[ei: Strategic Approach go Governance, Risk, and Compliance]
High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0
Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9
Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9
| High Vulnerabilities | ||||
|---|---|---|---|---|
| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
| Back to top | ||||
| 3ds -- push2rss_3ds | SQL injection vulnerability in the RSS feed from records extension 1.0.0 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | 2013-06-27 | 7.5 | CVE-2013-4721 |
| bas_van_beek -- multishop | SQL injection vulnerability in the Multishop extension before 2.0.39 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | 2013-06-25 | 7.5 | CVE-2013-4682 |
| canon -- mg3100_printer | The default configuration of the administrative interface on the Canon MG3100, MG5300, MG6100, MP495, MX340, MX870, MX890, MX920, and MX922 printers does not require authentication, which allows remote attackers to modify the configuration by visiting the Advanced page. NOTE: the vendor has apparently responded by stating "for user convenience, the default setting does not require a password. However, if a user has a particular concern about third parties accessing the user's home printer, the default setting can be changed to add a password." | 2013-06-21 | 7.5 | CVE-2013-4613 |
| christophe_balisky -- meta_feedit | SQL injection vulnerability in the meta_feedit extension 0.1.10 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | 2013-06-25 | 7.5 | CVE-2013-4683 |
| cisco -- adaptive_security_appliance | The Next-Generation Firewall (aka NGFW, formerly CX Context-Aware Security) module 9.x before 9.1.1.9 and 9.1.2.x before 9.1.2.12 for Cisco Adaptive Security Appliances (ASA) devices allows remote attackers to cause a denial of service (device reload or traffic-processing outage) via fragmented (1) IPv4 or (2) IPv6 traffic, aka Bug ID CSCue88387. | 2013-06-26 | 7.8 | CVE-2013-3382 |
| cisco -- ironport_asyncos | The web framework in IronPort AsyncOS on Cisco Web Security Appliance devices before 7.1.3-013, 7.5 before 7.5.0-838, and 7.7 before 7.7.0-550 allows remote authenticated users to execute arbitrary commands via crafted command-line input in a URL sent over IPv4, aka Bug ID CSCzv69294. | 2013-06-27 | 9.0 | CVE-2013-3383 |
| cisco -- ironport_asyncos | The web framework in IronPort AsyncOS on Cisco Web Security Appliance devices before 7.1.3-013, 7.5 before 7.5.0-838, and 7.7 before 7.7.0-550; Email Security Appliance devices before 7.1.5-104, 7.3 before 7.3.2-026, 7.5 before 7.5.2-203, and 7.6 before 7.6.3-019; and Content Security Management Appliance devices before 7.2.2-110, 7.7 before 7.7.0-213, and 7.8 and 7.9 before 7.9.1-102 allows remote authenticated users to execute arbitrary commands via crafted command-line input in a URL, aka Bug IDs CSCzv85726, CSCzv44633, and CSCzv24579. | 2013-06-27 | 9.0 | CVE-2013-3384 |
| cisco -- ironport_asyncos | The management GUI in the web framework in IronPort AsyncOS on Cisco Web Security Appliance devices before 7.1.3-013, 7.5 before 7.5.0-838, and 7.7 before 7.7.0-602; Email Security Appliance devices before 7.1.5-106 and 7.3, 7.5, and 7.6 before 7.6.3-019; and Content Security Management Appliance devices before 7.9.1-102 and 8.0 before 8.0.0-404 allows remote attackers to cause a denial of service (system hang) via a series of (1) HTTP or (2) HTTPS requests to a management interface, aka Bug IDs CSCzv58669, CSCzv63329, and CSCzv78669. | 2013-06-27 | 7.8 | CVE-2013-3385 |
| cisco -- ironport_asyncos | The IronPort Spam Quarantine (ISQ) component in the web framework in IronPort AsyncOS on Cisco Email Security Appliance devices before 7.1.5-106 and 7.3, 7.5, and 7.6 before 7.6.3-019 and Content Security Management Appliance devices before 7.9.1-102 and 8.0 before 8.0.0-404 allows remote attackers to cause a denial of service (service crash or hang) via a high rate of TCP connection attempts, aka Bug IDs CSCzv25573 and CSCzv81712. | 2013-06-27 | 7.8 | CVE-2013-3386 |
| ibm -- lotus_inotes | ntmulti.exe in the Multi User Profile Cleanup service in IBM Notes 8.0, 8.0.1, 8.0.2, 8.5, 8.5.1, 8.5.2, 8.5.3 before FP5, and 9.0 before IF2 allows local users to gain privileges via vectors that arrange for code to be executed during the next login session of a different user, aka SPR PJOK959J24. | 2013-06-21 | 7.2 | CVE-2013-0536 |
| ibm -- aix | The IPv6 implementation in the inet subsystem in IBM AIX 6.1 and 7.1, and VIOS 2.2.2.2-FP-26 SP-02, allows remote attackers to cause a denial of service (system hang) via a crafted packet to an IPv6 interface. | 2013-06-21 | 7.1 | CVE-2013-3035 |
| lina_wolf -- seo_pack_for_tt_news | SQL injection vulnerability in the SEO Pack for tt_news extension before 1.3.3 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | 2013-06-27 | 7.5 | CVE-2013-4719 |
| michael_staatz -- sofortueberweisung2commerce | SQL injection vulnerability in the sofortueberweisung2commerce extension before 2.0.1 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | 2013-06-25 | 7.5 | CVE-2013-4681 |
| mozilla -- firefox | Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before 17.0.7 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. | 2013-06-25 | 10.0 | CVE-2013-1682 |
| mozilla -- firefox | Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 22.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. | 2013-06-25 | 10.0 | CVE-2013-1683 |
| mozilla -- firefox | Use-after-free vulnerability in the mozilla::dom::HTMLMediaElement::LookupMediaElementURITable function in Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before 17.0.7 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a crafted web site. | 2013-06-25 | 9.3 | CVE-2013-1684 |
| mozilla -- firefox | Use-after-free vulnerability in the nsIDocument::GetRootElement function in Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before 17.0.7 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a crafted web site. | 2013-06-25 | 9.3 | CVE-2013-1685 |
| mozilla -- firefox | Use-after-free vulnerability in the mozilla::ResetDir function in Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before 17.0.7 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. | 2013-06-25 | 10.0 | CVE-2013-1686 |
| mozilla -- firefox | The System Only Wrapper (SOW) and Chrome Object Wrapper (COW) implementations in Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before 17.0.7 do not properly restrict XBL user-defined functions, which allows remote attackers to execute arbitrary JavaScript code with chrome privileges, or conduct cross-site scripting (XSS) attacks, via a crafted web site. | 2013-06-25 | 9.3 | CVE-2013-1687 |
| mozilla -- firefox | The Profiler implementation in Mozilla Firefox before 22.0 parses untrusted data during UI rendering, which allows user-assisted remote attackers to execute arbitrary JavaScript code via a crafted web site. | 2013-06-25 | 9.3 | CVE-2013-1688 |
| mozilla -- firefox | Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before 17.0.7 do not properly handle onreadystatechange events in conjunction with page reloading, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted web site that triggers an attempt to execute data at an unmapped memory location. | 2013-06-25 | 9.3 | CVE-2013-1690 |
| mozilla -- firefox | The PreserveWrapper implementation in Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before 17.0.7 does not properly handle the lack of a wrapper, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code by leveraging unintended clearing of the wrapper cache's preserved-wrapper flag. | 2013-06-25 | 7.5 | CVE-2013-1694 |
| mozilla -- firefox | The XrayWrapper implementation in Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before 17.0.7 does not properly restrict use of DefaultValue for method calls, which allows remote attackers to execute arbitrary JavaScript code with chrome privileges via a crafted web site that triggers use of a user-defined (1) toString or (2) valueOf method. | 2013-06-25 | 9.3 | CVE-2013-1697 |
| mozilla -- firefox | The Mozilla Maintenance Service in Mozilla Firefox before 22.0 on Windows does not properly handle inability to launch the Mozilla Updater executable file, which allows local users to gain privileges via vectors involving placement of a Trojan horse executable file at an arbitrary location. | 2013-06-25 | 7.2 | CVE-2013-1700 |
| webempoweredchurch -- wec_discussion | SQL injection vulnerability in the WEC Discussion Forum extension before 2.1.2 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | 2013-06-27 | 7.5 | CVE-2013-4720 |
| Medium Vulnerabilities | ||||
|---|---|---|---|---|
| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
| Back to top | ||||
| alejandro_garza -- apache_solr_autocomplete | Cross-site scripting (XSS) vulnerability in the Apache Solr Autocomplete module 6.x-1.x before 6.x-1.4 and 7.x-1.x before 7.x-1.3 for Drupal allows remote attackers to inject arbitrary web script or HTML via vectors involving autocomplete results. | 2013-06-25 | 4.3 | CVE-2012-6573 |
| alexey_sukhotin -- elfinder | Cross-site request forgery (CSRF) vulnerability in the elFinder file manager module 6.x-0.x before 6.x-0.8 and 7.x-0.x before 7.x-0.8 for Drupal allows remote attackers to hijack the authentication of unspecified victims to create, modify, or delete files via unknown vectors. | 2013-06-24 | 4.3 | CVE-2013-1972 |
| antti_alamaki -- prh_search | Cross-site scripting (XSS) vulnerability in the PRH Search module 7.x-1.x before 7.x-1.1 for Drupal allows remote attackers from certain sources to inject arbitrary web script or HTML via unspecified vectors. | 2013-06-27 | 4.3 | CVE-2012-6576 |
| canon -- mg3100_printer | The Canon MG3100, MG5300, MG6100, MP495, MX340, MX870, MX890, MX920, and MX922 printers allow remote attackers to cause a denial of service (device hang) via a crafted LAN_TXT24 parameter to English/pages_MacUS/cgi_lan.cgi followed by a direct request to English/pages_MacUS/lan_set_content.html. NOTE: the vendor has apparently responded by stating "Canon believes that its printers will not have to deal with unauthorized access to the network from an external location as long as the printers are used in a secured environment." | 2013-06-21 | 5.0 | CVE-2013-4615 |
| cisco -- webex_social | Multiple cross-site request forgery (CSRF) vulnerabilities in Cisco WebEx Social allow remote attackers to hijack the authentication of arbitrary users via unspecified vectors, aka Bug IDs CSCuh10405 and CSCuh10355. | 2013-06-21 | 4.3 | CVE-2013-3392 |
| cisco -- jabber | The Precision Video Engine component in Cisco Jabber for Windows and Cisco Virtualization Experience Media Engine allows remote attackers to cause a denial of service (process crash and call disconnection) via crafted RTP packets, aka Bug IDs CSCuh60706 and CSCue21117. | 2013-06-26 | 5.0 | CVE-2013-3393 |
| cisco -- content_security_management_appliance | Cross-site scripting (XSS) vulnerability in the web framework in Cisco Content Security Management on Security Management Appliance (SMA) devices allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka Bug ID CSCuh24749. | 2013-06-26 | 4.3 | CVE-2013-3396 |
| cisco -- unified_communications_manager | Cross-site request forgery (CSRF) vulnerability in the Unified Serviceability component in Cisco Unified Communications Manager (CUCM) allows remote attackers to hijack the authentication of arbitrary users for requests that perform Unified Serviceability actions, aka Bug ID CSCuh10298. | 2013-06-26 | 4.3 | CVE-2013-3397 |
| cisco -- prime_central_for_hosted_collaboration_solution | The web framework in Cisco Prime Central for Hosted Collaboration Solution (HCS) Assurance provides different responses to requests for arbitrary pathnames depending on whether the pathname exists, which allows remote attackers to enumerate directories and files via a series of crafted requests, aka Bug ID CSCuh64574. | 2013-06-26 | 5.0 | CVE-2013-3398 |
| fortinet -- fortios | Fortinet FortiOS before 5.0.3 on FortiGate devices does not properly restrict Guest capabilities, which allows remote authenticated users to read, modify, or delete the records of arbitrary users by leveraging the Guest role. | 2013-06-25 | 6.5 | CVE-2013-4604 |
| fortinet -- forticlient | FortiClient before 4.3.5.472 on Windows, before 4.0.3.134 on Mac OS X, and before 4.0 on Android; FortiClient Lite before 4.3.4.461 on Windows; FortiClient Lite 2.0 through 2.0.0223 on Android; and FortiClient SSL VPN before 4.0.2258 on Linux proceed with an SSL session after determining that the server's X.509 certificate is invalid, which allows man-in-the-middle attackers to obtain sensitive information by leveraging a password transmission that occurs before the user warning about the certificate problem. | 2013-06-25 | 5.4 | CVE-2013-4669 |
| ibm -- websphere_commerce | IBM WebSphere Commerce Enterprise 5.6.x through 5.6.1.5, 6.0.x through 6.0.0.11, and 7.0.x through 7.0.0.7 does not use a suitable encryption algorithm for storefront web requests, which allows remote attackers to obtain sensitive information via a padding oracle attack that targets certain UTF-8 processing of the krypto parameter, and leverages unspecified browser access or traffic-log access. | 2013-06-21 | 4.3 | CVE-2013-0523 |
| ibm -- sterling_connect_direct_user_interface | The Browser in IBM Sterling Connect:Direct 1.4 before 1.4.0.11 and 1.5 through 1.5.0.1 does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session. | 2013-06-21 | 5.0 | CVE-2013-0529 |
| ibm -- application_manager_for_smart_business | Multiple cross-site scripting (XSS) vulnerabilities in the Basic Services component in IBM Tivoli Monitoring (ITM) 6.2.0 through FP3, 6.2.1 through FP4, 6.2.2 through FP9, and 6.2.3 before FP3, as used in IBM Application Manager for Smart Business (formerly Tivoli Foundations Application Manager) 1.2.1 before 1.2.1.0-TIV-IAMSB-FP0004 and other products, allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 2013-06-21 | 4.3 | CVE-2013-0548 |
| ibm -- application_manager_for_smart_business | The Basic Services component in IBM Tivoli Monitoring (ITM) 6.2.0 through FP3, 6.2.1 through FP4, 6.2.2 through FP9, and 6.2.3 before FP3, as used in IBM Application Manager for Smart Business (formerly Tivoli Foundations Application Manager) 1.2.1 before 1.2.1.0-TIV-IAMSB-FP0004 and other products, allows remote attackers to cause a denial of service (abend) via a crafted URL. | 2013-06-21 | 5.0 | CVE-2013-0551 |
| ibm -- application_manager_for_smart_business | Buffer overflow in KDSMAIN in the Basic Services component in IBM Tivoli Monitoring (ITM) 6.2.0 through FP3, 6.2.1 through FP4, 6.2.2 through FP9, and 6.2.3 before FP3, as used in IBM Application Manager for Smart Business (formerly Tivoli Foundations Application Manager) 1.2.1 before 1.2.1.0-TIV-IAMSB-FP0004 and other products, allows remote attackers to cause a denial of service (segmentation fault) via a crafted http URL. | 2013-06-21 | 5.0 | CVE-2013-2960 |
| ibm -- application_manager_for_smart_business | The internal web server in the Basic Services component in IBM Tivoli Monitoring (ITM) 6.2.0 through FP3, 6.2.1 through FP4, 6.2.2 through FP9, and 6.2.3 before FP3, as used in IBM Application Manager for Smart Business (formerly Tivoli Foundations Application Manager) 1.2.1 before 1.2.1.0-TIV-IAMSB-FP0004 and other products, allows remote attackers to perform unspecified redirection of HTTP requests, and bypass the proxy-server configuration, via crafted HTTP traffic. | 2013-06-21 | 4.3 | CVE-2013-2961 |
| jordan_de_laune -- mp3_player | Cross-site scripting (XSS) vulnerability in the MP3 Player module for Drupal 6.x allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the file name of a MP3 file. | 2013-06-25 | 4.3 | CVE-2013-1971 |
| kong -- inf08 | Cross-site scripting (XSS) vulnerability in the phptemplate_preprocess_node function in template.php in the Inf08 theme 6.x-1.x before 6.x-1.10 for Drupal allows remote authenticated users with the "administer taxonomy" permission to inject arbitrary web script or HTML via a taxonomy vocabulary name. | 2013-06-21 | 4.3 | CVE-2012-6572 |
| kristof_de_jaeger -- display_suite | Cross-site scripting (XSS) vulnerability in the Display Suite module 7.x-1.x before 7.x-1.7 and 7.x-2.x before 7.x-2.3 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via an entity bundle label. | 2013-06-25 | 4.3 | CVE-2013-2177 |
| mobile4social -- exposed_filter_data | Cross-site scripting (XSS) vulnerability in the Exposed Filter Data module 6.x-1.x before 6.x-1.2 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 2013-06-27 | 4.3 | CVE-2012-6575 |
| mozilla -- firefox | Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before 17.0.7 do not prevent the inclusion of body data in an XMLHttpRequest HEAD request, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via a crafted web site. | 2013-06-25 | 4.3 | CVE-2013-1692 |
| mozilla -- firefox | The SVG filter implementation in Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before 17.0.7 allows remote attackers to read pixel values, and possibly bypass the Same Origin Policy and read text from a different domain, by observing timing differences in execution of filter code. | 2013-06-25 | 4.3 | CVE-2013-1693 |
| mozilla -- firefox | Mozilla Firefox before 22.0 does not properly implement certain DocShell inheritance behavior for the sandbox attribute of an IFRAME element, which allows remote attackers to bypass intended access restrictions via a FRAME element within an IFRAME element. | 2013-06-25 | 5.0 | CVE-2013-1695 |
| mozilla -- firefox | Mozilla Firefox before 22.0 does not properly enforce the X-Frame-Options protection mechanism, which allows remote attackers to conduct clickjacking attacks via a crafted web site that uses the HTTP server push feature with multipart responses. | 2013-06-25 | 4.0 | CVE-2013-1696 |
| mozilla -- firefox | The getUserMedia permission implementation in Mozilla Firefox before 22.0 references the URL of a top-level document instead of the URL of a specific page, which makes it easier for remote attackers to trick users into permitting camera or microphone access via a crafted web site that uses IFRAME elements. | 2013-06-25 | 4.3 | CVE-2013-1698 |
| mozilla -- firefox | The Internationalized Domain Name (IDN) display algorithm in Mozilla Firefox before 22.0 does not properly handle the .com, .name, and .net top-level domains, which allows remote attackers to spoof the address bar via unspecified homograph characters. | 2013-06-25 | 5.0 | CVE-2013-1699 |
| nathan_haug -- webform | Cross-site scripting (XSS) vulnerability in the Webform module 6.x-3.x before 6.x-3.19 for Drupal allows remote authenticated users with the "edit own webform content" or "edit all webform content" permissions to inject arbitrary web script or HTML via a component label. | 2013-06-24 | 4.3 | CVE-2013-2129 |
| php -- php | Heap-based buffer overflow in the php_quot_print_encode function in ext/standard/quot_print.c in PHP before 5.3.26 and 5.4.x before 5.4.16 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted argument to the quoted_printable_encode function. | 2013-06-21 | 5.0 | CVE-2013-2110 |
| php -- php | Integer overflow in the SdnToJewish function in jewish.c in the Calendar component in PHP before 5.3.26 and 5.4.x before 5.4.16 allows context-dependent attackers to cause a denial of service (application hang) via a large argument to the jdtojewish function. | 2013-06-21 | 5.0 | CVE-2013-4635 |
| php -- php | The mget function in libmagic/softmagic.c in the Fileinfo component in PHP 5.4.x before 5.4.16 allows remote attackers to cause a denial of service (invalid pointer dereference and application crash) via an MP3 file that triggers incorrect MIME type detection during access to an finfo object. | 2013-06-21 | 4.3 | CVE-2013-4636 |
| soprano -- fonecta_verify | Cross-site scripting (XSS) vulnerability in the Fonecta verify module 7.x-1.x before 7.x-1.6 for Drupal allows remote attackers from certain sources to inject arbitrary web script or HTML via unspecified vectors. | 2013-06-27 | 4.3 | CVE-2012-6574 |
| typoheads -- formhandler | SQL injection vulnerability in the Formhandler extension before 1.4.1 for TYPO3 allows remote authenticated users with certain permissions to execute arbitrary SQL commands via unspecified vectors. | 2013-06-27 | 6.5 | CVE-2012-6577 |
| urs_maag -- maag_form_captcha | Open redirect vulnerability in Maag Form Captcha extension 2.0.0 and earlier for TYPO3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. | 2013-06-25 | 6.4 | CVE-2013-4680 |
| wolfgang_ziegler -- rules | Cross-site scripting (XSS) vulnerability in the Rules module 7.x-2.x before 7.x-2.3 for Drupal allows remote authenticated users with the "administer rules" permission to inject arbitrary web script or HTML via a rule tag. | 2013-06-24 | 4.3 | CVE-2013-1906 |
| wordpress -- wp_maintenance_mode_plugin | Cross-site request forgery (CSRF) vulnerability in the WP Maintenance Mode plugin before 1.8.8 for WordPress allows remote attackers to hijack the authentication of arbitrary users for requests that modify this plugin's settings. | 2013-06-21 | 6.8 | CVE-2013-3250 |
| yoran_brault -- filebrowser | Cross-site scripting (XSS) vulnerability in the Filebrowser module 6.x-2.x before 6.x-2.2 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to "lists of files." | 2013-06-24 | 4.3 | CVE-2013-2036 |
| Low Vulnerabilities | ||||
|---|---|---|---|---|
| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
| Back to top | ||||
| canon -- mg3100_printer | English/pages_MacUS/wls_set_content.html on the Canon MG3100, MG5300, MG6100, MP495, MX340, MX870, MX890, MX920, and MX922 printers shows the Wi-Fi PSK passphrase in cleartext, which allows physically proximate attackers to obtain sensitive information by reading the screen of an unattended workstation. | 2013-06-21 | 2.1 | CVE-2013-4614 |
| ibm -- sterling_connect_direct_user_interface | The Browser in IBM Sterling Connect:Direct 1.4 before 1.4.0.11 and 1.5 through 1.5.0.1 does not close pages upon the timeout of a session, which allows physically proximate attackers to obtain sensitive administrative-console information by reading the screen of an unattended workstation. | 2013-06-21 | 1.9 | CVE-2013-0527 |
| ibm -- lotus_sametime | The Connect client in IBM Sametime 8.5.1, 8.5.1.1, 8.5.1.2, 8.5.2, and 8.5.2.1, as used in the Lotus Notes client and separately, might allow local users to obtain sensitive information by leveraging the persistence of cleartext password strings within process memory. | 2013-06-21 | 1.9 | CVE-2013-0534 |
-자세한 내용 확인하기: US-CERT: Bulletin (SB13-182)
