CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In December 2013

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
151 CVE-2013-6787 89 1 Exec Code Sql 2013-12-05 2013-12-27
6.0
None Remote Medium ??? Partial Partial Partial
SQL injection vulnerability in the check_user_password function in main/auth/profile.php in Chamilo LMS 1.9.6 and earlier, when using the non-encrypted passwords mode set at installation, allows remote authenticated users to execute arbitrary SQL commands via the "password0" parameter.
152 CVE-2013-6767 119 1 DoS Exec Code Overflow 2013-12-20 2014-03-06
7.2
None Local Low Not required Complete Complete Complete
Stack-based buffer overflow in pepoly.dll in Quick Heal AntiVirus Pro 7.0.0.1 allows local users to execute arbitrary code or cause a denial of service (process crash) via a long *.text value in a PE file.
153 CVE-2013-6745 79 XSS 2013-12-22 2017-08-29
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in the IMS server before Ifix 6 in IBM Security Access Manager for Enterprise Single Sign-On (ISAM ESSO) 8.2 allows remote authenticated users to inject arbitrary web script or HTML via crafted input to an unspecified dynamic web form.
154 CVE-2013-6735 264 +Info 2013-12-22 2018-10-09
5.0
None Remote Low Not required Partial None None
IBM WebSphere Portal 6.0.0.x through 6.0.0.1, 6.0.1.x through 6.0.1.7, 6.1.0.x through 6.1.0.6 CF27, 6.1.5.x through 6.1.5.3 CF27, 7.0.0.x through 7.0.0.2 CF26, and 8.0.0.x through 8.0.0.1 CF08 allows remote attackers to obtain sensitive Java Content Repository (JCR) information via a modified Web Content Manager (WCM) URL.
155 CVE-2013-6733 79 XSS 2013-12-17 2017-08-29
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Web Application in the Classic Meeting Server in IBM Sametime 7.5.1.2 through 8.5.2.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
156 CVE-2013-6723 264 +Info 2013-12-22 2017-08-29
5.0
None Remote Low Not required Partial None None
IBM WebSphere Portal 8.0.0.1 before CF09 does not properly handle references in compute="always" Web Content Manager (WCM) navigator components, which allows remote attackers to obtain sensitive component information via unspecified vectors.
157 CVE-2013-6721 79 XSS 2013-12-17 2017-08-29
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in IBM WebSphere Service Registry and Repository (WSRR) 7.5.x before 7.5.0.4 and 8.x through 8.0.0.2 allows remote authenticated users to inject arbitrary web script or HTML via vectors involving widgets.
158 CVE-2013-6718 310 2013-12-01 2017-08-29
6.4
None Remote Low Not required Partial Partial None
The Advanced Management Module (AMM) with firmware 3.64B, 3.64C, and 3.64G for IBM BladeCenter systems allows remote attackers to discover account names and passwords via use of an unspecified interface.
159 CVE-2013-6717 DoS 2013-12-19 2018-09-25
4.0
None Remote Low ??? None None Partial
The OLAP query engine in IBM DB2 and DB2 Connect 9.7 through FP9, 9.8 through FP5, 10.1 through FP3, and 10.5 through FP2, and the DB2 pureScale Feature 9.8 for Enterprise Server Edition, allows remote authenticated users to cause a denial of service (database outage and deactivation) via unspecified vectors.
160 CVE-2013-6711 79 XSS 2013-12-14 2016-09-16
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the product-creation administrative page in Cisco WebEx Sales Center allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug ID CSCul25540.
161 CVE-2013-6710 352 CSRF 2013-12-14 2016-09-16
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in Cisco WebEx Training Center allows remote attackers to hijack the authentication of unspecified victims via unknown vectors, aka Bug ID CSCul25567.
162 CVE-2013-6709 200 Bypass +Info 2013-12-14 2016-09-15
5.0
None Remote Low Not required Partial None None
The registration component in Cisco WebEx Training Center provides the training-session URL before payment is completed, which allows remote attackers to bypass intended access restrictions and join an audio conference by entering credential fields from this URL, aka Bug ID CSCul57111.
163 CVE-2013-6708 264 2013-12-10 2017-08-29
5.0
None Remote Low Not required Partial None None
Cisco Cloud Portal 9.4 allows remote attackers to read files of unspecified types via a direct request, aka Bug IDs CSCuj08426 and CSCui60889.
164 CVE-2013-6707 399 DoS 2013-12-07 2017-08-29
4.3
None Remote Medium Not required None None Partial
Memory leak in the connection-manager implementation in Cisco Adaptive Security Appliance (ASA) Software 9.1(.3) and earlier allows remote attackers to cause a denial of service (multi-protocol management outage) by making multiple management session requests, aka Bug ID CSCug33233.
165 CVE-2013-6705 20 DoS 2013-12-03 2016-09-15
6.1
None Local Network Low Not required None None Complete
The IP Device Tracking (IPDT) feature in Cisco IOS and IOS XE allows remote attackers to cause a denial of service (IPDT AVL corruption and device reload) via a crafted sequence of ARP packets, aka Bug ID CSCuh38133.
166 CVE-2013-6704 399 DoS 2013-12-03 2016-09-15
7.1
None Remote Medium Not required None None Complete
Cisco IOS XE does not properly manage memory for TFTP UDP flows, which allows remote attackers to cause a denial of service (memory consumption) via TFTP (1) client or (2) server traffic, aka Bug IDs CSCuh09324 and CSCty42686.
167 CVE-2013-6703 20 DoS 2013-12-03 2016-09-15
7.1
None Remote Medium Not required None None Complete
The TLS/SSLv3 module on Cisco ONS 15454 controller cards allows remote attackers to cause a denial of service (card reset) via crafted (1) TLS or (2) SSLv3 packets, aka Bug ID CSCuh34787.
168 CVE-2013-6702 20 DoS 2013-12-04 2016-09-15
4.3
None Remote Medium Not required None None Partial
The management implementation on Cisco ONS 15454 controller cards with software 9.8 and earlier allows remote attackers to cause a denial of service (card reset) via crafted packets, aka Bug ID CSCtz50902.
169 CVE-2013-6701 20 DoS 2013-12-18 2016-09-15
5.0
None Remote Low Not required None None Partial
The tNetTaskLimit process on the Transport Node Controller (TNC) on Cisco ONS 15454 devices with software 9.6 and earlier does not properly prioritize health pings, which allows remote attackers to cause a denial of service (watchdog timeout and TNC reset) via a flood of network traffic, aka Bug ID CSCud97155.
170 CVE-2013-6696 20 DoS 2013-12-02 2014-03-04
7.1
None Remote Medium Not required None None Complete
Cisco Adaptive Security Appliance (ASA) Software does not properly handle errors during the processing of DNS responses, which allows remote attackers to cause a denial of service (device reload) via a malformed response, aka Bug ID CSCuj28861.
171 CVE-2013-6695 264 +Info 2013-12-02 2014-03-04
4.0
None Remote Low ??? Partial None None
The RBAC implementation in Cisco Secure Access Control System (ACS) does not properly verify privileges for support-bundle downloads, which allows remote authenticated users to obtain sensitive information via a download action, as demonstrated by obtaining read access to the user database, aka Bug ID CSCuj39274.
172 CVE-2013-6690 79 XSS 2013-12-03 2016-09-15
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the web interface in the Assurance component in Cisco Prime Collaboration allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka Bug IDs CSCui92643, CSCui94038, and CSCui94161.
173 CVE-2013-6673 310 2013-12-11 2020-08-12
4.3
None Remote Medium Not required None Partial None
Mozilla Firefox before 26.0, Firefox ESR 24.x before 24.2, Thunderbird before 24.2, and SeaMonkey before 2.23 do not recognize a user's removal of trust from an EV X.509 certificate, which makes it easier for man-in-the-middle attackers to spoof SSL servers in opportunistic circumstances via a valid certificate that is unacceptable to the user.
174 CVE-2013-6672 200 +Info 2013-12-11 2020-08-21
4.3
None Remote Medium Not required Partial None None
Mozilla Firefox before 26.0 and SeaMonkey before 2.23 on Linux allow user-assisted remote attackers to read clipboard data by leveraging certain middle-click paste operations.
175 CVE-2013-6671 94 Exec Code 2013-12-11 2020-08-12
10.0
None Remote Low Not required Complete Complete Complete
The nsGfxScrollFrameInner::IsLTR function in Mozilla Firefox before 26.0, Firefox ESR 24.x before 24.2, Thunderbird before 24.2, and SeaMonkey before 2.23 allows remote attackers to execute arbitrary code via crafted use of JavaScript code for ordered list elements.
176 CVE-2013-6640 119 DoS Overflow 2013-12-07 2014-03-06
7.5
None Remote Low Not required Partial Partial Partial
The DehoistArrayIndex function in hydrogen-dehoist.cc (aka hydrogen.cc) in Google V8 before 3.22.24.7, as used in Google Chrome before 31.0.1650.63, allows remote attackers to cause a denial of service (out-of-bounds read) via JavaScript code that sets a variable to the value of an array element with a crafted index.
177 CVE-2013-6639 119 DoS Overflow 2013-12-07 2014-03-06
7.5
None Remote Low Not required Partial Partial Partial
The DehoistArrayIndex function in hydrogen-dehoist.cc (aka hydrogen.cc) in Google V8 before 3.22.24.7, as used in Google Chrome before 31.0.1650.63, allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact via JavaScript code that sets the value of an array element with a crafted index.
178 CVE-2013-6638 119 DoS Overflow 2013-12-07 2014-03-06
7.5
None Remote Low Not required Partial Partial Partial
Multiple buffer overflows in runtime.cc in Google V8 before 3.22.24.7, as used in Google Chrome before 31.0.1650.63, allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a large typed array, related to the (1) Runtime_TypedArrayInitialize and (2) Runtime_TypedArrayInitializeFromArrayLike functions.
179 CVE-2013-6637 DoS 2013-12-07 2014-03-06
7.5
None Remote Low Not required Partial Partial Partial
Multiple unspecified vulnerabilities in Google Chrome before 31.0.1650.63 allow attackers to cause a denial of service or possibly have other impact via unknown vectors.
180 CVE-2013-6636 20 2013-12-07 2014-03-06
4.3
None Remote Medium Not required None Partial None
The FrameLoader::notifyIfInitialDocumentAccessed function in core/loader/FrameLoader.cpp in Blink, as used in Google Chrome before 31.0.1650.63, makes an incorrect check for an empty document during presentation of a modal dialog, which allows remote attackers to spoof the address bar via vectors involving the document.write method.
181 CVE-2013-6635 399 DoS 2013-12-07 2016-12-08
6.8
None Remote Medium Not required Partial Partial Partial
Use-after-free vulnerability in the editing implementation in Blink, as used in Google Chrome before 31.0.1650.63, allows remote attackers to cause a denial of service or possibly have unspecified other impact via JavaScript code that triggers removal of a node during processing of the DOM tree, related to CompositeEditCommand.cpp and ReplaceSelectionCommand.cpp.
182 CVE-2013-6634 287 2013-12-07 2014-03-06
6.8
None Remote Medium Not required Partial Partial Partial
The OneClickSigninHelper::ShowInfoBarIfPossible function in browser/ui/sync/one_click_signin_helper.cc in Google Chrome before 31.0.1650.63 uses an incorrect URL during realm validation, which allows remote attackers to conduct session fixation attacks and hijack web sessions by triggering improper sync after a 302 (aka Found) HTTP status code.
183 CVE-2013-6459 79 XSS 2013-12-31 2018-02-23
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the will_paginate gem before 3.0.5 for Ruby allows remote attackers to inject arbitrary web script or HTML via vectors involving generated pagination links.
184 CVE-2013-6449 310 DoS 2013-12-23 2018-10-09
4.3
None Remote Medium Not required None None Partial
The ssl_get_algorithm2 function in ssl/s3_lib.c in OpenSSL before 1.0.2 obtains a certain version number from an incorrect data structure, which allows remote attackers to cause a denial of service (daemon crash) via crafted traffic from a TLS 1.2 client.
185 CVE-2013-6439 287 2013-12-23 2017-08-29
9.3
None Remote Medium Not required Complete Complete Complete
Candlepin in Red Hat Subscription Asset Manager 1.0 through 1.3 uses a weak authentication scheme when the configuration file does not specify a scheme, which has unspecified impact and attack vectors.
186 CVE-2013-6432 DoS 2013-12-09 2014-03-06
4.6
None Local Low ??? None None Complete
The ping_recvmsg function in net/ipv4/ping.c in the Linux kernel before 3.12.4 does not properly interact with read system calls on ping sockets, which allows local users to cause a denial of service (NULL pointer dereference and system crash) by leveraging unspecified privileges to execute a crafted application.
187 CVE-2013-6431 264 DoS 2013-12-09 2014-03-06
4.7
None Local Medium Not required None None Complete
The fib6_add function in net/ipv6/ip6_fib.c in the Linux kernel before 3.11.5 does not properly implement error-code encoding, which allows local users to cause a denial of service (NULL pointer dereference and system crash) by leveraging the CAP_NET_ADMIN capability for an IPv6 SIOCADDRT ioctl call.
188 CVE-2013-6428 264 Bypass 2013-12-14 2014-03-06
4.0
None Remote Low ??? None Partial None
The ReST API in OpenStack Orchestration API (Heat) before Havana 2013.2.1 and Icehouse before icehouse-2 allows remote authenticated users to bypass the tenant scoping restrictions via a modified tenant_id in the request path.
189 CVE-2013-6427 94 Exec Code 2013-12-09 2014-03-06
6.8
None Remote Medium Not required Partial Partial Partial
upgrade.py in the hp-upgrade service in HP Linux Imaging and Printing (HPLIP) 3.x through 3.13.11 launches a program from an http URL, which allows man-in-the-middle attackers to execute arbitrary code by gaining control over the client-server data stream.
190 CVE-2013-6426 264 Bypass 2013-12-14 2017-08-29
4.0
None Remote Low ??? None Partial None
The cloudformation-compatible API in OpenStack Orchestration API (Heat) before Havana 2013.2.1 and Icehouse before icehouse-2 does not properly enforce policy rules, which allows local in-instance users to bypass intended access restrictions and (1) create a stack via the CreateStack method or (2) update a stack via the UpdateStack method.
191 CVE-2013-6422 20 2013-12-23 2016-04-07
4.0
None Remote High Not required Partial Partial None
The GnuTLS backend in libcurl 7.21.4 through 7.33.0, when disabling digital signature verification (CURLOPT_SSL_VERIFYPEER), also disables the CURLOPT_SSL_VERIFYHOST check for CN or SAN host name fields, which makes it easier for remote attackers to spoof servers and conduct man-in-the-middle (MITM) attacks.
192 CVE-2013-6421 94 Exec Code 2013-12-12 2013-12-20
7.5
None Remote Low Not required Partial Partial Partial
The unpack_zip function in archive_unpacker.rb in the sprout gem 0.7.246 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a (1) filename or (2) path.
193 CVE-2013-6420 119 DoS Exec Code Overflow Mem. Corr. 2013-12-17 2018-10-30
7.5
None Remote Low Not required Partial Partial Partial
The asn1_time_to_time_t function in ext/openssl/openssl.c in PHP before 5.3.28, 5.4.x before 5.4.23, and 5.5.x before 5.5.7 does not properly parse (1) notBefore and (2) notAfter timestamps in X.509 certificates, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted certificate that is not properly handled by the openssl_x509_parse function.
194 CVE-2013-6417 264 Bypass 2013-12-07 2019-08-08
6.4
None Remote Low Not required Partial Partial None
actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request that leverages (1) third-party Rack middleware or (2) custom Rack middleware. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-0155.
195 CVE-2013-6416 79 XSS 2013-12-07 2019-08-08
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the simple_format helper in actionpack/lib/action_view/helpers/text_helper.rb in Ruby on Rails 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted HTML attribute.
196 CVE-2013-6415 79 XSS 2013-12-07 2019-08-08
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the number_to_currency helper in actionpack/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the unit parameter.
197 CVE-2013-6414 20 DoS 2013-12-07 2019-08-08
5.0
None Remote Low Not required None None Partial
actionpack/lib/action_view/lookup_context.rb in Action View in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to cause a denial of service (memory consumption) via a header containing an invalid MIME type that leads to excessive caching.
198 CVE-2013-6411 119 DoS Overflow 2013-12-14 2017-08-29
5.0
None Remote Low Not required None None Partial
The HandleCrashedAircraft function in aircraft_cmd.cpp in OpenTTD 0.3.6 through 1.3.2 allows remote attackers to cause a denial of service (out-of-bounds read and crash) by crashing an aircraft outside of the map.
199 CVE-2013-6410 264 Bypass 2013-12-07 2016-11-28
7.5
None Remote Low Not required Partial Partial Partial
nbd-server in Network Block Device (nbd) before 3.5 does not properly check IP addresses, which might allow remote attackers to bypass intended access restrictions via an IP address that has a partial match in the authfile configuration file.
200 CVE-2013-6409 264 +Priv 2013-12-07 2013-12-09
6.2
None Local High Not required Complete Complete Complete
Debian adequate before 0.8.1, when run by root with the --user option, allows local users to hijack the tty and possibly gain privileges via the TIOCSTI ioctl.
Total number of vulnerabilities : 484   Page : 1 2 3 4 (This Page)5 6 7 8 9 10
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.