CVSS: 7.5EPSS: 1%CPEs: 1EXPL: 2CVE-2008-4341 – MyBlog 0.9.8 - Insecure Cookie Handling
https://notcve.org/view.php?id=CVE-2008-4341
add.php in MyBlog 0.9.8 and earlier allows remote attackers to bypass authentication and gain administrative access by setting a cookie with admin=yes and login=admin. add.php en MyBlog v0.9.8 y anteriores permite a atacantes remotos evitar la autenticación y obtener acceso con privilegios de administrador asignando el valor admin=yes y login=admin en la cookie de sesión. • https://www.exploit-db.com/exploits/6531 http://www.securityfocus.com/bid/31311 http://www.vupen.com/english/advisories/2008/2654 https://exchange.xforce.ibmcloud.com/vulnerabilities/45576 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5EPSS: 3%CPEs: 1EXPL: 2CVE-2007-2081 – MyBlog 0.9.8 - 'Settings.php' Authentication Bypass
https://notcve.org/view.php?id=CVE-2007-2081
MyBlog 0.9.8 and earlier allows remote attackers to bypass authentication requirements via the admin cookie parameter to certain admin files, as demonstrated by admin/settings.php. MyBlog 0.9.8 y anteriores permite a atacantes remotos evitar los requerimientos de autenticación mediante el parámetro de administración cookie a ciertos ficheros de administración, como ha sido demostrado por admin/settings.php. • https://www.exploit-db.com/exploits/29864 http://osvdb.org/41593 http://securityreason.com/securityalert/2581 http://www.securityfocus.com/archive/1/465873/100/0/threaded http://www.securityfocus.com/bid/23521 https://exchange.xforce.ibmcloud.com/vulnerabilities/34025 •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2007-2082
https://notcve.org/view.php?id=CVE-2007-2082
Direct static code injection vulnerability in admin/settings.php in MyBlog 0.9.8 and earlier allows remote authenticated admin users to inject arbitrary PHP code via the content parameter, which can be executed by accessing index.php. NOTE: a separate vulnerability could be leveraged to make this issue exploitable by remote unauthenticated attackers. Vulnerabilidad de inyección directa de código estático en admin/settings.php de MyBlog 0.9.8 y anteriores permite a administradores remotos autenticados inyectar código PHP mediante el parámetro content, el cual puede ser ejecutado accediendo al index.php. NOTA: una vulnerabilidad separada podría hacer que este asunto fuese explotable por atacantes remotos no autenticados. • http://osvdb.org/35392 http://securityreason.com/securityalert/2581 http://www.securityfocus.com/archive/1/465873/100/0/threaded https://exchange.xforce.ibmcloud.com/vulnerabilities/33707 •