CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In January 2014 (CVSS score >= 4)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
251 CVE-2013-7140 2014-01-26 2017-08-29
4.0
None Remote Low ??? Partial None None
XML External Entity (XXE) vulnerability in the CalDAV interface in Open-Xchange (OX) AppSuite 7.4.1 and earlier allows remote authenticated users to read portions of arbitrary files via vectors related to the SAX builder and the WebDAV interface. NOTE: this issue has been labeled as both absolute path traversal and XXE, but the root cause may be XXE, since XXE can be exploited to conduct absolute path traversal and other attacks.
252 CVE-2013-7139 89 Exec Code Sql 2014-01-09 2014-01-10
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in download.php in Horizon Quick Content Management System (QCMS) 4.0 and earlier allows remote to execute arbitrary SQL commands via the category parameter.
253 CVE-2013-7138 22 Dir. Trav. 2014-01-09 2014-06-27
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in lib/functions/d-load.php in Horizon Quick Content Management System (QCMS) 4.0 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the start parameter.
254 CVE-2013-7137 287 1 +Priv Bypass 2014-01-26 2022-04-06
7.5
None Remote Low Not required Partial Partial Partial
The "remember me" functionality in login.php in Burden before 1.8.1 allows remote attackers to bypass authentication and gain privileges by setting the burden_user_rememberme cookie to 1.
255 CVE-2013-7135 264 2014-01-28 2014-02-21
7.2
None Local Low Not required Complete Complete Complete
The Proc::Daemon module 0.14 for Perl uses world-writable permissions for a file that stores a process ID, which allows local users to have an unspecified impact by modifying this file.
256 CVE-2013-7108 20 DoS +Info 2014-01-15 2018-12-25
5.5
None Remote Low ??? Partial None Partial
Multiple off-by-one errors in Nagios Core 3.5.1, 4.0.2, and earlier, and Icinga before 1.8.5, 1.9 before 1.9.4, and 1.10 before 1.10.2 allow remote authenticated users to obtain sensitive information from process memory or cause a denial of service (crash) via a long string in the last key value in the variable list to the process_cgivars function in (1) avail.c, (2) cmd.c, (3) config.c, (4) extinfo.c, (5) histogram.c, (6) notifications.c, (7) outages.c, (8) status.c, (9) statusmap.c, (10) summary.c, and (11) trends.c in cgi/, which triggers a heap-based buffer over-read.
257 CVE-2013-7107 352 Bypass CSRF 2014-01-15 2014-03-06
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in cmd.cgi in Icinga 1.8.5, 1.9.4, 1.10.2, and earlier allows remote attackers to hijack the authentication of users for unspecified commands via unspecified vectors, as demonstrated by bypassing authentication requirements for CVE-2013-7106.
258 CVE-2013-7106 119 DoS Exec Code Overflow 2014-01-15 2014-02-25
6.5
None Remote Low ??? Partial Partial Partial
Multiple stack-based buffer overflows in Icinga before 1.8.5, 1.9 before 1.9.4, and 1.10 before 1.10.2 allow remote authenticated users to cause a denial of service (crash) and possibly execute arbitrary code via a long string to the (1) display_nav_table, (2) page_limit_selector, (3) print_export_link, or (4) page_num_selector function in cgi/cgiutils.c; (5) status_page_num_selector function in cgi/status.c; or (6) display_command_expansion function in cgi/config.c. NOTE: this can be exploited without authentication by leveraging CVE-2013-7107.
259 CVE-2013-7097 22 Dir. Trav. 2014-01-08 2014-02-25
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in 7 Media Web Solutions eduTrac before 1.1.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the showmask parameter to installer/overview.php.
260 CVE-2013-6997 79 XSS 2014-01-09 2018-10-09
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Open-Xchange (OX) AppSuite 7.4.0 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) an HTML email with crafted CSS code containing wildcards or (2) office documents containing "crafted hyperlinks with script URL handlers."
261 CVE-2013-6993 79 XSS 2014-01-03 2018-10-09
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Ad-minister plugin 0.6 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the key parameter in a delete action to wp-admin/tools.php.
262 CVE-2013-6992 352 XSS CSRF 2014-01-03 2018-10-09
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in askapache-firefox-adsense.php in the AskApache Firefox Adsense plugin 3.0 and earlier for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the aafireadcode parameter to wp-admin/options-general.php.
263 CVE-2013-6991 79 XSS 2014-01-03 2018-10-09
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the WP-Cron Dashboard plugin 1.1.5 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the procname parameter to wp-admin/tools.php.
264 CVE-2013-6982 20 DoS 2014-01-08 2017-08-29
4.3
None Remote Medium Not required None None Partial
The BGP implementation in Cisco NX-OS 6.2(2a) and earlier does not properly handle the interaction of UPDATE messages with IPv6, VPNv4, and VPNv6 labeled unicast-address families, which allows remote attackers to cause a denial of service (peer reset) via a crafted message, aka Bug ID CSCuj03174.
265 CVE-2013-6974 79 XSS 2014-01-10 2016-09-09
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the web interface in Cisco Secure Access Control System (ACS) allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka Bug ID CSCud89431.
266 CVE-2013-6955 264 Exec Code 2014-01-09 2014-01-10
10.0
None Remote Low Not required Complete Complete Complete
webman/imageSelector.cgi in Synology DiskStation Manager (DSM) 4.0 before 4.0-2259, 4.2 before 4.2-3243, and 4.3 before 4.3-3810 Update 1 allows remote attackers to append data to arbitrary files, and consequently execute arbitrary code, via a pathname in the SLICEUPLOAD X-TMP-FILE HTTP header.
267 CVE-2013-6954 DoS 2014-01-12 2018-01-05
5.0
None Remote Low Not required None None Partial
The png_do_expand_palette function in libpng before 1.6.8 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via (1) a PLTE chunk of zero bytes or (2) a NULL palette, related to pngrtran.c and pngset.c.
268 CVE-2013-6953 200 +Info 2014-01-03 2014-02-25
5.0
None Remote Low Not required Partial None None
BlogEngine.NET 2.8.0.0 and earlier allows remote attackers to read usernames and password hashes via a request for the sioc.axd file.
269 CVE-2013-6934 189 DoS Exec Code Overflow 2014-01-23 2019-09-12
7.5
None Remote Low Not required Partial Partial Partial
The parseRTSPRequestString function in Live Networks Live555 Streaming Media 2013.11.26, as used in VideoLAN VLC Media Player, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a space character at the beginning of an RTSP message, which triggers an integer underflow, infinite loop, and buffer overflow. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-6933.
270 CVE-2013-6933 119 DoS Exec Code Overflow 2014-01-23 2019-09-12
7.5
None Remote Low Not required Partial Partial Partial
The parseRTSPRequestString function in Live Networks Live555 Streaming Media 2011.08.13 through 2013.11.25, as used in VideoLAN VLC Media Player, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a (1) space or (2) tab character at the beginning of an RTSP message, which triggers an integer underflow, infinite loop, and buffer overflow.
271 CVE-2013-6931 89 Exec Code Sql 2014-01-29 2014-02-21
6.5
None Remote Low ??? Partial Partial Partial
SQL injection vulnerability in the API in Cybozu Garoon 3.7.x before 3.7.3 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, a different vulnerability than CVE-2013-6929.
272 CVE-2013-6930 89 Exec Code Sql 2014-01-29 2014-02-21
6.5
None Remote Low ??? Partial Partial Partial
SQL injection vulnerability in the page-navigation implementation in Cybozu Garoon 2.0.0 through 2.0.6, 2.1.0 through 2.1.3, 2.5.0 through 2.5.4, 3.0.0 through 3.0.3, 3.5.0 through 3.5.5, and 3.7.x before 3.7.3 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, a different vulnerability than CVE-2013-6929.
273 CVE-2013-6923 79 1 XSS 2014-01-09 2017-08-29
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Seagate BlackArmor NAS 220 devices with firmware sg2000-2000.1331 allow remote attackers to inject arbitrary web script or HTML via the (1) fullname parameter to admin/access_control_user_edit.php or (2) workname parameter to admin/network_workgroup_domain.php.
274 CVE-2013-6922 352 1 CSRF 2014-01-21 2014-01-22
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in the Seagate BlackArmor NAS 220 devices with firmware sg2000-2000.1331 allow remote attackers to hijack the authentication of administrators for requests that (1) add user accounts via a crafted request to admin/access_control_user_add.php; (2) modify or (3) delete user accounts; (4) perform a factory reset; (5) perform a device reboot; or (6) add, (7) modify, or (8) delete shares and volumes.
275 CVE-2013-6888 Exec Code 2014-01-07 2017-08-29
7.5
None Remote Low Not required Partial Partial Partial
Uscan in devscripts before 2.13.9 allows remote attackers to execute arbitrary code via a crafted tarball.
276 CVE-2013-6884 255 1 +Priv 2014-01-07 2014-02-25
10.0
None Remote Low Not required Complete Complete Complete
The write-blocker in CRU Ditto Forensic FieldStation with firmware before 2013Oct15a has a default "ditto" username and password, which allows remote attackers to gain privileges.
277 CVE-2013-6881 78 1 Exec Code 2014-01-07 2014-02-25
10.0
None Remote Low Not required Complete Complete Complete
CRU Ditto Forensic FieldStation with firmware before 2013Oct15a allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) sector size or (2) skip count fields for the forensic imaging task.
278 CVE-2013-6872 89 1 Exec Code Sql 2014-01-21 2015-07-28
6.5
None Remote Low ??? Partial Partial Partial
SQL injection vulnerability in managetimetracker.php in Collabtive before 1.2 allows remote authenticated users to execute arbitrary SQL commands via the id parameter in a projectpdf action.
279 CVE-2013-6853 79 XSS 2014-01-26 2021-09-22
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in clickstream.js in Y! Toolbar plugin for FireFox 3.1.0.20130813024103 for Mac, and 2.5.9.2013418100420 for Windows, allows remote attackers to inject arbitrary web script or HTML via a crafted URL that is stored by the victim.
280 CVE-2013-6838 310 +Priv 2014-01-28 2014-01-31
10.0
None Remote Low Not required Complete Complete Complete
An unspecified Enghouse Interactive Professional Services "addon product" in Enghouse Interactive IVR Pro (VIP2000) 9.0.3 (rel903), when using OpenVZ and fallback customization, uses the same SSH private key across different customers' installations, which allows remote attackers to gain privileges by leveraging knowledge of this key.
281 CVE-2013-6786 79 XSS Bypass 2014-01-16 2014-01-17
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Allegro RomPager before 4.51, as used on the ZyXEL P660HW-D1, Huawei MT882, Sitecom WL-174, TP-LINK TD-8816, and D-Link DSL-2640R and DSL-2641R, when the "forbidden author header" protection mechanism is bypassed, allows remote attackers to inject arbitrary web script or HTML by requesting a nonexistent URI in conjunction with a crafted HTTP Referer header that is not properly handled in a 404 page. NOTE: there is no CVE for a "URL redirection" issue that some sources list separately.
282 CVE-2013-6749 119 Exec Code Overflow 2014-01-29 2017-08-29
7.5
None Remote Low Not required Partial Partial Partial
Buffer overflow in the ActiveX control in qp2.cab in IBM Lotus Quickr for Domino 8.5.1 before 8.5.1.42-001b allows remote attackers to execute arbitrary code via a crafted HTML document, a different vulnerability than CVE-2013-6748.
283 CVE-2013-6748 119 Exec Code Overflow 2014-01-29 2017-08-29
7.5
None Remote Low Not required Partial Partial Partial
Buffer overflow in the ActiveX control in qp2.cab in IBM Lotus Quickr for Domino 8.5.1 before 8.5.1.42-001b allows remote attackers to execute arbitrary code via a crafted HTML document, a different vulnerability than CVE-2013-6749.
284 CVE-2013-6747 20 DoS 2014-01-27 2017-08-29
7.1
None Remote Medium Not required None None Complete
IBM GSKit 7.x before 7.0.4.48 and 8.x before 8.0.50.16, as used in IBM Security Directory Server (ISDS) and Tivoli Directory Server (TDS), allows remote attackers to cause a denial of service (application crash or hang) via a malformed X.509 certificate chain.
285 CVE-2013-6746 79 XSS 2014-01-22 2017-08-29
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in FileNet P8 Platform Documentation Installable Info Center 4.5.1 through 5.2.0 in IBM FileNet Business Process Manager 4.5.1 through 5.1.0, FileNet Content Manager 4.5.1 through 5.2.0, and Case Foundation 5.2.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
286 CVE-2013-6727 264 +Info 2014-01-31 2017-08-29
5.0
None Remote Low Not required Partial None None
The Connect client in IBM Sametime 8.5.2 through 8.5.2.1 and 9.0 before HF1 does not properly restrict unsigned Java plugins, which allows remote attackers to obtain sensitive information via unspecified vectors.
287 CVE-2013-6687 255 2014-01-16 2014-01-17
4.0
None Remote Low ??? Partial None None
The web portal in the Enterprise License Manager component in Cisco WebEx Meetings Server allows remote authenticated users to discover the cleartext administrative password by reading HTML source code, aka Bug ID CSCul33876.
288 CVE-2013-6650 20 DoS Mem. Corr. 2014-01-28 2018-10-30
7.5
None Remote Low Not required Partial Partial Partial
The StoreBuffer::ExemptPopularPages function in store-buffer.cc in Google V8 before 3.22.24.16, as used in Google Chrome before 32.0.1700.102, allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via vectors that trigger incorrect handling of "popular pages."
289 CVE-2013-6649 399 DoS 2014-01-28 2018-10-30
7.5
None Remote Low Not required Partial Partial Partial
Use-after-free vulnerability in the RenderSVGImage::paint function in core/rendering/svg/RenderSVGImage.cpp in Blink, as used in Google Chrome before 32.0.1700.102, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving a zero-size SVG image.
290 CVE-2013-6646 416 DoS 2014-01-16 2020-08-26
7.5
None Remote Low Not required Partial Partial Partial
Use-after-free vulnerability in the Web Workers implementation in Google Chrome before 32.0.1700.76 on Windows and before 32.0.1700.77 on Mac OS X and Linux allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the shutting down of a worker process.
291 CVE-2013-6645 416 DoS 2014-01-16 2020-08-28
6.8
None Remote Medium Not required Partial Partial Partial
Use-after-free vulnerability in the OnWindowRemovingFromRootWindow function in content/browser/web_contents/web_contents_view_aura.cc in Google Chrome before 32.0.1700.76 on Windows and before 32.0.1700.77 on Mac OS X and Linux allows user-assisted remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving certain print-preview and tab-switch actions that interact with a speech input element.
292 CVE-2013-6644 416 DoS 2014-01-16 2020-08-28
7.5
None Remote Low Not required Partial Partial Partial
Multiple unspecified vulnerabilities in Google Chrome before 32.0.1700.76 on Windows and before 32.0.1700.77 on Mac OS X and Linux allow attackers to cause a denial of service or possibly have other impact via unknown vectors.
293 CVE-2013-6643 287 2014-01-16 2020-08-26
7.5
None Remote Low Not required Partial Partial Partial
The OneClickSigninBubbleView::WindowClosing function in browser/ui/views/sync/one_click_signin_bubble_view.cc in Google Chrome before 32.0.1700.76 on Windows and before 32.0.1700.77 on Mac OS X and Linux allows attackers to trigger a sync with an arbitrary Google account by leveraging improper handling of the closing of an untrusted signin confirm dialog.
294 CVE-2013-6642 2014-01-16 2014-02-25
5.0
None Remote Low Not required None Partial None
Google Chrome through 32.0.1700.23 on Android allows remote attackers to spoof the address bar via unspecified vectors.
295 CVE-2013-6641 416 DoS 2014-01-16 2020-08-27
7.5
None Remote Low Not required Partial Partial Partial
Use-after-free vulnerability in the FormAssociatedElement::formRemovedFromTree function in core/html/FormAssociatedElement.cpp in Blink, as used in Google Chrome before 32.0.1700.76 on Windows and before 32.0.1700.77 on Mac OS X and Linux, allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging improper handling of the past names map of a FORM element.
296 CVE-2013-6467 DoS 2014-01-26 2017-08-29
5.0
None Remote Low Not required None None Partial
Libreswan 3.7 and earlier allows remote attackers to cause a denial of service (NULL pointer dereference and IKE daemon restart) via IKEv2 packets that lack expected payloads.
297 CVE-2013-6466 DoS 2014-01-26 2019-07-29
5.0
None Remote Low Not required None None Partial
Openswan 2.6.39 and earlier allows remote attackers to cause a denial of service (NULL pointer dereference and IKE daemon restart) via IKEv2 packets that lack expected payloads.
298 CVE-2013-6462 119 DoS Exec Code Overflow 2014-01-09 2017-08-29
9.3
None Remote Medium Not required Complete Complete Complete
Stack-based buffer overflow in the bdfReadCharacters function in bitmap/bdfread.c in X.Org libXfont 1.1 through 1.4.6 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string in a character name in a BDF font file.
299 CVE-2013-6458 362 DoS 2014-01-24 2015-01-03
6.8
None Local Network High Not required Complete Complete Complete
Multiple race conditions in the (1) virDomainBlockStats, (2) virDomainGetBlockInf, (3) qemuDomainBlockJobImpl, and (4) virDomainGetBlockIoTune functions in libvirt before 1.2.1 do not properly verify that the disk is attached, which allows remote read-only attackers to cause a denial of service (libvirtd crash) via the virDomainDetachDeviceFlags command.
300 CVE-2013-6457 264 DoS Exec Code 2014-01-24 2015-01-03
5.2
None Local Network Low ??? Partial Partial Partial
The libxlDomainGetNumaParameters function in the libxl driver (libxl/libxl_driver.c) in libvirt before 1.2.1 does not properly initialize the nodemap, which allows local users to cause a denial of service (invalid free operation and crash) or possibly execute arbitrary code via an inactive domain to the virsh numatune command.
Total number of vulnerabilities : 482   Page : 1 2 3 4 5 6 (This Page)7 8 9 10
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.