CVE-2010-0013
PUBLISHED
CVSS 7.5 HIGH
Directory traversal vulnerability in slp.c in the MSN protocol plugin in libpurple in Pidgin 2.6.4 and Adium 1.3.8 allows remote attackers to read arbitrary files via a .. (dot dot) in an application/x-msnmsgrp2p MSN emoticon (aka custom smiley) request, a related issue to CVE-2004-0122. NOTE: it could be argued that this is resultant from a vulnerability in which an emoticon download request is processed even without a preceding text/x-mms-emoticon message that announced availability of the emoticon.
EPSS 12.85% · 94.2th percentile
Risk Scores
- CVSS 3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
- EPSS Score: 12.85% (94.2th percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| opensuse | opensuse | 11.0 |
| redhat | enterprise_linux | 4.0, 5.0 |
| suse | linux_enterprise | 11.0 |
| pidgin | pidgin | 2.6.4 |
| suse | linux_enterprise_server | 10, 10 |
| adium | adium | 1.3.8 |
| fedoraproject | fedora | 12, 11 |
Exploit Intelligence
- CIRCL confirmed: CVE-2010-0013 (circl-sighting)
- FEDORA-2010-0368 (circl)
- 38915 (circl)
- https://bugzilla.redhat.com/show_bug.cgi?id=552483 (circl)
- 277450 (circl)
- 37954 (circl)
- MDVSA-2010:085 (circl)
- [oss-security] 20100107 Re: CVE request - pidgin MSN arbitrary file upload (circl)
- oval:org.mitre.oval:def:17620 (circl)
- 1022203 (circl)
…and 17 more exploits
Timeline
- Jan 9, 2010 CVE Published
- Jan 19, 2010 PoC Published
- Feb 4, 2022 EPSS Score
- Mar 29, 2022 EPSS Score
- Jul 12, 2022 EPSS Score
- Sep 4, 2022 EPSS Score
- Dec 18, 2022 EPSS Score
- Feb 9, 2023 EPSS Score
- Mar 7, 2023 EPSS Score
- Apr 25, 2023 EPSS Score
- May 25, 2023 EPSS Score
References
- [oss-security] 20100102 CVE request - pidgin MSN arbitrary file upload mailing-list
- 37953 third-party-advisory
- http://d.pidgin.im/viewmtn/revision/info/3d02401cf232459fc80c0837d31e05fae7ae5467 url
- https://bugzilla.redhat.com/show_bug.cgi?id=552483 url
- 277450 vendor-advisory
- 37954 third-party-advisory
- MDVSA-2010:085 vendor-advisory
- [oss-security] 20100107 Re: CVE request - pidgin MSN arbitrary file upload mailing-list
- oval:org.mitre.oval:def:17620 vdb
- 1022203 vendor-advisory
- ADV-2009-3663 vdb
- http://developer.pidgin.im/viewmtn/revision/diff/3d02401cf232459fc80c0837d31e05fae7ae5467/with/c64a1adc8bda2b4aeaae1f273541afbc4f71b810/libpurple/protocols/msn/slp.c url
- FEDORA-2010-0368 vendor-advisory
- FEDORA-2010-0429 vendor-advisory
- ADV-2010-1020 vdb
- SUSE-SR:2010:006 vendor-advisory
- oval:org.mitre.oval:def:10333 vdb
- http://events.ccc.de/congress/2009/Fahrplan/events/3596.en.html url
- http://d.pidgin.im/viewmtn/revision/info/4be2df4f72bd8a55cdae7f2554b73342a497c92f url
- ADV-2009-3662 vdb
…and 5 more