Weekly Vulnerabilities Reports > March 25 to 31, 2013
Overview
88 new vulnerabilities were reported during this period, including 6 critical vulnerabilities and 15 high severity vulnerabilities. This weekly summary reports vulnerabilities in 86 products from 47 vendors including Drupal, IBM, Devsaran, Cisco, and Moodle. The vulnerabilities are notably categorized as "Cross-site Scripting", "Permissions, Privileges, and Access Controls", "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Information Exposure", and "Cross-Site Request Forgery (CSRF)".
- 83 reported vulnerabilities are remotely exploitable.
- 3 reported vulnerabilities have a public exploit available.
- 37 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 58 reported vulnerabilities are exploitable by an anonymous user.
- Drupal has the most reported vulnerabilities, with 29 reported vulnerabilities.
- Novell has the most reported critical vulnerabilities, with 3 reported vulnerabilities.
Vulnerability Details
The following tables list the reported vulnerabilities for the period covered by this report:
6 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2013-03-29 | CVE-2013-1083 | Novell | Unspecified vulnerability in Novell Identity Manager Roles Based Provisioning Module 4.0.2 Unspecified vulnerability in the login functionality in the Reporting Module in Novell Identity Manager (aka IDM) Roles Based Provisioning Module 4.0.2 before Field Patch C has unknown impact and attack vectors. | 10.0 |
2013-03-29 | CVE-2013-1080 | Novell | Improper Authentication vulnerability in Novell Zenworks Configuration Management 10.3/11.2 The web server in Novell ZENworks Configuration Management (ZCM) 10.3 and 11.2 before 11.2.4 does not properly perform authentication for zenworks/jsp/index.jsp, which allows remote attackers to conduct directory traversal attacks, and consequently upload and execute arbitrary programs, via a request to TCP port 443. | 10.0 |
2013-03-27 | CVE-2013-0318 | Banckle Chat Project Drupal | Permissions, Privileges, and Access Controls vulnerability in Banckle Chat Project Banckle Chat The admin page in the Banckle Chat module for Drupal does not properly restrict access, which allows remote attackers to bypass intended restrictions via unspecified vectors. | 10.0 |
2013-03-29 | CVE-2013-1085 | Novell | Buffer Errors vulnerability in Novell Groupwise Messenger and Messenger Stack-based buffer overflow in the nim: protocol handler in Novell GroupWise Messenger 2.04 and earlier, and Novell Messenger 2.1.x and 2.2.x before 2.2.2, allows remote attackers to execute arbitrary code via an import command containing a long string in the filename parameter. | 9.3 |
2013-03-28 | CVE-2013-2717 | EMC | Security vulnerability in EMC Smarts Network Configuration Manager 9.1/9.2 Multiple unspecified vulnerabilities in the System Management (aka SysAdmin) Console in EMC Smarts Network Configuration Manager (NCM) through 9.2 have unknown impact and attack vectors, a different issue than CVE-2013-0935. | 9.3 |
2013-03-28 | CVE-2013-0935 | EMC | Improper Authentication vulnerability in EMC Smarts Network Configuration Manager 9.1 EMC Smarts Network Configuration Manager (NCM) before 9.2 does not require authentication for all Java RMI method calls, which allows remote attackers to execute arbitrary code via unspecified vectors. | 9.3 |
15 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2013-03-27 | CVE-2013-0487 | IBM | Improper Authentication vulnerability in IBM Lotus Domino The Java Console in IBM Domino 8.5.x allows remote authenticated users to hijack temporary credentials by leveraging knowledge of configuration details, aka SPR KLYH8TNNDN. | 8.5 |
2013-03-28 | CVE-2012-5879 | Mcafee | Permissions, Privileges, and Access Controls vulnerability in Mcafee products An ActiveX control in McHealthCheck.dll in McAfee Virtual Technician (MVT) and ePO-MVT 6.5.0.2101 and earlier allows remote attackers to modify or create arbitrary files via a full pathname argument to the Save method. | 8.2 |
2013-03-28 | CVE-2013-1148 | Cisco | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Cisco IOS and IOS XE The General Responder implementation in the IP Service Level Agreement (SLA) feature in Cisco IOS 15.2 and IOS XE 3.1.xS through 3.4.xS before 3.4.5S and 3.5.xS through 3.7.xS before 3.7.2S allows remote attackers to cause a denial of service (device reload) via crafted (1) IPv4 or (2) IPv6 IP SLA packets on UDP port 1167, aka Bug ID CSCuc72594. | 7.8 |
2013-03-28 | CVE-2013-1147 | Cisco | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Cisco IOS The Protocol Translation (PT) functionality in Cisco IOS 12.3 through 12.4 and 15.0 through 15.3, when one-step port-23 translation or a Telnet-to-PAD ruleset is configured, does not properly validate TCP connection information, which allows remote attackers to cause a denial of service (device reload) via an attempted connection to a PT resource, aka Bug ID CSCtz35999. | 7.8 |
2013-03-28 | CVE-2013-1146 | Cisco | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Cisco IOS The Smart Install client functionality in Cisco IOS 12.2 and 15.0 through 15.3 on Catalyst switches allows remote attackers to cause a denial of service (device reload) via crafted image list parameters in Smart Install packets, aka Bug ID CSCub55790. | 7.8 |
2013-03-28 | CVE-2013-1145 | Cisco | Resource Management Errors vulnerability in Cisco IOS Memory leak in Cisco IOS 12.2, 12.4, 15.0, and 15.1, when Zone-Based Policy Firewall SIP application layer gateway inspection is enabled, allows remote attackers to cause a denial of service (memory consumption or device reload) via malformed SIP messages, aka Bug ID CSCtl99174. | 7.8 |
2013-03-28 | CVE-2013-1144 | Cisco | Resource Management Errors vulnerability in Cisco IOS 15.1 Memory leak in the IKEv1 implementation in Cisco IOS 15.1 allows remote attackers to cause a denial of service (memory consumption) via unspecified (1) IPv4 or (2) IPv6 IKE packets, aka Bug ID CSCth81055. | 7.8 |
2013-03-28 | CVE-2013-1142 | Cisco | Race Condition vulnerability in Cisco IOS Race condition in the VRF-aware NAT feature in Cisco IOS 12.2 through 12.4 and 15.0 through 15.2 allows remote attackers to cause a denial of service (memory consumption) via IPv4 packets, aka Bug IDs CSCtg47129 and CSCtz96745. | 7.8 |
2013-03-28 | CVE-2013-2266 | ISC | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in ISC Bind libdns in ISC BIND 9.7.x and 9.8.x before 9.8.4-P2, 9.8.5 before 9.8.5b2, 9.9.x before 9.9.2-P2, and 9.9.3 before 9.9.3b2 on UNIX platforms allows remote attackers to cause a denial of service (memory consumption) via a crafted regular expression, as demonstrated by a memory-exhaustion attack against a machine running a named process. | 7.8 |
2013-03-29 | CVE-2013-1082 | Novell | Path Traversal vulnerability in Novell Zenworks Mobile Management 2.6.1 Directory traversal vulnerability in DUSAP.php in Novell ZENworks Mobile Management before 2.7.1 allows remote attackers to include and execute arbitrary local files via the language parameter. | 7.5 |
2013-03-28 | CVE-2013-2690 | Synchroweb | SQL Injection vulnerability in Synchroweb Synconnect 2.0 SQL injection vulnerability in index.php in Synchroweb Technology SynConnect 2.0 allows remote attackers to execute arbitrary SQL commands via the loginid parameter in a logoff action. | 7.5 |
2013-03-28 | CVE-2013-1492 | Mysql Oracle | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products Buffer overflow in yaSSL, as used in MySQL 5.1.x before 5.1.68 and 5.5.x before 5.5.30, has unspecified impact and attack vectors, a different vulnerability than CVE-2012-0553. | 7.5 |
2013-03-28 | CVE-2012-0553 | Mysql Oracle | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products Buffer overflow in yaSSL, as used in MySQL 5.1.x before 5.1.68 and 5.5.x before 5.5.28, has unspecified impact and attack vectors, a different vulnerability than CVE-2013-1492. | 7.5 |
2013-03-29 | CVE-2013-0513 | IBM | Local Privilege Escalation vulnerability in Multiple IBM Products IBM Security AppScan Enterprise 5.6 and 8.x before 8.7 and IBM Rational Policy Tester 5.6 and 8.x before 8.5.0.4 create a service that lacks " (double quote) characters in the service path, which allows local users to gain privileges via a Trojan horse program, related to an "Unquoted Service Path Enumeration" vulnerability. | 7.2 |
2013-03-28 | CVE-2013-1143 | Cisco | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Cisco IOS and IOS XE The RSVP protocol implementation in Cisco IOS 12.2 and 15.0 through 15.2 and IOS XE 3.1.xS through 3.4.xS before 3.4.5S and 3.5.xS through 3.7.xS before 3.7.2S, when MPLS-TE is enabled, allows remote attackers to cause a denial of service (incorrect memory access and device reload) via a traffic engineering PATH message in an RSVP packet, aka Bug ID CSCtg39957. | 7.1 |
48 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2013-03-29 | CVE-2013-1079 | Novell | Path Traversal vulnerability in Novell Zenworks Configuration Management Directory traversal vulnerability in the ISCreateObject method in an ActiveX control in InstallShield\ISProxy.dll in AdminStudio in Novell ZENworks Configuration Management (ZCM) 10.3 through 11.2 allows remote attackers to execute arbitrary local DLL files via a crafted web page that also calls the Initialize method. | 6.8 |
2013-03-29 | CVE-2013-0532 | IBM | Cross-Site Request Forgery (CSRF) vulnerability in IBM Rational Policy Tester and Security Appscan Cross-site request forgery (CSRF) vulnerability in IBM Security AppScan Enterprise 5.6 and 8.x before 8.7 and IBM Rational Policy Tester 5.6 and 8.x before 8.5.0.4 allows remote attackers to hijack the authentication of arbitrary users for requests that cause a denial of service via malformed HTTP data. | 6.8 |
2013-03-29 | CVE-2013-0452 | IBM | Cross-Site Request Forgery (CSRF) vulnerability in IBM Software USE Analysis and Tivoli Endpoint Manager Cross-site request forgery (CSRF) vulnerability in the Software Use Analysis (SUA) application before 1.3.3 in IBM Tivoli Endpoint Manager 8.2 allows remote attackers to hijack the authentication of arbitrary users via a web site that contains crafted Flash Action Message Format (AMF) messages. | 6.8 |
2013-03-28 | CVE-2012-5216 | HP | Cross-Site Request Forgery (CSRF) vulnerability in HP products Cross-site request forgery (CSRF) vulnerability on HP ProCurve 1700-8 (aka J9079A) switches with software before VA.02.09 and 1700-24 (aka J9080A) switches with software before VB.02.09 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. | 6.8 |
2013-03-27 | CVE-2013-0258 | Google Authenticator Login Project Drupal | Improper Authentication vulnerability in Google Authenticator Login Project GA Login 7.X1.0/7.X1.1/7.X1.2 The Google Authenticator login (ga_login) module 7.x before 7.x-1.3 for Drupal, when multi-factor authentication is enabled, allows remote attackers to bypass authentication for accounts without an associated Google Authenticator token by logging in with the username. | 6.8 |
2013-03-26 | CVE-2013-1609 | Symantec | Local Privilege Escalation vulnerability in Symantec Enterprise Vault for File System Archiving 10.0.0 Multiple unquoted Windows search path vulnerabilities in the (1) File Collector and (2) File PlaceHolder services in Symantec Enterprise Vault (EV) for File System Archiving before 9.0.4 and 10.x before 10.0.1 allow local users to gain privileges via a Trojan horse program. | 6.8 |
2013-03-26 | CVE-2013-1608 | Symantec | Path Traversal vulnerability in Symantec Netbackup Appliance 2.0.0 Directory traversal vulnerability in the Management Console on the Symantec NetBackup (NBU) appliance 2.0.x allows remote attackers to read arbitrary files via unspecified vectors. | 6.7 |
2013-03-29 | CVE-2013-0511 | IBM | SQL Injection vulnerability in IBM Security Appscan Multiple SQL injection vulnerabilities in IBM Security AppScan Enterprise 5.6 and 8.x before 8.7 allow remote authenticated users to execute arbitrary SQL commands via unspecified parameters. | 6.5 |
2013-03-25 | CVE-2013-1836 | Moodle | Permissions, Privileges, and Access Controls vulnerability in Moodle Moodle 2.x through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 does not properly manage privileges for WebDAV repositories, which allows remote authenticated users to read, modify, or delete arbitrary site-wide repositories by leveraging certain read access. | 6.5 |
2013-03-27 | CVE-2013-1859 | Chris Desautels Drupal | Permissions, Privileges, and Access Controls vulnerability in Chris Desautels Node Parameter Control 6.X1.0 The Node Parameter Control module 6.x-1.x for Drupal does not properly restrict access to the configuration options, which allows remote attackers to read and edit configuration options via unspecified vectors. | 6.4 |
2013-03-26 | CVE-2013-1161 | Cisco | Improper Input Validation vulnerability in Cisco Jabber IM The XML parser in the Cisco Jabber IM application for Android allows remote authenticated users to cause a denial of service (blocked connection) by leveraging an entry on a Buddy list and sending a crafted XMPP presence update message, aka Bug ID CSCue38383. | 6.3 |
2013-03-27 | CVE-2013-0489 | IBM | Cross-Site Request Forgery (CSRF) vulnerability in IBM Lotus Domino Cross-site request forgery (CSRF) vulnerability in webadmin.nsf (aka the Web Administrator client) in IBM Domino 8.5.x allows remote authenticated users to hijack the authentication of administrators. | 6.0 |
2013-03-29 | CVE-2013-1299 | Microsoft | Spoofing vulnerability in Microsoft Windows Modern Mail Microsoft Windows Modern Mail allows remote attackers to spoof link targets via a crafted HTML e-mail message. | 5.8 |
2013-03-29 | CVE-2013-0130 | Coreftp | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Coreftp Multiple buffer overflows in Core FTP before 2.2 build 1769 allow remote FTP servers to execute arbitrary code or cause a denial of service (application crash) via a long directory name in a (1) DELE, (2) LIST, or (3) VIEW command. | 5.1 |
2013-03-27 | CVE-2013-0320 | Mattias Hutterer Drupal | Cross-Site Request Forgery (CSRF) vulnerability in Mattias Hutterer Taxonomy Manager Cross-site request forgery (CSRF) vulnerability in the Taxonomy Manager (taxonomy_manager) module 6.x-2.x before 6.x-2.2 and 7.x-1.x before 7.x-1.0-rc1 for Drupal allows remote attackers to hijack the authentication of users with 'administer taxonomy' permissions via unspecified vectors. | 5.1 |
2013-03-28 | CVE-2013-1861 | Mariadb Oracle Redhat Debian Canonical Suse Opensuse | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products MariaDB 5.5.x before 5.5.30, 5.3.x before 5.3.13, 5.2.x before 5.2.15, and 5.1.x before 5.1.68, and Oracle MySQL 5.1.69 and earlier, 5.5.31 and earlier, and 5.6.11 and earlier allows remote attackers to cause a denial of service (crash) via a crafted geometry feature that specifies a large number of points, which is not properly handled when processing the binary representation of this feature, related to a numeric calculation error. | 5.0 |
2013-03-27 | CVE-2013-0316 | Drupal | Resource Management Errors vulnerability in Drupal The Image module in Drupal 7.x before 7.20 allows remote attackers to cause a denial of service (CPU and disk space consumption) via a large number of new derivative requests. | 5.0 |
2013-03-27 | CVE-2013-0257 | David Alkire Drupal | Permissions, Privileges, and Access Controls vulnerability in David Alkire Email2Image 6.X1.X/6.X2.X The email2image module 6.x-1.x and 6.x-2.x for Drupal does not properly restrict access to nodes, which allows remote attackers to read images of user email addresses and email fields. | 5.0 |
2013-03-27 | CVE-2013-0182 | Bart Feenstra Drupal | Permissions, Privileges, and Access Controls vulnerability in Bart Feenstra Payment The Payment module 7.x-1.x before 7.x-1.3 for Drupal does not properly restrict access to payments, which allows remote attackers to read arbitrary payments. | 5.0 |
2013-03-27 | CVE-2013-2300 | PM9 | Permissions, Privileges, and Access Controls vulnerability in PM9 Flickwnn The FlickWnn (aka OpenWnn/Flick support) application 2.02 and earlier for Android uses weak permissions for unspecified files, which allows attackers to obtain sensitive information via an application that accesses the local filesystem. | 5.0 |
2013-03-27 | CVE-2013-0720 | COB S Products | Permissions, Privileges, and Access Controls vulnerability in Cob'S products Cobime 0.9.2/0.9.3 The COBIME application before 0.9.4 for Android uses weak permissions for unspecified files, which allows attackers to obtain sensitive information via an application that accesses the local filesystem. | 5.0 |
2013-03-27 | CVE-2013-0719 | Codedesign | Permissions, Privileges, and Access Controls vulnerability in Codedesign Artime Japanese Input 1.1.2 The ArtIME Japanese Input application 1.1.2 and earlier for Android uses weak permissions for unspecified files, which allows attackers to obtain sensitive information via an application that accesses the local filesystem. | 5.0 |
2013-03-27 | CVE-2013-0718 | Simeji | Permissions, Privileges, and Access Controls vulnerability in Simeji 4.8 The Simeji application 4.8.1 and earlier for Android uses weak permissions for unspecified files, which allows attackers to obtain sensitive information via an application that accesses the local filesystem. | 5.0 |
2013-03-26 | CVE-2013-1162 | Cisco | Improper Input Validation vulnerability in Cisco IOS XR The traffic engineering (TE) processing subsystem in Cisco IOS XR allows remote attackers to cause a denial of service (process restart) via crafted TE packets, aka Bug ID CSCue04000. | 5.0 |
2013-03-25 | CVE-2013-1831 | Moodle | Information Exposure vulnerability in Moodle lib/setuplib.php in Moodle through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 allows remote attackers to obtain sensitive information via an invalid request, which reveals the absolute path in an exception message. | 5.0 |
2013-03-25 | CVE-2013-1830 | Fedoraproject Moodle | Permissions, Privileges, and Access Controls vulnerability in multiple products user/view.php in Moodle through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 does not enforce the forceloginforprofiles setting, which allows remote attackers to obtain sensitive course-profile information by leveraging the guest role, as demonstrated by a Google search. | 5.0 |
2013-03-28 | CVE-2013-2494 | ISC | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in ISC Dhcp libdns in ISC DHCP 4.2.x before 4.2.5-P1 allows remote name servers to cause a denial of service (memory consumption) via vectors involving a regular expression, as demonstrated by a memory-exhaustion attack against a machine running a dhcpd process, a related issue to CVE-2013-2266. | 4.9 |
2013-03-29 | CVE-2013-2301 | Omron | Permissions, Privileges, and Access Controls vulnerability in Omron Openwnn The OMRON OpenWnn application before 1.3.6 for Android uses weak permissions for unspecified files, which allows attackers to obtain sensitive information via an application that accesses the local filesystem. | 4.3 |
2013-03-29 | CVE-2013-0512 | IBM | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in IBM Rational Policy Tester and Security Appscan Stack-based buffer overflow in the Manual Explore browser plug-in for Firefox in IBM Security AppScan Enterprise 5.6 and 8.x before 8.7 and IBM Rational Policy Tester 5.6 and 8.x before 8.5.0.4 allows remote attackers to cause a denial of service (plug-in crash) via a crafted web page. | 4.3 |
2013-03-29 | CVE-2013-0510 | IBM | Permissions, Privileges, and Access Controls vulnerability in IBM Security Appscan IBM Security AppScan Enterprise 5.6 and 8.x before 8.7 includes a security test that sends session cookies to a specific external server, which allows man-in-the-middle attackers to hijack the test account by capturing these cookies. | 4.3 |
2013-03-29 | CVE-2013-0474 | IBM | Information Exposure vulnerability in IBM Rational Policy Tester and Security Appscan The Manual Explore browser plug-in in IBM Security AppScan Enterprise 5.6 and 8.x before 8.7 and IBM Rational Policy Tester 5.6 and 8.x before 8.5.0.4 allows remote attackers to discover test Platform Authentication credentials via a crafted web site. | 4.3 |
2013-03-29 | CVE-2013-0473 | IBM | Cross-Site Scripting vulnerability in IBM Rational Policy Tester and Security Appscan Multiple cross-site scripting (XSS) vulnerabilities in IBM Security AppScan Enterprise 5.6 and 8.x before 8.7 and IBM Rational Policy Tester 5.6 and 8.x before 8.5.0.4 allow remote attackers to inject arbitrary web script or HTML via a crafted report. | 4.3 |
2013-03-29 | CVE-2012-6534 | Novell | Permissions, Privileges, and Access Controls vulnerability in Novell Sentinel LOG Manager Novell Sentinel Log Manager before 1.2.0.3 allows remote attackers to create data retention policies via a crafted text/x-gwt-rpc request to novelllogmanager/datastorageservice.rpc, and allows remote authenticated Report Administrators to create data retention policies via a search-results "Save Query As" "Save As Retention Policy" action. | 4.3 |
2013-03-28 | CVE-2013-2290 | Arubanetworks | Cross-Site Scripting vulnerability in Arubanetworks Arubaos Cross-site scripting (XSS) vulnerability in the dashboard of the ArubaOS Administration WebUI in Aruba Networks ArubaOS 6.2.x before 6.2.0.3, 6.1.3.x before 6.1.3.7, 6.1.x-FIPS before 6.1.4.3-FIPS, and 6.1.x-AirGroup before 6.1.3.6-AirGroup, as used by Mobility Controller, allows remote wireless access points to inject arbitrary web script or HTML via a crafted SSID. | 4.3 |
2013-03-28 | CVE-2013-0936 | EMC | Cross-Site Scripting vulnerability in EMC products Cross-site scripting (XSS) vulnerability in EMC Smarts IP Manager, Smarts Service Assurance Manager, Smarts Server Manager, Smarts VoIP Availability Manager, Smarts Network Protocol Manager, and Smarts MPLS Manager before 9.2 allows remote attackers to inject arbitrary web script or HTML via a crafted URL. | 4.3 |
2013-03-27 | CVE-2013-0325 | Varnish Http Accelerator Integration Project Drupal | Cross-Site Scripting vulnerability in Varnish Http Accelerator Integration Project Varnish Multiple cross-site scripting (XSS) vulnerabilities in the Varnish module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.0-beta2 for Drupal allow remote attackers to inject arbitrary web script or HTML via crafted a (1) Watchdog message or (2) admin setting. | 4.3 |
2013-03-27 | CVE-2013-0323 | Display Suite Project Drupal | Cross-Site Scripting vulnerability in Display Suite Project DS Cross-site scripting (XSS) vulnerability in the Display Suite module 7.x-1.x before 7.x-1.7 and 7.x-2.x before 7.x-2.1 for Drupal allows remote attackers to inject arbitrary web script or HTML via the author field. | 4.3 |
2013-03-27 | CVE-2013-0322 | Ubercart Drupal | Cross-Site Scripting vulnerability in Ubercart Cross-site scripting (XSS) vulnerability in Views in the Ubercart module 7.x-3.x before 7.x-3.4 for Drupal allows remote attackers to inject arbitrary web script or HTML via the full name field. | 4.3 |
2013-03-27 | CVE-2013-0321 | Ubercart Views Project Drupal | Cross-Site Scripting vulnerability in Ubercart Views Project UC Views Cross-site scripting (XSS) vulnerability in Views in the Ubercart Views (uc_views) module 6.x before 6.x-3.3 for Drupal allows remote attackers to inject arbitrary web script or HTML via the full name field. | 4.3 |
2013-03-27 | CVE-2013-0319 | Yandex Metrics Project Drupal | Cross-Site Scripting vulnerability in Yandex.Metrics Project Yandex Metrics Cross-site scripting (XSS) vulnerability in the Yandex.Metrics module 6.x-1.x before 6.x-1.6 and 7.x-1.x before 7.x-1.5 for Drupal allows remote attackers to inject arbitrary web script or HTML via vectors related to the Yandex.Metrica service data. | 4.3 |
2013-03-27 | CVE-2013-0317 | JOE Haskins Drupal | Cross-Site Scripting vulnerability in JOE Haskins OG Manager Change 7.X2.0/7.X2.X Cross-site scripting (XSS) vulnerability in the Manager Change for Organic Groups (og_manager_change) module 7.x-2.x before 7.x-2.1 for Drupal might allow remote attackers to inject arbitrary web script or HTML via the username in the new manager autocomplete field. | 4.3 |
2013-03-27 | CVE-2013-0488 | IBM | Cross-Site Scripting vulnerability in IBM Lotus Domino Cross-site scripting (XSS) vulnerability in webadmin.nsf (aka the Web Administrator client) in IBM Domino 8.5.x allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2013-03-27 | CVE-2013-0486 | IBM | Resource Management Errors vulnerability in IBM Lotus Domino Memory leak in the HTTP server in IBM Domino 8.5.x allows remote attackers to cause a denial of service (memory consumption and daemon crash) via GET requests, aka SPR KLYH92NKZY. | 4.3 |
2013-03-26 | CVE-2012-5943 | IBM | Cross-Site Scripting vulnerability in IBM Lotus Inotes Cross-site scripting (XSS) vulnerability in IBM iNotes 8.5.x before 8.5.3 FP4 allows user-assisted remote attackers to inject arbitrary web script or HTML via vectors involving mail, aka SPR JDOE8ZZS9. | 4.3 |
2013-03-26 | CVE-2013-0454 | Canonical Samba IBM | Permissions, Privileges, and Access Controls vulnerability in multiple products The SMB2 implementation in Samba 3.6.x before 3.6.6, as used on the IBM Storwize V7000 Unified 1.3 before 1.3.2.3 and 1.4 before 1.4.0.1 and possibly other products, does not properly enforce CIFS share attributes, which allows remote authenticated users to (1) write to a read-only share; (2) trigger data-integrity problems related to the oplock, locking, coherency, or leases attribute; or (3) have an unspecified impact by leveraging incorrect handling of the browseable or "hide unreadable" parameter. | 4.0 |
2013-03-25 | CVE-2013-1834 | Moodle | Permissions, Privileges, and Access Controls vulnerability in Moodle notes/edit.php in Moodle 1.9.x through 1.9.19, 2.x through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 allows remote authenticated users to reassign notes via a modified (1) userid or (2) courseid field. | 4.0 |
2013-03-25 | CVE-2013-1832 | Moodle | Information Exposure vulnerability in Moodle repository/webdav/lib.php in Moodle 2.x through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 includes the WebDAV password in the configuration form, which allows remote authenticated administrators to obtain sensitive information by configuring an instance. | 4.0 |
2013-03-25 | CVE-2013-1829 | Moodle | Information Exposure vulnerability in Moodle 2.4.0/2.4.1 calendar/managesubscriptions.php in Moodle 2.4.x before 2.4.2 does not consider capability requirements before displaying calendar subscriptions, which allows remote authenticated users to obtain potentially sensitive information by leveraging the student role. | 4.0 |
19 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2013-03-25 | CVE-2013-1835 | Moodle | Information Exposure vulnerability in Moodle Moodle 2.x through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 allows remote authenticated administrators to obtain sensitive information from the external repositories of arbitrary users by leveraging the login_as feature. | 3.5 |
2013-03-25 | CVE-2013-1833 | Moodle | Cross-Site Scripting vulnerability in Moodle Multiple cross-site scripting (XSS) vulnerabilities in the File Picker module in Moodle 2.x through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 allow remote authenticated users to inject arbitrary web script or HTML via a crafted filename. | 3.5 |
2013-03-27 | CVE-2013-0181 | Thomas Seidl Drupal | Cross-Site Scripting vulnerability in Thomas Seidl Search API Cross-site scripting (XSS) vulnerability in Views in the Search API (search_api) module 7.x-1.x before 7.x-1.4 for Drupal, when using certain backends and facets, allows remote attackers to inject arbitrary web script or HTML via unspecified input, which is returned in an error message. | 2.6 |
2013-03-27 | CVE-2013-1887 | Views Project Drupal | Cross-Site Scripting vulnerability in Views Project Views Multiple cross-site scripting (XSS) vulnerabilities in the Views module 7.x-3.x before 7.x-3.6 for Drupal allow remote authenticated users with certain permissions to inject arbitrary web script or HTML via certain view configuration fields. | 2.1 |
2013-03-27 | CVE-2013-2715 | Thomas Seidl Drupal | Cross-Site Scripting vulnerability in Thomas Seidl Search API Cross-site scripting (XSS) vulnerability in the admin view in the Search API (search_api) module 7.x-1.x before 7.x-1.4 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via a crafted field name. | 2.1 |
2013-03-27 | CVE-2013-1787 | Devsaran Drupal | Cross-Site Scripting vulnerability in Devsaran Corporate Cross-site scripting (XSS) vulnerability in the 3 slide gallery in the Simple Corporate theme before 7.x-1.4 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via unspecified vectors. | 2.1 |
2013-03-27 | CVE-2013-1786 | Devsaran Drupal | Cross-Site Scripting vulnerability in Devsaran Company Cross-site scripting (XSS) vulnerability in the 3 slide gallery in the Company theme before 7.x-1.4 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via unspecified vectors. | 2.1 |
2013-03-27 | CVE-2013-1785 | Devsaran Drupal | Cross-Site Scripting vulnerability in Devsaran Responsive Cross-site scripting (XSS) vulnerability in the 3 slide gallery in the Premium Responsive theme before 7.x-1.6 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via unspecified vectors. | 2.1 |
2013-03-27 | CVE-2013-1784 | Devsaran Drupal | Cross-Site Scripting vulnerability in Devsaran Clean Theme 7.X1.0/7.X1.1/7.X1.2 Cross-site scripting (XSS) vulnerability in the 3 slide gallery in the Clean Theme before 7.x-1.3 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via unspecified vectors. | 2.1 |
2013-03-27 | CVE-2013-1783 | Devsaran Drupal | Cross-Site Scripting vulnerability in Devsaran Business Cross-site scripting (XSS) vulnerability in the 3 slide gallery in page--front.tpl.php in the Business theme before 7.x-1.8 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via unspecified vectors. | 2.1 |
2013-03-27 | CVE-2013-1782 | Devsaran Drupal | Cross-Site Scripting vulnerability in Devsaran Responsive Blog Cross-site scripting (XSS) vulnerability in the Responsive Blog Theme 7.x-1.x before 7.x-1.6 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via vectors related to social icons. | 2.1 |
2013-03-27 | CVE-2013-1781 | Devsaran Drupal | Cross-Site Scripting vulnerability in Devsaran Professional Theme Cross-site scripting (XSS) vulnerability in the 3 slide gallery in the Professional theme before 7.x-1.4 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via unspecified vectors. | 2.1 |
2013-03-27 | CVE-2013-1780 | Devsaran Drupal | Cross-Site Scripting vulnerability in Devsaran Best Responsive 7.X1.0 Cross-site scripting (XSS) vulnerability in the Best Responsive Theme 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via vectors related to social icons. | 2.1 |
2013-03-27 | CVE-2013-1779 | Devsaran Drupal | Cross-Site Scripting vulnerability in Devsaran Fresh Cross-site scripting (XSS) vulnerability in the 3 slide gallery in the Fresh theme before 7.x-1.4 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via unspecified vectors. | 2.1 |
2013-03-27 | CVE-2013-1778 | Devsaran Drupal | Cross-Site Scripting vulnerability in Devsaran Creative 7.X1.0/7.X1.1 Cross-site scripting (XSS) vulnerability in the Creative Theme 7.x-1.x before 7.x-1.2 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via vectors related to social icons. | 2.1 |
2013-03-27 | CVE-2013-0324 | Tomasbarej Drupal | Cross-Site Scripting vulnerability in Tomasbarej Menu Reference 7.X1.X Cross-site scripting (XSS) vulnerability in the Rendered links formatter in the Menu Reference module 7.x-1.x before 7.x-1.0 for Drupal allows remote authenticated users with the "Administer menus and menu items" permission to inject arbitrary web script or HTML via the menu link title. | 2.1 |
2013-03-27 | CVE-2013-0260 | Elliot Pahl Drupal | Unspecified vulnerability in Elliot Pahl Drush Debian Packaging Unspecified vulnerability in the Drush Debian Packaging module for Drupal allows local users to obtain database credentials via unknown vectors. | 2.1 |
2013-03-27 | CVE-2013-0259 | Boxes Project Drupal | Cross-Site Scripting vulnerability in Boxes Project Boxes 7.X1.0/7.X1.X Cross-site scripting (XSS) vulnerability in the Boxes module 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with administer or edit boxes permissions to inject arbitrary web script or HTML via the subject parameter. | 2.1 |
2013-03-26 | CVE-2013-0525 | IBM | Cross-Site Scripting vulnerability in IBM Lotus Inotes Multiple cross-site scripting (XSS) vulnerabilities in IBM iNotes 8.5.x allow local users to inject arbitrary web script or HTML via a shared mail file, aka SPR DKEN8PDNTX. | 1.5 |