
CVSS: 8.3 | EPSS: 86% | CPEs: 2 | EXPL: 2

27 Oct 2023 — An issue was discovered in ISPConfig before 3.2.11p1. PHP code injection can be achieved in the language file editor by an admin if admin_allow_langedit is enabled. ISPConfig versions 4.2.11 and below suffer from a PHP code injection vulnerability in language_edit.php. • https://packetstorm.news/files/id/176126 • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

05 Jan 2021 — ISPConfig before 3.2.2 allows SQL injection. • https://twitter.com/ispconfig/status/1346142615511724032 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 9.8 | EPSS: 0% | CPEs: 4 | EXPL: 0

25 Feb 2020 — ISPConfig before 3.1.15p3, when the undocumented reverse_proxy_panel_allowed=sites option is manually enabled, allows SQL injection. • https://www.ispconfig.org/blog/ispconfig-3-1-15p3-released-security-bugfix-release • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 9.8 | EPSS: 1% | CPEs: 1 | EXPL: 1

23 Jan 2020 — ISPConfig 3.0.4.3: the "Add new Webdav user" function can chmod and chown the entire server from the client interface. • http://www.openwall.com/lists/oss-security/2012/04/08/3 • CWE-732: Incorrect Permission Assignment for Critical Resource

CVSS: 7.8 | EPSS: 0% | CPEs: 1 | EXPL: 2

04 Oct 2018 — An unanchored /[a-z]{2}/ regular expression in ISPConfig before 3.1.13 makes it possible to include arbitrary files, leading to code execution. This is exploitable by authenticated users who have local filesystem access. • https://0x09al.github.io/security/ispconfig/exploit/vulnerability/2018/08/20/bug-or-backdoor-ispconfig-rce.html • CWE-185: Incorrect Regular Expression

CVSS: 9.0 | EPSS: 0% | CPEs: 56 | EXPL: 0

07 Dec 2017 — ISPConfig 3.x before 3.1.9 allows remote authenticated users to obtain root access by creating a crafted cron job. • https://www.ispconfig.org/blog/ispconfig-3-1-9-released-important-security-update • CWE-269: Improper Privilege Management

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 4

10 Jun 2015 — SQL injection vulnerability in monitor/show_sys_state.php in ISPConfig before 3.0.5.4p7 allows remote authenticated users with monitor permissions to execute arbitrary SQL commands via the server parameter. NOTE: this can be leveraged by remote attackers using CVE-2015-4119. • https://packetstorm.news/files/id/132238 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 8.8 | EPSS: 2% | CPEs: 1 | EXPL: 4

10 Jun 2015 — Multiple cross-site request forgery (CSRF) vulnerabilities in ISPConfig before 3.0.5.4p7 allow remote attackers to hijack the authentication of (1) administrators for requests that create an administrator account via a request to admin/users_edit.php or (2) arbitrary users for requests that conduct SQL injection attacks via the server parameter to monitor/show_sys_state.php. • https://packetstorm.news/files/id/132238 • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 8.8 | EPSS: 89% | CPEs: 1 | EXPL: 4

30 Oct 2013 — ISPConfig 3.0.5.2 has arbitrary PHP code execution. • https://packetstorm.news/files/id/123855

CVSS: 9.8 | EPSS: 8% | CPEs: 1 | EXPL: 2

15 Jun 2006 — Multiple PHP remote file inclusion vulnerabilities in ISPConfig 2.2.3 allow remote attackers to execute arbitrary PHP code via a URL in the (1) go_info[isp][classes_root] parameter in (a) server.inc.php, and the (2) go_info[server][classes_root] parameter in (b) app.inc.php, (c) login.php, and (d) trylogin.php. NOTE: this issue has been disputed by the vendor, who states that the original researcher "reviewed the installation tarball that is not identical with the resulting system after installation. The fil... • https://www.exploit-db.com/exploits/28027