#VU33305 Input validation error in ZNC - CVE-2013-2130

Cybersecurity Help s.r.o.

Published: 2014-06-05 | Updated: 2020-08-03

Vulnerability identifier: #VU33305

Vulnerability risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2013-2130

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
ZNC
Server applications / IDS/IPS systems, Firewalls and proxy servers

Vendor: ZNC

Description

The vulnerability allows remote authenticated users to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can cause a denial of service (NULL pointer reference and crash) via a crafted request to the (1) editnetwork, (2) editchan, (3) addchan, or (4) delchan page in modules/webadmin.cpp.

Mitigation
Update to version 1.2.

Vulnerable software versions

ZNC: 1.0

External links
https://advisories.mageia.org/MGASA-2013-0257.html
https://lists.fedoraproject.org/pipermail/package-announce/2013-August/114144.html
https://lists.fedoraproject.org/pipermail/package-announce/2013-August/114172.html
https://secunia.com/advisories/53450
https://www.mandriva.com/security/advisories?name=MDVSA-2015:013
https://www.openwall.com/lists/oss-security/2013/05/30/3
https://github.com/znc/znc/commit/2bd410ee5570cea127233f1133ea22f25174eb28

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Input validation error in ZNC

Fedora EPEL 6 update for znc

Input validation error in znc (Alpine package)