CVE-2013-6404

Name: CVE-2013-6404
Description: Quassel core (server daemon) in Quassel IRC before 0.9.2 does not properly verify the user ID when accessing user backlogs, which allows remote authenticated users to read other users' backlogs via the bufferid in (1) 16/select_buffer_by_id.sql, (2) 16/select_buffer_by_id.sql, and (3) 16/select_buffer_by_id.sql in core/SQL/PostgreSQL/.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| quassel (PTS) | stretch (security), stretch | 1:0.12.4-2+deb9u1 | fixed |
| | buster | 1:0.13.1-1+deb10u2 | fixed |
| | bookworm, bullseye, sid | 1:0.13.1-5 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| quassel | source | wheezy | 0.8.0-1+deb7u1 | | | |
| quassel | source | (unstable) | 0.9.2-1 | low | | |

Notes

[squeeze] - quassel <no-dsa> (Minor issue)
https://github.com/quassel/quassel/commit/a1a24da
