Vulnerability Description
Quassel core (server daemon) in Quassel IRC before 0.9.2 does not properly verify the user ID when accessing user backlogs, which allows remote authenticated users to read other users' backlogs via the bufferid in (1) 16/select_buffer_by_id.sql, (2) 16/select_buffer_by_id.sql, and (3) 16/select_buffer_by_id.sql in core/SQL/PostgreSQL/.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Quassel-Irc | Quassel Irc | <= 0.9.1 |
Related Weaknesses (CWE)
References
- http://lists.opensuse.org/opensuse-updates/2013-12/msg00092.html
- http://lists.opensuse.org/opensuse-updates/2014-01/msg00078.html
- http://osvdb.org/100432
- http://quassel-irc.org/node/123PatchVendor Advisory
- http://secunia.com/advisories/55640Vendor Advisory
- http://www.openwall.com/lists/oss-security/2013/11/28/8
- https://exchange.xforce.ibmcloud.com/vulnerabilities/89377
- https://github.com/quassel/quassel/commit/a1a24daExploitPatch
- http://lists.opensuse.org/opensuse-updates/2013-12/msg00092.html
- http://lists.opensuse.org/opensuse-updates/2014-01/msg00078.html
- http://osvdb.org/100432
- http://quassel-irc.org/node/123PatchVendor Advisory
- http://secunia.com/advisories/55640Vendor Advisory
- http://www.openwall.com/lists/oss-security/2013/11/28/8
- https://exchange.xforce.ibmcloud.com/vulnerabilities/89377
FAQ
What is CVE-2013-6404?
CVE-2013-6404 is a vulnerability with a CVSS score of 4.0 (MEDIUM). Quassel core (server daemon) in Quassel IRC before 0.9.2 does not properly verify the user ID when accessing user backlogs, which allows remote authenticated users to read other users' backlogs via th...
How severe is CVE-2013-6404?
CVE-2013-6404 has been rated MEDIUM with a CVSS base score of 4.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2013-6404?
Check the references section above for vendor advisories and patch information. Affected products include: Quassel-Irc Quassel Irc.