Weekly Vulnerabilities Reports > April 29 to May 5, 2013
Overview
69 new vulnerabilities were reported during this period, including 10 critical vulnerabilities and 6 high severity vulnerabilities. This weekly summary reports vulnerabilities in 116 products from 27 vendors including Cisco, IBM, Joomla, Apache, and Canonical. The vulnerabilities are notably categorized as "Cross-site Scripting", "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Improper Input Validation", "Permissions, Privileges, and Access Controls", and "Information Exposure".
- 61 reported vulnerabilities are remotely exploitable.
- 3 reported vulnerabilities have a public exploit available.
- 17 reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
- 52 reported vulnerabilities are exploitable by an anonymous user.
- Cisco has the most reported vulnerabilities, with 18 reported vulnerabilities.
- IBM has the most reported critical vulnerabilities, with 3 reported vulnerabilities.
Vulnerability Details
The following tables list the reported vulnerabilities for the period covered by this report, grouped by severity:
10 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2013-05-02 | CVE-2013-1091 | Novell | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Novell Iprint Stack-based buffer overflow in Novell iPrint Client before 5.90 allows remote attackers to execute arbitrary code via unspecified vectors. | 10.0 |
2013-05-01 | CVE-2013-0673 | Matrikonopc | Path Traversal vulnerability in Matrikonopc A&E Historian 1.0.0.0 Directory traversal vulnerability in the web interface in the Health Monitor service in MatrikonOPC A&E Historian 1.0.0.0 allows remote attackers to read and delete arbitrary files via a crafted URL. | 9.4 |
2013-05-05 | CVE-2013-0726 | Hexagon | Buffer Errors vulnerability in Hexagon Erdas ER Viewer 11.04 Stack-based buffer overflow in the ERM_convert_to_correct_webpath function in ermapper_u.dll in ERDAS ER Viewer before 13.00.0001 allows remote attackers to execute arbitrary code via a crafted pathname in an ERS file. | 9.3 |
2013-05-03 | CVE-2013-0945 | EMC | Improper Input Validation vulnerability in EMC Avamar EMC Avamar Client before 6.1.101-89 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. | 9.3 |
2013-05-02 | CVE-2013-1338 | Microsoft | Resource Management Errors vulnerability in Microsoft Internet Explorer Use-after-free vulnerability in Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka "Internet Explorer Use After Free Vulnerability," a different vulnerability than CVE-2013-1303 and CVE-2013-1304. | 9.3 |
2013-04-30 | CVE-2012-5947 | IBM | Buffer Errors vulnerability in IBM Spss Samplepower 3.0.0.0 Buffer overflow in the vsflex7l ActiveX control in IBM SPSS SamplePower 3.0 before FP1 allows remote attackers to execute arbitrary code via unspecified vectors. | 9.3 |
2013-04-30 | CVE-2012-5946 | IBM | Buffer Errors vulnerability in IBM Spss Samplepower 3.0.0.0 Buffer overflow in the c1sizer ActiveX control in C1sizer.ocx in IBM SPSS SamplePower 3.0 before FP1 allows remote attackers to execute arbitrary code via a long TabCaption string. | 9.3 |
2013-04-30 | CVE-2012-5945 | IBM | Buffer Errors vulnerability in IBM Spss Samplepower 3.0.0.0 Multiple buffer overflows in the Vsflex8l ActiveX control in IBM SPSS SamplePower 3.0 before FP1 allow remote attackers to execute arbitrary code via a long (1) ComboList or (2) ColComboList property value. | 9.3 |
2013-05-01 | CVE-2013-3080 | Vmware | Permissions, Privileges, and Access Controls vulnerability in VMWare Vcenter Server Appliance 5.1 VMware vCenter Server Appliance (vCSA) 5.1 before Update 1 allows remote authenticated users to create or overwrite arbitrary files, and consequently execute arbitrary code or cause a denial of service, by leveraging Virtual Appliance Management Interface (VAMI) web-interface access. | 9.0 |
2013-05-01 | CVE-2013-3079 | Vmware | Code Injection vulnerability in VMWare Vcenter Server Appliance 5.1 VMware vCenter Server Appliance (vCSA) 5.1 before Update 1 allows remote authenticated users to execute arbitrary programs with root privileges by leveraging Virtual Appliance Management Interface (VAMI) access. | 9.0 |
6 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2013-05-05 | CVE-2013-1347 | Microsoft | Use After Free vulnerability in Microsoft Internet Explorer 8 Microsoft Internet Explorer 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly allocated or (2) is deleted, as exploited in the wild in May 2013. | 8.8 |
2013-05-01 | CVE-2013-0140 | Mcafee | SQL Injection vulnerability in Mcafee Epolicy Orchestrator SQL injection vulnerability in the Agent-Handler component in McAfee ePolicy Orchestrator (ePO) before 4.5.7 and 4.6.x before 4.6.6 allows remote attackers to execute arbitrary SQL commands via a crafted request over the Agent-Server communication channel. | 7.9 |
2013-05-02 | CVE-2013-3266 | Freebsd | Improper Input Validation vulnerability in Freebsd The nfsrvd_readdir function in sys/fs/nfsserver/nfs_nfsdport.c in the new NFS server in FreeBSD 8.0 through 9.1-RELEASE-p3 does not verify that a READDIR request is for a directory node, which allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code by specifying a plain file instead of a directory. | 7.5 |
2013-05-05 | CVE-2013-1092 | Novell | Local Privilege Escalation vulnerability in Novell ZENworks Desktop Management 7/7.1 Multiple unquoted Windows search path vulnerabilities in Novell ZENworks Desktop Management (ZDM) 7 through 7.1 might allow local users to gain privileges via a Trojan horse "program" file in the C: folder, related to an attempted launch of (1) ZenRem32.exe or (2) wm.exe. | 7.2 |
2013-05-03 | CVE-2013-0940 | EMC | Permissions, Privileges, and Access Controls vulnerability in EMC Networker The nsrpush process in the client in EMC NetWorker before 7.6.5.3 and 8.x before 8.0.1.4 sets weak permissions for unspecified files, which allows local users to gain privileges via unknown vectors. | 7.2 |
2013-05-01 | CVE-2013-0699 | Galilmc | Improper Input Validation vulnerability in Galilmc Rio-47100 PLC The Galil RIO-47100 Pocket PLC allows remote attackers to cause a denial of service via a session that includes "repeated requests." | 7.1 |
50 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2013-05-05 | CVE-2013-2703 | Crunchify Wordpress | Cross-Site Request Forgery (CSRF) vulnerability in Crunchify Facebook Members Cross-site request forgery (CSRF) vulnerability in the Facebook Members plugin before 5.0.5 for WordPress allows remote attackers to hijack the authentication of administrators for requests that modify this plugin's settings. | 6.8 |
2013-05-05 | CVE-2013-2702 | Thulasidas Wordpress | Cross-Site Request Forgery (CSRF) vulnerability in Thulasidas Easy-Adsense-Lite Cross-site request forgery (CSRF) vulnerability in the Easy AdSense Lite plugin before 6.10 for WordPress allows remote attackers to hijack the authentication of arbitrary users for requests that modify this plugin's settings. | 6.8 |
2013-04-29 | CVE-2013-1927 | Redhat Canonical Opensuse | Security Bypass vulnerability in IcedTea-Web The IcedTea-Web plugin before 1.2.3 and 1.3.x before 1.3.2 allows remote attackers to execute arbitrary code via a crafted file that validates as both a GIF and a Java JAR file, aka "GIFAR." Per http://www.ubuntu.com/usn/USN-1804-1/ "A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 12.10 Ubuntu 12.04 LTS Ubuntu 11.10 Ubuntu 10.04 LTS" Per http://lists.opensuse.org/opensuse-updates/2013-04/msg00106.html "Affected Products: openSUSE 12.2" | 6.8 |
2013-04-29 | CVE-2013-1196 | Cisco | Improper Input Validation vulnerability in Cisco products The command-line interface in Cisco Secure Access Control System (ACS), Identity Services Engine Software, Context Directory Agent, Application Networking Manager (ANM), Prime Network Control System, Prime LAN Management Solution (LMS), Prime Collaboration, Unified Provisioning Manager, Network Services Manager, Prime Data Center Network Manager (DCNM), and Quad does not properly validate input, which allows local users to obtain root privileges via unspecified vectors, aka Bug IDs CSCug29384, CSCug13866, CSCug29400, CSCug29406, CSCug29411, CSCug29413, CSCug29416, CSCug29418, CSCug29422, CSCug29425, and CSCug29426, a different issue than CVE-2013-1125. | 6.8 |
2013-05-01 | CVE-2013-3062 | SAP | Permissions, Privileges, and Access Controls vulnerability in SAP Production Planning and Control The CP_RC_TRANSACTION_CALL_BY_SET function in the Engineering Workbench component in SAP Production Planning and Control allows remote authenticated users to bypass intended transaction restrictions via unspecified vectors. | 6.5 |
2013-04-29 | CVE-2013-1226 | Cisco | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Cisco products The Ethernet frame-forwarding implementation in Cisco NX-OS on Nexus 7000 devices allows remote attackers to cause a denial of service (forwarding loop and service outage) via a crafted frame, aka Bug ID CSCug47098. | 6.1 |
2013-05-01 | CVE-2013-3063 | SAP | Remote Command Execution vulnerability in SAP Basis Communication Services 4.6/7.30 SAP BASIS Communication Services 4.6B through 7.30 allows remote authenticated users to execute arbitrary commands via unspecified vectors. | 6.0 |
2013-05-01 | CVE-2013-0127 | IBM | Permissions, Privileges, and Access Controls vulnerability in IBM Lotus Notes IBM Lotus Notes 8.x before 8.5.3 FP4 Interim Fix 1 and 9.0 before Interim Fix 1 does not block APPLET elements in HTML e-mail, which allows remote attackers to bypass intended restrictions on Java code execution and X-Confirm-Reading-To functionality via a crafted message, aka SPRs JMOY95BLM6 and JMOY95BN49. | 5.8 |
2013-04-29 | CVE-2013-1926 | Redhat Canonical Opensuse | Security Bypass vulnerability in IcedTea-Web The IcedTea-Web plugin before 1.2.3 and 1.3.x before 1.3.2 uses the same class loader for applets with the same codebase path but from different domains, which allows remote attackers to obtain sensitive information or possibly alter other applets via a crafted applet. | 5.8 |
2013-05-03 | CVE-2013-3242 | Joomla | Improper Input Validation vulnerability in Joomla Joomla! plugins/system/remember/remember.php in Joomla! 2.5.x before 2.5.10 and 3.0.x before 3.0.4 does not properly handle an object obtained by unserializing a cookie, which allows remote authenticated users to conduct PHP object injection attacks and cause a denial of service via unspecified vectors. | 5.5 |
2013-05-04 | CVE-2013-1235 | Cisco | Remote Denial of Service vulnerability in Cisco Wireless LAN Controller Cisco Wireless LAN Controller (WLC) devices do not properly address the resource consumption of terminated TELNET sessions, which allows remote attackers to cause a denial of service (TELNET outage) by making many TELNET connections and improperly ending these connections, aka Bug ID CSCug35507. | 5.0 |
2013-05-04 | CVE-2013-1232 | Cisco | Improper Input Validation vulnerability in Cisco products The HTTP implementation in Cisco WebEx Node for MCS, WebEx Meetings Server, and WebEx Node for ASR 1000 Series allows remote attackers to read the contents of uninitialized memory locations via a crafted request, aka Bug IDs CSCue36672, CSCue31363, CSCuf17466, and CSCug61252. | 5.0 |
2013-05-03 | CVE-2013-1231 | Cisco | Improper Input Validation vulnerability in Cisco Webex Meetings Server and Webex Node FOR MCS The HTTP implementation in Cisco WebEx Node for MCS and WebEx Meetings Server allows remote attackers to read cache files via a crafted request, aka Bug IDs CSCue36664 and CSCue36629. | 5.0 |
2013-05-02 | CVE-2013-1884 | Apache | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apache Subversion The mod_dav_svn Apache HTTPD server module in Subversion 1.7.0 through 1.7.8 allows remote attackers to cause a denial of service (segmentation fault and crash) via a log REPORT request with an invalid limit, which triggers an access of an uninitialized variable. | 5.0 |
2013-05-02 | CVE-2013-1847 | Apache | Unspecified vulnerability in Apache Subversion The mod_dav_svn Apache HTTPD server module in Subversion 1.6.0 through 1.6.20 and 1.7.0 through 1.7.8 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via an anonymous LOCK for a URL that does not exist. | 5.0 |
2013-05-02 | CVE-2013-0306 | Djangoproject Canonical | Numeric Errors vulnerability in multiple products The form library in Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 allows remote attackers to bypass intended resource limits for formsets and cause a denial of service (memory consumption) or trigger server errors via a modified max_num parameter. | 5.0 |
2013-05-02 | CVE-2012-5657 | Zend | Information Exposure vulnerability in Zend Framework The (1) Zend_Feed_Rss and (2) Zend_Feed_Atom classes in Zend_Feed in Zend Framework 1.11.x before 1.11.15 and 1.12.x before 1.12.1 allow remote attackers to read arbitrary files, send HTTP requests to intranet servers, and possibly cause a denial of service (CPU and memory consumption) via an XML External Entity (XXE) attack. | 5.0 |
2013-05-02 | CVE-2011-4609 | GNU | Resource Management Errors vulnerability in GNU Glibc The svc_run function in the RPC implementation in glibc before 2.15 allows remote attackers to cause a denial of service (CPU consumption) via a large number of RPC connections. | 5.0 |
2013-05-02 | CVE-2009-5135 | Nextapp | Improper Input Validation vulnerability in Nextapp Echo The Java XML parser in Echo before 2.1.1 and 3.x before 3.0.b6 allows remote attackers to read arbitrary files via a request containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. | 5.0 |
2013-05-02 | CVE-2012-5222 | HP Microsoft | Information Exposure vulnerability in HP Service Manager web Tier 9.31 HP Service Manager Web Tier 9.31 before 9.31.2004 p2 allows remote attackers to obtain sensitive information via unspecified vectors. | 5.0 |
2013-05-01 | CVE-2013-1230 | Cisco | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Cisco Unified Communications Domain Manager Cisco Unified Communications Domain Manager allows remote attackers to cause a denial of service (CPU consumption) via a flood of malformed UDP packets, aka Bug ID CSCug47057. | 5.0 |
2013-05-01 | CVE-2013-1229 | Cisco | Improper Input Validation vulnerability in Cisco Telepresence Management Suite TMSSNMPService.exe in TelePresence Manager in Cisco TelePresence Management Suite (TMS) on 64-bit platforms allows remote attackers to cause a denial of service (process crash) via SNMP traps, aka Bug ID CSCue00028. | 5.0 |
2013-05-01 | CVE-2013-1156 | Cisco | Path Traversal vulnerability in Cisco Prime Central FOR Hosted Collaboration Solution Directory traversal vulnerability in Cisco Prime Central for Hosted Collaboration Solution allows remote attackers to read arbitrary files via a crafted URL, aka Bug ID CSCud51034. | 5.0 |
2013-05-01 | CVE-2013-0666 | Matrikonopc | Resource Management Errors vulnerability in Matrikonopc Security Gateway 1.0 The configuration utility in MatrikonOPC Security Gateway 1.0 allows remote attackers to cause a denial of service (unhandled exception and application crash) via a TCP RST packet. | 5.0 |
2013-05-01 | CVE-2012-4952 | Dentrix | Credentials Management vulnerability in Dentrix G5 Henry Schein Dentrix G5 before 15.1.294 has a single internal-database password that is shared across different customers' installations, which allows remote attackers to obtain sensitive information about patients by leveraging knowledge of this password from another installation. | 5.0 |
2013-04-29 | CVE-2013-1944 | Haxx Canonical | Information Exposure vulnerability in multiple products The tailMatch function in cookie.c in cURL and libcurl before 7.30.0 does not properly match the path domain when sending cookies, which allows remote attackers to steal cookies via a matching suffix in the domain of a URL. | 5.0 |
2013-04-29 | CVE-2012-5221 | HP | Information Disclosure vulnerability in Multiple HP LaserJet Printers Directory traversal vulnerability in the PostScript Interpreter, as used on the HP LaserJet 4xxx, 5200, 90xx, M30xx, M4345, M50xx, M90xx, P3005, and P4xxx; LaserJet Enterprise P3015; Color LaserJet 3xxx, 47xx, 5550, 9500, CM60xx, CP35xx, CP4005, and CP6015; Color LaserJet Enterprise CP4xxx; and 9250c Digital Sender with model-dependent firmware through 52.x allows remote attackers to read arbitrary files via unknown vectors. | 5.0 |
2013-05-04 | CVE-2013-1240 | Cisco | Improper Input Validation vulnerability in Cisco Unified Communications Manager The command-line interface in Cisco Unified Communications Manager (CUCM) does not properly validate input, which allows local users to read arbitrary files via unspecified vectors, aka Bug ID CSCue25770. | 4.6 |
2013-04-29 | CVE-2013-1219 | Cisco | Local Denial of Service vulnerability in Cisco Intrusion Prevention System SensorApp in Cisco Intrusion Prevention System (IPS) allows local users to cause a denial of service (Regex hardware job failure and application hang) via a (1) initiate signature upgrade, (2) initiate global correlation, (3) show statistics anomaly-detection, or (4) clear database action, aka Bug ID CSCuc74630. | 4.4 |
2013-05-03 | CVE-2013-3267 | Joomla | Cross-Site Scripting vulnerability in Joomla Joomla! Cross-site scripting (XSS) vulnerability in the highlighter plugin in Joomla! 2.5.x before 2.5.10 and 3.0.x before 3.0.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2013-05-03 | CVE-2013-3059 | Joomla | Cross-Site Scripting vulnerability in Joomla Joomla! Cross-site scripting (XSS) vulnerability in the Voting plugin in Joomla! 2.5.x before 2.5.10 and 3.0.x before 3.0.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2013-05-03 | CVE-2013-3058 | Joomla | Cross-Site Scripting vulnerability in Joomla Joomla! Cross-site scripting (XSS) vulnerability in Joomla! 2.5.x before 2.5.10 and 3.0.x before 3.0.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2013-05-02 | CVE-2013-0582 | IBM | Cross-Site Scripting vulnerability in IBM products Cross-site scripting (XSS) vulnerability in IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 before 6.2.0.12, 6.2.1 before 6.2.1.5, and 6.2.2 before 6.2.2.4 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.2.0 before 6.2.0.12 and 6.2.1 before 6.2.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted URL that triggers a SAML 2.0 response. | 4.3 |
2013-05-02 | CVE-2013-1849 | Apache | Unspecified vulnerability in Apache Subversion The mod_dav_svn Apache HTTPD server module in Subversion 1.6.x through 1.6.20 and 1.7.0 through 1.7.8 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a PROPFIND request for an activity URL. | 4.3 |
2013-05-02 | CVE-2013-2321 | HP Microsoft | Cross-Site Scripting vulnerability in HP Service Manager web Tier 9.31 Cross-site scripting (XSS) vulnerability in HP Service Manager Web Tier 9.31 before 9.31.2004 p2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2013-05-01 | CVE-2013-3107 | Vmware | Permissions, Privileges, and Access Controls vulnerability in VMWare Vcenter Server Appliance 5.0 VMware vCenter Server 5.1 before Update 1, when anonymous LDAP binding for Active Directory is enabled, allows remote attackers to bypass authentication by providing a valid username in conjunction with an empty password. | 4.3 |
2013-05-01 | CVE-2013-1160 | Cisco | Cross-Site Scripting vulnerability in Cisco Prime Central FOR Hosted Collaboration Solution Cross-site scripting (XSS) vulnerability in the OpenView web menus in Cisco Prime Central for Hosted Collaboration Solution allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka Bug ID CSCud56743. | 4.3 |
2013-05-01 | CVE-2013-1159 | Cisco | Cross-Site Scripting vulnerability in Cisco Prime Central FOR Hosted Collaboration Solution Cross-site scripting (XSS) vulnerability in the Netcool Impact (NCI) web menus in Cisco Prime Central for Hosted Collaboration Solution allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka Bug ID CSCud56706. | 4.3 |
2013-05-01 | CVE-2013-1158 | Cisco | Cross-Site Scripting vulnerability in Cisco Prime Central FOR Hosted Collaboration Solution Cross-site scripting (XSS) vulnerability in the IBM Tivoli Monitoring (ITM) help menus in Cisco Prime Central for Hosted Collaboration Solution allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka Bug ID CSCud54397. | 4.3 |
2013-05-01 | CVE-2013-1157 | Cisco | Cross-Site Scripting vulnerability in Cisco Prime Central FOR Hosted Collaboration Solution Cross-site scripting (XSS) vulnerability in the IBM Tivoli Monitoring (ITM) Java servlet container in Cisco Prime Central for Hosted Collaboration Solution allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka Bug ID CSCud51068. | 4.3 |
2013-05-01 | CVE-2013-0538 | IBM | Cross-Site Scripting vulnerability in IBM Lotus Notes Cross-site scripting (XSS) vulnerability in IBM Lotus Notes 8.x before 8.5.3 FP4 Interim Fix 1 and 9.0 before Interim Fix 1 allows remote attackers to inject arbitrary web script or HTML via a SCRIPT element in an HTML e-mail message, aka SPRs JMOY95BLM6 and JMOY95BN49. | 4.3 |
2013-05-01 | CVE-2013-0141 | Mcafee | Path Traversal vulnerability in Mcafee Epolicy Orchestrator Directory traversal vulnerability in McAfee ePolicy Orchestrator (ePO) before 4.5.7 and 4.6.x before 4.6.6 allows remote attackers to upload arbitrary files via a crafted request over the Agent-Server communication channel, as demonstrated by writing to the Software/ directory. | 4.3 |
2013-04-29 | CVE-2013-1227 | Cisco | Cross-Site Scripting vulnerability in Cisco Unified Communications Domain Manager Cross-site scripting (XSS) vulnerability in the web framework in Cisco Unified Communications Domain Manager allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka Bug ID CSCug37902. | 4.3 |
2013-04-29 | CVE-2013-1198 | Cisco | Cross-Site Scripting vulnerability in Cisco Unified Computing System Software Cross-site scripting (XSS) vulnerability in a Flash component in Cisco Unified Computing System (UCS) Central allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka Bug ID CSCud15430. | 4.3 |
2013-05-03 | CVE-2013-3057 | Joomla | Permissions, Privileges, and Access Controls vulnerability in Joomla Joomla! Joomla! 2.5.x before 2.5.10 and 3.0.x before 3.0.4 allows remote authenticated users to bypass intended privilege requirements and list the privileges of arbitrary users via unspecified vectors. | 4.0 |
2013-05-03 | CVE-2013-3056 | Joomla | Permissions, Privileges, and Access Controls vulnerability in Joomla Joomla! Joomla! 2.5.x before 2.5.10 and 3.0.x before 3.0.4 allows remote authenticated users to bypass intended privilege requirements and delete the private messages of arbitrary users via unspecified vectors. | 4.0 |
2013-05-03 | CVE-2013-1234 | Cisco | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Cisco IOS XR The SNMP module in Cisco IOS XR allows remote authenticated users to cause a denial of service (process restart) via crafted SNMP packets, aka Bug ID CSCue69472. | 4.0 |
2013-05-02 | CVE-2013-1846 | Apache Opensuse | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products The mod_dav_svn Apache HTTPD server module in Subversion 1.6.x before 1.6.21 and 1.7.0 through 1.7.8 allows remote authenticated users to cause a denial of service (NULL pointer dereference and crash) via a LOCK on an activity URL. | 4.0 |
2013-05-02 | CVE-2013-0305 | Djangoproject Canonical | Information Exposure vulnerability in multiple products The administrative interface for Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 does not check permissions for the history view, which allows remote authenticated administrators to obtain sensitive object history information. | 4.0 |
2013-04-29 | CVE-2013-1216 | Cisco | Information Exposure vulnerability in Cisco IOS XR Memory leak in the SNMP module in Cisco IOS XR allows remote authenticated users to cause a denial of service (memory consumption and process restart) via crafted SNMP packets, aka Bug ID CSCue31546. | 4.0 |
3 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2013-05-03 | CVE-2013-0944 | EMC | Information Exposure vulnerability in EMC Avamar The web-based file-restore interface in EMC Avamar Server before 6.1.0 allows remote authenticated users to read arbitrary files via a crafted URL. | 3.5 |
2013-05-02 | CVE-2013-0535 | IBM | Cross-Site Scripting vulnerability in IBM Classic Meeting Server and Lotus Sametime Multiple cross-site scripting (XSS) vulnerabilities in the Classic Meeting Server in IBM Sametime 7.5.1.2 through 8.5.2.1 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. | 3.5 |
2013-05-02 | CVE-2013-1845 | Apache Opensuse | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products The mod_dav_svn Apache HTTPD server module in Subversion 1.6.x before 1.6.21 and 1.7.0 through 1.7.8 allows remote authenticated users to cause a denial of service (memory consumption) by (1) setting or (2) deleting a large number of properties for a file or directory. | 2.1 |