CVE-2019-11193 – DirectAdmin 1.561 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2019-11193
The FileManager in InfinitumIT DirectAdmin through v1.561 has XSS via CMD_FILE_MANAGER, CMD_SHOW_USER, and CMD_SHOW_RESELLER; an attacker can use the XSS to bypass the CSRF protection and take over the administration panel. The bypass works because script injected into the panel's own origin is not a cross-site request at all: it can issue state-changing requests with whatever the CSRF check expects (tokens, Referer, Origin), so an Origin or token check does not help once a reflected XSS exists in the same origin. DirectAdmin versions 1.561 and below suffer from multiple cross-site scripting vulnerabilities.
• https://www.exploit-db.com/exploits/46694
• http://packetstormsecurity.com/files/152494/DirectAdmin-1.561-Cross-Site-Scripting.html
• https://numanozdemir.com/respdisc/directadmin.pdf
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
• CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2019-9625 – DirectAdmin 1.55 - 'CMD_ACCOUNT_ADMIN' Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2019-9625
JBMC DirectAdmin 1.55 allows CSRF via the /CMD_ACCOUNT_ADMIN URI to create a new admin account. Exploitation requires a logged-in administrator to load attacker-controlled content (a page with an auto-submitting form); the forged request then rides on the victim's session cookie, and the newly created admin account gives the attacker persistent access. DirectAdmin version 1.55 suffers from a cross-site request forgery vulnerability.
• https://www.exploit-db.com/exploits/46520
• https://github.com/ManhNho/CVEs/blob/master/New-Requests/DirectAdmin-CSRF
• CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2017-18045
https://notcve.org/view.php?id=CVE-2017-18045
JBMC DirectAdmin before 1.52, when the email_ftp_password_change setting is nonzero, allows remote attackers to obtain access or cause a denial of service (segfault) via an unspecified request. Only installations with that setting enabled are affected; the vendor changelog entry below describes the fix in 1.52.
• https://www.directadmin.com/features.php?id=2036
CVE-2012-5305
https://notcve.org/view.php?id=CVE-2012-5305
Cross-site scripting (XSS) vulnerability in CMD_DOMAIN in JBMC Software DirectAdmin 1.403 allows remote attackers to inject arbitrary web script or HTML via the domain parameter.
• http://archives.neohapsis.com/archives/bugtraq/2012-04/0034.html
• http://www.securityfocus.com/bid/52848
• http://www.vulnerability-lab.com/get_content.php?id=486
• https://exchange.xforce.ibmcloud.com/vulnerabilities/74569
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2012-3842
https://notcve.org/view.php?id=CVE-2012-3842
Multiple cross-site scripting (XSS) vulnerabilities in CMD_DOMAIN in JBMC Software DirectAdmin 1.403 allow remote authenticated users with certain privileges to inject arbitrary web script or HTML via the (1) select0 or (2) select8 parameters.
• http://archives.neohapsis.com/archives/bugtraq/2012-04/0214.html
• http://www.securityfocus.com/bid/53281
• http://www.vulnerability-lab.com/get_content.php?id=509
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
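The two bug classes in this list (reflected XSS through echoed parameters such as domain, select0 and select8 in CMD_DOMAIN, and CSRF against a state-changing POST such as /CMD_ACCOUNT_ADMIN) can both be checked with a small probe. The following is an added example, not DirectAdmin's code nor any of the linked exploits: it runs a local stand-in server that imitates the shape of the affected handlers in a vulnerable and a hardened configuration, then runs a reflection probe and a foreign-Origin POST probe against each. The stand-in itself, the attacker origin `attacker.invalid` and the form field `example` are constructed for the example; only the path and parameter names come from the CVE text.

```python
"""Reflected-XSS and CSRF probes, run against a local stand-in server.

Added example, not DirectAdmin's code. The stand-in imitates a panel
handler that echoes query parameters into the page (vulnerable: raw;
hardened: HTML-escaped) and a POST that changes state (vulnerable: no
origin check; hardened: Origin must match Host). The form field and the
attacker origin used by the probes are constructed, not DirectAdmin's.
"""
import html
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Canary containing every character html.escape(quote=True) must neutralise.
CANARY = 'xss"\'<canary>'


def make_handler(hardened: bool):
    class Handler(BaseHTTPRequestHandler):
        def _reply(self, status: int, body: bytes = b"") -> None:
            self.send_response(status)
            self.send_header("Content-Type", "text/html; charset=utf-8")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def do_GET(self):
            # Echo each query parameter into the page, the way CMD_DOMAIN echoed
            # domain/select0/select8. Hardened mode escapes before output.
            query = urllib.parse.urlsplit(self.path).query
            rows = []
            for name, values in urllib.parse.parse_qs(query).items():
                value = html.escape(values[0], quote=True) if hardened else values[0]
                rows.append(f"<p>{html.escape(name)}: {value}</p>")
            self._reply(200, ("<html><body>" + "".join(rows) + "</body></html>").encode())

        def do_POST(self):
            # State-changing request. Hardened mode requires an Origin header
            # whose host matches ours; browsers attach Origin to cross-site form
            # posts, so a forged form on another site is refused. Script already
            # running in this origin (XSS) is NOT stopped by this check.
            origin = urllib.parse.urlsplit(self.headers.get("Origin", "")).netloc
            self.rfile.read(int(self.headers.get("Content-Length", "0")))
            if hardened and origin != self.headers.get("Host", ""):
                self._reply(403, b"cross-site request refused")
                return
            self._reply(200, b"account created")

        def log_message(self, *args):  # keep the probe output readable
            pass

    return Handler


def start_server(hardened: bool):
    """Start the stand-in on a free loopback port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), make_handler(hardened))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}"


def reflected_unescaped(base_url: str, path: str, params) -> list:
    """Names of parameters whose canary value comes back in the page unchanged."""
    hits = []
    for name in params:
        url = f"{base_url}/{path}?{urllib.parse.urlencode({name: CANARY})}"
        with urllib.request.urlopen(url, timeout=5) as resp:
            page = resp.read().decode("utf-8", "replace")
        if CANARY in page:
            hits.append(name)
    return hits


def cross_site_post_accepted(base_url: str, path: str, form: dict) -> bool:
    """True if a POST carrying a foreign Origin header gets a 2xx response."""
    req = urllib.request.Request(
        f"{base_url}/{path}",
        data=urllib.parse.urlencode(form).encode(),
        headers={"Origin": "https://attacker.invalid",  # constructed attacker site
                 "Content-Type": "application/x-www-form-urlencoded"},
    )
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return 200 <= resp.getcode() < 300
    except urllib.error.HTTPError:
        return False


if __name__ == "__main__":
    for hardened in (False, True):
        srv, base = start_server(hardened)
        label = "hardened" if hardened else "vulnerable"
        print(label, "reflected unescaped:",
              reflected_unescaped(base, "CMD_DOMAIN", ["domain", "select0", "select8"]))
        print(label, "cross-site POST accepted:",
              cross_site_post_accepted(base, "CMD_ACCOUNT_ADMIN", {"example": "1"}))
        srv.shutdown()
```

Two caveats when pointing this at a real target: a byte-for-byte reflection of the canary shows the output is not HTML-escaped, which is the condition behind CWE-79, but confirming exploitability still needs the injection context (attribute, text node, script string) to be examined; and the Origin check in the hardened stand-in only defends against genuinely cross-site requests, which is exactly why the XSS in CVE-2019-11193 is described as a CSRF bypass.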