| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2013-2715 | 79 | | XSS | 2013-03-27 | 2013-03-28 | 2.1 | None | Remote | High | Single system | None | Partial | None | Cross-site scripting (XSS) vulnerability in the admin view in the Search API (search_api) module 7.x-1.x before 7.x-1.4 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via a crafted field name. |
| 2 | CVE-2013-2566 | 310 | | | 2013-03-15 | 2013-04-19 | 2.6 | None | Remote | High | Not required | Partial | None | None | The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions that use the same plaintext. |
| 3 | CVE-2013-2548 | 310 | | +Info | 2013-03-15 | 2013-05-14 | 2.1 | None | Local | Low | Not required | Partial | None | None | The crypto_report_one function in crypto/crypto_user.c in the report API in the crypto user configuration API in the Linux kernel through 3.8.2 uses an incorrect length value during a copy operation, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability. |
| 4 | CVE-2013-2547 | 310 | | +Info | 2013-03-15 | 2013-05-14 | 2.1 | None | Local | Low | Not required | Partial | None | None | The crypto_report_one function in crypto/crypto_user.c in the report API in the crypto user configuration API in the Linux kernel through 3.8.2 does not initialize certain structure members, which allows local users to obtain sensitive information from kernel heap memory by leveraging the CAP_NET_ADMIN capability. |
| 5 | CVE-2013-2546 | 310 | | +Info | 2013-03-15 | 2013-05-14 | 2.1 | None | Local | Low | Not required | Partial | None | None | The report API in the crypto user configuration API in the Linux kernel through 3.8.2 uses an incorrect C library function for copying strings, which allows local users to obtain sensitive information from kernel stack memory by leveraging the CAP_NET_ADMIN capability. |
| 6 | CVE-2013-2488 | 20 | | DoS | 2013-03-07 | 2013-04-10 | 2.9 | None | Local Network | Medium | Not required | None | None | Partial | The DTLS dissector in Wireshark 1.6.x before 1.6.14 and 1.8.x before 1.8.6 does not validate the fragment offset before invoking the reassembly state machine, which allows remote attackers to cause a denial of service (application crash) via a large offset value that triggers write access to an invalid memory location. |
| 7 | CVE-2013-2481 | 189 | | DoS | 2013-03-07 | 2013-04-10 | 2.9 | None | Local Network | Medium | Not required | None | None | Partial | Integer signedness error in the dissect_mount_dirpath_call function in epan/dissectors/packet-mount.c in the Mount dissector in Wireshark 1.6.x before 1.6.14 and 1.8.x before 1.8.6, when nfs_file_name_snooping is enabled, allows remote attackers to cause a denial of service (application crash) via a negative length value. |
| 8 | CVE-2013-2415 | | | | 2013-04-17 | 2013-04-18 | 2.1 | None | Local | Low | Not required | Partial | None | None | Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier allows local users to affect confidentiality via vectors related to JAX-WS. |
| 9 | CVE-2013-1956 | 264 | | Bypass | 2013-04-24 | 2013-05-01 | 2.1 | None | Local | Low | Not required | None | Partial | None | The create_user_ns function in kernel/user_namespace.c in the Linux kernel before 3.8.6 does not check whether a chroot directory exists that differs from the namespace root directory, which allows local users to bypass intended filesystem restrictions via a crafted clone system call. |
| 10 | CVE-2013-1940 | 264 | | +Info | 2013-05-13 | 2013-05-14 | 2.1 | None | Local | Low | Not required | Partial | None | None | X.Org X server before 1.13.4 and 1.4.x before 1.14.1 does not properly restrict access to input events when adding a new hot-plug device, which might allow physically proximate attackers to obtain sensitive information, as demonstrated by reading passwords from a tty. |
| 11 | CVE-2013-1897 | 264 | | +Info | 2013-05-13 | 2013-05-14 | 2.6 | None | Remote | High | Not required | Partial | None | None | The do_search function in ldap/servers/slapd/search.c in 389 Directory Server 1.2.x before 1.2.11.20 and 1.3.x before 1.3.0.5 does not properly restrict access to entries when the nsslapd-allow-anonymous-access configuration is set to rootdse and the BASE search scope is used, which allows remote attackers to obtain sensitive information outside of the rootDSE via a crafted LDAP search. |
| 12 | CVE-2013-1887 | 79 | | XSS | 2013-03-27 | 2013-03-28 | 2.1 | None | Remote | High | Single system | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in the Views module 7.x-3.x before 7.x-3.6 for Drupal allow remote authenticated users with certain permissions to inject arbitrary web script or HTML via certain view configuration fields. |
| 13 | CVE-2013-1845 | 119 | | DoS Overflow | 2013-05-02 | 2013-05-06 | 2.1 | None | Remote | High | Single system | None | None | Partial | The mod_dav_svn Apache HTTPD server module in Subversion 1.6.x before 1.6.21 and 1.7.0 through 1.7.8 allows remote authenticated users to cause a denial of service (memory consumption) by (1) setting or (2) deleting a large number of properties for a file or directory. |
| 14 | CVE-2013-1787 | 79 | | XSS | 2013-03-27 | 2013-03-28 | 2.1 | None | Remote | High | Single system | None | Partial | None | Cross-site scripting (XSS) vulnerability in the 3 slide gallery in the Simple Corporate theme before 7.x-1.4 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via unspecified vectors. |
| 15 | CVE-2013-1786 | 79 | | XSS | 2013-03-27 | 2013-03-28 | 2.1 | None | Remote | High | Single system | None | Partial | None | Cross-site scripting (XSS) vulnerability in the 3 slide gallery in the Company theme before 7.x-1.4 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via unspecified vectors. |
| 16 | CVE-2013-1785 | 79 | | XSS | 2013-03-27 | 2013-03-28 | 2.1 | None | Remote | High | Single system | None | Partial | None | Cross-site scripting (XSS) vulnerability in the 3 slide gallery in the Premium Responsive theme before 7.x-1.6 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via unspecified vectors. |
| 17 | CVE-2013-1784 | 79 | | XSS | 2013-03-27 | 2013-03-28 | 2.1 | None | Remote | High | Single system | None | Partial | None | Cross-site scripting (XSS) vulnerability in the 3 slide gallery in the Clean Theme before 7.x-1.3 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via unspecified vectors. |
| 18 | CVE-2013-1783 | 79 | | XSS | 2013-03-27 | 2013-03-28 | 2.1 | None | Remote | High | Single system | None | Partial | None | Cross-site scripting (XSS) vulnerability in the 3 slide gallery in page--front.tpl.php in the Business theme before 7.x-1.8 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via unspecified vectors. |
| 19 | CVE-2013-1782 | 79 | | XSS | 2013-03-27 | 2013-03-28 | 2.1 | None | Remote | High | Single system | None | Partial | None | Cross-site scripting (XSS) vulnerability in the Responsive Blog Theme 7.x-1.x before 7.x-1.6 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via vectors related to social icons. |
| 20 | CVE-2013-1781 | 79 | | XSS | 2013-03-27 | 2013-03-28 | 2.1 | None | Remote | High | Single system | None | Partial | None | Cross-site scripting (XSS) vulnerability in the 3 slide gallery in the Professional theme before 7.x-1.4 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via unspecified vectors. |
| 21 | CVE-2013-1780 | 79 | | XSS | 2013-03-27 | 2013-03-28 | 2.1 | None | Remote | High | Single system | None | Partial | None | Cross-site scripting (XSS) vulnerability in the Best Responsive Theme 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via vectors related to social icons. |
| 22 | CVE-2013-1779 | 79 | | XSS | 2013-03-27 | 2013-03-28 | 2.1 | None | Remote | High | Single system | None | Partial | None | Cross-site scripting (XSS) vulnerability in the 3 slide gallery in the Fresh theme before 7.x-1.4 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via unspecified vectors. |
| 23 | CVE-2013-1778 | 79 | | XSS | 2013-03-27 | 2013-03-28 | 2.1 | None | Remote | High | Single system | None | Partial | None | Cross-site scripting (XSS) vulnerability in the Creative Theme 7.x-1.x before 7.x-1.2 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via vectors related to social icons. |
| 24 | CVE-2013-1590 | 119 | | DoS Overflow | 2013-02-02 | 2013-03-06 | 2.9 | None | Local Network | Medium | Not required | None | None | Partial | Buffer overflow in the NTLMSSP dissector in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 allows remote attackers to cause a denial of service (application crash) via a malformed packet. |
| 25 | CVE-2013-1589 | 399 | | DoS | 2013-02-02 | 2013-02-11 | 2.9 | None | Local Network | Medium | Not required | None | None | Partial | Double free vulnerability in epan/proto.c in the dissection engine in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 allows remote attackers to cause a denial of service (application crash) via a malformed packet. |
| 26 | CVE-2013-1588 | 119 | | DoS Overflow | 2013-02-02 | 2013-03-06 | 2.9 | None | Local Network | Medium | Not required | None | None | Partial | Multiple buffer overflows in the dissect_pft_fec_detailed function in the DCP-ETSI dissector in epan/dissectors/packet-dcp-etsi.c in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 allow remote attackers to cause a denial of service (application crash) via a malformed packet. |
| 27 | CVE-2013-1587 | | | DoS | 2013-02-02 | 2013-02-04 | 2.9 | None | Local Network | Medium | Not required | None | None | Partial | The dissect_rohc_ir_packet function in epan/dissectors/packet-rohc.c in the ROHC dissector in Wireshark 1.8.x before 1.8.5 does not properly handle unknown profiles, which allows remote attackers to cause a denial of service (application crash) via a malformed packet. |
| 28 | CVE-2013-1586 | | | DoS | 2013-02-02 | 2013-03-06 | 2.9 | None | Local Network | Medium | Not required | None | None | Partial | The fragment_set_tot_len function in epan/reassemble.c in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 does not properly determine the length of a reassembled packet for the DTLS dissector, which allows remote attackers to cause a denial of service (application crash) via a malformed packet. |
| 29 | CVE-2013-1585 | 20 | | DoS | 2013-02-02 | 2013-02-06 | 2.9 | None | Local Network | Medium | Not required | None | None | Partial | epan/tvbuff.c in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 does not properly validate certain length values for the MS-MMC dissector, which allows remote attackers to cause a denial of service (application crash) via a malformed packet. |
| 30 | CVE-2013-1584 | 20 | | DoS | 2013-02-02 | 2013-02-06 | 2.9 | None | Local Network | Medium | Not required | None | None | Partial | The dissect_version_5_and_6_primary_header function in epan/dissectors/packet-dtn.c in the DTN dissector in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 accesses an inappropriate pointer, which allows remote attackers to cause a denial of service (application crash) via a malformed packet. |
| 31 | CVE-2013-1583 | 20 | | DoS | 2013-02-02 | 2013-02-06 | 2.9 | None | Local Network | Medium | Not required | None | None | Partial | The dissect_version_4_primary_header function in epan/dissectors/packet-dtn.c in the DTN dissector in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 accesses an inappropriate pointer, which allows remote attackers to cause a denial of service (application crash) via a malformed packet. |
| 32 | CVE-2013-1582 | 189 | | DoS | 2013-02-02 | 2013-03-06 | 2.9 | None | Local Network | Medium | Not required | None | None | Partial | The dissect_clnp function in epan/dissectors/packet-clnp.c in the CLNP dissector in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 does not properly manage an offset variable, which allows remote attackers to cause a denial of service (infinite loop or application crash) via a malformed packet. |
| 33 | CVE-2013-1581 | 20 | | DoS | 2013-02-02 | 2013-02-11 | 2.9 | None | Local Network | Medium | Not required | None | None | Partial | The dissect_pft_fec_detailed function in epan/dissectors/packet-dcp-etsi.c in the DCP-ETSI dissector in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 does not properly handle fragment gaps, which allows remote attackers to cause a denial of service (loop) via a malformed packet. |
| 34 | CVE-2013-1580 | 20 | | DoS | 2013-02-02 | 2013-02-11 | 2.9 | None | Local Network | Medium | Not required | None | None | Partial | The dissect_cmstatus_tlv function in plugins/docsis/packet-cmstatus.c in the DOCSIS CM-STATUS dissector in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 uses an incorrect data type for a position variable, which allows remote attackers to cause a denial of service (infinite loop) via a malformed packet. |
| 35 | CVE-2013-1579 | 399 | | DoS | 2013-02-02 | 2013-02-04 | 2.9 | None | Local Network | Medium | Not required | None | None | Partial | The rtps_util_add_bitmap function in epan/dissectors/packet-rtps.c in the RTPS dissector in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 does not properly implement certain nested loops for processing bitmap data, which allows remote attackers to cause a denial of service (infinite loop) via a malformed packet. |
| 36 | CVE-2013-1578 | 20 | | DoS | 2013-02-02 | 2013-02-11 | 2.9 | None | Local Network | Medium | Not required | None | None | Partial | The dissect_pw_eth_heuristic function in epan/dissectors/packet-pw-eth.c in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 does not properly handle apparent Ethernet address values at the beginning of MPLS data, which allows remote attackers to cause a denial of service (loop) via a malformed packet. |
| 37 | CVE-2013-1577 | 20 | | DoS | 2013-02-02 | 2013-02-11 | 2.9 | None | Local Network | Medium | Not required | None | None | Partial | The dissect_sip_p_charging_func_addresses function in epan/dissectors/packet-sip.c in the SIP dissector in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 does not properly handle offset data associated with a quoted string, which allows remote attackers to cause a denial of service (infinite loop) via a malformed packet. |
| 38 | CVE-2013-1576 | 310 | | DoS | 2013-02-02 | 2013-02-11 | 2.9 | None | Local Network | Medium | Not required | None | None | Partial | The dissect_sdp_media_attribute function in epan/dissectors/packet-sdp.c in the SDP dissector in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 does not properly process crypto-suite parameters, which allows remote attackers to cause a denial of service (infinite loop) via a malformed packet. |
| 39 | CVE-2013-1575 | 20 | | DoS | 2013-02-02 | 2013-02-11 | 2.9 | None | Local Network | Medium | Not required | None | None | Partial | The dissect_r3_cmd_alarmconfigure function in epan/dissectors/packet-assa_r3.c in the R3 dissector in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 does not properly handle a certain alarm length, which allows remote attackers to cause a denial of service (infinite loop) via a malformed packet. |
| 40 | CVE-2013-1572 | 20 | | DoS | 2013-02-02 | 2013-02-11 | 2.9 | None | Local Network | Medium | Not required | None | None | Partial | The dissect_oampdu_event_notification function in epan/dissectors/packet-slowprotocols.c in the IEEE 802.3 Slow Protocols dissector in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 does not properly handle certain short lengths, which allows remote attackers to cause a denial of service (infinite loop) via a malformed packet. |
| 41 | CVE-2013-1560 | | | | 2013-04-17 | 2013-04-17 | 2.1 | None | Remote | High | Single system | Partial | None | None | Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking component in Oracle Financial Services Software 2.8.0 through 4.1.0 allows remote authenticated users to affect confidentiality via vectors related to BASE, a different vulnerability than CVE-2013-2385. |
| 42 | CVE-2013-1517 | | | | 2013-04-17 | 2013-04-17 | 2.6 | None | Remote | High | Not required | Partial | None | None | Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1.3 allows remote attackers to affect confidentiality via unknown vectors related to Diagnostics. |
| 43 | CVE-2013-1506 | | | | 2013-04-17 | 2013-04-17 | 2.8 | None | Remote | Medium | Multiple systems | None | None | Partial | Unspecified vulnerability in Oracle MySQL 5.1.67 and earlier, 5.5.29 and earlier, and 5.6.10 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server Locking. |
| 44 | CVE-2013-0980 | 264 | | Bypass | 2013-03-20 | 2013-03-21 | 2.1 | None | Local | Low | Not required | None | Partial | None | The Passcode Lock implementation in Apple iOS before 6.1.3 does not properly manage the lock state, which allows physically proximate attackers to bypass an intended passcode requirement by leveraging an error in the emergency-call feature. |
| 45 | CVE-2013-0978 | 200 | | Bypass +Info | 2013-03-20 | 2013-03-21 | 2.1 | None | Local | Low | Not required | Partial | None | None | The ARM prefetch abort handler in the kernel in Apple iOS before 6.1.3 and Apple TV before 5.2.1 does not ensure that it has been invoked in an abort context, which makes it easier for local users to bypass the ASLR protection mechanism via crafted code. |
| 46 | CVE-2013-0963 | 20 | | Bypass | 2013-01-29 | 2013-03-15 | 2.1 | None | Local | Low | Not required | None | Partial | None | Identity Services in Apple iOS before 6.1 does not properly handle validation failures of AppleID certificates, which might allow physically proximate attackers to bypass authentication by leveraging an incorrect assignment of an empty string value to an AppleID. |
| 47 | CVE-2013-0962 | 79 | | XSS | 2013-01-29 | 2013-03-15 | 2.6 | None | Remote | High | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in WebKit in Apple iOS before 6.1 allows user-assisted remote attackers to inject arbitrary web script or HTML via crafted content that is not properly handled during a copy-and-paste operation. |
| 48 | CVE-2013-0572 | 79 | | XSS | 2013-04-26 | 2013-05-01 | 2.3 | None | Local Network | Medium | Single system | None | Partial | None | Cross-site scripting (XSS) vulnerability in IBM Document Connect for Application Support Facility (aka DC4ASF) before 1.0.0.1218 in Application Support Facility (ASF) 3.4 for z/OS on Windows, Linux, and AIX allows remote authenticated users to inject content, and conduct phishing attacks, via unspecified vectors. |
| 49 | CVE-2013-0571 | 79 | | XSS | 2013-04-26 | 2013-04-29 | 2.9 | None | Local Network | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in IBM Document Connect for Application Support Facility (aka DC4ASF) before 1.0.0.1218 in Application Support Facility (ASF) 3.4 for z/OS on Windows, Linux, and AIX allows remote attackers to inject arbitrary web script or HTML via a crafted URL. |
| 50 | CVE-2013-0466 | 79 | | XSS | 2013-02-20 | 2013-02-20 | 2.6 | None | Remote | High | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in IBM WebSphere Message Broker 7.0 before 7.0.0.6 and 8.0 before 8.0.0.2, when wsdl support is enabled on a SOAPInput node, allows remote attackers to inject arbitrary web script or HTML via a wsdl request that is not properly handled during construction of an error message. |