| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
45301 |
CVE-2013-4508 |
310 |
|
+Info |
2013-11-07 |
2016-12-07 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
lighttpd before 1.4.34, when SNI is enabled, configures weak SSL ciphers, which makes it easier for remote attackers to hijack sessions by inserting packets into the client-server data stream or obtain sensitive information by sniffing the network. |
|
45302 |
CVE-2013-4507 |
79 |
|
XSS |
2013-11-20 |
2013-11-20 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in CollectiveAccess Providence and Pawtucket before 1.3.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
|
45303 |
CVE-2013-4505 |
264 |
|
DoS Bypass |
2013-12-07 |
2013-12-19 |
2.6 |
None |
Remote |
High |
Not required |
None |
None |
Partial |
|
The is_this_legal function in mod_dontdothat for Apache Subversion 1.4.0 through 1.7.13 and 1.8.0 through 1.8.4 allows remote attackers to bypass intended access restrictions and possibly cause a denial of service (resource consumption) via a relative URL in a REPORT request. |
|
45304 |
CVE-2013-4504 |
264 |
|
|
2014-05-13 |
2014-05-14 |
2.6 |
None |
Remote |
High |
Not required |
Partial |
None |
None |
|
The Monster Menus module 7.x-1.x before 7.x-1.15 allows remote attackers to read arbitrary node comments via a crafted URL. |
|
45305 |
CVE-2013-4503 |
79 |
|
XSS |
2014-05-13 |
2014-05-14 |
2.1 |
None |
Remote |
High |
Single system |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Feed Element Mapper module for Drupal allows remote authenticated users with the "administer taxonomy" permission to inject arbitrary web script or HTML via vectors related to options. |
|
45306 |
CVE-2013-4502 |
264 |
|
|
2014-05-13 |
2014-05-14 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
The FileField Sources module 6.x-1.x before 6.x-1.9 and 7.x-1.x before 7.x-1.9 for Drupal does not properly check file permissions, which allows remote authenticated users to read arbitrary files by attaching a file. |
|
45307 |
CVE-2013-4501 |
264 |
|
|
2014-05-13 |
2014-05-14 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The default views in the Quiz module 6.x-4.x before 6.x-4.5 for Drupal allows remote attackers to obtain sensitive quiz results via unspecified vectors. |
|
45308 |
CVE-2013-4500 |
264 |
|
|
2014-05-13 |
2014-05-14 |
4.9 |
None |
Remote |
Medium |
Single system |
None |
Partial |
Partial |
|
The Quiz module 6.x-4.x before 6.x-4.5 for Drupal allows remote authenticated users with the "view any quiz results" or "view results for own quiz" permission to delete arbitrary results via the delete option. |
|
45309 |
CVE-2013-4499 |
79 |
|
XSS |
2014-02-14 |
2017-08-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Bean module 7.x-1.x before 7.x-1.5 for Drupal allows remote attackers to inject arbitrary web script or HTML via the bean title. |
|
45310 |
CVE-2013-4498 |
264 |
|
+Info |
2014-05-17 |
2014-05-19 |
2.1 |
None |
Remote |
High |
Single system |
Partial |
None |
None |
|
The Spaces OG submodule in the Spaces module 6.x-3.x before 6.x-3.7 for Drupal does not properly delete organic group group spaces content when using the option to move to a new group, which causes the content to be "orphaned" and allows remote authenticated users with the "access content" permission to obtain sensitive information via vectors involving a rebuild access for the site or content. |
|
45311 |
CVE-2013-4497 |
264 |
|
Bypass |
2013-11-05 |
2013-11-06 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
None |
|
The XenAPI backend in OpenStack Compute (Nova) Folsom, Grizzly, and Havana before 2013.2 does not properly apply security groups (1) when resizing an image or (2) during live migration, which allows remote attackers to bypass intended restrictions. |
|
45312 |
CVE-2013-4496 |
255 |
|
|
2014-03-14 |
2017-01-06 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Samba 3.x before 3.6.23, 4.0.x before 4.0.16, and 4.1.x before 4.1.6 does not enforce the password-guessing protection mechanism for all interfaces, which makes it easier for remote attackers to obtain access via brute-force ChangePasswordUser2 (1) SAMR or (2) RAP attempts. |
|
45313 |
CVE-2013-4494 |
20 |
|
DoS |
2013-11-02 |
2018-12-13 |
5.2 |
None |
Local Network |
Medium |
Single system |
None |
None |
Complete |
|
Xen before 4.1.x, 4.2.x, and 4.3.x does not take the page_alloc_lock and grant_table.lock in the same order, which allows local guest administrators with access to multiple vcpus to cause a denial of service (host deadlock) via unspecified vectors. |
|
45314 |
CVE-2013-4492 |
79 |
|
XSS |
2013-12-06 |
2016-12-30 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in exceptions.rb in the i18n gem before 0.6.6 for Ruby allows remote attackers to inject arbitrary web script or HTML via a crafted I18n::MissingTranslationData.new call. |
|
45315 |
CVE-2013-4491 |
79 |
|
XSS |
2013-12-06 |
2019-08-08 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/translation_helper.rb in the internationalization component in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted string that triggers generation of a fallback string by the i18n gem. |
|
45316 |
CVE-2013-4490 |
|
|
Exec Code |
2014-05-13 |
2014-05-14 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
The SSH key upload feature (lib/gitlab_keys.rb) in gitlab-shell before 1.7.3, as used in GitLab 5.0 before 5.4.1 and 6.x before 6.2.3, allows remote authenticated users to execute arbitrary commands via shell metacharacters in the public key. |
|
45317 |
CVE-2013-4489 |
|
|
Exec Code |
2014-05-17 |
2014-05-19 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
The Grit gem for Ruby, as used in GitLab 5.2 before 5.4.1 and 6.x before 6.2.3, allows remote authenticated users to execute arbitrary commands, as demonstrated by the search box for the GitLab code search feature. |
|
45318 |
CVE-2013-4488 |
310 |
|
|
2014-10-09 |
2016-12-21 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
libgadu before 1.12.0 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers. |
|
45319 |
CVE-2013-4487 |
189 |
|
DoS Mem. Corr. |
2013-11-20 |
2018-10-30 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Off-by-one error in the dane_raw_tlsa in the DANE library (libdane) in GnuTLS 3.1.x before 3.1.16 and 3.2.x before 3.2.6 allows remote servers to cause a denial of service (memory corruption) via a response with more than four DANE entries. NOTE: this issue is due to an incomplete fix for CVE-2013-4466. |
|
45320 |
CVE-2013-4485 |
20 |
|
DoS |
2013-11-23 |
2019-04-22 |
4.0 |
None |
Remote |
Low |
Single system |
None |
None |
Partial |
|
389 Directory Server 1.2.11.15 (aka Red Hat Directory Server before 8.2.11-14) allows remote authenticated users to cause a denial of service (crash) via multiple @ characters in a GER attribute list in a search request. |
|
45321 |
CVE-2013-4484 |
119 |
|
DoS Overflow |
2013-10-31 |
2013-12-19 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Varnish before 3.0.5 allows remote attackers to cause a denial of service (child-process crash and temporary caching outage) via a GET request with trailing whitespace characters and no URI. |
|
45322 |
CVE-2013-4483 |
189 |
|
DoS |
2013-11-04 |
2015-03-17 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
The ipc_rcu_putref function in ipc/util.c in the Linux kernel before 3.10 does not properly manage a reference count, which allows local users to cause a denial of service (memory consumption or system crash) via a crafted application. |
|
45323 |
CVE-2013-4482 |
|
|
+Priv |
2013-11-23 |
2019-04-22 |
6.2 |
None |
Local |
High |
Not required |
Complete |
Complete |
Complete |
|
Untrusted search path vulnerability in python-paste-script (aka paster) in Luci 0.26.0, when started using the initscript, allows local users to gain privileges via a Trojan horse .egg-info file in the (1) current working directory or (2) its parent directories. |
|
45324 |
CVE-2013-4481 |
362 |
|
+Info |
2013-11-23 |
2019-04-22 |
1.9 |
None |
Local |
Medium |
Not required |
Partial |
None |
None |
|
Race condition in Luci 0.26.0 creates /var/lib/luci/etc/luci.ini with world-readable permissions before restricting the permissions, which allows local users to read the file and obtain sensitive information such as "authentication secrets." |
|
45325 |
CVE-2013-4479 |
94 |
|
Exec Code |
2013-12-07 |
2016-12-21 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
lib/sup/message_chunks.rb in Sup before 0.13.2.1 and 0.14.x before 0.14.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the content_type of an email attachment. |
|
45326 |
CVE-2013-4478 |
94 |
|
Exec Code |
2013-12-07 |
2013-12-09 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Sup before 0.13.2.1 and 0.14.x before 0.14.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the filename of an email attachment. |
|
45327 |
CVE-2013-4477 |
264 |
|
+Priv |
2013-11-02 |
2014-03-05 |
3.3 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
None |
|
The LDAP backend in OpenStack Identity (Keystone) Grizzly and Havana, when removing a role on a tenant for a user who does not have that role, adds the role to the user, which allows local users to gain privileges. |
|
45328 |
CVE-2013-4476 |
310 |
|
+Info |
2013-11-13 |
2015-03-02 |
1.2 |
None |
Local |
High |
Not required |
Partial |
None |
None |
|
Samba 4.0.x before 4.0.11 and 4.1.x before 4.1.1, when LDAP or HTTP is provided over SSL, uses world-readable permissions for a private key, which allows local users to obtain sensitive information by reading the key file, as demonstrated by access to the local filesystem on an AD domain controller. |
|
45329 |
CVE-2013-4475 |
264 |
|
Bypass |
2013-11-13 |
2017-01-06 |
4.0 |
None |
Remote |
High |
Not required |
Partial |
Partial |
None |
|
Samba 3.2.x through 3.6.x before 3.6.20, 4.0.x before 4.0.11, and 4.1.x before 4.1.1, when vfs_streams_depot or vfs_streams_xattr is enabled, allows remote attackers to bypass intended file restrictions by leveraging ACL differences between a file and an associated alternate data stream (ADS). |
|
45330 |
CVE-2013-4474 |
20 |
|
DoS |
2013-11-23 |
2016-12-30 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Format string vulnerability in the extractPages function in utils/pdfseparate.cc in poppler before 0.24.3 allows remote attackers to cause a denial of service (crash) via format string specifiers in a destination filename. |
|
45331 |
CVE-2013-4472 |
59 |
|
|
2014-04-22 |
2014-04-23 |
3.3 |
None |
Local |
Medium |
Not required |
None |
Partial |
Partial |
|
The openTempFile function in goo/gfile.cc in Xpdf and Poppler 0.24.3 and earlier, when running on a system other than Unix, allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names. |
|
45332 |
CVE-2013-4471 |
255 |
|
|
2014-05-14 |
2014-05-15 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
The Identity v3 API in OpenStack Dashboard (Horizon) before 2013.2 does not require the current password when changing passwords for user accounts, which makes it easier for remote attackers to change a user password by leveraging the authentication token for that user. |
|
45333 |
CVE-2013-4470 |
264 |
|
DoS +Priv Mem. Corr. |
2013-11-04 |
2018-01-08 |
6.9 |
None |
Local |
Medium |
Not required |
Complete |
Complete |
Complete |
|
The Linux kernel before 3.12, when UDP Fragmentation Offload (UFO) is enabled, does not properly initialize certain data structures, which allows local users to cause a denial of service (memory corruption and system crash) or possibly gain privileges via a crafted application that uses the UDP_CORK option in a setsockopt system call and sends both short and long packets, related to the ip_ufo_append_data function in net/ipv4/ip_output.c and the ip6_ufo_append_data function in net/ipv6/ip6_output.c. |
|
45334 |
CVE-2013-4469 |
399 |
|
DoS |
2013-11-02 |
2014-06-21 |
1.9 |
None |
Local |
Medium |
Not required |
None |
None |
Partial |
|
OpenStack Compute (Nova) Folsom, Grizzly, and Havana, when use_cow_images is set to False, does not verify the virtual size of a QCOW2 image, which allows local users to cause a denial of service (host file system disk consumption) by transferring an image with a large virtual size that does not contain a large amount of data from Glance. NOTE: this issue is due to an incomplete fix for CVE-2013-2096. |
|
45335 |
CVE-2013-4468 |
|
1
|
Exec Code |
2014-05-14 |
2014-05-15 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
VICIDIAL dialer (aka Asterisk GUI client) 2.8-403a, 2.7, 2.7RC1, and earlier allows remote authenticated users to execute arbitrary commands via shell metacharacters in the extension parameter in an OriginateVDRelogin action to manager_send.php. |
|
45336 |
CVE-2013-4467 |
89 |
1
|
Exec Code Sql |
2014-03-11 |
2014-05-20 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
Multiple SQL injection vulnerabilities in the agent interface (agc/) in VICIDIAL dialer (aka Asterisk GUI client) 2.8-403a, 2.7, 2.7RC1, and earlier allow (1) remote attackers to execute arbitrary SQL commands via the campaign variable in SCRIPT_multirecording_AJAX.php, (2) remote authenticated users to execute arbitrary SQL commands via the server_ip parameter to manager_send.php, or (3) other unspecified vectors. NOTE: some of these details are obtained from third party information. |
|
45337 |
CVE-2013-4466 |
119 |
|
DoS Overflow Mem. Corr. |
2013-11-20 |
2013-11-21 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Buffer overflow in the dane_query_tlsa function in the DANE library (libdane) in GnuTLS 3.1.x before 3.1.15 and 3.2.x before 3.2.5 allows remote servers to cause a denial of service (memory corruption) via a response with more than four DANE entries. |
|
45338 |
CVE-2013-4465 |
|
|
Exec Code |
2013-10-25 |
2013-10-28 |
4.6 |
None |
Remote |
High |
Single system |
Partial |
Partial |
Partial |
|
Unrestricted file upload vulnerability in the avatar upload functionality in Simple Machines Forum before 2.0.6 and 2.1 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an unspecified directory. |
|
45339 |
CVE-2013-4463 |
399 |
|
DoS |
2014-02-06 |
2014-06-21 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
OpenStack Compute (Nova) Folsom, Grizzly, and Havana does not properly verify the virtual size of a QCOW2 image, which allows local users to cause a denial of service (host file system disk consumption) via a compressed QCOW2 image. NOTE: this issue is due to an incomplete fix for CVE-2013-2096. |
|
45340 |
CVE-2013-4460 |
79 |
|
XSS |
2014-01-10 |
2014-01-10 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in account_sponsor_page.php in MantisBT 1.0.0 through 1.2.15 allows remote authenticated users to inject arbitrary web script or HTML via a project name. |
|
45341 |
CVE-2013-4459 |
264 |
|
Bypass |
2013-11-23 |
2013-11-25 |
3.3 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
None |
|
LightDM 1.7.5 through 1.8.3 and 1.9.x before 1.9.2 does not apply the AppArmor profile to the Guest account, which allows local users to bypass intended restrictions by leveraging the Guest account. |
|
45342 |
CVE-2013-4458 |
119 |
|
DoS Overflow |
2013-12-12 |
2017-06-30 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Stack-based buffer overflow in the getaddrinfo function in sysdeps/posix/getaddrinfo.c in GNU C Library (aka glibc or libc6) 2.18 and earlier allows remote attackers to cause a denial of service (crash) via a (1) hostname or (2) IP address that triggers a large number of AF_INET6 address results. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-1914. |
|
45343 |
CVE-2013-4457 |
78 |
|
Exec Code |
2013-11-02 |
2013-11-05 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The Cocaine gem 0.4.0 through 0.5.2 for Ruby allows context-dependent attackers to execute arbitrary commands via a crafted has object, related to recursive variable interpolation. |
|
45344 |
CVE-2013-4455 |
264 |
|
|
2014-05-14 |
2014-05-15 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Katello Installer before 0.0.18 uses world-readable permissions for /etc/pki/tls/private/katello-node.key when deploying a child Pulp node, which allows local users to obtain the private key by reading the file. |
|
45345 |
CVE-2013-4453 |
79 |
|
XSS |
2013-11-05 |
2017-08-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in templates/login.php in LDAP Account Manager (LAM) 4.3 and 4.2.1 allows remote attackers to inject arbitrary web script or HTML via the language parameter. |
|
45346 |
CVE-2013-4452 |
264 |
|
+Info |
2013-12-24 |
2013-12-26 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Red Hat JBoss Operations Network 3.1.2 uses world-readable permissions for the (1) server and (2) agent configuration files, which allows local users to obtain authentication credentials and other unspecified sensitive information by reading these files. |
|
45347 |
CVE-2013-4450 |
20 |
|
DoS |
2013-10-21 |
2018-08-13 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of service (memory and CPU consumption) by sending a large number of pipelined requests without reading the response. |
|
45348 |
CVE-2013-4449 |
189 |
|
DoS |
2014-02-05 |
2016-12-07 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
The rwm overlay in OpenLDAP 2.4.23, 2.4.36, and earlier does not properly count references, which allows remote attackers to cause a denial of service (slapd crash) by unbinding immediately after a search request, which triggers rwm_conn_destroy to free the session context while it is being used by rwm_op_search. |
|
45349 |
CVE-2013-4447 |
79 |
|
XSS |
2013-11-01 |
2017-08-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the API in the Simplenews module 6.x-1.x before 6.x-1.5 and 7.x-1.x before 7.x-1.1 for Drupal allows remote attackers to inject arbitrary web script or HTML via an email address. |
|
45350 |
CVE-2013-4446 |
94 |
|
Exec Code |
2013-12-07 |
2013-12-09 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The _json_decode function in plugins/context_reaction_block.inc in the Context module 6.x-2.x before 6.x-3.2 and 7.x-3.x before 7.x-3.0 for Drupal, when using a version of PHP that does not support the json_decode function, allows remote attackers to execute arbitrary PHP code via unspecified vectors related to Ajax operations, possibly involving eval injection. |
