CVE-2013-7449
published 2016-04-21


Severity: medium (CVSS 3.0 base score 6.5)
EPSS: 0.76% (50.5th percentile)
The ssl_do_connect function in common/server.c in HexChat before 2.10.2, XChat, and XChat-GNOME does not verify that the server hostname matches a domain name in the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Affected

Vendor           | Product      | Version range                   | Fixed in
canonical        | ubuntu_linux |                                 |
debian           | hexchat      | < hexchat 2.10.2-1 (bookworm)   | hexchat 2.10.2-1 (bookworm)
hexchat_project  | hexchat      | <= 2.10.1                       |
hexchat_project  | hexchat      | >= 0, < 2.10.2-1                | 2.10.2-1

CVSS provenance

Source         | Version | Score | Severity | Vector
nvd            | 3.0     | 6.5   | MEDIUM   | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
nvd            | 2.0     | 5.8   | MEDIUM   | AV:N/AC:M/Au:N/C:P/I:P/A:N
osv            |         | 6.5   | MEDIUM   |
vendor_debian  |         | 6.5   | MEDIUM   |
vendor_redhat  |         | 6.5   | MEDIUM   |