CVE-2018-18200
https://notcve.org/view.php?id=CVE-2018-18200
There is a SQL injection in Benutzerverwaltung in REDAXO before 5.6.4. Hay una inyección SQL en Benutzerverwaltung en REDAXO en versiones anteriores a la 5.6.4. • https://github.com/redaxo/redaxo/releases/tag/5.6.4 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2018-18199
https://notcve.org/view.php?id=CVE-2018-18199
Mediamanager in REDAXO before 5.6.4 has XSS. Mediamanager en REDAXO en versiones anteriores a la 5.6.4 tiene Cross-Site Scripting (XSS). • https://github.com/redaxo/redaxo/releases/tag/5.6.4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-18198
https://notcve.org/view.php?id=CVE-2018-18198
The $opener_input_field variable in addons/mediapool/pages/index.php in REDAXO 5.6.3 is not effectively filtered and is output directly to the page. The attacker can insert XSS payloads via an index.php?page=mediapool/media&opener_input_field=[XSS] request. La variable $opener_input_field en addons/mediapool/pages/index.php en REDAXO 5.6.3 no está filtrada de forma efectiva y se envía directamente a la página. El atacante puede insertar cargas útiles XSS mediante una petición index.php? • https://github.com/redaxo/redaxo/releases/tag/5.6.4 https://github.com/redaxo/redaxo4/issues/422 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-17831
https://notcve.org/view.php?id=CVE-2018-17831
In REDAXO before 5.6.3, a critical SQL injection vulnerability has been discovered in the rex_list class because of the prepareQuery function in core/lib/list.php, via the index.php?page=users/users sort parameter. Endangered was the backend and the frontend only if rex_list were used. En REDAXO en versiones anteriores a la 5.6.3, se ha descubierto una vulnerabilidad crítica de inyección SQL en la clase rex_list debido a la función prepareQuery en core/lib/list.php, mediante el parámetro sort en index.php?page=users/users. • https://github.com/redaxo/redaxo/issues/2043 https://github.com/redaxo/redaxo/releases/tag/5.6.3 https://redaxo.org/cms/news/sicherheitsluecke-und-neue-yform-version • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2018-17830
https://notcve.org/view.php?id=CVE-2018-17830
The $args variable in addons/mediapool/pages/index.php in REDAXO 5.6.2 is not effectively filtered, because names are not restricted (only values are restricted). The attacker can insert XSS payloads via an index.php?page=mediapool/media&opener_input_field=&args[ substring. La variable $args en addons/mediapool/pages/index.php en REDAXO 5.6.2 no está filtrada de forma efectiva, dado que los nombres no están restringidos (solo están restringidos los valores). El atacante puede insertar cargas útiles XSS mediante una subcadena index.php? • https://github.com/redaxo/redaxo4/issues/421 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •