6 results (0.010 seconds)

CVSS: 9.8EPSS: 1%CPEs: 1EXPL: 0

Kunena before 5.0.4 does not restrict avatar file extensions to gif, jpeg, jpg, and png. This can lead to XSS and remote code execution. Kunena anterior a la versión 5.0.4 no restringe las extensiones de archivos de avatar a gif, jpeg, jpg y png. Esto puede conducir a XSS y a la ejecución remota de código. • https://github.com/Kunena/Kunena-Forum/pull/5028 https://www.kunena.org/blog/179-kunena-5-0-4-released https://www.kunena.org/bugs/changelog • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1

The Kunena extension before 5.1.14 for Joomla! allows XSS via BBCode. La extensión de Kunena versiones anteriores a 5.1.14 para Joomla!, permite un ataque de tipo XSS por medio de BBCode. • https://github.com/h3llraiser/CVE-2019-15120 https://vel.joomla.org/resolved/2260-kunena-5-0-x-5-1-14-xss-cross-site-scripting https://www.kunena.org/blog/207-kunena-5-1-14-released • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 1

In the Kunena extension 5.0.2 through 5.0.4 for Joomla!, the forum message subject (aka topic subject) accepts JavaScript, leading to XSS. Six files are affected: crypsis/layouts/message/item/default.php, crypsis/layouts/message/item/top/default.php, crypsis/layouts/message/item/bottom/default.php, crypsisb3/layouts/message/item/default.php, crypsisb3/layouts/message/item/top/default.php, and crypsisb3/layouts/message/item/bottom/default.php. This is fixed in 5.0.5. En la extensión Kunena 5.0.2 en versiones hasta 5.0.4 para Joomla! • http://www.fox.ra.it/technical-articles/kunena-vulnerability-2017-01.html http://www.securityfocus.com/bid/101677 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1

Multiple SQL injection vulnerabilities in the Kunena component before 3.0.6 for Joomla! allow remote authenticated users to execute arbitrary SQL commands via the index value in an array parameter, as demonstrated by the topics[] parameter in an unfavorite action to index.php. Múltiples vulnerabilidades de inyección SQL en el componente Kunena anterior a 3.0.6 para Joomla! permiten a usuarios remotos autenticados ejecutar comandos SQL arbitrarios a través del valor de indice en un parámetro del array, tal y como fue demostrado por el parámetro topics[] en una acción unfavorite en index.php. • http://packetstormsecurity.com/files/127683/Joomla-Kunena-Forum-3.0.5-SQL-Injection.html http://www.kunena.org/blog/139-kunena-3-0-6-released http://www.kunena.org/docs/Kunena_3.0.6_Read_Me http://www.securityfocus.com/bid/68956 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 1

Multiple cross-site scripting (XSS) vulnerabilities in the Kunena component before 3.0.6 for Joomla! allow remote attackers to inject arbitrary web script or HTML via the (1) index value of an array parameter or the filename parameter in the Content-Disposition header to the (2) file or (3) profile image upload functionality. Múltiples vulnerabilidades de XSS en el componente Kunena anterior a 3.0.6 para Joomla! permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de (1) el valor de indice de un parámetro del array o el parámetro filename en la cabecera Content-Disposition en la funcionalidad de subida de imagen de (2) ficheros o (3) perfiles. • http://packetstormsecurity.com/files/127684/joomlakunena305-xss.txt http://www.kunena.org/blog/139-kunena-3-0-6-released http://www.kunena.org/docs/Kunena_3.0.6_Read_Me http://www.securityfocus.com/bid/68956 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •