Vulnerabilities (CVE)

Filtered by CWE-20
Total 11566 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2013-1946 2 Drupal, Restful Web Services Project 2 Drupal, Restful Web Services 2026-06-16 4.3 MEDIUM N/A
The RESTful Web Services (RESTWS) module 7.x-1.x before 7.x-1.3 and 7.x-2.x before 7.x-2.0-alpha5 for Drupal, when page caching is enabled and anonymous users are assigned RESTWS permissions, allows remote attackers to cause a denial of service via a GET request with an HTTP Accept header set to a non-HTML type, which can "interfere with Drupal's page cache."
CVE-2013-1943 3 Canonical, Linux, Redhat 4 Ubuntu Linux, Linux Kernel, Enterprise Linux and 1 more 2026-06-16 4.4 MEDIUM 7.8 HIGH
The KVM subsystem in the Linux kernel before 3.0 does not check whether kernel addresses are specified during allocation of memory slots for use in a guest's physical address space, which allows local users to gain privileges or obtain sensitive information from kernel memory via a crafted application, related to arch/x86/kvm/paging_tmpl.h and virt/kvm/kvm_main.c.
CVE-2013-1939 3 Fruux, Microsoft, Owncloud 3 Sabredav, Windows, Owncloud Server 2026-06-16 5.0 MEDIUM N/A
The HTML\Browser plugin in SabreDAV before 1.6.9, 1.7.x before 1.7.7, and 1.8.x before 1.8.5, as used in ownCloud, when running on Windows, does not properly check path separators in the base path, which allows remote attackers to read arbitrary files via a \ (backslash) character.
CVE-2013-1930 2 Fedoraproject, Mantisbt 2 Fedora, Mantisbt 2026-06-16 4.0 MEDIUM 4.3 MEDIUM
MantisBT 1.2.12 before 1.2.15 allows authenticated users to by the workflow restriction and close issues.
CVE-2013-1917 1 Xen 1 Xen 2026-06-16 1.9 LOW N/A
Xen 3.1 through 4.x, when running 64-bit hosts on Intel CPUs, does not clear the NT flag when using an IRET after a SYSENTER instruction, which allows PV guest users to cause a denial of service (hypervisor crash) by triggering a #GP fault, which is not properly handled by another IRET instruction.
CVE-2013-1911 2 Mark Burns, Ruby-lang 2 Ldoce, Ruby 2026-06-16 6.8 MEDIUM N/A
lib/ldoce/word.rb in the ldoce 0.0.2 gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in (1) an mp3 URL or (2) file name.
CVE-2013-1910 2 Baseurl, Debian 2 Yum, Debian Linux 2026-06-16 7.5 HIGH 9.8 CRITICAL
yum does not properly handle bad metadata, which allows an attacker to cause a denial of service and possibly have other unspecified impact via a Trojan horse file in the metadata of a remote repository.
CVE-2013-1909 2 Apache, Redhat 2 Qpid, Enterprise Mrg 2026-06-16 5.8 MEDIUM N/A
The Python client in Apache Qpid before 2.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
CVE-2013-1892 2 Mongodb, Redhat 2 Mongodb, Enterprise Mrg 2026-06-16 6.0 MEDIUM N/A
MongoDB before 2.0.9 and 2.2.x before 2.2.4 does not properly validate requests to the nativeHelper function in SpiderMonkey, which allows remote authenticated users to cause a denial of service (invalid memory access and server crash) or execute arbitrary code via a crafted memory address in the first argument.
CVE-2013-1889 1 Mod Ruid2 Project 1 Mod Ruid2 2026-06-16 5.0 MEDIUM 7.5 HIGH
mod_ruid2 before 0.9.8 improperly handles file descriptors which allows remote attackers to bypass security using a CGI script to break out of the chroot.
CVE-2013-1883 1 Mantisbt 1 Mantisbt 2026-06-16 5.0 MEDIUM N/A
Mantis Bug Tracker (aka MantisBT) 1.2.12 before 1.2.15 allows remote attackers to cause a denial of service (resource consumption) via a filter using a criteria, text search, and the "any condition" match type.
CVE-2013-1881 1 Gnome 1 Librsvg 2026-06-16 4.3 MEDIUM N/A
GNOME libsvg before 2.39.0 allows remote attackers to read arbitrary files via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
CVE-2013-1869 1 Redhat 2 Satellite, Spacewalk-java 2026-06-16 4.3 MEDIUM N/A
CRLF injection vulnerability in spacewalk-java before 2.1.148-1 and Red Hat Network (RHN) Satellite 5.6 allows remote attackers to inject arbitrary HTTP headers, and conduct HTTP response splitting attacks and cross-site scripting (XSS) attacks, via the return_url parameter.
CVE-2013-1856 1 Rubyonrails 2 Rails, Ruby On Rails 2026-06-16 5.8 MEDIUM N/A
The ActiveSupport::XmlMini_JDOM backend in lib/active_support/xml_mini/jdom.rb in the Active Support component in Ruby on Rails 3.0.x and 3.1.x before 3.1.12 and 3.2.x before 3.2.13, when JRuby is used, does not properly restrict the capabilities of the XML parser, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving (1) an external DTD or (2) an external entity declaration in conjunction with an entity reference.
CVE-2013-1854 2 Redhat, Rubyonrails 3 Enterprise Linux, Rails, Ruby On Rails 2026-06-16 5.0 MEDIUM N/A
The Active Record component in Ruby on Rails 2.3.x before 2.3.18, 3.1.x before 3.1.12, and 3.2.x before 3.2.13 processes certain queries by converting hash keys to symbols, which allows remote attackers to cause a denial of service via crafted input to a where method.
CVE-2013-1848 1 Linux 1 Linux Kernel 2026-06-16 6.2 MEDIUM N/A
fs/ext3/super.c in the Linux kernel before 3.8.4 uses incorrect arguments to functions in certain circumstances related to printk input, which allows local users to conduct format-string attacks and possibly gain privileges via a crafted application.
CVE-2013-1839 1 Squid-cache 1 Squid 2026-06-16 7.8 HIGH N/A
The strHdrAcptLangGetItem function in errorpage.cc in Squid 3.2.x before 3.2.9 and 3.3.x before 3.3.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a "," character in an Accept-Language header.
CVE-2013-1828 1 Linux 1 Linux Kernel 2026-06-16 6.9 MEDIUM N/A
The sctp_getsockopt_assoc_stats function in net/sctp/socket.c in the Linux kernel before 3.8.4 does not validate a size value before proceeding to a copy_from_user operation, which allows local users to gain privileges via a crafted application that contains an SCTP_GET_ASSOC_STATS getsockopt system call.
CVE-2013-1821 1 Ruby-lang 1 Ruby 2026-06-16 5.0 MEDIUM N/A
lib/rexml/text.rb in the REXML parser in Ruby before 1.9.3-p392 allows remote attackers to cause a denial of service (memory consumption and crash) via crafted text nodes in an XML document, aka an XML Entity Expansion (XEE) attack.
CVE-2013-1820 2 Fedoraproject, Redhat 2 Fedora, Tuned 2026-06-16 4.7 MEDIUM 5.5 MEDIUM
tuned before 2.x allows local users to kill running processes due to insecure permissions with tuned's ktune service.