CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In March 2013

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2013-2717 2013-03-28 2013-03-29
9.3
None Remote Medium Not required Complete Complete Complete
Multiple unspecified vulnerabilities in the System Management (aka SysAdmin) Console in EMC Smarts Network Configuration Manager (NCM) through 9.2 have unknown impact and attack vectors, a different issue than CVE-2013-0935. NOTE: this might overlap CVEs for open-source server components or other third-party components.
2 CVE-2013-2715 79 XSS 2013-03-27 2013-03-28
2.1
None Remote High Single system None Partial None
Cross-site scripting (XSS) vulnerability in the admin view in the Search API (search_api) module 7.x-1.x before 7.x-1.4 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via a crafted field name.
3 CVE-2013-2690 89 1 Exec Code Sql 2013-03-28 2013-08-06
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in index.php in Synchroweb Technology SynConnect 2.0 allows remote attackers to execute arbitrary SQL commands via the loginid parameter in a logoff action.
4 CVE-2013-2640 264 XSS 2013-03-22 2013-04-05
5.0
None Remote Low Not required None Partial None
ajax.functions.php in the MailUp plugin before 1.3.2 for WordPress does not properly restrict access to unspecified Ajax functions, which allows remote attackers to modify plugin settings and conduct cross-site scripting (XSS) attacks via unspecified vectors related to "formData=save" requests, a different version than CVE-2013-0731.
5 CVE-2013-2636 399 +Info 2013-03-22 2013-04-05
1.9
None Local Medium Not required Partial None None
net/bridge/br_mdb.c in the Linux kernel before 3.8.4 does not initialize certain structures, which allows local users to obtain sensitive information from kernel memory via a crafted application.
6 CVE-2013-2635 399 +Info 2013-03-22 2014-02-06
1.9
None Local Medium Not required Partial None None
The rtnl_fill_ifinfo function in net/core/rtnetlink.c in the Linux kernel before 3.8.4 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel stack memory via a crafted application.
7 CVE-2013-2634 399 +Info 2013-03-22 2014-02-06
1.9
None Local Medium Not required Partial None None
net/dcb/dcbnl.c in the Linux kernel before 3.8.4 does not initialize certain structures, which allows local users to obtain sensitive information from kernel stack memory via a crafted application.
8 CVE-2013-2633 20 +Info 2013-03-21 2013-04-09
5.0
None Remote Low Not required Partial None None
Piwik before 1.11 accepts input from a POST request instead of a GET request in unspecified circumstances, which might allow attackers to obtain sensitive information by leveraging the logging of parameters.
9 CVE-2013-2632 DoS 2013-03-21 2013-04-09
6.8
None Remote Medium Not required Partial Partial Partial
Google V8 before 3.17.13, as used in Google Chrome before 27.0.1444.3, allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted JavaScript code, as demonstrated by the Bejeweled game.
10 CVE-2013-2617 94 Exec Code 2013-03-20 2013-03-21
7.5
None Remote Low Not required Partial Partial Partial
lib/curl.rb in the Curl Gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL.
11 CVE-2013-2616 94 Exec Code 2013-03-20 2013-03-21
7.5
None Remote Low Not required Partial Partial Partial
lib/mini_magick.rb in the MiniMagick Gem 1.3.1 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL.
12 CVE-2013-2615 94 Exec Code 2013-03-20 2013-03-21
7.5
None Remote Low Not required Partial Partial Partial
lib/entry_controller.rb in the fastreader Gem 1.0.8 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL.
13 CVE-2013-2566 310 2013-03-15 2014-07-18
2.6
None Remote High Not required Partial None None
The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions that use the same plaintext.
14 CVE-2013-2560 22 Dir. Trav. 2013-03-15 2013-03-20
7.8
None Remote Low Not required Complete None None
Directory traversal vulnerability in the web interface on Foscam devices with firmware before 11.37.2.49 allows remote attackers to read arbitrary files via a .. (dot dot) in the URI, as demonstrated by discovering (1) web credentials or (2) Wi-Fi credentials.
15 CVE-2013-2558 DoS 2013-03-12 2013-03-16
10.0
None Remote Low Not required Complete Complete Complete
Unspecified vulnerability in Microsoft Windows 8 allows remote attackers to cause a denial of service (reboot) or possibly have unknown other impact via a crafted TrueType Font (TTF) file, as demonstrated by the 120612-69701-01.dmp error report.
16 CVE-2013-2557 119 DoS Overflow Mem. Corr. 2013-03-11 2013-03-16
7.5
None Remote Low Not required Partial Partial Partial
The sandbox protection mechanism in Microsoft Internet Explorer 9 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors, as demonstrated against Adobe Flash Player by VUPEN during a Pwn2Own competition at CanSecWest 2013.
17 CVE-2013-2556 Bypass 2013-03-11 2013-11-02
7.5
None Remote Low Not required Partial Partial Partial
Unspecified vulnerability in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and Windows 7 through SP1 allows attackers to bypass the ASLR protection mechanism via unknown vectors, as demonstrated against Adobe Flash Player by VUPEN during a Pwn2Own competition at CanSecWest 2013, aka "ASLR Security Feature Bypass Vulnerability."
18 CVE-2013-2555 189 Exec Code Overflow 2013-03-11 2014-03-26
10.0
None Remote Low Not required Complete Complete Complete
Integer overflow in Adobe Flash Player before 10.3.183.75 and 11.x before 11.7.700.169 on Windows and Mac OS X, before 10.3.183.75 and 11.x before 11.2.202.280 on Linux, before 11.1.111.50 on Android 2.x and 3.x, and before 11.1.115.54 on Android 4.x; Adobe AIR before 3.7.0.1530; and Adobe AIR SDK & Compiler before 3.7.0.1530 allows remote attackers to execute arbitrary code via unspecified vectors, as demonstrated by VUPEN during a Pwn2Own competition at CanSecWest 2013.
19 CVE-2013-2554 Bypass 2013-03-11 2013-03-16
7.5
None Remote Low Not required Partial Partial Partial
Unspecified vulnerability in Microsoft Windows 7 allows attackers to bypass the ASLR and DEP protection mechanisms via unknown vectors, as demonstrated against Firefox by VUPEN during a Pwn2Own competition at CanSecWest 2013, a different vulnerability than CVE-2013-0787.
20 CVE-2013-2553 +Priv 2013-03-11 2013-03-16
7.2
None Local Low Not required Complete Complete Complete
Unspecified vulnerability in the kernel in Microsoft Windows 7 allows local users to gain privileges via unknown vectors, as demonstrated by Nils and Jon of MWR Labs during a Pwn2Own competition at CanSecWest 2013, a different vulnerability than CVE-2013-0912.
21 CVE-2013-2552 Bypass 2013-03-11 2013-03-16
7.5
None Remote Low Not required Partial Partial Partial
Unspecified vulnerability in Microsoft Internet Explorer 10 on Windows 8 allows remote attackers to bypass the sandbox protection mechanism by leveraging access to a Medium integrity process, as demonstrated by VUPEN during a Pwn2Own competition at CanSecWest 2013.
22 CVE-2013-2551 Exec Code 2013-03-11 2013-12-30
9.3
None Remote Medium Not required Complete Complete Complete
Use-after-free vulnerability in Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, as demonstrated by VUPEN during a Pwn2Own competition at CanSecWest 2013, aka "Internet Explorer Use After Free Vulnerability," a different vulnerability than CVE-2013-1308 and CVE-2013-1309.
23 CVE-2013-2550 Bypass 2013-03-11 2013-11-02
7.5
None Remote Low Not required Partial Partial Partial
Unspecified vulnerability in Adobe Reader 11.0.02 allows attackers to bypass the sandbox protection mechanism via unknown vectors, as demonstrated by George Hotz during a Pwn2Own competition at CanSecWest 2013.
24 CVE-2013-2549 94 Exec Code 2013-03-11 2013-11-02
7.5
None Remote Low Not required Partial Partial Partial
Unspecified vulnerability in Adobe Reader 11.0.02 allows remote attackers to execute arbitrary code via vectors related to a "break into the sandbox," as demonstrated by George Hotz during a Pwn2Own competition at CanSecWest 2013.
25 CVE-2013-2548 310 +Info 2013-03-15 2014-01-03
2.1
None Local Low Not required Partial None None
The crypto_report_one function in crypto/crypto_user.c in the report API in the crypto user configuration API in the Linux kernel through 3.8.2 uses an incorrect length value during a copy operation, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability.
26 CVE-2013-2547 310 +Info 2013-03-15 2014-01-03
2.1
None Local Low Not required Partial None None
The crypto_report_one function in crypto/crypto_user.c in the report API in the crypto user configuration API in the Linux kernel through 3.8.2 does not initialize certain structure members, which allows local users to obtain sensitive information from kernel heap memory by leveraging the CAP_NET_ADMIN capability.
27 CVE-2013-2546 310 +Info 2013-03-15 2014-01-03
2.1
None Local Low Not required Partial None None
The report API in the crypto user configuration API in the Linux kernel through 3.8.2 uses an incorrect C library function for copying strings, which allows local users to obtain sensitive information from kernel stack memory by leveraging the CAP_NET_ADMIN capability.
28 CVE-2013-2506 264 2013-03-08 2013-03-18
4.0
None Remote Low Single system None Partial None
app/models/spree/user.rb in spree_auth_devise in Spree 1.1.x before 1.1.6, 1.2.x, and 1.3.x does not perform mass assignment safely when updating a user, which allows remote authenticated users to assign arbitrary roles to themselves.
29 CVE-2013-2503 20 2013-03-11 2013-04-10
5.8
None Remote Medium Not required Partial Partial None
Privoxy before 3.0.21 does not properly handle Proxy-Authenticate and Proxy-Authorization headers in the client-server data stream, which makes it easier for remote HTTP servers to spoof the intended proxy service via a 407 (aka Proxy Authentication Required) HTTP status code.
30 CVE-2013-2501 79 XSS 2013-03-22 2013-03-28
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Terillion Reviews plugin before 1.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the ProfileId field.
31 CVE-2013-2496 119 DoS Overflow 2013-03-09 2013-04-10
7.5
None Remote Low Not required Partial Partial Partial
The msrle_decode_8_16_24_32 function in msrledec.c in libavcodec in FFmpeg through 1.1.3 does not properly determine certain end pointers, which allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via crafted Microsoft RLE data.
32 CVE-2013-2495 189 DoS Overflow 2013-03-09 2013-04-10
7.5
None Remote Low Not required Partial Partial Partial
The iff_read_header function in iff.c in libavformat in FFmpeg through 1.1.3 does not properly handle data sizes for Interchange File Format (IFF) data during operations involving a CMAP chunk or a video codec, which allows remote attackers to cause a denial of service (integer overflow, out-of-bounds array access, and application crash) or possibly have unspecified other impact via a crafted header.
33 CVE-2013-2494 119 DoS Overflow 2013-03-28 2013-03-29
4.9
None Remote High Single system None None Complete
libdns in ISC DHCP 4.2.x before 4.2.5-P1 allows remote name servers to cause a denial of service (memory consumption) via vectors involving a regular expression, as demonstrated by a memory-exhaustion attack against a machine running a dhcpd process, a related issue to CVE-2013-2266.
34 CVE-2013-2493 DoS 2013-03-07 2013-03-07
0.0
None ??? ??? ??? ??? ??? ???
The Hook_Terminate function in chrome_frame/protocol_sink_wrap.cc in the Google Chrome Frame plugin before 26.0.1410.28 for Internet Explorer does not properly handle attach tab requests, which allows user-assisted remote attackers to cause a denial of service (application crash) via an _blank value for the target attribute of an A element.
35 CVE-2013-2492 119 Exec Code Overflow 2013-03-15 2013-05-14
6.8
None Remote Medium Not required Partial Partial Partial
Stack-based buffer overflow in Firebird 2.1.3 through 2.1.5 before 18514, and 2.5.1 through 2.5.3 before 26623, on Windows allows remote attackers to execute arbitrary code via a crafted packet to TCP port 3050, related to a missing size check during extraction of a group number from CNCT information.
36 CVE-2013-2488 20 DoS 2013-03-07 2013-11-02
5.0
None Remote Low Not required None None Partial
The DTLS dissector in Wireshark 1.6.x before 1.6.14 and 1.8.x before 1.8.6 does not validate the fragment offset before invoking the reassembly state machine, which allows remote attackers to cause a denial of service (application crash) via a large offset value that triggers write access to an invalid memory location.
37 CVE-2013-2487 189 DoS 2013-03-07 2013-12-05
7.8
None Remote Low Not required None None Complete
epan/dissectors/packet-reload.c in the REsource LOcation And Discovery (aka RELOAD) dissector in Wireshark 1.8.x before 1.8.6 uses incorrect integer data types, which allows remote attackers to cause a denial of service (infinite loop) via crafted integer values in a packet, related to the (1) dissect_icecandidates, (2) dissect_kinddata, (3) dissect_nodeid_list, (4) dissect_storeans, (5) dissect_storereq, (6) dissect_storeddataspecifier, (7) dissect_fetchreq, (8) dissect_findans, (9) dissect_diagnosticinfo, (10) dissect_diagnosticresponse, (11) dissect_reload_messagecontents, and (12) dissect_reload_message functions, a different vulnerability than CVE-2013-2486.
38 CVE-2013-2486 189 DoS 2013-03-07 2013-12-05
6.1
None Local Network Low Not required None None Complete
The dissect_diagnosticrequest function in epan/dissectors/packet-reload.c in the REsource LOcation And Discovery (aka RELOAD) dissector in Wireshark 1.8.x before 1.8.6 uses an incorrect integer data type, which allows remote attackers to cause a denial of service (infinite loop) via crafted integer values in a packet.
39 CVE-2013-2485 DoS 2013-03-07 2013-11-02
6.1
None Local Network Low Not required None None Complete
The FCSP dissector in Wireshark 1.6.x before 1.6.14 and 1.8.x before 1.8.6 allows remote attackers to cause a denial of service (infinite loop) via a malformed packet.
40 CVE-2013-2484 DoS 2013-03-07 2013-11-02
3.3
None Local Network Low Not required None None Partial
The CIMD dissector in Wireshark 1.6.x before 1.6.14 and 1.8.x before 1.8.6 allows remote attackers to cause a denial of service (application crash) via a malformed packet.
41 CVE-2013-2483 189 DoS 2013-03-07 2013-11-02
3.3
None Local Network Low Not required None None Partial
The acn_add_dmp_data function in epan/dissectors/packet-acn.c in the ACN dissector in Wireshark 1.6.x before 1.6.14 and 1.8.x before 1.8.6 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via an invalid count value in ACN_DMP_ADT_D_RE DMP data.
42 CVE-2013-2482 DoS 2013-03-07 2013-11-02
6.1
None Local Network Low Not required None None Complete
The AMPQ dissector in Wireshark 1.6.x before 1.6.14 and 1.8.x before 1.8.6 allows remote attackers to cause a denial of service (infinite loop) via a malformed packet.
43 CVE-2013-2481 189 DoS 2013-03-07 2013-11-02
2.9
None Local Network Medium Not required None None Partial
Integer signedness error in the dissect_mount_dirpath_call function in epan/dissectors/packet-mount.c in the Mount dissector in Wireshark 1.6.x before 1.6.14 and 1.8.x before 1.8.6, when nfs_file_name_snooping is enabled, allows remote attackers to cause a denial of service (application crash) via a negative length value.
44 CVE-2013-2480 DoS 2013-03-07 2013-11-02
3.3
None Local Network Low Not required None None Partial
The RTPS and RTPS2 dissectors in Wireshark 1.6.x before 1.6.14 and 1.8.x before 1.8.6 allow remote attackers to cause a denial of service (application crash) via a malformed packet.
45 CVE-2013-2479 DoS 2013-03-07 2013-11-02
3.3
None Local Network Low Not required None None Partial
The dissect_mpls_echo_tlv_dd_map function in epan/dissectors/packet-mpls-echo.c in the MPLS Echo dissector in Wireshark 1.8.x before 1.8.6 allows remote attackers to cause a denial of service (infinite loop) via invalid Sub-tlv data.
46 CVE-2013-2478 189 DoS Overflow 2013-03-07 2013-11-02
3.3
None Local Network Low Not required None None Partial
The dissect_server_info function in epan/dissectors/packet-ms-mms.c in the MS-MMS dissector in Wireshark 1.6.x before 1.6.14 and 1.8.x before 1.8.6 does not properly manage string lengths, which allows remote attackers to cause a denial of service (application crash) via a malformed packet that (1) triggers an integer overflow or (2) has embedded '\0' characters in a string.
47 CVE-2013-2477 119 DoS Overflow 2013-03-07 2013-11-02
3.3
None Local Network Low Not required None None Partial
The CSN.1 dissector in Wireshark 1.8.x before 1.8.6 does not properly manage function pointers, which allows remote attackers to cause a denial of service (application crash) via a malformed packet.
48 CVE-2013-2476 399 DoS 2013-03-07 2013-11-02
6.1
None Local Network Low Not required None None Complete
The dissect_hartip function in epan/dissectors/packet-hartip.c in the HART/IP dissector in Wireshark 1.8.x before 1.8.6 allows remote attackers to cause a denial of service (infinite loop) via a packet with a header that is too short.
49 CVE-2013-2475 DoS 2013-03-07 2013-11-02
3.3
None Local Network Low Not required None None Partial
The TCP dissector in Wireshark 1.8.x before 1.8.6 allows remote attackers to cause a denial of service (application crash) via a malformed packet.
50 CVE-2013-2373 264 +Info 2013-03-15 2013-03-18
6.4
None Remote Low Not required Partial Partial None
The Engine in TIBCO Spotfire Web Player 3.3.x before 3.3.3, 4.0.x before 4.0.3, 4.5.x before 4.5.1, and 5.0.x before 5.0.1 does not properly implement access control, which allows remote attackers to obtain sensitive information or modify data via unspecified vectors.
Total number of vulnerabilities : 430   Page : 1 (This Page)2 3 4 5 6 7 8 9
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.