CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Pidgin » Pidgin » 2.10.0 : Security Vulnerabilities

Cpe Name:cpe:/a:pidgin:pidgin:2.10.0
Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2017-2640 787 Exec Code 2018-07-27 2019-10-09
7.5
None Remote Low Not required Partial Partial Partial
An out-of-bounds write flaw was found in the way Pidgin before 2.12.0 processed XML content. A malicious remote server could potentially use this flaw to crash Pidgin or execute arbitrary code in the context of the pidgin process.
2 CVE-2016-1000030 295 Exec Code 2018-09-05 2018-11-14
7.5
None Remote Low Not required Partial Partial Partial
Pidgin version <2.11.0 contains a vulnerability in X.509 Certificates imports specifically due to improper check of return values from gnutls_x509_crt_init() and gnutls_x509_crt_import() that can result in code execution. This attack appear to be exploitable via custom X.509 certificate from another client. This vulnerability appears to have been fixed in 2.11.0.
3 CVE-2014-3698 200 +Info 2014-10-29 2018-01-04
5.0
None Remote Low Not required Partial None None
The jabber_idn_validate function in jutil.c in the Jabber protocol plugin in libpurple in Pidgin before 2.10.10 allows remote attackers to obtain sensitive information from process memory via a crafted XMPP message.
4 CVE-2014-3697 22 Dir. Trav. 2014-10-29 2014-11-19
6.4
None Remote Low Not required None Partial Partial
Absolute path traversal vulnerability in the untar_block function in win32/untar.c in Pidgin before 2.10.10 on Windows allows remote attackers to write to arbitrary files via a drive name in a tar archive of a smiley theme.
5 CVE-2014-3696 119 DoS Overflow 2014-10-29 2018-01-04
5.0
None Remote Low Not required None None Partial
nmevent.c in the Novell GroupWise protocol plugin in libpurple in Pidgin before 2.10.10 allows remote servers to cause a denial of service (application crash) via a crafted server message that triggers a large memory allocation.
6 CVE-2014-3695 119 DoS Overflow 2014-10-29 2018-01-04
5.0
None Remote Low Not required None None Partial
markup.c in the MXit protocol plugin in libpurple in Pidgin before 2.10.10 allows remote servers to cause a denial of service (application crash) via a large length value in an emoticon response.
7 CVE-2014-3694 310 +Info 2014-10-29 2018-10-30
6.4
None Remote Low Not required Partial Partial None
The (1) bundled GnuTLS SSL/TLS plugin and the (2) bundled OpenSSL SSL/TLS plugin in libpurple in Pidgin before 2.10.10 do not properly consider the Basic Constraints extension during verification of X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
8 CVE-2014-0020 20 DoS 2014-02-06 2014-03-16
5.0
None Remote Low Not required None None Partial
The IRC protocol plugin in libpurple in Pidgin before 2.10.8 does not validate argument counts, which allows remote IRC servers to cause a denial of service (application crash) via a crafted message.
9 CVE-2013-6490 119 Overflow 2014-02-06 2014-03-08
10.0
None Remote Low Not required Complete Complete Complete
The SIMPLE protocol functionality in Pidgin before 2.10.8 allows remote attackers to have an unspecified impact via a negative Content-Length header, which triggers a buffer overflow.
10 CVE-2013-6489 189 DoS Overflow 2014-02-06 2014-03-08
5.0
None Remote Low Not required None None Partial
Integer signedness error in the MXit functionality in Pidgin before 2.10.8 allows remote attackers to cause a denial of service (segmentation fault) via a crafted emoticon value, which triggers an integer overflow and a buffer overflow.
11 CVE-2013-6487 189 Overflow 2014-02-06 2016-12-21
7.5
None Remote Low Not required Partial Partial Partial
Integer overflow in libpurple/protocols/gg/lib/http.c in the Gadu-Gadu (gg) parser in Pidgin before 2.10.8 allows remote attackers to have an unspecified impact via a large Content-Length value, which triggers a buffer overflow.
12 CVE-2013-6486 20 Exec Code 2014-02-06 2014-03-16
9.3
None Remote Medium Not required Complete Complete Complete
gtkutils.c in Pidgin before 2.10.8 on Windows allows user-assisted remote attackers to execute arbitrary programs via a message containing a file: URL that is improperly handled during construction of an explorer.exe command. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-3185.
13 CVE-2013-6485 119 DoS Overflow 2014-02-06 2014-03-16
5.0
None Remote Low Not required None None Partial
Buffer overflow in util.c in libpurple in Pidgin before 2.10.8 allows remote HTTP servers to cause a denial of service (application crash) or possibly have unspecified other impact via an invalid chunk-size field in chunked transfer-coding data.
14 CVE-2013-6484 20 DoS 2014-02-06 2014-03-16
5.0
None Remote Low Not required None None Partial
The STUN protocol implementation in libpurple in Pidgin before 2.10.8 allows remote STUN servers to cause a denial of service (out-of-bounds write operation and application crash) by triggering a socket read error.
15 CVE-2013-6483 20 DoS 2014-02-06 2014-03-16
6.4
None Remote Low Not required None Partial Partial
The XMPP protocol plugin in libpurple in Pidgin before 2.10.8 does not properly determine whether the from address in an iq reply is consistent with the to address in an iq request, which allows remote attackers to spoof iq traffic or cause a denial of service (NULL pointer dereference and application crash) via a crafted reply.
16 CVE-2013-6482 20 DoS 2014-02-06 2014-03-16
5.0
None Remote Low Not required None None Partial
Pidgin before 2.10.8 allows remote MSN servers to cause a denial of service (NULL pointer dereference and crash) via a crafted (1) SOAP response, (2) OIM XML response, or (3) Content-Length header.
17 CVE-2013-6481 119 DoS Overflow 2014-02-06 2014-03-16
5.0
None Remote Low Not required None None Partial
libpurple/protocols/yahoo/libymsg.c in Pidgin before 2.10.8 allows remote attackers to cause a denial of service (crash) via a Yahoo! P2P message with a crafted length field, which triggers a buffer over-read.
18 CVE-2013-6479 399 DoS 2014-02-06 2014-03-16
5.0
None Remote Low Not required None None Partial
util.c in libpurple in Pidgin before 2.10.8 does not properly allocate memory for HTTP responses that are inconsistent with the Content-Length header, which allows remote HTTP servers to cause a denial of service (application crash) via a crafted response.
19 CVE-2013-6478 20 DoS 2014-02-06 2014-03-16
4.3
None Remote Medium Not required None None Partial
gtkimhtml.c in Pidgin before 2.10.8 does not properly interact with underlying library support for wide Pango layouts, which allows user-assisted remote attackers to cause a denial of service (application crash) via a long URL that is examined with a tooltip.
20 CVE-2013-6477 189 DoS 2014-02-06 2014-03-16
5.0
None Remote Low Not required None None Partial
Multiple integer signedness errors in libpurple in Pidgin before 2.10.8 allow remote attackers to cause a denial of service (application crash) via a crafted timestamp value in an XMPP message.
21 CVE-2013-0274 DoS 2013-02-16 2017-09-18
2.9
None Local Network Medium Not required None None Partial
upnp.c in libpurple in Pidgin before 2.10.7 does not properly terminate long strings in UPnP responses, which allows remote attackers to cause a denial of service (application crash) by leveraging access to the local network.
22 CVE-2013-0273 DoS 2013-02-16 2017-09-18
5.0
None Remote Low Not required None None Partial
sametime.c in the Sametime protocol plugin in libpurple in Pidgin before 2.10.7 does not properly terminate long user IDs, which allows remote servers to cause a denial of service (application crash) via a crafted packet.
23 CVE-2013-0272 119 Exec Code Overflow 2013-02-16 2017-09-18
6.8
None Remote Medium Not required Partial Partial Partial
Buffer overflow in http.c in the MXit protocol plugin in libpurple in Pidgin before 2.10.7 allows remote servers to execute arbitrary code via a long HTTP header.
24 CVE-2013-0271 2013-02-16 2017-09-18
5.0
None Remote Low Not required None Partial None
The MXit protocol plugin in libpurple in Pidgin before 2.10.7 might allow remote attackers to create or overwrite files via a crafted (1) mxit or (2) mxit/imagestrips pathname.
25 CVE-2012-6152 20 DoS 2014-02-06 2014-03-16
5.0
None Remote Low Not required None None Partial
The Yahoo! protocol plugin in libpurple in Pidgin before 2.10.8 does not properly validate UTF-8 data, which allows remote attackers to cause a denial of service (application crash) via crafted byte sequences.
26 CVE-2012-3374 119 Exec Code Overflow 2012-07-07 2017-11-30
7.5
None Remote Low Not required Partial Partial Partial
Buffer overflow in markup.c in the MXit protocol plugin in libpurple in Pidgin before 2.10.5 allows remote attackers to execute arbitrary code via a crafted inline image in a message.
27 CVE-2012-2318 20 DoS 2012-07-03 2017-12-28
5.0
None Remote Low Not required None None Partial
msg.c in the MSN protocol plugin in libpurple in Pidgin before 2.10.4 does not properly handle crafted characters, which allows remote servers to cause a denial of service (application crash) by placing these characters in a text/plain message.
28 CVE-2012-2214 399 DoS 2012-07-03 2017-12-28
3.5
None Remote Medium Single system None None Partial
proxy.c in libpurple in Pidgin before 2.10.4 does not properly handle canceled SOCKS5 connection attempts, which allows user-assisted remote authenticated users to cause a denial of service (application crash) via a sequence of XMPP file-transfer requests.
29 CVE-2012-1178 399 DoS 2012-03-15 2018-01-17
5.0
None Remote Low Not required None None Partial
The msn_oim_report_to_user function in oim.c in the MSN protocol plugin in libpurple in Pidgin before 2.10.2 allows remote servers to cause a denial of service (application crash) via an OIM message that lacks UTF-8 encoding.
30 CVE-2011-4939 264 DoS 2012-03-15 2018-01-17
6.4
None Remote Low Not required None Partial Partial
The pidgin_conv_chat_rename_user function in gtkconv.c in Pidgin before 2.10.2 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) by changing a nickname while in an XMPP chat room.
31 CVE-2011-4922 200 +Info 2012-08-08 2017-09-18
2.1
None Local Low Not required Partial None None
cipher.c in the Cipher API in libpurple in Pidgin before 2.7.10 retains encryption-key data in process memory, which might allow local users to obtain sensitive information by reading a core file or other representation of memory contents.
32 CVE-2011-4603 20 DoS 2011-12-16 2017-09-18
5.0
None Remote Low Not required None None Partial
The silc_channel_message function in ops.c in the SILC protocol plugin in libpurple in Pidgin before 2.10.1 does not perform the expected UTF-8 validation on message data, which allows remote attackers to cause a denial of service (application crash) via a crafted message, a different vulnerability than CVE-2011-3594.
33 CVE-2011-4602 20 DoS 2011-12-16 2017-09-18
5.0
None Remote Low Not required None None Partial
The XMPP protocol plugin in libpurple in Pidgin before 2.10.1 does not properly handle missing fields in (1) voice-chat and (2) video-chat stanzas, which allows remote attackers to cause a denial of service (application crash) via a crafted message.
34 CVE-2011-4601 20 DoS 2011-12-24 2017-09-18
5.0
None Remote Low Not required None None Partial
family_feedbag.c in the oscar protocol plugin in libpurple in Pidgin before 2.10.1 does not perform the expected UTF-8 validation on message data, which allows remote attackers to cause a denial of service (application crash) via a crafted (1) AIM or (2) ICQ message associated with buddy-list addition.
Total number of vulnerabilities : 34   Page : 1 (This Page)
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.