Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2010-0013

Directory traversal vulnerability in slp.c in the MSN protocol plugin in libpurple in Pidgin 2.6.4 and Adium 1.3.8 allows remote attackers to read arbitrary files via a .. (dot dot) in an application/x-msnmsgrp2p MSN emoticon (aka custom smiley) request, a related issue to CVE-2004-0122. NOTE: it could be argued that this is resultant from a vulnerability in which an emoticon download request is processed even without a preceding text/x-mms-emoticon message that announced availability of the emoticon.

Security Impact Summary

This vulnerability carries a HIGH severity rating with a CVSS v3.1 score of 7.5, indicating it can be exploited remotely over the network with relatively low complexity without requiring user interaction and does not require pre-existing privileges . The vulnerability impacts confidentiality (data exposure), for affected systems. Impacting 7 products from adium, from pidgin, from fedoraproject and 4 others, organizations running these solutions should prioritize assessment and patching.

Historical Context

Documented in 2010, this vulnerability occurred amid the cloud computing expansion era, where traditional network perimeter security models were being reevaluated. Organizations were transitioning from isolated infrastructure to interconnected systems, creating new attack surfaces that vulnerabilities like this could exploit.

Published

2010-01-09T18:30:01.697

Last Modified

2025-04-09T00:30:58.490

Status

Deferred

Source

[email protected]

Severity

CVSSv3.1: 7.5 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:N/A:N

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

Exploitability Score

10.0

Impact Score

2.9

Weaknesses

Type: Primary
CWE-22

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	adium	adium	1.3.8	Yes
Application	pidgin	pidgin	2.6.4	Yes
Operating System	fedoraproject	fedora	11	Yes
Operating System	fedoraproject	fedora	12	Yes
Operating System	opensuse	opensuse	≤ 11.2	Yes
Operating System	suse	linux_enterprise	11.0	Yes
Operating System	suse	linux_enterprise_server	10	Yes
Operating System	suse	linux_enterprise_server	10	Yes
Operating System	redhat	enterprise_linux	4.0	Yes
Operating System	redhat	enterprise_linux	5.0	Yes

References

http://d.pidgin.im/viewmtn/revision/info/3d02401cf232459fc80c0837d31e05fae7ae5467 Broken Link ([email protected])
http://d.pidgin.im/viewmtn/revision/info/4be2df4f72bd8a55cdae7f2554b73342a497c92f Broken Link ([email protected])
http://d.pidgin.im/viewmtn/revision/info/c64a1adc8bda2b4aeaae1f273541afbc4f71b810 Broken Link ([email protected])
http://developer.pidgin.im/viewmtn/revision/diff/3d02401cf232459fc80c0837d31e05fae7ae5467/with/c64a1adc8bda2b4aeaae1f273541afbc4f71b810/libpurple/protocols/msn/slp.c Broken Link ([email protected])
http://events.ccc.de/congress/2009/Fahrplan/events/3596.en.html Product ([email protected])
http://lists.fedoraproject.org/pipermail/package-announce/2010-January/033771.html Mailing List ([email protected])
http://lists.fedoraproject.org/pipermail/package-announce/2010-January/033848.html Mailing List ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html Mailing List ([email protected])
http://secunia.com/advisories/37953 Broken Link, Vendor Advisory ([email protected])
http://secunia.com/advisories/37954 Broken Link, Vendor Advisory ([email protected])
http://secunia.com/advisories/37961 Broken Link ([email protected])
http://secunia.com/advisories/38915 Broken Link ([email protected])
http://sunsolve.sun.com/search/document.do?assetkey=1-66-277450-1 Broken Link ([email protected])
http://sunsolve.sun.com/search/document.do?assetkey=1-77-1022203.1-1 Broken Link ([email protected])
http://www.mandriva.com/security/advisories?name=MDVSA-2010:085 Broken Link ([email protected])
http://www.openwall.com/lists/oss-security/2010/01/02/1 Mailing List, Patch ([email protected])
http://www.openwall.com/lists/oss-security/2010/01/07/1 Mailing List ([email protected])
http://www.openwall.com/lists/oss-security/2010/01/07/2 Mailing List ([email protected])
http://www.vupen.com/english/advisories/2009/3662 Permissions Required, Vendor Advisory ([email protected])
http://www.vupen.com/english/advisories/2009/3663 Permissions Required, Vendor Advisory ([email protected])
http://www.vupen.com/english/advisories/2010/1020 Permissions Required ([email protected])
https://bugzilla.redhat.com/show_bug.cgi?id=552483 Issue Tracking, Patch ([email protected])
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10333 Broken Link ([email protected])
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A17620 Broken Link ([email protected])
http://d.pidgin.im/viewmtn/revision/info/3d02401cf232459fc80c0837d31e05fae7ae5467 Broken Link (af854a3a-2127-422b-91ae-364da2661108)
http://d.pidgin.im/viewmtn/revision/info/4be2df4f72bd8a55cdae7f2554b73342a497c92f Broken Link (af854a3a-2127-422b-91ae-364da2661108)
http://d.pidgin.im/viewmtn/revision/info/c64a1adc8bda2b4aeaae1f273541afbc4f71b810 Broken Link (af854a3a-2127-422b-91ae-364da2661108)
http://developer.pidgin.im/viewmtn/revision/diff/3d02401cf232459fc80c0837d31e05fae7ae5467/with/c64a1adc8bda2b4aeaae1f273541afbc4f71b810/libpurple/protocols/msn/slp.c Broken Link (af854a3a-2127-422b-91ae-364da2661108)
http://events.ccc.de/congress/2009/Fahrplan/events/3596.en.html Product (af854a3a-2127-422b-91ae-364da2661108)
http://lists.fedoraproject.org/pipermail/package-announce/2010-January/033771.html Mailing List (af854a3a-2127-422b-91ae-364da2661108)
http://lists.fedoraproject.org/pipermail/package-announce/2010-January/033848.html Mailing List (af854a3a-2127-422b-91ae-364da2661108)
http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html Mailing List (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/37953 Broken Link, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/37954 Broken Link, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/37961 Broken Link (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/38915 Broken Link (af854a3a-2127-422b-91ae-364da2661108)
http://sunsolve.sun.com/search/document.do?assetkey=1-66-277450-1 Broken Link (af854a3a-2127-422b-91ae-364da2661108)
http://sunsolve.sun.com/search/document.do?assetkey=1-77-1022203.1-1 Broken Link (af854a3a-2127-422b-91ae-364da2661108)
http://www.mandriva.com/security/advisories?name=MDVSA-2010:085 Broken Link (af854a3a-2127-422b-91ae-364da2661108)
http://www.openwall.com/lists/oss-security/2010/01/02/1 Mailing List, Patch (af854a3a-2127-422b-91ae-364da2661108)
http://www.openwall.com/lists/oss-security/2010/01/07/1 Mailing List (af854a3a-2127-422b-91ae-364da2661108)
http://www.openwall.com/lists/oss-security/2010/01/07/2 Mailing List (af854a3a-2127-422b-91ae-364da2661108)
http://www.vupen.com/english/advisories/2009/3662 Permissions Required, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.vupen.com/english/advisories/2009/3663 Permissions Required, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.vupen.com/english/advisories/2010/1020 Permissions Required (af854a3a-2127-422b-91ae-364da2661108)
https://bugzilla.redhat.com/show_bug.cgi?id=552483 Issue Tracking, Patch (af854a3a-2127-422b-91ae-364da2661108)
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10333 Broken Link (af854a3a-2127-422b-91ae-364da2661108)
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A17620 Broken Link (af854a3a-2127-422b-91ae-364da2661108)

How SecUtils Interprets This CVE

SecUtils normalizes and enriches National Vulnerability Database (NVD) records by standardizing vendor and product identifiers, aggregating vulnerability metadata from both NVD and MITRE sources, and providing structured context for security teams. For adium's affected products, we extract Common Platform Enumeration (CPE) data, Common Weakness Enumeration (CWE) classifications, CVSS severity metrics, and reference data to enable rapid vulnerability prioritization and asset correlation. This record contains no exploit code, proof-of-concept instructions, or attack methodologies—only defensive intelligence necessary for patch management, risk assessment, and security operations.