Weekly Vulnerabilities Reports > June 17 to 23, 2013
Overview
107 new vulnerabilities were reported during this period, including 20 critical vulnerabilities and 19 high severity vulnerabilities. This weekly summary reports vulnerabilities in 178 products from 29 vendors including Oracle, SUN, IBM, Huawei, and Vanderbilt. Vulnerabilities are notably categorized as "Cross-site Scripting", "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Improper Input Validation", "Permissions, Privileges, and Access Controls", and "Information Exposure".
- 94 reported vulnerabilities are remotely exploitable.
- 1 reported vulnerability has a public exploit available.
- 17 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 97 reported vulnerabilities are exploitable by an anonymous user.
- Oracle has the most reported vulnerabilities, with 38 reported vulnerabilities.
- Oracle has the most reported critical vulnerabilities, with 13 reported vulnerabilities.
Vulnerability Details
The following tables list the reported vulnerabilities for the period covered by this report:
20 Critical Vulnerabilities
19 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2013-06-20 | CVE-2013-4629 | Huawei | Credentials Management vulnerability in Huawei VP 9610 and VP 9620 The Huawei viewpoint VP9610 and VP9620 units for the Huawei Video Conference system do not update the Session ID upon successful establishment of a login session, which allows remote authenticated users to hijack sessions via an unspecified interception method. | 8.5 |
2013-06-21 | CVE-2013-3379 | Cisco | Permissions, Privileges, and Access Controls vulnerability in Cisco Telepresence TC Software The firewall subsystem in Cisco TelePresence TC Software before 4.2 does not properly implement rules that grant access to hosts, which allows remote attackers to obtain shell access with root privileges by leveraging connectivity to the management network, aka Bug ID CSCts37781. | 8.3 |
2013-06-20 | CVE-2013-1612 | Symantec | Buffer Errors vulnerability in Symantec products Buffer overflow in secars.dll in the management console in Symantec Endpoint Protection Manager (SEPM) 12.1.x before 12.1.3, and Symantec Endpoint Protection Center (SPC) Small Business Edition 12.0.x, allows remote attackers to execute arbitrary code via unspecified vectors. | 7.9 |
2013-06-21 | CVE-2013-3378 | Cisco | Improper Input Validation vulnerability in Cisco Telepresence TC Software and Telepresence TE Software Cisco TelePresence TC Software before 6.1 and TE Software before 4.1.3 allow remote attackers to cause a denial of service (temporary device hang) via crafted SIP packets, aka Bug ID CSCuf89557. | 7.8 |
2013-06-21 | CVE-2013-3377 | Cisco | Resource Management Errors vulnerability in Cisco products Cisco TelePresence TC Software before 5.1.7 and TE Software before 4.1.3 allow remote attackers to cause a denial of service (device reload) via crafted SIP packets, aka Bug ID CSCue01743. | 7.8 |
2013-06-20 | CVE-2013-4632 | Huawei | Improper Input Validation vulnerability in Huawei Access Router V200R002C01Spc200 The Huawei Access Router (AR) before V200R002SPC003 allows remote attackers to cause a denial of service (device reset) via a crafted field in a DHCP request, as demonstrated by a request from an IP phone. | 7.8 |
2013-06-20 | CVE-2013-4631 | Huawei | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Huawei products Huawei AR 150, 200, 1200, 2200, and 3200 routers, when SNMPv3 is enabled, allow remote attackers to cause a denial of service (device crash) via malformed SNMPv3 requests that leverage unspecified overflow issues. | 7.8 |
2013-06-18 | CVE-2013-2445 | Oracle SUN | Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect availability via unknown vectors related to Hotspot. | 7.8 |
2013-06-20 | CVE-2013-4630 | Huawei | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Huawei products Stack-based buffer overflow on Huawei AR 150, 200, 1200, 2200, and 3200 routers, when SNMPv3 debugging is enabled, allows remote attackers to execute arbitrary code via malformed SNMPv3 requests. | 7.6 |
2013-06-18 | CVE-2013-2448 | Oracle SUN | Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Sound. | 7.6 |
2013-06-21 | CVE-2013-4613 | Canon | Permissions, Privileges, and Access Controls vulnerability in Canon products The default configuration of the administrative interface on the Canon MG3100, MG5300, MG6100, MP495, MX340, MX870, MX890, MX920, and MX922 printers does not require authentication, which allows remote attackers to modify the configuration by visiting the Advanced page. | 7.5 |
2013-06-20 | CVE-2013-4634 | Raphael Zschorsch Typo3 | SQL Injection vulnerability in Raphael Zschorsch Rzautocomplete SQL injection vulnerability in the jQuery autocomplete for indexed_search (rzautocomplete) extension before 0.0.9 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | 7.5 |
2013-06-20 | CVE-2012-6571 | Huawei | Cryptographic Issues vulnerability in Huawei products The HTTP module in the (1) Branch Intelligent Management System (BIMS) and (2) web management components on Huawei AR routers and S2000, S3000, S3500, S3900, S5100, S5600, and S7800 switches uses predictable Session ID values, which makes it easier for remote attackers to hijack sessions via a brute-force attack. | 7.5 |
2013-06-19 | CVE-2013-4622 | HTC | Credentials Management vulnerability in HTC Droid Incredible Frf91 The 3G Mobile Hotspot feature on the HTC Droid Incredible has a default WPA2 PSK passphrase of 1234567890, which makes it easier for remote attackers to obtain access by leveraging a position within the WLAN coverage area. | 7.5 |
2013-06-18 | CVE-2013-2461 | SUN Oracle | Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier and 6 Update 45 and earlier; the Oracle JRockit component in Oracle Fusion Middleware R27.7.5 and earlier and R28.2.7 and earlier; and OpenJDK 7 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries. | 7.5 |
2013-06-18 | CVE-2013-2442 | Oracle SUN | Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier and 6 Update 45 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2013-2466 and CVE-2013-2468. | 7.5 |
2013-06-17 | CVE-2013-3520 | Vmware | Code Injection vulnerability in VMWare Vcenter Chargeback Manager VMware vCenter Chargeback Manager (aka CBM) before 2.5.1 does not properly handle uploads, which allows remote attackers to execute arbitrary code via unspecified vectors. | 7.5 |
2013-06-21 | CVE-2013-0536 | IBM | Permissions, Privileges, and Access Controls vulnerability in IBM Lotus Inotes, Lotus Notes and Lotus Notes Traveler ntmulti.exe in the Multi User Profile Cleanup service in IBM Notes 8.0, 8.0.1, 8.0.2, 8.5, 8.5.1, 8.5.2, 8.5.3 before FP5, and 9.0 before IF2 allows local users to gain privileges via vectors that arrange for code to be executed during the next login session of a different user, aka SPR PJOK959J24. | 7.2 |
2013-06-21 | CVE-2013-3035 | IBM | Improper Input Validation vulnerability in IBM AIX and Vios The IPv6 implementation in the inet subsystem in IBM AIX 6.1 and 7.1, and VIOS 2.2.2.2-FP-26 SP-02, allows remote attackers to cause a denial of service (system hang) via a crafted packet to an IPv6 interface. | 7.1 |
58 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2013-06-20 | CVE-2012-6568 | Huawei | Buffer Errors vulnerability in Huawei Utps 1.0 Buffer overflow in the back-end component in Huawei UTPS 1.0 allows local users to gain privileges via a long IDS_PLUGIN_NAME string in a plug-in configuration file. | 6.9 |
2013-06-18 | CVE-2013-2467 | SUN Oracle | Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 5.0 Update 45 and earlier allows local users to affect confidentiality, integrity, and availability via unknown vectors related to the Java installer. | 6.9 |
2013-06-21 | CVE-2013-3250 | Wordpress | Cross-Site Request Forgery (CSRF) vulnerability in Wordpress WP Maintenance Mode Plugin Cross-site request forgery (CSRF) vulnerability in the WP Maintenance Mode plugin before 1.8.8 for WordPress allows remote attackers to hijack the authentication of arbitrary users for requests that modify this plugin's settings. | 6.8 |
2013-06-18 | CVE-2013-3647 | Cybozu | Information Exposure vulnerability in Cybozu Live 1.0.4/2.0.0 The WebView class in the Cybozu Live application before 2.0.1 for Android allows attackers to execute arbitrary JavaScript code, and obtain sensitive information, via a crafted application that places this code into a local file associated with a file: URL. | 6.8 |
2013-06-18 | CVE-2013-3646 | Cybozu | Code vulnerability in Cybozu Live 1.0.4/2.0.0 The Cybozu Live application before 2.0.1 for Android allows remote attackers to execute arbitrary Java methods, and obtain sensitive information or execute arbitrary commands, via a crafted web site. | 6.8 |
2013-06-17 | CVE-2013-2980 | IBM | Cross-Site Request Forgery (CSRF) vulnerability in IBM Data Studio 3.1.0/3.1.1 Cross-site request forgery (CSRF) vulnerability in the Web Console in IBM Data Studio 3.1.0 and 3.1.1 allows remote attackers to hijack the authentication of arbitrary users for requests that access monitored database information. | 6.8 |
2013-06-20 | CVE-2012-4960 | Huawei | Cryptographic Issues vulnerability in Huawei products The Huawei NE5000E, MA5200G, NE40E, NE80E, ATN, NE40, NE80, NE20E-X6, NE20, ME60, CX600, CX200, CX300, ACU, WLAN AC 6605, S9300, S7700, S2300, S3300, S5300, S3300HI, S5300HI, S5306, S6300, S2700, S3700, S5700, S6700, AR G3, H3C AR(OEM IN), AR 19, AR 29, AR 49, Eudemon100E, Eudemon200, Eudemon300, Eudemon500, Eudemon1000, Eudemon1000E-U/USG5300, Eudemon1000E-X/USG5500, Eudemon8080E/USG9300, Eudemon8160E/USG9300, Eudemon8000E-X/USG9500, E200E-C/USG2200, E200E-X3/USG2200, E200E-X5/USG2200, E200E-X7/USG2200, E200E-C/USG5100, E200E-X3/USG5100, E200E-X5/USG5100, E200E-X7/USG5100, E200E-B/USG2100, E200E-X1/USG2100, E200E-X2/USG2100, SVN5300, SVN2000, SVN5000, SVN3000, NIP100, NIP200, NIP1000, NIP2100, NIP2200, and NIP5100 use the DES algorithm for stored passwords, which makes it easier for context-dependent attackers to obtain cleartext passwords via a brute-force attack. | 6.5 |
2013-06-17 | CVE-2013-4609 | Project Redcap Vanderbilt | Permissions, Privileges, and Access Controls vulnerability in multiple products REDCap before 5.0.4 and 5.1.x before 5.1.3 does not reject certain undocumented syntax within branching logic and calculations, which allows remote authenticated users to bypass intended access restrictions via (1) the Online Designer or (2) the Data Dictionary upload, as demonstrated by an eval call. | 6.5 |
2013-06-17 | CVE-2012-6567 | Project Redcap | Improper Input Validation vulnerability in Project-Redcap Redcap REDCap before 4.14.0 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the logic of a custom rule. | 6.5 |
2013-06-18 | CVE-2013-2407 | Oracle SUN | Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier and 6 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality and availability via unknown vectors related to Libraries. | 6.4 |
2013-06-19 | CVE-2013-2968 | IBM | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in IBM Sterling Control Center An unspecified buffer-read method in IBM Sterling Control Center (SCC) 5.2 before 5.2.0.9, 5.3 before 5.3.0.4, and 5.4 through 5.4.0.1 allows remote authenticated users to cause a denial of service via a large file that lacks end-of-line characters. | 6.3 |
2013-06-18 | CVE-2013-2458 | Oracle | Remote Security vulnerability in Oracle JDK and JRE Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality and integrity via unknown vectors related to Libraries. | 5.8 |
2013-06-18 | CVE-2013-2454 | Oracle SUN | Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality and integrity via vectors related to JDBC. | 5.8 |
2013-06-18 | CVE-2013-4616 | Apple | Credentials Management vulnerability in Apple Iphone OS The WifiPasswordController generateDefaultPassword method in Preferences in Apple iOS 6 and earlier relies on the UITextChecker suggestWordInLanguage method for selection of Wi-Fi hotspot WPA2 PSK passphrases, which makes it easier for remote attackers to obtain access via a brute-force attack that leverages the insufficient number of possible passphrases. | 5.8 |
2013-06-17 | CVE-2013-1093 | Novell | Improper Input Validation vulnerability in Novell Zenworks Configuration Management Open redirect vulnerability in the fwdToURL function in the ZCC login page in zcc-framework.jar in Novell ZENworks Configuration Management (ZCM) 11.2 before 11.2.3a Monthly Update 1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the directToPage parameter. | 5.8 |
2013-06-18 | CVE-2013-1203 | Cisco | Improper Input Validation vulnerability in Cisco ASA CX Context-Aware Security Software Cisco ASA CX Context-Aware Security Software allows remote attackers to cause a denial of service (device reload) via crafted TCP packets that appear to have been forwarded by a Cisco Adaptive Security Appliances (ASA) device, aka Bug ID CSCue88386. | 5.4 |
2013-06-21 | CVE-2013-4635 | PHP | Numeric Errors vulnerability in PHP Integer overflow in the SdnToJewish function in jewish.c in the Calendar component in PHP before 5.3.26 and 5.4.x before 5.4.16 allows context-dependent attackers to cause a denial of service (application hang) via a large argument to the jdtojewish function. | 5.0 |
2013-06-21 | CVE-2013-4615 | Canon | Improper Input Validation vulnerability in Canon products The Canon MG3100, MG5300, MG6100, MP495, MX340, MX870, MX890, MX920, and MX922 printers allow remote attackers to cause a denial of service (device hang) via a crafted LAN_TXT24 parameter to English/pages_MacUS/cgi_lan.cgi followed by a direct request to English/pages_MacUS/lan_set_content.html. | 5.0 |
2013-06-21 | CVE-2013-2110 | PHP | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in PHP Heap-based buffer overflow in the php_quot_print_encode function in ext/standard/quot_print.c in PHP before 5.3.26 and 5.4.x before 5.4.16 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted argument to the quoted_printable_encode function. | 5.0 |
2013-06-21 | CVE-2013-2960 | IBM | Buffer Errors vulnerability in IBM products Buffer overflow in KDSMAIN in the Basic Services component in IBM Tivoli Monitoring (ITM) 6.2.0 through FP3, 6.2.1 through FP4, 6.2.2 through FP9, and 6.2.3 before FP3, as used in IBM Application Manager for Smart Business (formerly Tivoli Foundations Application Manager) 1.2.1 before 1.2.1.0-TIV-IAMSB-FP0004 and other products, allows remote attackers to cause a denial of service (segmentation fault) via a crafted http URL. | 5.0 |
2013-06-21 | CVE-2013-0551 | IBM | Improper Input Validation vulnerability in IBM products The Basic Services component in IBM Tivoli Monitoring (ITM) 6.2.0 through FP3, 6.2.1 through FP4, 6.2.2 through FP9, and 6.2.3 before FP3, as used in IBM Application Manager for Smart Business (formerly Tivoli Foundations Application Manager) 1.2.1 before 1.2.1.0-TIV-IAMSB-FP0004 and other products, allows remote attackers to cause a denial of service (abend) via a crafted URL. | 5.0 |
2013-06-21 | CVE-2013-0529 | IBM | Permissions, Privileges, and Access Controls vulnerability in IBM Sterling Connect Direct User Interface The Browser in IBM Sterling Connect:Direct 1.4 before 1.4.0.11 and 1.5 through 1.5.0.1 does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session. | 5.0 |
2013-06-18 | CVE-2013-3744 | Oracle | Remote Security vulnerability in Oracle JDK and JRE Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier allows remote attackers to affect integrity via unknown vectors related to Deployment, a different vulnerability than CVE-2013-2400. | 5.0 |
2013-06-18 | CVE-2013-2457 | Oracle SUN | Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect integrity via vectors related to JMX. | 5.0 |
2013-06-18 | CVE-2013-2456 | Oracle SUN | Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality via unknown vectors related to Serialization. | 5.0 |
2013-06-18 | CVE-2013-2455 | Oracle SUN | Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality via unknown vectors related to Libraries, a different vulnerability than CVE-2013-2443 and CVE-2013-2452. | 5.0 |
2013-06-18 | CVE-2013-2453 | Oracle SUN | Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier and 6 Update 45 and earlier allows remote attackers to affect integrity via vectors related to JMX. | 5.0 |
2013-06-18 | CVE-2013-2452 | Oracle SUN | Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality via unknown vectors related to Libraries, a different vulnerability than CVE-2013-2443 and CVE-2013-2455. | 5.0 |
2013-06-18 | CVE-2013-2450 | Oracle SUN | Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect availability via unknown vectors related to Serialization. | 5.0 |
2013-06-18 | CVE-2013-2447 | Oracle SUN | Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality via unknown vectors related to Networking. | 5.0 |
2013-06-18 | CVE-2013-2446 | Oracle SUN | Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality via vectors related to CORBA. | 5.0 |
2013-06-18 | CVE-2013-2444 | Oracle SUN | Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier; JavaFX 2.2.21 and earlier; and OpenJDK 7 allows remote attackers to affect availability via vectors related to AWT. | 5.0 |
2013-06-18 | CVE-2013-2443 | Oracle SUN | Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality via unknown vectors related to Libraries, a different vulnerability than CVE-2013-2452 and CVE-2013-2455. | 5.0 |
2013-06-18 | CVE-2013-2437 | Oracle SUN | Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier and 6 Update 45 and earlier allows remote attackers to affect confidentiality via unknown vectors related to Deployment. | 5.0 |
2013-06-18 | CVE-2013-2412 | Oracle SUN | Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier and 6 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality via unknown vectors related to Serviceability. | 5.0 |
2013-06-18 | CVE-2013-2400 | Oracle | Remote Security vulnerability in Oracle JDK and JRE Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier allows remote attackers to affect integrity via unknown vectors related to Deployment, a different vulnerability than CVE-2013-3744. | 5.0 |
2013-06-17 | CVE-2013-2981 | IBM | Path Traversal vulnerability in IBM Data Studio 3.1.0/3.1.1 Directory traversal vulnerability in the Web Console in IBM Data Studio 3.1.0 and 3.1.1 allows remote attackers to read arbitrary files via unspecified vectors. | 5.0 |
2013-06-18 | CVE-2013-3927 | Siemens | Local Security Bypass vulnerability in Siemens Comos 10.0/9.2 Unspecified vulnerability in the client library in Siemens COMOS 9.2 before 9.2.0.6.10 and 10.0 before 10.0.3.0.4 allows local users to obtain unintended write access to the database by leveraging read access. | 4.6 |
2013-06-21 | CVE-2013-4636 | PHP | Improper Input Validation vulnerability in PHP The mget function in libmagic/softmagic.c in the Fileinfo component in PHP 5.4.x before 5.4.16 allows remote attackers to cause a denial of service (invalid pointer dereference and application crash) via an MP3 file that triggers incorrect MIME type detection during access to a finfo object. | 4.3 |
2013-06-21 | CVE-2013-3392 | Cisco | Cross-Site Request Forgery (CSRF) vulnerability in Cisco Webex Social Multiple cross-site request forgery (CSRF) vulnerabilities in Cisco WebEx Social allow remote attackers to hijack the authentication of arbitrary users via unspecified vectors, aka Bug IDs CSCuh10405 and CSCuh10355. | 4.3 |
2013-06-21 | CVE-2013-0523 | IBM | Information Exposure vulnerability in IBM Websphere Commerce IBM WebSphere Commerce Enterprise 5.6.x through 5.6.1.5, 6.0.x through 6.0.0.11, and 7.0.x through 7.0.0.7 does not use a suitable encryption algorithm for storefront web requests, which allows remote attackers to obtain sensitive information via a padding oracle attack that targets certain UTF-8 processing of the krypto parameter, and leverages unspecified browser access or traffic-log access. | 4.3 |
2013-06-21 | CVE-2012-6572 | Kong Drupal | Cross-Site Scripting vulnerability in Kong Inf08 Cross-site scripting (XSS) vulnerability in the phptemplate_preprocess_node function in template.php in the Inf08 theme 6.x-1.x before 6.x-1.10 for Drupal allows remote authenticated users with the "administer taxonomy" permission to inject arbitrary web script or HTML via a taxonomy vocabulary name. | 4.3 |
2013-06-21 | CVE-2013-2961 | IBM | Improper Input Validation vulnerability in IBM products The internal web server in the Basic Services component in IBM Tivoli Monitoring (ITM) 6.2.0 through FP3, 6.2.1 through FP4, 6.2.2 through FP9, and 6.2.3 before FP3, as used in IBM Application Manager for Smart Business (formerly Tivoli Foundations Application Manager) 1.2.1 before 1.2.1.0-TIV-IAMSB-FP0004 and other products, allows remote attackers to perform unspecified redirection of HTTP requests, and bypass the proxy-server configuration, via crafted HTTP traffic. | 4.3 |
2013-06-21 | CVE-2013-0548 | IBM | Cross-Site Scripting vulnerability in IBM products Multiple cross-site scripting (XSS) vulnerabilities in the Basic Services component in IBM Tivoli Monitoring (ITM) 6.2.0 through FP3, 6.2.1 through FP4, 6.2.2 through FP9, and 6.2.3 before FP3, as used in IBM Application Manager for Smart Business (formerly Tivoli Foundations Application Manager) 1.2.1 before 1.2.1.0-TIV-IAMSB-FP0004 and other products, allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2013-06-21 | CVE-2013-2173 | Wordpress | Cryptographic Issues vulnerability in Wordpress 3.5.1 wp-includes/class-phpass.php in WordPress 3.5.1, when a password-protected post exists, allows remote attackers to cause a denial of service (CPU consumption) via a crafted value of a certain wp-postpass cookie. | 4.3 |
2013-06-20 | CVE-2013-1905 | Catalin Florian Radut Drupal | Cross-Site Scripting vulnerability in Catalin Florian Radut Zeropoint Cross-site scripting (XSS) vulnerability in the Zero Point theme 7.x-1.x before 7.x-1.9 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2013-06-19 | CVE-2013-0484 | IBM | Denial of Service vulnerability in IBM Cognos TM1 10.1.0/10.1.0.1/10.1.1 The server process in IBM Cognos TM1 10.1.x before 10.1.1 FP1 allows remote attackers to cause a denial of service (daemon crash) via an undocumented API call that triggers the transmission of unexpected data. | 4.3 |
2013-06-18 | CVE-2013-2449 | Oracle | Remote Security vulnerability in Oracle JDK and JRE Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality via unknown vectors related to Libraries. | 4.3 |
2013-06-17 | CVE-2013-4612 | Project Redcap Vanderbilt | Cross-Site Scripting vulnerability in multiple products Multiple cross-site scripting (XSS) vulnerabilities in REDCap before 5.1.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors involving different modules. | 4.3 |
2013-06-17 | CVE-2013-4608 | Project Redcap Vanderbilt | Cross-Site Scripting vulnerability in multiple products Cross-site scripting (XSS) vulnerability in REDCap before 5.0.6 allows remote attackers to inject arbitrary web script or HTML via vectors involving the Graphical Data View & Descriptive Stats page. | 4.3 |
2013-06-17 | CVE-2013-1097 | Novell | Cross-Site Scripting vulnerability in Novell Zenworks Configuration Management Cross-site scripting (XSS) vulnerability in a ZCC page in njwc.jar in Novell ZENworks Configuration Management (ZCM) 11.2 before 11.2.3a Monthly Update 1 allows remote attackers to inject arbitrary web script or HTML via vectors involving an onload event. | 4.3 |
2013-06-17 | CVE-2013-1095 | Novell | Cross-Site Scripting vulnerability in Novell Zenworks Configuration Management Cross-site scripting (XSS) vulnerability in a ZCC page in njwc.jar in Novell ZENworks Configuration Management (ZCM) 11.2 before 11.2.3a Monthly Update 1 allows remote attackers to inject arbitrary web script or HTML via vectors involving an onError event. | 4.3 |
2013-06-17 | CVE-2013-1094 | Novell | Cross-Site Scripting vulnerability in Novell Zenworks Configuration Management Cross-site scripting (XSS) vulnerability in a ZCC page in zenworks-core in Novell ZENworks Configuration Management (ZCM) 11.2 before 11.2.3a Monthly Update 1 allows remote attackers to inject arbitrary web script or HTML via an invalid locale. | 4.3 |
2013-06-17 | CVE-2012-6566 | Vanderbilt | Cross-Site Scripting vulnerability in Vanderbilt Redcap 4.14.0/4.14.1 Cross-site scripting (XSS) vulnerability in REDCap before 4.14.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2013-06-17 | CVE-2012-6564 | Vanderbilt | Cross-Site Scripting vulnerability in Vanderbilt Redcap Cross-site scripting (XSS) vulnerability in REDCap before 4.14.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2013-06-17 | CVE-2013-3643 | Adgjm | Information Exposure vulnerability in Adgjm Galapagos Browser The Galapagos Browser application for Android does not properly implement the WebView class, which allows attackers to obtain sensitive information via a crafted application. | 4.3 |
2013-06-17 | CVE-2013-3642 | Adgjm | Information Exposure vulnerability in Adgjm Angel Browser The Angel Browser application 1.47b and earlier for Android 1.6 through 2.1, 1.62b and earlier for Android 2.2 through 2.3.4, 1.68b and earlier for Android 3.0 through 4.0.3, and 1.76b and earlier for Android 4.1 through 4.2 does not properly implement the WebView class, which allows attackers to obtain sensitive information via a crafted application. | 4.3 |
2013-06-17 | CVE-2013-2309 | Tejimaya | Cross-Site Scripting vulnerability in Tejimaya Openpne Cross-site scripting (XSS) vulnerability in the management screen in OpenPNE 3.4.x before 3.4.21.1, 3.6.x before 3.6.9.1, and 3.8.x before 3.8.5.1 allows remote attackers to inject arbitrary web script or HTML via vectors involving the "mobile version color scheme." | 4.3 |
10 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2013-06-18 | CVE-2013-2451 | Oracle SUN | Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier and 6 Update 45 and earlier, and OpenJDK 7, allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Networking. | 3.7 |
2013-06-18 | CVE-2013-1500 | Oracle SUN | Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows local users to affect confidentiality and integrity via unknown vectors related to 2D. | 3.6 |
2013-06-20 | CVE-2013-4628 | Huawei | Information Exposure vulnerability in Huawei products The firewall module on the Huawei Quidway Service Process Unit (SPU) board S7700, S9300, and S9700 on Huawei Campus Switch devices allows remote authenticated users to obtain sensitive information from the high-priority security zone by leveraging access to the low-priority security zone. | 3.5 |
2013-06-19 | CVE-2013-2969 | IBM | Cross-Site Scripting vulnerability in IBM Sterling Control Center Cross-site scripting (XSS) vulnerability in IBM Sterling Control Center (SCC) 5.2 before 5.2.0.9, 5.3 before 5.3.0.4, and 5.4 through 5.4.0.1 allows remote authenticated users to inject arbitrary web script or HTML via vectors involving invalid characters. | 3.5 |
2013-06-17 | CVE-2012-6565 | Vanderbilt | Cross-Site Scripting vulnerability in Vanderbilt Redcap 4.14.0/4.14.1/4.14.2 Cross-site scripting (XSS) vulnerability in REDCap before 4.14.3 allows remote authenticated users to inject arbitrary web script or HTML via uppercase characters in JavaScript events within user-defined labels. | 3.5 |
2013-06-17 | CVE-2013-2310 | Softbank Willcom INC | Improper Authentication vulnerability in multiple products SoftBank Wi-Fi Spot Configuration Software, as used on SoftBank SHARP 3G handsets, SoftBank Panasonic 3G handsets, SoftBank NEC 3G handsets, SoftBank Samsung 3G handsets, SoftBank mobile Wi-Fi routers, SoftBank Android smartphones with the Wi-Fi application before 1.7.1, SoftBank Windows Mobile smartphones with the WISPrClient application before 1.3.1, SoftBank Disney Mobile Android smartphones with the Wi-Fi application before 1.7.1, and WILLCOM Android smartphones with the Wi-Fi application before 1.7.1, does not properly connect to access points, which allows remote attackers to obtain sensitive information by leveraging access to an 802.11 network. | 3.3 |
2013-06-21 | CVE-2013-4614 | Canon | Credentials Management vulnerability in Canon products English/pages_MacUS/wls_set_content.html on the Canon MG3100, MG5300, MG6100, MP495, MX340, MX870, MX890, MX920, and MX922 printers shows the Wi-Fi PSK passphrase in cleartext, which allows physically proximate attackers to obtain sensitive information by reading the screen of an unattended workstation. | 2.1 |
2013-06-20 | CVE-2013-1393 | Curvycorners Drupal | Cross-Site Scripting vulnerability in Curvycorners 6.X1.0/7.X1.0 Cross-site scripting (XSS) vulnerability in the CurvyCorners module 6.x-1.x and 7.x-1.x for Drupal allows remote authenticated users with the "administer curvycorners" permission to inject arbitrary web script or HTML via unspecified vectors. | 2.1 |
2013-06-21 | CVE-2013-0534 | IBM | Credentials Management vulnerability in IBM Lotus Sametime and Sametime The Connect client in IBM Sametime 8.5.1, 8.5.1.1, 8.5.1.2, 8.5.2, and 8.5.2.1, as used in the Lotus Notes client and separately, might allow local users to obtain sensitive information by leveraging the persistence of cleartext password strings within process memory. | 1.9 |
2013-06-21 | CVE-2013-0527 | IBM | Information Exposure vulnerability in IBM Sterling Connect Direct User Interface The Browser in IBM Sterling Connect:Direct 1.4 before 1.4.0.11 and 1.5 through 1.5.0.1 does not close pages upon the timeout of a session, which allows physically proximate attackers to obtain sensitive administrative-console information by reading the screen of an unattended workstation. | 1.9 |