CVE-2010-0013

Vulnerable software: cpe:/a:adium:adium:1.3.8, cpe:/a:pidgin:pidgin:2.6.4
Published: 2010-01-09T13:30:01.697-05:00
Last modified: 2017-09-18T21:30:09.797-04:00

CVSS base score: 5.0
Access vector: NETWORK
Access complexity: LOW
Authentication: NONE
Confidentiality impact: PARTIAL
Integrity impact: NONE
Availability impact: NONE
CVSS source: http://nvd.nist.gov
CVSS generated: 2010-01-11T09:45:00.000-05:00

References:
SUNALERT 1022203
SUNALERT 277450
SECUNIA 37953
SECUNIA 37954
SECUNIA 37961
SECUNIA 38915
VUPEN ADV-2009-3662
VUPEN ADV-2009-3663
VUPEN ADV-2010-1020
FEDORA FEDORA-2010-0368
FEDORA FEDORA-2010-0429
MANDRIVA MDVSA-2010:085
SUSE SUSE-SR:2010:006
MLIST [oss-security] 20100102 CVE request - pidgin MSN arbitrary file upload
MLIST [oss-security] 20100107 Re: CVE request - pidgin MSN arbitrary file upload
MISC http://d.pidgin.im/viewmtn/revision/info/3d02401cf232459fc80c0837d31e05fae7ae5467
MISC http://d.pidgin.im/viewmtn/revision/info/4be2df4f72bd8a55cdae7f2554b73342a497c92f
CONFIRM http://d.pidgin.im/viewmtn/revision/info/c64a1adc8bda2b4aeaae1f273541afbc4f71b810
CONFIRM http://developer.pidgin.im/viewmtn/revision/diff/3d02401cf232459fc80c0837d31e05fae7ae5467/with/c64a1adc8bda2b4aeaae1f273541afbc4f71b810/libpurple/protocols/msn/slp.c
MISC http://events.ccc.de/congress/2009/Fahrplan/events/3596.en.html
CONFIRM https://bugzilla.redhat.com/show_bug.cgi?id=552483

Description:
Directory traversal vulnerability in slp.c in the MSN protocol plugin in libpurple in Pidgin 2.6.4 and Adium 1.3.8 allows remote attackers to read arbitrary files via a .. (dot dot) in an application/x-msnmsgrp2p MSN emoticon (aka custom smiley) request, a related issue to CVE-2004-0122. NOTE: it could be argued that this is resultant from a vulnerability in which an emoticon download request is processed even without a preceding text/x-mms-emoticon message that announced availability of the emoticon.