| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2013-5965 | 264 | | +Info | 2013-09-30 | 2014-05-05 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The Node View Permissions module 7.x-1.x before 7.x-1.2 for Drupal does not properly implement the hook_query_alter function, which might allow remote attackers to obtain sensitive information by reading a node listing. |
| 2 | CVE-2013-5963 | | | Exec Code | 2013-09-30 | 2017-08-29 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Unrestricted file upload vulnerability in multi.php in Simple Dropbox Upload plugin before 1.8.8.1 for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in wp-content/uploads/wpdb/. |
| 3 | CVE-2013-5962 | | 1 | Exec Code | 2013-09-30 | 2017-08-29 | 5.1 | None | Remote | High | Not required | Partial | Partial | Partial | Unrestricted file upload vulnerability in frames/upload-images.php in the Complete Gallery Manager plugin before 3.3.4 rev40279 for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in wp-content/[year]/[month]/. |
| 4 | CVE-2013-5961 | | 1 | Exec Code | 2013-09-30 | 2017-08-29 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Unrestricted file upload vulnerability in lazyseo.php in the Lazy SEO plugin 1.1.9 for WordPress allows remote attackers to execute arbitrary PHP code by uploading a PHP file, then accessing it via a direct request to the file in lazy-seo/. |
| 5 | CVE-2013-5960 | 310 | | Bypass | 2013-09-30 | 2019-02-04 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | The authenticated-encryption feature in the symmetric-encryption implementation in the OWASP Enterprise Security API (ESAPI) for Java 2.x before 2.1.0.1 does not properly resist tampering with serialized ciphertext, which makes it easier for remote attackers to bypass intended cryptographic protection mechanisms via an attack against the intended cipher mode in a non-default configuration, a different vulnerability than CVE-2013-5679. |
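Entry 5 is an authenticated-encryption scheme whose MAC did not protect everything in the serialized ciphertext. The block below is an added illustration of that failure class, written for this page and not taken from ESAPI; the page does not say which field ESAPI left uncovered, so the IV is used here purely as the example of an unauthenticated field. The cipher is a stand-in keystream built from HMAC-SHA256 (not a real cipher) so the example runs with the standard library only; the keys, token layout and message are constructed.

```python
import hashlib
import hmac
import os
import struct

# Constructed demo keys; a real system derives separate encryption and MAC keys from a master key.
KEY_ENC = b"\x11" * 32
KEY_MAC = b"\x22" * 32
IV_LEN = 16
MAC_LEN = 32


def keystream(key, iv, n):
    # Stand-in for a block cipher in counter mode: HMAC-SHA256(key, iv || counter), truncated to n bytes.
    # Not a real cipher; it only reproduces the property that the keystream depends on the IV.
    out = b""
    counter = 0
    while len(out) < n:
        out += hmac.new(key, iv + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def seal(plaintext, mac_covers_iv, iv=None):
    # Serialized ciphertext is iv || ct || tag. The only difference between the two variants is
    # whether the tag is computed over ct alone (weak) or over iv || ct (correct).
    iv = os.urandom(IV_LEN) if iv is None else iv
    ct = xor(plaintext, keystream(KEY_ENC, iv, len(plaintext)))
    mac_input = iv + ct if mac_covers_iv else ct
    tag = hmac.new(KEY_MAC, mac_input, hashlib.sha256).digest()
    return iv + ct + tag


def open_token(token, mac_covers_iv):
    if len(token) < IV_LEN + MAC_LEN:
        raise ValueError("token too short")
    iv, ct, tag = token[:IV_LEN], token[IV_LEN:-MAC_LEN], token[-MAC_LEN:]
    mac_input = iv + ct if mac_covers_iv else ct
    expected = hmac.new(KEY_MAC, mac_input, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("MAC check failed")
    return xor(ct, keystream(KEY_ENC, iv, len(ct)))


def tamper_iv(token):
    # Attacker flips one bit of the IV field without touching ct or tag.
    return bytes([token[0] ^ 0x01]) + token[1:]


def tampering_outcome(mac_covers_iv):
    # Reports whether the receiver accepted the tampered token and whether the plaintext survived.
    msg = b"amount=100;to=alice"
    token = seal(msg, mac_covers_iv, iv=b"\x00" * IV_LEN)
    try:
        recovered = open_token(tamper_iv(token), mac_covers_iv)
    except ValueError:
        return {"accepted": False, "plaintext_intact": False}
    return {"accepted": True, "plaintext_intact": recovered == msg}
```

With `mac_covers_iv=False` the modified token passes verification and decrypts to garbage that the application will happily process; with `mac_covers_iv=True` the tamper is caught before a single byte is decrypted. The rule to take from it: every field the decryptor reads from the serialized blob (IV, cipher mode, algorithm name, key-derivation parameters, format version) has to be inside the MAC, not just the ciphertext bytes.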
| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 6 | CVE-2013-5959 | 119 | | DoS Overflow | 2013-09-28 | 2013-10-11 | 7.1 | None | Remote | Medium | Not required | None | None | Complete | Blue Coat ProxySG before 6.2.14.1, 6.3.x, 6.4.x, and 6.5 before 6.5.2 allows remote attackers to cause a denial of service (memory consumption and dropped connections) via a recursive href in an HTML page, which triggers a large number of HTTP RW pipeline pre-fetch requests. |
| 7 | CVE-2013-5943 | 79 | | XSS | 2013-09-27 | 2013-10-07 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in Graphite before 0.9.11 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 8 | CVE-2013-5942 | 94 | | Exec Code | 2013-09-27 | 2013-10-07 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Graphite 0.9.5 through 0.9.10 uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, related to (1) remote_storage.py, (2) storage.py, (3) render/datalib.py, and (4) whitelist/views.py, a different vulnerability than CVE-2013-5093. |
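Entry 8 is the classic unsafe-`pickle` pattern: a stream can name any importable callable and the arguments to call it with. The added example below is written for this page (it is not Graphite's code and does not reproduce its fix) and shows both halves: a constructed payload whose `__reduce__` makes the receiver call `builtins.eval`, and an `Unpickler` subclass whose `find_class` refuses every global outside a small allow-list, which is the standard mitigation when the wire format cannot be changed. The metric name and points are constructed sample data.

```python
import builtins
import io
import pickle


class EvalGadget:
    """Constructed attacker object: its pickle stream tells the receiver to call builtins.eval."""

    def __reduce__(self):
        # On unpickling, pickle "reconstructs" the object by calling eval(...) with these arguments.
        return (eval, ("__import__('os').getcwd()",))


def attacker_payload():
    return pickle.dumps(EvalGadget(), protocol=2)


def benign_payload():
    # What a legitimate peer would send: plain containers and numbers, no class references at all.
    return pickle.dumps({"metric": "carbon.agents.a.cpuUsage", "points": [(1380000000, 0.5)]})


def unsafe_load(data):
    # The vulnerable pattern: pickle.loads on data that arrived over the network.
    # Any importable callable named in the stream is invoked with attacker-chosen arguments.
    return pickle.loads(data)


SAFE_BUILTINS = {"range", "complex", "set", "frozenset", "slice"}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        # Every GLOBAL opcode passes through here. Allow a fixed list and refuse everything else,
        # which turns arbitrary-callable execution into an UnpicklingError before anything runs.
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError("global '%s.%s' is forbidden" % (module, name))


def safe_load(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def rejected_by_safe_load(data):
    try:
        safe_load(data)
    except pickle.UnpicklingError:
        return True
    return False
```

`unsafe_load(attacker_payload())` returns the working directory because `eval` really ran; swap the string for anything else and the receiver runs that instead. `safe_load` rejects the same bytes without executing them, while plain dicts, lists and tuples (which need no `find_class` lookup) still load. The allow-list approach only makes sense if the data you need is expressible in primitives; when it is not, replace pickle with a format that cannot carry code.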
| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 9 | CVE-2013-5938 | 79 | | XSS | 2013-09-25 | 2017-08-29 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in the Click2Sell Suite module 6.x-1.x for Drupal allows remote attackers to inject arbitrary web script or HTML via a confirmation form. |
| 10 | CVE-2013-5937 | 352 | | CSRF | 2013-09-25 | 2017-08-29 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Cross-site request forgery (CSRF) vulnerability in the Click2Sell Suite module 6.x-1.x for Drupal allows remote attackers to hijack the authentication of administrators for requests that delete database information via vectors involving the Drupal Form API. |
| 11 | CVE-2013-5936 | 200 | | +Info | 2013-09-25 | 2013-09-25 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | The Hazelcast cluster API in Open-Xchange AppSuite 7.0.x before 7.0.2-rev15 and 7.2.x before 7.2.2-rev16 allows remote attackers to obtain sensitive information about (1) runtime activity, (2) network configuration, (3) user sessions, (4) the memcache interface, and (5) the REST interface via API calls such as a hazelcast/rest/cluster/ call, a different vulnerability than CVE-2013-5200. |
| 12 | CVE-2013-5935 | 200 | | +Info | 2013-09-25 | 2013-09-25 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | The Hazelcast cluster API in Open-Xchange AppSuite 7.0.x before 7.0.2-rev15 and 7.2.x before 7.2.2-rev16 does not properly restrict the set of network interfaces that can receive API calls, which makes it easier for remote attackers to obtain access by sending network traffic from an unintended location, a different vulnerability than CVE-2013-5200. |
| 13 | CVE-2013-5934 | 255 | | | 2013-09-25 | 2013-09-25 | 4.0 | None | Remote | High | Not required | Partial | Partial | None | Open-Xchange AppSuite 7.0.x before 7.0.2-rev15 and 7.2.x before 7.2.2-rev16 has a hardcoded password for node join operations, which allows remote attackers to expand a cluster by finding this password in the source code and then sending the password in a Hazelcast cluster API call, a different vulnerability than CVE-2013-5200. |
| 14 | CVE-2013-5933 | 119 | | DoS Overflow +Priv Mem. Corr. | 2013-09-25 | 2013-09-25 | 6.9 | None | Local | Medium | Not required | Complete | Complete | Complete | Stack-based buffer overflow in the sub_E110 function in init in a certain configuration of Android 2.3.7 on the Motorola Defy XT phone for Republic Wireless allows local users to gain privileges or cause a denial of service (memory corruption) by writing a long string to the /dev/socket/init_runit socket that is inconsistent with a certain length value that was previously written to this socket. |
| 15 | CVE-2013-5932 | | | | 2013-09-23 | 2013-10-03 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | Unspecified vulnerability in WebAdmin in Sophos UTM (aka Astaro Security Gateway) before 9.105 has unknown impact and attack vectors. |
| 16 | CVE-2013-5931 | 89 | | Exec Code Sql | 2013-09-23 | 2013-10-15 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | SQL injection vulnerability in property_listings_detail.php in Real Estate PHP Script allows remote attackers to execute arbitrary SQL commands via the listingid parameter. |
| 17 | CVE-2013-5930 | 79 | | XSS | 2013-09-23 | 2017-08-29 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in search_residential.php in Real Estate PHP Script allows remote attackers to inject arbitrary web script or HTML via the bos parameter. |
| 18 | CVE-2013-5918 | 79 | | XSS | 2013-09-23 | 2013-09-23 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in platinum_seo_pack.php in the Platinum SEO plugin before 1.3.8 for WordPress allows remote attackers to inject arbitrary web script or HTML via the s parameter. |
| 19 | CVE-2013-5917 | 89 | | Exec Code Sql | 2013-09-23 | 2013-09-23 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | SQL injection vulnerability in wp-comments-post.php in the NOSpam PTI plugin 2.1 for WordPress allows remote attackers to execute arbitrary SQL commands via the comment_post_ID parameter. |
| 20 | CVE-2013-5911 | 79 | | XSS | 2013-09-24 | 2013-10-15 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in devform.php in Tenable SecurityCenter 4.6 through 4.7 allows remote attackers to inject arbitrary web script or HTML via the message parameter. |
| 21 | CVE-2013-5903 | 79 | | XSS | 2013-09-23 | 2013-09-24 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in Graphite before 0.9.11 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 22 | CVE-2013-5754 | 264 | | | 2013-09-17 | 2013-09-25 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | The authorization implementation on Dahua DVR appliances accepts a hash string representing the current date for the role of a master password, which makes it easier for remote attackers to obtain administrative access and change the administrator password via requests involving (1) ActiveX, (2) a standalone client, or (3) unspecified other vectors, a different vulnerability than CVE-2013-3612. |
| 23 | CVE-2013-5751 | 22 | | Dir. Trav. | 2013-09-16 | 2017-08-29 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Directory traversal vulnerability in SAP NetWeaver 7.x allows remote attackers to read arbitrary files via unspecified vectors. |
| 24 | CVE-2013-5750 | 399 | | DoS | 2013-09-25 | 2013-10-15 | 5.0 | None | Remote | Low | Not required | None | None | Partial | The login form in the FriendsOfSymfony FOSUserBundle bundle before 1.3.3 for Symfony allows remote attackers to cause a denial of service (CPU consumption) via a long password that triggers an expensive hash computation, as demonstrated by a PBKDF2 computation. |
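Entry 24 is worth a closer look because the cost blow-up is not obvious from the description: PBKDF2 is supposed to be slow per iteration, but only by a fixed amount. The added example below (written for this page in Python, not the Symfony or FOSUserBundle code) shows the mechanism. HMAC hashes a key longer than the hash block size (64 bytes for SHA-256) down to a digest before use; an implementation that re-keys HMAC with the raw password on every iteration therefore hashes the attacker's whole password `iterations` times, while an implementation that keys once and copies the state pays that cost once. Both produce identical output, verified against `hashlib.pbkdf2_hmac`. A counting SHA-256 wrapper makes the difference measurable; the 4096-byte password cap is an illustrative assumption, the point being that the check runs before any hashing.

```python
import hashlib
import hmac
import struct

# Illustrative cap (an assumption for this example): the check runs before any hashing.
MAX_PASSWORD_BYTES = 4096


class CountingSha256:
    """SHA-256 wrapper that counts bytes absorbed, so the two PBKDF2 variants can be compared."""
    absorbed = 0
    block_size = 64
    digest_size = 32
    name = "sha256"

    def __init__(self, data=b""):
        self._h = hashlib.sha256()
        self.update(data)

    def update(self, data):
        CountingSha256.absorbed += len(data)
        self._h.update(data)

    def digest(self):
        return self._h.digest()

    def copy(self):
        clone = CountingSha256.__new__(CountingSha256)
        clone._h = self._h.copy()
        return clone


def pbkdf2_rekey_each_iteration(password, salt, iterations, digestmod="sha256"):
    # One-block PBKDF2 written the way the vulnerable pattern works: a fresh HMAC is keyed with the
    # raw password on every iteration. hmac.new() hashes any key longer than the block size first,
    # so a long password is absorbed `iterations` times.
    u = hmac.new(password, salt + struct.pack(">I", 1), digestmod).digest()
    t = bytearray(u)
    for _ in range(iterations - 1):
        u = hmac.new(password, u, digestmod).digest()
        for i in range(len(t)):
            t[i] ^= u[i]
    return bytes(t)


def pbkdf2_key_once(password, salt, iterations, digestmod="sha256"):
    # Same output, but the password is absorbed once into an HMAC state that is copied per iteration.
    keyed = hmac.new(password, None, digestmod)

    def prf(msg):
        h = keyed.copy()
        h.update(msg)
        return h.digest()

    u = prf(salt + struct.pack(">I", 1))
    t = bytearray(u)
    for _ in range(iterations - 1):
        u = prf(u)
        for i in range(len(t)):
            t[i] ^= u[i]
    return bytes(t)


def matches_stdlib(password, salt, iterations):
    ref = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, 32)
    return (pbkdf2_rekey_each_iteration(password, salt, iterations) == ref
            and pbkdf2_key_once(password, salt, iterations) == ref)


def absorbed_bytes(password, salt, iterations):
    # Bytes the hash core had to process for each variant on the same input.
    CountingSha256.absorbed = 0
    pbkdf2_rekey_each_iteration(password, salt, iterations, CountingSha256)
    rekey = CountingSha256.absorbed
    CountingSha256.absorbed = 0
    pbkdf2_key_once(password, salt, iterations, CountingSha256)
    once = CountingSha256.absorbed
    return rekey, once


def login_password_acceptable(password):
    # The defensive check the entry implies: refuse oversized passwords before the encoder runs.
    return len(password) <= MAX_PASSWORD_BYTES
```

For a 100 kB password and 100 iterations the re-keying variant absorbs roughly 10 MB against about 100 kB for the key-once variant, and the gap grows linearly with the iteration count an installation chose for security. Fixing the encoder helps, but the login form should still reject absurd password lengths up front: no legitimate user needs a kilobyte of password, and the cap costs nothing.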
| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 25 | CVE-2013-5740 | | | Exec Code Bypass | 2013-09-12 | 2014-07-11 | 6.9 | None | Local | Medium | Not required | Complete | Complete | Complete | Unspecified vulnerability in the Intel Trusted Execution Technology (TXT) SINIT Authenticated Code Modules (ACM) before 1.2, as used by the Intel QM77, QS77, Q77 Express, C216, Q67 Express, C202, C204, and C206 chipsets and Mobile Intel QM67 and QS67 chipsets, when the measured launch environment (MLE) is invoked, allows local users to bypass the Trusted Execution Technology protection mechanism and perform other unspecified SINIT ACM functions via unspecified vectors. |
| 26 | CVE-2013-5739 | 79 | | XSS | 2013-09-12 | 2013-09-27 | 3.5 | None | Remote | Medium | Single | None | Partial | None | The default configuration of WordPress before 3.6.1 does not prevent uploads of .swf and .exe files, which might make it easier for remote authenticated users to conduct cross-site scripting (XSS) attacks via a crafted file, related to the get_allowed_mime_types function in wp-includes/functions.php. |
| 27 | CVE-2013-5738 | 20 | | XSS | 2013-09-12 | 2013-09-27 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | The get_allowed_mime_types function in wp-includes/functions.php in WordPress before 3.6.1 does not require the unfiltered_html capability for uploads of .htm and .html files, which might make it easier for remote authenticated users to conduct cross-site scripting (XSS) attacks via a crafted file. |
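Entries 2 to 4 (arbitrary PHP dropped into a web-served upload directory) and entries 26 and 27 (active content such as .swf/.exe and .htm/.html accepted from users who are not trusted to post raw HTML) are two ends of the same upload-validation problem. The added example below, written for this page and not WordPress or plugin code, is an allow-list validator in the shape a practitioner would want: the extension set depends on the uploader's capability (the name `unfiltered_html` is borrowed from entry 27), every dot-separated segment is checked so `shell.php.png` does not slip past servers that map handlers on intermediate extensions, declared image and PDF types must carry the matching file signature, and the stored name is generated rather than taken from the client. The extension lists and sample files are constructed.

```python
import os
import secrets

# Constructed lists for illustration; tune them for the server actually fronting the upload directory.
IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}
DOCUMENT_EXTENSIONS = {"pdf", "txt"}
# Active content: renders script in a viewer's browser context, so only trusted uploaders get it.
ACTIVE_CONTENT_EXTENSIONS = {"htm", "html", "svg", "swf"}
# Server-side executables and server config; never accepted, at any position in the name.
ALWAYS_DENIED = {"php", "php3", "php4", "php5", "phtml", "phar", "cgi", "pl", "py",
                 "jsp", "asp", "aspx", "sh", "exe", "dll", "htaccess"}

# Leading bytes a file of the given type must start with (tuple so str.startswith can test all).
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}


def allowed_extensions(capabilities):
    allowed = IMAGE_EXTENSIONS | DOCUMENT_EXTENSIONS
    if "unfiltered_html" in capabilities:   # capability name taken from entry 27
        allowed = allowed | ACTIVE_CONTENT_EXTENSIONS
    return allowed


def validate_upload(client_filename, content, capabilities):
    """Returns (True, stored_name) or (False, reason). The client name is never used for storage."""
    # Strip any path the client sent, on either separator, so traversal never reaches the filesystem.
    base = os.path.basename(client_filename.replace("\\", "/"))
    parts = base.split(".")
    segments = [p.lower() for p in parts[1:]]
    if not parts[0] or not segments:
        return False, "missing name or extension (dotfiles such as .htaccess included)"
    # Check every segment, not only the last: x.php.png is executed by some handler configurations.
    if any(seg in ALWAYS_DENIED for seg in segments):
        return False, "denied extension present in filename"
    ext = segments[-1]
    if ext not in allowed_extensions(capabilities):
        return False, ".%s is not permitted for this uploader" % ext
    signatures = MAGIC.get(ext)
    if signatures and not content.startswith(signatures):
        return False, "content does not match the declared type"
    # Random stored name: unguessable, no client-controlled characters, extension is our own value.
    return True, "%s.%s" % (secrets.token_hex(16), ext)
```

Validation like this is necessary but not sufficient: the directory the files land in must also be served with script execution disabled (no PHP handler, no `.htaccess` overrides), because the entries above show exactly what happens when the upload path is also an execution path.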
| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 28 | CVE-2013-5723 | 89 | | Exec Code Sql | 2013-09-12 | 2018-12-10 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | SQL injection vulnerability in SAP NetWeaver 7.30 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, related to "ABAD0_DELETE_DERIVATION_TABLE." |
| 29 | CVE-2013-5722 | | | DoS | 2013-09-16 | 2018-10-30 | 4.3 | None | Remote | Medium | Not required | None | None | Partial | Unspecified vulnerability in the LDAP dissector in Wireshark 1.8.x before 1.8.10 and 1.10.x before 1.10.2 allows remote attackers to cause a denial of service (application crash) via a crafted packet. |
| 30 | CVE-2013-5721 | 20 | | DoS | 2013-09-16 | 2018-10-30 | 4.3 | None | Remote | Medium | Not required | None | None | Partial | The dissect_mq_rr function in epan/dissectors/packet-mq.c in the MQ dissector in Wireshark 1.8.x before 1.8.10 and 1.10.x before 1.10.2 does not properly determine when to enter a certain loop, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. |
| 31 | CVE-2013-5720 | 119 | | DoS Overflow | 2013-09-16 | 2018-10-30 | 5.0 | None | Remote | Low | Not required | None | None | Partial | Buffer overflow in the RTPS dissector in Wireshark 1.8.x before 1.8.10 and 1.10.x before 1.10.2 allows remote attackers to cause a denial of service (application crash) via a crafted packet. |
| 32 | CVE-2013-5719 | 399 | | DoS | 2013-09-16 | 2018-10-30 | 4.3 | None | Remote | Medium | Not required | None | None | Partial | epan/dissectors/packet-assa_r3.c in the ASSA R3 dissector in Wireshark 1.8.x before 1.8.10 and 1.10.x before 1.10.2 allows remote attackers to cause a denial of service (infinite loop) via a crafted packet. |
| 33 | CVE-2013-5718 | 264 | | DoS | 2013-09-16 | 2018-10-30 | 4.3 | None | Remote | Medium | Not required | None | None | Partial | The dissect_nbap_T_dCH_ID function in epan/dissectors/packet-nbap.c in the NBAP dissector in Wireshark 1.8.x before 1.8.10 and 1.10.x before 1.10.2 does not restrict the dch_id value, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. |
| 34 | CVE-2013-5717 | 20 | | DoS | 2013-09-16 | 2018-10-30 | 4.3 | None | Remote | Medium | Not required | None | None | Partial | The Bluetooth HCI ACL dissector in Wireshark 1.10.x before 1.10.2 does not properly maintain a certain free list, which allows remote attackers to cause a denial of service (application crash) via a crafted packet that is not properly handled by the wmem_block_alloc function in epan/wmem/wmem_allocator_block.c. |
| 35 | CVE-2013-5716 | 20 | 1 | DoS | 2013-09-09 | 2013-10-08 | 4.3 | None | Remote | Medium | Not required | None | None | Partial | Gretech GOM Media Player 2.2.53.5169 and possibly earlier allows remote attackers to cause a denial of service (application crash) via a crafted WAV file. |
| 36 | CVE-2013-5715 | 119 | | Overflow | 2013-09-09 | 2013-10-08 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | Buffer overflow in Gretech GOM Media Player before 2.2.53.5169 has unspecified impact and attack vectors. |
| 37 | CVE-2013-5714 | 79 | | XSS | 2013-09-09 | 2013-09-19 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in ls/htmlchat.php in the VideoWhisper Live Streaming Integration plugin 4.25.3 and possibly earlier for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) message parameter. NOTE: some of these details are obtained from third party information. |
| 38 | CVE-2013-5711 | 79 | | XSS | 2013-09-17 | 2013-09-25 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in admin/walkthrough/walkthrough.php in the Design Approval System plugin before 3.7 for WordPress allows remote attackers to inject arbitrary web script or HTML via the step parameter. |
| 39 | CVE-2013-5710 | 264 | | Bypass | 2013-09-23 | 2013-10-24 | 3.7 | None | Local | High | Not required | Partial | Partial | Partial | The nullfs implementation in sys/fs/nullfs/null_vnops.c in the kernel in FreeBSD 8.3 through 9.2 allows local users with certain permissions to bypass access restrictions via a hardlink in a nullfs instance to a file in a different instance. |
| 40 | CVE-2013-5709 | 189 | | | 2013-09-17 | 2020-02-10 | 8.3 | None | Remote | Medium | Not required | Partial | Partial | Complete | The authentication implementation in the web server on Siemens SCALANCE X-200 switches with firmware before 5.0.0 does not use a sufficient source of entropy for generating values of random numbers, which makes it easier for remote attackers to hijack sessions by predicting a value. |
| 41 | CVE-2013-5708 | 352 | | CSRF | 2013-09-06 | 2013-09-06 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Coursemill Learning Management System (LMS) 6.8 constructs secret tokens based on time values, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via vectors related to cookies, a different vulnerability than CVE-2013-3605. |
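Entries 40 and 41 describe the same root cause from two angles: a session or anti-CSRF value whose only entropy is something an attacker can guess, such as a clock. The page gives no detail on either product's generator, so the added example below (written for this page, not SCALANCE or Coursemill code) uses a constructed but typical vulnerable design: a non-cryptographic PRNG seeded once from a boot time in seconds, with successive outputs handed out as session identifiers. The attacker side brute-forces the seed from a couple of their own session ids and then predicts the next user's id exactly. The boot timestamp and login sequence are constructed; `secrets` shows the correct replacement.

```python
import random
import secrets


class WeakSessionServer:
    """Constructed vulnerable server: one PRNG seeded from a low-entropy value (a boot time in
    seconds), then successive outputs handed out as session identifiers."""

    def __init__(self, boot_time):
        self._rng = random.Random(boot_time)   # Mersenne Twister; the seed is the only secret

    def new_session_id(self):
        return "%016x" % self._rng.getrandbits(64)


class StrongSessionServer:
    def new_session_id(self):
        # CSPRNG-backed: there is no seed to recover and no sequence to replay.
        return secrets.token_hex(8)


def _stream(seed, count):
    rng = random.Random(seed)
    return ["%016x" % rng.getrandbits(64) for _ in range(count)]


def recover_seed(observed_ids, boot_guess, window, max_index=50):
    # Attacker side: the ids obtained for the attacker's own logins must appear consecutively in the
    # output stream of some seed within boot_guess +/- window seconds. Returns (seed, next_index).
    n = len(observed_ids)
    for seed in range(boot_guess - window, boot_guess + window + 1):
        stream = _stream(seed, max_index)
        for i in range(max_index - n + 1):
            if stream[i:i + n] == observed_ids:
                return seed, i + n
    return None


def predict_following(seed, start_index, count):
    # With the seed and position known, every later id is just the next PRNG output.
    return _stream(seed, start_index + count)[start_index:]


def demo_prediction():
    boot = 1378500000                                   # constructed boot timestamp
    server = WeakSessionServer(boot)
    mine = [server.new_session_id(), server.new_session_id()]   # attacker logs in twice
    victim = server.new_session_id()                            # next login is the victim's
    hit = recover_seed(mine, boot_guess=boot + 137, window=600)  # boot time known only roughly
    if hit is None:
        return None
    seed, next_index = hit
    return {"recovered_seed": seed,
            "predicted": predict_following(seed, next_index, 1)[0],
            "actual": victim}
```

The search covers 1201 candidate seeds and finishes instantly; widening the uncertainty to a day is still only 86400 seeds. Time-based CSRF tokens fail the same way, since the attacker can compute the token for the victim's approximate request time and embed it in the forged request. The fix is the one `StrongSessionServer` shows: draw tokens from the operating system's CSPRNG, where the output reveals nothing about the next output.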
| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 42 | CVE-2013-5707 | 79 | | XSS | 2013-09-06 | 2013-09-06 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in Coursemill Learning Management System (LMS) 6.8 allow remote attackers to inject arbitrary web script or HTML via crafted input containing a %22 sequence, a different issue than CVE-2013-3604. |
| 43 | CVE-2013-5706 | 79 | | XSS | 2013-09-06 | 2013-09-06 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in Coursemill Learning Management System (LMS) 6.8 allow remote attackers to inject arbitrary web script or HTML via vectors related to error messages and (1) crafted event attributes or (2) > (greater than) characters that are optional within a browser's HTML implementation, a different issue than CVE-2013-3603. |
| 44 | CVE-2013-5700 | 189 | | DoS | 2013-09-10 | 2020-03-18 | 5.0 | None | Remote | Low | Not required | None | None | Partial | The Bloom Filter implementation in bitcoind and Bitcoin-Qt 0.8.x before 0.8.4rc1 allows remote attackers to cause a denial of service (divide-by-zero error and daemon crash) via a crafted sequence of messages. |
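Entry 44 is a good example of a data-structure edge case becoming a remote crash: a Bloom filter maps each hash to a bit position with a modulo by the filter size, so a peer that supplies a zero-length filter and then sends something to match against it forces a division by zero. The added example below is written for this page and is not bitcoind's code; the index hash is a SHA-256 stand-in rather than MurmurHash3 and the placement of the guard is an assumption about how to fix the class, not a description of the upstream patch. Python raises `ZeroDivisionError` where the C++ daemon took a fatal SIGFPE, which is what lets the test observe the failure.

```python
import hashlib


class BloomFilter:
    """Constructed Bloom filter in the shape of a peer-supplied one: the bit array, the
    hash-function count and the tweak all arrive from the remote side."""

    def __init__(self, data, n_hash_funcs, tweak, guard_empty):
        self.data = bytearray(data)
        self.n_hash_funcs = n_hash_funcs
        self.tweak = tweak
        self.guard_empty = guard_empty

    def _index(self, i, item):
        # Stand-in for the MurmurHash3-based index function; the hash choice is irrelevant here.
        # The modulo is where an empty bit array turns into a divide-by-zero.
        h = hashlib.sha256(i.to_bytes(4, "little") + self.tweak.to_bytes(4, "little") + item).digest()
        return int.from_bytes(h[:4], "little") % (len(self.data) * 8)

    def insert(self, item):
        if self.guard_empty and not self.data:
            return
        for i in range(self.n_hash_funcs):
            idx = self._index(i, item)
            self.data[idx >> 3] |= 1 << (idx & 7)

    def contains(self, item):
        if self.guard_empty and not self.data:
            return False   # an empty filter can match nothing; never reach the modulo
        for i in range(self.n_hash_funcs):
            idx = self._index(i, item)
            if not (self.data[idx >> 3] >> (idx & 7)) & 1:
                return False
        return True


def empty_filter_outcome(guard_empty):
    # The "crafted sequence of messages": peer loads a zero-length filter, then a transaction
    # arrives and is matched against it.
    bf = BloomFilter(b"", n_hash_funcs=1, tweak=0, guard_empty=guard_empty)
    try:
        return "match" if bf.contains(b"tx-bytes") else "no match"
    except ZeroDivisionError:
        return "ZeroDivisionError"
```

The broader lesson for any peer-to-peer protocol handler: every parameter a remote node controls (sizes, counts, indices) needs a range check at the message boundary, because the arithmetic deeper in the code assumes values that a well-behaved client would always send. Note also that with `n_hash_funcs == 0` the loop body never runs and `contains` returns `True` for everything, so the count needs a lower bound too.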
| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 45 | CVE-2013-5698 | 79 | | XSS | 2013-09-05 | 2013-09-06 | 3.5 | None | Remote | Medium | Single | None | Partial | None | Cross-site scripting (XSS) vulnerability in Open-Xchange AppSuite and Server before 6.22.0 rev16, 6.22.1 before rev19, 7.0.1 before rev7, 7.0.2 before rev11, and 7.2.0 before rev8 allows remote authenticated users to inject arbitrary web script or HTML via a delivery=view action, aka Bug ID 26373, a different vulnerability than CVE-2013-3106. |
| 46 | CVE-2013-5697 | 89 | | Exec Code Sql | 2013-09-30 | 2013-10-11 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | SQL injection vulnerability in mod_accounting.c in the mod_accounting module 0.5 and earlier for Apache allows remote attackers to execute arbitrary SQL commands via a Host header. |
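Entry 46 differs from the other SQL injection entries on this page (16, 19, 28) only in where the tainted value comes from: a request header rather than a query parameter. That matters because logging and accounting modules routinely treat `Host` as trusted metadata, while in fact the client writes it. The added example below is written for this page and is not mod_accounting's code; it uses SQLite so it runs offline, with a constructed per-host accounting table, and shows the spliced query next to the parameterized one plus a syntactic sanity check on the header as defence in depth.

```python
import re
import sqlite3

# RFC 1123 style host name with an optional port; anything else is not a Host header we want to log.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*(:\d{1,5})?$"
)

# Constructed payload: a tautology that turns a per-host lookup into a dump of every row.
HOSTILE_HOST = "x' OR '1'='1"


def setup_db():
    # Constructed per-vhost accounting table standing in for the module's backend.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounting (host TEXT, bytes_sent INTEGER)")
    conn.executemany(
        "INSERT INTO accounting VALUES (?, ?)",
        [("www.example.test", 1200), ("intranet.example.test", 98000), ("files.example.test", 5000)],
    )
    return conn


def lookup_vulnerable(conn, host_header):
    # Vulnerable pattern: header text spliced into the statement. Host is attacker-controlled
    # on every request, exactly like a query parameter.
    sql = "SELECT host, bytes_sent FROM accounting WHERE host = '%s'" % host_header
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, host_header):
    # The value travels as a bound parameter; quotes and keywords in it are just characters.
    return conn.execute(
        "SELECT host, bytes_sent FROM accounting WHERE host = ?", (host_header,)
    ).fetchall()


def is_plausible_host_header(value):
    # Defence in depth, not a substitute for binding: reject values that cannot be a host name.
    return bool(HOSTNAME_RE.match(value))
```

With SQLite the damage is limited to the tautology because `execute` refuses stacked statements; drivers that allow multi-statement queries would also run `'; DROP TABLE accounting; --` from the same header. Parameter binding closes both, and the `Host` check in front of it stops junk from ever reaching the database layer or the logs.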
| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 47 | CVE-2013-5696 | 352 | | Exec Code Sql CSRF | 2013-09-23 | 2013-09-23 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | inc/central.class.php in GLPI before 0.84.2 does not attempt to make install/install.php unavailable after an installation is completed, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks, and (1) perform a SQL injection via an Etape_4 action or (2) execute arbitrary PHP code via an update_1 action. |
| 48 | CVE-2013-5693 | 79 | 1 | XSS | 2013-09-30 | 2013-10-11 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in X2Engine X2CRM before 3.5 allows remote attackers to inject arbitrary web script or HTML via the model parameter to index.php/admin/editor. |
| 49 | CVE-2013-5692 | 22 | 1 | Dir. Trav. | 2013-09-30 | 2013-10-01 | 8.5 | None | Remote | Medium | Single | Complete | Complete | Complete | Directory traversal vulnerability in X2Engine X2CRM before 3.5 allows remote authenticated administrators to include and execute arbitrary local files via a .. (dot dot) in the file parameter to index.php/admin/translationManager. |
| 50 | CVE-2013-5691 | 264 | | DoS +Priv | 2013-09-23 | 2013-10-24 | 6.9 | None | Local | Medium | Not required | Complete | Complete | Complete | The (1) IPv6 and (2) ATM ioctl request handlers in the kernel in FreeBSD 8.3 through 9.2-STABLE do not validate SIOCSIFADDR, SIOCSIFBRDADDR, SIOCSIFDSTADDR, and SIOCSIFNETMASK requests, which allows local users to perform link-layer actions, cause a denial of service (panic), or possibly gain privileges via a crafted application. |