Pidgin
Source repositories
CVEs (89)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-2380 | Low | 0.20 | 3.1 | 0.02 | Jan 6, 2017 | An information leak exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent to the server could potentially result in an out-of-bounds read. A user could be convinced to enter a particular string which would then get converted incorrectly and… | ||
| CVE-2009-2694 | 0.05 | — | 0.20 | Aug 21, 2009 | The msn_slplink_process_msg function in libpurple/protocols/msn/slplink.c in libpurple, as used in Pidgin (formerly Gaim) before 2.5.9 and Adium 1.3.5 and earlier, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application… | |||
| CVE-2009-1376 | 0.04 | — | 0.13 | May 26, 2009 | Multiple integer overflows in the msn_slplink_process_msg functions in the MSN protocol handler in (1) libpurple/protocols/msn/slplink.c and (2) libpurple/protocols/msnp9/slplink.c in Pidgin (formerly Gaim) before 2.5.6 on 32-bit platforms allow remote attackers to execute… | |||
| CVE-2008-2955 | 0.04 | — | 0.07 | Jul 1, 2008 | Pidgin 2.4.1 allows remote attackers to cause a denial of service (crash) via a long filename that contains certain characters, as demonstrated using an MSN message that triggers the crash in the msn_slplink_process_msg function. | |||
| CVE-2012-1257 | 0.03 | — | 0.01 | Nov 20, 2019 | Pidgin 2.10.0 uses DBUS for certain cleartext communication, which allows local users to obtain sensitive information via a dbus session monitor. | |||
| CVE-2013-6490 | 0.01 | — | 0.15 | Feb 6, 2014 | The SIMPLE protocol functionality in Pidgin before 2.10.8 allows remote attackers to have an unspecified impact via a negative Content-Length header, which triggers a buffer overflow. | |||
| CVE-2013-6487 | 0.01 | — | 0.08 | Feb 6, 2014 | Integer overflow in libpurple/protocols/gg/lib/http.c in the Gadu-Gadu (gg) parser in Pidgin before 2.10.8 allows remote attackers to have an unspecified impact via a large Content-Length value, which triggers a buffer overflow. | |||
| CVE-2012-3374 | 0.01 | — | 0.06 | Jul 7, 2012 | Buffer overflow in markup.c in the MXit protocol plugin in libpurple in Pidgin before 2.10.5 allows remote attackers to execute arbitrary code via a crafted inline image in a message. | |||
| CVE-2022-26491 | 0.00 | — | 0.02 | May 31, 2022 | An issue was discovered in Pidgin before 2.14.9. A remote attacker who can spoof DNS responses can redirect a client connection to a malicious server. The client will perform TLS certificate verification of the malicious domain name instead of the original XMPP service domain,… | |||
| CVE-2014-3698 | 0.00 | — | 0.04 | Oct 29, 2014 | The jabber_idn_validate function in jutil.c in the Jabber protocol plugin in libpurple in Pidgin before 2.10.10 allows remote attackers to obtain sensitive information from process memory via a crafted XMPP message. | |||
| CVE-2014-3697 | 0.00 | — | 0.04 | Oct 29, 2014 | Absolute path traversal vulnerability in the untar_block function in win32/untar.c in Pidgin before 2.10.10 on Windows allows remote attackers to write to arbitrary files via a drive name in a tar archive of a smiley theme. | |||
| CVE-2014-3696 | 0.00 | — | 0.03 | Oct 29, 2014 | nmevent.c in the Novell GroupWise protocol plugin in libpurple in Pidgin before 2.10.10 allows remote servers to cause a denial of service (application crash) via a crafted server message that triggers a large memory allocation. | |||
| CVE-2014-3695 | 0.00 | — | 0.03 | Oct 29, 2014 | markup.c in the MXit protocol plugin in libpurple in Pidgin before 2.10.10 allows remote servers to cause a denial of service (application crash) via a large length value in an emoticon response. | |||
| CVE-2014-3694 | 0.00 | — | 0.02 | Oct 29, 2014 | The (1) bundled GnuTLS SSL/TLS plugin and the (2) bundled OpenSSL SSL/TLS plugin in libpurple in Pidgin before 2.10.10 do not properly consider the Basic Constraints extension during verification of X.509 certificates from SSL servers, which allows man-in-the-middle attackers to… | |||
| CVE-2013-6489 | 0.00 | — | 0.06 | Feb 6, 2014 | Integer signedness error in the MXit functionality in Pidgin before 2.10.8 allows remote attackers to cause a denial of service (segmentation fault) via a crafted emoticon value, which triggers an integer overflow and a buffer overflow. | |||
| CVE-2013-6482 | 0.00 | — | 0.02 | Feb 6, 2014 | Pidgin before 2.10.8 allows remote MSN servers to cause a denial of service (NULL pointer dereference and crash) via a crafted (1) SOAP response, (2) OIM XML response, or (3) Content-Length header. | |||
| CVE-2013-6481 | 0.00 | — | 0.04 | Feb 6, 2014 | libpurple/protocols/yahoo/libymsg.c in Pidgin before 2.10.8 allows remote attackers to cause a denial of service (crash) via a Yahoo! P2P message with a crafted length field, which triggers a buffer over-read. | |||
| CVE-2014-0020 | 0.00 | — | 0.03 | Feb 6, 2014 | The IRC protocol plugin in libpurple in Pidgin before 2.10.8 does not validate argument counts, which allows remote IRC servers to cause a denial of service (application crash) via a crafted message. | |||
| CVE-2013-6486 | 0.00 | — | 0.04 | Feb 6, 2014 | gtkutils.c in Pidgin before 2.10.8 on Windows allows user-assisted remote attackers to execute arbitrary programs via a message containing a file: URL that is improperly handled during construction of an explorer.exe command. NOTE: this vulnerability exists because of an… | |||
| CVE-2013-6485 | 0.00 | — | 0.02 | Feb 6, 2014 | Buffer overflow in util.c in libpurple in Pidgin before 2.10.8 allows remote HTTP servers to cause a denial of service (application crash) or possibly have unspecified other impact via an invalid chunk-size field in chunked transfer-coding data. |
- risk 0.20cvss 3.1epss 0.02
An information leak exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent to the server could potentially result in an out-of-bounds read. A user could be convinced to enter a particular string which would then get converted incorrectly and…
- CVE-2009-2694Aug 21, 2009risk 0.05cvss —epss 0.20
The msn_slplink_process_msg function in libpurple/protocols/msn/slplink.c in libpurple, as used in Pidgin (formerly Gaim) before 2.5.9 and Adium 1.3.5 and earlier, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application…
- CVE-2009-1376May 26, 2009risk 0.04cvss —epss 0.13
Multiple integer overflows in the msn_slplink_process_msg functions in the MSN protocol handler in (1) libpurple/protocols/msn/slplink.c and (2) libpurple/protocols/msnp9/slplink.c in Pidgin (formerly Gaim) before 2.5.6 on 32-bit platforms allow remote attackers to execute…
- CVE-2008-2955Jul 1, 2008risk 0.04cvss —epss 0.07
Pidgin 2.4.1 allows remote attackers to cause a denial of service (crash) via a long filename that contains certain characters, as demonstrated using an MSN message that triggers the crash in the msn_slplink_process_msg function.
- CVE-2012-1257Nov 20, 2019risk 0.03cvss —epss 0.01
Pidgin 2.10.0 uses DBUS for certain cleartext communication, which allows local users to obtain sensitive information via a dbus session monitor.
- CVE-2013-6490Feb 6, 2014risk 0.01cvss —epss 0.15
The SIMPLE protocol functionality in Pidgin before 2.10.8 allows remote attackers to have an unspecified impact via a negative Content-Length header, which triggers a buffer overflow.
- CVE-2013-6487Feb 6, 2014risk 0.01cvss —epss 0.08
Integer overflow in libpurple/protocols/gg/lib/http.c in the Gadu-Gadu (gg) parser in Pidgin before 2.10.8 allows remote attackers to have an unspecified impact via a large Content-Length value, which triggers a buffer overflow.
- CVE-2012-3374Jul 7, 2012risk 0.01cvss —epss 0.06
Buffer overflow in markup.c in the MXit protocol plugin in libpurple in Pidgin before 2.10.5 allows remote attackers to execute arbitrary code via a crafted inline image in a message.
- CVE-2022-26491May 31, 2022risk 0.00cvss —epss 0.02
An issue was discovered in Pidgin before 2.14.9. A remote attacker who can spoof DNS responses can redirect a client connection to a malicious server. The client will perform TLS certificate verification of the malicious domain name instead of the original XMPP service domain,…
- CVE-2014-3698Oct 29, 2014risk 0.00cvss —epss 0.04
The jabber_idn_validate function in jutil.c in the Jabber protocol plugin in libpurple in Pidgin before 2.10.10 allows remote attackers to obtain sensitive information from process memory via a crafted XMPP message.
- CVE-2014-3697Oct 29, 2014risk 0.00cvss —epss 0.04
Absolute path traversal vulnerability in the untar_block function in win32/untar.c in Pidgin before 2.10.10 on Windows allows remote attackers to write to arbitrary files via a drive name in a tar archive of a smiley theme.
- CVE-2014-3696Oct 29, 2014risk 0.00cvss —epss 0.03
nmevent.c in the Novell GroupWise protocol plugin in libpurple in Pidgin before 2.10.10 allows remote servers to cause a denial of service (application crash) via a crafted server message that triggers a large memory allocation.
- CVE-2014-3695Oct 29, 2014risk 0.00cvss —epss 0.03
markup.c in the MXit protocol plugin in libpurple in Pidgin before 2.10.10 allows remote servers to cause a denial of service (application crash) via a large length value in an emoticon response.
- CVE-2014-3694Oct 29, 2014risk 0.00cvss —epss 0.02
The (1) bundled GnuTLS SSL/TLS plugin and the (2) bundled OpenSSL SSL/TLS plugin in libpurple in Pidgin before 2.10.10 do not properly consider the Basic Constraints extension during verification of X.509 certificates from SSL servers, which allows man-in-the-middle attackers to…
- CVE-2013-6489Feb 6, 2014risk 0.00cvss —epss 0.06
Integer signedness error in the MXit functionality in Pidgin before 2.10.8 allows remote attackers to cause a denial of service (segmentation fault) via a crafted emoticon value, which triggers an integer overflow and a buffer overflow.
- CVE-2013-6482Feb 6, 2014risk 0.00cvss —epss 0.02
Pidgin before 2.10.8 allows remote MSN servers to cause a denial of service (NULL pointer dereference and crash) via a crafted (1) SOAP response, (2) OIM XML response, or (3) Content-Length header.
- CVE-2013-6481Feb 6, 2014risk 0.00cvss —epss 0.04
libpurple/protocols/yahoo/libymsg.c in Pidgin before 2.10.8 allows remote attackers to cause a denial of service (crash) via a Yahoo! P2P message with a crafted length field, which triggers a buffer over-read.
- CVE-2014-0020Feb 6, 2014risk 0.00cvss —epss 0.03
The IRC protocol plugin in libpurple in Pidgin before 2.10.8 does not validate argument counts, which allows remote IRC servers to cause a denial of service (application crash) via a crafted message.
- CVE-2013-6486Feb 6, 2014risk 0.00cvss —epss 0.04
gtkutils.c in Pidgin before 2.10.8 on Windows allows user-assisted remote attackers to execute arbitrary programs via a message containing a file: URL that is improperly handled during construction of an explorer.exe command. NOTE: this vulnerability exists because of an…
- CVE-2013-6485Feb 6, 2014risk 0.00cvss —epss 0.02
Buffer overflow in util.c in libpurple in Pidgin before 2.10.8 allows remote HTTP servers to cause a denial of service (application crash) or possibly have unspecified other impact via an invalid chunk-size field in chunked transfer-coding data.
Page 2 of 5