CVEs from 2013
| Metric | Value |
|---|---|
| Total | 5,731 |
| Critical | 917 |
| High | 949 |
| Medium | 3,166 |
| Low | 557 |
| % Critical | 16.0% |
| % with KEV | 0.7% |
| % with exploit | 0.9% |
Top vendors
Top products
- chrome 11,665
- ffmpeg 3,379
- seamonkey 2,231
- acrobat_reader 1,911
- acrobat 1,909
- itunes 1,678
- firefox 1,634
- moodle 1,560
| CVE | Severity | CVSS | Risk | Published | Description | Impact |
|---|---|---|---|---|---|---|
| CVE-2013-4221 | high | — | 7.5 | 13y ago | Restlet is vulnerable to Arbitrary Java Code Execution via crafted XML | |
| CVE-2013-2240 | high | — | 7.5 | 13y ago | lib/flowplayer.swf.php in Gallery 3 before 3.0.9 does not properly remove query fragments, which allows remote attackers to have an unspecified impact via a replay attack, a different vulnerability t… | |
| CVE-2013-2138 | high | — | 7.5 | 13y ago | The (1) uploadify and (2) flowplayer SWF files in Gallery 3 before 3.0.8 do not properly remove query parameters and fragments, which allows remote attackers to have an unspecified impact via a repla… | |
| CVE-2013-5967 | high | — | 7.5 | 13y ago | Multiple SQL injection vulnerabilities in AlienVault Open Source Security Information Management (OSSIM) 4.3 and earlier allow remote attackers to execute arbitrary SQL commands via the date_from par… | |
| CVE-2013-4385 | high | — | 7.5 | 13y ago | Buffer overflow in the "read-string!" procedure in the "extras" unit in CHICKEN stable before 4.8.0.5 and development snapshots before 4.8.3 allows remote attackers to cause a denial of service (memo… | |
| CVE-2013-4258 | high | — | 7.5 | 13y ago | Format string vulnerability in the osLogMsg function in server/os/aulog.c in Network Audio System (NAS) 1.9.3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitra… | |
| CVE-2013-2221 | high | — | 7.5 | 13y ago | Heap-based buffer overflow in the ZRtp::storeMsgTemp function in GNU ZRTPCPP before 3.2.0 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large … | |
| CVE-2013-2924 | high | — | 7.5 | 13y ago | Use-after-free vulnerability in International Components for Unicode (ICU), as used in Google Chrome before 30.0.1599.66 and other products, allows remote attackers to cause a denial of service or po… | |
| CVE-2013-2923 | high | — | 7.5 | 13y ago | Multiple unspecified vulnerabilities in Google Chrome before 30.0.1599.66 allow attackers to cause a denial of service or possibly have other impact via unknown vectors. | |
| CVE-2013-2919 | high | — | 7.5 | 13y ago | Google V8, as used in Google Chrome before 30.0.1599.66, allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors. | |
| CVE-2013-2918 | high | — | 7.5 | 13y ago | Use-after-free vulnerability in the RenderBlock::collapseAnonymousBlockChild function in core/rendering/RenderBlock.cpp in the DOM implementation in Blink, as used in Google Chrome before 30.0.1599.6… | |
| CVE-2013-2912 | high | — | 7.5 | 13y ago | Use-after-free vulnerability in the PepperInProcessRouter::SendToHost function in content/renderer/pepper/pepper_in_process_router.cc in the Pepper Plug-in API (PPAPI) in Google Chrome before 30.0.15… | |
| CVE-2013-2910 | high | — | 7.5 | 13y ago | Use-after-free vulnerability in modules/webaudio/AudioScheduledSourceNode.cpp in the Web Audio implementation in Blink, as used in Google Chrome before 30.0.1599.66, allows remote attackers to cause … | |
| CVE-2013-2909 | high | — | 7.5 | 13y ago | Use-after-free vulnerability in Blink, as used in Google Chrome before 30.0.1599.66, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related… | |
| CVE-2013-5395 | high | — | 7.5 | 13y ago | IBM Maximo Asset Management 6.2 through 6.2.8, 7.1 before 7.1.1.12, and 7.5 before 7.5.0.5 allows remote attackers to bypass intended access restrictions via unspecified vectors. | |
| CVE-2013-7463 | high | 7.5 | 7.5 | 13y ago | Aescrypt does not sufficiently use random values | |
| CVE-2013-5697 | high | — | 7.5 | 13y ago | SQL injection vulnerability in mod_accounting.c in the mod_accounting module 0.5 and earlier for Apache allows remote attackers to execute arbitrary SQL commands via a Host header. | |
| CVE-2013-5200 | high | — | 7.5 | 13y ago | The (1) REST and (2) memcache interfaces in the Hazelcast cluster API in Open-Xchange AppSuite 7.0.x before 7.0.2-rev15 and 7.2.x before 7.2.2-rev16 do not require authentication, which allows remote… | |
| CVE-2013-5931 | high | — | 7.5 | 13y ago | SQL injection vulnerability in property_listings_detail.php in Real Estate PHP Script allows remote attackers to execute arbitrary SQL commands via the listingid parameter. | |
| CVE-2013-5917 | high | — | 7.5 | 13y ago | SQL injection vulnerability in wp-comments-post.php in the NOSpam PTI plugin 2.1 for WordPress allows remote attackers to execute arbitrary SQL commands via the comment_post_ID parameter. | |
| CVE-2013-4182 | high | — | 7.5 | 13y ago | app/controllers/api/v1/hosts_controller.rb in Foreman before 1.2.2 does not properly restrict access to hosts, which allows remote attackers to access arbitrary hosts via an API request. | |
| CVE-2013-5674 | high | — | 7.5 | 13y ago | badges/external.php in Moodle 2.5.x before 2.5.2 does not properly handle an object obtained by unserializing a description of an external badge, which allows remote attackers to conduct PHP object i… | |
| CVE-2013-4313 | high | — | 7.5 | 13y ago | Moodle through 2.2.11, 2.3.x before 2.3.9, 2.4.x before 2.4.6, and 2.5.x before 2.5.2 does not prevent use of '\0' characters in query strings, which might allow remote attackers to conduct SQL injec… | |
| CVE-2013-4809 | high | — | 7.5 | 13y ago | Multiple SQL injection vulnerabilities in GetEventsServlet in HP ProCurve Manager (PCM) 3.20 and 4.0, PCM+ 3.20 and 4.0, and Identity Driven Manager (IDM) 4.0 allow remote attackers to execute arbitr… | |
| CVE-2013-2601 | high | — | 7.5 | 13y ago | The NDVM in Citrix XenClient XT before 2.1.3 and 3.x before 3.1.4 allows remote attackers to execute arbitrary commands by using the UIVM to create a network connection. | |
| CVE-2013-5723 | high | — | 7.5 | 13y ago | SQL injection vulnerability in SAP NetWeaver 7.30 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, related to "ABAD0_DELETE_DERIVATION_TABLE." | |
| CVE-2013-4339 | high | — | 7.5 | 13y ago | WordPress before 3.6.1 does not properly validate URLs before use in an HTTP redirect, which allows remote attackers to bypass intended redirection restrictions via a crafted string. | |
| CVE-2013-4338 | high | — | 7.5 | 13y ago | wp-includes/functions.php in WordPress before 3.6.1 does not properly determine whether data has been serialized, which allows remote attackers to execute arbitrary code by triggering erroneous PHP u… | |
| CVE-2013-5673 | high | — | 7.5 | 13y ago | SQL injection vulnerability in testimonial.php in the IndiaNIC Testimonial plugin 2.2 for WordPress allows remote attackers to execute arbitrary SQL commands via the custom_query parameter in a testi… | |
| CVE-2013-3657 | high | — | 7.5 | 13y ago | Buffer overflow in VMware ESXi 4.0 through 5.0, and ESX 4.0 and 4.1, allows remote attackers to execute arbitrary code or cause a denial of service via unspecified vectors. | |
| CVE-2013-3602 | high | — | 7.5 | 13y ago | SQL injection vulnerability in admindocumentworker.jsp in Coursemill Learning Management System (LMS) 6.6 allows remote authenticated users to execute arbitrary SQL commands via the docID parameter. | |
| CVE-2013-5671 | high | — | 7.5 | 13y ago | Code injection in dragonfly gem | |
| CVE-2013-5589 | high | — | 7.5 | 13y ago | SQL injection vulnerability in cacti/host.php in Cacti 0.8.8b and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter. | |
| CVE-2013-2247 | high | — | 7.5 | 13y ago | The Fast Permissions Administration module 6.x-2.x before 6.x-2.5 and 7.x-2.x before 7.x-2.3 for Drupal does not properly restrict access to the modal content callback, which allows remote attackers … | |
| CVE-2013-4219 | high | — | 7.5 | 13y ago | Multiple integer overflows in the Intel WiMAX Network Service through 1.5.2 for Intel Wireless WiMAX Connection 2400 devices allow remote attackers to cause a denial of service (component crash) or p… | |
| CVE-2013-1435 | high | — | 7.5 | 13y ago | (1) snmp.php and (2) rrd.php in Cacti before 0.8.8b allows remote attackers to execute arbitrary commands via shell metacharacters in unspecified vectors. | |
| CVE-2013-1434 | high | — | 7.5 | 13y ago | Multiple SQL injection vulnerabilities in (1) api_poller.php and (2) utility.php in Cacti before 0.8.8b allow remote attackers to execute arbitrary SQL commands via unspecified vectors. | |
| CVE-2013-5569 | high | — | 7.5 | 13y ago | SQL injection vulnerability in the Slideshare extension 0.1.0 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | |
| CVE-2013-4701 | high | — | 7.5 | 13y ago | PHP OpenID Library Denial of Service vulnerability | |
| CVE-2013-2904 | high | — | 7.5 | 13y ago | Use-after-free vulnerability in the Document::finishedParsing function in core/dom/Document.cpp in Blink, as used in Google Chrome before 29.0.1547.57, allows remote attackers to cause a denial of se… | |
| CVE-2013-2903 | high | — | 7.5 | 13y ago | Use-after-free vulnerability in the HTMLMediaElement::didMoveToNewDocument function in core/html/HTMLMediaElement.cpp in Blink, as used in Google Chrome before 29.0.1547.57, allows remote attackers t… | |
| CVE-2013-2902 | high | — | 7.5 | 13y ago | Use-after-free vulnerability in the XSLT ProcessingInstruction implementation in Blink, as used in Google Chrome before 29.0.1547.57, allows remote attackers to cause a denial of service or possibly … | |
| CVE-2013-2901 | high | — | 7.5 | 13y ago | Multiple integer overflows in (1) libGLESv2/renderer/Renderer9.cpp and (2) libGLESv2/renderer/Renderer11.cpp in Almost Native Graphics Layer Engine (ANGLE), as used in Google Chrome before 29.0.1547.… | |
| CVE-2013-2900 | high | — | 7.5 | 13y ago | The FilePath::ReferencesParent function in files/file_path.cc in Google Chrome before 29.0.1547.57 on Windows does not properly handle pathname components composed entirely of . (dot) and whitespace … | |
| CVE-2013-2887 | high | — | 7.5 | 13y ago | Multiple unspecified vulnerabilities in Google Chrome before 29.0.1547.57 allow attackers to cause a denial of service or possibly have other impact via unknown vectors. | |
| CVE-2013-2210 | high | — | 7.5 | 13y ago | Heap-based buffer overflow in the XML Signature Reference functionality in Apache Santuario XML Security for C++ (aka xml-security-c) before 1.7.2 allows context-dependent attackers to cause a denial… | |
| CVE-2013-2161 | high | — | 7.5 | 13y ago | OpenStack Swift Unchecked user input in XML responses | |
| CVE-2013-2156 | high | — | 7.5 | 13y ago | Heap-based buffer overflow in the Exclusive Canonicalization functionality (xsec/canon/XSECC14n20010315.cpp) in Apache Santuario XML Security for C++ (aka xml-security-c) before 1.7.1 allows remote a… | |
| CVE-2013-2154 | high | — | 7.5 | 13y ago | Stack-based buffer overflow in the XML Signature Reference functionality (xsec/dsig/DSIGReference.cpp) in Apache Santuario XML Security for C++ (aka xml-security-c) before 1.7.1 allows context-depend… | |
| CVE-2013-5322 | high | — | 7.5 | 13y ago | CoolURI extension for TYPO3 vulnerable to SQL Injection | |
| CVE-2013-5321 | high | — | 7.5 | 13y ago | Multiple SQL injection vulnerabilities in AlienVault Open Source Security Information Management (OSSIM) 4.1 allow remote attackers to execute arbitrary SQL commands via the (1) sensor parameter in a… | |
| CVE-2013-5318 | high | — | 7.5 | 13y ago | SQL injection vulnerability in Ginkgo CMS 5.0 allows remote attackers to execute arbitrary SQL commands via the rang parameter to index.php. | |
| CVE-2013-5311 | high | — | 7.5 | 13y ago | Multiple SQL injection vulnerabilities in Vastal I-Tech phpVID 1.2.3 allow remote attackers to execute arbitrary SQL commands via the "n" parameter to (1) browse_videos.php or (2) members.php. NOTE:… | |
| CVE-2013-5310 | high | — | 7.5 | 13y ago | SQL injection vulnerability in the DB Integration (wfqbe) extension before 2.0.1 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | |
| CVE-2013-5306 | high | — | 7.5 | 13y ago | SQL injection vulnerability in the Browser - TYPO3 without PHP (browser) extension before 4.5.5 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | |
| CVE-2013-5304 | high | — | 7.5 | 13y ago | SQL injection vulnerability in the Store Locator (locator) extension before 3.1.5 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | |
| CVE-2013-5302 | high | — | 7.5 | 13y ago | SQL injection vulnerability in the Faceted Search (ke_search) extension before 1.4.1 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | |
| CVE-2013-5121 | high | — | 7.5 | 13y ago | SQL injection vulnerability in PHPFox before 3.6.0 (build6) allows remote attackers to execute arbitrary SQL commands via the search[sort_by] parameter to user/browse/view_/. | |
| CVE-2013-5120 | high | — | 7.5 | 13y ago | SQL injection vulnerability in PHPFox before 3.6.0 (build4) allows remote attackers to execute arbitrary SQL commands via the search[gender] parameter to user/browse/view_/. | |
| CVE-2013-2127 | high | — | 7.5 | 13y ago | Buffer overflow in the exposure correction code in LibRaw before 0.15.1 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via unspecified vec… | |
| CVE-2013-2126 | high | — | 7.5 | 13y ago | Multiple double free vulnerabilities in the LibRaw::unpack function in libraw_cxx.cpp in LibRaw before 0.15.2 allow context-dependent attackers to cause a denial of service (application crash) and po… | |
| CVE-2013-4879 | high | — | 7.5 | 13y ago | SQL injection vulnerability in core/inc/bigtree/cms.php in BigTree CMS 4.0 RC2 and earlier allows remote attackers to execute arbitrary SQL commands via the PATH_INFO to index.php. | |
| CVE-2013-5647 | high | — | 7.5 | 13y ago | Sounder Contains Arbitrary Command Execution Vulnerability | |
| CVE-2013-4115 | high | — | 7.5 | 13y ago | Buffer overflow in the idnsALookup function in dns_internal.cc in Squid 3.2 through 3.2.11 and 3.3 through 3.3.6 allows remote attackers to cause a denial of service (memory corruption and server ter… | |
| CVE-2013-4789 | high | — | 7.5 | 13y ago | SQL injection vulnerability in modules/rss/rss.php in Cotonti before 0.9.14 allows remote attackers to execute arbitrary SQL commands via the "c" parameter to index.php. | |
| CVE-2013-4742 | high | — | 7.5 | 13y ago | Buffer overflow in NetWin SurgeFTP before 23d2 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string within the authentication request. | |
| CVE-2013-4147 | high | — | 7.5 | 13y ago | Multiple format string vulnerabilities in Yet Another Radius Daemon (YARD RADIUS) 1.1.2 allow context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via f… | |
| CVE-2013-4203 | high | — | 7.5 | 13y ago | rgpg Code Injection vulnerability | |
| CVE-2013-2220 | high | — | 7.5 | 13y ago | Buffer overflow in the radius_get_vendor_attr function in the Radius extension before 1.2.7 for PHP allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code vi… | |
| CVE-2013-2886 | high | — | 7.5 | 13y ago | Multiple unspecified vulnerabilities in Google Chrome before 28.0.1500.95 allow attackers to cause a denial of service or possibly have other impact via unknown vectors. | |
| CVE-2013-2885 | high | — | 7.5 | 13y ago | Use-after-free vulnerability in Google Chrome before 28.0.1500.95 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to not properly co… | |
| CVE-2013-2884 | high | — | 7.5 | 13y ago | Use-after-free vulnerability in the DOM implementation in Google Chrome before 28.0.1500.95 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors … | |
| CVE-2013-2883 | high | — | 7.5 | 13y ago | Use-after-free vulnerability in Google Chrome before 28.0.1500.95 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to deleting the re… | |
| CVE-2013-2882 | high | — | 7.5 | 13y ago | Google V8, as used in Google Chrome before 28.0.1500.95, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that leverage "type confusion." | |
| CVE-2013-4953 | high | — | 7.5 | 13y ago | SQL injection vulnerability in play.php in Top Games Script 1.2 allows remote attackers to execute arbitrary SQL commands via the gid parameter. | |
| CVE-2013-4952 | high | — | 7.5 | 13y ago | SQL injection vulnerability in functions/global.php in Elemata CMS RC 3.0 allows remote attackers to execute arbitrary SQL commands via the id parameter. | |
| CVE-2013-4948 | high | — | 7.5 | 13y ago | SQL injection vulnerability in view.php in Machform 2 allows remote attackers to execute arbitrary SQL commands via the element_2 parameter. | |
| CVE-2013-4947 | high | — | 7.5 | 13y ago | Unspecified vulnerability in the update and build database page in Sawmill before 8.6.3 allows remote attackers to have unknown impact and attack vectors. | |
| CVE-2013-4945 | high | — | 7.5 | 13y ago | Multiple SQL injection vulnerabilities in BMC Service Desk Express (SDE) 10.2.1.95 allow remote attackers to execute arbitrary SQL commands via the (1) ASPSESSIONIDASSRATTQ, (2) TABLE_WIDGET_1, (3) T… | |
| CVE-2013-4801 | high | — | 7.5 | 13y ago | Unspecified vulnerability in HP LoadRunner before 11.52 allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-1736. | |
| CVE-2013-4797 | high | — | 7.5 | 13y ago | Unspecified vulnerability in HP LoadRunner before 11.52 allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-1690. | |
| CVE-2013-2370 | high | — | 7.5 | 13y ago | Unspecified vulnerability in HP LoadRunner before 11.52 allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-1671. | |
| CVE-2013-2369 | high | — | 7.5 | 13y ago | Unspecified vulnerability in HP LoadRunner before 11.52 allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-1670. | |
| CVE-2013-2249 | high | — | 7.5 | 13y ago | mod_session_dbd.c in the mod_session_dbd module in the Apache HTTP Server before 2.4.5 proceeds with save operations for a session without considering the dirty flag and the requirement for a new ses… | |
| CVE-2013-2165 | high | — | 7.5 | 13y ago | Remote code execution due to insecure deserialization | |
| CVE-2013-4870 | high | — | 7.5 | 13y ago | SQL injection vulnerability in the News Search (news_search) extension 0.1.0 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | |
| CVE-2013-4878 | high | — | 7.5 | 13y ago | The default configuration of Parallels Plesk Panel 9.0.x and 9.2.x on UNIX, and Small Business Panel 10.x on UNIX, has an improper ScriptAlias directive for phppath, which makes it easier for remote … | |
| CVE-2013-1606 | high | — | 7.5 | 13y ago | Buffer overflow in the ubnt-streamer RTSP service on the Ubiquiti UBNT AirCam with airVision firmware before 1.1.6 allows remote attackers to execute arbitrary code via a long rtsp: URI in a DESCRIBE… | |
| CVE-2013-3404 | high | — | 7.5 | 13y ago | SQL injection vulnerability in Cisco Unified Communications Manager (CUCM) 7.1(x) through 9.1(1a) allows remote attackers to execute arbitrary SQL commands via unspecified vectors, leading to discove… | |
| CVE-2013-3779 | high | — | 7.5 | 13y ago | Unspecified vulnerability in the Secure Global Desktop component in Oracle Virtualization All 4.6 releases including 4.63 and 4.7 prior to 4.71 allows remote attackers to affect confidentiality, inte… | |
| CVE-2013-3577 | high | — | 7.5 | 13y ago | SQL injection vulnerability in the Help Desk application in Wave EMBASSY Remote Administration Server (ERAS) allows remote attackers to execute arbitrary SQL commands via the ct100$4MainController$Te… | |
| CVE-2013-2351 | high | — | 7.5 | 13y ago | Unspecified vulnerability in HP Network Node Manager i (NNMi) 9.00, 9.1x, and 9.2x allows remote attackers to obtain sensitive information, modify data, or cause a denial of service via unknown vecto… | |
| CVE-2013-1768 | high | — | 7.5 | 13y ago | Deserialization of Untrusted Data in Apache OpenJPA | |
| CVE-2013-2880 | high | — | 7.5 | 13y ago | Multiple unspecified vulnerabilities in Google Chrome before 28.0.1500.71 allow attackers to cause a denial of service or possibly have other impact via unknown vectors. | |
| CVE-2013-2873 | high | — | 7.5 | 13y ago | Use-after-free vulnerability in Google Chrome before 28.0.1500.71 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving a 404 HTTP statu… | |
| CVE-2013-2871 | high | — | 7.5 | 13y ago | Use-after-free vulnerability in Google Chrome before 28.0.1500.71 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the handling of… | |
| CVE-2013-2867 | high | — | 7.5 | 13y ago | Google Chrome before 28.0.1500.71 does not properly prevent pop-under windows, which allows remote attackers to have an unspecified impact via a crafted web site. | |
| CVE-2013-2118 | high | — | 7.5 | 13y ago | SPIP 3.0.x before 3.0.9, 2.1.x before 2.1.22, and 2.0.x before 2.0.23 allows remote attackers to gain privileges and "take editorial control" via vectors related to ecrire/inc/filtres.php. | |
| CVE-2013-1362 | high | — | 7.5 | 13y ago | Incomplete blacklist vulnerability in nrpc.c in Nagios Remote Plug-In Executor (NRPE) before 2.14 might allow remote attackers to execute arbitrary shell commands via "$()" shell metacharacters, whic… | |
| CVE-2013-4786 | high | 7.5 | 7.5 | 13y ago | The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing atta… |