Critical · CVSS 9.1
Apache::Session versions through 1.94 for Perl re-creates deleted sessions.
The session stores Apache::Session::Store::File and Apache::Session::Store::DB_File will create a session that does not exist. This can lead to sessions being revived, potentially with data that was to be deleted.
Published May 8, 2026 · Updated May 8, 2026
High · CVSS 8.8 · CISA KEV
Integer overflow in Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2013-2727.
Published May 16, 2013 · Updated Nov 21, 2025
High · CVSS 8.8 · CISA KEV
Microsoft Internet Explorer 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly allocated or (2) is deleted, as exploited in the wild in May 2013.
Published May 5, 2013 · Updated Oct 22, 2025
High · CVSS 8.4 · CISA KEV
The perf_swevent_init function in kernel/events/core.c in the Linux kernel before 3.8.9 uses an incorrect integer data type, which allows local users to gain privileges via a crafted perf_event_open system call.
Published May 14, 2013 · Updated Oct 22, 2025
Medium · CVSS 6.5 · CISA KEV
Mozilla Firefox before 21.0, Firefox ESR 17.x before 17.0.6, Thunderbird before 17.0.6, and Thunderbird ESR 17.x before 17.0.6 do not properly initialize data structures for the nsDOMSVGZoomEvent::mPreviousScale and nsDOMSVGZoomEvent::mNewScale functions, which allows remote attackers to obtain sensitive information from process memory via a crafted web site.
Published May 16, 2013 · Updated Oct 22, 2025
High · CVSS 7.8 · CISA KEV
The EPATHOBJ::pprFlattenRec function in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, and Windows Server 2012 does not properly initialize a pointer for the next object in a certain list, which allows local users to obtain write access to the PATHRECORD chain, and consequently gain privileges, by triggering excessive consumption of paged memory and then making many FlattenPath function calls, aka "Win32k Read AV Vulnerability."
Published May 24, 2013 · Updated Oct 22, 2025
Medium · CVSS 6.5
Multiple integer overflows in libpng before 1.5.14rc03 allow remote attackers to cause a denial of service (crash) via a crafted image to the (1) png_set_sPLT or (2) png_set_text_2 function, which triggers a heap-based buffer overflow.
Published May 6, 2014 · Updated Jun 9, 2025
Medium · CVSS 6.5
Integer overflow in the png_set_unknown_chunks function in libpng/pngset.c in libpng before 1.5.14beta08 allows context-dependent attackers to cause a denial of service (segmentation fault and crash) via a crafted image, which triggers a heap-based buffer overflow.
Published May 6, 2014 · Updated Jun 9, 2025
Medium · CVSS 4.8
A vulnerability was found in HTC One/Sense 4.x. It has been rated as problematic. Affected by this issue is the certification validation of the mail client. An exploit has been disclosed to the public and may be used.
Published May 17, 2022 · Updated Apr 15, 2025
Medium · CVSS 6.5
A vulnerability was found in Telecommunication Software SAMwin Contact Center Suite 5.1. It has been rated as critical. Affected by this issue is the function getCurrentDBVersion in the library SAMwinLIBVB.dll of the credential handler. Authentication is possible with hard-coded credentials. Upgrading to version 6.2 is able to address this issue. It is recommended to upgrade the affected component.
Published May 24, 2022 · Updated Apr 15, 2025
Medium · CVSS 6.5
A vulnerability classified as critical has been found in Telecommunication Software SAMwin Contact Center Suite 5.1. This affects the function getCurrentDBVersion in the library SAMwinLIBVB.dll of the database handler. The manipulation leads to sql injection. The exploit has been disclosed to the public and may be used. Upgrading to version 6.2 is able to address this issue. It is recommended to upgrade the affected component.
Published May 24, 2022 · Updated Apr 15, 2025
Medium · CVSS 6.5
A vulnerability classified as critical was found in Telecommunication Software SAMwin Contact Center Suite 5.1. This vulnerability affects the function passwordScramble in the library SAMwinLIBVB.dll of the component Password Handler. Incorrect implementation of a hashing function leads to predictable authentication possibilities. Upgrading to version 6.2 is able to address this issue. It is recommended to upgrade the affected component.
Published May 24, 2022 · Updated Apr 15, 2025
Unknown · CVSS Not scored
A certain Debian patch for GNU GRUB uses world-readable permissions for grub.cfg, which allows local users to obtain password hashes, as demonstrated by reading the password_pbkdf2 directive in the file.
Published May 12, 2014 · Updated Feb 13, 2025
High · CVSS 7.5
The Zend Engine in PHP before 5.4.16 RC1, and 5.5.0 before RC2, does not properly determine whether a parser error occurred, which allows context-dependent attackers to cause a denial of service (memory consumption and application crash) via a crafted function definition, as demonstrated by an attack within a shared web-hosting environment. NOTE: the vendor's http://php.net/security-note.php page says "for critical security situations you should be using OS-level security by running multiple web servers each as their own user id.
Published May 31, 2013 · Updated Jan 16, 2025
Unknown · CVSS Not scored
The LG Hidden Menu component for Android on the LG Optimus G E973 allows physically proximate attackers to execute arbitrary commands by entering USB Debugging mode, using Android Debug Bridge (adb) to establish a USB connection, dialing 3845#*973#, modifying the WLAN Test Wi-Fi Ping Test/User Command tcpdump command string, and pressing the CANCEL button.
Published May 29, 2013 · Updated Sep 17, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in the gp_LoadUserFromHash function in functions_hash.php in the Group Pay module 1.5 and earlier for WHMCS allows remote attackers to execute arbitrary SQL commands via the hash parameter.
Published May 13, 2013 · Updated Sep 17, 2024
Unknown · CVSS Not scored
The CallServer component in Cisco Unified Customer Voice Portal (CVP) Software before 9.0.1 ES 11 allows remote attackers to cause a denial of service (call-acceptance outage) via malformed SIP INVITE messages, aka Bug ID CSCua65148.
Published May 9, 2013 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in static/js/share.js (aka the social bookmarking widget) in Web2py before 2.3.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Published May 22, 2013 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Multiple cross-site scripting (XSS) vulnerabilities in administrative-interface pages in the management console in Symantec Brightmail Gateway 9.5.x allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
Published May 9, 2013 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Invensys Wonderware Information Server (WIS) 4.0 SP1SP1, 4.5- Portal, and 5.0- Portal does not restrict unspecified size and amount values, which allows remote attackers to execute arbitrary code or cause a denial of service (resource consumption) via unknown vectors.
Published May 9, 2013 · Updated Sep 17, 2024
Unknown · CVSS Not scored
The Tomcat Web Management feature in Cisco Unified Customer Voice Portal (CVP) Software before 9.0.1 ES 11 does not properly configure Tomcat components, which allows remote attackers to execute arbitrary code via a crafted (1) HTTP or (2) HTTPS request, aka Bug ID CSCub38384.
Published May 9, 2013 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Directory traversal vulnerability in Cisco Prime Central for Hosted Collaboration Solution allows remote attackers to read arbitrary files via a crafted URL, aka Bug ID CSCud51034.
Published May 1, 2013 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in widget_remove.php in the Feedweb plugin before 1.9 for WordPress allows remote authenticated administrators to inject arbitrary web script or HTML via the wp_post_id parameter.
Published May 31, 2013 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in the Voting plugin in Joomla! 2.5.x before 2.5.10 and 3.0.x before 3.0.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Published May 3, 2013 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Cisco Wireless LAN Controller (WLC) devices do not properly address the resource consumption of terminated TELNET sessions, which allows remote attackers to cause a denial of service (TELNET outage) by making many TELNET connections and improperly ending these connections, aka Bug ID CSCug35507.
Published May 4, 2013 · Updated Sep 17, 2024
Unknown · CVSS Not scored
IBM InfoSphere Optim Data Growth for Oracle E-Business Suite 6.x, 7.x, and 9.x before 9.1.0.3 relies on the MD5 algorithm for signatures in X.509 certificates, which makes it easier for man-in-the-middle attackers to spoof SSL servers via a crafted certificate.
Published May 27, 2013 · Updated Sep 17, 2024
Unknown · CVSS Not scored
The encryption functionality in Cisco NX-OS on the Nexus 1000V does not properly handle Virtual Supervisor Module (VSM) to Virtual Ethernet Module (VEM) communication, which allows remote attackers to intercept or modify network traffic by leveraging certain Layer 2 or Layer 3 access, aka Bug ID CSCud14691.
Published May 29, 2013 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Multiple cross-site request forgery (CSRF) vulnerabilities in the Noma component in GroundWork Monitor Enterprise 6.7.0 allow remote attackers to hijack the authentication of unspecified victims for requests that (1) store XSS sequences or (2) delete entries.
Published May 8, 2013 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Memory leak in the web framework in the server in Cisco Unified Presence (CUP) allows remote attackers to cause a denial of service (memory consumption) via malformed TCP packets, aka Bug ID CSCug38080.
Published May 10, 2013 · Updated Sep 17, 2024
Unknown · CVSS Not scored
VMware vCenter Server Appliance (vCSA) 5.1 before Update 1 allows remote authenticated users to create or overwrite arbitrary files, and consequently execute arbitrary code or cause a denial of service, by leveraging Virtual Appliance Management Interface (VAMI) web-interface access.
Published May 1, 2013 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Session fixation vulnerability in Cisco Secure Access Control System (ACS) allows remote attackers to hijack web sessions via unspecified vectors, aka Bug ID CSCud95787.
Published May 16, 2013 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Cisco Unified Communications Domain Manager allows remote attackers to cause a denial of service (CPU consumption) via a flood of malformed UDP packets, aka Bug ID CSCug47057.
Published May 1, 2013 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in the wireless configuration module in Cisco Prime Infrastructure allows remote attackers to inject arbitrary web script or HTML via an SSID that is not properly handled during display of the XML windowing table, aka Bug ID CSCuf04356.
Published May 31, 2013 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Multiple cross-site scripting (XSS) vulnerabilities in EMC RSA Archer 5.x before GRC 5.3SP1, and Archer Smart Suite Framework 4.x, allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Published May 7, 2013 · Updated Sep 17, 2024
Unknown · CVSS Not scored
The SNMP module in Cisco IOS XR allows remote authenticated users to cause a denial of service (process restart) via crafted SNMP packets, aka Bug ID CSCue69472.
Published May 3, 2013 · Updated Sep 17, 2024
Unknown · CVSS Not scored
EMC Documentum Webtop before 6.7 SP2, Documentum WDK before 6.7 SP2, Documentum Taskspace before 6.7 SP2, and Documentum Records Manager before 6.7 SP2 allow remote attackers to obtain sensitive information via vectors involving cross-origin frame navigation, related to a "Cross Frame Scripting" issue.
Published May 10, 2013 · Updated Sep 17, 2024
Unknown · CVSS Not scored
The user-management page in Cisco WebEx Social relies on client-side validation of values in the Screen Name, First Name, Middle Name, Last Name, Email Address, and Job Title fields, which allows remote authenticated users to bypass intended access restrictions via crafted requests, aka Bug ID CSCue67190.
Published May 16, 2013 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Multiple cross-site scripting (XSS) vulnerabilities in GroundWork Monitor Enterprise 6.7.0 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) the foundation-webapp/admin/ directory, (2) the NeDi component, or (3) the Noma component.
Published May 8, 2013 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Multiple cross-site request forgery (CSRF) vulnerabilities in OpenX 2.8.10, possibly before revision 82710, allow remote attackers to hijack the authentication of administrators, as demonstrated by requests that conduct directory traversal attacks via the group parameter to (1) plugin-preferences.php or (2) plugin-settings.php in www/admin, a different vulnerability than CVE-2013-3514.
Published May 14, 2014 · Updated Sep 17, 2024
Unknown · CVSS Not scored
The nsrpush process in the client in EMC NetWorker before 7.6.5.3 and 8.x before 8.0.1.4 sets weak permissions for unspecified files, which allows local users to gain privileges via unknown vectors.
Published May 3, 2013 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Memory leak in the SNMP process in Cisco IOS XR allows remote attackers to cause a denial of service (memory consumption or process reload) by sending many port-162 UDP packets, aka Bug ID CSCug80345.
Published May 23, 2013 · Updated Sep 17, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in Invensys Wonderware Information Server (WIS) 4.0 SP1SP1, 4.5- Portal, and 5.0- Portal allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
Published May 9, 2013 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Cross-site request forgery (CSRF) vulnerability in the Easy AdSense Lite plugin before 6.10 for WordPress allows remote attackers to hijack the authentication of arbitrary users for requests that modify this plugin's settings.
Published May 5, 2013 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in the aiContactSafe component before 2.0.21 for Joomla! allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Published May 31, 2013 · Updated Sep 17, 2024
Unknown · CVSS Not scored
The server in TIBCO Silver Mobile 1.1.0 does not properly verify access to the administrator role before executing a command, which allows authenticated users to gain privileges via unspecified vectors.
Published May 31, 2013 · Updated Sep 17, 2024
Unknown · CVSS Not scored
EMC RSA Authentication API before 8.1 SP1, RSA Web Agent before 5.3.5 for Apache Web Server, RSA Web Agent before 5.3.5 for IIS, RSA PAM Agent before 7.0, and RSA Agent before 6.1.4 for Microsoft Windows use an improper encryption algorithm and a weak key for maintaining the stored data of the node secret for the SecurID Authentication API, which allows local users to obtain sensitive information via cryptographic attacks on this data.
Published May 22, 2013 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Unspecified vulnerability on IBM WebSphere DataPower XC10 Appliance devices 2.0 and 2.1 through 2.1 FP3 allows remote attackers to bypass authentication and perform administrative actions via unknown vectors.
Published May 9, 2013 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Directory traversal vulnerability in monarch.cgi in the MONARCH component in GroundWork Monitor Enterprise 6.7.0 allows remote authenticated users to overwrite arbitrary files by leveraging access to the nagios account.
Published May 8, 2013 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Cross-site request forgery (CSRF) vulnerability in the Facebook Members plugin before 5.0.5 for WordPress allows remote attackers to hijack the authentication of administrators for requests that modify this plugin's settings.
Published May 5, 2013 · Updated Sep 17, 2024
Unknown · CVSS Not scored
html/System-Files.php in the System File Overview feature in the NeDi component in GroundWork Monitor Enterprise 6.7.0 allows remote authenticated users to execute arbitrary commands via vectors involving file editing.
Published May 8, 2013 · Updated Sep 17, 2024