| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2013-7242 |
89 |
|
Exec Code Sql |
2013-12-31 |
2016-12-31 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in zp-core/zp-extensions/wordpress_import.php in Zenphoto before 1.4.5.4 allows remote authenticated administrators to execute arbitrary SQL commands via the tableprefix parameter. |
|
2 |
CVE-2013-7241 |
79 |
|
XSS |
2013-12-31 |
2016-12-31 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the export function in zp-core/zp-extensions/mergedRSS.php in Zenphoto before 1.4.5.4 allows remote attackers to inject arbitrary web script or HTML via the URI. |
|
3 |
CVE-2013-7233 |
352 |
|
CSRF |
2013-12-30 |
2013-12-31 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in the retrospam component in wp-admin/options-discussion.php in WordPress 2.0.11 and earlier allows remote attackers to hijack the authentication of administrators for requests that move comments to the moderation list. |
|
4 |
CVE-2013-7232 |
89 |
|
Exec Code Sql |
2013-12-30 |
2013-12-31 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in ESRI ArcGIS for Server through 10.2 allows remote attackers to execute arbitrary SQL commands via unspecified input to the map or feature service. |
|
5 |
CVE-2013-7231 |
79 |
|
XSS |
2013-12-30 |
2013-12-31 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Mobile Content Server in ESRI ArcGIS for Server 10.1 and 10.2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2013-5222. |
|
6 |
CVE-2013-7217 |
|
|
|
2013-12-26 |
2017-08-29 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
Unspecified vulnerability in Zimbra Collaboration Server 7.2.5 and earlier, and 8.0.x through 8.0.5, has "critical" impact and unspecified vectors, a different vulnerability than CVE-2013-7091. |
|
7 |
CVE-2013-7216 |
89 |
|
Exec Code Sql |
2013-12-24 |
2017-08-29 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Multiple SQL injection vulnerabilities in Classifieds Creator 2.0 allow remote attackers to execute arbitrary SQL commands via the (1) ID parameter to demo/classifieds/product.asp, or (2) UserID or (3) Password field to demo/classifieds/admin.asp. |
|
8 |
CVE-2013-7209 |
352 |
|
CSRF |
2013-12-30 |
2013-12-31 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in admBase/login.page in the Admin module in JForum allows remote attackers to hijack the authentication of administrators for requests that change the user group permissions of arbitrary users via a groupsSave action. |
|
9 |
CVE-2013-7194 |
79 |
1
|
XSS |
2013-12-21 |
2017-08-29 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in www/administrator.php in eFront 3.6.14 (build 18012) allow remote authenticated administrators to inject arbitrary web script or HTML via the (1) Last name, (2) Lesson name, or (3) Course name field. |
|
10 |
CVE-2013-7193 |
89 |
|
Exec Code Sql |
2013-12-21 |
2017-08-29 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Multiple SQL injection vulnerabilities in C2C Forward Auction Creator 2.0 allow remote attackers to execute arbitrary SQL commands via the (1) pa parameter to auction/asp/list.asp, or the (2) UserID or (3) Password to auction/casp/admin.asp. |
|
11 |
CVE-2013-7192 |
89 |
|
Exec Code Sql |
2013-12-21 |
2017-08-29 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Multiple SQL injection vulnerabilities in Dynamic Biz Website Builder (QuickWeb) allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to apps/news-events/newdetail.asp, or the (2) UserID or (3) Password to login.asp. |
|
12 |
CVE-2013-7191 |
79 |
|
XSS |
2013-12-21 |
2017-08-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in Tenmiles Helpdesk Pilot allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to the default URI for a ticket. |
|
13 |
CVE-2013-7190 |
22 |
|
Dir. Trav. |
2013-12-20 |
2017-08-29 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Multiple directory traversal vulnerabilities in iScripts AutoHoster, possibly 2.4, allow remote attackers to read arbitrary files via the (1) tmpid parameter to websitebuilder/showtemplateimage.php, (2) fname parameter to admin/downloadfile.php, or (3) id parameter to support/admin/csvdownload.php; or (4) have an unspecified impact via unspecified vectors in support/parser/main_smtp.php. |
|
14 |
CVE-2013-7189 |
89 |
|
Exec Code Sql |
2013-12-20 |
2017-08-29 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Multiple SQL injection vulnerabilities in iScripts AutoHoster, possibly 2.4, allow remote attackers to execute arbitrary SQL commands via the cmbdomain parameter to (1) checktransferstatus.php, (2) checktransferstatusbck.php, or (3) additionalsettings.php; or (4) invno parameter to payinvoiceothers.php. |
|
15 |
CVE-2013-7188 |
79 |
|
XSS |
2013-12-20 |
2017-08-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in KBKP Software HostBill before 2013-12-14 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
|
16 |
CVE-2013-7187 |
89 |
1
|
Exec Code Sql |
2013-12-20 |
2017-08-29 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in form.php in the FormCraft plugin 1.3.7 and earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter. |
|
17 |
CVE-2013-7186 |
119 |
1
|
Exec Code Overflow |
2013-12-20 |
2017-08-29 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
Buffer overflow in Steinberg MyMp3PRO 5.0 (Build 5.1.0.21) allows remote attackers to execute arbitrary code via a long string in a .m3u file. |
|
18 |
CVE-2013-7149 |
89 |
|
Exec Code Sql |
2013-12-28 |
2018-10-30 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in www/delivery/axmlrpc.php (aka the XML-RPC delivery invocation script) in Revive Adserver before 3.0.2, and OpenX Source 2.8.11 and earlier, allows remote attackers to execute arbitrary SQL commands via the what parameter to an XML-RPC method. |
|
19 |
CVE-2013-7136 |
310 |
1
|
|
2013-12-19 |
2017-08-29 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
The UPC Ireland Cisco EPC 2425 router (aka Horizon Box) does not have a sufficiently large number of possible WPA-PSK passphrases, which makes it easier for remote attackers to obtain access via a brute-force attack. |
|
20 |
CVE-2013-7129 |
79 |
|
XSS |
2013-12-17 |
2017-08-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in ThemeBeans Blooog theme 1.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the jQuery parameter to assets/js/jplayer.swf. |
|
21 |
CVE-2013-7128 |
310 |
|
+Info |
2013-12-17 |
2013-12-18 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Valve Bug Reporter in the valve-bugreporter package 2.10+bsos1 in Valve SteamOS Beta stores cleartext credentials in a .valve-bugreporter.cfg file upon a Remember Credentials action, which allows local users to obtain sensitive information by reading this file. |
|
22 |
CVE-2013-7127 |
310 |
|
+Info |
2013-12-17 |
2017-08-29 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Apple Safari 6.0.5 on Mac OS X 10.7.5 and 10.8.5 stores cleartext credentials in LastSession.plist, which allows local users to obtain sensitive information by reading this file. |
|
23 |
CVE-2013-7114 |
119 |
|
DoS Overflow |
2013-12-19 |
2014-04-19 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Multiple buffer overflows in the create_ntlmssp_v2_key function in epan/dissectors/packet-ntlmssp.c in the NTLMSSP v2 dissector in Wireshark 1.8.x before 1.8.12 and 1.10.x before 1.10.4 allow remote attackers to cause a denial of service (application crash) via a long domain name in a packet. |
|
24 |
CVE-2013-7113 |
20 |
|
DoS |
2013-12-19 |
2014-01-17 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
epan/dissectors/packet-bssgp.c in the BSSGP dissector in Wireshark 1.10.x before 1.10.4 incorrectly relies on a global variable, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. |
|
25 |
CVE-2013-7112 |
20 |
|
DoS |
2013-12-19 |
2014-04-19 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The dissect_sip_common function in epan/dissectors/packet-sip.c in the SIP dissector in Wireshark 1.8.x before 1.8.12 and 1.10.x before 1.10.4 does not check for empty lines, which allows remote attackers to cause a denial of service (infinite loop) via a crafted packet. |
|
26 |
CVE-2013-7105 |
119 |
|
Overflow |
2013-12-14 |
2013-12-20 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
Buffer overflow in the Interstage HTTP Server log functionality, as used in Fujitsu Interstage Application Server 9.0.0, 9.1.0, 9.2.0, 9.3.1, and 10.0.0; and Interstage Studio 9.0.0, 9.1.0, 9.2.0, and 10.0.0, has unspecified impact and attack vectors related to "ihsrlog/rotatelogs." |
|
27 |
CVE-2013-7104 |
78 |
|
Exec Code |
2013-12-14 |
2017-08-29 |
9.0 |
None |
Remote |
Low |
??? |
Complete |
Complete |
Complete |
|
McAfee Email Gateway 7.6 allows remote authenticated administrators to execute arbitrary commands by specifying them in the value attribute in a (1) Command or (2) Script XML element. NOTE: this issue can be combined with CVE-2013-7092 to allow remote attackers to execute commands. |
|
28 |
CVE-2013-7103 |
78 |
|
Exec Code |
2013-12-14 |
2017-08-29 |
9.0 |
None |
Remote |
Low |
??? |
Complete |
Complete |
Complete |
|
McAfee Email Gateway 7.6 allows remote authenticated administrators to execute arbitrary commands via shell metacharacters in the value attribute in a (1) TestFile XML element or the (2) hostname. NOTE: this issue can be combined with CVE-2013-7092 to allow remote attackers to execute commands. |
|
29 |
CVE-2013-7102 |
20 |
|
Exec Code |
2013-12-23 |
2013-12-24 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Multiple unrestricted file upload vulnerabilities in (1) media-upload.php, (2) media-upload-lncthumb.php, and (3) media-upload-sq_button.php in lib/admin/ in the OptimizePress theme before 1.61 for WordPress allow remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in images_comingsoon, images_lncthumbs, or images_optbuttons in wp-content/uploads/optpress/, as exploited in the wild in November 2013. |
|
30 |
CVE-2013-7100 |
119 |
|
DoS Overflow |
2013-12-19 |
2017-08-29 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Buffer overflow in the unpacksms16 function in apps/app_sms.c in Asterisk Open Source 1.8.x before 1.8.24.1, 10.x before 10.12.4, and 11.x before 11.6.1; Asterisk with Digiumphones 10.x-digiumphones before 10.12.4-digiumphones; and Certified Asterisk 1.8.x before 1.8.15-cert4 and 11.x before 11.2-cert3 allows remote attackers to cause a denial of service (daemon crash) via a 16-bit SMS message with an odd number of bytes, which triggers an infinite loop. |
|
31 |
CVE-2013-7096 |
89 |
|
Exec Code Sql |
2013-12-13 |
2018-12-10 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Multiple SQL injection vulnerabilities in SAP EMR Unwired allow remote attackers to execute arbitrary SQL commands via unspecified vectors. |
|
32 |
CVE-2013-7095 |
|
|
|
2013-12-13 |
2018-12-10 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
The XML parser (crm_flex_data) in SAP Customer Relationship Management (CRM) 7.02 EHP 2 has unknown impact and attack vectors related to an XML External Entity (XXE) issue. |
|
33 |
CVE-2013-7094 |
89 |
|
Exec Code Sql |
2013-12-13 |
2018-12-10 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in the RSDDCVER_COUNT_TAB_COLS function in SAP NetWeaver 7.30 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. |
|
34 |
CVE-2013-7093 |
287 |
|
Bypass |
2013-12-13 |
2018-12-10 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
SAP Network Interface Router (SAProuter) 39.3 SP4 allows remote attackers to bypass authentication and modify the configuration via unspecified vectors. |
|
35 |
CVE-2013-7092 |
89 |
|
Exec Code Sql |
2013-12-13 |
2017-08-29 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
Multiple SQL injection vulnerabilities in /admin/cgi-bin/rpc/doReport/18 in McAfee Email Gateway 7.6 allow remote authenticated users to execute arbitrary SQL commands via the (1) events_col, (2) event_id, (3) reason, (4) events_order, (5) emailstatus_order, or (6) emailstatus_col JSON keys. |
|
36 |
CVE-2013-7091 |
22 |
2
|
Exec Code Dir. Trav. |
2013-12-13 |
2020-06-04 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Directory traversal vulnerability in /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz in Zimbra 7.2.2 and 8.0.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the skin parameter. NOTE: this can be leveraged to execute arbitrary code by obtaining LDAP credentials and accessing the service/admin/soap API. |
|
37 |
CVE-2013-7086 |
94 |
|
Exec Code |
2013-12-19 |
2017-08-29 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
The message function in lib/webbynode/notify.rb in the Webbynode gem 1.0.5.3 and earlier for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a growlnotify message. |
|
38 |
CVE-2013-7085 |
20 |
|
|
2013-12-14 |
2017-08-29 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
None |
Partial |
|
Uscan in devscripts 2.13.5, when USCAN_EXCLUSION is enabled, allows remote attackers to delete arbitrary files via a whitespace character in a filename. |
|
39 |
CVE-2013-7082 |
79 |
|
XSS |
2013-12-21 |
2017-08-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the errorAction method in the ActionController base class in TYPO3 Flow (formerly FLOW3) 1.1.x before 1.1.1 and 2.0.x before 2.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified input, which is returned in an error message. |
|
40 |
CVE-2013-7081 |
264 |
|
Bypass |
2013-12-23 |
2014-01-14 |
4.9 |
None |
Remote |
Medium |
??? |
Partial |
Partial |
None |
|
The (old) Form Content Element component in TYPO3 4.5.0 through 4.5.31, 4.7.0 through 4.7.16, 6.0.0 through 6.0.11, and 6.1.0 through 6.1.6 allows remote authenticated editors to generate arbitrary HMAC signatures and bypass intended access restrictions via unspecified vectors. |
|
41 |
CVE-2013-7080 |
|
|
|
2013-12-23 |
2014-01-14 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
The creating record functionality in Extension table administration library (feuser_adminLib.inc) in TYPO3 4.5.0 through 4.5.31, 4.7.0 through 4.7.16, and 6.0.0 through 6.0.11 allows remote attackers to write to arbitrary fields in the configuration database table via crafted links, aka "Mass Assignment." |
|
42 |
CVE-2013-7079 |
20 |
|
|
2013-12-23 |
2016-12-31 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Open redirect vulnerability in the OpenID extension in TYPO3 4.5.0 through 4.5.31, 4.7.0 through 4.7.16, 6.0.0 through 6.0.11, and 6.1.0 through 6.1.6 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. |
|
43 |
CVE-2013-7077 |
79 |
|
XSS |
2013-12-21 |
2017-08-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Backend User Administration Module in TYPO3 6.0.x before 6.0.12 and 6.1.x before 6.1.7 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
|
44 |
CVE-2013-7076 |
79 |
|
XSS |
2013-12-21 |
2017-08-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in Extension Manager in TYPO3 4.5.x before 4.5.32 and 4.7.x before 4.7.17 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
|
45 |
CVE-2013-7075 |
310 |
|
|
2013-12-23 |
2014-01-14 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
The Content Editing Wizards component in TYPO3 4.5.0 through 4.5.31, 4.7.0 through 4.7.16, 6.0.0 through 6.0.11, and 6.1.0 through 6.1.6 allows remote authenticated backend users to unserialize arbitrary PHP objects, delete arbitrary files, and possibly have other unspecified impacts via an unspecified parameter, related to a "missing signature." |
|
46 |
CVE-2013-7074 |
79 |
|
XSS |
2013-12-21 |
2017-08-29 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in Content Editing Wizards in TYPO3 4.5.x before 4.5.32, 4.7.x before 4.7.17, 6.0.x before 6.0.12, 6.1.x before 6.1.7, and the development versions of 6.2 allow remote authenticated users to inject arbitrary web script or HTML via unspecified parameters. |
|
47 |
CVE-2013-7073 |
264 |
|
|
2013-12-23 |
2016-11-28 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
The Content Editing Wizards component in TYPO3 4.5.0 through 4.5.31, 4.7.0 through 4.7.16, 6.0.0 through 6.0.11, and 6.1.0 through 6.1.6 does not check permissions, which allows remote authenticated editors to read arbitrary TYPO3 table columns via unspecified parameters. |
|
48 |
CVE-2013-7069 |
94 |
|
Exec Code |
2013-12-14 |
2014-03-06 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
ack 2.00 through 2.11_02 allows remote attackers to execute arbitrary code via a (1) --pager, (2) --regex, or (3) --output option in a .ackrc file in a directory to be searched. |
|
49 |
CVE-2013-7067 |
264 |
|
Bypass |
2013-12-19 |
2017-08-29 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
The OG Features module 6.x-1.x before 6.x-1.4 for Drupal does not properly override pages that have an access callback set to false, which allows remote attackers to bypass intended access restrictions via a request. |
|
50 |
CVE-2013-7050 |
94 |
|
Exec Code |
2013-12-13 |
2017-08-29 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The get_main_source_dir function in scripts/uscan.pl in devscripts before 2.13.8, when using USCAN_EXCLUSION, allows remote attackers to execute arbitrary commands via shell metacharacters in a directory name. |
