CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In May 2013

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2002-2443 20 DoS 2013-05-29 2021-02-02
5.0
None Remote Low Not required None None Partial
schpw.c in the kpasswd service in kadmind in MIT Kerberos 5 (aka krb5) before 1.11.3 does not properly validate UDP packets before sending responses, which allows remote attackers to cause a denial of service (CPU and bandwidth consumption) via a forged packet that triggers a communication loop, as demonstrated by krb_pingpong.nasl, a related issue to CVE-1999-0103.
2 CVE-2007-6746 20 2013-05-21 2013-06-21
5.8
None Remote Medium Not required Partial Partial None
telepathy-idle before 0.1.15 does not verify (1) that the issuer is a trusted CA, (2) that the server hostname matches a domain name in the subject's Common Name (CN), or (3) the expiration date of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
3 CVE-2009-5029 189 DoS Exec Code Overflow 2013-05-02 2013-05-03
6.8
None Remote Medium Not required Partial Partial Partial
Integer overflow in the __tzfile_read function in glibc before 2.15 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted timezone (TZ) file, as demonstrated using vsftpd.
4 CVE-2009-5135 20 1 2013-05-02 2018-10-10
5.0
None Remote Low Not required Partial None None
The Java XML parser in Echo before 2.1.1 and 3.x before 3.0.b6 allows remote attackers to read arbitrary files via a request containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
5 CVE-2011-4518 22 Dir. Trav. 2013-05-23 2013-06-03
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in the PmWebDir object in the web server in MICROSYS PROMOTIC before 8.1.5 allows remote attackers to read arbitrary files via unspecified vectors.
6 CVE-2011-4519 119 DoS Overflow 2013-05-23 2013-05-24
4.3
None Remote Medium Not required None None Partial
Stack-based buffer overflow in an ActiveX component in MICROSYS PROMOTIC before 8.1.5 allows remote attackers to cause a denial of service via a crafted web page.
7 CVE-2011-4520 119 DoS Overflow 2013-05-23 2013-05-24
4.3
None Remote Medium Not required None None Partial
Heap-based buffer overflow in an ActiveX component in MICROSYS PROMOTIC before 8.1.5 allows remote attackers to cause a denial of service via a crafted web page.
8 CVE-2011-4609 399 DoS 2013-05-02 2013-05-03
5.0
None Remote Low Not required None None Partial
The svc_run function in the RPC implementation in glibc before 2.15 allows remote attackers to cause a denial of service (CPU consumption) via a large number of RPC connections.
9 CVE-2012-0864 189 Overflow Bypass 2013-05-02 2013-05-03
6.8
None Remote Medium Not required Partial Partial Partial
Integer overflow in the vfprintf function in stdio-common/vfprintf.c in glibc 2.14 and other versions allows context-dependent attackers to bypass the FORTIFY_SOURCE protection mechanism, conduct format string attacks, and write to arbitrary memory via a large number of arguments.
10 CVE-2012-4481 264 2013-05-02 2014-02-12
4.3
None Remote Medium Not required None Partial None
The safe-level feature in Ruby 1.8.7 allows context-dependent attackers to modify strings via the NameError#to_s method when operating on Ruby objects. NOTE: this issue is due to an incomplete fix for CVE-2011-1005.
11 CVE-2012-4697 255 2013-05-23 2013-06-24
10.0
None Remote Low Not required Complete Complete Complete
TURCK BL20 Programmable Gateway and BL67 Programmable Gateway have hardcoded accounts, which allows remote attackers to obtain administrative access via an FTP session.
12 CVE-2012-4952 255 +Info 2013-05-01 2013-05-21
5.0
None Remote Low Not required Partial None None
Henry Schein Dentrix G5 before 15.1.294 has a single internal-database password that is shared across different customers' installations, which allows remote attackers to obtain sensitive information about patients by leveraging knowledge of this password from another installation.
13 CVE-2012-5222 200 +Info 2013-05-02 2019-10-09
5.0
None Remote Low Not required Partial None None
HP Service Manager Web Tier 9.31 before 9.31.2004 p2 allows remote attackers to obtain sensitive information via unspecified vectors.
14 CVE-2012-5657 200 DoS +Info 2013-05-02 2013-05-03
5.0
None Remote Low Not required Partial None None
The (1) Zend_Feed_Rss and (2) Zend_Feed_Atom classes in Zend_Feed in Zend Framework 1.11.x before 1.11.15 and 1.12.x before 1.12.1 allow remote attackers to read arbitrary files, send HTTP requests to intranet servers, and possibly cause a denial of service (CPU and memory consumption) via an XML External Entity (XXE) attack.
15 CVE-2012-6137 255 +Info 2013-05-21 2017-08-29
4.3
None Remote Medium Not required None Partial None
rhn-migrate-classic-to-rhsm tool in Red Hat subscription-manager does not verify the Red Hat Network Classic server's X.509 certificate when migrating to a Certificate-based Red Hat Network, which allows remote man-in-the-middle attackers to obtain sensitive information such as user credentials.
16 CVE-2012-6399 20 2013-05-27 2013-05-28
5.8
None Remote Medium Not required Partial Partial None
Cisco WebEx 4.1 on iOS does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, aka Bug ID CSCud94176.
17 CVE-2012-6552 2013-05-10 2013-05-13
10.0
None Remote Low Not required Complete Complete Complete
Unspecified vulnerability in admin/action.php in phpVMS 2.1.x before 2.1.935 has unknown impact and attack vectors.
18 CVE-2012-6553 119 Exec Code Overflow 2013-05-23 2017-08-29
9.3
None Remote Medium Not required Complete Complete Complete
Heap-based buffer overflow in Resource Hacker 3.6.0.92 allows remote attackers to execute arbitrary code via a Portable Executable (PE) file with a resource section containing a string that has many tab or line feed characters.
19 CVE-2012-6554 20 1 Exec Code 2013-05-23 2017-08-29
6.5
None Remote Low ??? Partial Partial Partial
functions/html_to_text.php in the Chat module before 1.5.2 for activeCollab allows remote authenticated users to execute arbitrary PHP code via the message[message_text] parameter to chat/add_messag, which is not properly handled when executing the preg_replace function with the eval switch.
20 CVE-2012-6555 79 1 XSS 2013-05-23 2021-11-09
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the LatestComment plugin 1.1 for Vanilla Forums allows remote attackers to inject arbitrary web script or HTML via the discussion title.
21 CVE-2012-6556 79 1 XSS 2013-05-23 2020-06-04
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the FirstLastNames plugin 1.1.1 for Vanilla Forums allow remote attackers to inject arbitrary web script or HTML via the (1) User/FirstName or (2) User/LastName parameter to the edit user page. NOTE: some of these details are obtained from third party information.
22 CVE-2012-6557 79 1 XSS 2013-05-23 2020-06-04
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the AboutMe plugin 1.1.1 for Vanilla Forums allow remote attackers to inject arbitrary web script or HTML via the (1) AboutMe/RealName, (2) AboutMe/Name, (3) AboutMe/Quote, (4) AboutMe/Loc, (5) AboutMe/Emp, (6) AboutMe/JobTit, (7) AboutMe/HS, (8) AboutMe/Col, (9) AboutMe/Bio, (10) AboutMe/Inter, (11) AboutMe/Mus, (12) AboutMe/Gam, (13) AboutMe/Mov, (14) AboutMe/FTV, or (15) AboutMe/Bks parameter to the Edit My Details page. NOTE: some of these details are obtained from third party information.
23 CVE-2012-6558 119 Exec Code Overflow 2013-05-23 2017-08-29
9.3
None Remote Medium Not required Complete Complete Complete
Heap-based buffer overflow in HeavenTools PE Explorer 1.99 R6 allows remote attackers to execute arbitrary code via the size value for a string in the resource section of a Portable Executable (PE) file.
24 CVE-2012-6559 79 1 XSS 2013-05-23 2017-08-29
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in FreeNAC 3.02 allow remote attackers to inject arbitrary web script or HTML via the (1) comment, (2) mac, (3) graphtype, (4) name, or (5) type parameter to stats.php; or (6) comment parameter to deviceadd.php.
25 CVE-2012-6560 20 1 Exec Code Sql 2013-05-23 2017-08-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in deviceadd.php in FreeNAC 3.02 allows remote attackers to execute arbitrary SQL commands via the status parameter.
26 CVE-2012-6561 79 XSS 2013-05-23 2017-08-29
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in engine/lib/views.php in Elgg before 1.8.5 allows remote attackers to inject arbitrary web script or HTML via the view parameter to index.php. NOTE: some of these details are obtained from third party information.
27 CVE-2012-6562 264 2013-05-23 2017-08-29
6.8
None Remote Medium Not required Partial Partial Partial
engine/lib/users.php in Elgg before 1.8.5 does not properly specify permissions for the useradd action, which allows remote attackers to create arbitrary accounts.
28 CVE-2012-6563 264 2013-05-23 2017-08-29
4.3
None Remote Medium Not required Partial None None
engine/lib/access.php in Elgg before 1.8.5 does not properly clear cached access lists during plugin boot, which allows remote attackers to read private entities via unspecified vectors.
29 CVE-2013-0096 264 Bypass 2013-05-15 2018-10-12
6.8
None Remote Medium Not required Partial Partial Partial
Writer in Microsoft Windows Essentials 2011 and 2012 allows remote attackers to bypass proxy settings and overwrite arbitrary files via crafted URL parameters, aka "Windows Essentials Improper URI Handling Vulnerability."
30 CVE-2013-0127 264 Exec Code Bypass 2013-05-01 2017-08-29
5.8
None Remote Medium Not required Partial Partial None
IBM Lotus Notes 8.x before 8.5.3 FP4 Interim Fix 1 and 9.0 before Interim Fix 1 does not block APPLET elements in HTML e-mail, which allows remote attackers to bypass intended restrictions on Java code execution and X-Confirm-Reading-To functionality via a crafted message, aka SPRs JMOY95BLM6 and JMOY95BN49.
31 CVE-2013-0140 89 Exec Code Sql 2013-05-01 2017-11-16
7.9
None Local Network Medium Not required Complete Complete Complete
SQL injection vulnerability in the Agent-Handler component in McAfee ePolicy Orchestrator (ePO) before 4.5.7 and 4.6.x before 4.6.6 allows remote attackers to execute arbitrary SQL commands via a crafted request over the Agent-Server communication channel.
32 CVE-2013-0141 22 Dir. Trav. 2013-05-01 2017-11-16
4.3
None Local Network Medium Not required Partial Partial None
Directory traversal vulnerability in McAfee ePolicy Orchestrator (ePO) before 4.5.7 and 4.6.x before 4.6.6 allows remote attackers to upload arbitrary files via a crafted request over the Agent-Server communication channel, as demonstrated by writing to the Software/ directory.
33 CVE-2013-0145 119 DoS Exec Code Overflow 2013-05-20 2013-05-23
5.0
None Remote Low Not required None None Partial
Buffer overflow in the TFTPD service in Serva32 2.1.0 allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a long string in a read request.
34 CVE-2013-0305 200 +Info 2013-05-02 2013-05-15
4.0
None Remote Low ??? Partial None None
The administrative interface for Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 does not check permissions for the history view, which allows remote authenticated administrators to obtain sensitive object history information.
35 CVE-2013-0306 189 DoS Bypass 2013-05-02 2013-05-15
5.0
None Remote Low Not required None None Partial
The form library in Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 allows remote attackers to bypass intended resource limits for formsets and cause a denial of service (memory consumption) or trigger server errors via a modified max_num parameter.
36 CVE-2013-0482 2013-05-29 2017-08-29
4.3
None Remote Medium Not required None Partial None
IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.29, 8.0 before 8.0.0.6, and 8.5 through 8.5.0.2 and WebSphere Message Broker 6.1, 7.0 through 7.0.0.5, and 8.0 through 8.0.0.2, when WS-Security is used, allows remote attackers to spoof the signatures of messages via a crafted SOAP message, related to a "Signature Wrap attack," a different vulnerability than CVE-2011-1377 and CVE-2013-0489.
37 CVE-2013-0499 79 XSS 2013-05-28 2017-08-29
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the echo functionality on IBM WebSphere DataPower SOA appliances with firmware 3.8.2, 4.0, 4.0.1, 4.0.2, and 5.0.0 allows remote attackers to inject arbitrary web script or HTML via a SOAP message, as demonstrated by the XML Firewall, Multi Protocol Gateway (MPGW), Web Service Proxy, and Web Token services.
38 CVE-2013-0518 20 2013-05-10 2017-08-29
4.3
None Remote Medium Not required None Partial None
IBM Sterling Secure Proxy 3.2.0 and 3.3.01 before 3.3.01.23 Interim Fix 1, 3.4.0 before 3.4.0.6 Interim Fix 1, and 3.4.1 before 3.4.1.7 does not refuse to be rendered in different-origin frames, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web site.
39 CVE-2013-0519 200 +Info 2013-05-10 2017-08-29
5.0
None Remote Low Not required Partial None None
IBM Sterling Secure Proxy 3.2.0 and 3.3.01 before 3.3.01.23 Interim Fix 1, 3.4.0 before 3.4.0.6 Interim Fix 1, and 3.4.1 before 3.4.1.7 provides web-server version data in (1) an unspecified page title and (2) an unspecified HTTP header field, which allows remote attackers to obtain potentially sensitive information by reading a version string.
40 CVE-2013-0520 20 +Info 2013-05-10 2017-08-29
4.0
None Remote Low ??? Partial None None
IBM Sterling Secure Proxy 3.2.0 and 3.3.01 before 3.3.01.23 Interim Fix 1, 3.4.0 before 3.4.0.6 Interim Fix 1, and 3.4.1 before 3.4.1.7 allows remote authenticated users to obtain sensitive Java stack-trace information by providing invalid input data.
41 CVE-2013-0535 79 XSS 2013-05-02 2017-08-29
3.5
None Remote Medium ??? None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the Classic Meeting Server in IBM Sametime 7.5.1.2 through 8.5.2.1 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
42 CVE-2013-0538 79 XSS 2013-05-01 2017-08-29
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in IBM Lotus Notes 8.x before 8.5.3 FP4 Interim Fix 1 and 9.0 before Interim Fix 1 allows remote attackers to inject arbitrary web script or HTML via a SCRIPT element in an HTML e-mail message, aka SPRs JMOY95BLM6 and JMOY95BN49.
43 CVE-2013-0576 79 XSS 2013-05-28 2017-08-29
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Tivoli Enterprise Portal browser client in IBM Tivoli Monitoring 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP09, and 6.2.3 through FP02 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
44 CVE-2013-0578 287 +Info 2013-05-10 2017-08-29
3.5
None Remote Medium ??? Partial None None
The Sterling Order Management APIs in IBM Sterling Multi-Channel Fulfillment Solution 8.0 before HF128 and IBM Sterling Selling and Fulfillment Foundation 8.5 before HF93, 9.0 before HF73, 9.1.0 before FP45, and 9.2.0 before FP17, when the API tester is enabled, do not require administrative credentials, which allows remote authenticated users to obtain sensitive database information via a request to the API tester URI.
45 CVE-2013-0582 79 XSS 2013-05-02 2013-05-03
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 before 6.2.0.12, 6.2.1 before 6.2.1.5, and 6.2.2 before 6.2.2.4 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.2.0 before 6.2.0.12 and 6.2.1 before 6.2.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted URL that triggers a SAML 2.0 response.
46 CVE-2013-0599 200 +Info 2013-05-28 2017-08-29
5.0
None Remote Low Not required Partial None None
IBM Eclipse Help System (IEHS), as used in IBM Rational Directory Server 5.1.1 through 5.1.1.2 and 5.2 through 5.2.1 and other products, allows remote attackers to obtain sensitive information by providing a crafted parameter path and then reading the debug information associated with the 500 HTTP status code.
47 CVE-2013-0600 Bypass 2013-05-09 2013-05-09
9.3
None Remote Medium Not required Complete Complete Complete
Unspecified vulnerability on IBM WebSphere DataPower XC10 Appliance devices 2.0 and 2.1 through 2.1 FP3 allows remote attackers to bypass authentication and perform administrative actions via unknown vectors.
48 CVE-2013-0666 399 DoS 2013-05-01 2013-05-01
5.0
None Remote Low Not required None None Partial
The configuration utility in MatrikonOPC Security Gateway 1.0 allows remote attackers to cause a denial of service (unhandled exception and application crash) via a TCP RST packet.
49 CVE-2013-0673 22 Dir. Trav. 2013-05-01 2013-05-01
9.4
None Remote Low Not required Complete None Complete
Directory traversal vulnerability in the web interface in the Health Monitor service in MatrikonOPC A&E Historian 1.0.0.0 allows remote attackers to read and delete arbitrary files via a crafted URL.
50 CVE-2013-0684 89 Exec Code Sql 2013-05-09 2013-05-09
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in Invensys Wonderware Information Server (WIS) 4.0 SP1SP1, 4.5- Portal, and 5.0- Portal allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
Total number of vulnerabilities : 357   Page : 1 (This Page)2 3 4 5 6 7 8
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.