Weekly Vulnerabilities Reports > September 9 to 15, 2013
Overview
111 new vulnerabilities reported during this period, including 56 critical vulnerabilities and 9 high severity vulnerabilities. This weekly summary report vulnerabilities in 86 products from 34 vendors including Microsoft, Adobe, Apple, Citrix, and IBM. Vulnerabilities are notably categorized as "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Improper Input Validation", "Cross-site Scripting", "Permissions, Privileges, and Access Controls", and "Numeric Errors".
- 99 reported vulnerabilities are remotely exploitables.
- 4 reported vulnerabilities have public exploit available.
- 18 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 104 reported vulnerabilities are exploitable by an anonymous user.
- Microsoft has the most reported vulnerabilities, with 49 reported vulnerabilities.
- Microsoft has the most reported critical vulnerabilities, with 41 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
56 Critical Vulnerabilities
| DATE | CVE | VENDOR | VULNERABILITY | CVSS |
|---|---|---|---|---|
| 2013-09-12 | CVE-2013-2940 | Citrix | Security vulnerability in Citrix Cloudportal Services Manager 10.0 Unspecified vulnerability in Citrix CloudPortal Services Manager (aka Cortex) 10.0 before Cumulative Update 3 has unknown impact and attack vectors, a different vulnerability than other CVEs listed in CTX137162. | 10.0 |
| 2013-09-12 | CVE-2013-2939 | Citrix | Security vulnerability in Citrix Cloudportal Services Manager 10.0 Unspecified vulnerability in Citrix CloudPortal Services Manager (aka Cortex) 10.0 before Cumulative Update 3 has unknown impact and attack vectors, a different vulnerability than other CVEs listed in CTX137162. | 10.0 |
| 2013-09-12 | CVE-2013-2938 | Citrix | Security vulnerability in Citrix Cloudportal Services Manager 10.0 Unspecified vulnerability in Citrix CloudPortal Services Manager (aka Cortex) 10.0 before Cumulative Update 3 has unknown impact and attack vectors, a different vulnerability than other CVEs listed in CTX137162. | 10.0 |
| 2013-09-12 | CVE-2013-2937 | Citrix | Information Disclosure vulnerability in Citrix Cloudportal Services Manager 10.0 Unspecified vulnerability in Citrix CloudPortal Services Manager (aka Cortex) 10.0 before Cumulative Update 3 has unknown impact and attack vectors, related to debugging messages, a different vulnerability than other CVEs listed in CTX137162. | 10.0 |
| 2013-09-12 | CVE-2013-2936 | Citrix | Security vulnerability in Citrix Cloudportal Services Manager 10.0 Unspecified vulnerability in Citrix CloudPortal Services Manager (aka Cortex) 10.0 before Cumulative Update 3 has unknown impact and attack vectors, a different vulnerability than other CVEs listed in CTX137162. | 10.0 |
| 2013-09-12 | CVE-2013-2935 | Citrix | Security vulnerability in Citrix Cloudportal Services Manager 10.0 Unspecified vulnerability in Citrix CloudPortal Services Manager (aka Cortex) 10.0 before Cumulative Update 3 has unknown impact and attack vectors, a different vulnerability than other CVEs listed in CTX137162. | 10.0 |
| 2013-09-12 | CVE-2013-2934 | Citrix | Permissions, Privileges, and Access Controls vulnerability in Citrix Cloudportal Services Manager 10.0 Citrix CloudPortal Services Manager (aka Cortex) 10.0 before Cumulative Update 3 does not properly restrict access to web services, which has unspecified impact and attack vectors, a different vulnerability than other CVEs listed in CTX137162. | 10.0 |
| 2013-09-12 | CVE-2013-2933 | Citrix | Security vulnerability in Citrix Cloudportal Services Manager 10.0 Unspecified vulnerability in Citrix CloudPortal Services Manager (aka Cortex) 10.0 before Cumulative Update 3 has unknown impact and attack vectors, a different vulnerability than other CVEs listed in CTX137162. | 10.0 |
| 2013-09-12 | CVE-2013-5324 | Adobe Apple Microsoft Linux | Buffer Errors vulnerability in Adobe Air, AIR SDK and Flash Player Adobe Flash Player before 11.7.700.242 and 11.8.x before 11.8.800.168 on Windows and Mac OS X, before 11.2.202.310 on Linux, before 11.1.111.73 on Android 2.x and 3.x, and before 11.1.115.81 on Android 4.x; Adobe AIR before 3.8.0.1430; and Adobe AIR SDK & Compiler before 3.8.0.1430 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-3361, CVE-2013-3362, and CVE-2013-3363. | 10.0 |
| 2013-09-12 | CVE-2013-3363 | Adobe Apple Microsoft Linux | Buffer Errors vulnerability in Adobe Air, AIR SDK and Flash Player Adobe Flash Player before 11.7.700.242 and 11.8.x before 11.8.800.168 on Windows and Mac OS X, before 11.2.202.310 on Linux, before 11.1.111.73 on Android 2.x and 3.x, and before 11.1.115.81 on Android 4.x; Adobe AIR before 3.8.0.1430; and Adobe AIR SDK & Compiler before 3.8.0.1430 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-3361, CVE-2013-3362, and CVE-2013-5324. | 10.0 |
| 2013-09-12 | CVE-2013-3362 | Adobe Apple Microsoft Linux | Buffer Errors vulnerability in Adobe Air, AIR SDK and Flash Player Adobe Flash Player before 11.7.700.242 and 11.8.x before 11.8.800.168 on Windows and Mac OS X, before 11.2.202.310 on Linux, before 11.1.111.73 on Android 2.x and 3.x, and before 11.1.115.81 on Android 4.x; Adobe AIR before 3.8.0.1430; and Adobe AIR SDK & Compiler before 3.8.0.1430 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-3361, CVE-2013-3363, and CVE-2013-5324. | 10.0 |
| 2013-09-12 | CVE-2013-3361 | Adobe Apple Microsoft Linux | Buffer Errors vulnerability in Adobe Air, AIR SDK and Flash Player Adobe Flash Player before 11.7.700.242 and 11.8.x before 11.8.800.168 on Windows and Mac OS X, before 11.2.202.310 on Linux, before 11.1.111.73 on Android 2.x and 3.x, and before 11.1.115.81 on Android 4.x; Adobe AIR before 3.8.0.1430; and Adobe AIR SDK & Compiler before 3.8.0.1430 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-3362, CVE-2013-3363, and CVE-2013-5324. | 10.0 |
| 2013-09-12 | CVE-2013-3360 | Adobe | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Adobe Shockwave Player Adobe Shockwave Player before 12.0.4.144 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-3359. | 10.0 |
| 2013-09-12 | CVE-2013-3359 | Adobe | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Adobe Shockwave Player Adobe Shockwave Player before 12.0.4.144 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-3360. | 10.0 |
| 2013-09-12 | CVE-2013-3358 | Adobe Apple Microsoft | Numeric Errors vulnerability in Adobe Acrobat and Acrobat Reader Integer overflow in Adobe Reader and Acrobat before 10.1.8 and 11.x before 11.0.04 on Windows and Mac OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2013-3357. | 10.0 |
| 2013-09-12 | CVE-2013-3357 | Adobe Apple Microsoft | Numeric Errors vulnerability in Adobe Acrobat and Acrobat Reader Integer overflow in Adobe Reader and Acrobat before 10.1.8 and 11.x before 11.0.04 on Windows and Mac OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2013-3358. | 10.0 |
| 2013-09-12 | CVE-2013-3356 | Adobe Apple Microsoft | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Adobe Acrobat and Acrobat Reader Buffer overflow in Adobe Reader and Acrobat before 10.1.8 and 11.x before 11.0.04 on Windows and Mac OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2013-3353. | 10.0 |
| 2013-09-12 | CVE-2013-3355 | Adobe Apple Microsoft | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Adobe Acrobat and Acrobat Reader Adobe Reader and Acrobat before 10.1.8 and 11.x before 11.0.04 on Windows and Mac OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-3352 and CVE-2013-3354. | 10.0 |
| 2013-09-12 | CVE-2013-3354 | Adobe Apple Microsoft | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Adobe Acrobat and Acrobat Reader Adobe Reader and Acrobat before 10.1.8 and 11.x before 11.0.04 on Windows and Mac OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-3352 and CVE-2013-3355. | 10.0 |
| 2013-09-12 | CVE-2013-3353 | Adobe Apple Microsoft | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Adobe Acrobat and Acrobat Reader Buffer overflow in Adobe Reader and Acrobat before 10.1.8 and 11.x before 11.0.04 on Windows and Mac OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2013-3356. | 10.0 |
| 2013-09-12 | CVE-2013-3352 | Adobe Apple Microsoft | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Adobe Acrobat and Acrobat Reader Adobe Reader and Acrobat before 10.1.8 and 11.x before 11.0.04 on Windows and Mac OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-3354 and CVE-2013-3355. | 10.0 |
| 2013-09-12 | CVE-2013-3351 | Adobe Apple Microsoft | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Adobe Acrobat and Acrobat Reader Multiple stack-based buffer overflows in Adobe Reader and Acrobat before 10.1.8 and 11.x before 11.0.04 on Windows and Mac OS X allow attackers to execute arbitrary code via unspecified vectors. | 10.0 |
| 2013-09-11 | CVE-2013-1330 | Microsoft | Improper Input Validation vulnerability in Microsoft products The default configuration of Microsoft SharePoint Portal Server 2003 SP3, SharePoint Server 2007 SP3 and 2010 SP1 and SP2, and Office Web Apps 2010 does not set the EnableViewStateMac attribute, which allows remote attackers to execute arbitrary code by leveraging an unassigned workflow, aka "MAC Disabled Vulnerability." | 10.0 |
| 2013-09-10 | CVE-2013-4983 | Sophos | OS Command Injection vulnerability in Sophos web Appliance Firmware The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the domain parameter to end-user/index.php. | 10.0 |
| 2013-09-09 | CVE-2013-5715 | Gomlab | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Gomlab GOM Player Buffer overflow in Gretech GOM Media Player before 2.2.53.5169 has unspecified impact and attack vectors. | 10.0 |
| 2013-09-10 | CVE-2013-3658 | Vmware | Path Traversal vulnerability in VMWare ESX and Esxi Directory traversal vulnerability in VMware ESXi 4.0 through 5.0, and ESX 4.0 and 4.1, allows remote attackers to delete arbitrary host OS files via unspecified vectors. | 9.4 |
| 2013-09-11 | CVE-2013-3870 | Microsoft | Resource Management Errors vulnerability in Microsoft Outlook 2007/2010 Double free vulnerability in Microsoft Outlook 2007 SP3 and 2010 SP1 and SP2 allows remote attackers to execute arbitrary code by including many nested S/MIME certificates in an e-mail message, aka "Message Certificate Vulnerability." | 9.3 |
| 2013-09-11 | CVE-2013-3863 | Microsoft | Buffer Errors vulnerability in Microsoft Windows Server 2003 and Windows XP Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 allow remote attackers to execute arbitrary code via a crafted OLE object in a file, aka "OLE Property Vulnerability." | 9.3 |
| 2013-09-11 | CVE-2013-3858 | Microsoft | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Microsoft products Microsoft Word Automation Services in SharePoint Server 2010 SP1, Word Web App 2010 SP1 in Office Web Apps 2010, Word 2003 SP3, Word 2007 SP3, Word 2010 SP1, Office Compatibility Pack SP3, and Word Viewer allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Word Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3847, CVE-2013-3848, and CVE-2013-3849. | 9.3 |
| 2013-09-11 | CVE-2013-3857 | Microsoft | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Microsoft products Microsoft Word Automation Services in SharePoint Server 2010 SP1 and SP2, Word Web App 2010 SP1 and SP2 in Office Web Apps 2010, Word 2003 SP3, Word 2007 SP3, Word 2010 SP1 and SP2, Office Compatibility Pack SP3, and Word Viewer allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Word Memory Corruption Vulnerability." | 9.3 |
| 2013-09-11 | CVE-2013-3856 | Microsoft | Buffer Errors vulnerability in Microsoft Word and Word Viewer Microsoft Word 2003 SP3 and Word Viewer allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Word Memory Corruption Vulnerability." | 9.3 |
| 2013-09-11 | CVE-2013-3855 | Microsoft | Buffer Errors vulnerability in Microsoft Office Compatibility Pack, Word and Word Viewer Microsoft Word 2003 SP3 and 2007 SP3, Office Compatibility Pack SP3, and Word Viewer allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Word Memory Corruption Vulnerability." | 9.3 |
| 2013-09-11 | CVE-2013-3854 | Microsoft | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Microsoft Office and Word Microsoft Office 2007 SP3 and Word 2007 SP3 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Word Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3853. | 9.3 |
| 2013-09-11 | CVE-2013-3853 | Microsoft | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Microsoft Office and Word Microsoft Office 2007 SP3 and Word 2007 SP3 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Word Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3854. | 9.3 |
| 2013-09-11 | CVE-2013-3852 | Microsoft | Buffer Errors vulnerability in Microsoft Office Compatibility Pack, Word and Word Viewer Microsoft Word 2003 SP3, 2007 SP3, and 2010 SP1; Office Compatibility Pack SP3; and Word Viewer allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Word Memory Corruption Vulnerability." | 9.3 |
| 2013-09-11 | CVE-2013-3851 | Microsoft | Buffer Errors vulnerability in Microsoft Office Compatibility Pack, Word and Word Viewer Microsoft Office 2003 SP3 and 2007 SP3, Word 2003 SP3 and 2007 SP3, Office Compatibility Pack SP3, and Word Viewer allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Word Memory Corruption Vulnerability." | 9.3 |
| 2013-09-11 | CVE-2013-3850 | Microsoft | Buffer Errors vulnerability in Microsoft Office Compatibility Pack, Word and Word Viewer Microsoft Word 2003 SP3, 2007 SP3, and 2010 SP1 and SP2; Office Compatibility Pack SP3; and Word Viewer allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Word Memory Corruption Vulnerability." | 9.3 |
| 2013-09-11 | CVE-2013-3849 | Microsoft | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Microsoft products Microsoft Word Automation Services in SharePoint Server 2010 SP1, Word Web App 2010 SP1 in Office Web Apps 2010, Word 2003 SP3, Word 2007 SP3, Word 2010 SP1, Office Compatibility Pack SP3, and Word Viewer allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Word Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3847, CVE-2013-3848, and CVE-2013-3858. | 9.3 |
| 2013-09-11 | CVE-2013-3848 | Microsoft | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Microsoft products Microsoft Word Automation Services in SharePoint Server 2010 SP1, Word Web App 2010 SP1 in Office Web Apps 2010, Word 2003 SP3, Word 2007 SP3, Word 2010 SP1, Office Compatibility Pack SP3, and Word Viewer allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Word Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3847, CVE-2013-3849, and CVE-2013-3858. | 9.3 |
| 2013-09-11 | CVE-2013-3847 | Microsoft | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Microsoft products Microsoft Word Automation Services in SharePoint Server 2010 SP1, Word Web App 2010 SP1 in Office Web Apps 2010, Word 2003 SP3, Word 2007 SP3, Word 2010 SP1, Office Compatibility Pack SP3, and Word Viewer allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Word Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3848, CVE-2013-3849, and CVE-2013-3858. | 9.3 |
| 2013-09-11 | CVE-2013-3845 | Microsoft | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Microsoft Internet Explorer 8/9 Microsoft Internet Explorer 8 and 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." | 9.3 |
| 2013-09-11 | CVE-2013-3209 | Microsoft | Buffer Errors vulnerability in Microsoft Internet Explorer 10/9 Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3201, CVE-2013-3203, CVE-2013-3206, and CVE-2013-3207. | 9.3 |
| 2013-09-11 | CVE-2013-3208 | Microsoft | Buffer Errors vulnerability in Microsoft Internet Explorer 10/8/9 Microsoft Internet Explorer 8 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." | 9.3 |
| 2013-09-11 | CVE-2013-3207 | Microsoft | Buffer Errors vulnerability in Microsoft Internet Explorer 10/9 Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3201, CVE-2013-3203, CVE-2013-3206, and CVE-2013-3209. | 9.3 |
| 2013-09-11 | CVE-2013-3206 | Microsoft | Buffer Errors vulnerability in Microsoft Internet Explorer 10/9 Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3201, CVE-2013-3203, CVE-2013-3207, and CVE-2013-3209. | 9.3 |
| 2013-09-11 | CVE-2013-3205 | Microsoft | Buffer Errors vulnerability in Microsoft Internet Explorer 6/7/8 Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." | 9.3 |
| 2013-09-11 | CVE-2013-3204 | Microsoft | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Microsoft Internet Explorer Microsoft Internet Explorer 7 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." | 9.3 |
| 2013-09-11 | CVE-2013-3203 | Microsoft | Buffer Errors vulnerability in Microsoft Internet Explorer 10/9 Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3201, CVE-2013-3206, CVE-2013-3207, and CVE-2013-3209. | 9.3 |
| 2013-09-11 | CVE-2013-3202 | Microsoft | Buffer Errors vulnerability in Microsoft Internet Explorer 10 Microsoft Internet Explorer 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." | 9.3 |
| 2013-09-11 | CVE-2013-3201 | Microsoft | Buffer Errors vulnerability in Microsoft Internet Explorer 10/9 Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3203, CVE-2013-3206, CVE-2013-3207, and CVE-2013-3209. | 9.3 |
| 2013-09-11 | CVE-2013-3158 | Microsoft | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Microsoft Excel 2003/2007 Microsoft Excel 2003 SP3 and 2007 SP3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Microsoft Office Memory Corruption Vulnerability." | 9.3 |
| 2013-09-11 | CVE-2013-3157 | Microsoft | Buffer Errors vulnerability in Microsoft Access 2007/2010/2013 Microsoft Access 2007 SP3, 2010 SP1 and SP2, and 2013 in Microsoft Office allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Access file, aka "Access Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3155. | 9.3 |
| 2013-09-11 | CVE-2013-3156 | Microsoft | Buffer Errors vulnerability in Microsoft Access 2007/2010/2013 Microsoft Access 2007 SP3, 2010 SP1 and SP2, and 2013 in Microsoft Office allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Access file, aka "Access File Format Memory Corruption Vulnerability." | 9.3 |
| 2013-09-11 | CVE-2013-3155 | Microsoft | Buffer Errors vulnerability in Microsoft Access 2007/2010/2013 Microsoft Access 2007 SP3, 2010 SP1 and SP2, and 2013 in Microsoft Office allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Access file, aka "Access Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3157. | 9.3 |
| 2013-09-10 | CVE-2013-3934 | Kingsoft | Buffer Errors vulnerability in Kingsoft Office 2012 and Writer 2012 Stack-based buffer overflow in Kingsoft Writer 2012 8.1.0.3030, as used in Kingsoft Office 2013 before 9.1.0.4256, allows remote attackers to execute arbitrary code via a long font name in a WPS file. | 9.3 |
| 2013-09-09 | CVE-2013-2803 | Prosoft Technology | Cryptographic Issues vulnerability in Prosoft-Technology Radiolinx Controlscape 6.00 ProSoft RadioLinx ControlScape before 6.00.040 uses a deficient PRNG algorithm and seeding strategy for passphrases, which makes it easier for remote attackers to obtain access via a brute-force attack. | 9.3 |
9 High Vulnerabilities
| DATE | CVE | VENDOR | VULNERABILITY | CVSS |
|---|---|---|---|---|
| 2013-09-09 | CVE-2013-2793 | Trianglemicroworks | Buffer Errors vulnerability in Trianglemicroworks products Triangle MicroWorks SCADA Data Gateway 2.50.0309 through 3.00.0616, DNP3 .NET Protocol components 3.06.0.171 through 3.15.0.369, and DNP3 C libraries 3.06.0000 through 3.15.0000 allow remote attackers to cause a denial of service (infinite loop) via a crafted DNP3 TCP packet. | 7.8 |
| 2013-09-12 | CVE-2013-2601 | Citrix | Unspecified vulnerability in Citrix Xenclient XT 2.1.2/3.0.0/3.1.3 The NDVM in Citrix XenClient XT before 2.1.3 and 3.x before 3.1.4 allows remote attackers to execute arbitrary commands by using the UIVM to create a network connection. | 7.5 |
| 2013-09-12 | CVE-2013-5723 | SAP | SQL Injection vulnerability in SAP Netweaver 7.30 SQL injection vulnerability in SAP NetWeaver 7.30 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, related to "ABAD0_DELETE_DERIVATION_TABLE." | 7.5 |
| 2013-09-12 | CVE-2013-4339 | Wordpress | Improper Input Validation vulnerability in Wordpress WordPress before 3.6.1 does not properly validate URLs before use in an HTTP redirect, which allows remote attackers to bypass intended redirection restrictions via a crafted string. | 7.5 |
| 2013-09-12 | CVE-2013-4338 | Wordpress | Code Injection vulnerability in Wordpress wp-includes/functions.php in WordPress before 3.6.1 does not properly determine whether data has been serialized, which allows remote attackers to execute arbitrary code by triggering erroneous PHP unserialize operations. | 7.5 |
| 2013-09-10 | CVE-2013-5673 | Indianic Wordpress | SQL Injection vulnerability in Indianic Testimonial Plugin 2.2 SQL injection vulnerability in testimonial.php in the IndiaNIC Testimonial plugin 2.2 for WordPress allows remote attackers to execute arbitrary SQL commands via the custom_query parameter in a testimonial_add action to wp-admin/admin-ajax.php. | 7.5 |
| 2013-09-10 | CVE-2013-3657 | Vmware | Buffer Errors vulnerability in VMWare ESX and Esxi Buffer overflow in VMware ESXi 4.0 through 5.0, and ESX 4.0 and 4.1, allows remote attackers to execute arbitrary code or cause a denial of service via unspecified vectors. | 7.5 |
| 2013-09-10 | CVE-2013-4984 | Sophos | Permissions, Privileges, and Access Controls vulnerability in Sophos web Appliance The close_connections function in /opt/cma/bin/clear_keys.pl in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows local users to gain privileges via shell metacharacters in the second argument. | 7.2 |
| 2013-09-09 | CVE-2013-2791 | Matrikonopc | Buffer Errors vulnerability in Matrikonopc Scada Dnp3 OPC Server 1.2.0 MatrikonOPC SCADA DNP3 OPC Server 1.2.0 allows remote attackers to cause a denial of service (master-station daemon crash) via a malformed DNP3 TCP packet from the IP address of an outstation. | 7.1 |
42 Medium Vulnerabilities
| DATE | CVE | VENDOR | VULNERABILITY | CVSS |
|---|---|---|---|---|
| 2013-09-12 | CVE-2013-5740 | Intel | Unspecified vulnerability in Intel products Unspecified vulnerability in the Intel Trusted Execution Technology (TXT) SINIT Authenticated Code Modules (ACM) before 1.2, as used by the Intel QM77, QS77, Q77 Express, C216, Q67 Express, C202, C204, and C206 chipsets and Mobile Intel QM67 and QS67 chipsets, when the measured launch environment (MLE) is invoked, allows local users to bypass the Trusted Execution Technology protection mechanism and perform other unspecified SINIT ACM functions via unspecified vectors. | 6.9 |
| 2013-09-11 | CVE-2013-3862 | Microsoft | Resource Management Errors vulnerability in Microsoft Windows 7 and Windows Server 2008 Double free vulnerability in Microsoft Windows 7 and Server 2008 R2 SP1 allows local users to gain privileges via a crafted service description that is not properly handled by services.exe in the Service Control Manager (SCM), aka "Service Control Manager Double Free Vulnerability." | 6.9 |
| 2013-09-11 | CVE-2013-3859 | Microsoft | Permissions, Privileges, and Access Controls vulnerability in Microsoft Office and Pinyin IME Microsoft Pinyin IME 2010, when used in conjunction with Microsoft Office 2010 SP1, does not properly restrict configuration options, which allows local users to gain privileges by starting Internet Explorer from the IME toolbar, aka "Chinese IME Vulnerability." | 6.9 |
| 2013-09-10 | CVE-2013-4169 | Gnome | Link Following vulnerability in Gnome Display Manager GNOME Display Manager (gdm) before 2.21.1 allows local users to change permissions of arbitrary directories via a symlink attack on /tmp/.X11-unix/. | 6.9 |
| 2013-09-13 | CVE-2013-5493 | Cisco | Improper Input Validation vulnerability in Cisco products The diagnostic module in the firmware on Cisco Virtualization Experience Client 6000 devices allows local users to bypass intended access restrictions and execute arbitrary commands via unspecified vectors, aka Bug ID CSCug68407. | 6.8 |
| 2013-09-10 | CVE-2013-5672 | Indianic Wordpress | Cross-Site Request Forgery (CSRF) vulnerability in Indianic Testimonial Plugin 2.2 Multiple cross-site request forgery (CSRF) vulnerabilities in the IndiaNIC Testimonial plugin 2.2 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) add a testimonial via an iNIC_testimonial_save action; (2) add a listing template via an iNIC_testimonial_save_listing_template action; (3) add a widget template via an iNIC_testimonial_save_widget action; insert cross-site scripting (XSS) sequences via the (4) project_name, (5) project_url, (6) client_name, (7) client_city, (8) client_state, (9) description, (10) tags, (11) video_url, or (12) is_featured, (13) title, (14) widget_title, (15) no_of_testimonials, (16) filter_by_country, (17) filter_by_tags, or (18) widget_template parameter to wp-admin/admin-ajax.php. | 6.8 |
| 2013-09-09 | CVE-2013-4062 | IBM | Cryptographic Issues vulnerability in IBM Rational Policy Tester IBM Rational Policy Tester 8.5 before 8.5.0.5 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof Jazz Team servers, obtain sensitive information, and modify the client-server data stream via a crafted certificate. | 6.8 |
| 2013-09-12 | CVE-2013-4329 | XEN | Permissions, Privileges, and Access Controls vulnerability in XEN The xenlight library (libxl) in Xen 4.0.x through 4.2.x, when IOMMU is disabled, provides access to a busmastering-capable PCI passthrough device before the IOMMU setup is complete, which allows local HVM guest domains to gain privileges or cause a denial of service via a DMA instruction. | 6.5 |
| 2013-09-12 | CVE-2013-3446 | Cisco | Improper Input Validation vulnerability in Cisco Digital Media Manager Open redirect vulnerability in the login page in Cisco Digital Media Manager (DMM) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors, aka Bug ID CSCub23849. | 5.8 |
| 2013-09-12 | CVE-2013-3039 | IBM | Improper Authentication vulnerability in IBM Rational Requirements Composer IBM Rational Requirements Composer before 4.0.4 does not properly perform authentication, which has unspecified impact and remote attack vectors. | 5.4 |
| 2013-09-12 | CVE-2013-3038 | IBM | Credentials Management vulnerability in IBM Rational Requirements Composer Unspecified vulnerability in IBM Rational Requirements Composer before 4.0.4 makes it easier for remote attackers to discover credentials via unknown vectors. | 5.4 |
| 2013-09-13 | CVE-2013-5492 | Cisco | Cryptographic Issues vulnerability in Cisco Socialminer administration.jsp in Cisco SocialMiner allows remote attackers to obtain sensitive information by sniffing the network for HTTP client-server traffic, aka Bug ID CSCuh76780. | 5.0 |
| 2013-09-13 | CVE-2013-5489 | Cisco | Permissions, Privileges, and Access Controls vulnerability in Cisco Socialminer The gadget implementation in Cisco SocialMiner does not properly restrict the content of GET requests, which allows remote attackers to obtain sensitive information by reading (1) web-server access logs, (2) web-server Referer logs, or (3) the browser history, aka Bug ID CSCuh74125. | 5.0 |
| 2013-09-12 | CVE-2013-5216 | Capasystems | Path Traversal vulnerability in Capasystems Performance Guard Directory traversal vulnerability in logreader/uploadreader.jsp in CapaSystems Performance Guard before 6.2.102 allows remote attackers to read arbitrary files via unspecified vectors. | 5.0 |
| 2013-09-12 | CVE-2013-5488 | Cisco | Improper Input Validation vulnerability in Cisco products Cisco Common Services, as used in Cisco Prime LAN Management Solution (LMS), Cisco Security Manager, Cisco Unified Service Monitor, and Cisco Unified Operations Manager, does not properly interact with the ActiveMQ component, which allows remote attackers to cause a denial of service (memory consumption) via simultaneous TCP sessions, aka Bug IDs CSCuh54766, CSCuh01267, CSCuh95976, and CSCuh95969. | 5.0 |
| 2013-09-11 | CVE-2013-3160 | Microsoft | Information Exposure vulnerability in Microsoft Office, Word and Word Viewer Microsoft Office 2003 SP3 and 2007 SP3, Word 2003 SP3 and 2007 SP3, and Word Viewer allow remote attackers to read arbitrary files via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, aka "XML External Entities Resolution Vulnerability." | 5.0 |
| 2013-09-11 | CVE-2013-0081 | Microsoft | Improper Input Validation vulnerability in Microsoft products Microsoft SharePoint Portal Server 2003 SP3 and SharePoint Server 2007 SP3, 2010 SP1 and SP2, and 2013 do not properly process unassigned workflows, which allows remote attackers to cause a denial of service (W3WP process hang) via a crafted URL, aka "SharePoint Denial of Service Vulnerability." | 5.0 |
| 2013-09-10 | CVE-2013-4283 | Fedoraproject | Improper Input Validation vulnerability in Fedoraproject 389 Directory Server ns-slapd in 389 Directory Server before 1.3.0.8 allows remote attackers to cause a denial of service (server crash) via a crafted Distinguished Name (DN) in a MOD operation request. | 5.0 |
| 2013-09-10 | CVE-2013-5700 | Bitcoin | Numeric Errors vulnerability in Bitcoin Bitcoin-Qt and Bitcoin Core The Bloom Filter implementation in bitcoind and Bitcoin-Qt 0.8.x before 0.8.4rc1 allows remote attackers to cause a denial of service (divide-by-zero error and daemon crash) via a crafted sequence of messages. | 5.0 |
| 2013-09-09 | CVE-2013-5642 | Digium | Improper Input Validation vulnerability in Digium Asterisk, Asterisk Digiumphones and Certified Asterisk The SIP channel driver (channels/chan_sip.c) in Asterisk Open Source 1.8.x before 1.8.23.1, 10.x before 10.12.3, and 11.x before 11.5.1; Certified Asterisk 1.8.15 before 1.8.15-cert3 and 11.2 before 11.2-cert2; and Asterisk Digiumphones 10.x-digiumphones before 10.12.3-digiumphones allows remote attackers to cause a denial of service (NULL pointer dereference, segmentation fault, and daemon crash) via an invalid SDP that defines a media description before the connection description in a SIP request. | 5.0 |
| 2013-09-09 | CVE-2013-5641 | Digium | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Digium Asterisk and Certified Asterisk The SIP channel driver (channels/chan_sip.c) in Asterisk Open Source 1.8.17.x through 1.8.22.x, 1.8.23.x before 1.8.23.1, and 11.x before 11.5.1 and Certified Asterisk 1.8.15 before 1.8.15-cert3 and 11.2 before 11.2-cert2 allows remote attackers to cause a denial of service (NULL pointer dereference, segmentation fault, and daemon crash) via an ACK with SDP to a previously terminated channel. | 5.0 |
| 2013-09-09 | CVE-2013-4900 | Twilightcms | Path Traversal vulnerability in Twilightcms Twilight CMS 5.17 Directory traversal vulnerability in DeWeS web server 0.4.2 and possibly earlier, as used in Twilight CMS, allows remote attackers to read arbitrary files via a ..%5c (dot dot encoded backslash) in a GET request. | 5.0 |
| 2013-09-12 | CVE-2013-3036 | IBM | Improper Input Validation vulnerability in IBM Rational Requirements Composer Open redirect vulnerability in IBM Rational Requirements Composer before 4.0.4 allows remote authenticated users to redirect users to arbitrary web sites and conduct phishing attacks via a crafted URL. | 4.9 |
| 2013-09-09 | CVE-2013-2794 | Trianglemicroworks | Buffer Errors vulnerability in Trianglemicroworks products Triangle MicroWorks SCADA Data Gateway 2.50.0309 through 3.00.0616, DNP3 .NET Protocol components 3.06.0.171 through 3.15.0.369, and DNP3 C libraries 3.06.0000 through 3.15.0000 allow physically proximate attackers to cause a denial of service (infinite loop) via crafted input over a serial line. | 4.9 |
| 2013-09-12 | CVE-2013-3037 | IBM | Permissions, Privileges, and Access Controls vulnerability in IBM Rational Requirements Composer Unspecified vulnerability in IBM Rational Requirements Composer before 4.0.4 makes it easier for local users to gain privileges via unknown vectors. | 4.4 |
| 2013-09-13 | CVE-2013-5649 | Juniper | Cross-Site Scripting vulnerability in Juniper IVE OS Multiple cross-site scripting (XSS) vulnerabilities in Juniper Junos Pulse Secure Access Service (aka SSL VPN) with IVE OS 7.1 before 7.1r15, 7.2 before 7.2r11, 7.3 before 7.3r6, and 7.4 before 7.4r3 allow (1) remote attackers to inject arbitrary web script or HTML via vectors involving login pages, and allow (2) remote authenticated users to inject arbitrary web script or HTML via vectors involving a support page. | 4.3 |
| 2013-09-13 | CVE-2013-5482 | Cisco | Permissions, Privileges, and Access Controls vulnerability in Cisco Prime LAN Management Solution Cisco Prime LAN Management Solution (LMS) does not properly restrict use of IFRAME elements, which makes it easier for remote attackers to conduct clickjacking attacks and unspecified other attacks via a crafted web site, related to a "cross-frame scripting (XFS)" issue, aka Bug ID CSCug77823. | 4.3 |
| 2013-09-13 | CVE-2013-4705 | Opera | Cross-Site Scripting vulnerability in Opera Browser Cross-site scripting (XSS) vulnerability in Opera before 15.00 allows remote attackers to inject arbitrary web script or HTML by leveraging UTF-8 encoding. | 4.3 |
| 2013-09-12 | CVE-2013-4308 | Liquidthreads Project Mediawiki | Cross-Site Scripting vulnerability in Liquidthreads Project Liquidthreads 2.0/2.1 Cross-site scripting (XSS) vulnerability in pages/TalkpageHistoryView.php in the LiquidThreads (LQT) extension 2.x and possibly 3.x for MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allows remote attackers to inject arbitrary web script or HTML via a thread subject. | 4.3 |
| 2013-09-12 | CVE-2013-5738 | Wordpress | Improper Input Validation vulnerability in Wordpress The get_allowed_mime_types function in wp-includes/functions.php in WordPress before 3.6.1 does not require the unfiltered_html capability for uploads of .htm and .html files, which might make it easier for remote authenticated users to conduct cross-site scripting (XSS) attacks via a crafted file. | 4.3 |
| 2013-09-12 | CVE-2013-4307 | Mediawiki | Cross-Site Scripting vulnerability in Mediawiki Multiple cross-site scripting (XSS) vulnerabilities in repo/includes/EntityView.php in the Wikibase extension for MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allow (1) remote attackers to inject arbitrary web script or HTML via a label in the "In other languages" section or (2) remote administrators to inject arbitrary web script or HTML via a description. | 4.3 |
| 2013-09-11 | CVE-2013-3180 | Microsoft | Cross-Site Scripting vulnerability in Microsoft Sharepoint Foundation and Sharepoint Server Cross-site scripting (XSS) vulnerability in Microsoft SharePoint Server 2010 SP1 and SP2 and 2013 allows remote attackers to inject arbitrary web script or HTML via a crafted POST request, aka "POST XSS Vulnerability." | 4.3 |
| 2013-09-11 | CVE-2013-3179 | Microsoft | Cross-Site Scripting vulnerability in Microsoft products Cross-site scripting (XSS) vulnerability in Microsoft SharePoint Server 2007 SP3, 2010 SP1 and SP2, and 2013 allows remote attackers to inject arbitrary web script or HTML via a crafted request, aka "SharePoint XSS Vulnerability." | 4.3 |
| 2013-09-11 | CVE-2013-3159 | Microsoft | Improper Input Validation vulnerability in Microsoft Excel 2003/2007/2010 Microsoft Excel 2003 SP3, 2007 SP3, and 2010 SP1 and SP2; Excel Viewer; and Microsoft Office Compatibility Pack SP3 allow remote attackers to read arbitrary files via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, aka "XML External Entities Resolution Vulnerability." | 4.3 |
| 2013-09-11 | CVE-2013-3137 | Microsoft | Information Exposure vulnerability in Microsoft Frontpage 2003 Microsoft FrontPage 2003 SP3 does not properly parse DTDs, which allows remote attackers to obtain sensitive information via crafted XML data in a FrontPage document, aka "XML Disclosure Vulnerability." | 4.3 |
| 2013-09-10 | CVE-2013-4298 | Imagemagick | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Imagemagick The ReadGIFImage function in coders/gif.c in ImageMagick before 6.7.8-8 allows remote attackers to cause a denial of service (memory corruption and application crash) via a crafted comment in a GIF image. | 4.3 |
| 2013-09-10 | CVE-2013-4703 | Cybozu | Cross-Site Scripting vulnerability in Cybozu Office Cross-site scripting (XSS) vulnerability in the top-page customization feature in Cybozu Office before 9.3.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
| 2013-09-09 | CVE-2013-5716 | Gomlab | Improper Input Validation vulnerability in Gomlab GOM Player Gretech GOM Media Player 2.2.53.5169 and possibly earlier allows remote attackers to cause a denial of service (application crash) via a crafted WAV file. | 4.3 |
| 2013-09-09 | CVE-2013-5714 | Videowhisper Wordpress | Cross-Site Scripting vulnerability in Videowhisper Live Streaming Integration Plugin Multiple cross-site scripting (XSS) vulnerabilities in ls/htmlchat.php in the VideoWhisper Live Streaming Integration plugin 4.25.3 and possibly earlier for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) message parameter. | 4.3 |
| 2013-09-09 | CVE-2013-4899 | Twilightcms | Cross-Site Scripting vulnerability in Twilightcms Twilight CMS 5.17 Cross-site scripting (XSS) vulnerability in Twilight CMS 5.17 and possibly earlier allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to the gallery/ page. | 4.3 |
| 2013-09-09 | CVE-2013-2992 | IBM | Improper Input Validation vulnerability in IBM Websphere Commerce 7.0.0.4/7.0.0.5/7.0.0.6 The Search component in IBM WebSphere Commerce 7.0 FP4 through FP6, in certain search-term association configurations, allows remote attackers to cause a denial of service via a crafted query. | 4.3 |
| 2013-09-09 | CVE-2013-4061 | IBM | Improper Authentication vulnerability in IBM Rational Policy Tester IBM Rational Policy Tester 8.5 before 8.5.0.5 does not properly check authorization for changes to the set of authentication hosts, which allows remote authenticated users to perform spoofing attacks involving an HTTP redirect via unspecified vectors. | 4.0 |
4 Low Vulnerabilities
| DATE | CVE | VENDOR | VULNERABILITY | CVSS |
|---|---|---|---|---|
| 2013-09-12 | CVE-2013-5739 | Wordpress | Cross-Site Scripting vulnerability in Wordpress The default configuration of WordPress before 3.6.1 does not prevent uploads of .swf and .exe files, which might make it easier for remote authenticated users to conduct cross-site scripting (XSS) attacks via a crafted file, related to the get_allowed_mime_types function in wp-includes/functions.php. | 3.5 |
| 2013-09-12 | CVE-2013-4340 | Wordpress | Permissions, Privileges, and Access Controls vulnerability in Wordpress wp-admin/includes/post.php in WordPress before 3.6.1 allows remote authenticated users to spoof the authorship of a post by leveraging the Author role and providing a modified user_ID parameter. | 3.5 |
| 2013-09-09 | CVE-2013-3031 | IBM | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in IBM Soliddb A SQL stored procedure in the Universal Cache component in IBM solidDB 6.0.x before 6.0.1070, 6.3.x before 6.3.0.56, 6.5.x before 6.5.0.12, and 7.0.x before 7.0.0.4 allows remote authenticated users to cause a denial of service (uninitialized-memory access and daemon crash) via a call that includes named arguments and default parameter values, but does not include all of the expected arguments. | 3.5 |
| 2013-09-12 | CVE-2013-5724 | Debian | Permissions, Privileges, and Access Controls vulnerability in Debian PHPbb3 Phpbb3 before 3.0.11-4 for Debian GNU/Linux uses world-writable permissions for cache files, which allows local users to modify the file contents via standard filesystem write operations. | 2.1 |