Vulnerability Name: CVE-2013-6404 (CCN-89377)
Assigned: 2013-11-28
Published: 2013-11-28
Updated: 2017-08-29
Summary: Quassel core (server daemon) in Quassel IRC before 0.9.2 does not properly verify the user ID when accessing user backlogs, which allows remote authenticated users to read other users' backlogs via the bufferid in (1) 16/select_buffer_by_id.sql, (2) 16/select_buffer_by_id.sql, and (3) 16/select_buffer_by_id.sql in core/SQL/PostgreSQL/.
CVSS v3 Severity:
  5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVSS v2 Severity:
  4.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N)
  3.0 Low (Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N/E:U/RL:OF/RC:C)
  3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
Vulnerability Type: CWE-264
Vulnerability Consequences: Bypass Security
References:
  Source: MITRE; Type: CNA; CVE-2013-6404
  Source: SUSE; Type: UNKNOWN; openSUSE-SU-2013:1929
  Source: SUSE; Type: UNKNOWN; openSUSE-SU-2014:0114
  Source: OSVDB; Type: UNKNOWN; 100432
  Source: CCN; Type: Quassel IRC Web site; Quassel IRC
  Source: CONFIRM; Type: Patch, Vendor Advisory; http://quassel-irc.org/node/123
  Source: CCN; Type: oss-sec Mailing List, Thu, 28 Nov 2013 01:05:39 -0700; Re: CVE Request: Quassel IRC - manipulated clients can access backlog of all users on a shared core
  Source: CCN; Type: SA55640; Quassel IRC Backlog Access Bypass Vulnerabilities
  Source: SECUNIA; Type: Vendor Advisory; 55640
  Source: MLIST; Type: UNKNOWN; [oss-security] 20131127 Re: CVE Request: Quassel IRC - manipulated clients can access backlog of all users on a shared core
  Source: CCN; Type: OSVDB ID: 100432; Quassel IRC Crafted Request Arbitrary User Backlog Remote Disclosure
  Source: CCN; Type: BID-63980; Quassel IRC CVE-2013-6404 Security Bypass Vulnerability
  Source: XF; Type: UNKNOWN; quasselirc-cve20136404-sec-bypass(89377)
  Source: CONFIRM; Type: Exploit, Patch; https://github.com/quassel/quassel/commit/a1a24da
  Source: CCN; Type: WhiteSource Vulnerability Database; CVE-2013-6404
Vulnerable Configuration: Configuration 1: Denotes that component is vulnerable