Vulnerability Details CVE-2013-7449
The ssl_do_connect function in common/server.c in HexChat before 2.10.2, XChat, and XChat-GNOME does not verify that the server hostname matches a domain name in the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 52.5%
CVSS Severity
CVSS v3 Score 6.5
CVSS v2 Score 5.8
References
- http://hexchat.readthedocs.org/en/latest/changelog.html
- http://www.ubuntu.com/usn/USN-2945-1
- https://bugzilla.redhat.com/show_bug.cgi?id=1081839
- https://github.com/hexchat/hexchat/commit/c9b63f7f9be01692b03fa15275135a4910a7e02d
- https://github.com/hexchat/hexchat/issues/524
- http://hexchat.readthedocs.org/en/latest/changelog.html
- http://www.ubuntu.com/usn/USN-2945-1
- https://bugzilla.redhat.com/show_bug.cgi?id=1081839
- https://github.com/hexchat/hexchat/commit/c9b63f7f9be01692b03fa15275135a4910a7e02d
- https://github.com/hexchat/hexchat/issues/524
Products affected by CVE-2013-7449
-
cpe:2.3:a:hexchat_project:hexchat:2.10.0
-
cpe:2.3:a:hexchat_project:hexchat:2.10.1
-
cpe:2.3:a:hexchat_project:hexchat:2.9.0
-
cpe:2.3:a:hexchat_project:hexchat:2.9.1
-
cpe:2.3:a:hexchat_project:hexchat:2.9.2
-
cpe:2.3:a:hexchat_project:hexchat:2.9.3
-
cpe:2.3:a:hexchat_project:hexchat:2.9.4
-
cpe:2.3:a:hexchat_project:hexchat:2.9.5
-
cpe:2.3:a:hexchat_project:hexchat:2.9.6
-
cpe:2.3:a:xchat:xchat:-
-
cpe:2.3:a:xchat:xchat_gnome:-
-
cpe:2.3:o:canonical:ubuntu_linux:12.04
-
cpe:2.3:o:canonical:ubuntu_linux:14.04
-
cpe:2.3:o:canonical:ubuntu_linux:15.10