6 results (0.001 seconds)

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0

An information disclosure vulnerability in the component users-grid-data.php of Ocomon before v4.0.1 allows attackers to obtain sensitive information such as e-mails and usernames. Una vulnerabilidad de divulgación de información en el componente users-grid-data.php de Ocomon anterior a v4.0.1 permite a los atacantes obtener información confidencial como correos electrónicos y nombres de usuarios. • https://github.com/ninj4c0d3r/OcoMon-Research https://github.com/ninj4c0d3r/OcoMon-Research/commit/6357def478b11119270b89329fceb115f12c69fc • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0

A local file inclusion vulnerability via the lang parameter in OcoMon before v4.0.1 allows attackers to execute arbitrary code by supplying a crafted PHP file. Una vulnerabilidad de inclusión de archivo local a través del parámetro lang en OcoMon anterior a v4.0.1 permite a los atacantes ejecutar código arbitrario proporcionando un archivo PHP manipulado. • https://github.com/ninj4c0d3r/OcoMon-Research https://github.com/ninj4c0d3r/OcoMon-Research/commit/7459ff397f48b5356930c16c522331e39158461dv • CWE-829: Inclusion of Functionality from Untrusted Control Sphere •

CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 1

OcoMon 4.0RC1 is vulnerable to Incorrect Access Control. Through a request the user can obtain the real email, sending the same request with correct email its possible to account takeover. OcoMon versión 4.0RC1, es vulnerable a un Control de Acceso Incorrecto. Mediante una petición el usuario puede obtener el correo electrónico real, enviando la misma petición con el correo electrónico correcto es una toma de control de cuenta • https://gist.github.com/ninj4c0d3r/89bdd6702bf00d768302f5e0e5bb8adc https://ocomonphp.sourceforge.io •

CVSS: 4.3EPSS: 0%CPEs: 6EXPL: 0

Cross-site scripting (XSS) vulnerability in OcoMon 1.20, and possibly earlier versions, allows remote attackers to inject arbitrary web script or HTML via unknown attack vectors. • http://secunia.com/advisories/17470 http://sourceforge.net/project/showfiles.php?group_id=45554 http://sourceforge.net/project/shownotes.php?release_id=369163 •

CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 1

SQL injection vulnerability in OcoMon 1.21, and possibly other versions, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the logon page, a different vulnerability than CVE-2005-4662. • https://www.exploit-db.com/exploits/40285 http://secunia.com/advisories/17470 http://sourceforge.net/project/showfiles.php?group_id=45554 http://www.osvdb.org/20751 https://exchange.xforce.ibmcloud.com/vulnerabilities/23085 •