CVE-2012-6519 – DIY CMS 1.0 Poll - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2012-6519
SQL injection vulnerability in modules/poll/index.php in DIY-CMS 1.0 allows remote attackers to execute arbitrary SQL commands via the start parameter to mod.php.
References: https://www.exploit-db.com/exploits/18804 • http://archives.neohapsis.com/archives/bugtraq/2012-04/0213.html • http://packetstormsecurity.org/files/112224/DIY-CMS-1.0-Poll-XSS-CSRF-SQL-Injection.html • http://secunia.com/advisories/49011 • http://www.exploit-db.com/exploits/18804 • http://www.osvdb.org/81560 • http://www.securityfocus.com/bid/53266 • http://www.vulnerability-lab.com/get_content.php?id=518 • https://exchange.xforce.ibmcloud.com/vulnerabilities/75228
Weakness: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2012-6517 – DIY CMS 1.0 Poll - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2012-6517
Multiple cross-site scripting (XSS) vulnerabilities in DiY-CMS 1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) question parameter to /modules/poll/add.php, or the (2) question or (3) answer parameter to modules/poll/edit.php.
References: https://www.exploit-db.com/exploits/18804 • http://archives.neohapsis.com/archives/bugtraq/2012-04/0213.html • http://packetstormsecurity.org/files/112224/DIY-CMS-1.0-Poll-XSS-CSRF-SQL-Injection.html • http://www.exploit-db.com/exploits/18804 • http://www.osvdb.org/81561 • http://www.securityfocus.com/bid/53266 • http://www.vulnerability-lab.com/get_content.php?id=518 • https://exchange.xforce.ibmcloud.com/vulnerabilities/75229
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2012-6518 – DIY CMS 1.0 Poll - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2012-6518
Cross-site request forgery (CSRF) vulnerability in mod.php in DiY-CMS 1.0 allows remote attackers to hijack the authentication of administrators for requests that create a poll via an add action to the poll module.
References: https://www.exploit-db.com/exploits/18804 • http://archives.neohapsis.com/archives/bugtraq/2012-04/0213.html • http://packetstormsecurity.org/files/112224/DIY-CMS-1.0-Poll-XSS-CSRF-SQL-Injection.html • http://secunia.com/advisories/49011 • http://www.exploit-db.com/exploits/18804 • http://www.osvdb.org/81562 • http://www.securityfocus.com/bid/53266 • http://www.vulnerability-lab.com/get_content.php?id=518 • https://exchange.xforce.ibmcloud.com/vulnerabilities/75230
Weakness: CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2011-5140 – DIY-CMS blog mod - SQL Injection
https://notcve.org/view.php?id=CVE-2011-5140
Multiple SQL injection vulnerabilities in the blog module 1.0 for DiY-CMS allow remote attackers to execute arbitrary SQL commands via the (1) start parameter to (a) tags.php, (b) list.php, (c) index.php, (d) main_index.php, (e) viewpost.php, (f) archive.php, (g) control/approve_comments.php, (h) control/approve_posts.php, and (i) control/viewcat.php; and the (2) month and (3) year parameters to archive.php.
References: https://www.exploit-db.com/exploits/18288 • http://secunia.com/advisories/47337 • http://www.exploit-db.com/exploits/18288 • http://www.osvdb.org/78071 • http://www.osvdb.org/78080 • http://www.osvdb.org/78081 • http://www.osvdb.org/78082 • http://www.osvdb.org/78083 • https://exchange.xforce.ibmcloud.com/vulnerabilities/72022
Weakness: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2010-3206 – DIY-CMS 1.0 - Multiple Remote File Inclusions
https://notcve.org/view.php?id=CVE-2010-3206
Multiple PHP remote file inclusion vulnerabilities in DiY-CMS 1.0 allow remote attackers to execute arbitrary PHP code via a URL in the (1) lang parameter to modules/guestbook/blocks/control.block.php, (2) main_module parameter to index.php, and (3) getFile parameter to includes/general.functions.php.
References: https://www.exploit-db.com/exploits/14822 • http://packetstormsecurity.org/1008-exploits/diycms-rfi.txt • http://www.exploit-db.com/exploits/14822 • https://exchange.xforce.ibmcloud.com/vulnerabilities/61454
Weakness: CWE-94: Improper Control of Generation of Code ('Code Injection')