CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 2 and 2.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
5051 CVE-2013-2030 264 2013-12-27 2014-05-05
2.1
None Local Low Not required None Partial None
keystone/middleware/auth_token.py in OpenStack Nova Folsom, Grizzly, and Havana uses an insecure temporary directory for storing signing certificates, which allows local users to spoof servers by pre-creating this directory, which is reused by Nova, as demonstrated using /tmp/keystone-signing-nova on Fedora.
5052 CVE-2013-2013 200 +Info 2013-10-01 2017-09-19
2.1
None Local Low Not required Partial None None
The user-password-update command in python-keystoneclient before 0.2.4 accepts the new password in the --password argument, which allows local users to obtain sensitive information by listing the process.
5053 CVE-2013-2006 200 +Info 2013-05-21 2014-05-05
2.1
None Local Low Not required Partial None None
OpenStack Identity (Keystone) Grizzly 2013.1.1, when DEBUG mode logging is enabled, logs the (1) admin_token and (2) LDAP password in plaintext, which allows local users to obtain sensitive by reading the log file.
5054 CVE-2013-1977 264 +Info 2013-05-21 2013-05-22
2.1
None Local Low Not required Partial None None
OpenStack devstack uses world-readable permissions for keystone.conf, which allows local users to obtain sensitive information such as the LDAP password and admin_token secret by reading the file.
5055 CVE-2013-1971 79 XSS 2013-06-25 2017-08-29
2.1
None Remote High ??? None Partial None
Cross-site scripting (XSS) vulnerability in the MP3 Player module for Drupal 6.x allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the file name of a MP3 file.
5056 CVE-2013-1956 264 Bypass 2013-04-24 2013-05-01
2.1
None Local Low Not required None Partial None
The create_user_ns function in kernel/user_namespace.c in the Linux kernel before 3.8.6 does not check whether a chroot directory exists that differs from the namespace root directory, which allows local users to bypass intended filesystem restrictions via a crafted clone system call.
5057 CVE-2013-1945 829 2019-10-31 2019-11-06
2.1
None Local Low Not required None Partial None
ruby193 uses an insecure LD_LIBRARY_PATH setting.
5058 CVE-2013-1940 264 +Info 2013-05-13 2013-06-21
2.1
None Local Low Not required Partial None None
X.Org X server before 1.13.4 and 1.4.x before 1.14.1 does not properly restrict access to input events when adding a new hot-plug device, which might allow physically proximate attackers to obtain sensitive information, as demonstrated by reading passwords from a tty.
5059 CVE-2013-1897 264 +Info 2013-05-13 2013-05-14
2.6
None Remote High Not required Partial None None
The do_search function in ldap/servers/slapd/search.c in 389 Directory Server 1.2.x before 1.2.11.20 and 1.3.x before 1.3.0.5 does not properly restrict access to entries when the nsslapd-allow-anonymous-access configuration is set to rootdse and the BASE search scope is used, which allows remote attackers to obtain sensitive information outside of the rootDSE via a crafted LDAP search.
5060 CVE-2013-1888 59 2013-08-17 2021-03-15
2.1
None Local Low Not required None Partial None
pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory.
5061 CVE-2013-1887 79 XSS 2013-03-27 2013-03-28
2.1
None Remote High ??? None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the Views module 7.x-3.x before 7.x-3.6 for Drupal allow remote authenticated users with certain permissions to inject arbitrary web script or HTML via certain view configuration fields.
5062 CVE-2013-1853 310 +Info 2014-01-24 2014-02-25
2.1
None Local Low Not required Partial None None
Almanah Diary 0.9.0 and 0.10.0 does not encrypt the database when closed, which allows local users to obtain sensitive information by reading the database.
5063 CVE-2013-1845 119 DoS Overflow 2013-05-02 2018-10-30
2.1
None Remote High ??? None None Partial
The mod_dav_svn Apache HTTPD server module in Subversion 1.6.x before 1.6.21 and 1.7.0 through 1.7.8 allows remote authenticated users to cause a denial of service (memory consumption) by (1) setting or (2) deleting a large number of properties for a file or directory.
5064 CVE-2013-1822 79 XSS 2014-03-14 2014-03-25
2.1
None Remote High ??? None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.x before 4.5.8 allow remote authenticated users with administrator privileges to inject arbitrary web script or HTML via the (1) quota parameter to /core/settings/ajax/setquota.php, or remote authenticated users with group admin privileges to inject arbitrary web script or HTML via the (2) group field to settings.php or (3) "share with" field.
5065 CVE-2013-1810 79 XSS 2014-05-15 2014-05-16
2.1
None Remote High ??? None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in core/summary_api.php in MantisBT 1.2.12 allow remote authenticated users with manager or administrator permissions to inject arbitrary web script or HTML via a (1) category name in the summary_print_by_category function or (2) project name in the summary_print_by_project function.
5066 CVE-2013-1787 79 XSS 2013-03-27 2013-03-28
2.1
None Remote High ??? None Partial None
Cross-site scripting (XSS) vulnerability in the 3 slide gallery in the Simple Corporate theme before 7.x-1.4 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via unspecified vectors.
5067 CVE-2013-1786 79 XSS 2013-03-27 2013-03-28
2.1
None Remote High ??? None Partial None
Cross-site scripting (XSS) vulnerability in the 3 slide gallery in the Company theme before 7.x-1.4 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via unspecified vectors.
5068 CVE-2013-1785 79 XSS 2013-03-27 2013-03-28
2.1
None Remote High ??? None Partial None
Cross-site scripting (XSS) vulnerability in the 3 slide gallery in the Premium Responsive theme before 7.x-1.6 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via unspecified vectors.
5069 CVE-2013-1784 79 XSS 2013-03-27 2013-03-28
2.1
None Remote High ??? None Partial None
Cross-site scripting (XSS) vulnerability in the 3 slide gallery in the Clean Theme before 7.x-1.3 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via unspecified vectors.
5070 CVE-2013-1783 79 XSS 2013-03-27 2017-08-29
2.1
None Remote High ??? None Partial None
Cross-site scripting (XSS) vulnerability in the 3 slide gallery in page--front.tpl.php in the Business theme before 7.x-1.8 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via unspecified vectors.
5071 CVE-2013-1782 79 XSS 2013-03-27 2015-11-24
2.1
None Remote High ??? None Partial None
Cross-site scripting (XSS) vulnerability in the Responsive Blog Theme 7.x-1.x before 7.x-1.6 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via vectors related to social icons.
5072 CVE-2013-1781 79 XSS 2013-03-27 2013-03-28
2.1
None Remote High ??? None Partial None
Cross-site scripting (XSS) vulnerability in the 3 slide gallery in the Professional theme before 7.x-1.4 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via unspecified vectors.
5073 CVE-2013-1780 79 XSS 2013-03-27 2017-08-29
2.1
None Remote High ??? None Partial None
Cross-site scripting (XSS) vulnerability in the Best Responsive Theme 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via vectors related to social icons.
5074 CVE-2013-1779 79 XSS 2013-03-27 2013-03-28
2.1
None Remote High ??? None Partial None
Cross-site scripting (XSS) vulnerability in the 3 slide gallery in the Fresh theme before 7.x-1.4 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via unspecified vectors.
5075 CVE-2013-1778 79 XSS 2013-03-27 2013-03-28
2.1
None Remote High ??? None Partial None
Cross-site scripting (XSS) vulnerability in the Creative Theme 7.x-1.x before 7.x-1.2 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via vectors related to social icons.
5076 CVE-2013-1764 264 2014-04-16 2014-04-17
2.1
None Local Low Not required None Partial None
The Zypper (aka zypp) backend in PackageKit before 0.8.8 allows local users to downgrade packages via the "install updates" method.
5077 CVE-2013-1729 200 +Info 2013-09-18 2013-10-03
2.6
None Remote High Not required Partial None None
The WebGL implementation in Mozilla Firefox before 24.0, when NVIDIA graphics drivers are used on Mac OS X, allows remote attackers to obtain desktop-screenshot data by reading from a CANVAS element.
5078 CVE-2013-1650 264 +Info 2013-09-05 2013-09-26
2.1
None Local Low Not required Partial None None
Open-Xchange Server before 6.20.7 rev14, 6.22.0 before rev13, and 6.22.1 before rev14 uses weak permissions (group "other" readable) under opt/open-xchange/etc/, which allows local users to obtain sensitive information via standard filesystem operations.
5079 CVE-2013-1615 200 +Info 2013-07-08 2013-07-08
2.9
None Local Network Medium Not required Partial None None
The management console (aka Java console) on the Symantec Security Information Manager (SSIM) appliance 4.7.x and 4.8.x before 4.8.1 allows remote attackers to obtain sensitive information via unspecified web-GUI API calls.
5080 CVE-2013-1590 119 DoS Overflow 2013-02-03 2017-09-19
2.9
None Local Network Medium Not required None None Partial
Buffer overflow in the NTLMSSP dissector in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 allows remote attackers to cause a denial of service (application crash) via a malformed packet.
5081 CVE-2013-1589 399 DoS 2013-02-03 2017-09-19
2.9
None Local Network Medium Not required None None Partial
Double free vulnerability in epan/proto.c in the dissection engine in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 allows remote attackers to cause a denial of service (application crash) via a malformed packet.
5082 CVE-2013-1588 119 DoS Overflow 2013-02-03 2017-09-19
2.9
None Local Network Medium Not required None None Partial
Multiple buffer overflows in the dissect_pft_fec_detailed function in the DCP-ETSI dissector in epan/dissectors/packet-dcp-etsi.c in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 allow remote attackers to cause a denial of service (application crash) via a malformed packet.
5083 CVE-2013-1587 DoS 2013-02-03 2017-09-19
2.9
None Local Network Medium Not required None None Partial
The dissect_rohc_ir_packet function in epan/dissectors/packet-rohc.c in the ROHC dissector in Wireshark 1.8.x before 1.8.5 does not properly handle unknown profiles, which allows remote attackers to cause a denial of service (application crash) via a malformed packet.
5084 CVE-2013-1586 DoS 2013-02-03 2017-09-19
2.9
None Local Network Medium Not required None None Partial
The fragment_set_tot_len function in epan/reassemble.c in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 does not properly determine the length of a reassembled packet for the DTLS dissector, which allows remote attackers to cause a denial of service (application crash) via a malformed packet.
5085 CVE-2013-1585 20 DoS 2013-02-03 2017-09-19
2.9
None Local Network Medium Not required None None Partial
epan/tvbuff.c in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 does not properly validate certain length values for the MS-MMC dissector, which allows remote attackers to cause a denial of service (application crash) via a malformed packet.
5086 CVE-2013-1584 20 DoS 2013-02-03 2017-09-19
2.9
None Local Network Medium Not required None None Partial
The dissect_version_5_and_6_primary_header function in epan/dissectors/packet-dtn.c in the DTN dissector in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 accesses an inappropriate pointer, which allows remote attackers to cause a denial of service (application crash) via a malformed packet.
5087 CVE-2013-1583 20 DoS 2013-02-03 2017-09-19
2.9
None Local Network Medium Not required None None Partial
The dissect_version_4_primary_header function in epan/dissectors/packet-dtn.c in the DTN dissector in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 accesses an inappropriate pointer, which allows remote attackers to cause a denial of service (application crash) via a malformed packet.
5088 CVE-2013-1582 189 DoS 2013-02-03 2017-09-19
2.9
None Local Network Medium Not required None None Partial
The dissect_clnp function in epan/dissectors/packet-clnp.c in the CLNP dissector in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 does not properly manage an offset variable, which allows remote attackers to cause a denial of service (infinite loop or application crash) via a malformed packet.
5089 CVE-2013-1581 20 DoS 2013-02-03 2017-09-19
2.9
None Local Network Medium Not required None None Partial
The dissect_pft_fec_detailed function in epan/dissectors/packet-dcp-etsi.c in the DCP-ETSI dissector in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 does not properly handle fragment gaps, which allows remote attackers to cause a denial of service (loop) via a malformed packet.
5090 CVE-2013-1580 20 DoS 2013-02-03 2017-09-19
2.9
None Local Network Medium Not required None None Partial
The dissect_cmstatus_tlv function in plugins/docsis/packet-cmstatus.c in the DOCSIS CM-STATUS dissector in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 uses an incorrect data type for a position variable, which allows remote attackers to cause a denial of service (infinite loop) via a malformed packet.
5091 CVE-2013-1579 399 DoS 2013-02-03 2017-09-19
2.9
None Local Network Medium Not required None None Partial
The rtps_util_add_bitmap function in epan/dissectors/packet-rtps.c in the RTPS dissector in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 does not properly implement certain nested loops for processing bitmap data, which allows remote attackers to cause a denial of service (infinite loop) via a malformed packet.
5092 CVE-2013-1578 20 DoS 2013-02-03 2017-09-19
2.9
None Local Network Medium Not required None None Partial
The dissect_pw_eth_heuristic function in epan/dissectors/packet-pw-eth.c in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 does not properly handle apparent Ethernet address values at the beginning of MPLS data, which allows remote attackers to cause a denial of service (loop) via a malformed packet.
5093 CVE-2013-1577 20 DoS 2013-02-03 2017-09-19
2.9
None Local Network Medium Not required None None Partial
The dissect_sip_p_charging_func_addresses function in epan/dissectors/packet-sip.c in the SIP dissector in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 does not properly handle offset data associated with a quoted string, which allows remote attackers to cause a denial of service (infinite loop) via a malformed packet.
5094 CVE-2013-1576 310 DoS 2013-02-03 2017-09-19
2.9
None Local Network Medium Not required None None Partial
The dissect_sdp_media_attribute function in epan/dissectors/packet-sdp.c in the SDP dissector in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 does not properly process crypto-suite parameters, which allows remote attackers to cause a denial of service (infinite loop) via a malformed packet.
5095 CVE-2013-1575 20 DoS 2013-02-03 2017-09-19
2.9
None Local Network Medium Not required None None Partial
The dissect_r3_cmd_alarmconfigure function in epan/dissectors/packet-assa_r3.c in the R3 dissector in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 does not properly handle a certain alarm length, which allows remote attackers to cause a denial of service (infinite loop) via a malformed packet.
5096 CVE-2013-1574 20 DoS 2013-02-03 2017-09-19
2.9
None Local Network Medium Not required None None Partial
The dissect_bthci_eir_ad_data function in epan/dissectors/packet-bthci_cmd.c in the Bluetooth HCI dissector in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 uses an incorrect data type for a counter variable, which allows remote attackers to cause a denial of service (infinite loop) via a malformed packet.
5097 CVE-2013-1573 20 DoS 2013-02-03 2017-09-19
2.9
None Local Network Medium Not required None None Partial
The csnStreamDissector function in epan/dissectors/packet-csn1.c in the CSN.1 dissector in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 does not properly handle a large number of padding bits, which allows remote attackers to cause a denial of service (infinite loop) via a malformed packet.
5098 CVE-2013-1572 20 DoS 2013-02-03 2017-09-19
2.9
None Local Network Medium Not required None None Partial
The dissect_oampdu_event_notification function in epan/dissectors/packet-slowprotocols.c in the IEEE 802.3 Slow Protocols dissector in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 does not properly handle certain short lengths, which allows remote attackers to cause a denial of service (infinite loop) via a malformed packet.
5099 CVE-2013-1560 2013-04-17 2017-09-09
2.1
None Remote High ??? Partial None None
Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking component in Oracle Financial Services Software 2.8.0 through 4.1.0 allows remote authenticated users to affect confidentiality via vectors related to BASE, a different vulnerability than CVE-2013-2385.
5100 CVE-2013-1517 2013-04-17 2013-10-11
2.6
None Remote High Not required Partial None None
Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1.3 allows remote attackers to affect confidentiality via unknown vectors related to Diagnostics.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.