Weekly Vulnerabilities Reports > August 5 to 11, 2013
Overview
64 new vulnerabilities were reported during this period, including 11 critical vulnerabilities and 9 high severity vulnerabilities. This weekly summary reports vulnerabilities in 127 products from 39 vendors including IBM, Mozilla, Symantec, Cisco, and NI. Vulnerabilities are notably categorized as "Cross-site Scripting", "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Improper Input Validation", "Cross-Site Request Forgery (CSRF)", and "Permissions, Privileges, and Access Controls".
- 54 reported vulnerabilities are remotely exploitable.
- 3 reported vulnerabilities have a public exploit available.
- 20 reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
- 52 reported vulnerabilities are exploitable by an anonymous user.
- IBM has the most reported vulnerabilities, with 11 reported vulnerabilities.
- Mozilla has the most reported critical vulnerabilities, with 3 reported vulnerabilities.
Vulnerability Details
The following tables list the reported vulnerabilities for the period covered by this report:
11 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2013-08-09 | CVE-2013-4031 | IBM | Credentials Management vulnerability in IBM products The Intelligent Platform Management Interface (IPMI) implementation in Integrated Management Module (IMM) and Integrated Management Module II (IMM2) on IBM BladeCenter, Flex System, System x iDataPlex, and System x3### servers has a default password for the IPMI user account, which makes it easier for remote attackers to perform power-on, power-off, or reboot actions, or add or modify accounts, via unspecified vectors. | 10.0 |
2013-08-08 | CVE-2013-3454 | Cisco | Credentials Management vulnerability in Cisco products Cisco TelePresence System Software 1.10.1 and earlier on 500, 13X0, 1X00, 30X0, and 3X00 devices, and 6.0.3 and earlier on TX 9X00 devices, has a default password for the pwrecovery account, which makes it easier for remote attackers to modify the configuration or perform arbitrary actions via HTTPS requests, aka Bug ID CSCui43128. | 10.0 |
2013-08-07 | CVE-2013-1705 | Mozilla | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Mozilla Firefox and Seamonkey Heap-based buffer underflow in the cryptojs_interpret_key_gen_type function in Mozilla Firefox before 23.0 and SeaMonkey before 2.20 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted Certificate Request Message Format (CRMF) request. | 10.0 |
2013-08-07 | CVE-2013-1702 | Mozilla | Memory Corruption vulnerability in Mozilla Firefox/Thunderbird/Seamonkey Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 23.0 and SeaMonkey before 2.20 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. | 10.0 |
2013-08-06 | CVE-2013-5022 | NI | Path Traversal vulnerability in NI products Absolute path traversal vulnerability in the 3D Graph ActiveX control in cw3dgrph.ocx in National Instruments LabWindows/CVI 2012 SP1 and earlier, LabVIEW 2012 SP1 and earlier, and other products allows remote attackers to create and execute arbitrary files via a full pathname in an argument to the ExportStyle method, in conjunction with file content in the (1) Caption or (2) FormatString property value. | 10.0 |
2013-08-09 | CVE-2013-2577 | Xnview | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Xnview Buffer overflow in XnView before 2.04 allows remote attackers to execute arbitrary code via a crafted PCT file. | 9.3 |
2013-08-09 | CVE-2013-3480 | Sagelighteditor | Numeric Errors vulnerability in Sagelighteditor Sagelight 4.4 Integer overflow in Sagelight 4.4 and earlier allows remote attackers to execute arbitrary code via crafted width and height dimensions in a BMP file, which triggers a heap-based buffer overflow. | 9.3 |
2013-08-09 | CVE-2013-3027 | IBM | Numeric Errors vulnerability in IBM Lotus Domino 9.0.0.0 Integer overflow in the DWA9W ActiveX control in iNotes in IBM Domino 9.0 before IF3 allows remote attackers to execute arbitrary code via a crafted web page, aka SPR PTHN97XHFW. | 9.3 |
2013-08-07 | CVE-2013-1704 | Mozilla | Resource Management Errors vulnerability in Mozilla Firefox and Seamonkey Use-after-free vulnerability in the nsINode::GetParentNode function in Mozilla Firefox before 23.0 and SeaMonkey before 2.20 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption and application crash) via vectors involving a DOM modification at the time of a SetBody mutation event. | 9.3 |
2013-08-06 | CVE-2013-5026 | NI | Unspecified vulnerability in NI Lookout 6.5/6.6/6.7 An ActiveX control in lookout650.ocx, lookout660.ocx, and lookout670.ocx in National Instruments Lookout 6.5 through 6.7 allows remote attackers to execute arbitrary code by triggering the download of, and calls to, an arbitrary DLL file. | 9.3 |
2013-08-05 | CVE-2013-4805 | HP | Authentication Bypass vulnerability in HP Integrated Lights-Out Unspecified vulnerability in HP Integrated Lights-Out 3 (aka iLO3) firmware before 1.60 and 4 (aka iLO4) firmware before 1.30 allows remote attackers to bypass authentication via unknown vectors. | 9.0 |
9 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2013-08-05 | CVE-2013-4575 | Symantec | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Symantec Backup Exec 2010/2012 Heap-based buffer overflow in the utility program in the Linux agent in Symantec Backup Exec 2010 R3 before 2010 R3 SP3 and 2012 before SP2 allows remote attackers to cause a denial of service (agent crash) or possibly execute arbitrary code via unspecified vectors. | 7.9 |
2013-08-05 | CVE-2013-4807 | HP | Information Disclosure vulnerability in Multiple HP LaserJet Pro Printers Unspecified vulnerability on the HP LaserJet Pro P1102w, P1606dn, M1212nf MFP, M1213nf MFP, M1214nfh MFP, M1216nfh MFP, M1217nfw MFP, M1218nfs MFP, and CP1025nw with firmware before 2013-07-26 20130703 allows remote attackers to modify data via unknown vectors. | 7.8 |
2013-08-09 | CVE-2013-4115 | Opensuse Squid Cache | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products Buffer overflow in the idnsALookup function in dns_internal.cc in Squid 3.2 through 3.2.11 and 3.3 through 3.3.6 allows remote attackers to cause a denial of service (memory corruption and server termination) via a long name in a DNS lookup request. | 7.5 |
2013-08-09 | CVE-2013-4789 | Cotonti | SQL Injection vulnerability in Cotonti Siena SQL injection vulnerability in modules/rss/rss.php in Cotonti before 0.9.14 allows remote attackers to execute arbitrary SQL commands via the "c" parameter to index.php. | 7.5 |
2013-08-09 | CVE-2013-4742 | Netwin | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Netwin Surgeftp Buffer overflow in NetWin SurgeFTP before 23d2 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string within the authentication request. | 7.5 |
2013-08-09 | CVE-2013-4147 | Yard Radius Project | Use of Externally-Controlled Format String vulnerability in Yard Radius Project Yard Radius 1.1.24 Multiple format string vulnerabilities in Yet Another Radius Daemon (YARD RADIUS) 1.1.2 allow context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via format string specifiers in a request in the (1) log_msg function in log.c or (2) version or (3) build_version function in version.c. | 7.5 |
2013-08-09 | CVE-2013-4943 | Siemens | Permissions, Privileges, and Access Controls vulnerability in Siemens Comos 10.0/9.1/9.2 The client application in Siemens COMOS before 9.1 Update 458, 9.2 before 9.2.0.6.37, and 10.0 before 10.0.3.0.19 allows local users to gain privileges and bypass intended database-operation restrictions by leveraging COMOS project access. | 7.2 |
2013-08-09 | CVE-2013-2792 | Selinc | Improper Input Validation vulnerability in Selinc products Schweitzer Engineering Laboratories (SEL) SEL-2241, SEL-3505, and SEL-3530 RTAC master devices allow remote attackers to cause a denial of service (infinite loop) via a crafted DNP3 TCP packet. | 7.1 |
2013-08-09 | CVE-2012-3039 | Moxa | Cryptographic Issues vulnerability in Moxa products Moxa OnCell Gateway G3111, G3151, G3211, and G3251 devices with firmware before 1.4 do not use a sufficient source of entropy for SSH and SSL keys, which makes it easier for remote attackers to obtain access by leveraging knowledge of a key from a product installation elsewhere. | 7.1 |
39 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2013-08-09 | CVE-2013-2796 | Schneider Electric | Permissions, Privileges, and Access Controls vulnerability in Schneider-Electric Citectscada, Powerlogic Scada and Vijeo Citect Schneider Electric Vijeo Citect 7.20 and earlier, CitectSCADA 7.20 and earlier, and PowerLogic SCADA 7.20 and earlier allow remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. | 6.9 |
2013-08-07 | CVE-2013-1715 | Mozilla Microsoft | Arbitrary Code Execution vulnerability in Mozilla Firefox and Seamonkey Multiple untrusted search path vulnerabilities in the (1) full installer and (2) stub installer in Mozilla Firefox before 23.0 on Windows allow local users to gain privileges via a Trojan horse DLL in the default downloads directory. | 6.9 |
2013-08-09 | CVE-2013-2576 | B E Soft | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in B-E-Soft Artweaver Buffer overflow in Artweaver before 3.1.6 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted AWD file. | 6.8 |
2013-08-08 | CVE-2013-3256 | Shareaholic Wordpress | Cross-Site Request Forgery (CSRF) vulnerability in Shareaholic Sexybookmarks 6.1.4.0 Cross-site request forgery (CSRF) vulnerability in the Shareaholic SexyBookmarks plugin 6.1.4.0 for WordPress allows remote attackers to hijack the authentication of users for requests that "manipulate plugin settings." | 6.8 |
2013-08-06 | CVE-2013-1633 | Python | Improper Input Validation vulnerability in Python Setuptools easy_install in setuptools before 0.7 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to the default use of the product. | 6.8 |
2013-08-06 | CVE-2013-1630 | Guillaume Gauvrit | Improper Input Validation vulnerability in Guillaume Gauvrit Pyshop pyshop before 0.7.1 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a download operation. | 6.8 |
2013-08-06 | CVE-2013-1629 | Pypa | Improper Input Validation vulnerability in Pypa PIP pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a "pip install" operation. | 6.8 |
2013-08-05 | CVE-2013-3451 | Cisco | Cross-Site Request Forgery (CSRF) vulnerability in Cisco Unified Communications Manager Multiple cross-site request forgery (CSRF) vulnerabilities in Cisco Unified Communications Manager (Unified CM) allow remote attackers to hijack the authentication of arbitrary users for requests that perform arbitrary Unified CM operations, aka Bug ID CSCui13033. | 6.8 |
2013-08-05 | CVE-2013-3450 | Cisco | Cross-Site Request Forgery (CSRF) vulnerability in Cisco Unified Communications Manager Cross-site request forgery (CSRF) vulnerability in the User WebDialer page in Cisco Unified Communications Manager (Unified CM) allows remote attackers to hijack the authentication of arbitrary users for requests that dial calls, aka Bug ID CSCui13028. | 6.8 |
2013-08-05 | CVE-2013-1610 | Symantec | Local Privilege Escalation vulnerability in Symantec Encryption Desktop Unquoted Windows search path vulnerability in RDDService in Symantec PGP Desktop 10.0.x through 10.2.x and Symantec Encryption Desktop 10.3.0 before MP3 allows local users to gain privileges via a Trojan horse application in the %SYSTEMDRIVE% top-level directory. | 6.8 |
2013-08-05 | CVE-2013-4679 | Symantec | Buffer Errors vulnerability in Symantec Workspace Virtualization 6.4.1895.0 Symantec Workspace Virtualization 6.x before 6.4.1953.0, when a virtual application layer is configured, allows local users to gain privileges via an application that performs crafted interaction with the operating system. | 6.6 |
2013-08-09 | CVE-2013-4619 | Open EMR | SQL Injection vulnerability in Open-Emr Openemr 4.1.1 Multiple SQL injection vulnerabilities in OpenEMR 4.1.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) start or (2) end parameter to interface/reports/custom_report_range.php, or the (3) form_newid parameter to custom/chart_tracker.php. | 6.5 |
2013-08-06 | CVE-2013-3992 | IBM | Cross-Site Request Forgery (CSRF) vulnerability in IBM Infosphere Biginsights 2.0.0.0/2.1.0.0 Cross-site request forgery (CSRF) vulnerability in IBM InfoSphere BigInsights 2.0 through 2.1 allows remote authenticated users to hijack the authentication of unspecified victims via unknown vectors. | 6.0 |
2013-08-05 | CVE-2013-0149 | Cisco | Remote Security Bypass vulnerability in Cisco IOS and IOS XE The OSPF implementation in Cisco IOS 12.0 through 12.4 and 15.0 through 15.3, IOS-XE 2.x through 3.9.xS, ASA and PIX 7.x through 9.1, FWSM, NX-OS, and StarOS before 14.0.50488 does not properly validate Link State Advertisement (LSA) type 1 packets before performing operations on the LSA database, which allows remote attackers to cause a denial of service (routing disruption) or obtain sensitive packet information via a (1) unicast or (2) multicast packet, aka Bug IDs CSCug34485, CSCug34469, CSCug39762, CSCug63304, and CSCug39795. | 5.8 |
2013-08-09 | CVE-2013-0494 | IBM | Resource Management Errors vulnerability in IBM Sterling B2B Integrator 5.0/5.1 IBM Sterling B2B Integrator 5.0 and 5.1 allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted HTTP (1) Range or (2) Request-Range header. | 5.0 |
2013-08-06 | CVE-2013-4124 | Canonical Redhat Fedoraproject Samba Opensuse | Numeric Errors vulnerability in multiple products Integer overflow in the read_nttrans_ea_list function in nttrans.c in smbd in Samba 3.x before 3.5.22, 3.6.x before 3.6.17, and 4.x before 4.0.8 allows remote attackers to cause a denial of service (memory consumption) via a malformed packet. | 5.0 |
2013-08-06 | CVE-2013-3996 | IBM | Improper Input Validation vulnerability in IBM Infosphere Biginsights IBM InfoSphere BigInsights 1.1 through 2.1 does not properly handle FRAME elements, which makes it easier for remote authenticated users to conduct phishing attacks via a crafted web site. | 4.9 |
2013-08-09 | CVE-2013-2798 | Selinc | Improper Input Validation vulnerability in Selinc products Schweitzer Engineering Laboratories (SEL) SEL-2241, SEL-3505, and SEL-3530 RTAC master devices allow physically proximate attackers to cause a denial of service (infinite loop) via crafted input over a serial line. | 4.7 |
2013-08-09 | CVE-2013-4037 | IBM | Authentication Bypass vulnerability in Intelligent Platform Management Interface The RAKP protocol support in the Intelligent Platform Management Interface (IPMI) implementation in Integrated Management Module (IMM) and Integrated Management Module II (IMM2) on IBM BladeCenter, Flex System, System x iDataPlex, and System x3### servers sends a password hash to the client, which makes it easier for remote attackers to obtain access via a brute-force attack. | 4.3 |
2013-08-09 | CVE-2013-5100 | Franz Holzinger | Cross-Site Scripting vulnerability in Franz Holzinger Static Methods Cross-site scripting (XSS) vulnerability in the Static Methods since 2007 (div2007) extension before 0.10.2 for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to the t3lib_div::quoteJSvalue function. | 4.3 |
2013-08-09 | CVE-2012-6458 | Silverstripe | Cross-Site Scripting vulnerability in Silverstripe 3.0.0 Multiple cross-site scripting (XSS) vulnerabilities in the SilverStripe e-commerce module 3.0 for SilverStripe CMS allow remote attackers to inject arbitrary web script or HTML via the (1) FirstName, (2) Surname, or (3) Email parameter to code/forms/OrderFormAddress.php; or the (4) FirstName or (5) Surname parameter to code/forms/ShopAccountForm.php. | 4.3 |
2013-08-09 | CVE-2013-5098 | Mikejolley Wordpress | Cross-Site Scripting vulnerability in Mikejolley Download Monitor Cross-site scripting (XSS) vulnerability in admin/admin.php in the Download Monitor plugin before 3.3.6.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the sort parameter, a different vulnerability than CVE-2013-3262. | 4.3 |
2013-08-09 | CVE-2013-4759 | Magnolia CMS | Cross-Site Scripting vulnerability in Magnolia-Cms Magnolia Form Module Multiple cross-site scripting (XSS) vulnerabilities in the Magnolia Form module 1.x before 1.4.7 and 2.x before 2.0.2 for Magnolia CMS allow remote attackers to inject arbitrary web script or HTML via the (1) username, (2) fullname, or (3) email parameter to magnoliaPublic/demo-project/members-area/registration.html. | 4.3 |
2013-08-09 | CVE-2013-4625 | Cory Lamle Wordpress | Cross-Site Scripting vulnerability in Cory Lamle Duplicator 0.4.2/0.4.3 Cross-site scripting (XSS) vulnerability in files/installer.cleanup.php in the Duplicator plugin before 0.4.5 for WordPress allows remote attackers to inject arbitrary web script or HTML via the package parameter. | 4.3 |
2013-08-09 | CVE-2013-4620 | Open EMR | Cross-Site Scripting vulnerability in Open-Emr Openemr 4.1.1 Cross-site scripting (XSS) vulnerability in interface/main/onotes/office_comments_full.php in OpenEMR 4.1.1 allows remote attackers to inject arbitrary web script or HTML via the note parameter. | 4.3 |
2013-08-09 | CVE-2013-4600 | Alkacon | Cross-Site Scripting vulnerability in Alkacon Opencms Multiple cross-site scripting (XSS) vulnerabilities in Alkacon OpenCms before 8.5.2 allow remote attackers to inject arbitrary web script or HTML via the (1) title parameter to system/workplace/views/admin/admin-main.jsp or the (2) requestedResource parameter to system/login/index.html. | 4.3 |
2013-08-09 | CVE-2013-3262 | Mikejolley Wordpress | Cross-Site Scripting vulnerability in Mikejolley Download Monitor Cross-site scripting (XSS) vulnerability in admin/admin.php in the Download Monitor plugin before 3.3.6.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the p parameter. | 4.3 |
2013-08-09 | CVE-2013-2117 | Jason A Donenfeld Lars Hjemli | Path Traversal vulnerability in multiple products Directory traversal vulnerability in the cgit_parse_readme function in ui-summary.c in cgit before 0.9.2, when a readme file is set to a filesystem path, allows remote attackers to read arbitrary files via a .. | 4.3 |
2013-08-09 | CVE-2013-3990 | IBM | Cross-Site Scripting vulnerability in IBM Lotus Domino Cross-site scripting (XSS) vulnerability in the MIME e-mail functionality in iNotes in IBM Domino 9.0 before IF3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka SPR PTHN98FLQ2. | 4.3 |
2013-08-09 | CVE-2013-3032 | IBM | Cross-Site Scripting vulnerability in IBM Lotus Domino Cross-site scripting (XSS) vulnerability in the MIME e-mail functionality in iNotes in IBM Domino 9.0 before IF3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka SPR PTHN986NAA. | 4.3 |
2013-08-07 | CVE-2013-1711 | Mozilla | Cross-Site Scripting vulnerability in Mozilla Firefox and Seamonkey The XrayWrapper implementation in Mozilla Firefox before 23.0 and SeaMonkey before 2.20 does not properly address the possibility of an XBL scope bypass resulting from non-native arguments in XBL function calls, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks by leveraging access to an unprivileged object. | 4.3 |
2013-08-07 | CVE-2013-1708 | Mozilla | Denial of Service vulnerability in Mozilla Firefox/SeaMonkey Mozilla Firefox before 23.0 and SeaMonkey before 2.20 allow remote attackers to cause a denial of service (application crash) via a crafted WAV file that is not properly handled by the nsCString::CharAt function. | 4.3 |
2013-08-06 | CVE-2013-5025 | NI | Security vulnerability in National Instruments LabWindows/CVI An ActiveX control in exlauncher.dll in the Help subsystem in National Instruments LabWindows/CVI before 2013 allows remote attackers to cause a denial of service by triggering the display of local example files. | 4.3 |
2013-08-06 | CVE-2013-5024 | NI | Unspecified vulnerability in NI Measurementstudio 2013 An ActiveX control in NationalInstruments.Help2.dll in National Instruments NI .NET Class Library Help, as used in Measurement Studio 2013 and earlier and other products, allows remote attackers to obtain sensitive information about the existence of registry keys via crafted (1) key-open or (2) key-close method calls. | 4.3 |
2013-08-06 | CVE-2013-5023 | NI | Unspecified vulnerability in NI products The ActiveX controls in the HelpAsst component in NI Help Links in National Instruments LabWindows/CVI 2012 SP1 and earlier, LabVIEW 2012 SP1 and earlier, and other products allow remote attackers to cause a denial of service by triggering the display of local .chm files. | 4.3 |
2013-08-05 | CVE-2013-4677 | Symantec | Permissions, Privileges, and Access Controls vulnerability in Symantec Backup Exec 2010/2010R3/2012 Symantec Backup Exec 2010 R3 before 2010 R3 SP3 and 2012 before SP2 uses weak permissions (Everyone: Read and Everyone: Change) for backup data files, which allows local users to obtain sensitive information or modify the outcome of a restore via direct access to these files. | 4.3 |
2013-08-05 | CVE-2013-4676 | Symantec | Cross-Site Scripting vulnerability in Symantec Backup Exec 2010R3/2012 Multiple cross-site scripting (XSS) vulnerabilities in Symantec Backup Exec 2010 R3 before 2010 R3 SP3 and 2012 before SP2 allow remote attackers to inject arbitrary web script or HTML via vectors involving a (1) custom-reports generation page, (2) Storage Devices creation page, or (3) jobs creation page in the management console; or (4) a Backup Exec server-management page in the beutility console. | 4.3 |
2013-08-09 | CVE-2013-4038 | IBM | Cryptographic Issues vulnerability in IBM products The Intelligent Platform Management Interface (IPMI) implementation in Integrated Management Module (IMM) on IBM BladeCenter, Flex System, System x iDataPlex, and System x3### servers uses cleartext for password storage, which allows context-dependent attackers to obtain sensitive information by reading a file. | 4.0 |
2013-08-05 | CVE-2013-3442 | Cisco | Information Exposure vulnerability in Cisco Unified Communications Manager The web portal in Cisco Unified Communications Manager (Unified CM) allows remote authenticated users to obtain sensitive stack-trace information via unspecified vectors that trigger a stack exception, aka Bug ID CSCug34854. | 4.0 |
5 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2013-08-09 | CVE-2013-0492 | IBM | Cross-Site Scripting vulnerability in IBM Informix Open Admin Tool 2.0/3.0 Cross-site scripting (XSS) vulnerability in IBM Informix Open Admin Tool (OAT) 2.x and 3.x before 3.11.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL. | 3.5 |
2013-08-06 | CVE-2013-3995 | IBM | Cross-Site Scripting vulnerability in IBM Infosphere Biginsights Cross-site scripting (XSS) vulnerability in IBM InfoSphere BigInsights 1.1 through 2.1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. | 3.5 |
2013-08-09 | CVE-2013-3659 | Nttdocomo | Improper Authentication vulnerability in Nttdocomo Overseas Usage 2.0.0/2.0.4 The NTT DOCOMO overseas usage application 2.0.0 through 2.0.4 for Android does not properly connect to Wi-Fi access points, which allows remote attackers to obtain sensitive information by leveraging presence in an 802.11 network's coverage area. | 3.3 |
2013-08-05 | CVE-2013-4678 | Symantec | Information Exposure vulnerability in Symantec Backup Exec 2010/2010R3/2012 The NDMP protocol implementation in Symantec Backup Exec 2010 R3 before 2010 R3 SP3 and 2012 before SP2 allows remote authenticated users to obtain sensitive host-version information via unspecified vectors. | 2.7 |
2013-08-09 | CVE-2013-5099 | Anchor | Cross-Site Scripting vulnerability in Anchor CMS 0.9.1 Cross-site scripting (XSS) vulnerability in article.php in Anchor CMS 0.9.1, when comments are enabled, allows remote attackers to inject arbitrary web script or HTML via the Name field. | 2.6 |