Total
89 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2010-1624 | 2 Canonical, Pidgin | 2 Ubuntu Linux, Pidgin | 2024-02-04 | 5.0 MEDIUM | N/A |
The msn_emoticon_msg function in slp.c in the MSN protocol plugin in libpurple in Pidgin before 2.7.0 allows remote authenticated users to cause a denial of service (NULL pointer dereference and application crash) via a custom emoticon in a malformed SLP message. | |||||
CVE-2010-0013 | 6 Adium, Fedoraproject, Opensuse and 3 more | 7 Adium, Fedora, Opensuse and 4 more | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
Directory traversal vulnerability in slp.c in the MSN protocol plugin in libpurple in Pidgin 2.6.4 and Adium 1.3.8 allows remote attackers to read arbitrary files via a .. (dot dot) in an application/x-msnmsgrp2p MSN emoticon (aka custom smiley) request, a related issue to CVE-2004-0122. NOTE: it could be argued that this is resultant from a vulnerability in which an emoticon download request is processed even without a preceding text/x-mms-emoticon message that announced availability of the emoticon. | |||||
CVE-2011-4601 | 1 Pidgin | 1 Pidgin | 2024-02-04 | 5.0 MEDIUM | N/A |
family_feedbag.c in the oscar protocol plugin in libpurple in Pidgin before 2.10.1 does not perform the expected UTF-8 validation on message data, which allows remote attackers to cause a denial of service (application crash) via a crafted (1) AIM or (2) ICQ message associated with buddy-list addition. | |||||
CVE-2010-4528 | 1 Pidgin | 2 Libpurple, Pidgin | 2024-02-04 | 4.0 MEDIUM | N/A |
directconn.c in the MSN protocol plugin in libpurple 2.7.6 through 2.7.8 in Pidgin before 2.7.9 allows remote authenticated users to cause a denial of service (NULL pointer dereference and application crash) via a short p2pv2 packet in a DirectConnect (aka direct connection) session. | |||||
CVE-2010-0277 | 2 Adium, Pidgin | 2 Adium, Pidgin | 2024-02-04 | 5.0 MEDIUM | N/A |
slp.c in the MSN protocol plugin in libpurple in Pidgin before 2.6.6, including 2.6.4, and Adium 1.3.8 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a malformed MSNSLP INVITE request in an SLP message, a different issue than CVE-2010-0013. | |||||
CVE-2010-3711 | 1 Pidgin | 1 Pidgin | 2024-02-04 | 4.0 MEDIUM | N/A |
libpurple in Pidgin before 2.7.4 does not properly validate the return value of the purple_base64_decode function, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and application crash) via a crafted message, related to the plugins for MSN, MySpaceIM, XMPP, and Yahoo! and the NTLM authentication support. | |||||
CVE-2012-1178 | 1 Pidgin | 1 Pidgin | 2024-02-04 | 5.0 MEDIUM | N/A |
The msn_oim_report_to_user function in oim.c in the MSN protocol plugin in libpurple in Pidgin before 2.10.2 allows remote servers to cause a denial of service (application crash) via an OIM message that lacks UTF-8 encoding. | |||||
CVE-2010-0423 | 1 Pidgin | 1 Pidgin | 2024-02-04 | 5.0 MEDIUM | N/A |
gtkimhtml.c in Pidgin before 2.6.6 allows remote attackers to cause a denial of service (CPU consumption and application hang) by sending many smileys in a (1) IM or (2) chat. | |||||
CVE-2009-1375 | 1 Pidgin | 1 Pidgin | 2024-02-04 | 5.0 MEDIUM | N/A |
The PurpleCircBuffer implementation in Pidgin (formerly Gaim) before 2.5.6 does not properly maintain a certain buffer, which allows remote attackers to cause a denial of service (memory corruption and application crash) via vectors involving the (1) XMPP or (2) Sametime protocol. | |||||
CVE-2009-1373 | 1 Pidgin | 1 Pidgin | 2024-02-04 | 7.1 HIGH | N/A |
Buffer overflow in the XMPP SOCKS5 bytestream server in Pidgin (formerly Gaim) before 2.5.6 allows remote authenticated users to execute arbitrary code via vectors involving an outbound XMPP file transfer. NOTE: some of these details are obtained from third party information. | |||||
CVE-2009-2694 | 2 Adium, Pidgin | 2 Adium, Pidgin | 2024-02-04 | 10.0 HIGH | N/A |
The msn_slplink_process_msg function in libpurple/protocols/msn/slplink.c in libpurple, as used in Pidgin (formerly Gaim) before 2.5.9 and Adium 1.3.5 and earlier, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) by sending multiple crafted SLP (aka MSNSLP) messages to trigger an overwrite of an arbitrary memory location. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2009-1376. | |||||
CVE-2008-2955 | 1 Pidgin | 1 Pidgin | 2024-02-04 | 4.3 MEDIUM | N/A |
Pidgin 2.4.1 allows remote attackers to cause a denial of service (crash) via a long filename that contains certain characters, as demonstrated using an MSN message that triggers the crash in the msn_slplink_process_msg function. | |||||
CVE-2009-1376 | 1 Pidgin | 1 Pidgin | 2024-02-04 | 9.3 HIGH | N/A |
Multiple integer overflows in the msn_slplink_process_msg functions in the MSN protocol handler in (1) libpurple/protocols/msn/slplink.c and (2) libpurple/protocols/msnp9/slplink.c in Pidgin (formerly Gaim) before 2.5.6 on 32-bit platforms allow remote attackers to execute arbitrary code via a malformed SLP message with a crafted offset value, leading to buffer overflows. NOTE: this issue exists because of an incomplete fix for CVE-2008-2927. | |||||
CVE-2009-3083 | 1 Pidgin | 2 Libpurple, Pidgin | 2024-02-04 | 5.0 MEDIUM | N/A |
The msn_slp_sip_recv function in libpurple/protocols/msn/slp.c in the MSN protocol plugin in libpurple in Pidgin before 2.6.2 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an SLP invite message that lacks certain required fields, as demonstrated by a malformed message from a KMess client. | |||||
CVE-2008-2927 | 2 Adium, Pidgin | 2 Adium, Pidgin | 2024-02-04 | 6.8 MEDIUM | N/A |
Multiple integer overflows in the msn_slplink_process_msg functions in the MSN protocol handler in (1) libpurple/protocols/msn/slplink.c and (2) libpurple/protocols/msnp9/slplink.c in Pidgin before 2.4.3 and Adium before 1.3 allow remote attackers to execute arbitrary code via a malformed SLP message with a crafted offset value, a different vulnerability than CVE-2008-2955. | |||||
CVE-2009-3025 | 1 Pidgin | 1 Pidgin | 2024-02-04 | 4.3 MEDIUM | N/A |
Unspecified vulnerability in Pidgin 2.6.0 allows remote attackers to cause a denial of service (crash) via a link in a Yahoo IM. | |||||
CVE-2009-3026 | 1 Pidgin | 1 Pidgin | 2024-02-04 | 5.0 MEDIUM | N/A |
protocols/jabber/auth.c in libpurple in Pidgin 2.6.0, and possibly other versions, does not follow the "require TLS/SSL" preference when connecting to older Jabber servers that do not follow the XMPP specification, which causes libpurple to connect to the server without the expected encryption and allows remote attackers to sniff sessions. | |||||
CVE-2009-1889 | 1 Pidgin | 1 Pidgin | 2024-02-04 | 5.0 MEDIUM | N/A |
The OSCAR protocol implementation in Pidgin before 2.5.8 misinterprets the ICQWebMessage message type as the ICQSMS message type, which allows remote attackers to cause a denial of service (application crash) via a crafted ICQ web message that triggers allocation of a large amount of memory. | |||||
CVE-2009-3085 | 1 Pidgin | 2 Libpurple, Pidgin | 2024-02-04 | 5.0 MEDIUM | N/A |
The XMPP protocol plugin in libpurple in Pidgin before 2.6.2 does not properly handle an error IQ stanza during an attempted fetch of a custom smiley, which allows remote attackers to cause a denial of service (application crash) via XHTML-IM content with cid: images. | |||||
CVE-2008-3532 | 1 Pidgin | 1 Pidgin | 2024-02-04 | 6.8 MEDIUM | N/A |
The NSS plugin in libpurple in Pidgin 2.4.3 does not verify SSL certificates, which makes it easier for remote attackers to trick a user into accepting an invalid server certificate for a spoofed service. |