CVE-2013-0267
HIGH
Apache VCL 2.1-2.2.1, 2.3-2.3.1 - Privilege Escalation, DoS, and XSS via Improper Data Validation
Title source: llm
Description
The Privileges portion of the web GUI and the XMLRPC API in Apache VCL 2.3.x before 2.3.2, 2.2.x before 2.2.2 and 2.1 allow remote authenticated users with nodeAdmin, manageGroup, resourceGrant, or userGrant permissions to gain privileges, cause a denial of service, or conduct cross-site scripting (XSS) attacks by leveraging improper data validation.
References (4)
Core References
Various Sources mailing-list
x_refsource_mlist
https://mail-archives.apache.org/mod_mbox/www-announce/201305.mbox/%3C1658214.8zndv4WEi7%40treebeard%3E
Third Party Advisory x_refsource_confirm
https://github.com/apache/vcl/commit/56c0f040056d6ad8693b20cfd3351367c2ffeabc#diff-2567a5ec9705eb7ac2c984033e06189d
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/944592973c91cd106a42095271c3f6c7ab9c8d70077b8c6a8d4d92d0%40%3Ccommits.vcl.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/632da9e45fce333f21782f1fe10b1d8e77a63811a34fe8e286dedc99%40%3Ccommits.vcl.apache.org%3E
Scores
CVSS v3
8.8
EPSS
0.0033
EPSS Percentile
55.9%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-20
CWE-264
Status
published
Products (2)
apache/vcl
2.1
apache/vcl
2.2 - 2.2.2
Published
Feb 21, 2018
Tracked Since
Feb 18, 2026