CVE-2007-4861
https://notcve.org/view.php?id=CVE-2007-4861
SAXON 5.4, with display_errors enabled, allows remote attackers to obtain sensitive information via (1) a direct request for news.php, (2) an invalid use of a newsid array parameter to admin/edit-item.php, and possibly unspecified vectors related to additional scripts in (3) admin/, (4) rss/, and (5) the root directory of the installation, which reveal the path in various error messages.
• References: http://osvdb.org/45330 http://osvdb.org/45331 http://osvdb.org/45332 http://osvdb.org/45333 http://osvdb.org/45334 http://securityreason.com/securityalert/3311 http://www.netvigilance.com/advisory0053 http://www.quirm.net/punbb/viewtopic.php?id=129 http://www.securityfocus.com/archive/1/482930/100/0/threaded https://exchange.xforce.ibmcloud.com/vulnerabilities/38138
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2007-4863 – Saxon 5.4 - 'Example.php' SQL Injection
https://notcve.org/view.php?id=CVE-2007-4863
SQL injection vulnerability in example.php in SAXON 5.4 allows remote attackers to execute arbitrary SQL commands via the template parameter. SAXON version 5.4 is susceptible to a SQL injection vulnerability.
• References: https://www.exploit-db.com/exploits/30719 http://osvdb.org/38839 http://securityreason.com/securityalert/3309 http://www.netvigilance.com/advisory0055 http://www.quirm.net/punbb/viewtopic.php?id=129 http://www.securityfocus.com/archive/1/482921/100/0/threaded http://www.securityfocus.com/bid/26238 https://exchange.xforce.ibmcloud.com/vulnerabilities/38136
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2007-4862 – Saxon 5.4 - 'Menu.php' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2007-4862
Cross-site scripting (XSS) vulnerability in admin/menu.php in SAXON 5.4 allows remote attackers to inject arbitrary web script or HTML via the config[news_url] parameter. SAXON version 5.4 is susceptible to a cross-site scripting vulnerability.
• References: https://www.exploit-db.com/exploits/30718 http://secunia.com/advisories/27444 http://securityreason.com/securityalert/3310 http://www.netvigilance.com/advisory0054 http://www.quirm.net/punbb/viewtopic.php?id=129 http://www.securityfocus.com/archive/1/482920/100/0/threaded http://www.securityfocus.com/bid/26237 https://exchange.xforce.ibmcloud.com/vulnerabilities/38134
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')