CVE-2013-0259
Cross-site scripting (XSS) vulnerability in the Boxes module 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with administer or edit boxes permissions to inject arbitrary web script or HTML via the subject parameter...
CVE-2013-0454
CVE-2013-0454 concerns the Samba SMB2 implementation. Multiple connected sources confirm a vulnerability in Samba 3.6.x (before 3.6.6) that mishandles CIFS share attributes, enabling an authenticated remote user to (1) write to a read-only share, and (2) trigger data-integrity issues related to o...
CVE-2013-0335
OpenStack Compute Nova Grizzly, Folsom 2012.2, and Essex 2012.1 allows remote authenticated users to gain access to a VM in opportunistic circumstances by using the VNC token for a deleted VM that was bound to the same VNC port...
CVE-2013-0287
CVE-2013-0287 affects System Security Services Daemon (SSSD) when using the Active Directory provider. The Simple Access Provider in SSSD 1.9.0–1.9.4 does not properly enforce the simple_deny_groups option, allowing remote authenticated users to bypass access restrictions. Connected advisories/pa...
CVE-2013-0713
CVE-2013-0713 affects Wind River VxWorks 6.5–6.9 IPSSH (SSH server). A crafted pty request can cause SSH access to be unavailable until next reboot; authenticated users may trigger this DoS. Public details confirm affected versions and the root cause (pty handling). Mitigation: apply Wind River p...
CVE-2013-2275
The default configuration for puppet masters 0.25.0 and later in Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2, allows remote authenticated nodes to submit reports for other nodes via unspecified vectors...
CVE-2013-2274
Puppet vulnerability CVE-2013-2274 affects Puppet 2.6.x (pre-2.6.18) and Puppet Enterprise 1.2.x (pre-1.2.7). An authenticated attacker could send a crafted report to the puppet master (or an agent with puppet kick enabled) to achieve remote arbitrary code execution. Remediation per RHSA-2013:071...
CVE-2013-1652
CVE-2013-1652 affects Puppet: remote authenticated users with a valid certificate and key can read arbitrary catalogs or poison the Puppet master’s cache via unspecified vectors. Affected versions include Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, plus Puppet Enterprise be...
CVE-2013-1863
Samba 4.x before 4.0.4, when configured as an Active Directory domain controller, uses world-writable permissions on non-default CIFS shares, which allows remote authenticated users to read, modify, create, or delete arbitrary files via standard filesystem operations...
Code injection
The Keyboard Shortcut Utility module 7.x-1.x before 7.x-1.1 for Drupal does not properly check node restrictions, which allows (1) remote authenticated users with the "view shortcuts" permission to read nodes or (2) remote authenticated users with the "admin shortcuts" permission to read, edit, or...
CVE-2013-0330
Unspecified vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote authenticated users with write access to build arbitrary jobs via unknown attack vectors...
CVE-2013-0331
CVE-2013-0331 affects Jenkins before 1.502 and LTS before 1.480.3, where remote authenticated users with write access can cause a denial of service by sending a crafted payload. The available sources consistently describe the issue and its existence in Jenkins’ older releases, with remediation gu...
Design/Logic Flaw
The users/get program in the User RPC API in Apache Rave 0.11 through 0.20 allows remote authenticated users to obtain sensitive information about all user accounts via the offset parameter, as demonstrated by discovering password hashes in the password field of a response...
CVE-2013-1814
CVE-2013-1814 (Apache Rave) affects Apache Rave 0.11–0.20. The vulnerability lies in the User RPC API (users/get): remote authenticated users can disclose sensitive data for all user accounts via the offset parameter, including password hashes. Public references corroborate an information disclos...
apache-cxf: UsernameTokenPolicyValidator and UsernameTokenInterceptor allow empty passwords to authenticate
Apache CXF before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3, when the plaintext UsernameToken WS-SecurityPolicy is enabled, allows remote attackers to bypass authentication via a security header of a SOAP request containing a UsernameToken element that lacks a password child element...
AZL-7231 CVE-2011-4966 affecting package freeradius 3.2.3-2
modules/rlm_unix/rlm_unix.c in FreeRADIUS before 2.2.0, when unix mode is enabled for user authentication, does not properly check the password expiration in /etc/shadow, which allows remote authenticated users to authenticate using an expired password...
Design/Logic Flaw
The Administer tab in Aeolus Conductor allows remote authenticated users to bypass intended quota restrictions by updating the Maximum Running Instances quota user setting...
CVE-2013-1794
OpenAFS vulnerability CVE-2013-1794: a buffer overflow in certain client utilities before version 1.6.2 allows remote authenticated users to crash the fileserver or potentially execute code via a long fileserver ACL entry. Several connected advisories cite this CVE and indicate upgrades are neede...