| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 201 | CVE-2013-7294 | 20 | | DoS | 2014-01-16 | 2018-01-03 | 5.0 | None | Remote | Low | Not required | None | None | Partial | The ikev2parent_inI1outR1 function in pluto/ikev2_parent.c in libreswan before 3.7 allows remote attackers to cause a denial of service (restart) via an IKEv2 I1 notification without a KE payload. |
| 202 | CVE-2013-7293 | 16 | | | 2014-01-15 | 2016-12-31 | 5.0 | None | Remote | Low | Not required | None | Partial | None | The ASUS WL-330NUL router has a configuration process that relies on accessing the 192.168.1.1 IP address, but the documentation advises users to instead access a DNS hostname that does not always resolve to 192.168.1.1, which makes it easier for remote attackers to hijack the configuration traffic by controlling the server associated with that hostname. |
| 203 | CVE-2013-7289 | 79 | | XSS | 2014-01-10 | 2014-02-25 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in register.php in Andy's PHP Knowledgebase (Aphpkb) before 0.95.8 allow remote attackers to inject arbitrary web script or HTML via the (1) first_name, (2) last_name, (3) email, or (4) username parameter. |
| 204 | CVE-2013-7288 | 79 | | XSS | 2014-01-10 | 2014-02-25 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in the mycode_parse_video function in inc/class_parser.php in MyBB (aka MyBulletinBoard) before 1.6.12 allows remote attackers to inject arbitrary web script or HTML via vectors related to Yahoo video URLs. |
| 205 | CVE-2013-7283 | 362 | | | 2014-01-09 | 2014-01-10 | 9.3 | None | Remote | Medium | Not required | Complete | Complete | Complete | Race condition in the libreswan.spec files for Red Hat Enterprise Linux (RHEL) and Fedora packages in libreswan 3.6 has unspecified impact and attack vectors, involving the /var/tmp/libreswan-nss-pwd temporary file. |
| 206 | CVE-2013-7282 | 287 | | Bypass | 2014-01-10 | 2014-01-10 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | The management web interface on the Nisuta NS-WIR150NE router with firmware 5.07.41 and Nisuta NS-WIR300N router with firmware 5.07.36_NIS01 allows remote attackers to bypass authentication via a "Cookie: :language=en" HTTP header. |
| 207 | CVE-2013-7281 | 200 | | +Info | 2014-01-08 | 2017-08-29 | 4.9 | None | Local | Low | Not required | Complete | None | None | The dgram_recvmsg function in net/ieee802154/dgram.c in the Linux kernel before 3.12.4 updates a certain length value without ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call. |
| 208 | CVE-2013-7280 | 119 | 2 | DoS Overflow | 2014-01-08 | 2016-12-31 | 4.3 | None | Remote | Medium | Not required | None | None | Partial | Buffer overflow in HansoTools Hanso Player 2.1.0, 2.5.0, and earlier allows remote attackers to cause a denial of service (crash) via a long string in a .m3u file. |
| 209 | CVE-2013-7279 | 79 | | XSS | 2014-01-08 | 2017-08-29 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in views/video-management/preview_video.php in the S3 Video plugin before 0.983 for WordPress allows remote attackers to inject arbitrary web script or HTML via the base parameter. |
| 210 | CVE-2013-7278 | 89 | | Exec Code Sql | 2014-01-08 | 2017-08-29 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | SQL injection vulnerability in Naxtech CMS Afroditi 1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter to default.asp. |
| 211 | CVE-2013-7277 | 79 | | XSS | 2014-01-08 | 2016-12-31 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in Andy's PHP Knowledgebase (Aphpkb) before 0.95.8 allow remote attackers to inject arbitrary web script or HTML via the (1) HTTP Referer header to saa.php, (2) username parameter to login.php, or (3) keyword_list parameter to keysearch.php. |
| 212 | CVE-2013-7276 | 79 | | XSS | 2014-01-08 | 2017-08-29 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in inc/raf_form.php in the Recommend to a friend plugin 2.0.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the current_url parameter. |
| 213 | CVE-2013-7275 | 79 | | XSS | 2014-01-08 | 2014-02-25 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in misc.php in MyBB (aka MyBulletinBoard) before 1.6.12 allows remote attackers to inject arbitrary web script or HTML via the editor parameter in a smilie list popup. |
| 214 | CVE-2013-7271 | 20 | | +Info | 2014-01-06 | 2017-08-29 | 4.9 | None | Local | Low | Not required | Complete | None | None | The x25_recvmsg function in net/x25/af_x25.c in the Linux kernel before 3.12.4 updates a certain length value without ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call. |
| 215 | CVE-2013-7270 | 20 | | +Info | 2014-01-06 | 2017-08-29 | 4.9 | None | Local | Low | Not required | Complete | None | None | The packet_recvmsg function in net/packet/af_packet.c in the Linux kernel before 3.12.4 updates a certain length value before ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call. |
| 216 | CVE-2013-7269 | 20 | | +Info | 2014-01-06 | 2017-08-29 | 4.9 | None | Local | Low | Not required | Complete | None | None | The nr_recvmsg function in net/netrom/af_netrom.c in the Linux kernel before 3.12.4 updates a certain length value without ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call. |
| 217 | CVE-2013-7268 | 20 | | +Info | 2014-01-06 | 2014-03-16 | 4.9 | None | Local | Low | Not required | Complete | None | None | The ipx_recvmsg function in net/ipx/af_ipx.c in the Linux kernel before 3.12.4 updates a certain length value without ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call. |
| 218 | CVE-2013-7267 | 20 | | +Info | 2014-01-06 | 2014-03-16 | 4.9 | None | Local | Low | Not required | Complete | None | None | The atalk_recvmsg function in net/appletalk/ddp.c in the Linux kernel before 3.12.4 updates a certain length value without ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call. |
| 219 | CVE-2013-7266 | 20 | | +Info | 2014-01-06 | 2014-03-16 | 4.9 | None | Local | Low | Not required | Complete | None | None | The mISDN_sock_recvmsg function in drivers/isdn/mISDN/socket.c in the Linux kernel before 3.12.4 does not ensure that a certain length value is consistent with the size of an associated data structure, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call. |
| 220 | CVE-2013-7265 | 20 | | +Info | 2014-01-06 | 2017-12-16 | 4.9 | None | Local | Low | Not required | Complete | None | None | The pn_recvmsg function in net/phonet/datagram.c in the Linux kernel before 3.12.4 updates a certain length value before ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call. |
| 221 | CVE-2013-7264 | 20 | | +Info | 2014-01-06 | 2017-12-16 | 4.9 | None | Local | Low | Not required | Complete | None | None | The l2tp_ip_recvmsg function in net/l2tp/l2tp_ip.c in the Linux kernel before 3.12.4 updates a certain length value before ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call. |
| 222 | CVE-2013-7263 | 20 | | +Info | 2014-01-06 | 2017-12-16 | 4.9 | None | Local | Low | Not required | Complete | None | None | The Linux kernel before 3.12.4 updates certain length values before ensuring that associated data structures have been initialized, which allows local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call, related to net/ipv4/ping.c, net/ipv4/raw.c, net/ipv4/udp.c, net/ipv6/raw.c, and net/ipv6/udp.c. |
| 223 | CVE-2013-7262 | 89 | | Exec Code Sql | 2014-01-05 | 2021-06-07 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | SQL injection vulnerability in the msPostGISLayerSetTimeFilter function in mappostgis.c in MapServer before 6.4.1, when a WMS-Time service is used, allows remote attackers to execute arbitrary SQL commands via a crafted string in a PostGIS TIME filter. |
| 224 | CVE-2013-7260 | 119 | 1 | Exec Code Overflow | 2014-01-03 | 2020-05-11 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Multiple stack-based buffer overflows in RealNetworks RealPlayer before 17.0.4.61 on Windows, and Mac RealPlayer before 12.0.1.1738, allow remote attackers to execute arbitrary code via a long (1) version number or (2) encoding declaration in the XML declaration of an RMP file, a different issue than CVE-2013-6877. |
| 225 | CVE-2013-7258 | 79 | | XSS | 2014-01-03 | 2016-12-31 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in web2ldap 1.1.x before 1.1.49 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "displaying group DN and entry data in group administration UI." |
| 226 | CVE-2013-7257 | 79 | | XSS | 2014-01-03 | 2017-08-29 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in Codiad 2.0.7 allows remote attackers to inject arbitrary web script or HTML via the Project Name field. |
| 227 | CVE-2013-7256 | 352 | | CSRF | 2014-01-03 | 2014-02-25 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Cross-site request forgery (CSRF) vulnerability in Opsview before 4.4.2 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. |
| 228 | CVE-2013-7255 | 20 | | | 2014-01-03 | 2017-08-29 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | Open redirect vulnerability in Opsview before 4.4.2 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. |
| 229 | CVE-2013-7254 | 79 | | XSS | 2014-01-03 | 2017-08-29 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in Opsview before 4.4.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 230 | CVE-2013-7251 | 352 | | CSRF | 2014-01-02 | 2016-12-31 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Multiple cross-site request forgery (CSRF) vulnerabilities in ProjectForge before 5.3 allow remote attackers to hijack the authentication of arbitrary users via vectors related to (1) web/admin/, (2) web/core/, (3) web/dialog/, (4) web/fibu/, (5) web/mobile/, (6) web/task/, or (7) web/wicket/. |
| 231 | CVE-2013-7249 | 200 | | +Info | 2014-01-02 | 2014-01-03 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Fat Free CRM before 0.12.1 does not restrict XML serialization, which allows remote attackers to obtain sensitive information via a direct request, as demonstrated by a request for users/1.xml, a different vulnerability than CVE-2013-7224. |
| 232 | CVE-2013-7248 | 255 | | +Priv | 2014-01-26 | 2014-01-27 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | Franklin Fueling Systems TS-550 evo with firmware 2.0.0.6833 and other versions before 2.4.0 has a hardcoded password for the roleDiag account, which allows remote attackers to gain root privileges, as demonstrated using a cmdWebCheckRole action in a TSA_REQUEST. |
| 233 | CVE-2013-7247 | 264 | | | 2014-01-26 | 2014-01-27 | 5.0 | None | Remote | Low | Not required | Partial | None | None | cgi-bin/tsaws.cgi in Franklin Fueling Systems TS-550 evo with firmware 2.0.0.6833 and other versions before 2.4.0 allows remote attackers to discover sensitive information (user names and password hashes) via the cmdWebGetConfiguration action in a TSA_REQUEST. |
| 234 | CVE-2013-7246 | 119 | 1 | Exec Code Overflow | 2014-01-30 | 2017-08-29 | 9.3 | None | Remote | Medium | Not required | Complete | Complete | Complete | Buffer overflow in the IconCreate method in an ActiveX control in the DaumGame ActiveX plugin 1.1.0.4 and 1.1.0.5 allows remote attackers to execute arbitrary code via a long string, as exploited in the wild in January 2014. |
| 235 | CVE-2013-7243 | 79 | | XSS | 2014-01-17 | 2018-10-30 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in GetSimple CMS 3.1.2 and 3.2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) post-menu field to edit.php or (2) Display name field to settings.php. NOTE: The Custom Permalink Structure and Email Address fields are already covered by CVE-2012-6621. |
| 236 | CVE-2013-7240 | 22 | | Dir. Trav. | 2014-01-03 | 2014-02-25 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Directory traversal vulnerability in download-file.php in the Advanced Dewplayer plugin 1.2 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the dew_file parameter. |
| 237 | CVE-2013-7239 | 287 | | Bypass | 2014-01-13 | 2018-03-25 | 4.8 | None | Local Network | Low | Not required | Partial | Partial | None | memcached before 1.4.17 allows remote attackers to bypass authentication by sending an invalid request with SASL credentials, then sending another request with incorrect SASL credentials. |
| 238 | CVE-2013-7225 | 89 | | Exec Code Sql | 2014-01-02 | 2014-01-03 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial | Multiple SQL injection vulnerabilities in app/controllers/home_controller.rb in Fat Free CRM before 0.12.1 allow remote authenticated users to execute arbitrary SQL commands via (1) the homepage timeline feature or (2) the activity feature. |
| 239 | CVE-2013-7224 | 200 | | +Info | 2014-01-02 | 2014-01-03 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Fat Free CRM before 0.12.1 does not restrict JSON serialization, which allows remote attackers to obtain sensitive information via a direct request, as demonstrated by a request for users/1.json. |
| 240 | CVE-2013-7223 | 352 | | CSRF | 2014-01-02 | 2014-01-03 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Multiple cross-site request forgery (CSRF) vulnerabilities in Fat Free CRM before 0.12.1 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors, related to the lack of a protect_from_forgery line in app/controllers/application_controller.rb. |
| 241 | CVE-2013-7222 | 310 | | | 2014-01-02 | 2014-01-03 | 5.0 | None | Remote | Low | Not required | None | Partial | None | config/initializers/secret_token.rb in Fat Free CRM before 0.12.1 has a fixed FatFreeCRM::Application.config.secret_token value, which makes it easier for remote attackers to spoof signed cookies by referring to the key in the source code. |
| 242 | CVE-2013-7219 | 89 | | Exec Code Sql | 2014-01-21 | 2018-10-09 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | SQL injection vulnerability in vote.php in the 2Glux Sexy Polling (com_sexypolling) component before 1.0.9 for Joomla! allows remote attackers to execute arbitrary SQL commands via the answer_id[] parameter. |
| 243 | CVE-2013-7205 | 119 | | DoS Overflow +Info | 2014-01-15 | 2018-12-25 | 6.4 | None | Remote | Low | Not required | Partial | None | Partial | Off-by-one error in the process_cgivars function in contrib/daemonchk.c in Nagios Core 3.5.1, 4.0.2, and earlier allows remote authenticated users to obtain sensitive information from process memory or cause a denial of service (crash) via a long string in the last key value in the variable list, which triggers a heap-based buffer over-read. |
| 244 | CVE-2013-7204 | 352 | 1 | CSRF | 2014-01-17 | 2018-10-09 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Cross-site request forgery (CSRF) vulnerability in set_users.cgi in Conceptronic CIPCAMPTIWL Camera 1.0 with firmware 21.37.2.49 allows remote attackers to hijack the authentication of administrators for requests that add arbitrary users. |
| 245 | CVE-2013-7184 | 119 | 1 | DoS Overflow Mem. Corr. | 2014-01-24 | 2017-08-29 | 4.3 | None | Remote | Medium | Not required | None | None | Partial | Gretech GOM Media Player 2.2.56.5158 and earlier allows remote attackers to cause a denial of service (memory corruption) via a crafted AVI file. |
| 246 | CVE-2013-7175 | 89 | | Exec Code Sql | 2014-01-24 | 2016-12-31 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial | Multiple SQL injection vulnerabilities in Avanset Visual CertExam Manager 3.3 and earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) Title, (2) File name, or (3) Candidate Name field. |
| 247 | CVE-2013-7174 | 22 | | Dir. Trav. | 2014-01-09 | 2016-12-31 | 7.8 | None | Remote | Low | Not required | Complete | None | None | Absolute path traversal vulnerability in cgi-bin/jc.cgi in QNAP QTS before 4.1.0 allows remote attackers to read arbitrary files via a full pathname in the f parameter. |
| 248 | CVE-2013-7143 | 79 | | XSS | 2014-01-26 | 2017-08-29 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in Open-Xchange (OX) AppSuite 7.4.1 allows remote attackers to inject arbitrary web script or HTML via the title in a mail filter rule. |
| 249 | CVE-2013-7142 | 79 | | XSS | 2014-01-26 | 2017-08-29 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in Open-Xchange (OX) AppSuite 7.4.1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified oAuth API functions. |
| 250 | CVE-2013-7141 | 79 | | XSS | 2014-01-26 | 2017-08-29 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in Open-Xchange (OX) AppSuite 7.4.1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to crafted "<%" tags. |
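The ten Linux kernel entries in this list (CVE-2013-7263 through CVE-2013-7271 and CVE-2013-7281) share one bug shape: a protocol's recvmsg handler writes msg_namelen before, or independently of, filling msg_name, and the generic syscall tail then copies that many bytes of the caller's sockaddr_storage slot back to user space, whatever the kernel stack happened to hold there. The C program below is an added user-space model of that pattern and of the shape of the 3.12.4 fix; it is not kernel code and not taken from any project on this page. Every name in it (msghdr_model, dgram_model, recvmsg_vulnerable, recvmsg_fixed, deliver_name, run_recv, kstack_leftover) is hypothetical, the "stale kernel stack" is a buffer pre-filled with a constructed marker byte, and copy_to_user is a memcpy.

```c
/* Added model of the recvmsg msg_namelen info leak (Linux < 3.12.4). User-space
 * only: the "kernel stack" is a marker-filled buffer, copy_to_user is memcpy. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_SLOT    128   /* stands in for sizeof(struct sockaddr_storage) */
#define SOCKADDR_LEN 16    /* stands in for sizeof(struct sockaddr_in) */

struct msghdr_model {
    uint8_t *msg_name;     /* caller's sockaddr_storage slot on the kernel stack */
    int      msg_namelen;  /* bytes of msg_name the syscall tail will copy out */
};

/* A received datagram; some handler paths have no source address to report. */
struct dgram_model {
    int     has_addr;
    uint8_t addr[SOCKADDR_LEN];
};

typedef void (*handler_fn)(struct msghdr_model *, const struct dgram_model *);

/* Vulnerable shape: msg_namelen written unconditionally, msg_name only sometimes. */
static void recvmsg_vulnerable(struct msghdr_model *msg, const struct dgram_model *d)
{
    msg->msg_namelen = SOCKADDR_LEN;
    if (d->has_addr)
        memcpy(msg->msg_name, d->addr, SOCKADDR_LEN);
}

/* Fixed shape: a non-zero msg_namelen is only ever reported for bytes this
 * handler actually wrote into msg_name. */
static void recvmsg_fixed(struct msghdr_model *msg, const struct dgram_model *d)
{
    if (d->has_addr) {
        memcpy(msg->msg_name, d->addr, SOCKADDR_LEN);
        msg->msg_namelen = SOCKADDR_LEN;
    } else {
        msg->msg_namelen = 0;
    }
}

/* Stand-in for the generic syscall tail: trusts the handler's length. */
static int deliver_name(const struct msghdr_model *msg, uint8_t *user_buf)
{
    if (msg->msg_namelen > 0)
        memcpy(user_buf, msg->msg_name, (size_t)msg->msg_namelen);
    return msg->msg_namelen;
}

/* One recvfrom()-style call. kstack_leftover is the constructed byte that a
 * previous syscall "left" in the name slot. Returns bytes copied to user. */
static int run_recv(handler_fn handler, int has_addr, uint8_t kstack_leftover,
                    uint8_t *user_buf)
{
    uint8_t name_slot[NAME_SLOT];
    memset(name_slot, kstack_leftover, sizeof name_slot);   /* stale stack */

    struct dgram_model d = { .has_addr = has_addr };
    memset(d.addr, 0x11, sizeof d.addr);                     /* real address */

    struct msghdr_model msg = { .msg_name = name_slot, .msg_namelen = 0 };
    handler(&msg, &d);
    return deliver_name(&msg, user_buf);
}

/* 1 if every byte handed to user space is the stale-stack marker. */
static int looks_like_leak(const uint8_t *user_buf, int n, uint8_t marker)
{
    for (int i = 0; i < n; i++)
        if (user_buf[i] != marker) return 0;
    return n > 0;
}

/* Single-call wrappers for the scenarios worth comparing. */
static int bytes_returned(handler_fn handler, int has_addr)
{
    uint8_t out[NAME_SLOT];
    return run_recv(handler, has_addr, 0xAA, out);
}

static int leaks_stale_stack(handler_fn handler, int has_addr)
{
    uint8_t out[NAME_SLOT];
    int n = run_recv(handler, has_addr, 0xAA, out);
    return looks_like_leak(out, n, 0xAA);
}

int main(void)
{
    printf("vulnerable, no address: %d bytes, leak=%d\n",
           bytes_returned(recvmsg_vulnerable, 0), leaks_stale_stack(recvmsg_vulnerable, 0));
    printf("fixed, no address:      %d bytes, leak=%d\n",
           bytes_returned(recvmsg_fixed, 0), leaks_stale_stack(recvmsg_fixed, 0));
    return 0;
}
```

Build with `cc -std=c11 -Wall leak_model.c` and run: on the no-address path the vulnerable handler hands 16 marker bytes to user space, while the fixed handler returns a zero-length name. The discipline the 3.12.4 change applies across the affected protocol families is the same one the fixed handler models: a handler that has not written msg_name must leave msg_namelen at zero, because the generic code has no other way to know which bytes of the caller's slot are initialized.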