[RESOLVERGRC.com: GRC Cloud]
High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0
Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9
Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9
| High Vulnerabilities | ||||
|---|---|---|---|---|
| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
| Back to top | ||||
| atlassian -- crowd | Atlassian Crowd 2.6.3 allows remote attackers to execute arbitrary commands via unspecified vectors related to a "symmetric backdoor." NOTE: as of 20130701, the vendor could not reproduce the issue, stating "We've been unable to substantiate the existence of [CVE-2013-3926]. The author of the article has not contacted Atlassian and has provided no detail, making it difficult to validate the claim... If we can confirm that there is a vulnerability, a patch will be issued." | 2013-07-01 | 7.5 | CVE-2013-3926 |
| choice_wireless -- wixfmr-111 | ajax.cgi in the web interface on the Choice Wireless Green Packet WIXFMR-111 4G WiMax modem allows remote attackers to obtain sensitive information via an Ajax (1) wmxState or (2) netState request. | 2013-07-01 | 9.3 | CVE-2013-3581 |
| choice_wireless -- wixfmr-111 | ajax.cgi in the web interface on the Choice Wireless Green Packet WIXFMR-111 4G WiMax modem allows remote attackers to execute arbitrary commands via shell metacharacters in the pip parameter in an Ajax tag_ipPing request, a different vulnerability than CVE-2013-3581. | 2013-06-30 | 9.3 | CVE-2013-4731 |
| digital_alert_systems -- dasdec_eas | The default configuration of the Digital Alert Systems DASDEC EAS device before 2.0-2 and the Monroe Electronics R189 One-Net EAS device before 2.0-2 contains a known SSH private key, which makes it easier for remote attackers to obtain root access, and spoof alerts, via an SSH session. | 2013-06-30 | 10.0 | CVE-2013-0137 |
| digital_alert_systems -- dasdec_eas | ** DISPUTED ** The administrative web server on the Digital Alert Systems DASDEC EAS device through 2.0-2 and the Monroe Electronics R189 One-Net EAS device through 2.0-2 uses predictable session ID values, which makes it easier for remote attackers to hijack sessions by sniffing the network. NOTE: VU#662676 states "Monroe Electronics could not reproduce this finding." | 2013-06-30 | 10.0 | CVE-2013-4732 |
| digital_alert_systems -- dasdec_eas | The web server on the Digital Alert Systems DASDEC EAS device before 2.0-2 and the Monroe Electronics R189 One-Net EAS device before 2.0-2 allows remote attackers to obtain sensitive configuration and status information by reading log files. | 2013-06-30 | 7.8 | CVE-2013-4733 |
| digital_alert_systems -- dasdec_eas | dasdec_mkuser on the Digital Alert Systems DASDEC EAS device before 2.0-2 and the Monroe Electronics R189 One-Net EAS device before 2.0-2 generates predictable passwords, which might make it easier for attackers to obtain non-administrative access via unspecified vectors. | 2013-06-30 | 7.5 | CVE-2013-4734 |
| digital_alert_systems -- dasdec_eas | The Digital Alert Systems DASDEC EAS device before 2.0-2 and the Monroe Electronics R189 One-Net EAS device before 2.0-2 have a default password for an administrative account, which makes it easier for remote attackers to obtain access via an IP network. | 2013-06-30 | 10.0 | CVE-2013-4735 |
| ds3 -- authentication_server | ServerAdmin/TestTelnetConnection.jsp in DS3 Authentication Server allows remote authenticated users to execute arbitrary commands via shell metacharacters in the HOST_NAME field. | 2013-06-28 | 9.0 | CVE-2013-4096 |
| georg_ringer -- news | SQL injection vulnerability in the News system (news) extension before 1.3.3 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | 2013-07-01 | 7.5 | CVE-2013-4748 |
| hp -- storeonce_d2d | The HP StoreOnce D2D backup system with software before 3.0.0 has a default password of badg3r5 for the HPSupport account, which allows remote attackers to obtain administrative access and delete data via an SSH session. | 2013-06-30 | 7.7 | CVE-2013-2342 |
| hp -- lefthand_p4000_virtual_san_appliance | Unspecified vulnerability on the HP LeftHand Virtual SAN Appliance hydra with software before 10.0 allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-1510. | 2013-07-02 | 10.0 | CVE-2013-2343 |
| ibm -- ims_enterprise_suite | Unspecified vulnerability in SOAP Gateway in IBM IMS Enterprise Suite 1.1, 2.1, and 2.2 allows remote authenticated users to execute arbitrary commands via unknown vectors. | 2013-07-02 | 9.0 | CVE-2013-3003 |
| imperva -- securesphere | The SecureSphere Operations Manager (SOM) Management Server in Imperva SecureSphere 9.0.0.5 does not have an off autocomplete attribute for the password (aka j_password) field on the secsphLogin.jsp login page, which makes it easier for remote attackers to obtain access by leveraging an unattended workstation. | 2013-06-28 | 7.5 | CVE-2013-4091 |
| indra -- editran_communications_platform | Buffer overflow in the lsConnectionCached function in editcp in EDItran Communications Platform 4.1 R7 allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a crafted packet to TCP port 7777. | 2013-06-28 | 7.5 | CVE-2010-5288 |
| kurt_gusbeth -- myquizpoll | SQL injection vulnerability in the My quiz and poll (myquizpoll) extension before 2.0.6 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | 2013-07-01 | 7.5 | CVE-2013-4745 |
| lianja -- lianja_sql_server | Stack-based buffer overflow in db_netserver in Lianja SQL Server before 1.0.0RC5.2 allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a crafted string to TCP port 8001. | 2013-07-04 | 7.5 | CVE-2013-3563 |
| lockon -- ec-cube | LOCKON EC-CUBE 2.11.2 through 2.12.4 allows remote attackers to conduct unspecified PHP code-injection attacks via a crafted string, related to data/class/SC_CheckError.php and data/class/SC_FormParam.php. | 2013-06-30 | 7.5 | CVE-2013-3651 |
| remotesensing -- libtiff | Heap-based buffer overflow in the tp_process_jpeg_strip function in tiff2pdf in libtiff 4.0.3 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted TIFF image file. | 2013-07-03 | 9.3 | CVE-2013-1960 |
| remotesensing -- libtiff | Stack-based buffer overflow in the t2p_write_pdf_page function in tiff2pdf in libtiff before 4.0.3 allows remote attackers to cause a denial of service (application crash) via a crafted image length and resolution in a TIFF image file. | 2013-07-03 | 9.3 | CVE-2013-1961 |
| Medium Vulnerabilities | ||||
|---|---|---|---|---|
| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
| Back to top | ||||
| atlassian -- crowd | Atlassian Crowd 2.5.x before 2.5.4, 2.6.x before 2.6.3, 2.3.8, and 2.4.9 allows remote attackers to read arbitrary files and send HTTP requests to intranet servers via a request to (1) /services/2 or (2) services/latest with a DTD containing an XML external entity declaration in conjunction with an entity reference. | 2013-07-01 | 5.8 | CVE-2013-3925 |
| cisco -- content_security_management_appliance | Cross-site request forgery (CSRF) vulnerability in the web framework on Cisco IronPort Web Security Appliance (WSA) devices, Email Security Appliance (ESA) devices, and Content Security Management Appliance (SMA) devices allows remote attackers to hijack the authentication of arbitrary users, aka Bug IDs CSCuh70263, CSCuh70323, and CSCuh26634. | 2013-07-01 | 6.8 | CVE-2013-3395 |
| cisco -- desktop_collaboration_experience | Buffer overflow in an unspecified Android API on the Cisco Desktop Collaboration Experience DX650 allows attackers to execute arbitrary code via vectors that leverage incorrect memory allocation, aka Bug IDs CSCuf93957, CSCug22352, and CSCug22462. | 2013-07-01 | 6.6 | CVE-2013-3399 |
| cisco -- telepresence_tc_software | The SIP implementation in Cisco TelePresence TC Software allows remote attackers to trigger unintended use of NOTIFY messages via unspecified vectors, aka Bug ID CSCud96080. | 2013-07-01 | 4.3 | CVE-2013-3401 |
| cisco -- identity_services_engine_software | Cross-site scripting (XSS) vulnerability in the search form in the administration/monitoring panel on the Cisco Identity Services Engine (ISE) allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka Bug ID CSCuh87036. | 2013-07-04 | 4.3 | CVE-2013-3413 |
| ds3 -- authentication_server | ServerAdmin/TestDRConnection.jsp in DS3 Authentication Server allows remote attackers to obtain sensitive information via a direct request, which reveals the installation path in a -REG-E-OPEN error message. | 2013-06-28 | 5.0 | CVE-2013-4097 |
| ds3 -- authentication_server | ServerAdmin/ErrorViewer.jsp in DS3 Authentication Server allow remote attackers to inject arbitrary error-page text via the message parameter. | 2013-06-28 | 5.0 | CVE-2013-4098 |
| freebsd -- freebsd | The vm_map_lookup function in sys/vm/vm_map.c in the mmap implementation in the kernel in FreeBSD 9.0 through 9.1-RELEASE-p4 does not properly determine whether a task should have write access to a memory location, which allows local users to bypass filesystem write permissions and consequently gain privileges via a crafted application that leverages read permissions, and makes mmap and ptrace system calls. | 2013-07-01 | 6.9 | CVE-2013-2171 |
| gnu -- gnutls | The _gnutls_ciphertext2compressed function in lib/gnutls_cipher.c in GnuTLS 2.12.23 allows remote attackers to cause a denial of service (buffer over-read and crash) via a crafted padding length. NOTE: this might be due to an incorrect fix for CVE-2013-0169. | 2013-07-03 | 5.0 | CVE-2013-2116 |
| hp -- nonstop_sql/mx | HP SQL/MX 3.0 through 3.2 on NonStop servers, when SQL/MP Objects are used, allows remote authenticated users to bypass intended access restrictions and modify data via unspecified vectors, aka the "SQL/MP tables" issue. | 2013-06-28 | 6.0 | CVE-2013-2323 |
| hp -- smart_zero_core | HP Smart Zero Core 4.3 and 4.3.1 on the t410 All-in-One Smart Zero Client, t410 Smart Zero Client, t510 Flexible Thin Client, t5565z Smart Client, t610 Flexible Thin Client, and t610 PLUS Flexible Thin Client allows local users to obtain sensitive information, modify data, or cause a denial of service via unknown vectors. | 2013-06-30 | 4.6 | CVE-2013-2339 |
| ibm -- sterling_b2b_integrator | Multiple SQL injection vulnerabilities in IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 and 2.2 allow remote authenticated users to execute arbitrary SQL commands via vectors involving the RNVisibility page and unspecified screens, a different vulnerability than CVE-2013-0560. | 2013-07-03 | 6.5 | CVE-2012-5766 |
| ibm -- sterling_b2b_integrator | IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 and 2.2 do not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session. | 2013-07-03 | 5.0 | CVE-2012-5936 |
| ibm -- sterling_b2b_integrator | Multiple cross-site scripting (XSS) vulnerabilities in IBM Sterling B2B Integrator 5.2.4 and Sterling File Gateway allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 2013-07-02 | 4.3 | CVE-2013-0455 |
| ibm -- sterling_b2b_integrator | IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 and 2.2 allow remote authenticated users to hijack sessions via a modified cookie path. | 2013-07-03 | 4.0 | CVE-2013-0456 |
| ibm -- sterling_b2b_integrator | IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 and 2.2 allow remote authenticated users to obtain sensitive information about application implementation via unspecified vectors, a different vulnerability than CVE-2013-2985, CVE-2013-2987, CVE-2013-3020, CVE-2013-0568, CVE-2013-0475, and CVE-2013-0567. | 2013-07-03 | 6.8 | CVE-2013-0463 |
| ibm -- sterling_b2b_integrator | IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 and 2.2 allow remote authenticated users to obtain sensitive information about application implementation via unspecified vectors, a different vulnerability than CVE-2013-0463, CVE-2013-2985, CVE-2013-2987, CVE-2013-3020, CVE-2013-0568, and CVE-2013-0567. | 2013-07-03 | 4.0 | CVE-2013-0475 |
| ibm -- sterling_b2b_integrator | IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 and 2.2 allow remote attackers to inject arbitrary FTP commands via unspecified vectors. | 2013-07-03 | 6.4 | CVE-2013-0476 |
| ibm -- sterling_b2b_integrator | IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 and 2.2 do not properly restrict file types and extensions, which allows remote authenticated users to bypass intended access restrictions via a crafted filename. | 2013-07-03 | 4.0 | CVE-2013-0479 |
| ibm -- sterling_b2b_integrator | The console in IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 and 2.2 allows remote attackers to read stack traces by triggering (1) an error or (2) an exception. | 2013-07-03 | 5.0 | CVE-2013-0481 |
| ibm -- sterling_b2b_integrator | An unspecified third-party component in IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 and 2.2 uses short session ID values, which makes it easier for remote attackers to hijack sessions, and consequently obtain sensitive information, via a brute-force attack. | 2013-07-03 | 5.0 | CVE-2013-0539 |
| ibm -- sterling_b2b_integrator | IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 and 2.2 allow remote attackers to obtain sensitive information about application implementation via unspecified vectors. | 2013-07-03 | 5.0 | CVE-2013-0558 |
| ibm -- sterling_b2b_integrator | Multiple SQL injection vulnerabilities in IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 and 2.2 allow remote authenticated users to execute arbitrary SQL commands via unspecified vectors, a different vulnerability than CVE-2012-5766. | 2013-07-03 | 6.5 | CVE-2013-0560 |
| ibm -- sterling_b2b_integrator | IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 and 2.2 allow remote authenticated users to obtain sensitive information about application implementation via unspecified vectors, a different vulnerability than CVE-2013-0463, CVE-2013-2985, CVE-2013-2987, CVE-2013-3020, CVE-2013-0568, and CVE-2013-0475. | 2013-07-03 | 4.0 | CVE-2013-0567 |
| ibm -- sterling_b2b_integrator | IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 and 2.2 allow remote authenticated users to obtain sensitive information about application implementation via unspecified vectors, a different vulnerability than CVE-2013-0463, CVE-2013-2985, CVE-2013-2987, CVE-2013-3020, CVE-2013-0475, and CVE-2013-0567. | 2013-07-03 | 4.0 | CVE-2013-0568 |
| ibm -- sterling_b2b_integrator | IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 and 2.2 allow remote authenticated users to upload arbitrary files via unspecified vectors. | 2013-07-03 | 6.5 | CVE-2013-2982 |
| ibm -- sterling_b2b_integrator | Multiple cross-site scripting (XSS) vulnerabilities in IBM Sterling File Gateway 2.2 and Sterling B2B Integrator allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different issue than CVE-2013-0468. | 2013-07-02 | 4.3 | CVE-2013-2983 |
| ibm -- sterling_b2b_integrator | Directory traversal vulnerability in IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 and 2.2 allows remote authenticated users to read or modify files via unspecified vectors. | 2013-07-03 | 6.5 | CVE-2013-2984 |
| ibm -- sterling_b2b_integrator | IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 and 2.2 allow remote authenticated users to obtain sensitive information about application implementation via unspecified vectors, a different vulnerability than CVE-2013-0463, CVE-2013-2987, CVE-2013-3020, CVE-2013-0568, CVE-2013-0475, and CVE-2013-0567. | 2013-07-03 | 4.0 | CVE-2013-2985 |
| ibm -- sterling_b2b_integrator | IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 and 2.2 allow remote authenticated users to obtain sensitive information about application implementation via unspecified vectors, a different vulnerability than CVE-2013-0463, CVE-2013-2985, CVE-2013-3020, CVE-2013-0568, CVE-2013-0475, and CVE-2013-0567. | 2013-07-03 | 4.0 | CVE-2013-2987 |
| ibm -- sterling_b2b_integrator | IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 and 2.2 allow remote authenticated users to obtain sensitive information about application implementation via unspecified vectors, a different vulnerability than CVE-2013-0463, CVE-2013-2985, CVE-2013-2987, CVE-2013-0568, CVE-2013-0475, and CVE-2013-0567. | 2013-07-03 | 4.0 | CVE-2013-3020 |
| ibm -- websphere_mq | Multiple buffer overflows in mqm programs in IBM WebSphere MQ 7.0.x before 7.0.1.11, 7.1.x before 7.1.0.3, and 7.5.x before 7.5.0.2 on non-Windows platforms allow local users to gain privileges via unspecified vectors. | 2013-07-02 | 4.6 | CVE-2013-3028 |
| imperva -- securesphere | The SecureSphere Operations Manager (SOM) Management Server in Imperva SecureSphere 9.0.0.5 allows context-dependent attackers to obtain sensitive information by leveraging the presence of (1) a session ID in the jsessionid field to secsphLogin.jsp or (2) credentials in the j_password parameter to j_acegi_security_check, and reading (a) web-server access logs, (b) web-server Referer logs, or (c) the browser history. | 2013-06-28 | 5.0 | CVE-2013-4092 |
| imperva -- securesphere | The SecureSphere Operations Manager (SOM) Management Server in Imperva SecureSphere 9.0.0.5 allows remote attackers to obtain sensitive information via (1) a direct request to dwr/call/plaincall/AsyncOperationsContainer.getOperationState.dwr, which reveals the installation path in the s0.filePath field, or (2) a T/keyManagement request to plain/settings.html, which reveals a temporary path in an error message. | 2013-06-28 | 5.0 | CVE-2013-4093 |
| imperva -- securesphere | The Key Management feature in the SecureSphere Operations Manager (SOM) Management Server in Imperva SecureSphere 9.0.0.5 allows remote authenticated users to upload executable files via the (1) private_key or (2) public_key parameter in a T/keyManagement request to plain/settings.html, as demonstrated by uploading a Linux ELF file and a shell script. | 2013-06-28 | 6.5 | CVE-2013-4094 |
| imperva -- securesphere | plain/actionsets.html in the SecureSphere Operations Manager (SOM) Management Server in Imperva SecureSphere 9.0.0.5 allows remote authenticated users to execute arbitrary commands via a task with a [command].value field in conjunction with an [arguments].value field. | 2013-06-28 | 6.5 | CVE-2013-4095 |
| js-yaml_project -- js-yaml | The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, which allows remote attackers to execute arbitrary code via a crafted string that triggers an eval operation. | 2013-06-28 | 6.8 | CVE-2013-4660 |
| kasper_skarhoj -- accessible_is_browse_results | Cross-site scripting (XSS) vulnerability in the Accessible browse results for indexed search (accessible_is_browse_results) extension 1.2.1 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 2013-07-01 | 4.3 | CVE-2013-4747 |
| kent-web -- post-mail | Cross-site scripting (XSS) vulnerability in KENT-WEB POST-MAIL before 6.7, when Internet Explorer 7 or earlier is used, allows remote attackers to inject arbitrary web script or HTML via an unspecified form field. | 2013-06-28 | 4.3 | CVE-2013-3648 |
| kent-web -- clip-mail | Cross-site scripting (XSS) vulnerability in KENT-WEB CLIP-MAIL before 3.4, when Internet Explorer 7 or earlier is used, allows remote attackers to inject arbitrary web script or HTML via an unspecified form field. | 2013-06-28 | 4.3 | CVE-2013-3649 |
| kurt_gusbeth -- myquizpoll | Cross-site scripting (XSS) vulnerability in the My quiz and poll (myquizpoll) extension before 2.0.6 for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 2013-07-01 | 4.3 | CVE-2013-4746 |
| linux -- linux_kernel | The sctp_sf_do_5_2_4_dupcook function in net/sctp/sm_statefuns.c in the SCTP implementation in the Linux kernel before 3.8.5 does not properly handle associations during the processing of a duplicate COOKIE ECHO chunk, which allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via crafted SCTP traffic. | 2013-07-04 | 5.4 | CVE-2013-2206 |
| linux -- linux_kernel | The ip6_sk_dst_check function in net/ipv6/ip6_output.c in the Linux kernel before 3.10 allows local users to cause a denial of service (system crash) by using an AF_INET6 socket for a connection to an IPv4 interface. | 2013-07-04 | 4.9 | CVE-2013-2232 |
| lockon -- ec-cube | Directory traversal vulnerability in the lfCheckFileName function in data/class/pages/LC_Page_ResizeImage.php in LOCKON EC-CUBE before 2.12.5 allows remote attackers to read arbitrary image files via vectors involving the image parameter to resize_image.php, a different vulnerability than CVE-2013-3654. | 2013-06-30 | 5.0 | CVE-2013-3650 |
| lockon -- ec-cube | Cross-site scripting (XSS) vulnerability in data/class/pages/products/LC_Page_Products_List.php in LOCKON EC-CUBE 2.11.0 through 2.12.4 allows remote attackers to inject arbitrary web script or HTML via vectors involving the classcategory_id2 field, a different vulnerability than CVE-2013-3653. | 2013-06-30 | 4.3 | CVE-2013-3652 |
| lockon -- ec-cube | Multiple cross-site scripting (XSS) vulnerabilities in the RecommendSearch feature in the management screen in LOCKON EC-CUBE before 2.12.5 allow remote attackers to inject arbitrary web script or HTML via vectors involving the rank parameter, a different vulnerability than CVE-2013-3652. | 2013-06-30 | 4.3 | CVE-2013-3653 |
| lockon -- ec-cube | Directory traversal vulnerability in LOCKON EC-CUBE 2.12.0 through 2.12.4 allows remote attackers to read arbitrary image files via vectors related to data/class/SC_CheckError.php and data/class/SC_FormParam.php, a different vulnerability than CVE-2013-3650. | 2013-06-30 | 5.0 | CVE-2013-3654 |
| mongodb -- mongodb | MongoDB 2.4.x before 2.4.5 and 2.5.x before 2.5.1 allows remote authenticated users to obtain internal system privileges by leveraging a username of __system in an arbitrary database. | 2013-07-04 | 6.5 | CVE-2013-4650 |
| phpmyadmin -- phpmyadmin | import.php in phpMyAdmin 4.x before 4.0.4.1 does not properly restrict the ability of input data to specify a file format, which allows remote authenticated users to modify the GLOBALS superglobal array, and consequently change the configuration, via a crafted request. | 2013-07-04 | 5.5 | CVE-2013-4729 |
| phpunit_project -- phpunit | Cross-site scripting (XSS) vulnerability in the PHPUnit extension before 3.5.15 for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 2013-07-01 | 4.3 | CVE-2013-4744 |
| redhat -- enterprise_virtualization_manager | Red Hat Enterprise Virtualization Manager (RHEVM) before 3.2 does not properly check permissions for the target storage domain, which allows attackers to cause a denial of service (disk space consumption) by cloning a VM from a snapshot. | 2013-07-03 | 5.0 | CVE-2013-2144 |
| redhat -- enterprise_linux | A certain Red Hat patch for the Linux kernel 2.6.32 on Red Hat Enterprise Linux (RHEL) 6 allows local users to cause a denial of service (invalid free operation and system crash) or possibly gain privileges via a sendmsg system call with the IP_RETOPTS option, as demonstrated by hemlock.c. NOTE: this vulnerability exists because of an incorrect fix for CVE-2012-3552. | 2013-07-04 | 6.9 | CVE-2013-2224 |
| services_project -- services | Cross-site request forgery (CSRF) vulnerability in the Services module 6.x-3.x and 7.x-3.x before 7.x-3.4 for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. | 2013-07-01 | 6.8 | CVE-2013-2158 |
| typo3 -- typo3 | SQL injection vulnerability in the Backend History module in TYPO3 4.5.x before 4.5.21, 4.6.x before 4.6.14, and 4.7.x before 4.7.6 allows remote authenticated backend users to execute arbitrary SQL commands via unspecified vectors. | 2013-07-01 | 6.5 | CVE-2012-6144 |
| usertask_center_messaging_project -- usertask_center_messaging | Cross-site scripting (XSS) vulnerability in the UserTask Center, Messaging (sys_messages) extension 1.1.0 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 2013-07-01 | 4.3 | CVE-2013-4749 |
| Low Vulnerabilities | ||||
|---|---|---|---|---|
| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
| Back to top | ||||
| freedesktop -- dbus | The _dbus_printf_string_upper_bound function in dbus/dbus-sysdeps-unix.c in D-Bus (aka DBus) 1.4.x before 1.4.26, 1.6.x before 1.6.12, and 1.7.x before 1.7.4 allows local users to cause a denial of service (service crash) via a crafted message. | 2013-07-03 | 1.9 | CVE-2013-2168 |
| hp -- nonstop_sql/mx | HP SQL/MX 3.2 and earlier on NonStop servers, when SQL/MP Objects are used, allows remote authenticated users to obtain sensitive information via unspecified vectors, aka the "SQL/MP index" issue. | 2013-06-28 | 3.5 | CVE-2013-2322 |
| ibm -- sterling_b2b_integrator | Cross-site scripting (XSS) vulnerability in IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 and 2.2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2013-2983. | 2013-07-03 | 3.5 | CVE-2013-0468 |
| linux -- linux_kernel | The (1) key_notify_sa_flush and (2) key_notify_policy_flush functions in net/key/af_key.c in the Linux kernel before 3.10 do not initialize certain structure members, which allows local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify interface of an IPSec key_socket. | 2013-07-04 | 2.1 | CVE-2013-2234 |
| linux -- linux_kernel | The key_notify_policy_flush function in net/key/af_key.c in the Linux kernel before 3.9 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify_policy interface of an IPSec key_socket. | 2013-07-04 | 2.1 | CVE-2013-2237 |
| phpmyadmin -- phpmyadmin | Cross-site scripting (XSS) vulnerability in view_create.php (aka the Create View page) in phpMyAdmin 4.x before 4.0.3 allows remote authenticated users to inject arbitrary web script or HTML via an invalid SQL CREATE VIEW statement with a crafted name that triggers an error message. | 2013-07-04 | 3.5 | CVE-2013-3742 |
| redhat -- enterprise_mrg | The mmc_ioctl_cdrom_read_data function in drivers/cdrom/cdrom.c in the Linux kernel through 3.10 allows local users to obtain sensitive information from kernel memory via a read operation on a malfunctioning CD-ROM drive. | 2013-07-04 | 2.1 | CVE-2013-2164 |
| typo3 -- typo3 | Cross-site scripting (XSS) vulnerability in the Backend History module in TYPO3 4.5.x before 4.5.21, 4.6.x before 4.6.14, and 4.7.x before 4.7.6 allows remote authenticated backend users to inject arbitrary web script or HTML via unspecified vectors. | 2013-07-01 | 3.5 | CVE-2012-6145 |
| typo3 -- typo3 | Cross-site scripting (XSS) vulnerability in the tree render API (TCA-Tree) in the Backend API in TYPO3 4.5.x before 4.5.21, 4.6.x before 4.6.14, and 4.7.x before 4.7.6 allows remote authenticated backend users to inject arbitrary web script or HTML via unspecified vectors. | 2013-07-01 | 3.5 | CVE-2012-6147 |
| typo3 -- typo3 | Cross-site scripting (XSS) vulnerability in the function menu API in TYPO3 4.5.x before 4.5.21, 4.6.x before 4.6.14, and 4.7.x before 4.7.6 allows remote authenticated backend users to inject arbitrary web script or HTML via unspecified vectors. | 2013-07-01 | 3.5 | CVE-2012-6148 |
- 자세한 내용 확인하기: US-CERT: Bulletin (SB13-189)
