CVE-2010-0013

Directory traversal vulnerability in slp.c in the MSN protocol plugin in libpurple in Pidgin 2.6.4 and Adium 1.3.8 allows remote attackers to read arbitrary files via a .. (dot dot) in an application/x-msnmsgrp2p MSN emoticon (aka custom smiley) request, a related issue to CVE-2004-0122. NOTE: it could be argued that this is resultant from a vulnerability in which an emoticon download request is processed even without a preceding text/x-mms-emoticon message that announced availability of the emoticon.

Published: Jan 9, 2010
Updated: May 9, 2024
CVE: CVE-2010-0013
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:P/I:N/A:N

CWEs:

CWE-22

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
adium / adium	1.3.8	1.3.8.x
pidgin / pidgin	2.6.4	2.6.4.x
fedoraproject / fedora	11	11.x
fedoraproject / fedora	12	12.x
suse / linux_enterprise_server	10-sp2	10-sp2.x
suse / linux_enterprise_server	10-sp3	10-sp3.x
suse / linux_enterprise	11.0	11.0.x
opensuse / opensuse	11.0	11.2.x
redhat / enterprise_linux	4.0	4.0.x
redhat / enterprise_linux	5.0	5.0.x

Vulnerability Database

289,599

CVE-2010-0013