CVE-2010-0013

CVSS V2: Medium 5; CVSS V3: None
Description
Directory traversal vulnerability in slp.c in the MSN protocol plugin in libpurple in Pidgin 2.6.4 and Adium 1.3.8 allows remote attackers to read arbitrary files via a .. (dot dot) in an application/x-msnmsgrp2p MSN emoticon (aka custom smiley) request, a related issue to CVE-2004-0122. NOTE: it could be argued that this is resultant from a vulnerability in which an emoticon download request is processed even without a preceding text/x-mms-emoticon message that announced availability of the emoticon.
Overview
  • CVE ID: CVE-2010-0013
  • Assigner: secalert@redhat.com
  • Vulnerability Status: Modified
  • Published Version: 2010-01-09T18:30:01
  • Last Modified Date: 2023-02-13T02:21:00
CPE Configuration (Product)
  • cpe:2.3:a:adium:adium:1.3.8:*:*:*:*:*:*:* (Vulnerable: 1; Operator: OR; Version Start: none; Version End: none)
  • cpe:2.3:a:pidgin:pidgin:2.6.4:*:*:*:*:*:*:* (Vulnerable: 1; Operator: OR; Version Start: none; Version End: none)
CVSS Version 2
  • Version: 2.0
  • Vector String: AV:N/AC:L/Au:N/C:P/I:N/A:N
  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: NONE
  • Availability Impact: NONE
  • Base Score: 5
  • Severity: MEDIUM
  • Exploitability Score: 10
  • Impact Score: 2.9
References
Reference URL (Reference Tags)
https://bugzilla.redhat.com/show_bug.cgi?id=552483
http://www.vupen.com/english/advisories/2009/3663 (Vendor Advisory)
http://d.pidgin.im/viewmtn/revision/info/3d02401cf232459fc80c0837d31e05fae7ae5467
http://www.vupen.com/english/advisories/2009/3662 (Vendor Advisory)
http://d.pidgin.im/viewmtn/revision/info/4be2df4f72bd8a55cdae7f2554b73342a497c92f
http://events.ccc.de/congress/2009/Fahrplan/events/3596.en.html
http://d.pidgin.im/viewmtn/revision/info/c64a1adc8bda2b4aeaae1f273541afbc4f71b810
http://developer.pidgin.im/viewmtn/revision/diff/3d02401cf232459fc80c0837d31e05fae7ae5467/with/c64a1adc8bda2b4aeaae1f273541afbc4f71b810/libpurple/protocols/msn/slp.c
http://secunia.com/advisories/37954 (Vendor Advisory)
http://www.openwall.com/lists/oss-security/2010/01/07/1
http://secunia.com/advisories/37953 (Vendor Advisory)
http://www.openwall.com/lists/oss-security/2010/01/07/2
http://www.openwall.com/lists/oss-security/2010/01/02/1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-277450-1
http://secunia.com/advisories/38915
http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html
http://lists.fedoraproject.org/pipermail/package-announce/2010-January/033771.html
http://secunia.com/advisories/37961
http://lists.fedoraproject.org/pipermail/package-announce/2010-January/033848.html
http://www.vupen.com/english/advisories/2010/1020
http://www.mandriva.com/security/advisories?name=MDVSA-2010:085
http://sunsolve.sun.com/search/document.do?assetkey=1-77-1022203.1-1
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A17620
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10333
History
  • 2022-05-10 08:35:15: Added to TrackCVE
  • 2023-02-13 03:03:28: CVE Modified Date updated (2023-02-13T02:21:00)
  • 2023-02-13 03:03:29: Description updated (old value and new value are both identical to the text under Description above)