CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In December 2013

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
201 CVE-2013-6408 2013-12-07 2014-07-17
6.4
None Remote Low Not required Partial None Partial
The DocumentAnalysisRequestHandler in Apache Solr before 4.3.1 does not properly use the EmptyEntityResolver, which allows remote attackers to have an unspecified impact via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-6407.
202 CVE-2013-6407 2013-12-07 2014-07-17
6.4
None Remote Low Not required Partial None Partial
The UpdateRequestHandler for XML in Apache Solr before 4.1 allows remote attackers to have an unspecified impact via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
203 CVE-2013-6404 264 2013-12-09 2017-08-29
4.0
None Remote Low ??? Partial None None
Quassel core (server daemon) in Quassel IRC before 0.9.2 does not properly verify the user ID when accessing user backlogs, which allows remote authenticated users to read other users' backlogs via the bufferid in (1) 16/select_buffer_by_id.sql, (2) 16/select_buffer_by_id.sql, and (3) 16/select_buffer_by_id.sql in core/SQL/PostgreSQL/.
204 CVE-2013-6403 264 Bypass 2013-12-24 2017-08-29
6.8
None Remote Medium Not required Partial Partial Partial
The admin page in ownCloud before 5.0.13 allows remote attackers to bypass intended access restrictions via unspecified vectors, related to MariaDB.
205 CVE-2013-6400 264 DoS +Priv 2013-12-13 2017-01-07
6.8
None Local Network High Not required Complete Complete Complete
Xen 4.2.x and 4.3.x, when using Intel VT-d and a PCI device has been assigned, does not clear the flag that suppresses IOMMU TLB flushes when unspecified errors occur, which causes the TLB entries to not be flushed and allows local guest administrators to cause a denial of service (host crash) or gain privileges via unspecified vectors.
206 CVE-2013-6397 22 Dir. Trav. 2013-12-07 2015-10-23
4.3
None Remote Medium Not required Partial None None
Directory traversal vulnerability in SolrResourceLoader in Apache Solr before 4.6 allows remote attackers to read arbitrary files via a .. (dot dot) or full pathname in the tr parameter to solr/select/, when the response writer (wt parameter) is set to XSLT. NOTE: this can be leveraged using a separate XXE (XML eXternal Entity) vulnerability to allow access to files across restricted network boundaries.
207 CVE-2013-6395 79 XSS 2013-12-05 2017-08-29
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in header.php in Ganglia Web 3.5.8 and 3.5.10 allows remote attackers to inject arbitrary web script or HTML via the host_regex parameter to the default URI, which is processed by get_context.php.
208 CVE-2013-6394 310 2013-12-13 2018-10-30
2.1
None Local Low Not required None Partial None
Percona XtraBackup before 2.1.6 uses a constant string for the initialization vector (IV), which makes it easier for local users to defeat cryptographic protection mechanisms and conduct plaintext attacks.
209 CVE-2013-6391 269 +Priv 2013-12-14 2020-06-02
5.8
None Remote Medium Not required Partial Partial None
The ec2tokens API in OpenStack Identity (Keystone) before Havana 2013.2.1 and Icehouse before icehouse-2 does not return a trust-scoped token when one is received, which allows remote trust users to gain privileges by generating EC2 credentials from a trust-scoped token and using them in an ec2tokens API request.
210 CVE-2013-6389 20 2013-12-07 2014-01-04
5.8
None Remote Medium Not required Partial Partial None
Open redirect vulnerability in the Overlay module in Drupal 7.x before 7.24 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
211 CVE-2013-6388 79 XSS 2013-12-24 2014-01-04
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Color module in Drupal 7.x before 7.24 allows remote attackers to inject arbitrary web script or HTML via vectors related to CSS.
212 CVE-2013-6387 79 XSS 2013-12-24 2014-01-04
2.1
None Remote High ??? None Partial None
Cross-site scripting (XSS) vulnerability in the Image module in Drupal 7.x before 7.24 allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the description field.
213 CVE-2013-6386 310 Bypass 2013-12-07 2014-01-14
6.8
None Remote Medium Not required Partial Partial Partial
Drupal 6.x before 6.29 and 7.x before 7.24 uses the PHP mt_rand function to generate random numbers, which uses predictable seeds and allows remote attackers to predict security strings and bypass intended restrictions via a brute force attack.
214 CVE-2013-6385 94 Exec Code CSRF 2013-12-07 2014-01-14
5.1
None Remote High Not required Partial Partial Partial
The form API in Drupal 6.x before 6.29 and 7.x before 7.24, when used with unspecified third-party modules, performs form validation even when CSRF validation has failed, which might allow remote attackers to trigger application-specific impacts such as arbitrary code execution via application-specific vectors.
215 CVE-2013-6376 189 DoS 2013-12-14 2014-03-16
5.2
None Local Network Medium ??? None None Complete
The recalculate_apic_map function in arch/x86/kvm/lapic.c in the KVM subsystem in the Linux kernel through 3.12.5 allows guest OS users to cause a denial of service (host OS crash) via a crafted ICR write operation in x2apic mode.
216 CVE-2013-6368 20 DoS +Priv 2013-12-14 2019-04-22
6.2
None Local High Not required Complete Complete Complete
The KVM subsystem in the Linux kernel through 3.12.5 allows local users to gain privileges or cause a denial of service (system crash) via a VAPIC synchronization operation involving a page-end address.
217 CVE-2013-6367 189 DoS 2013-12-14 2018-01-09
5.7
None Local Network Medium Not required None None Complete
The apic_get_tmcct function in arch/x86/kvm/lapic.c in the KVM subsystem in the Linux kernel through 3.12.5 allows guest OS users to cause a denial of service (divide-by-zero error and host OS crash) via crafted modifications of the TMICT value.
218 CVE-2013-6359 20 DoS 2013-12-13 2014-03-06
4.3
None Remote Medium Not required None None Partial
Munin::Master::Node in Munin before 2.0.18 allows remote attackers to cause a denial of service (abort data collection for node) via a plugin that uses "multigraph" as a multigraph service name.
219 CVE-2013-6341 89 1 Exec Code Sql 2013-12-05 2017-08-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in Dokeos 2.2 RC2 and earlier allows remote attackers to execute arbitrary SQL commands via the language parameter to index.php.
220 CVE-2013-6329 310 DoS 2013-12-17 2017-08-29
7.8
None Remote Low Not required None None Complete
IBM Global Security Kit (aka GSKit), as used in Content Manager OnDemand 8.5 and 9.0 and other products, allows remote attackers to cause a denial of service via a crafted handshake during resumption of an SSLv2 session.
221 CVE-2013-6328 79 XSS 2013-12-22 2017-08-29
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Web Content Manager (WCM) UI in IBM WebSphere Portal 6.1.0.x through 6.1.0.6 CF27, 6.1.5.x through 6.1.5.3 CF27, 7.0.0.x through 7.0.0.2 CF26, and 8.0.0.x before 8.0.0.1 CF09 allows remote attackers to inject arbitrary web script or HTML via vectors involving IFRAME elements.
222 CVE-2013-6327 79 XSS 2013-12-17 2017-08-29
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the HTTP Option in IBM Sterling Connect:Enterprise 1.3 before 1.3.0.2 iFix 1 and 1.4 before 1.4.0.0 iFix 1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to a "cross-frame scripting" issue.
223 CVE-2013-6316 264 +Info 2013-12-22 2017-08-29
4.3
None Remote Medium Not required Partial None None
IBM WebSphere Portal 7.0.0.x before 7.0.0.2 CF26 and 8.0.0.x before 8.0.0.1 CF09 does not properly handle content-selection changes during Taxonomy component rendering, which allows remote attackers to obtain sensitive property information in opportunistic circumstances by leveraging an error in a Web Content Manager (WCM) context processor.
224 CVE-2013-6271 264 Bypass 2013-12-14 2013-12-18
8.8
None Remote Medium Not required Complete Complete None
Android 4.0 through 4.3 allows attackers to bypass intended access restrictions and remove device locks via a crafted application that invokes the updateUnlockMethodAndFinish method in the com.android.settings.ChooseLockGeneric class with the PASSWORD_QUALITY_UNSPECIFIED option.
225 CVE-2013-6267 79 XSS 2013-12-05 2017-08-29
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Claroline before 1.11.9 allow remote attackers to inject arbitrary web script or HTML via the (1) box parameter to messaging/messagebox.php, cidToEdit parameter to (2) adminregisteruser.php or (3) admin_user_course_settings.php in admin/, (4) module_id parameter to admin/module/module.php, or (5) offset parameter to admin/right/profile_list.php.
226 CVE-2013-6237 200 +Info 2013-12-10 2017-08-29
3.5
None Remote Medium ??? Partial None None
The ISL Desktop plugin for Windows before 1.4.7 for ISL Light 3.5.4 and earlier allows remote authenticated users to obtain sensitive information by pasting the clipboard contents that have been copied by another user in the session.
227 CVE-2013-6224 79 XSS 2013-12-10 2017-08-29
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in LiveZilla before 5.1.1.0 allow remote attackers to inject arbitrary web script or HTML via (1) a name in the call administrator feature, (2) unspecified vectors to the admins visitor information panel, or (3) a text message in a chat session, which is saved in the archive section.
228 CVE-2013-6198 79 XSS 2013-12-29 2017-08-29
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in HP Service Manager WebTier and Windows Client 9.20 and 9.21 before 9.21.661 p8 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
229 CVE-2013-6197 Exec Code 2013-12-29 2017-08-29
5.2
None Local Network Low ??? Partial Partial Partial
Unspecified vulnerability in HP Service Manager WebTier and Windows Client 9.20 and 9.21 before 9.21.661 p8 allows remote authenticated users to execute arbitrary code via unknown vectors.
230 CVE-2013-6196 79 XSS 2013-12-21 2017-08-29
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in HP Autonomy Ultraseek 5 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
231 CVE-2013-6193 DoS 2013-12-17 2014-01-08
5.0
None Remote Low Not required None None Partial
Unspecified vulnerability on HP LaserJet M1522n and M2727; LaserJet Pro 100, 300, 400, CM1415fnw, CP1*, M121*, M1536dnf, and P1*; Color LaserJet CM* and CP*; and TopShot LaserJet Pro M275 printers allows remote attackers to cause a denial of service via unknown vectors.
232 CVE-2013-6192 352 CSRF 2013-12-17 2014-01-08
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in HP Operations Orchestration before 9 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
233 CVE-2013-6191 79 XSS 2013-12-17 2014-01-08
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in HP Operations Orchestration before 9 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
234 CVE-2013-6189 Exec Code 2013-12-29 2019-10-09
10.0
None Remote Low Not required Complete Complete Complete
Unspecified vulnerability in the Archive Query Server in HP Application Information Optimizer (formerly HP Database Archiving) 6.2, 6.3, 6.4, and 7.0 allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-1666.
235 CVE-2013-6182 +Priv 2013-12-28 2014-01-08
7.2
None Local Low Not required Complete Complete Complete
Unquoted Windows search path vulnerability in EMC Replication Manager before 5.5 allows local users to gain privileges via a crafted application in a parent directory of an intended directory.
236 CVE-2013-6181 310 +Info 2013-12-28 2014-01-08
2.1
None Local Low Not required Partial None None
EMC Watch4Net before 6.3 stores cleartext polled-device passwords in the installation repository, which allows local users to obtain sensitive information by leveraging repository privileges.
237 CVE-2013-6180 264 Bypass 2013-12-09 2014-01-08
6.8
None Remote Medium Not required Partial Partial Partial
EMC RSA Security Analytics (SA) 10.x before 10.3, and RSA NetWitness NextGen 9.8, does not ensure that SA Core requests originate from the SA REST UI, which allows remote attackers to bypass intended access restrictions by sending a Core request from a web browser or other unintended user agent.
238 CVE-2013-6178 79 XSS 2013-12-19 2014-01-08
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in EMC RSA Archer GRC 5.x before 5.4 SP1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
239 CVE-2013-6171 287 Bypass 2013-12-09 2018-03-16
5.8
None Remote Medium Not required Partial Partial None
checkpassword-reply in Dovecot before 2.2.7 performs setuid operations to a user who is authenticating, which allows local users to bypass authentication and access virtual email accounts by attaching to the process and using a restricted file descriptor to modify account information in the response to the dovecot-auth server.
240 CVE-2013-6162 79 1 XSS 2013-12-21 2017-08-29
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Code-Crafters Ability Mail Server 3.1.1 allows remote attackers to inject arbitrary web script or HTML via the body of an email.
241 CVE-2013-6054 119 Overflow 2013-12-12 2020-09-09
7.5
None Remote Low Not required Partial Partial Partial
Heap-based buffer overflow in OpenJPEG 1.3 has unspecified impact and remote vectors, a different vulnerability than CVE-2013-6045.
242 CVE-2013-6052 200 +Info 2013-12-12 2020-09-09
5.0
None Remote Low Not required Partial None None
OpenJPEG 1.3 and earlier allows remote attackers to obtain sensitive information via unspecified vectors that trigger a heap-based out-of-bounds read.
243 CVE-2013-6051 DoS 2013-12-14 2013-12-16
4.3
None Remote Medium Not required None None Partial
The bgp_attr_unknown function in bgp_attr.c in Quagga 0.99.21 does not properly initialize the total variable, which allows remote attackers to cause a denial of service (bgpd crash) via a crafted BGP update.
244 CVE-2013-6050 189 DoS Overflow 2013-12-07 2013-12-09
4.3
None Remote Medium Not required None None Partial
Integer overflow in Links before 2.8 allows remote attackers to cause a denial of service (crash) via crafted HTML tables.
245 CVE-2013-6048 20 DoS 2013-12-13 2014-03-06
5.0
None Remote Low Not required None None Partial
The get_group_tree function in lib/Munin/Master/HTMLConfig.pm in Munin before 2.0.18 allows remote nodes to cause a denial of service (infinite loop and memory consumption in the munin-html process) via crafted multigraph data.
246 CVE-2013-6045 119 Exec Code Overflow 2013-12-12 2020-09-09
7.5
None Remote Low Not required Partial Partial Partial
Multiple heap-based buffer overflows in OpenJPEG 1.3 and earlier might allow remote attackers to execute arbitrary code via unspecified vectors.
247 CVE-2013-6039 79 XSS 2013-12-09 2013-12-13
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in NagiosQL 3.2 SP2 allow remote attackers to inject arbitrary web script or HTML via the txtSearch parameter to (1) admin/hostdependencies.php, (2) admin/hosts.php, or other unspecified pages that allow search input, related to the search functionality in functions/content_class.php.
248 CVE-2013-6038 119 Exec Code Overflow 2013-12-17 2015-07-27
6.8
None Remote Medium Not required Partial Partial Partial
Stack-based buffer overflow in Trimble SketchUp Viewer 13.0.4124 allows remote attackers to execute arbitrary code via a crafted .SKP file.
249 CVE-2013-6029 119 Exec Code Overflow 2013-12-04 2016-12-31
6.8
None Remote Medium Not required Partial Partial Partial
Stack-based buffer overflow in the AT&T Connect Participant Application before 9.5.51 on Windows allows remote attackers to execute arbitrary code via a malformed .SVT file.
250 CVE-2013-6006 287 Bypass 2013-12-28 2013-12-30
5.8
None Remote Medium Not required Partial Partial None
Cybozu Garoon 3.5 through 3.7 SP2 allows remote attackers to bypass Keitai authentication via a modified user ID in a request.
Total number of vulnerabilities : 484   Page : 1 2 3 4 5 (This Page)6 7 8 9 10
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.