7.5

CVE-2010-0013

Directory traversal vulnerability in slp.c in the MSN protocol plugin in libpurple in Pidgin 2.6.4 and Adium 1.3.8 allows remote attackers to read arbitrary files via a .. (dot dot) in an application/x-msnmsgrp2p MSN emoticon (aka custom smiley) request, a related issue to CVE-2004-0122.  NOTE: it could be argued that this is resultant from a vulnerability in which an emoticon download request is processed even without a preceding text/x-mms-emoticon message that announced availability of the emoticon.

Data is provided by the National Vulnerability Database (NVD)
AdiumAdium Version1.3.8
PidginPidgin Version2.6.4
FedoraprojectFedora Version11
FedoraprojectFedora Version12
OpensuseOpensuse Version >= 11.0 <= 11.2
SuseLinux Enterprise Version11.0 Update-
SuseLinux Enterprise Server Version10 Updatesp2 SwEdition-
SuseLinux Enterprise Server Version10 Updatesp3 SwEdition-
RedhatEnterprise Linux Version4.0
RedhatEnterprise Linux Version5.0
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 12.31% 0.932
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov 5 10 2.9
AV:N/AC:L/Au:N/C:P/I:N/A:N
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

http://secunia.com/advisories/37953
Vendor Advisory
Broken Link
http://secunia.com/advisories/37954
Vendor Advisory
Broken Link
http://www.vupen.com/english/advisories/2009/3662
Vendor Advisory
Permissions Required
http://www.vupen.com/english/advisories/2009/3663
Vendor Advisory
Permissions Required