LiveActive security incident?Get immediate response
CVE archive

2013 CVE Archive

Browse CVE records published in 2013 CVE Archive, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 6221 matching CVEs · Page 1 of 125.

Critical · CVSS 10

CVE-2013-10069: D-Link Devices Unauthenticated RCE

The web interface of multiple D-Link routers, including DIR-600 rev B (≤2.14b01) and DIR-300 rev B (≤2.13), contains an unauthenticated OS command injection vulnerability in command.php, which improperly handles the cmd POST parameter. A remote attacker can exploit this flaw without authentication to spawn a Telnet service on a specified port, enabling persistent interactive shell access as root.

Published Aug 5, 2025 · Updated May 15, 2026

Critical · CVSS 9.4

CVE-2013-10068: Foxit Reader <= 5.4.5.0114 Plugin URL Processing Buffer Overflow

Foxit Reader Plugin version 2.2.1.530, bundled with Foxit Reader 5.4.4.11281, contains a stack-based buffer overflow vulnerability in the npFoxitReaderPlugin.dll module. When a PDF file is loaded from a remote host, an overly long query string in the URL can overflow a buffer, allowing remote attackers to execute arbitrary code.

Published Aug 5, 2025 · Updated May 15, 2026

Medium · CVSS 6.9

CVE-2013-10063: Netgear SPH200D <= 1.0.4.80 Path Traversal via HTTP GET

A path traversal vulnerability exists in the Netgear SPH200D Skype phone firmware versions <= 1.0.4.80 in its embedded web server. Authenticated attackers can exploit crafted GET requests to access arbitrary files outside the web root by injecting traversal sequences. This can expose sensitive system files and configuration data.

Published Aug 1, 2025 · Updated May 15, 2026

Critical · CVSS 9.4

CVE-2013-10060: Netgear Routers pppoe.cgi RCE

An authenticated OS command injection vulnerability exists in Netgear routers (tested on the DGN2200B model) firmware versions 1.0.0.36 and prior via the pppoe.cgi endpoint. A remote attacker with valid credentials can execute arbitrary commands via crafted input to the pppoe_username parameter. This flaw allows full compromise of the device and may persist across reboots unless configuration is restored.

Published Aug 1, 2025 · Updated May 15, 2026

High · CVSS 8.6

CVE-2013-10059: D-Link Routers tools_vct.htm OS Command Injection

An authenticated OS command injection vulnerability exists in various D-Link routers (tested on DIR-615H1 running firmware version 8.04) via the tools_vct.htm endpoint. The web interface fails to sanitize input passed from the ping_ipaddr parameter to the tools_vct.htm diagnostic interface, allowing attackers to inject arbitrary shell commands using backtick encapsulation. With default credentials, an attacker can exploit this blind injection vector to execute arbitrary commands.

Published Aug 1, 2025 · Updated May 15, 2026

High · CVSS 8.7

CVE-2013-10053: ZPanel <= 10.0.0.2 htpasswd Module Username Command Execution

A remote command execution vulnerability exists in ZPanel version 10.0.0.2 in its htpasswd module. When creating .htaccess files, the inHTUsername field is passed unsanitized to a system() call that invokes the system’s htpasswd binary. By injecting shell metacharacters into the username field, an authenticated attacker can execute arbitrary system commands. Exploitation requires a valid ZPanel account—such as one in the default Users, Resellers, or Administrators groups—but no elevated privileges.

Published Aug 1, 2025 · Updated May 15, 2026

Critical · CVSS 9.3

CVE-2013-10051: InstantCMS <= 1.6 Remote PHP Code Execution

A remote PHP code execution vulnerability exists in InstantCMS version 1.6 and earlier due to unsafe use of eval() within the search view handler. Specifically, user-supplied input passed via the look parameter is concatenated into a PHP expression and executed without proper sanitation. A remote attacker can exploit this flaw by sending a crafted HTTP GET request with a base64-encoded payload in the Cmd header, resulting in arbitrary PHP code execution within the context of the web server.

Published Aug 1, 2025 · Updated May 15, 2026

High · CVSS 8.7

CVE-2013-10050: D-Link Devices tools_vct.xgi Unauthenticated RCE

An OS command injection vulnerability exists in multiple D-Link routers—confirmed on DIR-300 rev A (v1.05) and DIR-615 rev D (v4.13)—via the authenticated tools_vct.xgi CGI endpoint. The web interface fails to properly sanitize user-supplied input in the pingIp parameter, allowing attackers with valid credentials to inject arbitrary shell commands. Exploitation enables full device compromise, including spawning a telnet daemon and establishing a root shell. The vulnerability is present in firmware versions that expose tools_vct.xgi and use the Mathopd/1.5p6 web server. No vendor patch is available, and affected models are end-of-life.

Published Aug 1, 2025 · Updated May 15, 2026

Critical · CVSS 9.3

CVE-2013-10048: D-Link Devices command.php Unauthenticated RCE

An OS command injection vulnerability exists in various legacy D-Link routers—including DIR-300 rev B and DIR-600 (firmware ≤ 2.13 and ≤ 2.14b01, respectively)—due to improper input handling in the unauthenticated command.php endpoint. By sending specially crafted POST requests, a remote attacker can execute arbitrary shell commands with root privileges, allowing full takeover of the device. This includes launching services such as Telnet, exfiltrating credentials, modifying system configuration, and disrupting availability. The flaw stems from the lack of authentication and inadequate sanitation of the cmd parameter.

Published Aug 1, 2025 · Updated May 15, 2026

Critical · CVSS 9.3

CVE-2013-10047: MiniWeb <= Build 300 Arbitrary File Upload

An unrestricted file upload vulnerability exists in MiniWeb HTTP Server <= Build 300 that allows unauthenticated remote attackers to upload arbitrary files to the server’s filesystem. By abusing the upload handler and crafting a traversal path, an attacker can place a malicious .exe in system32, followed by a .mof file in the WMI directory. This triggers execution of the payload with SYSTEM privileges via the Windows Management Instrumentation service. The exploit is only viable on Windows versions prior to Vista.

Published Aug 1, 2025 · Updated May 15, 2026

High · CVSS 8.7

CVE-2013-10044: OpenEMR ≤ 4.1.1 SQL Injection Privilege Escalation and RCE

An authenticated SQL injection vulnerability exists in OpenEMR ≤ 4.1.1 Patch 14 that allows a low-privileged attacker to extract administrator credentials and subsequently escalate privileges. Once elevated, the attacker can exploit an unrestricted file upload flaw to achieve remote code execution, resulting in full compromise of the application and its host system.

Published Aug 1, 2025 · Updated May 15, 2026

Critical · CVSS 9.5

CVE-2013-10043: Astium VOIP PBX <= 2.1 SQL Injection File Upload RCE

A vulnerability exists in OAstium VoIP PBX astium-confweb-2.1-25399 and earlier, where improper input validation in the logon.php script allows an attacker to bypass authentication via SQL injection. Once authenticated as an administrator, the attacker can upload arbitrary PHP code through the importcompany field in import.php, resulting in remote code execution. The malicious payload is injected into /usr/local/astium/web/php/config.php and executed with root privileges by triggering a configuration reload via sudo /sbin/service astcfgd reload. Successful exploitation leads to full system compromise.

Published Jul 31, 2025 · Updated May 15, 2026

Critical · CVSS 9.3

CVE-2013-10042: freeFTPd <= 1.0.10 PASS Command Stack-Based Buffer Overflow

A stack-based buffer overflow vulnerability exists in freeFTPd version 1.0.10 and earlier in the handling of the FTP PASS command. When an attacker sends a specially crafted password string, the application fails to validate input length, resulting in memory corruption. This can lead to denial of service or arbitrary code execution. Exploitation requires the anonymous user account to be enabled.

Published Jul 31, 2025 · Updated May 15, 2026

Critical · CVSS 10

CVE-2013-10040: ClipBucket <= 2.6 ofc_upload_image.php Arbitrary File Upload RCE

ClipBucket version 2.6 and earlier contains a critical vulnerability in the ofc_upload_image.php script located at /admin_area/charts/ofc-library/. This endpoint allows unauthenticated users to upload arbitrary files, including executable PHP scripts. Once uploaded, the attacker can access the file via a predictable path and trigger remote code execution.

Published Jul 31, 2025 · Updated May 15, 2026

High · CVSS 8.7

CVE-2013-10039: GestioIP 3.0 ip_checkhost.cgi RCE

A command injection vulnerability exists in GestioIP 3.0 commit ac67be and earlier in ip_checkhost.cgi. Crafted input to the 'ip' parameter allows attackers to execute arbitrary shell commands on the server via embedded base64-encoded payloads. Authentication may be required depending on deployment configuration.

Published Jul 31, 2025 · Updated May 15, 2026

Critical · CVSS 9.3

CVE-2013-10034: Kaseya < 6.3.0.2 uploadImage.asp Arbitrary File Upload RCE

An unrestricted file upload vulnerability exists in Kaseya KServer versions prior to 6.3.0.2. The uploadImage.asp endpoint allows unauthenticated users to upload files to arbitrary paths via a crafted filename parameter in a multipart/form-data POST request. Due to the lack of authentication and input sanitation, an attacker can upload a file with an .asp extension to a web-accessible directory, which can then be invoked to execute arbitrary code with the privileges of the IUSR account. The vulnerability enables remote code execution without prior authentication and was resolved in version 6.3.0.2 by removing the vulnerable uploadImage.asp endpoint.

Published Jul 31, 2025 · Updated May 15, 2026

Critical · CVSS 9.3

CVE-2013-10064: ActFax 5.01 RAW Server Buffer Overflow

A stack-based buffer overflow vulnerability exists in ActFax Server version 5.01. The server's RAW protocol interface fails to safely process user-supplied data in @F506 fax header fields due to insecure usage of strcpy. Remote attackers can exploit this vulnerability by sending specially crafted @F506 fields, potentially leading to arbitrary code execution. Successful exploitation requires network access to TCP port 4559 and does not require authentication.

Published Aug 5, 2025 · Updated May 14, 2026

High · CVSS 8.7

CVE-2013-10035: ProcessMaker Open Source < 2.5.2 neoclassic Skin PHP Code Execution

A code injection vulnerability exists in ProcessMaker Open Source versions 2.x when using the default 'neoclassic' skin. An authenticated user can execute arbitrary PHP code via multiple endpoints, including appFolderAjax.php, casesStartPage_Ajax.php, and cases_SchedulerGetPlugins.php, by supplying crafted POST requests to parameters such as action and params. These endpoints fail to validate user input and directly invoke PHP functions like system() with user-supplied parameters, enabling remote code execution. The vulnerability affects both Linux and Windows installations and is present in default configurations of versions including 2.0.23 through 2.5.1. The vulnerable skin cannot be removed through the web interface, and exploitation requires only valid user credentials.

Published Jul 31, 2025 · Updated May 14, 2026

Medium · CVSS 5.5

CVE-2013-0266: Puppetlabs-cinder: packstack: openstack: puppetlabs-cinder: information disclosure of openstack administrative passwords due to world-readable configuration files.

A flaw was found in the `puppetlabs-cinder` module, as used in PackStack. This vulnerability is due to incorrect file permissions, specifically world-readable permissions, on the `cinder.conf` and `api-paste.ini` configuration files. A local user can exploit this by reading these files, which leads to the disclosure of OpenStack administrative passwords. This information disclosure could allow unauthorized access to sensitive OpenStack resources.

Published Mar 8, 2013 · Updated Apr 30, 2026

High · CVSS 8.8

CVE-2013-0261: Packstack: packstack: arbitrary file overwrite via symlink attack

A flaw was found in PackStack. A local user could exploit a symlink attack on a temporary file with a predictable name in the `/tmp` directory. This vulnerability allows the local user to overwrite arbitrary files on the system, potentially leading to system compromise or data corruption.

Published Mar 8, 2013 · Updated Apr 30, 2026

Critical · CVSS 10

CVE-2013-10070: PHP-Charts v1.0 PHP Code Execution

PHP-Charts v1.0 contains a PHP code execution vulnerability in wizard/url.php, where user-supplied GET parameter names are passed directly to eval() without sanitization. A remote attacker can exploit this flaw by crafting a request that injects arbitrary PHP code, resulting in command execution under the web server's context. The vulnerability allows unauthenticated attackers to execute system-level commands via base64-encoded payloads embedded in parameter names, leading to full compromise of the host system.

Published Aug 5, 2025 · Updated Apr 7, 2026

Critical · CVSS 9.4

CVE-2013-10067: Glossword 1.8.8 - 1.8.12 Arbitrary File Upload RCE

Glossword versions 1.8.8 through 1.8.12 contain an authenticated arbitrary file upload vulnerability. When deployed as a standalone application, the administrative interface (gw_admin.php) allows users with administrator privileges to upload files to the gw_temp/a/ directory. Due to insufficient validation of file type and path, attackers can upload and execute PHP payloads, resulting in remote code execution.

Published Aug 5, 2025 · Updated Apr 7, 2026

Critical · CVSS 10

CVE-2013-10066: Kordil EDMS v2.2.60rc3 Unauthenticated Arbitrary File Upload

An unauthenticated arbitrary file upload vulnerability exists in Kordil EDMS v2.2.60rc3. The application exposes an upload endpoint (users_add.php) that allows attackers to upload files to the /userpictures/ directory without authentication. This flaw enables remote code execution by uploading a PHP payload and invoking it via a direct HTTP request.

Published Aug 5, 2025 · Updated Apr 7, 2026

Medium · CVSS 6.9

CVE-2013-10062: Linksys Routers apply.cgi Path Traversal

A directory traversal vulnerability exists in Linksys router's web interface (tested on the E1500 model firmware versions 1.0.00, 1.0.04, and 1.0.05), specifically in the /apply.cgi endpoint. Authenticated attackers can exploit the next_page POST parameter to access arbitrary files outside the intended web root by injecting traversal sequences. This allows exposure of sensitive system files and configuration data.

Published Aug 1, 2025 · Updated Apr 7, 2026

High · CVSS 8.6

CVE-2013-10061: Netgear Routers setup.cgi RCE

An authenticated OS command injection vulnerability exists in Netgear routers (tested on the DGN1000B model firmware versions 1.1.00.24 and 1.1.00.45) via the TimeToLive parameter in the setup.cgi endpoint. The vulnerability arises from improper input neutralization, enabling command injection through crafted POST requests. This flaw enables remote attackers to deploy payloads or manipulate system state post-authentication.

Published Aug 1, 2025 · Updated Apr 7, 2026

High · CVSS 8.6

CVE-2013-10058: Linksys Routers apply.cgi Remote Command Injection

An authenticated OS command injection vulnerability exists in various Linksys router models (tested on WRT160Nv2) running firmware version v2.0.03 via the apply.cgi endpoint. The web interface fails to properly sanitize user-supplied input passed to the ping_size parameter during diagnostic operations. An attacker with valid credentials can inject arbitrary shell commands, enabling remote code execution.

Published Aug 1, 2025 · Updated Apr 7, 2026

High · CVSS 7.5

CVE-2013-10057: Synactis PDF In-The-Box ConnectToSynactic Stack-Based Buffer Overflow

A stack-based buffer overflow vulnerability exists in Synactis PDF In-The-Box ActiveX control (PDF_IN_1.ocx), specifically the ConnectToSynactis method. When a long string is passed to this method—intended to populate the ldCmdLine argument of a WinExec call—a strcpy operation overwrites a saved TRegistry class pointer on the stack. This allows remote attackers to execute arbitrary code in the context of the user by enticing them to visit a malicious webpage that instantiates the vulnerable ActiveX control. The vulnerability was discovered via its use in third-party software such as Logic Print 2013.

Published Aug 1, 2025 · Updated Apr 7, 2026

Critical · CVSS 9.3

CVE-2013-10055: Havalite CMS Arbitary File Upload RCE

An unauthenticated arbitrary file upload vulnerability exists in Havalite CMS version 1.1.7 (and possibly earlier) in the upload.php script. The application fails to enforce proper file extension validation and authentication checks, allowing remote attackers to upload malicious PHP files via a crafted multipart/form-data POST request. Once uploaded, the attacker can access the file directly under havalite/tmp/files/, resulting in remote code execution.

Published Aug 1, 2025 · Updated Apr 7, 2026

Critical · CVSS 9.3

CVE-2013-10054: LibrettoCMS File Manager Arbitrary File Upload

An unauthenticated arbitrary file upload vulnerability exists in LibrettoCMS version 1.1.7 (and possibly earlier) contains an unauthenticated arbitrary file upload vulnerability in its File Manager plugin. The upload handler located at adm/ui/js/ckeditor/plugins/pgrfilemanager/php/upload.php fails to properly validate file extensions, allowing attackers to upload files with misleading extensions and subsequently rename them to executable .php scripts. This enables remote code execution on the server without authentication.

Published Aug 4, 2025 · Updated Apr 7, 2026

High · CVSS 8.5

CVE-2013-10052: ZPanel zsudo Local Privilege Escalation

ZPanel includes a helper binary named zsudo, intended to allow restricted privilege escalation for administrative tasks. However, when misconfigured in /etc/sudoers, zsudo can be invoked by low-privileged users to execute arbitrary commands as root. This flaw enables local attackers with shell access to escalate privileges by writing a payload to a writable directory and executing it via zsudo. The vulnerability is particularly impactful in post-exploitation scenarios following web server compromise, where the attacker inherits access to zsudo.

Published Aug 4, 2025 · Updated Apr 7, 2026

Critical · CVSS 9.3

CVE-2013-10049: Raidsonic NAS Devices Unauthenticated Remote Command Execution

An OS command injection vulnerability exists in multiple Raidsonic NAS devices—specifically tested on IB-NAS5220 and IB-NAS4220—via the unauthenticated timeHandler.cgi endpoint exposed through the web interface. The CGI script fails to properly sanitize user-supplied input in the timeZone parameter of a POST request, allowing remote attackers to inject arbitrary shell commands.

Published Aug 1, 2025 · Updated Apr 7, 2026

High · CVSS 8.5

CVE-2013-10046: Agnitum Outpost Internet Security Local Privilege Escalation

A local privilege escalation vulnerability exists in Agnitum Outpost Internet Security 8.1 that allows an unprivileged user to execute arbitrary code with SYSTEM privileges. The flaw resides in the acs.exe component, which exposes a named pipe that accepts unauthenticated commands. By exploiting a directory traversal weakness in the pipe protocol, an attacker can instruct the service to load a malicious DLL from a user-controlled location. The DLL is then executed in the context of the privileged service.

Published Aug 1, 2025 · Updated Apr 7, 2026

Critical · CVSS 9.3

CVE-2013-10038: FlashChat Arbitrary File Upload RCE

An unauthenticated arbitrary file upload vulnerability exists in FlashChat versions 6.0.2 and 6.0.4 through 6.0.8. The upload.php endpoint fails to properly validate file types and authentication, allowing attackers to upload malicious PHP scripts. Once uploaded, these scripts can be executed remotely, resulting in arbitrary code execution as the web server user.

Published Jul 31, 2025 · Updated Apr 7, 2026

Critical · CVSS 9.3

CVE-2013-10037: WebTester 5.x install2.php Unauthenticated Command Execution

An OS command injection vulnerability exists in WebTester version 5.x via the install2.php installation script. The parameters cpusername, cppassword, and cpdomain are passed directly to shell commands without sanitization. A remote unauthenticated attacker can exploit this flaw by sending a crafted HTTP POST request, resulting in arbitrary command execution on the underlying system with web server privileges.

Published Jul 31, 2025 · Updated Apr 7, 2026

High · CVSS 8.4

CVE-2013-10036: Beetel Connection Manager NetConfig.ini Stack-Based Buffer Overflow

A stack-based buffer overflow vulnerability exists in Beetel Connection Manager version PCW_BTLINDV1.0.0B04 when parsing the UserName parameter in the NetConfig.ini configuration file. A crafted .ini file containing an overly long UserName value can overwrite the Structured Exception Handler (SEH), leading to arbitrary code execution when the application processes the file.

Published Jul 31, 2025 · Updated Apr 7, 2026

Critical · CVSS 9.3

CVE-2013-10033: Kimai 0.9.2 db_restore.php SQL Injection

An unauthenticated SQL injection vulnerability exists in Kimai version 0.9.2.x via the db_restore.php endpoint. The flaw allows attackers to inject arbitrary SQL queries into the dates[] POST parameter, enabling file write via INTO OUTFILE under specific environmental conditions. This can lead to remote code execution by writing a PHP payload to the web-accessible temporary directory. The vulnerability has been confirmed in versions including 0.9.2.beta, 0.9.2.1294.beta, and 0.9.2.1306-3.

Published Jul 31, 2025 · Updated Apr 7, 2026

High · CVSS 8.7

CVE-2013-10032: GetSimple CMS 3.2.1 Authenticated RCE via Arbitrary PHP File Upload

An authenticated remote code execution vulnerability exists in GetSimpleCMS version 3.2.1. The application’s upload.php endpoint allows authenticated users to upload arbitrary files without proper validation of MIME types or extensions. By uploading a .pht file containing PHP code, an attacker can bypass blacklist-based restrictions and place executable code within the web root. A crafted request using a polyglot or disguised extension allows the attacker to execute the payload by accessing the file directly via the web server. This vulnerability exists due to the use of a blacklist for filtering file types instead of a whitelist.

Published Jul 25, 2025 · Updated Apr 7, 2026

Medium · CVSS 6.9

CVE-2013-20005: Qool CMS 2.0 RC2 Cross-Site Request Forgery via adduser

Qool CMS 2.0 RC2 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions by tricking logged-in users into visiting malicious web pages. Attackers can forge POST requests to the /admin/adduser endpoint with parameters like username, password, email, and level to create root-level user accounts without user consent.

Published Mar 15, 2026 · Updated Mar 16, 2026

High · CVSS 8.7

CVE-2013-20006: Qool CMS Multiple Persistent Cross-Site Scripting Vulnerabilities

Qool CMS contains multiple persistent cross-site scripting vulnerabilities in several administrative scripts where POST parameters are not properly sanitized before being stored and returned to users. Attackers can inject malicious JavaScript code through parameters like 'title', 'name', 'email', 'username', 'link', and 'task' in endpoints such as addnewtype, addnewdatafield, addmenu, addusergroup, addnewuserfield, adduser, addgeneraldata, and addcontentitem to execute arbitrary scripts in administrator browsers.

Published Mar 15, 2026 · Updated Mar 16, 2026

High · CVSS 8.8 · CISA KEV

CVE-2013-0648: Unspecified vulnerability in the ExternalInterface ActionScript functionality in Adobe Flash Player before...

Unspecified vulnerability in the ExternalInterface ActionScript functionality in Adobe Flash Player before 10.3.183.67 and 11.x before 11.6.602.171 on Windows and Mac OS X, and before 10.3.183.67 and 11.x before 11.2.202.273 on Linux, allows remote attackers to execute arbitrary code via crafted SWF content, as exploited in the wild in February 2013.

Published Feb 27, 2013 · Updated Jan 12, 2026

Unknown · CVSS Not scored

CVE-2013-0340: expat before version 2.4.0 does not properly handle entities expansion unless an application developer uses...

expat before version 2.4.0 does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.

Published Jan 21, 2014 · Updated Nov 25, 2025