrary files via unknown vectors related to lack of authorization. |
|
9778 |
CVE-2013-6128 |
264 |
1
|
Dir. Trav. |
2013-10-25 |
2013-10-28 |
5.8 |
None |
Remote |
Medium |
Not required |
None |
Partial |
Partial |
|
The KCHARTXYLib.KChartXY ActiveX control in KChartXY.ocx before 65.30.30000.10002 in WellinTech KingView before 6.53 does not properly restrict SaveToFile method calls, which allows remote attackers to create or overwrite arbitrary files, and subsequently execute arbitrary programs, via the single pathname argument, as demonstrated by a directory traversal attack. |
|
9779 |
CVE-2013-6127 |
22 |
1
|
Dir. Trav. |
2013-10-25 |
2013-10-28 |
5.8 |
None |
Remote |
Medium |
Not required |
None |
Partial |
Partial |
|
The SUPERGRIDLib.SuperGrid ActiveX control in SuperGrid.ocx before 65.30.30000.10002 in WellinTech KingView before 6.53 does not properly restrict ReplaceDBFile method calls, which allows remote attackers to create or overwrite arbitrary files, and subsequently execute arbitrary programs, via the two pathname arguments, as demonstrated by a directory traversal attack. |
|
9780 |
CVE-2013-6114 |
190 |
1
|
DoS Overflow |
2013-11-04 |
2016-09-30 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Integer overflow in the OZDocument::parseElement function in Apple Motion 5.0.7 allows remote attackers to cause a denial of service (application crash) via a (1) large or (2) small value in the subview attribute of a viewer element in a .motn file. |
|
9781 |
CVE-2013-6078 |
310 |
|
|
2014-06-17 |
2014-06-19 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
The default configuration of EMC RSA BSAFE Toolkits and RSA Data Protection Manager (DPM) 20130918 uses the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm, which makes it easier for context-dependent attackers to defeat cryptographic protection mechanisms by leveraging unspecified "security concerns," aka the ESA-2013-068 issue. NOTE: this issue has been SPLIT from CVE-2007-6755 because the vendor announcement did not state a specific technical rationale for a change in the algorithm; thus, CVE cannot reach a conclusion that a CVE-2007-6755 concern was the reason, or one of the reasons, for this change. |
|
9782 |
CVE-2013-6077 |
264 |
|
Bypass |
2013-11-05 |
2013-11-06 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Citrix XenDesktop 7.0, when upgraded from XenDesktop 5.x, does not properly enforce policy rule permissions, which allows remote attackers to bypass intended restrictions. |
|
9783 |
CVE-2013-6076 |
|
|
DoS |
2013-11-02 |
2013-11-21 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
strongSwan 5.0.2 through 5.1.0 allows remote attackers to cause a denial of service (NULL pointer dereference and charon daemon crash) via a crafted IKEv1 fragmentation packet. |
|
9784 |
CVE-2013-6075 |
119 |
|
DoS Overflow Bypass |
2013-11-02 |
2013-11-21 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The compare_dn function in utils/identification.c in strongSwan 4.3.3 through 5.1.1 allows (1) remote attackers to cause a denial of service (out-of-bounds read, NULL pointer dereference, and daemon crash) or (2) remote authenticated users to impersonate arbitrary users and bypass access restrictions via a crafted ID_DER_ASN1_DN ID, related to an "insufficient length check" during identity comparison. |
|
9785 |
CVE-2013-6053 |
20 |
|
+Info |
2014-04-27 |
2014-04-28 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
OpenJPEG 1.5.1 allows remote attackers to obtain sensitive information via unspecified vectors that trigger a heap-based out-of-bounds read. |
|
9786 |
CVE-2013-6052 |
200 |
|
+Info |
2013-12-12 |
2014-01-27 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
OpenJPEG 1.3 and earlier allows remote attackers to obtain sensitive information via unspecified vectors. |
|
9787 |
CVE-2013-6048 |
20 |
|
DoS |
2013-12-13 |
2014-03-05 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The get_group_tree function in lib/Munin/Master/HTMLConfig.pm in Munin before 2.0.18 allows remote nodes to cause a denial of service (infinite loop and memory consumption in the munin-html process) via crafted multigraph data. |
|
9788 |
CVE-2013-6043 |
200 |
|
+Info |
2014-12-27 |
2018-08-13 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The login function in Softaculous Webuzo before 2.1.4 provides different error messages for invalid authentication attempts depending on whether the user account exists, which allows remote attackers to enumerate usernames via a series of requests. |
|
9789 |
CVE-2013-6030 |
22 |
|
Dir. Trav. |
2014-01-23 |
2016-12-30 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Directory traversal vulnerability on the Emerson Network Power Avocent MergePoint Unity 2016 (aka MPU2016) KVM switch with firmware 1.9.16473 allows remote attackers to read arbitrary files via unspecified vectors, as demonstrated by reading the /etc/passwd file. |
|
9790 |
CVE-2013-6020 |
200 |
|
+Info |
2013-10-27 |
2013-11-21 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
passwordRequestPOST.jsp in Tyler Technologies TaxWeb 3.13.3.1 sends different HTTP status codes for invalid password-recovery requests depending on whether the user account exists, which allows remote attackers to enumerate account names via a series of requests to the (1) Assessor, (2) Recorder, or (3) Treasurer application. |
|
9791 |
CVE-2013-6006 |
287 |
|
Bypass |
2013-12-27 |
2013-12-30 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Cybozu Garoon 3.5 through 3.7 SP2 allows remote attackers to bypass Keitai authentication via a modified user ID in a request. |
|
9792 |
CVE-2013-6002 |
399 |
|
DoS |
2013-12-05 |
2014-01-03 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The server in Cybozu Garoon before 3.7 SP1 allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors. |
|
9793 |
CVE-2013-6000 |
22 |
|
Dir. Trav. |
2013-12-05 |
2014-02-25 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Directory traversal vulnerability in Tattyan HP TOWN before 5_10_1 allows remote attackers to read arbitrary files via a .. (dot dot) in a request. |
|
9794 |
CVE-2013-5999 |
310 |
|
+Info |
2013-11-22 |
2014-03-05 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Kingsoft KDrive Personal before 1.21.0.1880 on Windows does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
|
9795 |
CVE-2013-5995 |
200 |
|
+Info |
2013-11-20 |
2013-11-21 |
5.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
None |
|
data/class/helper/SC_Helper_Address.php in the front-features implementation in LOCKON EC-CUBE 2.12.3 through 2.13.0 allows remote authenticated users to obtain sensitive information via unspecified vectors related to addresses. |
|
9796 |
CVE-2013-5994 |
200 |
|
+Info |
2013-11-20 |
2013-11-21 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
data/class/pages/mypage/LC_Page_Mypage_DeliveryAddr.php in LOCKON EC-CUBE 2.11.2 through 2.13.0 allows remote attackers to obtain sensitive information via a direct request, which reveals the full path in an error message. |
|
9797 |
CVE-2013-5979 |
22 |
|
Dir. Trav. |
2013-10-02 |
2018-08-13 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Directory traversal vulnerability in Spring Signage Xibo 1.2.x before 1.2.3 and 1.4.x before 1.4.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the p parameter to index.php. |
|
9798 |
CVE-2013-5965 |
264 |
|
+Info |
2013-09-30 |
2013-10-11 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The Node View Permissions module 7.x-1.x before 7.x-1.2 for Drupal does not properly implement the hook_query_alter function, which might allow remote attackers to obtain sensitive information by reading a node listing. |
|
9799 |
CVE-2013-5962 |
|
1
|
Exec Code |
2013-09-30 |
2017-08-28 |
5.1 |
None |
Remote |
High |
Not required |
Partial |
Partial |
Partial |
|
Unrestricted file upload vulnerability in frames/upload-images.php in the Complete Gallery Manager plugin before 3.3.4 rev40279 for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in wp-content/[year]/[month]/. |
|
9800 |
CVE-2013-5960 |
310 |
|
Bypass |
2013-09-30 |
2017-11-22 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
The authenticated-encryption feature in the symmetric-encryption implementation in the OWASP Enterprise Security API (ESAPI) for Java 2.x before 2.1.0.1 does not properly resist tampering with serialized ciphertext, which makes it easier for remote attackers to bypass intended cryptographic protection mechanisms via an attack against the intended cipher mode in a non-default configuration, a different vulnerability than CVE-2013-5679. |
