CVE-2020-35598 – Advanced Comment System 1.0 - 'ACS_path' Path Traversal
https://notcve.org/view.php?id=CVE-2020-35598
ACS Advanced Comment System 1.0 is affected by Directory Traversal via an advanced_component_system/index.php?ACS_path=..%2f URI. NOTE: this might be the same as CVE-2009-4623 ACS Advanced Comment System versión 1.0, está afectado por Salto de Directorio por medio de un URI ..%2f de advanced_component_system/index.php?ACS_path=. NOTA: esto podría ser lo mismo que CVE-2009-4623 • https://www.exploit-db.com/exploits/49343 https://seclists.org/fulldisclosure/2020/Dec/13 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2018-18845 – Advanced Comment System 1.0 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2018-18845
internal/advanced_comment_system/index.php and internal/advanced_comment_system/admin.php in Advanced Comment System, version 1.0, contain a reflected cross-site scripting vulnerability via ACS_path. A remote unauthenticated attacker could potentially exploit this vulnerability to supply malicious HTML or JavaScript code to a vulnerable web application, which is then reflected back to the victim and executed by the web browser. The product is discontinued. internal/advanced_comment_system/index.php y internal/advanced_comment_system/admin.php en Advanced Comment System, versión 1.0, contienen una vulnerabilidad de Cross-Site Scripting (XSS) reflejado mediante ACS_path. Un atacante remoto no autenticado podría explotar esta vulnerabilidad para proporcionar código HTML o JavaScript malicioso a una aplicación web vulnerable, que se devuelve a la víctima y es ejecutado por el navegador web. este producto se ha descontinuado. Advanced Comment System version 1.0 suffers from a cross site scripting vulnerability. • http://packetstormsecurity.com/files/151799/Advanced-Comment-System-1.0-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2019/Feb/46 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-18619 – Advanced Comment System 1.0 - SQL Injection
https://notcve.org/view.php?id=CVE-2018-18619
internal/advanced_comment_system/admin.php in Advanced Comment System 1.0 is prone to an SQL injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query, allowing remote attackers to execute the sqli attack via a URL in the "page" parameter. NOTE: The product is discontinued. internal/advanced_comment_system/admin.php en Advanced Comment System 1.0 es propenso a una vulnerabilidad de inyección SQL porque no sanea correctamente los datos proporcionados por los usuarios antes de usarlos en una consulta SQL, permitiendo que los atacantes remotos ejecuten el ataque sqli mediante una URL en el parámetro "page". NOTA: Este producto está descontinuado. Advanced Comment System version 1.0 suffers from a remote SQL injection vulnerability. • https://www.exploit-db.com/exploits/45853 http://packetstormsecurity.com/files/150261/Advanced-Comment-System-1.0-SQL-Injection.html http://seclists.org/fulldisclosure/2018/Nov/30 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2009-4623 – Advanced Comment System 1.0 - Multiple Remote File Inclusions
https://notcve.org/view.php?id=CVE-2009-4623
Multiple PHP remote file inclusion vulnerabilities in Advanced Comment System 1.0 allow remote attackers to execute arbitrary PHP code via a URL in the ACS_path parameter to (1) index.php and (2) admin.php in advanced_comment_system/. NOTE: this might only be a vulnerability when the administrator has not followed installation instructions in install.php. NOTE: this might be the same as CVE-2020-35598. Multiples vulnerabilidades de inclusión de fichero remoto PHP en Advanced Comment System versión 1.0. Permiten a atacantes remotos ejecutar código PHP de su elección a través de una URL en el parámetro ACS_path de (1) index.php y (2) admin.php de advanced_comment_system/. • https://www.exploit-db.com/exploits/9623 https://github.com/MonsempesSamuel/CVE-2009-4623 https://github.com/kernel-cyber/CVE-2009-4623 https://github.com/hupe1980/CVE-2009-4623 http://secunia.com/advisories/36643 http://www.exploit-db.com/exploits/9623 • CWE-94: Improper Control of Generation of Code ('Code Injection') •