CVE-2021-32172 – Maian-Cart 3.8 - Remote Code Execution (RCE) (Unauthenticated)
https://notcve.org/view.php?id=CVE-2021-32172
Maian Cart v3.8 contains a preauthorization remote code execution (RCE) exploit via a broken access control issue in the Elfinder plugin. Maian Cart versión v3.8, contiene una explotación de ejecución de código remota (RCE) por medio de un problema de control de acceso roto en el plugin Elfinder • https://www.exploit-db.com/exploits/50394 http://packetstormsecurity.com/files/164445/Maian-Cart-3.8-Remote-Code-Execution.html https://dreyand.github.io/maian-cart-rce https://github.com/DreyAnd/maian-cart-rce https://www.maianscriptworld.co.uk • CWE-862: Missing Authorization •
CVE-2014-10006
https://notcve.org/view.php?id=CVE-2014-10006
Multiple cross-site request forgery (CSRF) vulnerabilities in Maian Uploader 4.0 allow remote attackers to hijack the authentication of unspecified users for requests that conduct cross-site scripting (XSS) attacks via the width parameter to (1) uploader/admin/js/load_flv.js.php or (2) uploader/js/load_flv.js.php. Múltiples vulnerabilidades de CSRF en Maian Uploader 4.0 permiten a atacantes remotos secuestrar la autenticación de usuarios no especifcados para solicitudes que realizan ataques de XSS a través del parámetro width en (1) uploader/admin/js/load_flv.js.php o (2) uploader/js/load_flv.js.php. • http://packetstormsecurity.com/files/124918 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2014-10007
https://notcve.org/view.php?id=CVE-2014-10007
Multiple cross-site scripting (XSS) vulnerabilities in Maian Weblog 4.0 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) name, (2) email, or (3) subject parameter in a contact action to index.php. Múltiples vulnerabilidades de XSS en Maian Weblog 4.0 y anteriores permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro (1) name, (2) email, o (3) subject en una acción contact en index.php. • http://secunia.com/advisories/56797 https://exchange.xforce.ibmcloud.com/vulnerabilities/90961 https://www.netsparker.com/critical-xss-vulnerabilities-in-maian-weblog • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2014-10004
https://notcve.org/view.php?id=CVE-2014-10004
SQL injection vulnerability in admin/data_files/move.php in Maian Uploader 4.0 allows remote attackers to execute arbitrary SQL commands via the id parameter. Vulnerabilidad de inyección SQL en admin/data_files/move.php en Maian Uploader 4.0 permite a atacantes remotos ejecutar comandos SQL arbitrarios a través del parámetro id. • http://osvdb.org/102488 http://packetstormsecurity.com/files/124918 https://exchange.xforce.ibmcloud.com/vulnerabilities/90715 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2014-10005
https://notcve.org/view.php?id=CVE-2014-10005
Maian Uploader 4.0 allows remote attackers to obtain sensitive information via a request without the height parameter to load_flv.js.php, which reveals the installation path in an error message. Maian Uploader 4.0 permite a atacantes remotos obtener información sensible a través de una solicitud sin el parámetro height en load_flv.js.php, lo que revela la ruta de instalación en un mensaje de error. • http://packetstormsecurity.com/files/124918 http://www.osvdb.org/102487 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •