CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 2CVE-2023-43873
https://notcve.org/view.php?id=CVE-2023-43873
A Cross Site Scripting (XSS) vulnerability in e017 CMS v.2.3.2 allows a local attacker to execute arbitrary code via a crafted script to the Name filed in the Manage Menu. Vulnerabilidad de Cross Site Scripting (XSS) en e017 CMS v.2.3.2 permite a un atacante local ejecutar código arbitrario a través de un script manipulado para el Nombre archivado en el Menú Administrar. • https://github.com/sromanhu/CVE-2023-43873-e107-CMS-Stored-XSS---Manage https://github.com/sromanhu/e107-CMS-Stored-XSS---Manage/blob/main/README.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 2CVE-2023-43874
https://notcve.org/view.php?id=CVE-2023-43874
Multiple Cross Site Scripting (XSS) vulnerability in e017 CMS v.2.3.2 allows a local attacker to execute arbitrary code via a crafted script to the Copyright and Author fields in the Meta & Custom Tags Menu. Vulnerabilidad de múltiples Cross Site Scripting (XSS) en e017 CMS v.2.3.2 permite a un atacante local ejecutar código arbitrario a través de un script manipulado a en los campos Copyright y Autor en el Menú Meta y Etiquetas Personalizadas. • https://github.com/sromanhu/CVE-2023-43874-e107-CMS-Stored-XSS---MetaCustomTags https://github.com/sromanhu/e107-CMS-Stored-XSS---MetaCustomTags/blob/main/README.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 3CVE-2023-36121
https://notcve.org/view.php?id=CVE-2023-36121
Cross Site Scripting vulnerability in e107 v.2.3.2 allows a remote attacker to execute arbitrary code via the description function in the SEO project. La vulnerabilidad Cross-Site Scripting en e107 v.2.3.2 permite a un atacante remoto ejecutar código arbitrario a través de la función de descripción en el proyecto SEO. • https://github.com/Trinity-SYT-SECURITY/XSS_vuln_issue/blob/main/e107%20v2.3.2.md https://www.chtsecurity.com/news/0a4743a5-491e-4685-95ee-df8316ab5284 https://www.chtsecurity.com/news/6c6675d4-3254-46ce-a16d-26523ff80540 https://www.exploit-db.com/exploits/51449 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.0EPSS: 2%CPEs: 66EXPL: 0CVE-2010-0996
https://notcve.org/view.php?id=CVE-2010-0996
Unrestricted file upload vulnerability in e107 before 0.7.20 allows remote authenticated users to execute arbitrary code by uploading a .php.filetypesphp file. NOTE: the vendor disputes the significance of this issue, noting that "an odd set of preferences and a missing file" are required. Vulnerabilidad de subida de fichero sin restricciones en e107 en versiones anteriores a la v0.7.20. Permite a usuarios remotos autenticados ejecutar comandos de su elección subiendo un fichero .php.filetypesphp. NOTA: el fabricante cuestiona la importancia de esta vulnerabilidad, arguyendo que se necesita "un conjunto poco común de preferencias y un fichero perdido". • http://e107.org/comment.php?comment.news.864 http://e107.org/svn_changelog.php?version=0.7.20 http://secunia.com/advisories/39013 http://secunia.com/secunia_research/2010-44 http://www.securityfocus.com/archive/1/510805/100/0/threaded http://www.securityfocus.com/bid/39540 http://www.vupen.com/english/advisories/2010/0919 https://exchange.xforce.ibmcloud.com/vulnerabilities/57932 •
CVSS: 5.1EPSS: 1%CPEs: 68EXPL: 1CVE-2009-1409 – e107 < 0.7.15 - 'extended_user_fields' Blind SQL Injection
https://notcve.org/view.php?id=CVE-2009-1409
SQL injection vulnerability in usersettings.php in e107 0.7.15 and earlier, when "Extended User Fields" is enabled and magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the hide parameter, a different vector than CVE-2005-4224 and CVE-2008-5320. Una vulnerabilidad de inyección de SQL en usersettings.php en e107 v0.7.15 y anteriores, cuando la opción "Campos de usuario extendidos" está activado y magic_quotes_gpc está desactivado, permite a atacantes remotos ejecutar comandos SQL arbitrarios a través del parámetro Hide. Se trata de un vector diferente al de CVE-2005-4224 y CVE-2008-5320. • https://www.exploit-db.com/exploits/8495 http://osvdb.org/53812 http://secunia.com/advisories/34823 http://www.securityfocus.com/bid/34614 https://exchange.xforce.ibmcloud.com/vulnerabilities/49981 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •