CVSS: 9.3EPSS: 3%CPEs: 189EXPL: 0CVE-2013-2394 – Oracle Java t2k Type1 Subroutine Indexing Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2013-2394
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, 5.0 Update 41 and earlier, and JavaFX 2.2.7 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D, a different vulnerability than CVE-2013-2432 and CVE-2013-1491. Vulnerabilidad no especificada en Java Runtime Environment (JRE) componente de Oracle Java SE v7 Update v17 y anteriores, v6 Update v43 y anteriores, y v5.0 Update v41 y anteriores, y JavaFX v2.2.7 y anteriores, permite a atacantes remotos afectar la confidencialidad, integridad y disponibilidad a través de vectores desconocidos relacionados con 2D, una vulnerabilidad diferente de CVE-2013-2432 y CVE-2013-1491. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Oracle Java. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Type1 fonts in t2k.dll. A file parsing vulnerability can occur by controlling a value placed after the "/Subrs" keyword in the eexec portion of the file which defines a size of an array. • http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03898880 http://lists.apple.com/archives/security-announce/2013/Apr/msg00001.html http://lists.opensuse.org/opensuse-security-announce/2013-05/msg00013.html http://lists.opensuse.org/opensuse-security-announce/2013-06/msg00001.html http://lists.opensuse.org/opensuse-security-announce/2013-06/msg00007.html http://marc.info/?l=bugtraq&m=137283787217316&w=2 http://rhn.redhat.com/errata/RHSA-2013-0757.html http://rhn.redhat& •
CVSS: 10.0EPSS: 13%CPEs: 37EXPL: 0CVE-2013-2428 – Oracle Java JavaFX WebPage Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2013-2428
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier and JavaFX 2.2.7 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to JavaFX, a different vulnerability than CVE-2013-0402, CVE-2013-2414, and CVE-2013-2427. Vulnerabilidad no especificada en el entorno de ejecución de Java (JRE) en el componente Oracle Java SE 7 Update 17 y anteriores y JavaFX 2.2.7 y anteriores permite a atacantes remotos afectar la confidencialidad, integridad y disponibilidad a través de vectores desconocidos relacionados con JavaFX, una vulnerabilidad diferente a CVE-2013-0402, CVE-2013-2414 y CVE-2013-2427. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Oracle Java. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the JavaFX WebPage class. A descendant class can overwrite the getPage method with a custom pointer into the native function. • http://rhn.redhat.com/errata/RHSA-2013-0757.html http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html http://www.us-cert.gov/ncas/alerts/TA13-107A https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16416 https://access.redhat.com/security/cve/CVE-2013-2428 https://bugzilla.redhat.com/show_bug.cgi?id=953135 •
CVSS: 10.0EPSS: 28%CPEs: 3EXPL: 0CVE-2013-0402 – Oracle Java FLV Parsing Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2013-0402
Heap-based buffer overflow in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier and JavaFX 2.2.7 and earlier allows remote attackers to execute arbitrary code via unspecified vectors related to JavaFX, as demonstrated by VUPEN during a Pwn2Own competition at CanSecWest 2013. Un desbordamiento de búfer basado en memoria dinámica ('heap') en Oracle Java 7 Update v17 y posiblemente otras versiones, permite a atacantes remotos ejecutar código de su elección a través de vectores no especificados, como fue demostrado por VUPEN durante el concurso Pwn2Own en CanSecWest 2013. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Oracle Java. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of FLV files. The issue lies in the parsing of a FLV file with two video tags using the On2 VP6 codec. • http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Pwn2Own-2013/ba-p/5981157 http://rhn.redhat.com/errata/RHSA-2013-0757.html http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html http://www.us-cert.gov/ncas/alerts/TA13-107A http://www.zdnet.com/pwn2own-down-go-all-the-browsers-7000012283 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15728 https://twitter.com/thezdi/status/309484730506698752 https://access.redhat.com/ • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •