
CVSS: 3.5 • EPSS: 0% • CPEs: 15 • EXPL: 0

Cross-site scripting (XSS) vulnerability in the Simplenews module 5.x before 5.x-1.5 and 6.x before 6.x-1.0-beta4, a module for Drupal, allows remote authenticated users, with "administer taxonomy" permissions, to inject arbitrary web script or HTML via a Newsletter category field.

• http://drupal.org/node/312944
• http://secunia.com/advisories/32022
• http://www.securityfocus.com/bid/31377
• https://exchange.xforce.ibmcloud.com/vulnerabilities/45407
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

SimpNews 2.41.03 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download arbitrary .inc files via a direct request, as demonstrated by admin/includes/dbtables.inc. SimpNews version 2.41.03 suffers from a local file inclusion vulnerability.

• http://forum.boesch-it.de/viewtopic.php?t=2791
• http://lists.grok.org.uk/pipermail/full-disclosure/2007-September/066056.html
• http://osvdb.org/45479
• http://securityreason.com/securityalert/3173
• http://www.netvigilance.com/advisory0069
• http://www.securityfocus.com/archive/1/480601/100/0/threaded
• https://exchange.xforce.ibmcloud.com/vulnerabilities/36778
• CWE-264: Permissions, Privileges, and Access Controls

CVSS: 5.0 • EPSS: 1% • CPEs: 1 • EXPL: 0

SimpNews 2.41.03 allows remote attackers to obtain sensitive information via (1) an invalid lang parameter to admin/index.php; or a direct request to (2) admin/dbg_infos.php, (3) admin/heading.php, or (4) evsearch.php; which reveals the path in various error messages.

• http://forum.boesch-it.de/viewtopic.php?t=2791
• http://lists.grok.org.uk/pipermail/full-disclosure/2007-September/066052.html
• http://osvdb.org/43540
• http://osvdb.org/43541
• http://osvdb.org/43542
• http://osvdb.org/43543
• http://securityreason.com/securityalert/3174
• http://www.netvigilance.com/advisory0068
• http://www.securityfocus.com/archive/1/480588/100/0/threaded
• https://exchange.xforce.ibmcloud.com/vulnerabilities/36779

CVSS: 10.0 • EPSS: 7% • CPEs: 1 • EXPL: 1

SQL injection vulnerability in print.php in SimpleNews 1.0.0 FINAL allows remote attackers to execute arbitrary SQL commands via the news_id parameter.

• https://www.exploit-db.com/exploits/3886
• http://osvdb.org/35910
• http://secunia.com/advisories/25223
• http://www.securityfocus.com/bid/23904
• http://www.vupen.com/english/advisories/2007/1741
• http://www.w4ck1ng.com/exploits/w4ck1ng_simplenews.txt
• https://exchange.xforce.ibmcloud.com/vulnerabilities/34220