CVE-2012-6666
https://notcve.org/view.php?id=CVE-2012-6666
vBSeo before 3.6.0PL2 allows XSS via the member.php u parameter. vBSeo versiones anteriores a 3.6.0PL2, permite un ataque de tipo XSS por medio del parámetro u del archivo member.php. • https://www.exploit-db.com/exploits/37944 https://www.securityfocus.com/bid/55908 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2012-5223 – vBSEO 3.6.0 - 'proc_deutf()' Remote PHP Code Injection
https://notcve.org/view.php?id=CVE-2012-5223
The proc_deutf function in includes/functions_vbseocp_abstract.php in vBSEO 3.5.0, 3.5.1, 3.5.2, 3.6.0, and earlier allows remote attackers to insert and execute arbitrary PHP code via "complex curly syntax" in the char_repl parameter, which is inserted into a regular expression that is processed by the preg_replace function with the eval switch. La función proc_deutf en includes/functions_vbseocp_abstract.php en vBSEO v3.5.0, v3.5.1, v3.5.2, v3.6.0, y anteriores permite a atacantes remotos insertar y ejecutar código PHP a través "complex curly syntax" en el parámetro char_repl, el cual es insertado en una expresión regular que es procesada por la función preg_replace con el modificador eval. • https://www.exploit-db.com/exploits/18424 http://osvdb.org/78508 http://secunia.com/advisories/47699 http://www.exploit-db.com/exploits/18424 http://www.securityfocus.com/bid/51647 http://www.vbseo.com/f5/vbseo-security-bulletin-all-supported-versions-patch-release-52783 https://exchange.xforce.ibmcloud.com/vulnerabilities/72689 - • CWE-94: Improper Control of Generation of Code ('Code Injection') •