Weekly Vulnerabilities Reports > September 16 to 22, 2013
Overview
128 new vulnerabilities were reported during this period, including 16 critical and 12 high-severity vulnerabilities. This weekly summary covers vulnerabilities in 139 products from 30 vendors, including Apple, Cisco, Mozilla, IBM, and Wireshark. The most common weakness categories are "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Permissions, Privileges, and Access Controls", "Improper Input Validation", "Cross-site Scripting", and "Resource Management Errors".
- 110 reported vulnerabilities are remotely exploitable.
- 1 reported vulnerability has a public exploit available.
- 23 reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
- 115 reported vulnerabilities are exploitable by an anonymous user.
- Apple has the most reported vulnerabilities, with 52.
- HP has the most reported critical vulnerabilities, with 4.
Vulnerability Details
The following tables list the reported vulnerabilities for the period covered by this report, grouped by severity:
16 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2013-09-20 | CVE-2010-5290 | Adobe | Credentials Management vulnerability in Adobe Coldfusion The authentication process in Adobe ColdFusion before 10 does not require knowledge of the cleartext password if the password hash is known, which makes it easier for context-dependent attackers to obtain administrative privileges by leveraging read access to the configuration file, a different vulnerability than CVE-2010-2861. | 10.0 |
2013-09-18 | CVE-2013-1719 | Mozilla | Buffer Errors vulnerability in Mozilla Firefox, Seamonkey and Thunderbird Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 24.0, Thunderbird before 24.0, and SeaMonkey before 2.21 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. | 10.0 |
2013-09-17 | CVE-2013-5754 | Dahuasecurity | Permissions, Privileges, and Access Controls vulnerability in Dahuasecurity products The authorization implementation on Dahua DVR appliances accepts a hash string representing the current date for the role of a master password, which makes it easier for remote attackers to obtain administrative access and change the administrator password via requests involving (1) ActiveX, (2) a standalone client, or (3) unspecified other vectors, a different vulnerability than CVE-2013-3612. | 10.0 |
2013-09-17 | CVE-2013-3612 | Dahuasecurity | Credentials Management vulnerability in Dahuasecurity products Dahua DVR appliances have a hardcoded password for (1) the root account and (2) an unspecified "backdoor" account, which makes it easier for remote attackers to obtain administrative access via authorization requests involving (a) ActiveX, (b) a standalone client, or (c) unknown other vectors. | 10.0 |
2013-09-16 | CVE-2013-4813 | HP | Code Injection vulnerability in HP Identity Driven Manager and Procurve Manager The Agent (aka AgentController) servlet in HP ProCurve Manager (PCM) 3.20 and 4.0, PCM+ 3.20 and 4.0, and Identity Driven Manager (IDM) 4.0 allows remote attackers to execute arbitrary commands via a HEAD request, aka ZDI-CAN-1745. | 10.0 |
2013-09-16 | CVE-2013-4812 | HP | Improper Input Validation vulnerability in HP Identity Driven Manager and Procurve Manager UpdateCertificatesServlet in the SNAC registration server in HP ProCurve Manager (PCM) 3.20 and 4.0, PCM+ 3.20 and 4.0, and Identity Driven Manager (IDM) 4.0 does not properly validate the fileName argument, which allows remote attackers to upload .jsp files and consequently execute arbitrary code via unspecified vectors, aka ZDI-CAN-1743. | 10.0 |
2013-09-16 | CVE-2013-4811 | HP | Improper Input Validation vulnerability in HP Identity Driven Manager and Procurve Manager UpdateDomainControllerServlet in the SNAC registration server in HP ProCurve Manager (PCM) 3.20 and 4.0, PCM+ 3.20 and 4.0, and Identity Driven Manager (IDM) 4.0 does not properly validate the adCert argument, which allows remote attackers to upload .jsp files and consequently execute arbitrary code via unspecified vectors, aka ZDI-CAN-1743. | 10.0 |
2013-09-16 | CVE-2013-4810 | HP | Code Injection vulnerability in HP products HP ProCurve Manager (PCM) 3.20 and 4.0, PCM+ 3.20 and 4.0, Identity Driven Manager (IDM) 4.0, and Application Lifecycle Management allow remote attackers to execute arbitrary code via a marshalled object to (1) EJBInvokerServlet or (2) JMXInvokerServlet, aka ZDI-CAN-1760. | 9.8 |
2013-09-19 | CVE-2013-5139 | Apple | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple Iphone OS The IOSerialFamily driver in Apple iOS before 7 allows attackers to execute arbitrary code or cause a denial of service (out-of-bounds array access) via a crafted application. | 9.3 |
2013-09-19 | CVE-2013-1035 | Apple | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple Itunes The iTunes ActiveX control in Apple iTunes before 11.1 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site. | 9.3 |
2013-09-18 | CVE-2013-3893 | Microsoft | Resource Management Errors vulnerability in Microsoft Internet Explorer Use-after-free vulnerability in the SetMouseCapture implementation in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code via crafted JavaScript strings, as demonstrated by use of an ms-help: URL that triggers loading of hxds.dll. | 9.3 |
2013-09-18 | CVE-2013-1738 | Mozilla | Resource Management Errors vulnerability in Mozilla Firefox, Seamonkey and Thunderbird Use-after-free vulnerability in the JS_GetGlobalForScopeChain function in Mozilla Firefox before 24.0, Thunderbird before 24.0, and SeaMonkey before 2.21 allows remote attackers to execute arbitrary code by leveraging incorrect garbage collection in situations involving default compartments and frame-chain restoration. | 9.3 |
2013-09-18 | CVE-2013-1724 | Mozilla | Resource Management Errors vulnerability in Mozilla Firefox, Seamonkey and Thunderbird Use-after-free vulnerability in the mozilla::dom::HTMLFormElement::IsDefaultSubmitElement function in Mozilla Firefox before 24.0, Thunderbird before 24.0, and SeaMonkey before 2.21 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via vectors involving a destroyed SELECT element. | 9.3 |
2013-09-18 | CVE-2013-1721 | Mozilla | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Mozilla Firefox and Seamonkey Integer overflow in the drawLineLoop function in the libGLESv2 library in Almost Native Graphics Layer Engine (ANGLE), as used in Mozilla Firefox before 24.0 and SeaMonkey before 2.21, allows remote attackers to execute arbitrary code via a crafted web site. | 9.3 |
2013-09-17 | CVE-2013-3614 | Dahuasecurity | Permissions, Privileges, and Access Controls vulnerability in Dahuasecurity products Dahua DVR appliances have a small value for the maximum password length, which makes it easier for remote attackers to obtain access via a brute-force attack. | 9.3 |
2013-09-16 | CVE-2013-5369 | IBM | Code Injection vulnerability in IBM Spss Analytical Decision Management 6.1.0.0/6.2.0.0/7.0.0.0 IBM SPSS Analytical Decision Management 6.1 before IF1, 6.2 before IF1, and 7.0 before FP1 IF6 might allow remote attackers to execute arbitrary code by deploying and accessing a service. | 9.3 |
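CVE-2010-5290 in the table above describes a login that can be completed with the stored password hash alone. The Python below is an added illustration written for this report, not Adobe's code: it models one common shape of that flaw, a challenge-response in which the client proves knowledge of the stored hash rather than of the password, so read access to the hash is as good as the password, and contrasts it with a server-side salted PBKDF2 verifier against which the password itself must be submitted. The protocol shape, the SHA-1 verifier format and the PBKDF2 parameters are assumptions for the example.

```python
"""Pass-the-hash in a challenge-response login (the CVE-2010-5290 class of flaw).

Constructed illustration, not ColdFusion's code. The server stores H = sha1(password).
Login: server sends a random salt, client sends HMAC(salt, H). Because the server can
verify using only H, anyone who read H from the configuration file can log in without
ever knowing the cleartext password.
"""
import hashlib
import hmac
import os
from typing import Dict, Tuple

def legacy_store(password: str) -> str:
    # Legacy verifier: unsalted SHA-1 hex digest (assumption: mirrors a hash that sits
    # in a readable config file).
    return hashlib.sha1(password.encode()).hexdigest().upper()

def legacy_challenge() -> str:
    return os.urandom(16).hex()

def legacy_client_response(password_hash: str, salt: str) -> str:
    # The client computes HMAC-SHA1(salt, hash). A client that already holds the hash
    # never needs the cleartext password.
    return hmac.new(salt.encode(), password_hash.encode(), hashlib.sha1).hexdigest()

def legacy_server_verify(stored_hash: str, salt: str, response: str) -> bool:
    expected = hmac.new(salt.encode(), stored_hash.encode(), hashlib.sha1).hexdigest()
    return hmac.compare_digest(expected, response)

# Hardened design: the stored verifier is a salted, iterated PBKDF2 digest and the client
# submits the password itself (over TLS). Holding the verifier does not let you log in,
# because verification takes the password, not the verifier, as input.
PBKDF2_ROUNDS = 100_000  # assumption: illustrative work factor

def hardened_store(password: str) -> Tuple[bytes, bytes]:
    salt = os.urandom(16)
    verifier = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, verifier

def hardened_server_verify(record: Tuple[bytes, bytes], submitted_password: str) -> bool:
    salt, verifier = record
    candidate = hashlib.pbkdf2_hmac("sha256", submitted_password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(verifier, candidate)

def demo() -> Dict[str, bool]:
    """Constructed scenario: the attacker obtained only the stored hash / verifier."""
    password = "correct horse battery staple"
    stored = legacy_store(password)
    salt = legacy_challenge()
    attacker_response = legacy_client_response(stored, salt)  # no password involved
    record = hardened_store(password)
    return {
        "legacy_pass_the_hash_works": legacy_server_verify(stored, salt, attacker_response),
        "legacy_real_user_works": legacy_server_verify(
            stored, salt, legacy_client_response(legacy_store(password), salt)),
        "hardened_verifier_only_fails": not hardened_server_verify(record, record[1].hex()),
        "hardened_password_works": hardened_server_verify(record, password),
    }

if __name__ == "__main__":
    print(demo())
```

The legacy scheme is not wrong because it uses HMAC; it is wrong because the value the server must know to verify is exactly the value the client must know to authenticate. Any design with that property turns every read of the credential store into a credential theft.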
12 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2013-09-16 | CVE-2013-4049 | IBM | Arbitrary File Upload vulnerability in IBM Spss Analytical Decision Management 6.1.0.0/6.2.0.0/7.0.0.0 Unrestricted file upload vulnerability in IBM SPSS Analytical Decision Management 6.1 before IF1, 6.2 before IF1, and 7.0 before FP1 IF6 allows remote authenticated users to execute arbitrary code by uploading and accessing a JSP file. | 8.5 |
2013-09-17 | CVE-2013-5709 | Siemens | Numeric Errors vulnerability in Siemens products The authentication implementation in the web server on Siemens SCALANCE X-200 switches with firmware before 5.0.0 does not use a sufficient source of entropy for generating values of random numbers, which makes it easier for remote attackers to hijack sessions by predicting a value. | 8.3 |
2013-09-20 | CVE-2013-3473 | Cisco | Improper Authentication vulnerability in Cisco Prime Central FOR Hosted Collaboration Solution Assurance The web framework in Cisco Prime Central for Hosted Collaboration Solution (HCS) Assurance before 9.1.1 does not properly determine the existence of an authenticated session, which allows remote attackers to discover usernames and passwords via an HTTP request, aka Bug ID CSCud32600. | 7.8 |
2013-09-19 | CVE-2013-5140 | Apple | Improper Input Validation vulnerability in Apple Iphone OS The kernel in Apple iOS before 7 allows remote attackers to cause a denial of service (assertion failure and device restart) via an invalid packet fragment. | 7.8 |
2013-09-17 | CVE-2013-3615 | Dahuasecurity | Credentials Management vulnerability in Dahuasecurity products Dahua DVR appliances use a password-hash algorithm with a short hash length, which makes it easier for context-dependent attackers to discover cleartext passwords via a brute-force attack. | 7.8 |
2013-09-17 | CVE-2013-3613 | Dahuasecurity | Improper Authentication vulnerability in Dahuasecurity products Dahua DVR appliances do not properly restrict UPnP requests, which makes it easier for remote attackers to obtain access via vectors involving a replay attack against the TELNET port. | 7.8 |
2013-09-16 | CVE-2013-5674 | Moodle | Code Injection vulnerability in Moodle 2.5.0/2.5.1 badges/external.php in Moodle 2.5.x before 2.5.2 does not properly handle an object obtained by unserializing a description of an external badge, which allows remote attackers to conduct PHP object injection attacks via unspecified vectors, as demonstrated by overwriting the value of the userid parameter. | 7.5 |
2013-09-16 | CVE-2013-4313 | Moodle | SQL Injection vulnerability in Moodle Moodle through 2.2.11, 2.3.x before 2.3.9, 2.4.x before 2.4.6, and 2.5.x before 2.5.2 does not prevent use of '\0' characters in query strings, which might allow remote attackers to conduct SQL injection attacks against Microsoft SQL Server via a crafted string. | 7.5 |
2013-09-16 | CVE-2013-4809 | HP | SQL Injection vulnerability in HP Identity Driven Manager and Procurve Manager Multiple SQL injection vulnerabilities in GetEventsServlet in HP ProCurve Manager (PCM) 3.20 and 4.0, PCM+ 3.20 and 4.0, and Identity Driven Manager (IDM) 4.0 allow remote attackers to execute arbitrary SQL commands via the (1) sort or (2) dir parameter. | 7.5 |
2013-09-20 | CVE-2013-4068 | IBM | Buffer Errors vulnerability in IBM Lotus Domino and Lotus Inotes Buffer overflow in iNotes in IBM Domino 8.5.3 before FP5 IF1 and 9.0 before IF4 allows remote authenticated users to execute arbitrary code via unspecified vectors, aka SPR PTHN9ADPA8. | 7.1 |
2013-09-19 | CVE-2013-5155 | Apple | Improper Input Validation vulnerability in Apple Iphone OS The Sandbox subsystem in Apple iOS before 7 allows attackers to cause a denial of service (infinite loop) via an application that writes crafted values to /dev/random. | 7.1 |
2013-09-19 | CVE-2013-5141 | Apple | Numeric Errors vulnerability in Apple Iphone OS The kernel in Apple iOS before 7 uses an incorrect data size for a certain integer variable, which allows attackers to cause a denial of service (infinite loop and device hang) via a crafted application, related to an "integer truncation vulnerability." | 7.1 |
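CVE-2013-5709 (Siemens SCALANCE X-200) is a case of session identifiers drawn from a source with too little entropy. The Python below is an added, constructed illustration of that weakness class, not Siemens' firmware: a server that seeds a PRNG from a small value (here an assumed seconds-since-boot counter bounded by SEED_SPACE) lets an attacker who observes a single session ID brute-force the seed and predict the IDs issued next; strong_session_id() shows the fix. The ID derivation and the seed bound are assumptions for the example.

```python
"""Weak session-ID entropy (the CVE-2013-5709 class of flaw), constructed illustration.

Not Siemens' code. A PRNG seeded from a small, guessable value produces session IDs an
attacker can reproduce once a single ID has been seen.
"""
import hashlib
import random
import secrets
from typing import List, Optional

SEED_SPACE = 2 ** 16  # assumption: the "uptime in seconds" seed fits in this range

def weak_session_ids(seed: int, count: int) -> List[str]:
    """Server side (flawed): session IDs are a hash of successive outputs of a
    deterministic PRNG seeded with a low-entropy value."""
    rng = random.Random(seed)
    return [hashlib.sha1(str(rng.getrandbits(64)).encode()).hexdigest()[:16]
            for _ in range(count)]

def recover_seed(observed_id: str, seed_space: int = SEED_SPACE) -> Optional[int]:
    """Attacker side: search the seed space for the seed whose first session ID
    matches the one observed on the wire."""
    for seed in range(seed_space):
        if weak_session_ids(seed, 1)[0] == observed_id:
            return seed
    return None

def predict_next_ids(observed_id: str, count: int) -> List[str]:
    """Attacker side: with the seed recovered, replay the generator to obtain the IDs
    the server will hand to the next `count` users."""
    seed = recover_seed(observed_id)
    if seed is None:
        return []
    return weak_session_ids(seed, count + 1)[1:]

def strong_session_id() -> str:
    """Fix: draw session IDs from the OS CSPRNG. There is no seed to recover and
    128 bits of entropy per ID make guessing infeasible."""
    return secrets.token_hex(16)

if __name__ == "__main__":
    issued = weak_session_ids(12345, 3)          # constructed: server booted 12345 s ago
    print("observed:", issued[0])
    print("predicted next two:", predict_next_ids(issued[0], 2), "actual:", issued[1:])
    print("strong id:", strong_session_id())
```

Hashing the PRNG output, as the flawed generator does, hides the raw state but adds no entropy; the search cost is set by the seed space, not by the hash. The same reasoning applies to any token (CSRF, password reset, API key) derived from a non-cryptographic generator.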
89 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2013-09-17 | CVE-2013-2297 | Eucalyptus | Credentials Management vulnerability in Eucalyptus Eustore Eucalyptus EuStore sets a blank root password in the default configuration of EMI 3868652036, EMI 0400376721, EMI 2425352071, and EMI 1347115203, which allows local users to gain privileges via unspecified vectors, a related issue to CVE-2013-2069. | 6.9 |
2013-09-20 | CVE-2013-4053 | IBM | Improper Input Validation vulnerability in IBM products The WS-Security implementation in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.47, 7.0 before 7.0.0.31, 8.0 before 8.0.0.8, and 8.5 before 8.5.5.1, and WAS Feature Pack for Web Services 6.1 before 6.1.0.47, when a trust store is configured for XML Digital Signatures, does not properly verify X.509 certificates, which allows remote attackers to obtain privileged access via unspecified vectors. | 6.8 |
2013-09-20 | CVE-2012-4082 | Cisco | Improper Input Validation vulnerability in Cisco Unified Computing System MCTools in the Cisco Management Controller in Cisco Unified Computing System (UCS) allows local users to gain privileges by entering crafted command-line parameters on a Fabric Interconnect device, aka Bug ID CSCtg20749. | 6.8 |
2013-09-20 | CVE-2013-1130 | Cisco Apple | Permissions, Privileges, and Access Controls vulnerability in Cisco Anyconnect Secure Mobility Client Cisco AnyConnect Secure Mobility Client on Mac OS X uses weak permissions for a library directory, which allows local users to gain privileges via a crafted library file, aka Bug ID CSCue33619. | 6.8 |
2013-09-20 | CVE-2013-4709 | IIJ | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in IIJ products Buffer overflow in the PPP Access Concentrator (PPPAC) on the SEIL/x86 with firmware before 2.82, SEIL/X1 with firmware before 4.32, SEIL/X2 with firmware before 4.32, SEIL/B1 with firmware before 4.32, SEIL/Turbo with firmware before 2.16, and SEIL/neu 2FE Plus with firmware before 2.16 allows remote attackers to execute arbitrary code via a crafted L2TP message. | 6.8 |
2013-09-19 | CVE-2013-5128 | Apple | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple Iphone OS WebKit, as used in Apple iOS before 7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2013-09-18-2. | 6.8 |
2013-09-19 | CVE-2013-5127 | Apple | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple Iphone OS WebKit, as used in Apple iOS before 7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2013-09-18-2. | 6.8 |
2013-09-19 | CVE-2013-5126 | Apple | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple Iphone OS WebKit, as used in Apple iOS before 7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2013-09-18-2. | 6.8 |
2013-09-19 | CVE-2013-5125 | Apple | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple Iphone OS WebKit, as used in Apple iOS before 7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2013-09-18-2. | 6.8 |
2013-09-19 | CVE-2013-1047 | Apple | Buffer Errors vulnerability in Apple Iphone OS, Itunes and Safari WebKit, as used in Apple iOS before 7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2013-09-18-2. | 6.8 |
2013-09-19 | CVE-2013-1046 | Apple | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple Iphone OS WebKit, as used in Apple iOS before 7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2013-09-18-2. | 6.8 |
2013-09-19 | CVE-2013-1045 | Apple | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple Iphone OS WebKit, as used in Apple iOS before 7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2013-09-18-2. | 6.8 |
2013-09-19 | CVE-2013-1044 | Apple | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple Iphone OS WebKit, as used in Apple iOS before 7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2013-09-18-2. | 6.8 |
2013-09-19 | CVE-2013-1043 | Apple | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple Iphone OS WebKit, as used in Apple iOS before 7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2013-09-18-2. | 6.8 |
2013-09-19 | CVE-2013-1042 | Apple | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple Iphone OS WebKit, as used in Apple iOS before 7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2013-09-18-2. | 6.8 |
2013-09-19 | CVE-2013-1041 | Apple | Buffer Errors vulnerability in Apple Iphone OS, Itunes and Safari WebKit, as used in Apple iOS before 7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2013-09-18-2. | 6.8 |
2013-09-19 | CVE-2013-1040 | Apple | Buffer Errors vulnerability in Apple Iphone OS, Itunes and Safari WebKit, as used in Apple iOS before 7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2013-09-18-2. | 6.8 |
2013-09-19 | CVE-2013-1039 | Apple | Buffer Errors vulnerability in Apple Iphone OS, Itunes and Safari WebKit, as used in Apple iOS before 7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2013-09-18-2. | 6.8 |
2013-09-19 | CVE-2013-1038 | Apple | Buffer Errors vulnerability in Apple Iphone OS, Itunes and Safari WebKit, as used in Apple iOS before 7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2013-09-18-2. | 6.8 |
2013-09-19 | CVE-2013-1037 | Apple | Buffer Errors vulnerability in Apple Iphone OS, Itunes and Safari WebKit, as used in Apple iOS before 7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2013-09-18-2. | 6.8 |
2013-09-19 | CVE-2013-1036 | Apple | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple Iphone OS Safari in Apple iOS before 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document. | 6.8 |
2013-09-18 | CVE-2013-1731 | Mozilla | Improper Input Validation vulnerability in Mozilla Firefox Untrusted search path vulnerability in the GL tracing functionality in Mozilla Firefox before 24.0 on Android allows attackers to execute arbitrary code via a Trojan horse .so file in a world-writable directory. | 6.8 |
2013-09-18 | CVE-2013-1720 | Mozilla | Buffer Errors vulnerability in Mozilla Firefox, Seamonkey and Thunderbird The nsHtml5TreeBuilder::resetTheInsertionMode function in the HTML5 Tree Builder in Mozilla Firefox before 24.0, Thunderbird before 24.0, and SeaMonkey before 2.21 does not properly maintain the state of the insertion-mode stack for template elements, which allows remote attackers to execute arbitrary code or cause a denial of service (heap-based buffer over-read) by triggering use of this stack in its empty state. | 6.8 |
2013-09-16 | CVE-2013-4234 | Konstanty Bialkowski Debian | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products Multiple heap-based buffer overflows in the (1) abc_MIDI_drum and (2) abc_MIDI_gchord functions in load_abc.cpp in libmodplug 0.8.8.4 and earlier allow remote attackers to cause a denial of service (memory corruption and crash) and possibly execute arbitrary code via a crafted ABC. | 6.8 |
2013-09-16 | CVE-2013-4233 | Konstanty Bialkowski Debian | Numeric Errors vulnerability in multiple products Integer overflow in the abc_set_parts function in load_abc.cpp in libmodplug 0.8.8.4 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted P header in an ABC file, which triggers a heap-based buffer overflow. | 6.8 |
2013-09-16 | CVE-2013-5494 | Cisco | Cross-Site Request Forgery (CSRF) vulnerability in Cisco products Cross-site request forgery (CSRF) vulnerability in the web framework in Cisco Unified MeetingPlace Solution, as used in Unified MeetingPlace Web Conferencing and Unified MeetingPlace, allows remote attackers to hijack the authentication of arbitrary users, aka Bug IDs CSCui45209 and CSCui44674. | 6.8 |
2013-09-16 | CVE-2013-1032 | Apple | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple mac OS X and Quicktime QuickTime in Apple Mac OS X before 10.8.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted idsc atom in a QuickTime movie file. | 6.8 |
2013-09-16 | CVE-2013-1027 | Apple | Permissions, Privileges, and Access Controls vulnerability in Apple mac OS X Installer in Apple Mac OS X before 10.8.5 provides an option to continue a package's installation after encountering a revoked certificate, which might allow user-assisted remote attackers to execute arbitrary code via a crafted package. | 6.8 |
2013-09-16 | CVE-2013-1026 | Apple | Buffer Errors vulnerability in Apple Iphone OS and mac OS X Buffer overflow in ImageIO in Apple Mac OS X before 10.8.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted JPEG2000 data in a PDF document. | 6.8 |
2013-09-16 | CVE-2013-1025 | Apple | Buffer Errors vulnerability in Apple Iphone OS and mac OS X Buffer overflow in CoreGraphics in Apple Mac OS X before 10.8.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted JBIG2 data in a PDF document. | 6.8 |
2013-09-20 | CVE-2013-4707 | Dlink | Permissions, Privileges, and Access Controls vulnerability in Dlink Des-3810 and Des-3810 Firmware The SSH implementation on D-Link Japan DES-3810 devices with firmware before R2.20.011 allows remote authenticated users to cause a denial of service (device hang) by leveraging login access. | 6.3 |
2013-09-20 | CVE-2013-4706 | Dlink | Permissions, Privileges, and Access Controls vulnerability in Dlink Dwl-2100Ap and Dwl-2100Ap Firmware The SSH implementation on the D-Link Japan DWL-2100AP with firmware before R252JP-RC572 allows remote authenticated users to cause a denial of service (reboot) by leveraging login access. | 6.3 |
2013-09-19 | CVE-2013-5145 | Apple | Permissions, Privileges, and Access Controls vulnerability in Apple Iphone OS kextd in Kext Management in Apple iOS before 7 does not properly verify authorization for IPC messages, which allows local users to (1) load or (2) unload kernel extensions via a crafted message. | 6.3 |
2013-09-16 | CVE-2013-5496 | Cisco | Improper Input Validation vulnerability in Cisco Nx-Os Open Network Environment Platform (ONEP) in Cisco NX-OS allows remote authenticated users to cause a denial of service (network-element reload) via a crafted packet, aka Bug ID CSCui51551. | 6.3 |
2013-09-19 | CVE-2011-2391 | Apple | Improper Input Validation vulnerability in Apple Iphone OS, Itunes and mac OS X The IPv6 implementation in the kernel in Apple iOS before 7 allows remote attackers to cause a denial of service (CPU consumption) via crafted ICMPv6 packets. | 6.1 |
2013-09-20 | CVE-2012-4074 | Cisco | Credentials Management vulnerability in Cisco Unified Computing System The Board Management Controller (BMC) in the Serial over LAN (SoL) subsystem in Cisco Unified Computing System (UCS) relies on a hardcoded private key, which allows man-in-the-middle attackers to obtain sensitive information or modify the data stream by leveraging knowledge of this key, aka Bug ID CSCte90338. | 5.8 |
2013-09-20 | CVE-2012-4073 | Cisco | Cryptographic Issues vulnerability in Cisco Unified Computing System The KVM subsystem in the client in Cisco Unified Computing System (UCS) does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers, and read or modify KVM data, via a crafted certificate, aka Bug ID CSCte90332. | 5.8 |
2013-09-19 | CVE-2013-0957 | Apple | Permissions, Privileges, and Access Controls vulnerability in Apple Iphone OS Data Protection in Apple iOS before 7 allows attackers to bypass intended limits on incorrect passcode entry, and consequently avoid a configured Erase Data setting, by leveraging the presence of an app in the third-party sandbox. | 5.8 |
2013-09-16 | CVE-2013-1028 | Apple | Improper Input Validation vulnerability in Apple Iphone OS and mac OS X The IPSec implementation in Apple Mac OS X before 10.8.5, when Hybrid Auth is used, does not verify X.509 certificates from security gateways, which allows man-in-the-middle attackers to spoof security gateways and obtain sensitive information via a crafted certificate. | 5.8 |
2013-09-16 | CVE-2012-6087 | Moodle | Improper Input Validation vulnerability in Moodle repository/s3/S3.php in the Amazon S3 library in Moodle through 2.2.11, 2.3.x before 2.3.9, 2.4.x before 2.4.6, and 2.5.x before 2.5.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, related to an incorrect CURLOPT_SSL_VERIFYHOST value. | 5.8 |
2013-09-17 | CVE-2013-2296 | Eucalyptus | Permissions, Privileges, and Access Controls vulnerability in Eucalyptus Walrus in Eucalyptus before 3.2.2 does not verify authorization for the GetBucketLoggingStatus, SetBucketLoggingStatus, and SetBucketVersioningStatus bucket operations, which allows remote authenticated users to bypass intended restrictions on (1) modifying the logging setting, (2) modifying the versioning setting, or (3) accessing activity logs via a request. | 5.5 |
2013-09-16 | CVE-2013-1033 | Apple | Permissions, Privileges, and Access Controls vulnerability in Apple mac OS X Screen Lock in Apple Mac OS X before 10.8.5 does not properly track sessions, which allows remote authenticated users to bypass locking by leveraging screen-sharing access. | 5.5 |
2013-09-19 | CVE-2013-1121 | Cisco | Resource Management Errors vulnerability in Cisco Nx-Os The regex engine in the BGP implementation in Cisco NX-OS, when a complex regular expression is configured for inbound routes, allows remote attackers to cause a denial of service (device reload) via a crafted AS path set, aka Bug ID CSCuf49554. | 5.4 |
2013-09-16 | CVE-2013-5650 | Juniper | Improper Input Validation vulnerability in Juniper products Junos Pulse Secure Access Service (IVE) 7.1 before 7.1r5, 7.2 before 7.2r10, 7.3 before 7.3r6, and 7.4 before 7.4r3 and Junos Pulse Access Control Service (UAC) 4.1 before 4.1r8.1, 4.2 before 4.2r5, 4.3 before 4.3r6 and 4.4 before 4.4r3, when a hardware SSL acceleration card is enabled, allows remote attackers to cause a denial of service (device hang) via a crafted packet. | 5.4 |
2013-09-19 | CVE-2013-5157 | Apple | Permissions, Privileges, and Access Controls vulnerability in Apple Iphone OS The Twitter subsystem in Apple iOS before 7 does not require API conformity for access to Twitter daemon interfaces, which allows attackers to post Tweets via a crafted app that sends direct requests to the daemon. | 5.0 |
2013-09-16 | CVE-2013-5751 | SAP | Path Traversal vulnerability in SAP Netweaver Directory traversal vulnerability in SAP NetWeaver 7.x allows remote attackers to read arbitrary files via unspecified vectors. | 5.0 |
2013-09-16 | CVE-2013-4315 | Djangoproject | Path Traversal vulnerability in Djangoproject Django Directory traversal vulnerability in Django 1.4.x before 1.4.7, 1.5.x before 1.5.3, and 1.6.x before 1.6 beta 3 allows remote attackers to read arbitrary files via a file path in the ALLOWED_INCLUDE_ROOTS setting followed by a .. (dot dot) | 5.0 |
2013-09-16 | CVE-2013-4132 | KDE Opensuse | Cryptographic Issues vulnerability in multiple products KDE-Workspace 4.10.5 and earlier does not properly handle the return value of the glibc 2.17 crypt and pw_encrypt functions, which allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via (1) an invalid salt, or a (2) DES or (3) MD5 encrypted password when FIPS-140 mode is enabled, to KDM, or (4) an invalid password to KCheckPass. | 5.0 |
2013-09-16 | CVE-2013-4123 | Squid Cache Opensuse | Improper Input Validation vulnerability in multiple products client_side_request.cc in Squid 3.2.x before 3.2.13 and 3.3.x before 3.3.8 allows remote attackers to cause a denial of service via a crafted port number in a HTTP Host header. | 5.0 |
2013-09-16 | CVE-2013-5720 | Wireshark | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Wireshark Buffer overflow in the RTPS dissector in Wireshark 1.8.x before 1.8.10 and 1.10.x before 1.10.2 allows remote attackers to cause a denial of service (application crash) via a crafted packet. | 5.0 |
2013-09-19 | CVE-2013-5142 | Apple | Information Exposure vulnerability in Apple Iphone OS The kernel in Apple iOS before 7 does not initialize unspecified kernel data structures, which allows local users to obtain sensitive information from kernel stack memory via the (1) msgctl API or (2) segctl API. | 4.9 |
2013-09-16 | CVE-2013-1029 | Apple | Improper Input Validation vulnerability in Apple mac OS X The kernel in Apple Mac OS X before 10.8.5 allows remote attackers to cause a denial of service (panic) via crafted IGMP packets that leverage incorrect, extraneous code in the IGMP parser. | 4.9 |
2013-09-19 | CVE-2013-5138 | Apple | Denial of Service vulnerability in Apple iPhone/iPad/iPod touch Prior to iOS 7 IOCatalogue in IOKitUser in Apple iOS before 7 allows attackers to cause a denial of service (NULL pointer dereference and device crash) via a crafted application. | 4.7 |
2013-09-20 | CVE-2012-4081 | Cisco | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Cisco Unified Computing System MCServer in the Cisco Management Controller in Cisco Unified Computing System (UCS) allows local users to cause a denial of service (application crash) via invalid MCTools parameters, aka Bug ID CSCtg20734. | 4.6 |
2013-09-20 | CVE-2012-4093 | Cisco | Improper Input Validation vulnerability in Cisco Unified Computing System The Manager component in Cisco Unified Computing System (UCS) allows local users to cause a denial of service via an invalid Smart Call Home contact address, aka Bug ID CSCtl00186. | 4.6 |
2013-09-20 | CVE-2013-4815 | Microfocus | Cross-Site Scripting vulnerability in Microfocus Arcsight Enterprise Security Manager Cross-site scripting (XSS) vulnerability in the web interface in HP ArcSight Enterprise Security Manager (ESM) before 5.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2013-09-20 | CVE-2013-4052 | IBM | Cross-Site Scripting vulnerability in IBM Websphere Application Server Cross-site scripting (XSS) vulnerability in the UDDI Administrative console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.47, 7.0 before 7.0.0.31, 8.0 before 8.0.0.8, and 8.5 before 8.5.5.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2013-09-20 | CVE-2013-0596 | IBM | Cross-Site Scripting vulnerability in IBM Websphere Application Server Cross-site scripting (XSS) vulnerability in the Administrative console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.47 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2013-09-20 | CVE-2013-5501 | Cisco | Cross-Site Scripting vulnerability in Cisco Mediasense Cross-site scripting (XSS) vulnerability in the oraservice page in Cisco MediaSense allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka Bug ID CSCuj23328. | 4.3 |
2013-09-20 | CVE-2013-5500 | Cisco | Cross-Site Scripting vulnerability in Cisco Mediasense Multiple cross-site scripting (XSS) vulnerabilities in the oraadmin service page in Cisco MediaSense allow remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka Bug IDs CSCuj23320, CSCuj23324, CSCuj23333, and CSCuj23338. | 4.3 |
2013-09-20 | CVE-2012-4072 | Cisco | Improper Input Validation vulnerability in Cisco Unified Computing System The KVM subsystem in Cisco Unified Computing System (UCS) relies on a hardcoded X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers, and read keyboard and mouse events, by leveraging knowledge of this certificate's private key, aka Bug ID CSCte90327. | 4.3 |
2013-09-19 | CVE-2013-5497 | Cisco | Improper Authentication vulnerability in Cisco Intrusion Prevention System The authentication manager process in the web framework in Cisco Intrusion Prevention System (IPS) does not properly handle user tokens, which allows remote attackers to cause a denial of service (intermittent MainApp hang) via a crafted management-interface connection request, aka Bug ID CSCuf20148. | 4.3 |
2013-09-19 | CVE-2013-5159 | Apple | Permissions, Privileges, and Access Controls vulnerability in Apple Iphone OS WebKit in Apple iOS before 7 allows remote attackers to bypass the Same Origin Policy and obtain potentially sensitive information about use of the window.webkitRequestAnimationFrame API via an IFRAME element. | 4.3 |
2013-09-19 | CVE-2013-5156 | Apple | Permissions, Privileges, and Access Controls vulnerability in Apple Iphone OS The Telephony subsystem in Apple iOS before 7 does not require API conformity for access to telephony-daemon interfaces, which allows attackers to bypass intended restrictions on phone calls via a crafted app that sends direct requests to the daemon. | 4.3 |
2013-09-19 | CVE-2013-5154 | Apple | Permissions, Privileges, and Access Controls vulnerability in Apple Iphone OS The Sandbox subsystem in Apple iOS before 7 determines the sandboxing requirement for a #! application on the basis of the script interpreter instead of the script, which allows attackers to bypass intended access restrictions via a crafted application. | 4.3 |
2013-09-19 | CVE-2013-5152 | Apple | Improper Input Validation vulnerability in Apple Iphone OS Mobile Safari in Apple iOS before 7 allows remote attackers to spoof the URL bar via a crafted web site. | 4.3 |
2013-09-19 | CVE-2013-5151 | Apple | Cross-Site Scripting vulnerability in Apple Iphone OS Mobile Safari in Apple iOS before 7 does not prevent HTML interpretation of a document served with a text/plain content type, which allows remote attackers to conduct cross-site scripting (XSS) attacks by uploading a file. | 4.3 |
2013-09-19 | CVE-2013-5149 | Apple | Permissions, Privileges, and Access Controls vulnerability in Apple Iphone OS The Push Notifications subsystem in Apple iOS before 7 provides the push-notification token to an app without user approval, which allows attackers to obtain sensitive information via an app that employs a crafted push-notification registration process. | 4.3 |
2013-09-19 | CVE-2013-5131 | Apple | Cross-Site Scripting vulnerability in Apple Iphone OS Cross-site scripting (XSS) vulnerability in WebKit in Apple iOS before 7 allows remote attackers to inject arbitrary web script or HTML via a crafted URL. | 4.3 |
2013-09-19 | CVE-2013-5129 | Apple | Cross-Site Scripting vulnerability in Apple Iphone OS Multiple cross-site scripting (XSS) vulnerabilities in WebKit in Apple iOS before 7 allow user-assisted remote attackers to inject arbitrary web script or HTML via vectors involving a (1) drag-and-drop or (2) copy-and-paste operation. | 4.3 |
2013-09-19 | CVE-2013-1034 | Apple | Cross-Site Scripting vulnerability in Apple OS X Server Multiple cross-site scripting (XSS) vulnerabilities in Wiki Server in Apple Mac OS X Server before 2.2.2 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2013-09-18 | CVE-2013-1728 | Mozilla | Buffer Errors vulnerability in Mozilla Firefox, Seamonkey and Thunderbird The IonMonkey JavaScript engine in Mozilla Firefox before 24.0, Thunderbird before 24.0, and SeaMonkey before 2.21, when Valgrind mode is used, does not properly initialize memory, which makes it easier for remote attackers to obtain sensitive information via unspecified vectors. | 4.3 |
2013-09-18 | CVE-2013-1723 | Mozilla | Buffer Errors vulnerability in Mozilla Firefox, Seamonkey and Thunderbird The NativeKey widget in Mozilla Firefox before 24.0, Thunderbird before 24.0, and SeaMonkey before 2.21 processes key messages after destruction by a dispatched event listener, which allows remote attackers to cause a denial of service (application crash) by leveraging incorrect event usage after widget-memory reallocation. | 4.3 |
2013-09-17 | CVE-2013-5711 | Slickremix | Cross-Site Scripting vulnerability in Slickremix Design Approval System Plugin Cross-site scripting (XSS) vulnerability in admin/walkthrough/walkthrough.php in the Design Approval System plugin before 3.7 for WordPress allows remote attackers to inject arbitrary web script or HTML via the step parameter. | 4.3 |
2013-09-17 | CVE-2013-4766 | Eucalyptus | Information Exposure vulnerability in Eucalyptus The gather log service in Eucalyptus before 3.3.1 allows remote attackers to read log files via an unspecified request to the (1) Cluster Controller (CC) or (2) Node Controller (NC) component. | 4.3 |
2013-09-17 | CVE-2013-2788 | Subnet | Improper Input Validation vulnerability in Subnet Substation Server 2.7.0033/2.8.0106 The DNP3 Slave service in SUBNET Solutions SubSTATION Server 2.7.0033 and 2.8.0106 allows remote attackers to cause a denial of service (unhandled exception and process crash) via unspecified vectors. | 4.3 |
2013-09-17 | CVE-2012-4067 | Eucalyptus | Resource Management Errors vulnerability in Eucalyptus Walrus in Eucalyptus before 3.2.2 allows remote attackers to cause a denial of service (memory, thread, and CPU consumption) via a crafted XML message containing a DTD, as demonstrated by a bucket-logging request. | 4.3 |
2013-09-16 | CVE-2013-1439 | Libraw | NULL Pointer Dereference Denial of Service vulnerability in LibRaw The "faster LJPEG decoder" in libraw 0.13.x, 0.14.x, and 0.15.x before 0.15.4 allows context-dependent attackers to cause a denial of service (NULL pointer dereference) via a crafted photo file. | 4.3 |
2013-09-16 | CVE-2013-4047 | IBM | Cross-Site Scripting vulnerability in IBM Spss Analytical Decision Management 6.1.0.0/6.2.0.0/7.0.0.0 Cross-site scripting (XSS) vulnerability in IBM SPSS Analytical Decision Management 6.1 before IF1, 6.2 before IF1, and 7.0 before FP1 IF6 allows remote attackers to inject arbitrary web script or HTML via a crafted link. | 4.3 |
2013-09-16 | CVE-2013-5495 | Cisco | Cross-Site Scripting vulnerability in Cisco Unified Meetingplace Cross-site scripting (XSS) vulnerability in the web framework in the Application Server in Cisco Unified MeetingPlace allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka Bug ID CSCui44681. | 4.3 |
2013-09-16 | CVE-2013-4704 | Chamanet | Cross-Site Scripting vulnerability in Chamanet Chamacargo 7.0000 Cross-site scripting (XSS) vulnerability in ChamaNet ChamaCargo 7.0000 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2013-09-16 | CVE-2013-4341 | Moodle | Cross-site Scripting vulnerability in Moodle Multiple cross-site scripting (XSS) vulnerabilities in Moodle through 2.2.11, 2.3.x before 2.3.9, 2.4.x before 2.4.6, and 2.5.x before 2.5.2 allow remote attackers to inject arbitrary web script or HTML via a crafted blog link within an RSS feed. | 4.3 |
2013-09-16 | CVE-2013-5722 | Wireshark | Denial of Service vulnerability in Wireshark LDAP Dissector Unspecified vulnerability in the LDAP dissector in Wireshark 1.8.x before 1.8.10 and 1.10.x before 1.10.2 allows remote attackers to cause a denial of service (application crash) via a crafted packet. | 4.3 |
2013-09-16 | CVE-2013-5721 | Wireshark | Improper Input Validation vulnerability in Wireshark The dissect_mq_rr function in epan/dissectors/packet-mq.c in the MQ dissector in Wireshark 1.8.x before 1.8.10 and 1.10.x before 1.10.2 does not properly determine when to enter a certain loop, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. | 4.3 |
2013-09-16 | CVE-2013-5719 | Wireshark | Resource Management Errors vulnerability in Wireshark epan/dissectors/packet-assa_r3.c in the ASSA R3 dissector in Wireshark 1.8.x before 1.8.10 and 1.10.x before 1.10.2 allows remote attackers to cause a denial of service (infinite loop) via a crafted packet. | 4.3 |
2013-09-16 | CVE-2013-5718 | Wireshark | Permissions, Privileges, and Access Controls vulnerability in Wireshark The dissect_nbap_T_dCH_ID function in epan/dissectors/packet-nbap.c in the NBAP dissector in Wireshark 1.8.x before 1.8.10 and 1.10.x before 1.10.2 does not restrict the dch_id value, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. | 4.3 |
2013-09-16 | CVE-2013-5717 | Wireshark | Improper Input Validation vulnerability in Wireshark 1.10.0/1.10.1 The Bluetooth HCI ACL dissector in Wireshark 1.10.x before 1.10.2 does not properly maintain a certain free list, which allows remote attackers to cause a denial of service (application crash) via a crafted packet that is not properly handled by the wmem_block_alloc function in epan/wmem/wmem_allocator_block.c. | 4.3 |
2013-09-20 | CVE-2012-4083 | Cisco | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Cisco Unified Computing System Multiple buffer overflows in the administrative web interface in Cisco Unified Computing System (UCS) allow remote authenticated users to cause a denial of service (memory corruption and session termination) via long string values for unspecified parameters, aka Bug ID CSCtg20751. | 4.0 |
2013-09-18 | CVE-2013-1727 | Mozilla | Cross-Site Scripting vulnerability in Mozilla Firefox Mozilla Firefox before 24.0 on Android allows attackers to bypass the Same Origin Policy, and consequently conduct cross-site scripting (XSS) attacks or obtain password or cookie information, by using a symlink in conjunction with a file: URL for a local file. | 4.0 |
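The Walrus entry above (CVE-2012-4067) is the classic entity-expansion denial of service: a client-supplied XML document carries a DTD whose nested entity declarations blow up into gigabytes of text (memory, threads and CPU) when the parser expands them. The same DTD is also where an external entity (XXE) would be declared. As an added example, which is not part of this report nor of the Eucalyptus code base, the Python script below shows how a service that accepts XML from clients can refuse any document carrying a DOCTYPE before a single entity is declared, using the expat parser bundled with Python. The bucket-logging document and the two hostile documents are constructed for this example; the element names are illustrative, not the real Walrus schema.

```python
import xml.parsers.expat


class DtdRejected(ValueError):
    """Raised when a client document carries a DOCTYPE (and so may declare entities)."""


def parse_no_dtd(data: bytes) -> list:
    """Parse XML with expat, aborting at the DOCTYPE declaration.

    Entity declarations, the vector for both entity-expansion DoS and XXE,
    can only live inside a DTD, so refusing the DOCTYPE up front means no
    entity is ever declared, let alone expanded. Returns the element names
    in document order (enough to show the document really was parsed).
    """
    parser = xml.parsers.expat.ParserCreate()
    tags = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires at '<!DOCTYPE', before any <!ENTITY ...> in the internal subset is read.
        raise DtdRejected(f"DOCTYPE {name!r} is not accepted from clients")

    def on_external_entity(context, base, sysid, pubid):
        # Belt and braces: never resolve external entities; returning 0 makes expat fail.
        return 0

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = lambda name, attrs: tags.append(name)
    parser.Parse(data, True)          # a handler exception propagates out of Parse()
    return tags


def accepts(data: bytes) -> bool:
    """True if the document parses under the no-DTD policy, False if it is refused."""
    try:
        parse_no_dtd(data)
        return True
    except (DtdRejected, xml.parsers.expat.ExpatError):
        return False


# Constructed sample: a benign bucket-logging request (illustrative element names).
BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<BucketLoggingStatus>
  <LoggingEnabled>
    <TargetBucket>audit-logs</TargetBucket>
    <TargetPrefix>walrus/</TargetPrefix>
  </LoggingEnabled>
</BucketLoggingStatus>
"""

# Constructed sample: the same request with a small 'billion laughs' DTD (10^3 expansions
# here; an attacker uses nine or ten levels for 10^9 or more).
BILLION_LAUGHS = b"""<?xml version="1.0"?>
<!DOCTYPE BucketLoggingStatus [
  <!ENTITY lol "lol">
  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<BucketLoggingStatus>&lol3;</BucketLoggingStatus>
"""

# Constructed sample: an external-entity (XXE) variant; the same DOCTYPE check stops it.
XXE = b"""<?xml version="1.0"?>
<!DOCTYPE BucketLoggingStatus [
  <!ENTITY leak SYSTEM "file:///etc/passwd">
]>
<BucketLoggingStatus><TargetBucket>&leak;</TargetBucket></BucketLoggingStatus>
"""


if __name__ == "__main__":
    print("benign  :", parse_no_dtd(BENIGN))
    print("laughs  :", accepts(BILLION_LAUGHS))
    print("xxe     :", accepts(XXE))
```

Recent libexpat builds (2.4.1 and later) cap entity amplification on their own, but refusing DOCTYPE at the application layer does not depend on which parser build ships with the service, and it closes the external-entity path as well. Where a schema legitimately needs a DTD, the right move is to parse with entity expansion disabled rather than to trust an amplification limit.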
11 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2013-09-19 | CVE-2013-5147 | Apple | Race Condition vulnerability in Apple Iphone OS Passcode Lock in Apple iOS before 7 does not properly manage the lock state, which allows physically proximate attackers to bypass an intended passcode requirement by leveraging a race condition involving phone calls and ejection of a SIM card. | 3.7 |
2013-09-16 | CVE-2013-4048 | IBM | Cross-Site Scripting vulnerability in IBM Spss Analytical Decision Management 6.1.0.0/6.2.0.0/7.0.0.0 Cross-site scripting (XSS) vulnerability in IBM SPSS Analytical Decision Management 6.1 before IF1, 6.2 before IF1, and 7.0 before FP1 IF6 allows remote authenticated users to inject arbitrary web script or HTML via vectors involving addition of script to a page. | 3.5 |
2013-09-16 | CVE-2013-4277 | Apache | Permissions, Privileges, and Access Controls vulnerability in Apache Subversion svnserve in Apache Subversion 1.4.0 through 1.7.12 and 1.8.0 through 1.8.1 allows local users to overwrite arbitrary files or kill arbitrary processes via a symlink attack on the file specified by the --pid-file option. | 3.3 |
2013-09-16 | CVE-2013-1031 | Apple | Permissions, Privileges, and Access Controls vulnerability in Apple mac OS X Power Management in Apple Mac OS X before 10.8.5 does not properly perform locking upon occurrences of a power assertion, which allows physically proximate attackers to bypass intended access restrictions by visiting an unattended workstation on which a locking failure had prevented the startup of the screen saver. | 3.3 |
2013-09-19 | CVE-2013-5137 | Apple | Permissions, Privileges, and Access Controls vulnerability in Apple Iphone OS IOKit in Apple iOS before 7 allows attackers to send user-interface events to the foreground app by leveraging control over a background app and using the (1) task-completion API or (2) VoIP API. | 2.6 |
2013-09-18 | CVE-2013-1729 | Mozilla Apple | Information Exposure vulnerability in Mozilla Firefox The WebGL implementation in Mozilla Firefox before 24.0, when NVIDIA graphics drivers are used on Mac OS X, allows remote attackers to obtain desktop-screenshot data by reading from a CANVAS element. | 2.6 |
2013-09-19 | CVE-2013-5158 | Apple | Permissions, Privileges, and Access Controls vulnerability in Apple Iphone OS The Social subsystem in Apple iOS before 7 does not properly restrict access to the cache of Twitter icons, which allows physically proximate attackers to obtain sensitive information about recent Twitter interaction via unspecified vectors. | 2.1 |
2013-09-19 | CVE-2013-5153 | Apple | Permissions, Privileges, and Access Controls vulnerability in Apple Iphone OS Springboard in Apple iOS before 7 does not properly manage the lock state in Lost Mode, which allows physically proximate attackers to read notifications via unspecified vectors. | 2.1 |
2013-09-16 | CVE-2013-4183 | Openstack | Information Exposure vulnerability in Openstack Cinder 2013.1.1/2013.1.2 The clear_volume function in LVMVolumeDriver driver in OpenStack Cinder 2013.1.1 through 2013.1.2 does not properly clear data when deleting a snapshot, which allows local users to obtain sensitive information via unspecified vectors. | 2.1 |
2013-09-16 | CVE-2013-1030 | Apple | Information Exposure vulnerability in Apple mac OS X mdmclient in Mobile Device Management in Apple Mac OS X before 10.8.5 places a password on the command line, which allows local users to obtain sensitive information by listing the process. | 2.1 |
2013-09-19 | CVE-2013-5150 | Apple | Information Exposure vulnerability in Apple Iphone OS The history-clearing feature in Safari in Apple iOS before 7 does not clear the back/forward history of an open tab, which allows physically proximate attackers to obtain sensitive information by leveraging an unattended workstation. | 1.9 |
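CVE-2013-4277 above is a textbook symlink attack on a daemon's pid file: if the path handed to --pid-file already exists as a symlink planted by a local user, a plain open-for-write follows the link and truncates whatever it points at with the daemon's privileges. As an added example, not svnserve's own code, the Python script below stages that attack in a scratch directory, reproduces the clobber with the naive open(), and shows the create-exclusive, no-follow open that refuses it. The directory, the victim file, its contents and the file names are constructed for the demo; O_NOFOLLOW is a Linux/BSD flag and is treated as optional.

```python
import errno
import os
import tempfile
from pathlib import Path


def write_pidfile_naive(path: str, pid: int) -> None:
    """The vulnerable pattern: open for writing, truncating whatever the path
    resolves to. If 'path' is a symlink planted by a local user, the link
    target is truncated and overwritten with the daemon's privileges."""
    with open(path, "w") as fh:
        fh.write(f"{pid}\n")


def write_pidfile_safe(path: str, pid: int) -> None:
    """Create the pid file exclusively and never follow a symlink.

    O_CREAT|O_EXCL fails with EEXIST if anything, including a dangling or
    planted symlink, already sits at 'path'. O_NOFOLLOW (Linux/BSD; assumed
    optional here) makes the refusal explicit even where O_EXCL is dropped.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o644)
    with os.fdopen(fd, "w") as fh:
        fh.write(f"{pid}\n")


def demo() -> dict:
    """Stage the symlink attack in a scratch directory and report what each writer did."""
    with tempfile.TemporaryDirectory() as workdir:
        victim = os.path.join(workdir, "victim.conf")       # constructed 'arbitrary file'
        Path(victim).write_text("important config\n")
        pidfile = os.path.join(workdir, "svnserve.pid")     # what --pid-file would name
        os.symlink(victim, pidfile)                          # the local user's planted link

        write_pidfile_naive(pidfile, 4242)
        clobbered = Path(victim).read_text()                 # victim now holds "4242\n"

        Path(victim).write_text("important config\n")        # reset, then try the safe writer
        try:
            write_pidfile_safe(pidfile, 4242)
            refused = False
        except OSError as exc:
            refused = exc.errno in (errno.EEXIST, errno.ELOOP)
        intact = Path(victim).read_text()                    # untouched this time

        fresh = os.path.join(workdir, "fresh.pid")           # no link: safe writer works normally
        write_pidfile_safe(fresh, 4242)
        return {
            "naive_clobbered_victim": clobbered,
            "safe_refused_symlink": refused,
            "victim_after_safe": intact,
            "fresh_pidfile": Path(fresh).read_text(),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The CVE's second consequence, killing arbitrary processes, comes from the read side: a pid file the attacker can write lets them choose which process receives the daemon's shutdown signal. The reader should therefore lstat the file, check that it is a regular file owned by the service account, and confirm the pid belongs to the expected binary before signalling it, rather than trusting whatever integer the file contains.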