CVEs from 2013
Total
5,687
critical
critical 917
high
high 949
medium
medium 3,166
low
low 557
% Critical
16.1%
% with KEV
0.7%
% with exploit
11.6%
Top vendors
Top products
- chrome 11,665
- ffmpeg 3,379
- seamonkey 2,231
- acrobat_reader 1,911
- acrobat 1,909
- itunes 1,678
- firefox 1,634
- moodle 1,560
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2013-6384 | low | — | 1.9 | 13y ago | (1) impl_db2.py and (2) impl_mongodb.py in OpenStack Ceilometer 2013.2 and earlier, when the logging level is set to INFO, logs the connection string from ceilometer.conf, which allows local users to… | |||
| CVE-2013-0223 | low | — | 1.9 | 13y ago | The SUSE coreutils-i18n.patch for GNU coreutils allows context-dependent attackers to cause a denial of service (segmentation fault and crash) via a long string to the join command, when using the -i… | |||
| CVE-2013-4481 | low | — | 1.9 | 13y ago | Race condition in Luci 0.26.0 creates /var/lib/luci/etc/luci.ini with world-readable permissions before restricting the permissions, which allows local users to read the file and obtain sensitive inf… | |||
| CVE-2013-4425 | low | — | 1.9 | 13y ago | The DICOM listener in OsiriX before 5.8 and before 2.5-MD, when starting up, encrypts the TLS private key file using "SuperSecretPassword" as the hardcoded password, which allows local users to obtai… | |||
| CVE-2013-3287 | low | — | 1.9 | 13y ago | EMC Unisphere for VMAX before 1.6.1.6, when using an unspecified level of debug logging in LDAP configurations, allows local users to discover the cleartext LDAP bind password by reading the console. | |||
| CVE-2013-1056 | low | — | 1.9 | 13y ago | X.org X server 1.13.3 and earlier, when not run as root, allows local users to cause a denial of service (crash) or possibly gain privileges via vectors involving cached xkb files. | |||
| CVE-2013-5187 | low | — | 1.9 | 13y ago | The Screen Lock implementation in Apple Mac OS X before 10.9 does not immediately accept Keychain Status menu Lock Screen commands, and instead incorrectly relies on a certain timeout setting, which … | |||
| CVE-2013-5169 | low | — | 1.9 | 13y ago | CoreGraphics in Apple Mac OS X before 10.9, when display-sleep mode is used, does not ensure that screen locking blocks the visibility of all windows, which allows physically proximate attackers to o… | |||
| CVE-2013-4369 | low | — | 1.9 | 13y ago | The xlu_vif_parse_rate function in the libxlu library in Xen 4.2.x and 4.3.x allows local users to cause a denial of service (NULL pointer dereference) by using the "@" character as the VIF rate conf… | |||
| CVE-2013-4368 | low | — | 1.9 | 13y ago | The outs instruction emulation in Xen 3.1.x, 4.2.x, 4.3.x, and earlier, when using FS: or GS: segment override, uses an uninitialized variable as a segment base, which allows local 64-bit PV guests t… | |||
| CVE-2013-1921 | low | — | 1.9 | 13y ago | PicketBox, as used in Red Hat JBoss Enterprise Application Platform before 6.1.1, allows local users to obtain the admin encryption key by reading the Vault data file. | |||
| CVE-2013-4025 | low | — | 1.9 | 13y ago | IBM Data Studio Web Console 3.x before 3.2, Optim Performance Manager 5.x before 5.2, InfoSphere Optim Configuration Manager 2.x before 2.2, and DB2 Recovery Expert 2.x do not have an off autocomplet… | |||
| CVE-2013-5150 | low | — | 1.9 | 13y ago | The history-clearing feature in Safari in Apple iOS before 7 does not clear the back/forward history of an open tab, which allows physically proximate attackers to obtain sensitive information by lev… | |||
| CVE-2013-4259 | low | — | 1.9 | 13y ago | runner/connection_plugins/ssh.py in Ansible before 1.2.3, when using ControlPersist, allows local users to redirect a ssh session via a symlink attack on a socket file with a predictable name in /tmp… | |||
| CVE-2013-2898 | low | — | 1.9 | 13y ago | drivers/hid/hid-sensor-hub.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_SENSOR_HUB is enabled, allows physically proximate attackers to obtain sen… | |||
| CVE-2013-2976 | low | — | 1.9 | 13y ago | The Administrative console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.47, 7.0 before 7.0.0.29, 8.0 before 8.0.0.7, and 8.5 before 8.5.5.0 does not properly perform caching, which allo… | |||
| CVE-2013-4242 | low | — | 1.9 | 13y ago | GnuPG before 1.4.14, and Libgcrypt before 1.5.3 as used in GnuPG 2.0.x and possibly other products, allows local users to obtain private RSA keys via a cache side-channel attack involving the L3 cach… | |||
| CVE-2013-2162 | low | — | 1.9 | 13y ago | Race condition in the post-installation script (mysql-server-5.5.postinst) for MySQL Server 5.5 for Debian GNU/Linux and Ubuntu Linux creates a configuration file with world-readable permissions befo… | |||
| CVE-2013-2168 | low | — | 1.9 | 13y ago | The _dbus_printf_string_upper_bound function in dbus/dbus-sysdeps-unix.c in D-Bus (aka DBus) 1.4.x before 1.4.26, 1.6.x before 1.6.12, and 1.7.x before 1.7.4 allows local users to cause a denial of s… | |||
| CVE-2013-0534 | low | — | 1.9 | 13y ago | The Connect client in IBM Sametime 8.5.1, 8.5.1.1, 8.5.1.2, 8.5.2, and 8.5.2.1, as used in the Lotus Notes client and separately, might allow local users to obtain sensitive information by leveraging… | |||
| CVE-2013-0527 | low | — | 1.9 | 13y ago | The Browser in IBM Sterling Connect:Direct 1.4 before 1.4.0.11 and 1.5 through 1.5.0.1 does not close pages upon the timeout of a session, which allows physically proximate attackers to obtain sensit… | |||
| CVE-2013-1952 | low | — | 1.9 | 13y ago | Xen 4.x, when using Intel VT-d for a bus mastering capable PCI device, does not properly check the source when accessing a bridge device's interrupt remapping table entries for MSI interrupts, which … | |||
| CVE-2013-1917 | low | — | 1.9 | 13y ago | Xen 3.1 through 4.x, when running 64-bit hosts on Intel CPUs, does not clear the NT flag when using an IRET after a SYSENTER instruction, which allows PV guest users to cause a denial of service (hyp… | |||
| CVE-2013-1958 | low | — | 1.9 | 13y ago | The scm_check_creds function in net/core/scm.c in the Linux kernel before 3.8.6 does not properly enforce capability requirements for controlling the PID value associated with a UNIX domain socket, w… | |||
| CVE-2013-0541 | low | — | 1.9 | 13y ago | Buffer overflow in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.47, 7.0 before 7.0.0.29, 8.0 before 8.0.0.6, and 8.5 before 8.5.0.2 on Windows, when a localOS registry is used in conjuncti… | |||
| CVE-2013-0122 | low | — | 1.9 | 13y ago | The avast! Mobile Security application before 2.0.4400 for Android allows attackers to cause a denial of service (application crash) via a crafted application that sends an intent to com.avast.androi… | |||
| CVE-2013-0403 | low | — | 1.9 | 13y ago | Unspecified vulnerability in Oracle Sun Solaris 8, 9, 10, and 11 allows local users to affect availability via unknown vectors related to Utility. | |||
| CVE-2013-2302 | low | — | 1.9 | 13y ago | TransWARE Active! mail 6, when an external public interface is used, allows local users to obtain sensitive information belonging to arbitrary users by leveraging shell access, as demonstrated by a T… | |||
| CVE-2013-2636 | low | — | 1.9 | 13y ago | net/bridge/br_mdb.c in the Linux kernel before 3.8.4 does not initialize certain structures, which allows local users to obtain sensitive information from kernel memory via a crafted application. | |||
| CVE-2013-2635 | low | — | 1.9 | 13y ago | The rtnl_fill_ifinfo function in net/core/rtnetlink.c in the Linux kernel before 3.8.4 does not initialize a certain structure member, which allows local users to obtain sensitive information from ke… | |||
| CVE-2013-2634 | low | — | 1.9 | 13y ago | net/dcb/dcbnl.c in the Linux kernel before 3.8.4 does not initialize certain structures, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. | |||
| CVE-2013-1427 | low | — | 1.9 | 13y ago | The configuration file for the FastCGI PHP support for lighttpd before 1.4.28 on Debian GNU/Linux creates a socket file with a predictable name in /tmp, which allows local users to hijack the PHP con… | |||
| CVE-2013-0979 | low | — | 1.9 | 13y ago | lockdownd in Lockdown in Apple iOS before 6.1.3 does not properly consider file types during the permission-setting step of a backup restoration, which allows local users to change the permissions of… | |||
| CVE-2013-0200 | low | — | 1.9 | 13y ago | HP Linux Imaging and Printing (HPLIP) through 3.12.4 allows local users to overwrite arbitrary files via a symlink attack on the (1) /tmp/hpcupsfilterc_#.bmp, (2) /tmp/hpcupsfilterk_#.bmp, (3) /tmp/h… | |||
| CVE-2013-0349 | low | — | 1.9 | 13y ago | The hidp_setup_hid function in net/bluetooth/hidp/core.c in the Linux kernel before 3.7.6 does not properly copy a certain name field, which allows local users to obtain sensitive information from ke… | |||
| CVE-2013-0154 | low | — | 1.9 | 14y ago | The get_page_type function in xen/arch/x86/mm.c in Xen 4.2, when debugging is enabled, allows local PV or HVM guest administrators to cause a denial of service (assertion failure and hypervisor crash… | |||
| CVE-2013-7291 | low | — | 1.8 | 13y ago | memcached before 1.4.17, when running in verbose mode, allows remote attackers to cause a denial of service (crash) via a request that triggers an "unbounded key print" during logging, related to an … | |||
| CVE-2013-7290 | low | — | 1.8 | 13y ago | The do_item_get function in items.c in memcached 1.4.4 and other versions before 1.4.17, when running in verbose mode, allows remote attackers to cause a denial of service (segmentation fault) via a … | |||
| CVE-2013-0179 | low | — | 1.8 | 13y ago | The process_bin_delete function in memcached.c in memcached 1.4.4 and other versions before 1.4.17, when running in verbose mode, allows remote attackers to cause a denial of service (segmentation fa… | |||
| CVE-2013-5885 | low | — | 1.7 | 13y ago | Unspecified vulnerability in Oracle Solaris 11.1 allows local users to affect integrity via unknown vectors related to Audit. | |||
| CVE-2013-5874 | low | — | 1.7 | 13y ago | Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.3, and 12.2.2 allows local users to affect confidentiality via unknown … | |||
| CVE-2013-5865 | low | — | 1.7 | 13y ago | Unspecified vulnerability in Oracle Solaris 11.1 allows local users to affect availability via unknown vectors related to Utility/User administration. | |||
| CVE-2013-2997 | low | — | 1.7 | 13y ago | IBM Security AppScan Enterprise before 8.7 does not invalidate the session context upon a logout action, which allows remote attackers to hijack sessions by leveraging an unattended workstation. | |||
| CVE-2013-0982 | low | — | 1.7 | 13y ago | The Private Browsing feature in CFNetwork in Apple Mac OS X before 10.8.4 does not prevent storage of permanent cookies upon exit from Safari, which might allow physically proximate attackers to bypa… | |||
| CVE-2013-2382 | low | — | 1.7 | 13y ago | Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking component in Oracle Financial Services Software 2.8.0 through 12.0.1 allows local users to affect confidentiality via vectors related t… | |||
| CVE-2013-1499 | low | — | 1.7 | 13y ago | Unspecified vulnerability in Oracle Sun Solaris 11 allows local users to affect availability via unknown vectors related to Network Configuration. | |||
| CVE-2013-5763 | low | — | 1.5 | 13y ago | Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.4.0 allows context-dependent attackers to affect availability via unknown vectors related to Outs… | |||
| CVE-2013-4829 | low | — | 1.5 | 13y ago | HP LaserJet M4555, M525, and M725; LaserJet flow MFP M525c; LaserJet Enterprise color flow MFP M575c; Color LaserJet CM4540, M575, and M775; and ScanJet Enterprise 8500fn1 FutureSmart devices allow l… | |||
| CVE-2013-4355 | low | — | 1.5 | 13y ago | Xen 4.3.x and earlier does not properly handle certain errors, which allows local HVM guests to obtain hypervisor stack memory via a (1) port or (2) memory mapped I/O write or (3) other unspecified o… | |||
| CVE-2013-2393 | low | — | 1.5 | 13y ago | Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.7 and 8.4.0 allows context-dependent attackers to affect availability via unknown vectors relat… | |||
| CVE-2013-1546 | low | — | 1.5 | 13y ago | Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking component in Oracle Financial Services Software 2.8.0 through 3.1.0 and 5.0.2 through 12.0.1 allows local users to affect confidentiali… | |||
| CVE-2013-1502 | low | — | 1.5 | 13y ago | Unspecified vulnerability in Oracle MySQL 5.5.30 and earlier and 5.6.9 and earlier allows local users to affect availability via unknown vectors related to Server Partition. | |||
| CVE-2013-0525 | low | — | 1.5 | 13y ago | Multiple cross-site scripting (XSS) vulnerabilities in IBM iNotes 8.5.x allow local users to inject arbitrary web script or HTML via a shared mail file, aka SPR DKEN8PDNTX. | |||
| CVE-2013-6891 | low | — | 1.2 | 13y ago | lppasswd in CUPS before 1.7.1, when running with setuid privileges, allows local users to read portions of arbitrary files via a modified HOME environment variable and a symlink attack involving .cup… | |||
| CVE-2013-4476 | low | — | 1.2 | 13y ago | Samba 4.0.x before 4.0.11 and 4.1.x before 4.1.1, when LDAP or HTTP is provided over SSL, uses world-readable permissions for a private key, which allows local users to obtain sensitive information b… | |||
| CVE-2013-1442 | low | — | 1.2 | 13y ago | Xen 4.0 through 4.3.x, when using AVX or LWP capable CPUs, does not properly clear previous data from registers when using an XSAVE or XRSTOR to extend the state components of a saved or restored vCP… | |||
| CVE-2013-2217 | low | — | 1.2 | 13y ago | cache.py in Suds 0.4, when tempdir is set to None, allows local users to redirect SOAP queries and possibly have other unspecified impact via a symlink attack on a cache file with a predictable name … |