| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
43851 |
CVE-2013-7475 |
79 |
|
XSS |
2019-08-13 |
2019-08-15 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The contact-form-plugin plugin before 3.52 for WordPress has XSS. |
|
43852 |
CVE-2013-7474 |
79 |
|
XSS |
2019-08-01 |
2019-08-06 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Windu CMS 2.2 allows XSS via the name parameter to admin/content/edit or admin/content/add, or the username parameter to admin/users. |
|
43853 |
CVE-2013-7473 |
352 |
|
CSRF |
2019-08-01 |
2019-08-06 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Windu CMS 2.2 allows CSRF via admin/users/?mn=admin.message.error to add an admin account. |
|
43854 |
CVE-2013-7472 |
79 |
|
XSS |
2019-06-15 |
2019-06-17 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The "Count per Day" plugin before 3.2.6 for WordPress allows XSS via the wp-admin/?page=cpd_metaboxes daytoshow parameter. |
|
43855 |
CVE-2013-7464 |
352 |
|
Bypass CSRF |
2018-08-07 |
2018-10-09 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
In csrf-magic before 1.0.4, if $GLOBALS['csrf']['secret'] is not configured, the Anti-CSRF Token used is predictable and would permit an attacker to bypass the CSRF protections, because an automatically generated secret is not used. |
|
43856 |
CVE-2013-7463 |
330 |
|
|
2017-04-19 |
2017-04-28 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The aescrypt gem 1.0.0 for Ruby does not randomize the CBC IV for use with the AESCrypt.encrypt and AESCrypt.decrypt functions, which allows attackers to defeat cryptographic protection mechanisms via a chosen plaintext attack. |
|
43857 |
CVE-2013-7462 |
22 |
|
Dir. Trav. |
2017-03-14 |
2017-03-29 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
A directory traversal vulnerability in the web application in McAfee (now Intel Security) SaaS Control Console (SCC) Platform 6.14 before patch 1070, and 6.15 before patch 1076 allows unauthenticated users to view contents of arbitrary system files that did not have file system level read access restrictions via a null-byte injection exploit. |
|
43858 |
CVE-2013-7461 |
284 |
|
Bypass |
2017-03-14 |
2017-03-16 |
2.1 |
None |
Local |
Low |
Not required |
None |
Partial |
None |
|
A write protection and execution bypass vulnerability in McAfee (now Intel Security) Change Control (MCC) 6.1.0 for Linux and earlier allows authenticated users to change files that are part of write protection rules via specific conditions. |
|
43859 |
CVE-2013-7460 |
284 |
|
Bypass |
2017-03-14 |
2017-03-17 |
2.1 |
None |
Local |
Low |
Not required |
None |
Partial |
None |
|
A write protection and execution bypass vulnerability in McAfee (now Intel Security) Application Control (MAC) 6.1.0 for Linux and earlier allows authenticated users to change binaries that are part of the Application Control whitelist and allows execution of binaries via specific conditions. |
|
43860 |
CVE-2013-7458 |
200 |
|
+Info |
2016-08-10 |
2018-08-08 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
linenoise, as used in Redis before 3.2.3, uses world-readable permissions for .rediscli_history, which allows local users to obtain sensitive information by reading the file. |
|
43861 |
CVE-2013-7456 |
125 |
|
DoS |
2016-08-07 |
2018-01-04 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
gd_interpolation.c in the GD Graphics Library (aka libgd) before 2.1.1, as used in PHP before 5.5.36, 5.6.x before 5.6.22, and 7.x before 7.0.7, allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted image that is mishandled by the imagescale function. |
|
43862 |
CVE-2013-7454 |
79 |
|
XSS Bypass |
2017-01-23 |
2017-01-24 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via nested forbidden strings. |
|
43863 |
CVE-2013-7453 |
79 |
|
XSS Bypass |
2017-01-23 |
2017-01-24 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via vectors related to UI redressing. |
|
43864 |
CVE-2013-7452 |
79 |
|
XSS Bypass |
2017-01-23 |
2017-01-24 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via a crafted javascript URI. |
|
43865 |
CVE-2013-7451 |
79 |
|
XSS Bypass |
2017-01-23 |
2017-01-24 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The validator module before 1.1.0 for Node.js allows remote attackers to bypass the XSS filter via a nested tag. |
|
43866 |
CVE-2013-7450 |
295 |
|
|
2017-04-03 |
2017-04-26 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Pulp before 2.3.0 uses the same the same certificate authority key and certificate for all installations. |
|
43867 |
CVE-2013-7449 |
310 |
|
|
2016-04-21 |
2016-05-06 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
The ssl_do_connect function in common/server.c in HexChat before 2.10.2, XChat, and XChat-GNOME does not verify that the server hostname matches a domain name in the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. |
|
43868 |
CVE-2013-7448 |
22 |
|
Dir. Trav. |
2016-02-23 |
2016-03-10 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Directory traversal vulnerability in wiki.c in didiwiki allows remote attackers to read arbitrary files via the page parameter to api/page/get. |
|
43869 |
CVE-2013-7447 |
|
|
DoS Overflow |
2016-02-17 |
2016-12-02 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
Integer overflow in the gdk_cairo_set_source_pixbuf function in gdk/gdkcairo.c in GTK+ before 3.9.8, as used in eom, gnome-photos, eog, gambas3, thunar, pinpoint, and possibly other applications, allows remote attackers to cause a denial of service (crash) via a large image file, which triggers a large memory allocation. |
|
43870 |
CVE-2013-7446 |
|
|
DoS Bypass |
2015-12-28 |
2018-08-13 |
5.4 |
None |
Local |
Medium |
Not required |
None |
Partial |
Complete |
|
Use-after-free vulnerability in net/unix/af_unix.c in the Linux kernel before 4.3.3 allows local users to bypass intended AF_UNIX socket permissions or cause a denial of service (panic) via crafted epoll_ctl calls. |
|
43871 |
CVE-2013-7444 |
200 |
|
+Info |
2015-09-01 |
2015-09-02 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The Special:Contributions page in MediaWiki before 1.22.0 allows remote attackers to determine if an IP is autoblocked via the "Change block" text. |
|
43872 |
CVE-2013-7443 |
119 |
|
DoS Overflow |
2015-08-12 |
2016-11-28 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Buffer overflow in the skip-scan optimization in SQLite 3.8.2 allows remote attackers to cause a denial of service (crash) via crafted SQL statements. |
|
43873 |
CVE-2013-7440 |
19 |
|
|
2016-06-07 |
2016-11-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The ssl.match_hostname function in CPython (aka Python) before 2.7.9 and 3.x before 3.3.3 does not properly handle wildcards in hostnames, which might allow man-in-the-middle attackers to spoof servers via a crafted certificate. |
|
43874 |
CVE-2013-7437 |
189 |
|
DoS Overflow |
2015-03-29 |
2016-12-06 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Multiple integer overflows in potrace 1.11 allow remote attackers to cause a denial of service (crash) via large dimensions in a BMP image, which triggers a buffer overflow. |
|
43875 |
CVE-2013-7436 |
310 |
|
|
2015-04-10 |
2015-05-05 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
noVNC before 0.5 does not set the secure flag for a cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session. |
|
43876 |
CVE-2013-7435 |
200 |
|
+Info |
2018-02-01 |
2018-02-16 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
The open-ils.pcrud endpoint in Evergreen before 2.5.9, 2.6.x before 2.6.7, and 2.7.x before 2.7.4 allows remote attackers to obtain sensitive settings history information by leveraging lack of user permission for retrieval in fm_IDL.xml. |
|
43877 |
CVE-2013-7433 |
79 |
|
XSS |
2017-08-29 |
2017-09-01 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Googlemaps plugin before 3.1 for Joomla!. |
|
43878 |
CVE-2013-7432 |
264 |
|
Bypass |
2017-08-29 |
2017-09-01 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The Googlemaps plugin before 3.1 for Joomla! allows remote attackers to bypass an intended protection mechanism. |
|
43879 |
CVE-2013-7431 |
200 |
|
+Info |
2017-08-29 |
2017-09-01 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Full path disclosure in the Googlemaps plugin before 3.1 for Joomla!. |
|
43880 |
CVE-2013-7430 |
79 |
|
XSS |
2017-08-28 |
2017-08-30 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Googlemaps plugin before 3.1 for Joomla! allows remote attackers to inject arbitrary web script or HTML via the xmlns parameter. |
|
43881 |
CVE-2013-7428 |
400 |
|
DoS |
2017-09-07 |
2017-09-14 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The Googlemaps plugin before 3.1 for Joomla! allows remote attackers to cause a denial of service via the url parameter to plugin_googlemap2_proxy.php. |
|
43882 |
CVE-2013-7424 |
17 |
|
DoS Exec Code |
2015-08-26 |
2016-11-28 |
5.1 |
None |
Remote |
High |
Not required |
Partial |
Partial |
Partial |
|
The getaddrinfo function in glibc before 2.15, when compiled with libidn and the AI_IDN flag is used, allows context-dependent attackers to cause a denial of service (invalid free) and possibly execute arbitrary code via unspecified vectors, as demonstrated by an internationalized domain name to ping6. |
|
43883 |
CVE-2013-7423 |
17 |
|
|
2015-02-24 |
2018-10-30 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
The send_dg function in resolv/res_send.c in GNU C Library (aka glibc or libc6) before 2.20 does not properly reuse file descriptors, which allows remote attackers to send DNS queries to unintended locations via a large number of requests that trigger a call to the getaddrinfo function. |
|
43884 |
CVE-2013-7421 |
264 |
|
|
2015-03-02 |
2018-01-04 |
2.1 |
None |
Local |
Low |
Not required |
None |
Partial |
None |
|
The Crypto API in the Linux kernel before 3.18.5 allows local users to load arbitrary kernel modules via a bind system call for an AF_ALG socket with a module name in the salg_name field, a different vulnerability than CVE-2014-9644. |
|
43885 |
CVE-2013-7419 |
79 |
|
XSS |
2015-01-09 |
2015-01-12 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in includes/refreshDate.php in the Joomlaskin JS Multi Hotel (aka JS MultiHotel and Js-Multi-Hotel) plugin 2.2.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the roomid parameter. |
|
43886 |
CVE-2013-7418 |
77 |
|
Exec Code XSS |
2015-01-02 |
2015-01-05 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
cgi-bin/iptablesgui.cgi in IPCop (aka IPCop Firewall) before 2.1.5 allows remote authenticated users to execute arbitrary code via shell metacharacters in the TABLE parameter. NOTE: this can be exploited remotely by leveraging a separate cross-site scripting (XSS) vulnerability. |
|
43887 |
CVE-2013-7417 |
79 |
|
XSS Bypass CSRF |
2015-01-02 |
2017-09-07 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in cgi-bin/ipinfo.cgi in IPCop (aka IPCop Firewall) before 2.1.3 allows remote attackers to inject arbitrary web script or HTML via the QUERY_STRING. NOTE: this can be used to bypass the cross-site request forgery (CSRF) protection mechanism by setting the Referer. |
|
43888 |
CVE-2013-7407 |
352 |
|
CSRF |
2014-10-22 |
2014-10-22 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in the MRBS module for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. |
|
43889 |
CVE-2013-7402 |
|
|
DoS |
2014-12-17 |
2015-09-10 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Multiple unspecified vulnerabilities in request.c in c-icap 0.2.x allow remote attackers to cause a denial of service (crash) via a crafted ICAP request. |
|
43890 |
CVE-2013-7401 |
119 |
|
DoS Overflow |
2014-12-19 |
2015-09-10 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The parse_request function in request.c in c-icap 0.2.x allows remote attackers to cause a denial of service (crash) via a URI without a " " or "?" character in an ICAP request, as demonstrated by use of the OPTIONS method. |
|
43891 |
CVE-2013-7400 |
200 |
|
+Info |
2017-12-29 |
2018-01-10 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The Direct Mail (direct_mail) extension before 3.1.2 for TYPO3 allows remote attackers to obtain sensitive information by leveraging improper checking of authentication codes. |
|
43892 |
CVE-2013-7398 |
345 |
|
|
2015-06-24 |
2019-04-16 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
main/java/com/ning/http/client/AsyncHttpClientConfig.java in Async Http Client (aka AHC or async-http-client) before 1.9.0 does not require a hostname match during verification of X.509 certificates, which allows man-in-the-middle attackers to spoof HTTPS servers via an arbitrary valid certificate. |
|
43893 |
CVE-2013-7397 |
345 |
|
|
2015-06-24 |
2019-04-16 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Async Http Client (aka AHC or async-http-client) before 1.9.0 skips X.509 certificate verification unless both a keyStore location and a trustStore location are explicitly set, which allows man-in-the-middle attackers to spoof HTTPS servers by presenting an arbitrary certificate during use of a typical AHC configuration, as demonstrated by a configuration that does not send client certificates. |
|
43894 |
CVE-2013-7395 |
255 |
|
DoS |
2014-08-12 |
2014-08-13 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
ZOLL Defibrillator / Monitor X Series has a default (1) supervisor password and (2) service password, which allows physically proximate attackers to modify device configuration and cause a denial of service (adverse human health effects). |
|
43895 |
CVE-2013-7393 |
59 |
|
+Priv |
2014-07-28 |
2016-10-17 |
2.4 |
None |
Local |
High |
Single system |
None |
Partial |
Partial |
|
The daemonize.py module in Subversion 1.8.0 before 1.8.2 allows local users to gain privileges via a symlink attack on the pid file created for (1) svnwcsub.py or (2) irkerbridge.py when the --pidfile option is used. NOTE: this issue was SPLIT from CVE-2013-4262 based on different affected versions (ADT3). |
|
43896 |
CVE-2013-7391 |
264 |
|
|
2014-07-19 |
2015-02-27 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The Entity API module 7.x-1.x before 7.x-1.2 for Drupal, when using the (a) Views field or (b) area plugins, allows remote attackers to read restricted entities via the (1) field, (2) header, or (3) footer of a View. NOTE: this identifier was SPLIT from CVE-2013-4273 per ADT5 due to different researcher organizations. |
|
43897 |
CVE-2013-7389 |
79 |
|
XSS |
2014-07-07 |
2016-12-30 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in D-Link DIR-645 Router (Rev. A1) with firmware before 1.04B11 allow remote attackers to inject arbitrary web script or HTML via the (1) deviceid parameter to parentalcontrols/bind.php, (2) RESULT parameter to info.php, or (3) receiver parameter to bsc_sms_send.php. |
|
43898 |
CVE-2013-7387 |
|
|
|
2014-06-02 |
2014-06-03 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Session fixation vulnerability in DataLife Engine (DLE) 9.7 and earlier allows remote attackers to hijack web sessions via the PHPSESSID cookie. |
|
43899 |
CVE-2013-7386 |
134 |
|
DoS Exec Code |
2014-06-02 |
2014-06-03 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Format string vulnerability in the PROJECT::write_account_file function in client/cs_account.cpp in BOINC, possibly 7.2.33, allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via format string specifiers in the gui_urls item in an account file. |
|
43900 |
CVE-2013-7385 |
310 |
|
+Priv XSS +Info |
2014-05-19 |
2014-05-20 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
LiveZilla 5.1.2.1 and earlier includes the MD5 hash of the operator password in plaintext in Javascript code that is generated by lz/mobile/chat.php, which allows remote attackers to obtain sensitive information and gain privileges by accessing the loginName and loginPassword variables using an independent cross-site scripting (XSS) attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7033. |
