| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score (CVSS v2) | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 45201 | CVE-2013-4705 | 79 | | XSS | 2013-09-13 | 2013-09-13 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in Opera before 15.00 allows remote attackers to inject arbitrary web script or HTML by leveraging UTF-8 encoding. |
| 45202 | CVE-2013-4704 | 79 | | XSS | 2013-09-16 | 2013-10-08 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in ChamaNet ChamaCargo 7.0000 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 45203 | CVE-2013-4703 | 79 | | XSS | 2013-09-10 | 2018-10-30 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in the top-page customization feature in Cybozu Office before 9.3.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 45204 | CVE-2013-4702 | 22 | | Dir. Trav. | 2013-08-30 | 2013-09-11 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Multiple directory traversal vulnerabilities in the doApiAction function in data/class/api/SC_Api_Operation.php in LOCKON EC-CUBE 2.12.0 through 2.12.5 on Windows allow remote attackers to read arbitrary files via vectors involving a (1) Operation, (2) Service, (3) Style, (4) Validate, or (5) Version value. |
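The "on Windows" qualifier in the CVE-2013-4702 entry is the instructive part: a traversal filter that only recognises `/` as a separator lets `..\..\` through, and Windows then honours the backslashes. The following is an added example, not EC-CUBE code, showing a separator-agnostic check beside the naive one; the base directory, the allow-list regex and the "Product" API name are hypothetical.

```python
"""Added example (not EC-CUBE code): validating a user-supplied path component
so that it cannot escape its directory on Windows or POSIX."""
import posixpath
import re

# Hypothetical allow-list: the API's Operation/Service/Style/... values are
# expected to be plain identifiers, so the strictest fix is to refuse anything else.
IDENT_RE = re.compile(r"^[A-Za-z0-9_]+$")
DRIVE_RE = re.compile(r"^[A-Za-z]:")


def naive_filter_blocks(value: str) -> bool:
    """The check that is safe on Linux and broken on Windows: it only knows '../'."""
    return "../" in value


def is_traversal(value: str) -> bool:
    """True if `value`, used as a path component, could leave its base directory.

    Both separators are folded to '/', as Windows treats them interchangeably,
    before the path is collapsed; any '..' that survives normalisation is a
    segment that climbs above the base.
    """
    if "\x00" in value:                      # NUL truncates paths in C-based runtimes
        return True
    folded = value.replace("\\", "/")
    if folded.startswith("/") or DRIVE_RE.match(folded):
        return True                          # absolute path or drive letter
    collapsed = posixpath.normpath(folded)   # 'a/../b' -> 'b', '../x' stays '../x'
    return collapsed == ".." or collapsed.startswith("../")


def safe_join(base_dir: str, component: str) -> str:
    """Join `component` under `base_dir`, refusing anything that traverses."""
    if is_traversal(component):
        raise ValueError(f"rejected path component: {component!r}")
    return posixpath.join(base_dir, component.replace("\\", "/"))


def is_valid_api_name(value: str) -> bool:
    """Allow-list alternative: API names are identifiers, never paths."""
    return bool(IDENT_RE.match(value))


if __name__ == "__main__":
    probe = "..\\..\\..\\data\\config\\config.php"   # constructed Windows-style probe
    print("naive filter blocks it:", naive_filter_blocks(probe))   # False
    print("is_traversal:", is_traversal(probe))                   # True
    print("allow-list accepts it:", is_valid_api_name(probe))     # False
```

Of the two fixes, the allow-list is the one to prefer when the value names an API operation rather than a file: it removes the path semantics entirely instead of trying to sanitise them.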
| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score (CVSS v2) | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 45205 | CVE-2013-4700 | 310 | | +Info | 2013-08-21 | 2014-03-05 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | The Yahoo! Japan Shopping application 1.4 and earlier for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
| 45206 | CVE-2013-4699 | 310 | | +Info | 2013-08-21 | 2014-03-05 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | The Yahoo! Japan Yafuoku! application 4.3.0 and earlier for iOS and Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
| 45207 | CVE-2013-4698 | 200 | | +Info | 2013-08-15 | 2013-10-07 | 3.5 | None | Remote | Medium | Single system | Partial | None | None | Cybozu Mailwise 5.0.4 and 5.0.5 allows remote authenticated users to obtain sensitive e-mail content intended for different persons in opportunistic circumstances by reading Subject header lines within the user's own mailbox. |
| 45208 | CVE-2013-4690 | 399 | | +Info | 2013-07-11 | 2017-08-28 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Juniper Junos 10.4 before 10.4S13, 11.4 before 11.4R7-S1, 12.1 before 12.1R5-S3, 12.1X44 before 12.1X44-D20, and 12.1X45 before 12.1X45-D10 on the SRX1400, SRX3400, and SRX3600 does not properly initialize memory locations used during padding of Ethernet packets, which allows remote attackers to obtain sensitive information by reading packet data, aka PR 829536, a related issue to CVE-2003-0001. |
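The CVE-2013-4690 entry (and CVE-2003-0001, which it cites) describes the "Etherleak" class: frames shorter than the 60-byte Ethernet minimum are padded on transmit, and if the padding is taken from an uncleared buffer, every short frame carries a slice of earlier traffic. The model below is an added example, not Junos code: a constructed NIC that reuses its transmit buffer with and without zeroing the tail, plus the detection rule an analyst applies to a capture (non-zero bytes past the IPv4 total length). MAC/IP addresses and the "secret" traffic are constructed.

```python
"""Added example (not Junos code): why a transmit path must zero its padding."""
import struct

ETH_MIN_FRAME = 60          # minimum frame length on the wire without the 4-byte FCS
ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = b"\x08\x00"


def build_ipv4_frame(payload: bytes) -> bytes:
    """Ethernet + minimal IPv4 header (proto 17) around `payload`; constructed addresses."""
    eth = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02" + ETHERTYPE_IPV4
    total_len = 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, total_len, 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + payload


class LeakyNic:
    """Reuses one transmit buffer and never clears the tail: the bug."""

    def __init__(self) -> None:
        self.txbuf = bytearray(1514)

    def send(self, frame: bytes) -> bytes:
        self.txbuf[:len(frame)] = frame
        # Padding bytes between len(frame) and ETH_MIN_FRAME are whatever
        # the previous frame left there.
        return bytes(self.txbuf[:max(len(frame), ETH_MIN_FRAME)])


class FixedNic(LeakyNic):
    """Same buffer reuse, but the padding region is explicitly zeroed."""

    def send(self, frame: bytes) -> bytes:
        self.txbuf[:len(frame)] = frame
        if len(frame) < ETH_MIN_FRAME:
            self.txbuf[len(frame):ETH_MIN_FRAME] = bytes(ETH_MIN_FRAME - len(frame))
        return bytes(self.txbuf[:max(len(frame), ETH_MIN_FRAME)])


def padding_bytes(wire: bytes) -> bytes:
    """Bytes after the IPv4 total length, i.e. the padding, of a captured IPv4 frame."""
    if len(wire) < ETH_HDR_LEN + 20 or wire[12:14] != ETHERTYPE_IPV4:
        return b""
    (total_len,) = struct.unpack("!H", wire[16:18])
    return wire[ETH_HDR_LEN + total_len:]


def leaks_memory(wire: bytes) -> bool:
    """Detection rule for a capture: any non-zero padding byte is a leak indicator."""
    return any(b != 0 for b in padding_bytes(wire))


def demo() -> tuple:
    """Send a frame carrying a secret, then a short frame, through both NIC models."""
    secret_frame = build_ipv4_frame(b"SECRET-SESSION-TOKEN" + bytes(100))
    short_frame = build_ipv4_frame(b"ping")          # 38 bytes -> 22 bytes of padding
    leaky, fixed = LeakyNic(), FixedNic()
    leaky.send(secret_frame)
    fixed.send(secret_frame)
    return leaky.send(short_frame), fixed.send(short_frame)


if __name__ == "__main__":
    leaky_wire, fixed_wire = demo()
    print("leaky padding:", padding_bytes(leaky_wire))   # contains b'ET-SESSION-TOKEN'
    print("fixed padding:", padding_bytes(fixed_wire))   # 22 zero bytes
```

On a real capture the same `padding_bytes` check is the quickest triage: repeatedly non-zero padding on short frames from one host is the signature, and the leaked bytes are from whatever that host last transmitted or held in the buffer.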
| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score (CVSS v2) | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 45209 | CVE-2013-4689 | 352 | | Bypass CSRF | 2013-10-17 | 2013-10-25 | 5.1 | None | Remote | High | Not required | Partial | Partial | Partial | J-Web in Juniper Junos before 10.4R13, 11.4 before 11.4R7, 12.1R before 12.1R6, 12.1X44 before 12.1X44-D15, 12.1X45 before 12.1X45-D10, 12.2 before 12.2R3, 12.3 before 12.3R2, and 13.1 before 13.1R3 allow remote attackers to bypass the cross-site request forgery (CSRF) protection mechanism and hijack the authentication of administrators for requests that (1) create new administrator accounts or (2) have other unspecified impacts. |
| 45210 | CVE-2013-4680 | | | | 2013-06-25 | 2017-08-28 | 6.4 | None | Remote | Low | Not required | Partial | Partial | None | Open redirect vulnerability in Maag Form Captcha extension 2.0.0 and earlier for TYPO3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. |
| 45211 | CVE-2013-4679 | 119 | | Overflow +Priv | 2013-08-05 | 2013-10-07 | 6.6 | None | Local | Medium | Single system | Complete | Complete | Complete | Symantec Workspace Virtualization 6.x before 6.4.1953.0, when a virtual application layer is configured, allows local users to gain privileges via an application that performs crafted interaction with the operating system. |
| 45212 | CVE-2013-4678 | 200 | | +Info | 2013-08-05 | 2013-08-09 | 2.7 | None | Local Network | Low | Single system | Partial | None | None | The NDMP protocol implementation in Symantec Backup Exec 2010 R3 before 2010 R3 SP3 and 2012 before SP2 allows remote authenticated users to obtain sensitive host-version information via unspecified vectors. |
| 45213 | CVE-2013-4677 | 264 | | +Info | 2013-08-05 | 2013-08-22 | 4.3 | None | Local | Low | Single system | Partial | Partial | Partial | Symantec Backup Exec 2010 R3 before 2010 R3 SP3 and 2012 before SP2 uses weak permissions (Everyone: Read and Everyone: Change) for backup data files, which allows local users to obtain sensitive information or modify the outcome of a restore via direct access to these files. |
| 45214 | CVE-2013-4676 | 79 | | XSS | 2013-08-05 | 2013-08-22 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in Symantec Backup Exec 2010 R3 before 2010 R3 SP3 and 2012 before SP2 allow remote attackers to inject arbitrary web script or HTML via vectors involving a (1) custom-reports generation page, (2) Storage Devices creation page, or (3) jobs creation page in the management console; or (4) a Backup Exec server-management page in the beutility console. |
| 45215 | CVE-2013-4674 | 79 | | XSS | 2013-07-31 | 2017-11-28 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in the Web Email Protection component in Symantec Encryption Management Server (formerly Symantec PGP Universal Server) before 3.3.0 MP2 allows remote authenticated users to inject arbitrary web script or HTML via a crafted encrypted e-mail attachment. |
| 45216 | CVE-2013-4673 | 20 | | Exec Code | 2013-08-01 | 2017-11-17 | 5.8 | None | Local Network | Low | Not required | Partial | Partial | Partial | The management console on the Symantec Web Gateway (SWG) appliance before 5.1.1 does not properly implement RADIUS authentication, which allows remote attackers to execute arbitrary code by leveraging access to the login prompt. |
| 45217 | CVE-2013-4671 | 352 | | CSRF | 2013-08-01 | 2014-01-17 | 6.0 | None | Remote | Medium | Single system | Partial | Partial | Partial | Cross-site request forgery (CSRF) vulnerability in the management console on the Symantec Web Gateway (SWG) appliance before 5.1.1 allows remote authenticated users to hijack the authentication of unspecified victims via unknown vectors. |
| 45218 | CVE-2013-4670 | 79 | | XSS | 2013-08-01 | 2014-01-17 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in the management console on the Symantec Web Gateway (SWG) appliance before 5.1.1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 45219 | CVE-2013-4669 | 255 | | +Info | 2013-06-25 | 2015-11-04 | 5.4 | None | Remote | High | Not required | Complete | None | None | FortiClient before 4.3.5.472 on Windows, before 4.0.3.134 on Mac OS X, and before 4.0 on Android; FortiClient Lite before 4.3.4.461 on Windows; FortiClient Lite 2.0 through 2.0.0223 on Android; and FortiClient SSL VPN before 4.0.2258 on Linux proceed with an SSL session after determining that the server's X.509 certificate is invalid, which allows man-in-the-middle attackers to obtain sensitive information by leveraging a password transmission that occurs before the user warning about the certificate problem. |
| 45220 | CVE-2013-4668 | 22 | | Dir. Trav. | 2013-07-18 | 2013-08-22 | 5.0 | None | Remote | Low | Not required | None | Partial | None | Directory traversal vulnerability in File Roller 3.6.x before 3.6.4, 3.8.x before 3.8.3, and 3.9.x before 3.9.3, when libarchive is used, allows remote attackers to create arbitrary files via a crafted archive that is not properly handled in a "Keep directory structure" action, related to fr-archive-libarchive.c and fr-window.c. |
| 45221 | CVE-2013-4662 | 89 | | Sql Bypass | 2014-01-29 | 2014-02-21 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial | The Quick Search API in CiviCRM 4.2.0 through 4.2.9 and 4.3.0 through 4.3.3 allows remote authenticated users to bypass the validation layer and conduct SQL injection attacks via a direct request to the "second layer" of the API, related to contact.getquick. |
| 45222 | CVE-2013-4661 | 264 | | Bypass | 2014-01-29 | 2014-02-21 | 4.9 | None | Remote | Medium | Single system | Partial | Partial | None | CiviCRM 2.0.0 through 4.2.9 and 4.3.0 through 4.3.3 does not properly enforce role-based access control (RBAC) restrictions for default custom searches, which allows remote authenticated users with the "access CiviCRM" permission to bypass intended access restrictions, as demonstrated by accessing custom contribution data without having the "access CiviContribute" permission. |
| 45223 | CVE-2013-4660 | 20 | | Exec Code | 2013-06-28 | 2013-07-01 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, which allows remote attackers to execute arbitrary code via a crafted string that triggers an eval operation. |
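The CVE-2013-4660 entry is the general YAML hazard: a document can name the type to construct with a tag, and language-specific tags (`!!js/function` in js-yaml, `!!python/object/apply` in PyYAML) turn parsing into code execution. The real fix is to parse untrusted input with the library's safe loader (js-yaml's `safeLoad`, PyYAML's `safe_load`). The scanner below is an added example, not JS-YAML code, that gates a document before it reaches any parser and reports which tag was attempted, which is what you want in a log line. The allow-list of standard tags and the sample documents are constructed; any local tag (`!mytype`) is treated as unsafe, which is deliberately conservative.

```python
"""Added example (not JS-YAML code): refusing language-specific YAML tags before
a document reaches the parser."""
import re
from typing import List

# Tags from the YAML core/JSON schemas plus a few widely implemented extras.
SAFE_TAGS = {
    "!!str", "!!int", "!!float", "!!bool", "!!null", "!!map", "!!seq",
    "!!set", "!!omap", "!!pairs", "!!binary", "!!timestamp", "!!merge",
}

# Quoted scalars and comments are blanked first so a '!' inside them is not
# mistaken for a tag; a tag is a '!' token preceded by start-of-line, space,
# or a flow indicator ([ { ,).
QUOTED_RE = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\'\'|[^\'])*\'')
COMMENT_RE = re.compile(r"(?:^|\s)#.*", re.MULTILINE)
TAG_RE = re.compile(r"(?<![^\s\[{,])(![^\s\[\]{},]*)")


def find_tags(document: str) -> List[str]:
    """All tags in `document`, in order of appearance."""
    text = QUOTED_RE.sub('""', document)
    text = COMMENT_RE.sub("", text)
    return TAG_RE.findall(text)


def unsafe_tags(document: str) -> List[str]:
    """Tags outside the allow-list, i.e. anything a parser would map to a
    language-native constructor (functions, regexps, arbitrary objects)."""
    return [tag for tag in find_tags(document) if tag not in SAFE_TAGS]


def is_safe_to_parse(document: str) -> bool:
    """Gate to call before handing untrusted YAML to any loader."""
    return not unsafe_tags(document)


if __name__ == "__main__":
    # Constructed documents: one with a function tag, one with only standard tags.
    hostile = "name: !!js/function \"function(){ return require('child_process').execSync('id') }\"\n"
    benign = ("created: !!timestamp 2013-06-28\n"
              "count: !!int \"3\"\n"
              "note: \"not a !tag\"  # nor this !one\n")
    print(unsafe_tags(hostile))        # ['!!js/function']
    print(is_safe_to_parse(benign))    # True
```

Use the gate in front of, not instead of, the safe loader: the regex is a pre-filter that cannot know every quoting rule of a full YAML parser, so it is there to reject early and log the tag, while the loader's own schema remains the enforcement point.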
| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score (CVSS v2) | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 45224 | CVE-2013-4653 | 79 | | XSS | 2013-08-19 | 2017-08-28 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in the signin functionality of ics in MyTeamwork services in Alcatel-Lucent Omnitouch 8660 My Teamwork before 6.7, Omnitouch 8670 Automated Message Delivery System (AMDS) before 6.7, Omnitouch 8460 Advanced Communication Server before 9.1, and OmniTouch 8400 Instant Communications Suite before 6.7.3 (1) allow remote attackers to inject arbitrary web script or HTML via a crafted URL that results in a reflected XSS or (2) allow user-assisted remote attackers to inject arbitrary web script or HTML via a user's personal bookmark entry that results in a stored XSS via unspecified vectors. |
| 45225 | CVE-2013-4651 | 255 | | | 2013-08-01 | 2013-08-01 | 6.6 | None | Remote | High | Not required | Partial | Partial | Complete | Siemens Scalance W7xx devices with firmware before 4.5.4 use the same hardcoded X.509 certificate across different customers' installations, which makes it easier for remote attackers to conduct man-in-the-middle attacks against SSL sessions by leveraging the certificate's trust relationship. |
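Four entries on this page are TLS client failures of different shapes: CVE-2013-4700 and CVE-2013-4699 (certificates not verified at all), CVE-2013-4669 (verification fails, but the password goes out before the user sees the warning) and CVE-2013-4651 (one certificate shared by every device, so "valid" means nothing). The block below is an added example, none of the vendors' code, showing the client-side posture that closes all four: a verifying context, an audit of a context's settings, a login routine that structurally cannot send credentials before the verdict, and a fingerprint check for known shared default certificates. The `LOGIN` line format, the hosts and the fingerprint set are hypothetical.

```python
"""Added example (none of the vendors' code): a TLS client that verifies before
it speaks, plus checks for the misconfigurations in the entries above."""
import hashlib
import socket
import ssl
from typing import List, Optional, Set


def hardened_client_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """CERT_REQUIRED + hostname check (create_default_context's defaults), TLS 1.2 minimum."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def insecure_client_context() -> ssl.SSLContext:
    """What the vulnerable apps effectively did: accept any certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Findings for a client context; an empty list means it verifies the server."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: any certificate is accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: a valid certificate for another host is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 are allowed")
    return findings


def login_over_tls(host: str, port: int, ctx: ssl.SSLContext,
                   username: str, password: str, timeout: float = 5.0) -> bytes:
    """Credentials are written only after wrap_socket() returns; with a
    CERT_REQUIRED context that call raises ssl.SSLCertVerificationError on an
    invalid certificate, so the password can never precede the verdict."""
    raw = socket.create_connection((host, port), timeout=timeout)
    with ctx.wrap_socket(raw, server_hostname=host) as tls:
        tls.sendall(f"LOGIN {username} {password}\r\n".encode())   # hypothetical app protocol
        return tls.recv(4096)


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER encoding, the usual pinning/identification value."""
    return hashlib.sha256(der_cert).hexdigest()


def uses_shared_default_cert(der_cert: bytes, known_defaults: Set[str]) -> bool:
    """True if the presented certificate is one known to ship on many installations."""
    return cert_fingerprint(der_cert) in known_defaults


def server_fingerprint(host: str, port: int = 443) -> str:
    """Fetch the leaf certificate without verifying it (reconnaissance, not a
    trust decision) and fingerprint it for comparison against known defaults."""
    pem = ssl.get_server_certificate((host, port))
    return cert_fingerprint(ssl.PEM_cert_to_DER_cert(pem))


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()))   # []
    print("insecure:", audit_context(insecure_client_context()))
```

The ordering point matters for CVE-2013-4669 specifically: a client that verifies "later" (after the handshake, in application code, with a dialog) has already let the handshake complete and may already have flushed a request. Putting verification in the handshake, where `wrap_socket` does it, leaves no such window. For CVE-2013-4651 the fingerprint check is a scanner's tool; the device-side fix is per-installation certificate generation.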
| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score (CVSS v2) | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 45226 | CVE-2013-4650 | 264 | | | 2013-07-04 | 2013-07-05 | 6.5 | User | Remote | Low | Single system | Partial | Partial | Partial | MongoDB 2.4.x before 2.4.5 and 2.5.x before 2.5.1 allows remote authenticated users to obtain internal system privileges by leveraging a username of __system in an arbitrary database. |
| 45227 | CVE-2013-4649 | 79 | | XSS | 2014-03-12 | 2017-08-28 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in DotNetNuke (DNN) before 6.2.9 and 7.x before 7.1.1 allows remote attackers to inject arbitrary web script or HTML via the __dnnVariable parameter to the default URI. |
| 45228 | CVE-2013-4636 | 20 | | DoS | 2013-06-21 | 2013-06-24 | 4.3 | None | Remote | Medium | Not required | None | None | Partial | The mget function in libmagic/softmagic.c in the Fileinfo component in PHP 5.4.x before 5.4.16 allows remote attackers to cause a denial of service (invalid pointer dereference and application crash) via an MP3 file that triggers incorrect MIME type detection during access to an finfo object. |
| 45229 | CVE-2013-4635 | 189 | | DoS Overflow | 2013-06-21 | 2013-09-11 | 5.0 | None | Remote | Low | Not required | None | None | Partial | Integer overflow in the SdnToJewish function in jewish.c in the Calendar component in PHP before 5.3.26 and 5.4.x before 5.4.16 allows context-dependent attackers to cause a denial of service (application hang) via a large argument to the jdtojewish function. |
| 45230 | CVE-2013-4628 | 200 | | +Info | 2013-06-20 | 2013-06-21 | 3.5 | None | Remote | Medium | Single system | Partial | None | None | The firewall module on the Huawei Quidway Service Process Unit (SPU) board S7700, S9300, and S9700 on Huawei Campus Switch devices allows remote authenticated users to obtain sensitive information from the high-priority security zone by leveraging access to the low-priority security zone. |
| 45231 | CVE-2013-4627 | | | DoS | 2013-08-02 | 2013-10-11 | 5.0 | None | Remote | Low | Not required | None | None | Partial | Unspecified vulnerability in bitcoind and Bitcoin-Qt 0.8.x allows remote attackers to cause a denial of service (memory consumption) via a large amount of tx message data. |
| 45232 | CVE-2013-4626 | 79 | | XSS | 2013-09-26 | 2013-10-08 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in the BackWPup plugin before 3.0.13 for WordPress allows remote attackers to inject arbitrary web script or HTML via the tab parameter to wp-admin/admin.php. |
| 45233 | CVE-2013-4625 | 79 | | XSS | 2013-08-09 | 2017-08-28 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in files/installer.cleanup.php in the Duplicator plugin before 0.4.5 for WordPress allows remote attackers to inject arbitrary web script or HTML via the package parameter. |
| 45234 | CVE-2013-4624 | 79 | | XSS | 2013-11-27 | 2013-11-29 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in Jahia xCM 6.6.1.0 before hotfix 7 allow remote attackers to inject arbitrary web script or HTML via (1) the site parameter to engines/manager.jsp, (2) the searchString parameter to administration/ in a search action, or the (3) username, (4) firstName, (5) lastName, (6) email, or (7) organization field to administration/ in a users action. |
| 45235 | CVE-2013-4623 | 20 | | DoS | 2013-09-30 | 2013-10-30 | 4.3 | None | Remote | Medium | Not required | None | None | Partial | The x509parse_crt function in x509.h in PolarSSL 1.1.x before 1.1.7 and 1.2.x before 1.2.8 does not properly parse certificate messages during the SSL/TLS handshake, which allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a certificate message that contains a PEM encoded certificate. |
| 45236 | CVE-2013-4620 | 79 | | XSS | 2013-08-09 | 2013-08-13 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in interface/main/onotes/office_comments_full.php in OpenEMR 4.1.1 allows remote attackers to inject arbitrary web script or HTML via the note parameter. |
| 45237 | CVE-2013-4619 | 89 | | Exec Code Sql | 2013-08-09 | 2013-08-13 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial | Multiple SQL injection vulnerabilities in OpenEMR 4.1.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) start or (2) end parameter to interface/reports/custom_report_range.php, or the (3) form_newid parameter to custom/chart_tracker.php. |
| 45238 | CVE-2013-4617 | 200 | | +Info | 2013-11-27 | 2013-11-29 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Jahia xCM before 6.6.2 does not include the HTTPOnly flag in a Set-Cookie header for the JSESSIONID cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie. |
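The CVE-2013-4617 entry is the usual pairing with the XSS rows around it: without `HttpOnly`, any script that runs in the page can read the session cookie through `document.cookie`, so an XSS becomes a session theft. The block below is an added example, not Jahia code, that audits a `Set-Cookie` value for `HttpOnly` (and, since the same review always checks them, `Secure` and `SameSite`), scans a response's header lines for exposed session cookies, and re-emits a hardened header. The session-cookie name set and the header samples are constructed.

```python
"""Added example (not Jahia code): auditing and hardening Set-Cookie headers."""
from http.cookies import SimpleCookie
from typing import Dict, List

# Names that carry a session: add the application's own here (hypothetical set).
SESSION_COOKIE_NAMES = {"JSESSIONID", "PHPSESSID", "ASP.NET_SessionId", "session"}


def audit_set_cookie(header_value: str) -> Dict[str, List[str]]:
    """Findings per cookie for one Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(header_value)
    findings: Dict[str, List[str]] = {}
    for name, morsel in jar.items():
        problems = []
        if not morsel["httponly"]:
            problems.append("missing HttpOnly: readable through document.cookie")
        if not morsel["secure"]:
            problems.append("missing Secure: also sent over plaintext HTTP")
        if not morsel["samesite"]:
            problems.append("missing SameSite: attached to cross-site requests")
        findings[name] = problems
    return findings


def session_cookies_without_httponly(response_headers: List[str]) -> List[str]:
    """Scan raw 'Header: value' lines from a response for exposed session cookies."""
    exposed = []
    for line in response_headers:
        field, _, value = line.partition(":")
        if field.strip().lower() != "set-cookie":
            continue
        for name, problems in audit_set_cookie(value.strip()).items():
            if name in SESSION_COOKIE_NAMES and any(p.startswith("missing HttpOnly") for p in problems):
                exposed.append(name)
    return exposed


def harden_set_cookie(header_value: str) -> List[str]:
    """Re-emit each cookie in `header_value` with HttpOnly, Secure and a SameSite default."""
    jar = SimpleCookie()
    jar.load(header_value)
    hardened = []
    for morsel in jar.values():
        morsel["httponly"] = True
        morsel["secure"] = True
        if not morsel["samesite"]:
            morsel["samesite"] = "Lax"   # Strict would break top-level navigations into the app
        hardened.append(morsel.OutputString())
    return hardened


if __name__ == "__main__":
    # Constructed response headers, with the session cookie set the vulnerable way.
    headers = [
        "HTTP/1.1 200 OK",
        "Set-Cookie: JSESSIONID=3F2A9C; Path=/",
        "Set-Cookie: theme=dark; Path=/",
        "Content-Type: text/html",
    ]
    print(session_cookies_without_httponly(headers))        # ['JSESSIONID']
    print(harden_set_cookie("JSESSIONID=3F2A9C; Path=/"))   # one hardened header value
```

`HttpOnly` does not stop an XSS from using the session (the script can still issue requests from the victim's browser); it stops the cookie value from being exfiltrated and replayed elsewhere, which is the exposure the entry names.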
| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score (CVSS v2) | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 45239 | CVE-2013-4616 | 255 | | | 2013-06-18 | 2013-10-25 | 5.8 | User | Local Network | Low | Not required | Partial | Partial | Partial | The WifiPasswordController generateDefaultPassword method in Preferences in Apple iOS 6 and earlier relies on the UITextChecker suggestWordInLanguage method for selection of Wi-Fi hotspot WPA2 PSK passphrases, which makes it easier for remote attackers to obtain access via a brute-force attack that leverages the insufficient number of possible passphrases. |
| 45240 | CVE-2013-4615 | 20 | | DoS | 2013-06-21 | 2013-06-24 | 5.0 | None | Remote | Low | Not required | None | None | Partial | The Canon MG3100, MG5300, MG6100, MP495, MX340, MX870, MX890, MX920, and MX922 printers allow remote attackers to cause a denial of service (device hang) via a crafted LAN_TXT24 parameter to English/pages_MacUS/cgi_lan.cgi followed by a direct request to English/pages_MacUS/lan_set_content.html. NOTE: the vendor has apparently responded by stating "Canon believes that its printers will not have to deal with unauthorized access to the network from an external location as long as the printers are used in a secured environment." |
| 45241 | CVE-2013-4614 | 255 | | +Info | 2013-06-21 | 2013-06-24 | 2.1 | None | Local | Low | Not required | Partial | None | None | English/pages_MacUS/wls_set_content.html on the Canon MG3100, MG5300, MG6100, MP495, MX340, MX870, MX890, MX920, and MX922 printers shows the Wi-Fi PSK passphrase in cleartext, which allows physically proximate attackers to obtain sensitive information by reading the screen of an unattended workstation. |
| 45242 | CVE-2013-4612 | 79 | | XSS | 2013-06-17 | 2013-06-17 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in REDCap before 5.1.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors involving different modules. |
| 45243 | CVE-2013-4609 | 264 | | Bypass | 2013-06-17 | 2013-06-17 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial | REDCap before 5.0.4 and 5.1.x before 5.1.3 does not reject certain undocumented syntax within branching logic and calculations, which allows remote authenticated users to bypass intended access restrictions via (1) the Online Designer or (2) the Data Dictionary upload, as demonstrated by an eval call. |
| 45244 | CVE-2013-4608 | 79 | | XSS | 2013-06-17 | 2013-06-17 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in REDCap before 5.0.6 allows remote attackers to inject arbitrary web script or HTML via vectors involving the Graphical Data View & Descriptive Stats page. |
| 45245 | CVE-2013-4604 | 264 | | | 2013-06-25 | 2013-06-26 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial | Fortinet FortiOS before 5.0.3 on FortiGate devices does not properly restrict Guest capabilities, which allows remote authenticated users to read, modify, or delete the records of arbitrary users by leveraging the Guest role. |
| 45246 | CVE-2013-4600 | 79 | | XSS | 2013-08-09 | 2013-08-12 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in Alkacon OpenCms before 8.5.2 allow remote attackers to inject arbitrary web script or HTML via the (1) title parameter to system/workplace/views/admin/admin-main.jsp or the (2) requestedResource parameter to system/login/index.html. |
| 45247 | CVE-2013-4599 | 399 | | DoS | 2014-06-09 | 2014-06-25 | 4.3 | None | Remote | Medium | Not required | None | None | Partial | The Misery module 6.x-2.x before 6.x-2.5 and 7.x-2.x before 7.x-2.2 for Drupal, when the "delay misery" configuration is set to a high value, allows remote attackers to cause a denial of service (process consumption) via multiple requests. |
| 45248 | CVE-2013-4598 | 264 | | | 2014-05-27 | 2017-07-11 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The Groups, Communities and Co (GCC) module 7.x-1.x before 7.x-1.1 for Drupal does not properly check permission, which allows remote attackers to access the configuration pages via unspecified vectors. |
| 45249 | CVE-2013-4597 | 264 | | +Info | 2014-06-09 | 2014-06-24 | 4.0 | None | Remote | Low | Single system | Partial | None | None | The Revisioning module 7.x-1.x before 7.x-1.6 for Drupal does not properly check node access permissions for content marked unpublished by the Scheduled module, which allows remote authenticated users to obtain sensitive information via unspecified vectors. |
| 45250 | CVE-2013-4596 | 264 | | Bypass | 2014-06-02 | 2014-06-03 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | The Node Access Keys module 7.x-1.x before 7.x-1.1 for Drupal does not properly check permissions, which allows remote attackers to bypass access restrictions via a node listing. |