| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|--------|--------|---------------|-----------------------|--------------|-------------|-------|---------------------|--------|------------|----------------|-------|--------|--------|-------------|
| 1 | CVE-2013-2717 | | | | 2013-03-28 | 2013-03-29 | 9.3 | None | Remote | Medium | Not required | Complete | Complete | Complete | Multiple unspecified vulnerabilities in the System Management (aka SysAdmin) Console in EMC Smarts Network Configuration Manager (NCM) through 9.2 have unknown impact and attack vectors, a different issue than CVE-2013-0935. NOTE: this might overlap CVEs for open-source server components or other third-party components. |
| 2 | CVE-2013-2715 | 79 | | XSS | 2013-03-27 | 2017-08-29 | 2.1 | None | Remote | High | ??? | None | Partial | None | Cross-site scripting (XSS) vulnerability in the admin view in the Search API (search_api) module 7.x-1.x before 7.x-1.4 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via a crafted field name. |
| 3 | CVE-2013-2690 | 89 | 1 | Exec Code Sql | 2013-03-28 | 2017-08-29 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | SQL injection vulnerability in index.php in Synchroweb Technology SynConnect 2.0 allows remote attackers to execute arbitrary SQL commands via the loginid parameter in a logoff action. |
| 4 | CVE-2013-2640 | 264 | | XSS | 2013-03-22 | 2013-04-05 | 5.0 | None | Remote | Low | Not required | None | Partial | None | ajax.functions.php in the MailUp plugin before 1.3.2 for WordPress does not properly restrict access to unspecified Ajax functions, which allows remote attackers to modify plugin settings and conduct cross-site scripting (XSS) attacks via unspecified vectors related to "formData=save" requests, a different version than CVE-2013-0731. |
| 5 | CVE-2013-2636 | 399 | | +Info | 2013-03-22 | 2013-04-05 | 1.9 | None | Local | Medium | Not required | Partial | None | None | net/bridge/br_mdb.c in the Linux kernel before 3.8.4 does not initialize certain structures, which allows local users to obtain sensitive information from kernel memory via a crafted application. |
| 6 | CVE-2013-2635 | 399 | | +Info | 2013-03-22 | 2014-02-07 | 1.9 | None | Local | Medium | Not required | Partial | None | None | The rtnl_fill_ifinfo function in net/core/rtnetlink.c in the Linux kernel before 3.8.4 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. |
| 7 | CVE-2013-2634 | 399 | | +Info | 2013-03-22 | 2014-02-07 | 1.9 | None | Local | Medium | Not required | Partial | None | None | net/dcb/dcbnl.c in the Linux kernel before 3.8.4 does not initialize certain structures, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. |
| 8 | CVE-2013-2633 | 20 | | +Info | 2013-03-21 | 2019-11-21 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Piwik before 1.11 accepts input from a POST request instead of a GET request in unspecified circumstances, which might allow attackers to obtain sensitive information by leveraging the logging of parameters. |
| 9 | CVE-2013-2632 | | | DoS | 2013-03-21 | 2013-04-09 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Google V8 before 3.17.13, as used in Google Chrome before 27.0.1444.3, allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted JavaScript code, as demonstrated by the Bejeweled game. |
| 10 | CVE-2013-2617 | 94 | | Exec Code | 2013-03-20 | 2020-11-16 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | lib/curl.rb in the Curl Gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL. |
| 11 | CVE-2013-2616 | 94 | | Exec Code | 2013-03-20 | 2017-11-30 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | lib/mini_magick.rb in the MiniMagick Gem 1.3.1 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL. |
| 12 | CVE-2013-2615 | 94 | | Exec Code | 2013-03-20 | 2013-03-21 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | lib/entry_controller.rb in the fastreader Gem 1.0.8 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL. |
| 13 | CVE-2013-2566 | 326 | | | 2013-03-15 | 2020-11-23 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions that use the same plaintext. |
| 14 | CVE-2013-2560 | 22 | | Dir. Trav. | 2013-03-15 | 2013-03-20 | 7.8 | None | Remote | Low | Not required | Complete | None | None | Directory traversal vulnerability in the web interface on Foscam devices with firmware before 11.37.2.49 allows remote attackers to read arbitrary files via a .. (dot dot) in the URI, as demonstrated by discovering (1) web credentials or (2) Wi-Fi credentials. |
| 15 | CVE-2013-2558 | | | DoS | 2013-03-13 | 2013-03-16 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | Unspecified vulnerability in Microsoft Windows 8 allows remote attackers to cause a denial of service (reboot) or possibly have unknown other impact via a crafted TrueType Font (TTF) file, as demonstrated by the 120612-69701-01.dmp error report. |
| 16 | CVE-2013-2557 | 119 | | DoS Overflow Mem. Corr. | 2013-03-11 | 2013-03-16 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | The sandbox protection mechanism in Microsoft Internet Explorer 9 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors, as demonstrated against Adobe Flash Player by VUPEN during a Pwn2Own competition at CanSecWest 2013. |
| 17 | CVE-2013-2556 | | | Bypass | 2013-03-11 | 2020-09-28 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Unspecified vulnerability in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and Windows 7 through SP1 allows attackers to bypass the ASLR protection mechanism via unknown vectors, as demonstrated against Adobe Flash Player by VUPEN during a Pwn2Own competition at CanSecWest 2013, aka "ASLR Security Feature Bypass Vulnerability." |
| 18 | CVE-2013-2555 | 190 | | Exec Code Overflow | 2013-03-11 | 2021-09-08 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | Integer overflow in Adobe Flash Player before 10.3.183.75 and 11.x before 11.7.700.169 on Windows and Mac OS X, before 10.3.183.75 and 11.x before 11.2.202.280 on Linux, before 11.1.111.50 on Android 2.x and 3.x, and before 11.1.115.54 on Android 4.x; Adobe AIR before 3.7.0.1530; and Adobe AIR SDK & Compiler before 3.7.0.1530 allows remote attackers to execute arbitrary code via unspecified vectors, as demonstrated by VUPEN during a Pwn2Own competition at CanSecWest 2013. |
| 19 | CVE-2013-2554 | | | Bypass | 2013-03-11 | 2018-10-30 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Unspecified vulnerability in Microsoft Windows 7 allows attackers to bypass the ASLR and DEP protection mechanisms via unknown vectors, as demonstrated against Firefox by VUPEN during a Pwn2Own competition at CanSecWest 2013, a different vulnerability than CVE-2013-0787. |
| 20 | CVE-2013-2553 | | | +Priv | 2013-03-11 | 2018-10-30 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete | Unspecified vulnerability in the kernel in Microsoft Windows 7 allows local users to gain privileges via unknown vectors, as demonstrated by Nils and Jon of MWR Labs during a Pwn2Own competition at CanSecWest 2013, a different vulnerability than CVE-2013-0912. |
| 21 | CVE-2013-2552 | | | Bypass | 2013-03-11 | 2013-03-16 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Unspecified vulnerability in Microsoft Internet Explorer 10 on Windows 8 allows remote attackers to bypass the sandbox protection mechanism by leveraging access to a Medium integrity process, as demonstrated by VUPEN during a Pwn2Own competition at CanSecWest 2013. |
| 22 | CVE-2013-2551 | 416 | | Exec Code | 2013-03-11 | 2018-10-12 | 9.3 | None | Remote | Medium | Not required | Complete | Complete | Complete | Use-after-free vulnerability in Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, as demonstrated by VUPEN during a Pwn2Own competition at CanSecWest 2013, aka "Internet Explorer Use After Free Vulnerability," a different vulnerability than CVE-2013-1308 and CVE-2013-1309. |
| 23 | CVE-2013-2550 | | | Bypass | 2013-03-11 | 2017-09-19 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Unspecified vulnerability in Adobe Reader 11.0.02 allows attackers to bypass the sandbox protection mechanism via unknown vectors, as demonstrated by George Hotz during a Pwn2Own competition at CanSecWest 2013. |
| 24 | CVE-2013-2549 | 94 | | Exec Code | 2013-03-11 | 2017-09-19 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Unspecified vulnerability in Adobe Reader 11.0.02 allows remote attackers to execute arbitrary code via vectors related to a "break into the sandbox," as demonstrated by George Hotz during a Pwn2Own competition at CanSecWest 2013. |
| 25 | CVE-2013-2548 | 310 | | +Info | 2013-03-15 | 2014-01-04 | 2.1 | None | Local | Low | Not required | Partial | None | None | The crypto_report_one function in crypto/crypto_user.c in the report API in the crypto user configuration API in the Linux kernel through 3.8.2 uses an incorrect length value during a copy operation, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability. |
| 26 | CVE-2013-2547 | 310 | | +Info | 2013-03-15 | 2014-01-04 | 2.1 | None | Local | Low | Not required | Partial | None | None | The crypto_report_one function in crypto/crypto_user.c in the report API in the crypto user configuration API in the Linux kernel through 3.8.2 does not initialize certain structure members, which allows local users to obtain sensitive information from kernel heap memory by leveraging the CAP_NET_ADMIN capability. |
| 27 | CVE-2013-2546 | 310 | | +Info | 2013-03-15 | 2014-01-04 | 2.1 | None | Local | Low | Not required | Partial | None | None | The report API in the crypto user configuration API in the Linux kernel through 3.8.2 uses an incorrect C library function for copying strings, which allows local users to obtain sensitive information from kernel stack memory by leveraging the CAP_NET_ADMIN capability. |
| 28 | CVE-2013-2506 | 264 | | | 2013-03-08 | 2013-03-18 | 4.0 | None | Remote | Low | ??? | None | Partial | None | app/models/spree/user.rb in spree_auth_devise in Spree 1.1.x before 1.1.6, 1.2.x, and 1.3.x does not perform mass assignment safely when updating a user, which allows remote authenticated users to assign arbitrary roles to themselves. |
| 29 | CVE-2013-2503 | 20 | | | 2013-03-11 | 2013-04-11 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | Privoxy before 3.0.21 does not properly handle Proxy-Authenticate and Proxy-Authorization headers in the client-server data stream, which makes it easier for remote HTTP servers to spoof the intended proxy service via a 407 (aka Proxy Authentication Required) HTTP status code. |
| 30 | CVE-2013-2501 | 79 | | XSS | 2013-03-22 | 2017-08-29 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in the Terillion Reviews plugin before 1.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the ProfileId field. |
| 31 | CVE-2013-2496 | 119 | | DoS Overflow | 2013-03-09 | 2018-10-30 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | The msrle_decode_8_16_24_32 function in msrledec.c in libavcodec in FFmpeg through 1.1.3 does not properly determine certain end pointers, which allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via crafted Microsoft RLE data. |
| 32 | CVE-2013-2495 | 189 | | DoS Overflow | 2013-03-09 | 2018-10-30 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | The iff_read_header function in iff.c in libavformat in FFmpeg through 1.1.3 does not properly handle data sizes for Interchange File Format (IFF) data during operations involving a CMAP chunk or a video codec, which allows remote attackers to cause a denial of service (integer overflow, out-of-bounds array access, and application crash) or possibly have unspecified other impact via a crafted header. |
| 33 | CVE-2013-2494 | 119 | | DoS Overflow | 2013-03-28 | 2013-03-29 | 4.9 | None | Remote | High | ??? | None | None | Complete | libdns in ISC DHCP 4.2.x before 4.2.5-P1 allows remote name servers to cause a denial of service (memory consumption) via vectors involving a regular expression, as demonstrated by a memory-exhaustion attack against a machine running a dhcpd process, a related issue to CVE-2013-2266. |
| 34 | CVE-2013-2493 | 119 | | DoS Overflow | 2013-03-07 | 2013-03-08 | 4.3 | None | Remote | Medium | Not required | None | None | Partial | The Hook_Terminate function in chrome_frame/protocol_sink_wrap.cc in the Google Chrome Frame plugin before 26.0.1410.28 for Internet Explorer does not properly handle attach tab requests, which allows user-assisted remote attackers to cause a denial of service (application crash) via an _blank value for the target attribute of an A element. |
| 35 | CVE-2013-2492 | 119 | | Exec Code Overflow | 2013-03-15 | 2016-12-07 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Stack-based buffer overflow in Firebird 2.1.3 through 2.1.5 before 18514, and 2.5.1 through 2.5.3 before 26623, on Windows allows remote attackers to execute arbitrary code via a crafted packet to TCP port 3050, related to a missing size check during extraction of a group number from CNCT information. |
| 36 | CVE-2013-2488 | 20 | | DoS | 2013-03-07 | 2018-10-30 | 5.0 | None | Remote | Low | Not required | None | None | Partial | The DTLS dissector in Wireshark 1.6.x before 1.6.14 and 1.8.x before 1.8.6 does not validate the fragment offset before invoking the reassembly state machine, which allows remote attackers to cause a denial of service (application crash) via a large offset value that triggers write access to an invalid memory location. |
| 37 | CVE-2013-2487 | 189 | | DoS | 2013-03-07 | 2018-10-30 | 7.8 | None | Remote | Low | Not required | None | None | Complete | epan/dissectors/packet-reload.c in the REsource LOcation And Discovery (aka RELOAD) dissector in Wireshark 1.8.x before 1.8.6 uses incorrect integer data types, which allows remote attackers to cause a denial of service (infinite loop) via crafted integer values in a packet, related to the (1) dissect_icecandidates, (2) dissect_kinddata, (3) dissect_nodeid_list, (4) dissect_storeans, (5) dissect_storereq, (6) dissect_storeddataspecifier, (7) dissect_fetchreq, (8) dissect_findans, (9) dissect_diagnosticinfo, (10) dissect_diagnosticresponse, (11) dissect_reload_messagecontents, and (12) dissect_reload_message functions, a different vulnerability than CVE-2013-2486. |
| 38 | CVE-2013-2486 | 189 | | DoS | 2013-03-07 | 2018-10-30 | 6.1 | None | Local Network | Low | Not required | None | None | Complete | The dissect_diagnosticrequest function in epan/dissectors/packet-reload.c in the REsource LOcation And Discovery (aka RELOAD) dissector in Wireshark 1.8.x before 1.8.6 uses an incorrect integer data type, which allows remote attackers to cause a denial of service (infinite loop) via crafted integer values in a packet. |
| 39 | CVE-2013-2485 | | | DoS | 2013-03-07 | 2018-10-30 | 6.1 | None | Local Network | Low | Not required | None | None | Complete | The FCSP dissector in Wireshark 1.6.x before 1.6.14 and 1.8.x before 1.8.6 allows remote attackers to cause a denial of service (infinite loop) via a malformed packet. |
| 40 | CVE-2013-2484 | | | DoS | 2013-03-07 | 2018-10-30 | 3.3 | None | Local Network | Low | Not required | None | None | Partial | The CIMD dissector in Wireshark 1.6.x before 1.6.14 and 1.8.x before 1.8.6 allows remote attackers to cause a denial of service (application crash) via a malformed packet. |
| 41 | CVE-2013-2483 | 189 | | DoS | 2013-03-07 | 2018-10-30 | 3.3 | None | Local Network | Low | Not required | None | None | Partial | The acn_add_dmp_data function in epan/dissectors/packet-acn.c in the ACN dissector in Wireshark 1.6.x before 1.6.14 and 1.8.x before 1.8.6 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via an invalid count value in ACN_DMP_ADT_D_RE DMP data. |
| 42 | CVE-2013-2482 | | | DoS | 2013-03-07 | 2018-10-30 | 6.1 | None | Local Network | Low | Not required | None | None | Complete | The AMPQ dissector in Wireshark 1.6.x before 1.6.14 and 1.8.x before 1.8.6 allows remote attackers to cause a denial of service (infinite loop) via a malformed packet. |
| 43 | CVE-2013-2481 | 189 | | DoS | 2013-03-07 | 2018-10-30 | 2.9 | None | Local Network | Medium | Not required | None | None | Partial | Integer signedness error in the dissect_mount_dirpath_call function in epan/dissectors/packet-mount.c in the Mount dissector in Wireshark 1.6.x before 1.6.14 and 1.8.x before 1.8.6, when nfs_file_name_snooping is enabled, allows remote attackers to cause a denial of service (application crash) via a negative length value. |
| 44 | CVE-2013-2480 | | | DoS | 2013-03-07 | 2018-10-30 | 3.3 | None | Local Network | Low | Not required | None | None | Partial | The RTPS and RTPS2 dissectors in Wireshark 1.6.x before 1.6.14 and 1.8.x before 1.8.6 allow remote attackers to cause a denial of service (application crash) via a malformed packet. |
| 45 | CVE-2013-2479 | | | DoS | 2013-03-07 | 2018-10-30 | 3.3 | None | Local Network | Low | Not required | None | None | Partial | The dissect_mpls_echo_tlv_dd_map function in epan/dissectors/packet-mpls-echo.c in the MPLS Echo dissector in Wireshark 1.8.x before 1.8.6 allows remote attackers to cause a denial of service (infinite loop) via invalid Sub-tlv data. |
| 46 | CVE-2013-2478 | 189 | | DoS Overflow | 2013-03-07 | 2018-10-30 | 3.3 | None | Local Network | Low | Not required | None | None | Partial | The dissect_server_info function in epan/dissectors/packet-ms-mms.c in the MS-MMS dissector in Wireshark 1.6.x before 1.6.14 and 1.8.x before 1.8.6 does not properly manage string lengths, which allows remote attackers to cause a denial of service (application crash) via a malformed packet that (1) triggers an integer overflow or (2) has embedded '\0' characters in a string. |
| 47 | CVE-2013-2477 | 119 | | DoS Overflow | 2013-03-07 | 2018-10-30 | 3.3 | None | Local Network | Low | Not required | None | None | Partial | The CSN.1 dissector in Wireshark 1.8.x before 1.8.6 does not properly manage function pointers, which allows remote attackers to cause a denial of service (application crash) via a malformed packet. |
| 48 | CVE-2013-2476 | 399 | | DoS | 2013-03-07 | 2018-10-30 | 6.1 | None | Local Network | Low | Not required | None | None | Complete | The dissect_hartip function in epan/dissectors/packet-hartip.c in the HART/IP dissector in Wireshark 1.8.x before 1.8.6 allows remote attackers to cause a denial of service (infinite loop) via a packet with a header that is too short. |
| 49 | CVE-2013-2475 | | | DoS | 2013-03-07 | 2018-10-30 | 3.3 | None | Local Network | Low | Not required | None | None | Partial | The TCP dissector in Wireshark 1.8.x before 1.8.6 allows remote attackers to cause a denial of service (application crash) via a malformed packet. |
| 50 | CVE-2013-2373 | 264 | | +Info | 2013-03-15 | 2013-03-18 | 6.4 | None | Remote | Low | Not required | Partial | Partial | None | The Engine in TIBCO Spotfire Web Player 3.3.x before 3.3.3, 4.0.x before 4.0.3, 4.5.x before 4.5.1, and 5.0.x before 5.0.1 does not properly implement access control, which allows remote attackers to obtain sensitive information or modify data via unspecified vectors. |