
CVSS: 9.8 • EPSS: 0% • CPEs: 3 • EXPL: 0

27 May 2024 — Deserialization of Untrusted Data vulnerability in PMB Services PMB allows Remote Code Inclusion. This issue affects PMB: from 7.5.1 before 7.5.6-2, from 7.4.1 before 7.4.9, from 7.3.1 before 7.3.18. • https://forge.sigb.net/projects/pmb/files • CWE-502: Deserialization of Untrusted Data

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

21 Feb 2024 — SQL Injection vulnerability in PMB Services PMB v.7.4.7 and before allows a remote unauthenticated attacker to execute arbitrary code via the query parameter in the /admin/convert/export_z3950.php endpoint. • https://nexacybersecurity.blogspot.com/2024/02/journey-finding-vulnerabilities-in-pmb-library-management-system.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 2

02 Jan 2015 — SQL injection vulnerability in classes/mono_display.class.php in PMB 4.1.3 and earlier allows remote authenticated users to execute arbitrary SQL commands via the id parameter to catalog.php. • https://www.exploit-db.com/exploits/35625 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 7.5 • EPSS: 30% • CPEs: 1 • EXPL: 2

12 Mar 2007 — Multiple PHP remote file inclusion vulnerabilities in PMB Services 3.0.13 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the (1) class_path parameter to (a) includes/resa_func.inc.php, (b) admin/notices/perso.inc.php, or (c) admin/quotas/main.inc.php; the (2) base_path parameter to (d) opac_css/rec_panier.php or (e) opac_css/includes/author_see.inc.php; or the (3) include_path parameter to (f) bull_info.inc.php or (g) misc.inc.php in includes/; (h) options_date_box.php, (i) opt... • https://www.exploit-db.com/exploits/3443 • CWE-94: Improper Control of Generation of Code ('Code Injection')