CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In September 2013

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
151 CVE-2013-4790 255 2013-09-05 2013-09-26
3.5
None Remote Medium ??? Partial None None
Open-Xchange AppSuite before 7.0.2 rev14, 7.2.0 before rev11, 7.2.1 before rev10, and 7.2.2 before rev9 relies on user-supplied data to predict the IMAP server hostname for an external domain name, which allows remote authenticated users to discover e-mail credentials of other users in opportunistic circumstances via a manual-mode association of a personal e-mail address with the hostname of a crafted IMAP server.
152 CVE-2013-4777 264 +Priv 2013-09-25 2016-12-07
6.9
None Local Medium Not required Complete Complete Complete
A certain configuration of Android 2.3.7 on the Motorola Defy XT phone for Republic Wireless uses init to create a /dev/socket/init_runit socket that listens for shell commands, which allows local users to gain privileges by interacting with a LocalSocket object.
153 CVE-2013-4766 200 +Info 2013-09-17 2013-09-18
4.3
None Remote Medium Not required Partial None None
The gather log service in Eucalyptus before 3.3.1 allows remote attackers to read log files via an unspecified request to the (1) Cluster Controller (CC) or (2) Node Controller (NC) component.
154 CVE-2013-4709 119 Exec Code Overflow 2013-09-20 2015-03-05
6.8
None Remote Medium Not required Partial Partial Partial
Buffer overflow in the PPP Access Concentrator (PPPAC) on the SEIL/x86 with firmware before 2.82, SEIL/X1 with firmware before 4.32, SEIL/X2 with firmware before 4.32, SEIL/B1 with firmware before 4.32, SEIL/Turbo with firmware before 2.16, and SEIL/neu 2FE Plus with firmware before 2.16 allows remote attackers to execute arbitrary code via a crafted L2TP message.
155 CVE-2013-4707 264 DoS 2013-09-20 2013-09-23
6.3
None Remote Medium ??? None None Complete
The SSH implementation on D-Link Japan DES-3810 devices with firmware before R2.20.011 allows remote authenticated users to cause a denial of service (device hang) by leveraging login access.
156 CVE-2013-4706 264 DoS 2013-09-20 2013-09-23
6.3
None Remote Medium ??? None None Complete
The SSH implementation on the D-Link Japan DWL-2100AP with firmware before R252JP-RC572 allows remote authenticated users to cause a denial of service (reboot) by leveraging login access.
157 CVE-2013-4705 79 XSS 2013-09-13 2013-09-13
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Opera before 15.00 allows remote attackers to inject arbitrary web script or HTML by leveraging UTF-8 encoding.
158 CVE-2013-4704 79 XSS 2013-09-16 2013-10-08
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in ChamaNet ChamaCargo 7.0000 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
159 CVE-2013-4703 79 XSS 2013-09-10 2018-10-30
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the top-page customization feature in Cybozu Office before 9.3.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
160 CVE-2013-4626 79 XSS 2013-09-26 2013-10-08
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the BackWPup plugin before 3.0.13 for WordPress allows remote attackers to inject arbitrary web script or HTML via the tab parameter to wp-admin/admin.php.
161 CVE-2013-4623 20 DoS 2013-09-30 2013-10-31
4.3
None Remote Medium Not required None None Partial
The x509parse_crt function in x509.h in PolarSSL 1.1.x before 1.1.7 and 1.2.x before 1.2.8 does not properly parse certificate messages during the SSL/TLS handshake, which allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a certificate message that contains a PEM encoded certificate.
162 CVE-2013-4378 79 XSS 2013-09-30 2013-10-10
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in HtmlSessionInformationsReport.java in JavaMelody 1.46 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted X-Forwarded-For header.
163 CVE-2013-4372 79 XSS 2013-09-30 2016-12-31
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Fuse Management Console in Red Hat JBoss Fuse 6.0.0 before patch 3 and JBoss A-MQ 6.0.0 before patch 3 allow remote attackers to inject arbitrary web script or HTML via the (1) user field in the create user page or (2) profile version to the create profile page.
164 CVE-2013-4362 264 +Priv 2013-09-30 2017-07-01
7.2
None Local Low Not required Complete Complete Complete
WEB-DAV Linux File System (davfs2) 1.4.6 and 1.4.7 allow local users to gain privileges via unknown attack vectors in (1) kernel_interface.c and (2) mount_davfs.c, related to the "system" function.
165 CVE-2013-4359 189 DoS Overflow 2013-09-30 2016-12-31
5.0
None Remote Low Not required None None Partial
Integer overflow in kbdint.c in mod_sftp in ProFTPD 1.3.4d and 1.3.5r3 allows remote attackers to cause a denial of service (memory consumption) via a large response count value in an authentication request, which triggers a large memory allocation.
166 CVE-2013-4350 310 +Info 2013-09-25 2014-01-04
5.0
None Remote Low Not required Partial None None
The IPv6 SCTP implementation in net/sctp/ipv6.c in the Linux kernel through 3.11.1 uses data structures and function calls that do not trigger an intended configuration of IPsec encryption, which allows remote attackers to obtain sensitive information by sniffing the network.
167 CVE-2013-4343 399 +Priv 2013-09-25 2019-05-31
6.9
None Local Medium Not required Complete Complete Complete
Use-after-free vulnerability in drivers/net/tun.c in the Linux kernel through 3.11.1 allows local users to gain privileges by leveraging the CAP_NET_ADMIN capability and providing an invalid tuntap interface name in a TUNSETIFF ioctl call.
168 CVE-2013-4341 79 XSS 2013-09-16 2022-05-01
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Moodle through 2.2.11, 2.3.x before 2.3.9, 2.4.x before 2.4.6, and 2.5.x before 2.5.2 allow remote attackers to inject arbitrary web script or HTML via a crafted blog link within an RSS feed.
169 CVE-2013-4340 264 2013-09-12 2013-10-02
3.5
None Remote Medium ??? None Partial None
wp-admin/includes/post.php in WordPress before 3.6.1 allows remote authenticated users to spoof the authorship of a post by leveraging the Author role and providing a modified user_ID parameter.
170 CVE-2013-4339 20 Bypass 2013-09-12 2013-12-31
7.5
None Remote Low Not required Partial Partial Partial
WordPress before 3.6.1 does not properly validate URLs before use in an HTTP redirect, which allows remote attackers to bypass intended redirection restrictions via a crafted string.
171 CVE-2013-4338 94 Exec Code 2013-09-12 2013-10-02
7.5
None Remote Low Not required Partial Partial Partial
wp-includes/functions.php in WordPress before 3.6.1 does not properly determine whether data has been serialized, which allows remote attackers to execute arbitrary code by triggering erroneous PHP unserialize operations.
172 CVE-2013-4329 264 DoS +Priv 2013-09-12 2017-01-07
6.5
None Local Network High ??? Complete Complete Complete
The xenlight library (libxl) in Xen 4.0.x through 4.2.x, when IOMMU is disabled, provides access to a busmastering-capable PCI passthrough device before the IOMMU setup is complete, which allows local HVM guest domains to gain privileges or cause a denial of service via a DMA instruction.
173 CVE-2013-4325 264 Bypass 2013-09-23 2014-01-14
6.9
None Local Medium Not required Complete Complete Complete
The check_permission_v1 function in base/pkit.py in HP Linux Imaging and Printing (HPLIP) through 3.13.9 does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process.
174 CVE-2013-4316 16 2013-09-30 2016-12-07
10.0
None Remote Low Not required Complete Complete Complete
Apache Struts 2.0.0 through 2.3.15.1 enables Dynamic Method Invocation by default, which has unknown impact and attack vectors.
175 CVE-2013-4315 22 Dir. Trav. 2013-09-16 2013-12-10
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in Django 1.4.x before 1.4.7, 1.5.x before 1.5.3, and 1.6.x before 1.6 beta 3 allows remote attackers to read arbitrary files via a file path in the ALLOWED_INCLUDE_ROOTS setting followed by a .. (dot dot) in a ssi template tag.
176 CVE-2013-4314 20 2013-09-30 2013-12-08
4.3
None Remote Medium Not required None Partial None
The X509Extension in pyOpenSSL before 0.13.1 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.
177 CVE-2013-4313 89 Sql 2013-09-16 2020-12-01
7.5
None Remote Low Not required Partial Partial Partial
Moodle through 2.2.11, 2.3.x before 2.3.9, 2.4.x before 2.4.6, and 2.5.x before 2.5.2 does not prevent use of '\0' characters in query strings, which might allow remote attackers to conduct SQL injection attacks against Microsoft SQL Server via a crafted string.
178 CVE-2013-4310 264 Bypass 2013-09-30 2014-05-05
5.8
None Remote Medium Not required Partial Partial None
Apache Struts 2.0.0 through 2.3.15.1 allows remote attackers to bypass access controls via a crafted action: prefix.
179 CVE-2013-4308 79 XSS 2013-09-12 2017-08-29
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in pages/TalkpageHistoryView.php in the LiquidThreads (LQT) extension 2.x and possibly 3.x for MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allows remote attackers to inject arbitrary web script or HTML via a thread subject.
180 CVE-2013-4307 79 XSS 2013-09-12 2017-08-29
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in repo/includes/EntityView.php in the Wikibase extension for MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allow (1) remote attackers to inject arbitrary web script or HTML via a label in the "In other languages" section or (2) remote administrators to inject arbitrary web script or HTML via a description.
181 CVE-2013-4300 264 +Priv 2013-09-25 2013-10-31
7.2
None Local Low Not required Complete Complete Complete
The scm_check_creds function in net/core/scm.c in the Linux kernel before 3.11 performs a capability check in an incorrect namespace, which allows local users to gain privileges via PID spoofing.
182 CVE-2013-4298 119 DoS Overflow Mem. Corr. 2013-09-10 2013-09-18
4.3
None Remote Medium Not required None None Partial
The ReadGIFImage function in coders/gif.c in ImageMagick before 6.7.8-8 allows remote attackers to cause a denial of service (memory corruption and application crash) via a crafted comment in a GIF image.
183 CVE-2013-4297 119 DoS Overflow 2013-09-30 2015-01-02
4.0
None Remote Low ??? None None Partial
The virFileNBDDeviceAssociate function in util/virfile.c in libvirt 1.1.2 and earlier allows remote authenticated users to cause a denial of service (uninitialized pointer dereference and crash) via unspecified vectors.
184 CVE-2013-4296 119 DoS Overflow 2013-09-30 2019-04-22
4.0
None Remote Low ??? None None Partial
The remoteDispatchDomainMemoryStats function in daemon/remote.c in libvirt 0.9.1 through 0.10.1.x, 0.10.2.x before 0.10.2.8, 1.0.x before 1.0.5.6, and 1.1.x before 1.1.2 allows remote authenticated users to cause a denial of service (uninitialized pointer dereference and crash) via a crafted RPC call.
185 CVE-2013-4294 264 Bypass 2013-09-23 2013-10-31
5.0
None Remote Low Not required None Partial None
The (1) mamcache and (2) KVS token backends in OpenStack Identity (Keystone) Folsom 2012.2.x and Grizzly before 2013.1.4 do not properly compare the PKI token revocation list with PKI tokens, which allow remote attackers to bypass intended access restrictions via a revoked PKI token.
186 CVE-2013-4292 399 DoS 2013-09-30 2015-01-02
2.1
None Local Low Not required None None Partial
libvirt 1.1.0 and 1.1.1 allows local users to cause a denial of service (memory consumption) via a large number of domain migrate parameters in certain RPC calls in (1) daemon/remote.c and (2) remote/remote_driver.c.
187 CVE-2013-4291 264 +Priv 2013-09-30 2013-10-01
6.9
None Local Medium Not required Complete Complete Complete
The virSecurityManagerSetProcessLabel function in libvirt 0.10.2.7, 1.0.5.5, and 1.1.1, when the domain has read an uid:gid label, does not properly set group memberships, which allows local users to gain privileges.
188 CVE-2013-4283 20 DoS 2013-09-10 2013-09-11
5.0
None Remote Low Not required None None Partial
ns-slapd in 389 Directory Server before 1.3.0.8 allows remote attackers to cause a denial of service (server crash) via a crafted Distinguished Name (DN) in a MOD operation request.
189 CVE-2013-4278 264 2013-09-16 2013-09-25
3.5
None Remote Medium ??? Partial None None
The "create an instance" API in OpenStack Compute (Nova) Folsom, Grizzly, and Havana does not properly enforce the os-flavor-access:is_public property, which allows remote authenticated users to boot arbitrary flavors by guessing the flavor id. NOTE: this issue is due to an incomplete fix for CVE-2013-2256.
190 CVE-2013-4277 264 2013-09-16 2017-09-19
3.3
None Local Medium Not required None Partial Partial
Svnserve in Apache Subversion 1.4.0 through 1.7.12 and 1.8.0 through 1.8.1 allows local users to overwrite arbitrary files or kill arbitrary processes via a symlink attack on the file specified by the --pid-file option.
191 CVE-2013-4276 119 DoS Overflow 2013-09-28 2018-09-21
4.3
None Remote Medium Not required None None Partial
Multiple stack-based buffer overflows in LittleCMS (aka lcms or liblcms) 1.19 and earlier allow remote attackers to cause a denial of service (crash) via a crafted (1) ICC color profile to the icctrans utility or (2) TIFF image to the tiffdiff utility.
192 CVE-2013-4260 264 2013-09-16 2018-10-30
3.3
None Local Medium Not required None Partial Partial
lib/ansible/playbook/__init__.py in Ansible 1.2.x before 1.2.3, when playbook does not run due to an error, allows local users to overwrite arbitrary files via a symlink attack on a retry file with a predictable name in /var/tmp/ansible/.
193 CVE-2013-4259 264 2013-09-16 2018-10-30
1.9
None Local Medium Not required Partial None None
runner/connection_plugins/ssh.py in Ansible before 1.2.3, when using ControlPersist, allows local users to redirect a ssh session via a symlink attack on a socket file with a predictable name in /tmp/.
194 CVE-2013-4244 119 DoS Exec Code Overflow 2013-09-28 2014-03-06
6.8
None Remote Medium Not required Partial Partial Partial
The LZW decompressor in the gif2tiff tool in libtiff 4.0.3 and earlier allows context-dependent attackers to cause a denial of service (out-of-bounds write and crash) or possibly execute arbitrary code via a crafted GIF image.
195 CVE-2013-4243 119 DoS Exec Code Overflow 2013-09-10 2017-07-01
6.8
None Remote Medium Not required Partial Partial Partial
Heap-based buffer overflow in the readgifimage function in the gif2tiff tool in libtiff 4.0.3 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted height and width values in a GIF image.
196 CVE-2013-4239 119 DoS Overflow Mem. Corr. 2013-09-30 2013-10-01
4.0
None Remote Low ??? None None Partial
The xenDaemonListDefinedDomains function in xen/xend_internal.c in libvirt 1.1.1 allows remote authenticated users to cause a denial of service (memory corruption and crash) via vectors involving the virConnectListDefinedDomains API function.
197 CVE-2013-4234 119 DoS Exec Code Overflow Mem. Corr. 2013-09-16 2016-12-31
6.8
None Remote Medium Not required Partial Partial Partial
Multiple heap-based buffer overflows in the (1) abc_MIDI_drum and (2) abc_MIDI_gchord functions in load_abc.cpp in libmodplug 0.8.8.4 and earlier allow remote attackers to cause a denial of service (memory corruption and crash) and possibly execute arbitrary code via a crafted ABC.
198 CVE-2013-4233 189 DoS Exec Code Overflow 2013-09-16 2013-09-25
6.8
None Remote Medium Not required Partial Partial Partial
Integer overflow in the abc_set_parts function in load_abc.cpp in libmodplug 0.8.8.4 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted P header in an ABC file, which triggers a heap-based buffer overflow.
199 CVE-2013-4232 399 DoS Exec Code 2013-09-10 2017-06-30
6.8
None Remote Medium Not required Partial Partial Partial
Use-after-free vulnerability in the t2p_readwrite_pdf_image function in tools/tiff2pdf.c in libtiff 4.0.3 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted TIFF image.
200 CVE-2013-4222 522 2013-09-30 2020-06-02
6.5
None Remote Low ??? Partial Partial Partial
OpenStack Identity (Keystone) Folsom, Grizzly 2013.1.3 and earlier, and Havana before havana-3 does not properly revoke user tokens when a tenant is disabled, which allows remote authenticated users to retain access via the token.
Total number of vulnerabilities : 456   Page : 1 2 3 4 (This Page)5 6 7 8 9 10
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.