CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In March 2013

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
251 CVE-2013-0488 79 XSS 2013-03-27 2017-08-29
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in webadmin.nsf (aka the Web Administrator client) in IBM Domino 8.5.x allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
252 CVE-2013-0487 287 2013-03-27 2017-08-29
8.5
None Remote Medium ??? Complete Complete Complete
The Java Console in IBM Domino 8.5.x allows remote authenticated users to hijack temporary credentials by leveraging knowledge of configuration details, aka SPR KLYH8TNNDN.
253 CVE-2013-0486 399 DoS 2013-03-27 2017-08-29
4.3
None Remote Medium Not required None None Partial
Memory leak in the HTTP server in IBM Domino 8.5.x allows remote attackers to cause a denial of service (memory consumption and daemon crash) via GET requests, aka SPR KLYH92NKZY.
254 CVE-2013-0474 200 +Info 2013-03-29 2017-08-29
4.3
None Remote Medium Not required Partial None None
The Manual Explore browser plug-in in IBM Security AppScan Enterprise 5.6 and 8.x before 8.7 and IBM Rational Policy Tester 5.6 and 8.x before 8.5.0.4 allows remote attackers to discover test Platform Authentication credentials via a crafted web site.
255 CVE-2013-0473 79 XSS 2013-03-29 2017-08-29
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in IBM Security AppScan Enterprise 5.6 and 8.x before 8.7 and IBM Rational Policy Tester 5.6 and 8.x before 8.5.0.4 allow remote attackers to inject arbitrary web script or HTML via a crafted report.
256 CVE-2013-0454 264 2013-03-26 2017-08-29
4.0
None Remote Low ??? None Partial None
The SMB2 implementation in Samba 3.6.x before 3.6.6, as used on the IBM Storwize V7000 Unified 1.3 before 1.3.2.3 and 1.4 before 1.4.0.1 and possibly other products, does not properly enforce CIFS share attributes, which allows remote authenticated users to (1) write to a read-only share; (2) trigger data-integrity problems related to the oplock, locking, coherency, or leases attribute; or (3) have an unspecified impact by leveraging incorrect handling of the browseable or "hide unreadable" parameter.
257 CVE-2013-0453 79 XSS 2013-03-21 2017-08-29
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in Web Reports in IBM Tivoli Endpoint Manager (TEM) before 8.2.1372 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.
258 CVE-2013-0452 352 CSRF 2013-03-29 2017-08-29
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in the Software Use Analysis (SUA) application before 1.3.3 in IBM Tivoli Endpoint Manager 8.2 allows remote attackers to hijack the authentication of arbitrary users via a web site that contains crafted Flash Action Message Format (AMF) messages.
259 CVE-2013-0402 119 Exec Code Overflow 2013-03-08 2017-09-19
10.0
None Remote Low Not required Complete Complete Complete
Heap-based buffer overflow in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier and JavaFX 2.2.7 and earlier allows remote attackers to execute arbitrary code via unspecified vectors related to JavaFX, as demonstrated by VUPEN during a Pwn2Own competition at CanSecWest 2013.
260 CVE-2013-0401 94 Exec Code Bypass 2013-03-08 2017-09-19
10.0
None Remote Low Not required Complete Complete Complete
The Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier; and OpenJDK 6 and 7; allows remote attackers to execute arbitrary code via vectors related to AWT, as demonstrated by Ben Murphy during a Pwn2Own competition at CanSecWest 2013. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to invocation of the system class loader by the sun.awt.datatransfer.ClassLoaderObjectInputStream class, which allows remote attackers to bypass Java sandbox restrictions.
261 CVE-2013-0335 264 2013-03-22 2013-06-05
6.0
None Remote Medium ??? Partial Partial Partial
OpenStack Compute (Nova) Grizzly, Folsom (2012.2), and Essex (2012.1) allows remote authenticated users to gain access to a VM in opportunistic circumstances by using the VNC token for a deleted VM that was bound to the same VNC port.
262 CVE-2013-0332 22 Dir. Trav. 2013-03-20 2013-03-21
5.0
None Remote Low Not required Partial None None
Multiple directory traversal vulnerabilities in ZoneMinder 1.24.x before 1.24.4 allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) view, (2) request, or (3) action parameter.
263 CVE-2013-0331 20 DoS 2013-03-19 2016-06-13
4.0
None Remote Low ??? None None Partial
Jenkins before 1.502 and LTS before 1.480.3 allows remote authenticated users with write access to cause a denial of service via a crafted payload.
264 CVE-2013-0330 2013-03-19 2016-06-13
4.0
None Remote Low ??? None Partial None
Unspecified vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote authenticated users with write access to build arbitrary jobs via unknown attack vectors.
265 CVE-2013-0329 Bypass CSRF 2013-03-19 2016-06-13
7.5
None Remote Low Not required Partial Partial Partial
Unspecified vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to bypass the CSRF protection mechanism via unknown attack vectors.
266 CVE-2013-0328 352 XSS 2013-03-19 2016-06-13
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
267 CVE-2013-0327 352 CSRF 2013-03-19 2016-06-13
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in Jenkins master in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to hijack the authentication of users via unknown vectors.
268 CVE-2013-0325 79 XSS 2013-03-27 2013-03-28
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the Varnish module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.0-beta2 for Drupal allow remote attackers to inject arbitrary web script or HTML via crafted a (1) Watchdog message or (2) admin setting.
269 CVE-2013-0324 79 XSS 2013-03-27 2013-04-04
2.1
None Remote High ??? None Partial None
Cross-site scripting (XSS) vulnerability in the Rendered links formatter in the Menu Reference module 7.x-1.x before 7.x-1.0 for Drupal allows remote authenticated users with the "Administer menus and menu items" permission to inject arbitrary web script or HTML via the menu link title.
270 CVE-2013-0323 79 XSS 2013-03-27 2013-04-04
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Display Suite module 7.x-1.x before 7.x-1.7 and 7.x-2.x before 7.x-2.1 for Drupal allows remote attackers to inject arbitrary web script or HTML via the author field.
271 CVE-2013-0322 79 XSS 2013-03-27 2013-07-20
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Views in the Ubercart module 7.x-3.x before 7.x-3.4 for Drupal allows remote attackers to inject arbitrary web script or HTML via the full name field.
272 CVE-2013-0321 79 XSS 2013-03-27 2013-03-28
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Views in the Ubercart Views (uc_views) module 6.x before 6.x-3.3 for Drupal allows remote attackers to inject arbitrary web script or HTML via the full name field.
273 CVE-2013-0320 352 CSRF 2013-03-27 2013-03-28
5.1
None Remote High Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in the Taxonomy Manager (taxonomy_manager) module 6.x-2.x before 6.x-2.2 and 7.x-1.x before 7.x-1.0-rc1 for Drupal allows remote attackers to hijack the authentication of users with 'administer taxonomy' permissions via unspecified vectors.
274 CVE-2013-0319 79 XSS 2013-03-27 2013-04-04
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Yandex.Metrics module 6.x-1.x before 6.x-1.6 and 7.x-1.x before 7.x-1.5 for Drupal allows remote attackers to inject arbitrary web script or HTML via vectors related to the Yandex.Metrica service data.
275 CVE-2013-0318 264 Bypass 2013-03-27 2013-03-28
10.0
None Remote Low Not required Complete Complete Complete
The admin page in the Banckle Chat module for Drupal does not properly restrict access, which allows remote attackers to bypass intended restrictions via unspecified vectors.
276 CVE-2013-0317 79 XSS 2013-03-27 2013-04-04
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Manager Change for Organic Groups (og_manager_change) module 7.x-2.x before 7.x-2.1 for Drupal might allow remote attackers to inject arbitrary web script or HTML via the username in the new manager autocomplete field.
277 CVE-2013-0316 399 DoS 2013-03-27 2013-03-28
5.0
None Remote Low Not required None None Partial
The Image module in Drupal 7.x before 7.20 allows remote attackers to cause a denial of service (CPU and disk space consumption) via a large number of new derivative requests.
278 CVE-2013-0312 189 DoS 2013-03-13 2013-03-19
5.0
None Remote Low Not required None None Partial
389 Directory Server before 1.3.0.4 allows remote attackers to cause a denial of service (crash) via a zero length LDAP control sequence.
279 CVE-2013-0308 20 2013-03-08 2021-01-26
4.3
None Remote Medium Not required None Partial None
The imap-send command in GIT before 1.8.1.4 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
280 CVE-2013-0292 20 1 +Priv 2013-03-05 2017-08-29
7.2
None Local Low Not required Complete Complete Complete
The dbus_g_proxy_manager_filter function in dbus-gproxy in Dbus-glib before 0.100.1 does not properly verify the sender of NameOwnerChanged signals, which allows local users to gain privileges via a spoofed signal.
281 CVE-2013-0288 119 DoS Exec Code Overflow 2013-03-05 2017-08-29
6.8
None Remote Medium Not required Partial Partial Partial
nss-pam-ldapd before 0.7.18 and 0.8.x before 0.8.11 allows context-dependent attackers to cause a denial of service (application crash) and possibly execute arbitrary code by performing a name lookup on an application with a large number of open file descriptors, which triggers a stack-based buffer overflow related to incorrect use of the FD_SET macro.
282 CVE-2013-0287 264 Bypass 2013-03-21 2013-05-15
4.9
None Remote Medium ??? Partial Partial None
The Simple Access Provider in System Security Services Daemon (SSSD) 1.9.0 through 1.9.4, when the Active Directory provider is used, does not properly enforce the simple_deny_groups option, which allows remote authenticated users to bypass intended access restrictions.
283 CVE-2013-0275 79 XSS 2013-03-14 2013-03-19
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Ganglia Web before 3.5.6 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
284 CVE-2013-0266 362 2013-03-08 2013-03-18
2.1
None Local Low Not required Partial None None
manifests/base.pp in the puppetlabs-cinder module, as used in PackStack, uses world-readable permissions for the (1) cinder.conf and (2) api-paste.ini configuration files, which allows local users to read OpenStack administrative passwords by reading the files.
285 CVE-2013-0261 264 2013-03-08 2013-03-18
4.4
None Local Medium Not required Partial Partial Partial
(1) installer/basedefs.py and (2) modules/ospluginutils.py in PackStack allows local users to overwrite arbitrary files via a symlink attack on a temporary file with a predictable name in /tmp.
286 CVE-2013-0260 2013-03-27 2013-03-28
2.1
None Local Low Not required Partial None None
Unspecified vulnerability in the Drush Debian Packaging module for Drupal allows local users to obtain database credentials via unknown vectors.
287 CVE-2013-0259 79 XSS 2013-03-27 2013-07-03
2.1
None Remote High ??? None Partial None
Cross-site scripting (XSS) vulnerability in the Boxes module 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with administer or edit boxes permissions to inject arbitrary web script or HTML via the subject parameter.
288 CVE-2013-0258 287 Bypass 2013-03-27 2013-04-05
6.8
None Remote Medium Not required Partial Partial Partial
The Google Authenticator login (ga_login) module 7.x before 7.x-1.3 for Drupal, when multi-factor authentication is enabled, allows remote attackers to bypass authentication for accounts without an associated Google Authenticator token by logging in with the username.
289 CVE-2013-0257 264 2013-03-27 2013-03-28
5.0
None Remote Low Not required Partial None None
The email2image module 6.x-1.x and 6.x-2.x for Drupal does not properly restrict access to nodes, which allows remote attackers to read images of user email addresses and email fields.
290 CVE-2013-0256 79 XSS 2013-03-01 2021-09-09
4.3
None Remote Medium Not required None Partial None
darkfish.js in RDoc 2.3.0 through 3.12 and 4.x before 4.0.0.preview2.1, as used in Ruby, does not properly generate documents, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL.
291 CVE-2013-0252 20 Bypass 2013-03-12 2013-12-05
5.0
None Remote Low Not required None Partial None
boost::locale::utf::utf_traits in the Boost.Locale library in Boost 1.48 through 1.52 does not properly detect certain invalid UTF-8 sequences, which might allow remote attackers to bypass input validation protection mechanisms via crafted trailing bytes.
292 CVE-2013-0251 119 DoS Exec Code Overflow 2013-03-19 2013-03-21
10.0
None Remote Low Not required Complete Complete Complete
Stack-based buffer overflow in llogincircuit.cc in latd 1.25 through 1.30 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long string in the llogin version.
293 CVE-2013-0249 119 1 DoS Exec Code Overflow 2013-03-08 2016-12-08
7.5
None Remote Low Not required Partial Partial Partial
Stack-based buffer overflow in the Curl_sasl_create_digest_md5_message function in lib/curl_sasl.c in curl and libcurl 7.26.0 through 7.28.1, when negotiating SASL DIGEST-MD5 authentication, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long string in the realm parameter in a (1) POP3, (2) SMTP or (3) IMAP message.
294 CVE-2013-0248 264 2013-03-15 2021-07-17
3.3
None Local Medium Not required None Partial Partial
The default configuration of javax.servlet.context.tempdir in Apache Commons FileUpload 1.0 through 1.2.2 uses the /tmp directory for uploaded files, which allows local users to overwrite arbitrary files via an unspecified symlink attack.
295 CVE-2013-0239 287 Bypass 2013-03-12 2021-06-16
5.0
None Remote Low Not required None Partial None
Apache CXF before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3, when the plaintext UsernameToken WS-SecurityPolicy is enabled, allows remote attackers to bypass authentication via a security header of a SOAP request containing a UsernameToken element that lacks a password child element.
296 CVE-2013-0232 1 Exec Code 2013-03-20 2013-08-29
7.5
None Remote Low Not required Partial Partial Partial
includes/functions.php in ZoneMinder Video Server 1.24.0, 1.25.0, and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) runState parameter in the packageControl function; or (2) key or (3) command parameter in the setDeviceStatusX10 function.
297 CVE-2013-0228 189 +Priv 2013-03-01 2013-08-22
6.2
None Local High Not required Complete Complete Complete
The xen_iret function in arch/x86/xen/xen-asm_32.S in the Linux kernel before 3.7.9 on 32-bit Xen paravirt_ops platforms does not properly handle an invalid value in the DS segment register, which allows guest OS users to gain guest OS privileges via a crafted application.
298 CVE-2013-0227 79 XSS 2013-03-19 2013-03-21
2.1
None Remote High ??? None Partial None
Cross-site scripting (XSS) vulnerability in the Search API Sorts module 7.x-1.x before 7.x-1.4 for Drupal allows remote authenticated users with certain roles to inject arbitrary web script or HTML via unspecified field labels.
299 CVE-2013-0226 264 2013-03-19 2013-03-21
6.0
None Remote Medium ??? Partial Partial Partial
The Keyboard Shortcut Utility module 7.x-1.x before 7.x-1.1 for Drupal does not properly check node restrictions, which allows (1) remote authenticated users with the "view shortcuts" permission to read nodes or (2) remote authenticated users with the "admin shortcuts" permission to read, edit, or delete nodes via unspecified vectors.
300 CVE-2013-0225 79 XSS 2013-03-19 2013-03-21
2.1
None Remote High ??? None Partial None
Cross-site scripting (XSS) vulnerability in the User Relationships module 6.x-1.x before 6.x-1.4 and 7.x-1.x before 7.x-1.0-alpha5 for Drupal allows remote authenticated users with the "administer user relationships" permission to inject arbitrary web script or HTML via a relationship name.
Total number of vulnerabilities : 430   Page : 1 2 3 4 5 6 (This Page)7 8 9
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.