Vulnerabilities (CVE)

Filtered by CWE-20
Total 11567 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2013-2629 1 Idleman 1 Leed 2026-06-16 5.0 MEDIUM N/A
Leed (Light Feed), possibly before 1.5 Stable, allows remote attackers to bypass authorization via vectors related to the (1) importForm, (2) importFeed, (3) addFavorite, or (4) removeFavorite actions in action.php.
CVE-2013-2598 1 Codeaurora 1 Android-msm 2026-06-16 6.6 MEDIUM N/A
app/aboot/aboot.c in the Little Kernel (LK) bootloader, as distributed with Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to overwrite signature-verification code via crafted boot-image load-destination header values that specify memory locations within bootloader memory.
CVE-2013-2571 1 Hcomm 1 Xpient Iris 2026-06-16 7.5 HIGH 9.8 CRITICAL
Iris 3.8 before build 1548, as used in Xpient point of sale (POS) systems, allows remote attackers to execute arbitrary commands via a crafted request to TCP port 7510, as demonstrated by opening the cash drawer.
CVE-2013-2503 1 Privoxy 1 Privoxy 2026-06-16 5.8 MEDIUM N/A
Privoxy before 3.0.21 does not properly handle Proxy-Authenticate and Proxy-Authorization headers in the client-server data stream, which makes it easier for remote HTTP servers to spoof the intended proxy service via a 407 (aka Proxy Authentication Required) HTTP status code.
CVE-2013-2488 3 Debian, Opensuse, Wireshark 3 Debian Linux, Opensuse, Wireshark 2026-06-16 5.0 MEDIUM N/A
The DTLS dissector in Wireshark 1.6.x before 1.6.14 and 1.8.x before 1.8.6 does not validate the fragment offset before invoking the reassembly state machine, which allows remote attackers to cause a denial of service (application crash) via a large offset value that triggers write access to an invalid memory location.
CVE-2013-2315 1 Lockon 1 Ec-cube 2026-06-16 5.0 MEDIUM N/A
data/class/pages/forgot/LC_Page_Forgot.php in LOCKON EC-CUBE 2.11.0 through 2.12.3enP2 does not properly validate the input to the password reminder function, which allows remote attackers to obtain sensitive information via a crafted request.
CVE-2013-2279 3 Siteminder Agent For Sharepoint, Siteminder Federation, Siteminder For Secure Proxy Server 8 2010, 12.0, 12.1 and 5 more 2026-06-16 7.5 HIGH N/A
CA SiteMinder Federation (FSS) 12.5, 12.0, and r6; Federation (Standalone) 12.1 and 12.0; Agent for SharePoint 2010; and SiteMinder for Secure Proxy Server 6.0, 12.0, and 12.5 does not properly verify XML signatures for SAML statements, which allows remote attackers to spoof other users and gain privileges.
CVE-2013-2259 1 Cryptocat Project 1 Cryptocat 2026-06-16 7.5 HIGH 9.8 CRITICAL
Cryptocat before 2.0.22 has Arbitrary Code Execution on Firefox Conversation Overview
CVE-2013-2250 1 Apache 1 Ofbiz 2026-06-16 10.0 HIGH N/A
Apache Open For Business Project (aka OFBiz) 10.04.01 through 10.04.05, 11.04.01 through 11.04.02, and 12.04.01 allows remote attackers to execute arbitrary Unified Expression Language (UEL) functions via JUEL metacharacters in unspecified parameters, related to nested expressions.
CVE-2013-2248 1 Apache 1 Struts 2026-06-16 5.8 MEDIUM N/A
Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in a parameter using the (1) redirect: or (2) redirectAction: prefix.
CVE-2013-2232 1 Linux 1 Linux Kernel 2026-06-16 4.9 MEDIUM N/A
The ip6_sk_dst_check function in net/ipv6/ip6_output.c in the Linux kernel before 3.10 allows local users to cause a denial of service (system crash) by using an AF_INET6 socket for a connection to an IPv4 interface.
CVE-2013-2230 1 Redhat 1 Libvirt 2026-06-16 4.0 MEDIUM N/A
The qemu driver (qemu/qemu_driver.c) in libvirt before 1.1.1 allows remote authenticated users to cause a denial of service (daemon crash) via unspecified vectors involving "multiple events registration."
CVE-2013-2227 2 Debian, Glpi-project 2 Debian Linux, Glpi 2026-06-16 5.0 MEDIUM 7.5 HIGH
GLPI 0.83.7 has Local File Inclusion in common.tabs.php.
CVE-2013-2204 2 Tinymce, Wordpress 2 Media, Wordpress 2026-06-16 4.3 MEDIUM N/A
moxieplayer.as in Moxiecode moxieplayer, as used in the TinyMCE Media plugin in WordPress before 3.5.2 and other products, does not consider the presence of a # (pound sign) character during extraction of the QUERY_STRING, which allows remote attackers to pass arbitrary parameters to a Flash application, and conduct content-spoofing attacks, via a crafted string after a ? (question mark) character.
CVE-2013-2191 3 Fedoraproject, Opensuse, Python Bugzilla Project 3 Fedora, Opensuse, Python-bugzilla 2026-06-16 4.3 MEDIUM N/A
python-bugzilla before 0.9.0 does not validate X.509 certificates, which allows man-in-the-middle attackers to spoof Bugzilla servers via a crafted certificate.
CVE-2013-2186 2 Redhat, Ubuntu 5 Jboss Enterprise Brms Platform, Jboss Enterprise Portal Platform, Jboss Enterprise Web Server and 2 more 2026-06-16 7.5 HIGH N/A
The DiskFileItem class in Apache Commons FileUpload, as used in Red Hat JBoss BRMS 5.3.1; JBoss Portal 4.3 CP07, 5.2.2, and 6.0.0; and Red Hat JBoss Web Server 1.0.2 allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance.
CVE-2013-2185 2 Apache, Redhat 3 Tomcat, Jboss Enterprise Application Platform, Jboss Enterprise Portal Platform 2026-06-16 7.5 HIGH N/A
The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance, a similar issue to CVE-2013-2186. NOTE: this issue is reportedly disputed by the Apache Tomcat team, although Red Hat considers it a vulnerability. The dispute appears to regard whether it is the responsibility of applications to avoid providing untrusted data to be deserialized, or whether this class should inherently protect against this issue
CVE-2013-2178 1 Fail2ban 1 Fail2ban 2026-06-16 5.0 MEDIUM N/A
The apache-auth.conf, apache-nohome.conf, apache-noscript.conf, and apache-overflows.conf files in Fail2ban before 0.8.10 do not properly validate log messages, which allows remote attackers to block arbitrary IP addresses via certain messages in a request.
CVE-2013-2175 4 Canonical, Debian, Haproxy and 1 more 4 Ubuntu Linux, Debian Linux, Haproxy and 1 more 2026-06-16 5.0 MEDIUM N/A
HAProxy 1.4 before 1.4.24 and 1.5 before 1.5-dev19, when configured to use hdr_ip or other "hdr_*" functions with a negative occurrence count, allows remote attackers to cause a denial of service (negative array index usage and crash) via an HTTP header with a certain number of values, related to the MAX_HDR_HISTORY variable.
CVE-2013-2168 2 Freedesktop, Opensuse 2 Dbus, Opensuse 2026-06-16 1.9 LOW N/A
The _dbus_printf_string_upper_bound function in dbus/dbus-sysdeps-unix.c in D-Bus (aka DBus) 1.4.x before 1.4.26, 1.6.x before 1.6.12, and 1.7.x before 1.7.4 allows local users to cause a denial of service (service crash) via a crafted message.