CVSS: 10.0EPSS: 0%CPEs: 26EXPL: 0CVE-2013-5614 – Mozilla: Sandbox restrictions not applied to nested object elements (MFSA 2013-107)
https://notcve.org/view.php?id=CVE-2013-5614
11 Dec 2013 — Mozilla Firefox before 26.0 and SeaMonkey before 2.23 do not properly consider the sandbox attribute of an IFRAME element during processing of a contained OBJECT element, which allows remote attackers to bypass intended sandbox restrictions via a crafted web site. Mozilla Firefox anteriores a 26.0 y SeaMonkey anteriores a 2.23 no considera apropiadamente el atributo sandbox de un elemento IFRAME durante el procesado de un elemento OBJECT, lo que permite a atacantes remotos franquear las restricciones de san... • http://lists.fedoraproject.org/pipermail/package-announce/2013-December/123437.html • CWE-1021: Improper Restriction of Rendered UI Layers or Frames •
CVSS: 9.8EPSS: 2%CPEs: 28EXPL: 1CVE-2013-5616 – Mozilla: Use-after-free in event listeners (MFSA 2013-108)
https://notcve.org/view.php?id=CVE-2013-5616
11 Dec 2013 — Use-after-free vulnerability in the nsEventListenerManager::HandleEventSubType function in Mozilla Firefox before 26.0, Firefox ESR 24.x before 24.2, Thunderbird before 24.2, and SeaMonkey before 2.23 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via vectors related to mListeners event listeners. Vulnerabilidad de liberación despues de uso en la función nsEventListenerManager :: HandleEventSubType en Mozilla Firefox anterior a 26.0, Firefox ESR 24.x ... • http://lists.fedoraproject.org/pipermail/package-announce/2013-December/123437.html • CWE-416: Use After Free •
CVSS: 10.0EPSS: 10%CPEs: 28EXPL: 1CVE-2013-5618 – Mozilla: Use-after-free during Table Editing (MFSA 2013-109)
https://notcve.org/view.php?id=CVE-2013-5618
11 Dec 2013 — Use-after-free vulnerability in the nsNodeUtils::LastRelease function in the table-editing user interface in the editor component in Mozilla Firefox before 26.0, Firefox ESR 24.x before 24.2, Thunderbird before 24.2, and SeaMonkey before 2.23 allows remote attackers to execute arbitrary code by triggering improper garbage collection. Vulnerabilidad de uso despues de liberación en la función nsNodeUtils::LastRelease en la interfaz de usuario en el editor de componentes en Mozilla Firefox anterior a 26.0, Fir... • http://lists.fedoraproject.org/pipermail/package-announce/2013-December/123437.html • CWE-416: Use After Free •
CVSS: 10.0EPSS: 10%CPEs: 28EXPL: 1CVE-2013-6671 – Mozilla: Segmentation violation when replacing ordered list elements (MFSA 2013-111)
https://notcve.org/view.php?id=CVE-2013-6671
11 Dec 2013 — The nsGfxScrollFrameInner::IsLTR function in Mozilla Firefox before 26.0, Firefox ESR 24.x before 24.2, Thunderbird before 24.2, and SeaMonkey before 2.23 allows remote attackers to execute arbitrary code via crafted use of JavaScript code for ordered list elements. L función nsGfxScrollFrameInner::IsLTR en Mozilla Firefox anterior a 26.0, Firefox ESR 24.x anteriores a 24.2, Thunderbird anteriores a 24.2, y SeaMonkey anteriores a 2.23 permite a atacantes remotos ejecutar código de forma arbitraria a través ... • http://lists.fedoraproject.org/pipermail/package-announce/2013-December/123437.html • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2013-1090
https://notcve.org/view.php?id=CVE-2013-1090
06 Dec 2013 — The SUSE horde5 package before 5.0.2-2.4.1 sets incorrect ownership for certain configuration files and directories including /etc/apache2/vhosts.d, which allows local wwwrun users to gain privileges via unspecified vectors. El paquete SUSE horde5 anteriores a 5.0.0-2.4.1 establece permisos de propiedad incorrectos para determinados ficheros de configuración y directorios, incluyendo /etc/apache2/vhosts.d, lo cual permite a usuarios wwwrun locales escalar privilegios a través de vectores no especificados. • http://lists.opensuse.org/opensuse-updates/2013-12/msg00025.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 1CVE-2012-0427
https://notcve.org/view.php?id=CVE-2012-0427
02 Dec 2013 — yast2-add-on-creator in SUSE inst-source-utils 2008.11.26 before 2008.11.26-0.9.1 and 2012.9.13 before 2012.9.13-0.8.1 allows local users to gain privileges via a crafted (1) file name or (2) directory name. yast2-add-on-creator en SUSE inst-source-utils 2008.11.26 anterior a la versión 2008.11.26-0.9.1 y 2012.9.13 anterior a 2012.9.13-0.8.1 permite a usuarios locales obtener privilegios a través de (1) un nombre de archivo o (2) un nombre de directorio manipulado. • http://download.novell.com/Download?buildid=tGCXHQR48E4~ • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2012-0425
https://notcve.org/view.php?id=CVE-2012-0425
02 Dec 2013 — LanItems.ycp in save_y2logs in yast2-network before 2.24.4 in SUSE YaST writes cleartext Wi-Fi credentials to the y2log log file, which allows context-dependent attackers to obtain sensitive information by reading the (1) WIRELESS_WPA_PASSWORD or (2) WIRELESS_CLIENT_KEY_PASSWORD field. LanItems.ycp en save_y2logs de yast2-network anterior a la versión 2.24.4 de SUSE YaST escribe credenciales Wi-Fi en texto plano en el archivo log de y2log, lo que permite a atacantes dependientes del contexto obtener informa... • https://bugzilla.novell.com/show_bug.cgi?id=752464 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.8EPSS: 22%CPEs: 15EXPL: 0CVE-2013-6712 – php: heap-based buffer over-read in DateInterval
https://notcve.org/view.php?id=CVE-2013-6712
28 Nov 2013 — The scan function in ext/date/lib/parse_iso_intervals.c in PHP through 5.5.6 does not properly restrict creation of DateInterval objects, which might allow remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted interval specification. La función de análisis en ext/date/lib/parse_iso_intervals.c de PHP hasta la versión 5.5.6 no restringe adecuadamente la creación de objetos DateInterval, lo que podría permitir a atacantes remotos provocar una denegación de servicio (desbord... • http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=12fe4e90be7bfa2a763197079f68f5568a14e071 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-122: Heap-based Buffer Overflow •
CVSS: 9.1EPSS: 0%CPEs: 3EXPL: 0CVE-2013-4509
https://notcve.org/view.php?id=CVE-2013-4509
23 Nov 2013 — The default configuration of IBUS 1.5.4, and possibly 1.5.2 and earlier, when IBus.InputPurpose.PASSWORD is not set and used with GNOME 3, does not obscure the entered password characters, which allows physically proximate attackers to obtain a user password by reading the lockscreen. La configuración predeterminada de IBUS 1.5.4, y posiblemente de 1.5.2 y anteriores, cuando IBus.InputPurpose.PASSWORD no se establece y utiliza con GNOME 3, no oscurece los caracteres escritos, lo que permite a atacantes físi... • http://lists.opensuse.org/opensuse-updates/2013-11/msg00036.html • CWE-255: Credentials Management Errors •
CVSS: 5.4EPSS: 0%CPEs: 5EXPL: 0CVE-2013-6858 – openstack: horizon multiple XSS vulnerabilities.
https://notcve.org/view.php?id=CVE-2013-6858
23 Nov 2013 — Multiple cross-site scripting (XSS) vulnerabilities in OpenStack Dashboard (Horizon) 2013.2 and earlier allow local users to inject arbitrary web script or HTML via an instance name to (1) "Volumes" or (2) "Network Topology" page. Múltiples vulnerabilidades de XSS en OpenStack Dashboard (Horizon) 2013.2 y anteriores versiones permiten a usuarios locales inyectar script web o HTML arbitrario a través de un nombre de instancia en (1) "Volumes" o (2) "Network Topology". OpenStack Dashboard provides administrat... • http://lists.opensuse.org/opensuse-updates/2015-01/msg00040.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •