Weekly Vulnerabilities Reports > July 15 to 21, 2013

Overview

135 new vulnerabilities were reported during this period, including 8 critical and 23 high-severity vulnerabilities. This weekly summary reports vulnerabilities in 120 products from 44 vendors, including Oracle, Cisco, SUN, Opensuse, and Suse. The most common categories are "Permissions, Privileges, and Access Controls", "Cross-site Scripting", "Information Exposure", "Improper Restriction of Operations within the Bounds of a Memory Buffer", and "SQL Injection".

  • 113 reported vulnerabilities are remotely exploitable.
  • 1 reported vulnerability has a public exploit available.
  • 17 reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
  • 94 reported vulnerabilities are exploitable by an anonymous user.
  • Oracle has the most reported vulnerabilities, with 63 reported vulnerabilities.
  • Apache has the most reported critical vulnerabilities, with 3 reported vulnerabilities.

Summary dashboard (counts not preserved in the page text): total vulnerabilities; critical, high, medium and low risk vulnerabilities; remotely exploitable; locally exploitable; exploit available; exploitable anonymously; affecting web applications.

Vulnerability Details

The following tables list the reported vulnerabilities for the period covered by this report:


8 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2013-07-18 CVE-2013-4781 Siemens OS Command Injection vulnerability in Siemens products

core/getLog.php on the Siemens Enterprise OpenScape Branch appliance and OpenScape Session Border Controller (SBC) before 2 R0.32.0, and 7 before 7 R1.7.0, allows remote attackers to execute arbitrary commands via unspecified vectors.

10.0
2013-07-20 CVE-2013-2251 Apache, Fujitsu, Oracle Injection vulnerability in multiple products

Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix.

9.8
2013-07-18 CVE-2012-6349 Autonomy, IBM Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products

Buffer overflow in the .mdb parser in Autonomy KeyView IDOL, as used in IBM Notes 8.5.x before 8.5.3 FP4, allows remote attackers to execute arbitrary code via a crafted file, aka SPR KLYH92XL3W.

9.3
2013-07-16 CVE-2013-2135 Apache Code Injection vulnerability in Apache Struts

Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted value that contains both "${}" and "%{}" sequences, which causes the OGNL code to be evaluated twice.

9.3
2013-07-16 CVE-2013-2134 Apache Code Injection vulnerability in Apache Struts

Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching, a different vulnerability than CVE-2013-2135.

9.3
2013-07-19 CVE-2013-3274 EMC Permissions, Privileges, and Access Controls vulnerability in EMC Avamar Server and Avamar Server Virtual Edition

EMC Avamar Server and Avamar Virtual Edition before 7.0 on Data Store Gen3, Gen4, and Gen4s platforms do not properly determine authorization for calls to Java RMI methods, which allows remote authenticated users to execute arbitrary code via unspecified vectors.

9.0
2013-07-17 CVE-2013-3751 Oracle Remote Security vulnerability in Oracle Database Server 11.2.0.2/11.2.0.3

Unspecified vulnerability in the XML Parser component in Oracle Database Server 11.2.0.2, 11.2.0.3, and 12.1.0.1 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors.

9.0
2013-07-15 CVE-2013-3578 Wave SQL Injection vulnerability in Wave products

SQL injection vulnerability in the Help Desk application in Wave EMBASSY Remote Administration Server (ERAS) allows remote authenticated users to execute arbitrary SQL commands via the ct100$4MainController$TextBoxSearchValue parameter (aka the search field), leading to execution of operating-system commands.

9.0

23 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2013-07-18 CVE-2013-4780 Siemens Information Exposure vulnerability in Siemens products

core/getLog.php on the Siemens Enterprise OpenScape Branch appliance and OpenScape Session Border Controller (SBC) before 2 R0.32.0, and 7 before 7 R1.7.0, allows remote attackers to read arbitrary files via unspecified vectors.

7.8
2013-07-18 CVE-2013-4778 Siemens Information Exposure vulnerability in Siemens products

core/getLog.php on the Siemens Enterprise OpenScape Branch appliance and OpenScape Session Border Controller (SBC) before 2 R0.32.0, and 7 before 7 R1.7.0, allows remote attackers to obtain sensitive server and statistics information via unspecified vectors.

7.8
2013-07-18 CVE-2013-3411 Cisco Denial of Service vulnerability in Cisco IPS Software

The IDSM-2 drivers in Cisco Intrusion Prevention System (IPS) Software on Cisco Catalyst 6500 devices with an IDSM-2 module allow remote attackers to cause a denial of service (device hang) via malformed IPv4 TCP packets, aka Bug ID CSCuh27460.

7.8
2013-07-18 CVE-2013-3410 Cisco Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Cisco Intrusion Prevention System and IPS NME

Cisco Intrusion Prevention System (IPS) Software on IPS NME devices before 7.0(9)E4 allows remote attackers to cause a denial of service (device reload) via malformed IPv4 packets that trigger incorrect memory allocation, aka Bug ID CSCua61977.

7.8
2013-07-18 CVE-2013-1243 Cisco Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Cisco products

The IP stack in Cisco Intrusion Prevention System (IPS) Software in ASA 5500-X IPS-SSP software and hardware modules before 7.1(5)E4, IPS 4500 sensors before 7.1(6)E4, and IPS 4300 sensors before 7.1(5)E4 allows remote attackers to cause a denial of service (MainApp process hang) via malformed IPv4 packets, aka Bug ID CSCtx18596.

7.8
2013-07-18 CVE-2013-1218 Cisco Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Cisco products

Cisco Intrusion Prevention System (IPS) Software in ASA 5500-X IPS-SSP software modules before 7.1(7)sp1E4 allows remote attackers to cause a denial of service (Analysis Engine process hang or device reload) via fragmented (1) IPv4 or (2) IPv6 packets, aka Bug ID CSCue51272.

7.8
2013-07-17 CVE-2013-3753 SUN Remote Security vulnerability in SUN Sunos 5.11

Unspecified vulnerability in Oracle Solaris 11 allows remote attackers to affect availability via vectors related to Kernel/STREAMS framework.

7.8
2013-07-17 CVE-2013-3748 SUN Remote Security vulnerability in SUN Sunos 5.11

Unspecified vulnerability in Oracle Solaris 11 allows remote attackers to affect availability via vectors related to Driver/IDM (iSCSI Data Mover).

7.8
2013-07-16 CVE-2013-1943 Linux, Redhat, Canonical Improper Input Validation vulnerability in multiple products

The KVM subsystem in the Linux kernel before 3.0 does not check whether kernel addresses are specified during allocation of memory slots for use in a guest's physical address space, which allows local users to gain privileges or obtain sensitive information from kernel memory via a crafted application, related to arch/x86/kvm/paging_tmpl.h and virt/kvm/kvm_main.c.

7.8
2013-07-17 CVE-2013-3774 Oracle Remote Security vulnerability in RETIRED: Oracle Database Server

Unspecified vulnerability in the Network Layer component in Oracle Database Server 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, 11.2.0.3, and 12.1.0.1 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.

7.6
2013-07-20 CVE-2013-4870 News Search Project, Typo3 SQL Injection vulnerability in News Search Project News Search 0.1.0

SQL injection vulnerability in the News Search (news_search) extension 0.1.0 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

7.5
2013-07-20 CVE-2013-2028 F5, Fedoraproject Out-of-bounds Write vulnerability in multiple products

The ngx_http_parse_chunked function in http/ngx_http_parse.c in nginx 1.3.9 through 1.4.0 allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a chunked Transfer-Encoding request with a large chunk size, which triggers an integer signedness error and a stack-based buffer overflow.

7.5
2013-07-18 CVE-2013-4878 Parallels, Linux Permissions, Privileges, and Access Controls vulnerability in Parallels products

The default configuration of Parallels Plesk Panel 9.0.x and 9.2.x on UNIX, and Small Business Panel 10.x on UNIX, has an improper ScriptAlias directive for phppath, which makes it easier for remote attackers to execute arbitrary code via a crafted request, a different vulnerability than CVE-2012-1823.

7.5
2013-07-18 CVE-2013-1606 UI Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in UI products

Buffer overflow in the ubnt-streamer RTSP service on the Ubiquiti UBNT AirCam with airVision firmware before 1.1.6 allows remote attackers to execute arbitrary code via a long rtsp: URI in a DESCRIBE request.

7.5
2013-07-18 CVE-2013-3404 Cisco SQL Injection vulnerability in Cisco Unified Communications Manager

SQL injection vulnerability in Cisco Unified Communications Manager (CUCM) 7.1(x) through 9.1(1a) allows remote attackers to execute arbitrary SQL commands via unspecified vectors, leading to discovery of encrypted credentials by leveraging metadata, aka Bug ID CSCuh01051.

7.5
2013-07-17 CVE-2013-3779 Oracle Remote Security vulnerability in Oracle Virtualization and VM Virtualbox

Unspecified vulnerability in the Secure Global Desktop component in Oracle Virtualization All 4.6 releases including 4.63 and 4.7 prior to 4.71 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Web UI.

7.5
2013-07-15 CVE-2013-3577 Wave SQL Injection vulnerability in Wave products

SQL injection vulnerability in the Help Desk application in Wave EMBASSY Remote Administration Server (ERAS) allows remote attackers to execute arbitrary SQL commands via the ct100$4MainController$TextBoxSearchValue parameter (aka the search field).

7.5
2013-07-18 CVE-2013-4011 IBM Local Privilege Escalation vulnerability in IBM AIX

Multiple unspecified vulnerabilities in the InfiniBand subsystem in IBM AIX 6.1 and 7.1, and VIOS 2.2.2.2-FP-26 SP-02, allow local users to gain privileges via vectors involving (1) arp.ib or (2) ibstat.

7.2
2013-07-17 CVE-2013-3771 Oracle Local Security vulnerability in Oracle Database Server

Unspecified vulnerability in the Oracle executable component in Oracle Database Server 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, and 11.2.0.3 allows local users to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2013-3760.

7.2
2013-07-17 CVE-2013-3760 Oracle Local Security vulnerability in Oracle Database Server

Unspecified vulnerability in the Oracle executable component in Oracle Database Server 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, and 11.2.0.3 allows local users to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2013-3771.

7.2
2013-07-17 CVE-2013-3754 Oracle Local Security vulnerability in Oracle and SUN Systems Product Suite 3.3

Unspecified vulnerability in the Solaris Cluster component in Oracle and Sun Systems Products Suite 3.3 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to HA for TimesTen.

7.2
2013-07-17 CVE-2013-3750 SUN Local Security vulnerability in SUN Sunos 5.11

Unspecified vulnerability in Oracle Solaris 11 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Kernel/VM. Per http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html: 'CVE-2013-3750 occurs only when Solaris is running on X86 platform.'

7.2
2013-07-17 CVE-2013-3746 Oracle Local Security vulnerability in Oracle Solaris Cluster

Unspecified vulnerability in the Solaris Cluster component in Oracle and Sun Systems Products Suite 3.2, 3.3, and 4 prior to 4.1 SRU 3 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Zone Cluster Infrastructure.

7.2

94 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2013-07-18 CVE-2013-4872 Google Permissions, Privileges, and Access Controls vulnerability in Google Glass XE5

Google Glass before XE6 does not properly restrict the processing of QR codes, which allows physically proximate attackers to modify the configuration or redirect users to arbitrary web sites via a crafted symbol, as demonstrated by selecting a Wi-Fi access point in order to conduct a man-in-the-middle attack.

6.9
2013-07-20 CVE-2013-4871 Markus Blaschke, Typo3 Cross-Site Request Forgery (CSRF) vulnerability in Markus Blaschke TQ SEO 5.0.0

Cross-site request forgery (CSRF) vulnerability in the TEQneers SEO Enhancements (tq_seo) extension before 5.0.1 for TYPO3 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

6.8
2013-07-18 CVE-2013-3665 Autodesk Unspecified vulnerability in Autodesk products

Unspecified vulnerability in Autodesk AutoCAD through 2014, AutoCAD LT through 2014, and DWG TrueView through 2014 allows remote attackers to execute arbitrary code via a crafted DWG file.

6.8
2013-07-18 CVE-2013-3420 Cisco Cross-Site Request Forgery (CSRF) vulnerability in Cisco products

Cross-site request forgery (CSRF) vulnerability in the web framework on the Cisco Identity Services Engine (ISE) allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCuh25506.

6.8
2013-07-18 CVE-2013-3434 Cisco Local Privilege Escalation vulnerability in Cisco Unified Communications Manager

Untrusted search path vulnerability in Cisco Unified Communications Manager (CUCM) 7.1(x) through 9.1(1a) allows local users to gain privileges by leveraging unspecified file-permission and environment-variable issues for privileged programs, aka Bug ID CSCui02242.

6.8
2013-07-18 CVE-2013-3433 Cisco Local Privilege Escalation vulnerability in Cisco Unified Communications Manager

Untrusted search path vulnerability in Cisco Unified Communications Manager (CUCM) 7.1(x) through 9.1(1a) allows local users to gain privileges by leveraging unspecified file-permission and environment-variable issues for privileged programs, aka Bug ID CSCui02276.

6.8
2013-07-18 CVE-2013-3403 Cisco Unspecified vulnerability in Cisco Unified Communications Manager

Multiple untrusted search path vulnerabilities in Cisco Unified Communications Manager (CUCM) 7.1(x) through 9.1(1a) allow local users to gain privileges by leveraging unspecified file-permission and environment-variable issues for privileged programs, aka Bug ID CSCuh73454.

6.8
2013-07-17 CVE-2013-3781 Oracle Local Security vulnerability in Oracle Fusion Middleware 8.3.7.0/8.4/8.4.1

Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.7, 8.4.0, and 8.4.1 allows context-dependent attackers to affect availability via unknown vectors related to Outside In Filters, a different vulnerability than CVE-2013-3776.

6.8
2013-07-17 CVE-2013-3776 Oracle Local Security vulnerability in Oracle Fusion Middleware 8.3.7.0/8.4/8.4.1

Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.7, 8.4.0, and 8.4.1 allows context-dependent attackers to affect availability via unknown vectors related to Outside In Filters, a different vulnerability than CVE-2013-3781.

6.8
2013-07-16 CVE-2013-3491 Mdolon, Wordpress Cross-Site Request Forgery (CSRF) vulnerability in Mdolon Sharebar 1.2.5

Multiple cross-site request forgery (CSRF) vulnerabilities in the Sharebar plugin 1.2.5 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) add or (2) modify buttons, or (3) insert cross-site scripting (XSS) sequences.

6.8
2013-07-18 CVE-2013-3412 Cisco SQL Injection vulnerability in Cisco Unified Communications Manager

SQL injection vulnerability in Cisco Unified Communications Manager (CUCM) 7.1(x) through 9.1(2) allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, aka Bug ID CSCuh81766.

6.5
2013-07-18 CVE-2013-3402 Cisco Code Injection vulnerability in Cisco Unified Communications Manager

An unspecified function in Cisco Unified Communications Manager (CUCM) 7.1(x) through 9.1(2) allows remote authenticated users to execute arbitrary commands via unknown vectors, aka Bug ID CSCuh73440.

6.5
2013-07-17 CVE-2013-3789 Oracle Remote Security vulnerability in Oracle Database Server

Unspecified vulnerability in the Core RDBMS component in Oracle Database Server 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, and 11.2.0.3 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors.

6.5
2013-07-19 CVE-2013-0559 IBM Authentication Bypass vulnerability in IBM API Management 2.0.0.0

Unspecified vulnerability in IBM API Management 2.0 before 2.0.0.1 allows remote attackers to access tenant APIs, and consequently obtain sensitive information or modify data, via unknown vectors.

6.4
2013-07-17 CVE-2013-3821 Oracle Remote Security vulnerability in Oracle Peoplesoft products 8.51/8.52/8.53

Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.51, 8.52, and 8.53 allows remote attackers to affect confidentiality and availability via unknown vectors related to Integration Broker.

6.4
2013-07-17 CVE-2013-3819 Oracle Remote Security vulnerability in Oracle Peoplesoft products 8.51/8.52/8.53

Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.51, 8.52, and 8.53 allows remote attackers to affect confidentiality and availability via unknown vectors related to Mobile Applications.

6.4
2013-07-17 CVE-2013-3800 Oracle Remote Security vulnerability in Oracle Peoplesoft products 8.51/8.52/8.53

Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.51, 8.52, and 8.53 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Business Interlinks.

6.4
2013-07-17 CVE-2013-3757 SUN Remote Security vulnerability in Oracle Solaris

Unspecified vulnerability in Oracle Solaris 8, 9, 10, and 11 allows remote attackers to affect integrity and availability via vectors related to SMF/File Locking Services.

6.4
2013-07-18 CVE-2013-4876 Verizon Credentials Management vulnerability in Verizon Wireless Network Extender Scs2U01

The Verizon Wireless Network Extender SCS-2U01 has a hardcoded password for the root account, which makes it easier for physically proximate attackers to obtain administrative access by leveraging a login prompt.

6.2
2013-07-18 CVE-2013-4875 Verizon Improper Authentication vulnerability in Verizon Wireless Network Extender Scs2U01

The Uboot bootloader on the Verizon Wireless Network Extender SCS-2U01 allows physically proximate attackers to bypass the intended boot process and obtain a login prompt by connecting a crafted HDMI cable and sending a SysReq interrupt.

6.2
2013-07-18 CVE-2013-4874 Verizon Improper Authentication vulnerability in Verizon Wireless Network Extender Scs26Uc4

The Uboot bootloader on the Verizon Wireless Network Extender SCS-26UC4 allows physically proximate attackers to obtain root access by connecting a crafted HDMI cable and using a sys session to modify the ramboot environment variable.

6.2
2013-07-17 CVE-2013-3786 SUN Local Security vulnerability in SUN Sunos 5.10/5.11/5.9

Unspecified vulnerability in Oracle Solaris 9, 10, and 11 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Kernel.

6.0
2013-07-20 CVE-2013-3656 Cybozu Improper Authentication vulnerability in Cybozu Office

Cybozu Office 9.1.0 and earlier does not properly manage sessions, which allows remote attackers to bypass authentication by leveraging knowledge of a login URL.

5.8
2013-07-20 CVE-2013-2248 Apache Improper Input Validation vulnerability in Apache Struts

Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in a parameter using the (1) redirect: or (2) redirectAction: prefix.

5.8
2013-07-20 CVE-2013-2070 F5, Debian

http/modules/ngx_http_proxy_module.c in nginx 1.1.4 through 1.2.8 and 1.3.0 through 1.4.0, when proxy_pass is used with untrusted HTTP servers, allows remote attackers to cause a denial of service (crash) and obtain sensitive information from worker process memory via a crafted proxy response, a similar vulnerability to CVE-2013-2028.

5.8
2013-07-17 CVE-2013-3813 SUN Remote Security vulnerability in SUN Sunos 5.10

Unspecified vulnerability in Oracle Solaris 10 allows remote attackers to affect confidentiality and integrity via vectors related to Libraries/PAM-Unix.

5.8
2013-07-17 CVE-2013-3798 Oracle Remote Security vulnerability in Oracle MySQL Server

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.11 and earlier allows remote attackers to affect integrity and availability via unknown vectors related to MemCached.

5.8
2013-07-16 CVE-2013-1935 Redhat Race Condition vulnerability in Redhat Enterprise Linux 6.0

A certain Red Hat patch to the KVM subsystem in the kernel package before 2.6.32-358.11.1.el6 on Red Hat Enterprise Linux (RHEL) 6 does not properly implement the PV EOI feature, which allows guest OS users to cause a denial of service (host OS crash) by leveraging a time window during which interrupts are disabled but copy_to_user function calls are possible.

5.7
2013-07-17 CVE-2013-3784 Oracle Remote Security vulnerability in Oracle Peoplesoft products 9.1

Unspecified vulnerability in the PeopleSoft Enterprise HRMS component in Oracle PeopleSoft Products 9.1 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Time and Labor.

5.5
2013-07-17 CVE-2013-3770 Oracle Remote Security vulnerability in Oracle Fusion Middleware 10.1.3.5.1/11.1.1.6.0/11.1.1.7.0

Unspecified vulnerability in the Oracle WebCenter Content component in Oracle Fusion Middleware 10.1.3.5.1, 11.1.1.6.0, and 11.1.1.7.0 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Content Server.

5.5
2013-07-17 CVE-2013-3764 Oracle Remote Code Execution vulnerability in Oracle Fusion Middleware 7.4.0/7.5.1.1

Unspecified vulnerability in the Oracle Endeca Server component in Oracle Fusion Middleware 7.4.0 and 7.5.1.1 allows remote authenticated users to affect confidentiality and integrity via unknown vectors, a different vulnerability than CVE-2013-3763.

5.5
2013-07-17 CVE-2013-3763 Oracle Remote Code Execution vulnerability in Oracle Fusion Middleware 7.4.0/7.5.1.1

Unspecified vulnerability in the Oracle Endeca Server component in Oracle Fusion Middleware 7.4.0 and 7.5.1.1 allows remote authenticated users to affect confidentiality and integrity via unknown vectors, a different vulnerability than CVE-2013-3764.

5.5
2013-07-17 CVE-2013-3756 Oracle Remote Security vulnerability in Oracle E-Business Suite 12.1.1/12.1.2/12.1.3

Unspecified vulnerability in the Oracle Landed Cost Management component in Oracle E-Business Suite 12.1.1, 12.1.2, and 12.1.3 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Shipment Workbench.

5.5
2013-07-19 CVE-2013-3436 Cisco Permissions, Privileges, and Access Controls vulnerability in Cisco IOS

The default configuration of the Group Encrypted Transport VPN (GET VPN) feature on Cisco IOS uses an improper mechanism for enabling Group Domain of Interpretation (GDOI) traffic flow, which allows remote attackers to bypass the encryption policy via certain uses of UDP port 848, aka Bug ID CSCui07698.

5.0
2013-07-18 CVE-2013-4873 Yahoo Credentials Management vulnerability in Yahoo Tumblr 3.4.0

The Yahoo! Tumblr app before 3.4.1 for iOS sends cleartext credentials, which allows remote attackers to obtain sensitive information by sniffing the network.

5.0
2013-07-18 CVE-2013-4668 File Roller Project, Canonical Path Traversal vulnerability in multiple products

Directory traversal vulnerability in File Roller 3.6.x before 3.6.4, 3.8.x before 3.8.3, and 3.9.x before 3.9.3, when libarchive is used, allows remote attackers to create arbitrary files via a crafted archive that is not properly handled in a "Keep directory structure" action, related to fr-archive-libarchive.c and fr-window.c.

5.0
2013-07-18 CVE-2013-3426 Cisco Permissions, Privileges, and Access Controls vulnerability in Cisco products

The Serviceability servlet on Cisco 9900 IP phones does not properly restrict paths, which allows remote attackers to read arbitrary files by specifying a pathname in a file request, aka Bug ID CSCuh52810.

5.0
2013-07-17 CVE-2013-3820 Oracle Remote Security vulnerability in Oracle Peoplesoft products 8.51/8.52/8.53

Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.51, 8.52, and 8.53 allows remote attackers to affect availability via unknown vectors related to Business Interlink.

5.0
2013-07-17 CVE-2013-3801 Oracle, Suse, Opensuse, Mariadb

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.30 and earlier and 5.6.10 allows remote authenticated users to affect availability via unknown vectors related to Server Options.

5.0
2013-07-17 CVE-2013-3773 Oracle Remote Security vulnerability in Oracle SPARC Enterprise M-Series Servers

Unspecified vulnerability in the SPARC Enterprise M Series Servers component in Oracle and Sun Systems Products Suite XCP 1114 and earlier allows remote attackers to affect availability via vectors related to XSCF Control Package (XCP).

5.0
2013-07-17 CVE-2013-0398 SUN Remote Security vulnerability in Oracle Solaris

Unspecified vulnerability in Oracle Solaris 8, 9, 10, and 11 allows remote attackers to affect confidentiality via unknown vectors related to Utility/Remote Execution Server (in.rexecd).

5.0
2013-07-16 CVE-2013-2122 Quade, Drupal Permissions, Privileges, and Access Controls vulnerability in Quade Edit Limit

The Edit Limit module 7.x-1.x before 7.x-1.3 for Drupal does not properly restrict access to comments, which allows remote authenticated users with the "edit comments" permission to edit arbitrary comments of other users via unspecified vectors.

5.0
2013-07-16 CVE-2013-1908 Acquia, Commons Wikis Project, Drupal Permissions, Privileges, and Access Controls vulnerability in multiple products

The Commons Wikis module before 7.x-3.1 for Drupal, as used in the Commons module before 7.x-3.1, does not properly restrict access to groups, which allows remote attackers to post arbitrary content to groups via unspecified vectors.

5.0
2013-07-16 CVE-2013-1907 Acquia, Drupal Permissions, Privileges, and Access Controls vulnerability in Acquia Commons and Commons Group

The Commons Group module before 7.x-3.1 for Drupal, as used in the Commons module before 7.x-3.1, does not properly restrict access to groups, which allows remote attackers to post arbitrary content to groups via unspecified vectors.

5.0
2013-07-15 CVE-2013-2765 Modsecurity, Opensuse Null Pointer Dereference vulnerability in multiple products

The ModSecurity module before 2.7.4 for the Apache HTTP Server allows remote attackers to cause a denial of service (NULL pointer dereference, process crash, and disk consumption) via a POST request with a large body and a crafted Content-Type header.

5.0
2013-07-17 CVE-2013-3799 SUN Local Security vulnerability in Oracle Solaris

Unspecified vulnerability in Oracle Solaris 10 and 11, when running on AMD64, allows local users to affect availability via unknown vectors related to Kernel.

4.9
2013-07-17 CVE-2013-3765 SUN Local Security vulnerability in SUN Sunos 5.11

Unspecified vulnerability in Oracle Solaris 11 allows local users to affect availability via unknown vectors related to Kernel/VM.

4.9
2013-07-17 CVE-2013-3797 SUN Local Security vulnerability in SUN Sunos 5.11

Unspecified vulnerability in Oracle Solaris 11 allows local users to affect availability via unknown vectors related to Filesystem/DevFS.

4.7
2013-07-16 CVE-2013-2188 Redhat Permissions, Privileges, and Access Controls vulnerability in Redhat Enterprise Linux 6.0

A certain Red Hat patch to the do_filp_open function in fs/namei.c in the kernel package before 2.6.32-358.11.1.el6 on Red Hat Enterprise Linux (RHEL) 6 does not properly handle failure to obtain write permissions, which allows local users to cause a denial of service (system crash) by leveraging access to a filesystem that is mounted read-only.

4.7
2013-07-20 CVE-2013-1955 Nashtech Cross-Site Scripting vulnerability in Nashtech Easy PHP Calendar

Multiple cross-site scripting (XSS) vulnerabilities in (1) index.php and (2) datePicker.php in Easy PHP Calendar 6.x and 7.x before 7.0.13 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2013-07-20 CVE-2013-1879 Apache Cross-Site Scripting vulnerability in Apache Activemq

Cross-site scripting (XSS) vulnerability in scheduled.jsp in Apache ActiveMQ 5.8.0 and earlier allows remote attackers to inject arbitrary web script or HTML via vectors involving the "cron of a message."

4.3
2013-07-19 CVE-2013-3275 EMC Improper Input Validation vulnerability in EMC Avamar Server and Avamar Server Virtual Edition

EMC Avamar Server and Avamar Virtual Edition before 7.0 on Data Store Gen3, Gen4, and Gen4s platforms do not properly restrict use of FRAME elements, which makes it easier for remote attackers to obtain sensitive information via a crafted web site, related to "cross frame scripting vulnerabilities."

4.3
2013-07-19 CVE-2012-3414 Swfupload Project, Tinymce, Wordpress Cross-Site Scripting vulnerability in multiple products

Cross-site scripting (XSS) vulnerability in swfupload.swf in SWFUpload 2.2.0.1 and earlier, as used in WordPress before 3.3.2, TinyMCE Image Manager 1.1, and other products, allows remote attackers to inject arbitrary web script or HTML via the movieName parameter, related to the "ExternalInterface.call" function.

4.3
2013-07-18 CVE-2013-4779 Siemens Cross-Site Scripting vulnerability in Siemens products

Cross-site scripting (XSS) vulnerability in core/handleTw.php on the Siemens Enterprise OpenScape Branch appliance and OpenScape Session Border Controller (SBC) before 2 R0.32.0, and 7 before 7 R1.7.0, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2013-07-17 CVE-2013-3822 Oracle Remote Security vulnerability in Oracle Supply Chain products Suite 9.3.1

Unspecified vulnerability in the Oracle Agile PLM Framework component in Oracle Supply Chain Products Suite 9.3.1 allows remote attackers to affect integrity via unknown vectors related to Web Client (CS).

4.3
2013-07-17 CVE-2013-3818 Oracle Remote Security vulnerability in Oracle Peoplesoft products 8.51/8.52/8.53

Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.51, 8.52, and 8.53 allows remote attackers to affect integrity via unknown vectors related to Portal, a different vulnerability than CVE-2013-2404.

4.3
2013-07-17 CVE-2013-3791 Oracle Remote Security vulnerability in Oracle products

Unspecified vulnerability in Enterprise Manager (EM) Base Platform 10.2.0.5 and EM DB Control 11.1.0.7 in Oracle Enterprise Manager Grid Control allows remote attackers to affect integrity via unknown vectors related to User Interface Framework.

4.3
2013-07-17 CVE-2013-3788 Oracle Remote Security vulnerability in Oracle E-Business Suite

Unspecified vulnerability in the Oracle iSupplier Portal component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.1, 12.1.2, and 12.1.3 allows remote attackers to affect integrity via unknown vectors related to Supplier Management.

4.3
2013-07-17 CVE-2013-3787 SUN Remote Security vulnerability in Oracle Solaris

Unspecified vulnerability in Oracle Solaris 10 and 11 allows remote attackers to affect availability via unknown vectors related to Kernel.

4.3
2013-07-17 CVE-2013-3782 Oracle Remote Security vulnerability in Oracle Virtualization 4.6/4.7

Unspecified vulnerability in the Secure Global Desktop component in Oracle Virtualization 4.6 prior to 4.63 and 4.7 prior to 4.71 allows remote attackers to affect integrity via unknown vectors related to Web UI.

4.3
2013-07-17 CVE-2013-3778 Oracle Remote Security vulnerability in Oracle E-Business Suite 12.0.6/12.1.3

Unspecified vulnerability in the Oracle Applications Technology Stack component in Oracle E-Business Suite 12.0.6 and 12.1.3 allows remote attackers to affect integrity via unknown vectors related to Help.

4.3
2013-07-17 CVE-2013-3777 Oracle Remote Security vulnerability in Oracle E-Business Suite 11.5.10.2/12.0.6/12.1.3

Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1.3 allows remote attackers to affect integrity via unknown vectors related to Signon.

4.3
2013-07-17 CVE-2013-3775 Oracle Remote Security vulnerability in Oracle iLearning 5.2.1/6.0

Unspecified vulnerability in the Oracle iLearning component in Oracle iLearning 5.2.1 and 6.0 allows remote attackers to affect integrity via unknown vectors related to Learner Pages.

4.3
2013-07-17 CVE-2013-3772 Oracle Remote Security vulnerability in Oracle Fusion Middleware 10.1.3.5.1/11.1.1.6.0/11.1.1.7.0

Unspecified vulnerability in the Oracle WebCenter Content component in Oracle Fusion Middleware 10.1.3.5.1, 11.1.1.6.0, and 11.1.1.7.0 allows remote attackers to affect integrity via unknown vectors related to Web Forms.

4.3
2013-07-17 CVE-2013-3769 Oracle Remote Security vulnerability in Oracle Fusion Middleware 10.1.3.5.1/11.1.1.6.0/11.1.1.7.0

Unspecified vulnerability in the Oracle WebCenter Content component in Oracle Fusion Middleware 10.1.3.5.1, 11.1.1.6.0, and 11.1.1.7.0 allows remote attackers to affect integrity via unknown vectors related to Site Studio.

4.3
2013-07-17 CVE-2013-3768 Oracle Remote Security vulnerability in Oracle Peoplesoft products 8.51/8.52/8.53

Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.51, 8.52, and 8.53 allows remote attackers to affect integrity via unknown vectors related to Rich Text Editor.

4.3
2013-07-17 CVE-2013-3767 Oracle Remote Security vulnerability in Oracle E-Business Suite Access Gate 1.2.1

Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite Access Gate 1.2.1 allows remote attackers to affect integrity via unknown vectors.

4.3
2013-07-17 CVE-2013-3761 Oracle Remote Security vulnerability in Oracle products

Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products Portal 9.1 and PeopleTools 8.52 allows remote attackers to affect integrity via vectors related to PIA Core Technology.

4.3
2013-07-17 CVE-2013-3759 Oracle Remote Security vulnerability in Oracle Peoplesoft Enterprise Peopletools 8.52/8.53

Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.52 and 8.53 allows remote attackers to affect integrity via vectors related to PIA Search Functionality.

4.3
2013-07-17 CVE-2013-3758 Oracle Remote Security vulnerability in Oracle products

Unspecified vulnerability in the Enterprise Manager (EM) Base Platform 10.2.0.5 and 11.1.0.1; EM DB Control 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, and 11.2.0.3; and EM Plugin for DB 12.1.0.2 and 12.1.0.3 in Oracle Enterprise Manager Grid Control allows remote attackers to affect integrity via unknown vectors related to Schema Management.

4.3
2013-07-17 CVE-2013-3755 Oracle Remote Security vulnerability in Oracle Fusion Middleware 11.1.1.5.0/11.1.1.7.0/11.1.2.0

Unspecified vulnerability in the Oracle Access Manager component in Oracle Fusion Middleware 11.1.1.5.0 allows remote attackers to affect integrity via vectors related to SSO Engine.

4.3
2013-07-17 CVE-2013-3752 SUN Remote Security vulnerability in SUN Sunos 5.11

Unspecified vulnerability in Oracle Solaris 11 allows remote attackers to affect integrity via vectors related to Service Management Facility (SMF).

4.3
2013-07-16 CVE-2013-0246 Drupal Permissions, Privileges, and Access Controls vulnerability in Drupal

The Image module in Drupal 7.x before 7.19, when a private file system is used, does not properly restrict access to derivative images, which allows remote attackers to read derivative images of otherwise restricted images via unspecified vectors.

4.3
2013-07-16 CVE-2013-4117 Anshul Sharma
Wordpress
Cross-Site Scripting vulnerability in Anshul Sharma Category-Grid-View-Gallery 2.3.1

Cross-site scripting (XSS) vulnerability in includes/CatGridPost.php in the Category Grid View Gallery plugin 2.3.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the ID parameter.

4.3
2013-07-15 CVE-2013-1087 Novell
Microsoft
Cross-Site Scripting vulnerability in Novell Groupwise

Cross-site scripting (XSS) vulnerability in the client in Novell GroupWise through 8.0.3 HP3, and 2012 through SP2, on Windows allows user-assisted remote attackers to inject arbitrary web script or HTML via the body of an e-mail message.

4.3
2013-07-17 CVE-2013-3825 Oracle Information Exposure vulnerability in Oracle Supply Chain Products Suite 9.3.1

Unspecified vulnerability in the Oracle Agile Product Collaboration component in Oracle Supply Chain Products Suite 9.3.1 allows remote authenticated users to affect confidentiality via unknown vectors related to Folders & Files Attachment.

4.0
2013-07-17 CVE-2013-3824 Oracle Remote Security vulnerability in Oracle Supply Chain Products Suite 9.3.1

Unspecified vulnerability in the Oracle Agile Collaboration Framework component in Oracle Supply Chain Products Suite 9.3.1 allows remote authenticated users to affect integrity via unknown vectors related to Manufacturing/Mfg Parts.

4.0
2013-07-17 CVE-2013-3823 Oracle Information Exposure vulnerability in Oracle Supply Chain Products Suite 9.3.1

Unspecified vulnerability in the Oracle Agile PLM Framework component in Oracle Supply Chain Products Suite 9.3.1 allows remote authenticated users to affect confidentiality via unknown vectors related to Security.

4.0
2013-07-17 CVE-2013-3816 Oracle Remote Security vulnerability in Oracle Policy Automation

Unspecified vulnerability in the Oracle Policy Automation component in Oracle Industry Applications 10.2.0, 10.3.0, 10.3.1, 10.4.0, 10.4.1, and 10.4.2 allows remote authenticated users to affect confidentiality via unknown vectors related to Determinations Engine.

4.0
2013-07-17 CVE-2013-3809 Oracle
Suse
Opensuse
Canonical
Mariadb
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.31 and earlier and 5.6.11 and earlier allows remote authenticated users to affect integrity via unknown vectors related to Audit Log.
4.0
2013-07-17 CVE-2013-3808 Oracle
Mariadb
Opensuse
Suse
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.68 and earlier, 5.5.30 and earlier, and 5.6.10 allows remote authenticated users to affect availability via unknown vectors related to Server Options.
4.0
2013-07-17 CVE-2013-3807 Oracle Remote Security vulnerability in Oracle MySQL Server

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.11 and earlier allows remote attackers to affect confidentiality and integrity via unknown vectors related to Server Privileges.

4.0
2013-07-17 CVE-2013-3806 Oracle Remote Security vulnerability in Oracle MySQL Server

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.11 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB, a different vulnerability than CVE-2013-3811.

4.0
2013-07-17 CVE-2013-3805 Oracle
Suse
Opensuse
Mariadb
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.30 and earlier and 5.6.10 allows remote authenticated users to affect availability via unknown vectors related to Prepared Statements.
4.0
2013-07-17 CVE-2013-3804 Oracle
Debian
Canonical
Mariadb
Suse
Opensuse
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.69 and earlier, 5.5.31 and earlier, and 5.6.11 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server Optimizer.
4.0
2013-07-17 CVE-2013-3802 Oracle
Mariadb
Debian
Canonical
Opensuse
Suse
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.69 and earlier, 5.5.31 and earlier, and 5.6.11 and earlier allows remote authenticated users to affect availability via unknown vectors related to Full Text Search.
4.0
2013-07-17 CVE-2013-3796 Oracle Remote Security vulnerability in Oracle MySQL Server

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.11 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server Optimizer.

4.0
2013-07-17 CVE-2013-3795 Oracle Remote Security vulnerability in Oracle MySQL Server

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.11 and earlier allows remote authenticated users to affect availability via unknown vectors related to Data Manipulation Language.

4.0
2013-07-17 CVE-2013-3794 Oracle
Suse
Opensuse
Mariadb
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.30 and earlier and 5.6.10 allows remote authenticated users to affect availability via unknown vectors related to Server Partition.
4.0
2013-07-17 CVE-2013-3793 Oracle
Debian
Opensuse
Suse
Canonical
Mariadb
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.31 and earlier and 5.6.11 and earlier allows remote authenticated users to affect availability via unknown vectors related to Data Manipulation Language.
4.0
2013-07-17 CVE-2013-3783 Oracle
Mariadb
Debian
Canonical
Opensuse
Suse
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.31 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server Parser.
4.0
2013-07-17 CVE-2013-3780 Oracle Remote Security vulnerability in Oracle Peoplesoft products 9.1

Unspecified vulnerability in the PeopleSoft Enterprise Portal component in Oracle PeopleSoft Products 9.1 allows remote authenticated users to affect confidentiality via unknown vectors related to Saved Search.

4.0
2013-07-17 CVE-2013-3747 Oracle Remote Security vulnerability in Oracle E-Business Suite 11.5.10.2/12.0.6/12.1.3

Unspecified vulnerability in the Oracle Applications Technology Stack component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1.3 allows remote authenticated users to affect confidentiality via unknown vectors related to Client System Analyzer.

4.0
2013-07-15 CVE-2013-3428 Cisco Information Exposure vulnerability in Cisco Secure Access Control System

The web interface in Cisco Secure Access Control System (ACS) does not properly suppress error-condition details, which allows remote authenticated users to obtain sensitive information via an unspecified request that triggers an error, aka Bug ID CSCue65957.

4.0

10 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2013-07-17 CVE-2013-3812 Oracle
Suse
Opensuse
Canonical
Debian
Mariadb
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.31 and earlier and 5.6.11 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server Replication.
3.5
2013-07-17 CVE-2013-3811 Oracle Remote Security vulnerability in Oracle MySQL Server

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.11 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB, a different vulnerability than CVE-2013-3806.

3.5
2013-07-17 CVE-2013-3810 Oracle Remote Security vulnerability in Oracle MySQL Server

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.11 and earlier allows remote authenticated users to affect availability via unknown vectors related to XA Transactions.

3.5
2013-07-17 CVE-2013-3803 Oracle Directory Traversal vulnerability in Oracle Hyperion

Unspecified vulnerability in the Hyperion BI+ component in Oracle Hyperion 11.1.1.3, 11.1.1.4.107 and earlier, 11.1.2.1.129 and earlier, and 11.1.2.2.305 and earlier allows remote authenticated users to affect confidentiality via unknown vectors related to Intelligence Service.

3.5
2013-07-17 CVE-2013-3749 Oracle Remote Password Disclosure vulnerability in Oracle E-Business Suite 11.5.10.2/12.0.6/12.1.3

Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1.3 allows remote authenticated users to affect confidentiality via unknown vectors related to Logging.

3.5
2013-07-16 CVE-2013-1925 Chaos Tool Suite Project Permissions, Privileges, and Access Controls vulnerability in Chaos Tool Suite Project Ctools

The Chaos Tool Suite (ctools) module 7.x-1.x before 7.x-1.3 for Drupal does not properly restrict node access, which allows remote authenticated users with the "access content" permission to read restricted node titles via an autocomplete list.

3.5
2013-07-18 CVE-2013-4877 Verizon Improper Authentication vulnerability in Verizon Wireless Network Extender SCS-26UC4/SCS-2U01

The Verizon Wireless Network Extender SCS-26UC4 and SCS-2U01 does not use CAVE authentication, which makes it easier for remote attackers to obtain ESN and MIN values from arbitrary phones, and conduct cloning attacks, by sniffing the network for registration packets.

2.6
2013-07-17 CVE-2013-3790 Oracle Remote Security vulnerability in Oracle Database Server

Unspecified vulnerability in the Core RDBMS component in Oracle Database Server 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, and 11.2.0.3 allows remote authenticated users to affect integrity via unknown vectors related to Privileged Account.

2.1
2013-07-17 CVE-2013-3745 SUN Local Security vulnerability in Oracle Solaris

Unspecified vulnerability in Oracle Solaris 8, 9, 10, and 11 allows local users to affect availability via unknown vectors related to Libraries/Libc.

2.1
2013-07-16 CVE-2013-0245 Drupal Permissions, Privileges, and Access Controls vulnerability in Drupal

The printer friendly version functionality in the Book module in Drupal 6.x before 6.28 and 7.x before 7.19 does not properly restrict access to nodes that are part of a book outline, which allows remote authenticated users with the "access printer-friendly version" permission to read node titles and possibly node content via unspecified vectors.

2.1