CVE-2013-6404 — Quassel vulnerability

CWE-2645 documents5 sources

Severity

4.0MEDIUMNVD

EPSS

0.4%

top 36.42%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Quassel-irc Quassel Debian Quassel Quassel-irc Quassel IRC

Timeline

PublishedDec 9

Latest updateMay 17

Description

Quassel core (server daemon) in Quassel IRC before 0.9.2 does not properly verify the user ID when accessing user backlogs, which allows remote authenticated users to read other users' backlogs via the bufferid in (1) 16/select_buffer_by_id.sql, (2) 16/select_buffer_by_id.sql, and (3) 16/select_buffer_by_id.sql in core/SQL/PostgreSQL/.

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 8.0 | Impact: 2.9

Affected Packages3 packages

▶debiandebian/quassel< quassel 0.9.2-1 (bookworm)

▶Debianquassel-irc/quassel< 0.9.2-1+3

▶NVDquassel-irc/quassel_irc0.9.1+1

Patches

Patch: quassel-irc.org ↗Patch: github.com ↗Patch: quassel-irc.org ↗

🔴Vulnerability Details

GHSA

GHSA-pvv4-25p8-vqx8: Quassel core (server daemon) in Quassel IRC before 0↗2022-05-17

▶

OSV

CVE-2013-6404: Quassel core (server daemon) in Quassel IRC before 0↗2013-12-09

▶

📋Vendor Advisories

Debian

CVE-2013-6404: quassel - Quassel core (server daemon) in Quassel IRC before 0.9.2 does not properly verif...↗2013

▶

💬Community

Bugzilla

CVE-2013-6404 quassel: manipulated clients can access backlog of all users on a shared core↗2013-11-28

▶