LiveActive security incident?Get immediate response
CVE archive

January 2013

Browse CVE records published in January 2013, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 664 matching CVEs · Page 1 of 14.

Unknown · CVSS Not scored

CVE-2013-0340: expat before version 2.4.0 does not properly handle entities expansion unless an application developer uses...

expat before version 2.4.0 does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.

Published Jan 21, 2014 · Updated Nov 25, 2025

Critical · CVSS 9.8 · CISA KEV

CVE-2013-0422: Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code...

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using the public getMBeanInstantiator method in the JmxMBeanServer class to obtain a reference to a private MBeanInstantiator object, then retrieving arbitrary Class references using the findClass method, and (2) using the Reflection API with recursion in a way that bypasses a security check by the java.lang.invoke.MethodHandles.Lookup.checkSecurityManager method due to the inability of the sun.reflect.Reflection.getCallerClass method to skip frames related to the new reflection API, as exploited in the wild in January 2013, as demonstrated by Blackhole and Nuclear Pack, and a different vulnerability than CVE-2012-4681 and CVE-2012-3174. NOTE: some parties have mapped the recursive Reflection API issue to CVE-2012-3174, but CVE-2012-3174 is for a different vulnerability whose details are not public as of 20130114. CVE-2013-0422 covers both the JMX/MBean and Reflection API issues. NOTE: it was originally reported that Java 6 was also vulnerable, but the reporter has retracted this claim, stating that Java 6 is not exploitable because the relevant code is called in a way that does not bypass security checks. NOTE: as of 20130114, a reliable third party has claimed that the findClass/MBeanInstantiator vector was not fixed in Oracle Java 7 Update 11. If there is still a vulnerable condition, then a separate CVE identifier might be created for the unfixed issue.

Published Jan 10, 2013 · Updated Oct 22, 2025

Critical · CVSS 9.8 · CISA KEV

CVE-2013-0632: administrator.cfc in Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 allows remote attackers to bypass authentic...

administrator.cfc in Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 allows remote attackers to bypass authentication and possibly execute arbitrary code by logging in to the RDS component using the default empty password and leveraging this session to access the administrative web interface, as exploited in the wild in January 2013.

Published Jan 17, 2013 · Updated Oct 22, 2025

Medium · CVSS 5.3 · CISA KEV

CVE-2013-0431: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Updat...

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, and OpenJDK 7, allows user-assisted remote attackers to bypass the Java security sandbox via unspecified vectors related to JMX, aka "Issue 52," a different vulnerability than CVE-2013-1490.

Published Jan 31, 2013 · Updated Oct 22, 2025

Medium · CVSS 5.5

CVE-2013-10008: sheilazpy eShop sql injection

A vulnerability was found in sheilazpy eShop. It has been classified as critical. Affected is an unknown function. The manipulation leads to sql injection. The name of the patch is e096c5849c4dc09e1074104531014a62a5413884. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-217572.

Published Jan 6, 2023 · Updated May 28, 2025

Low · CVSS 2.6

CVE-2013-10006: Ziftr primecoin bitcoinrpc.cpp HTTPAuthorized timing discrepancy

A vulnerability classified as problematic was found in Ziftr primecoin up to 0.8.4rc1. Affected by this vulnerability is the function HTTPAuthorized of the file src/bitcoinrpc.cpp. The manipulation of the argument strUserPass/strRPCUserColonPass leads to observable timing discrepancy. The complexity of an attack is rather high. The exploitation appears to be difficult. Upgrading to version 0.8.4rc2 is able to address this issue. The patch is named cdb3441b5cd2c1bae49fae671dc4a496f7c96322. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217171.

Published Jan 1, 2023 · Updated Apr 10, 2025

Medium · CVSS 5.5

CVE-2013-10014: oktora24 2moons sql injection

A vulnerability classified as critical has been found in oktora24 2moons. Affected is an unknown function. The manipulation leads to sql injection. The patch is identified as 1b09cf7672eb85b5b0c8a4de321f7a4ad87b09a7. It is recommended to apply a patch to fix this issue. VDB-218898 is the identifier assigned to this vulnerability.

Published Jan 19, 2023 · Updated Nov 25, 2024

Unknown · CVSS Not scored

CVE-2013-7314: The OSPF implementation on NEC IP38X, IX1000, IX2000, and IX3000 routers does not consider the possibility...

The OSPF implementation on NEC IP38X, IX1000, IX2000, and IX3000 routers does not consider the possibility of duplicate Link State ID values in Link State Advertisement (LSA) packets before performing operations on the LSA database, which allows remote attackers to cause a denial of service (routing disruption) or obtain sensitive packet information via a crafted LSA packet, a related issue to CVE-2013-0149.

Published Jan 23, 2014 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2013-7308: The OSPF implementation on the D-Link DES-3810-28 switch with firmware R2.20.B017 does not consider the pos...

The OSPF implementation on the D-Link DES-3810-28 switch with firmware R2.20.B017 does not consider the possibility of duplicate Link State ID values in Link State Advertisement (LSA) packets before performing operations on the LSA database, which allows remote attackers to cause a denial of service (routing disruption) or obtain sensitive packet information via a crafted LSA packet, a related issue to CVE-2013-0149.

Published Jan 23, 2014 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2013-7312: The OSPF implementation on Enterasys switches and routers does not consider the possibility of duplicate Li...

The OSPF implementation on Enterasys switches and routers does not consider the possibility of duplicate Link State ID values in Link State Advertisement (LSA) packets before performing operations on the LSA database, which allows remote attackers to cause a denial of service (routing disruption) or obtain sensitive packet information via a crafted LSA packet, a related issue to CVE-2013-0149.

Published Jan 23, 2014 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2013-0209: lib/MT/Upgrade.pm in mt-upgrade.cgi in Movable Type 4.2x and 4.3x through 4.38 does not require authenticat...

lib/MT/Upgrade.pm in mt-upgrade.cgi in Movable Type 4.2x and 4.3x through 4.38 does not require authentication for requests to database-migration functions, which allows remote attackers to conduct eval injection and SQL injection attacks via crafted parameters, as demonstrated by an eval injection attack against the core_drop_meta_for_table function, leading to execution of arbitrary Perl code.

Published Jan 23, 2013 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2013-7311: The OSPF implementation in Check Point Gaia OS R75.X and R76 and IPSO OS 6.2 R75.X and R76 does not conside...

The OSPF implementation in Check Point Gaia OS R75.X and R76 and IPSO OS 6.2 R75.X and R76 does not consider the possibility of duplicate Link State ID values in Link State Advertisement (LSA) packets before performing operations on the LSA database, which allows remote attackers to cause a denial of service (routing disruption) or obtain sensitive packet information via a crafted LSA packet, a related issue to CVE-2013-0149.

Published Jan 23, 2014 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2013-0843: content/renderer/media/webrtc_audio_renderer.cc in Google Chrome before 24.0.1312.56 on Mac OS X does not u...

content/renderer/media/webrtc_audio_renderer.cc in Google Chrome before 24.0.1312.56 on Mac OS X does not use an appropriate buffer size for the 96 kHz sampling rate, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a web site that provides WebRTC audio.

Published Jan 24, 2013 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2013-7309: The OSPF implementation in Extreme Networks EXOS does not consider the possibility of duplicate Link State...

The OSPF implementation in Extreme Networks EXOS does not consider the possibility of duplicate Link State ID values in Link State Advertisement (LSA) packets before performing operations on the LSA database, which allows remote attackers to cause a denial of service (routing disruption) or obtain sensitive packet information via a crafted LSA packet, a related issue to CVE-2013-0149.

Published Jan 23, 2014 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2013-1450: Microsoft Internet Explorer 8 and 9, when the Proxy Settings configuration has the same Proxy address and P...

Microsoft Internet Explorer 8 and 9, when the Proxy Settings configuration has the same Proxy address and Port values in the HTTP and Secure rows, does not properly reuse TCP sessions to the proxy server, which allows remote attackers to obtain sensitive information intended for a specific host via a crafted HTML document that triggers many HTTPS requests and then triggers an HTTP request to that host, as demonstrated by reading a Cookie header, aka MSRC 12096gd.

Published Jan 29, 2013 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2013-7310: The OSPF implementation on Yamaha routers does not consider the possibility of duplicate Link State ID valu...

The OSPF implementation on Yamaha routers does not consider the possibility of duplicate Link State ID values in Link State Advertisement (LSA) packets before performing operations on the LSA database, which allows remote attackers to cause a denial of service (routing disruption) or obtain sensitive packet information via a crafted LSA packet, a related issue to CVE-2013-0149.

Published Jan 23, 2014 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2013-1451: Microsoft Internet Explorer 8 and 9, when the Proxy Settings configuration has the same Proxy address and P...

Microsoft Internet Explorer 8 and 9, when the Proxy Settings configuration has the same Proxy address and Port values in the HTTP and Secure rows, does not ensure that the SSL lock icon is consistent with the Address bar, which makes it easier for remote attackers to spoof web sites via a crafted HTML document that triggers many HTTPS requests to an arbitrary host, followed by an HTTPS request to a trusted host and then an HTTP request to an untrusted host, a related issue to CVE-2013-1450.

Published Jan 29, 2013 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2013-7307: The OSPF implementation on the Brocade Vyatta vRouter with software before 6.6R1 does not consider the poss...

The OSPF implementation on the Brocade Vyatta vRouter with software before 6.6R1 does not consider the possibility of duplicate Link State ID values in Link State Advertisement (LSA) packets before performing operations on the LSA database, which allows remote attackers to cause a denial of service (routing disruption) or obtain sensitive packet information via a crafted LSA packet, a related issue to CVE-2013-0149.

Published Jan 23, 2014 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2013-7313: The OSPF implementation in Juniper Junos through 13.x, JunosE, and ScreenOS through 6.3.x does not consider...

The OSPF implementation in Juniper Junos through 13.x, JunosE, and ScreenOS through 6.3.x does not consider the possibility of duplicate Link State ID values in Link State Advertisement (LSA) packets before performing operations on the LSA database, which allows remote attackers to cause a denial of service (routing disruption) or obtain sensitive packet information via a crafted LSA packet, a related issue to CVE-2013-0149.

Published Jan 23, 2014 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2013-1490: Unspecified vulnerability in Oracle Java SE 7 Update 11 (JRE 1.7.0_11-b21) allows user-assisted remote atta...

Unspecified vulnerability in Oracle Java SE 7 Update 11 (JRE 1.7.0_11-b21) allows user-assisted remote attackers to bypass the Java security sandbox via unspecified vectors, aka "Issue 51," a different vulnerability than CVE-2013-0431. NOTE: as of 20130130, this vulnerability does not contain any independently-verifiable details, and there is no vendor acknowledgement. A CVE identifier is being assigned because this vulnerability has received significant public attention, and the original researcher has an established history of releasing vulnerability reports that have been fixed by vendors. NOTE: this issue also exists in SE 6, but it cannot be exploited without a separate vulnerability.

Published Jan 31, 2013 · Updated Sep 16, 2024

Medium · CVSS 5.5

CVE-2013-1053: Insecure crypto for storing passwords

In crypt.c of remote-login-service, the cryptographic algorithm used to cache usernames and passwords is insecure. An attacker could use this vulnerability to recover usernames and passwords from the file. This issue affects version 1.0.0-0ubuntu3 and prior versions.

Published Jan 13, 2021 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2013-7306: The OSPF implementation on Brocade routers does not consider the possibility of duplicate Link State ID val...

The OSPF implementation on Brocade routers does not consider the possibility of duplicate Link State ID values in Link State Advertisement (LSA) packets before performing operations on the LSA database, which allows remote attackers to cause a denial of service (routing disruption) or obtain sensitive packet information via a crafted LSA packet, a related issue to CVE-2013-0149.

Published Jan 23, 2014 · Updated Sep 16, 2024

Medium · CVSS 5.5

CVE-2013-10013: Bricco Authenticator Plugin DBAuthenticator.java compare sql injection

A vulnerability was found in Bricco Authenticator Plugin. It has been declared as critical. This vulnerability affects the function authenticate/compare of the file src/java/talentum/escenic/plugins/authenticator/authenticators/DBAuthenticator.java. The manipulation leads to sql injection. Upgrading to version 1.39 is able to address this issue. The name of the patch is a5456633ff75e8f13705974c7ed1ce77f3f142d5. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-218428.

Published Jan 17, 2023 · Updated Aug 6, 2024

Medium · CVSS 5.5

CVE-2013-10012: antonbolling clan7ups Login/Session sql injection

A vulnerability, which was classified as critical, was found in antonbolling clan7ups. Affected is an unknown function of the component Login/Session. The manipulation leads to sql injection. The name of the patch is 25afad571c488291033958d845830ba0a1710764. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-218388.

Published Jan 16, 2023 · Updated Aug 6, 2024