CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2021-40238
https://notcve.org/view.php?id=CVE-2021-40238
A Cross Site Scriptiong (XSS) vulnerability exists in the admin panel in Webuzo < 2.9.0 via an HTTP request to a non-existent page, which is activated by administrators viewing the "Error Log" page. An attacker can leverage this to achieve Unauthenticated Remote Code Execution via the "Cron Jobs" functionality of Webuzo. Se presenta una vulnerabilidad de tipo Cross Site Scripting (XSS) en el panel de administración de Webuzo versiones anteriores a 2.9.0, por medio de una petición HTTP a una página no existente, que es activada por los administradores que visualizan la página "Error Log". Un atacante puede aprovechar esto para lograr una ejecución de código remota sin autenticación por medio de la funcionalidad "Cron Jobs" de Webuzo • https://gist.github.com/omriinbar/5a24ccc2127ac61b6d9872c9405ebc8e https://www.webuzo.com/blog/webuzo-2-9-0-launched • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.0EPSS: 0%CPEs: 4EXPL: 1CVE-2013-6043 – Webuzo 2.1.3 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2013-6043
The login function in Softaculous Webuzo before 2.1.4 provides different error messages for invalid authentication attempts depending on whether the user account exists, which allows remote attackers to enumerate usernames via a series of requests. La función de login en Softaculous Webuzo anterior a 2.1.4 proporciona mensajes diferentes de error para intentos de autenticación inválidas dependiendo de si la cuenta de usuario existe, lo que permite a atacantes remotos enumerar los nombres de usuario a través de peticiones en serie. • https://www.exploit-db.com/exploits/31982 http://www.softaculous.com/board/index.php?tid=4526&title=Webuzo_2.1.4_Launched https://web.archive.org/web/20140126212101/http://www.baesystemsdetica.com.au/Research/Advisories/Webuzo-Multiple-Vulnerabilities-%28DS-2013-007%29 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 1CVE-2013-6041 – Webuzo 2.1.3 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2013-6041
index.php in Softaculous Webuzo before 2.1.4 allows remote attackers to execute arbitrary commands via shell metacharacters in a SOFTCookies sid cookie within a login action. index.php en Softaculous Webuzo anterior a 2.1.4 permite a atacantes remotos ejecutar comandos arbitrarios a través de metacaracteres de shell en una cookie SOFTCookies dentro de la acción login. • https://www.exploit-db.com/exploits/31982 http://www.softaculous.com/board/index.php?tid=4526&title=Webuzo_2.1.4_Launched https://web.archive.org/web/20140126212101/http://www.baesystemsdetica.com.au/Research/Advisories/Webuzo-Multiple-Vulnerabilities-%28DS-2013-007%29 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 4.3EPSS: 0%CPEs: 21EXPL: 1CVE-2013-6042 – Webuzo 2.1.3 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2013-6042
Cross-site scripting (XSS) vulnerability in filemanager/login.php in the File Manager module in Softaculous Webuzo before 2.1.4 allows remote attackers to inject arbitrary web script or HTML via the user parameter. Vulnerabilidad de XSS en filemanager/login.php del módulo File Manager en Softaculous Webuzo anterior a la versión 2.1.4 permite a atacantes remotos inyectar script web o HTML arbitrario a través del parámetro user. • https://www.exploit-db.com/exploits/31982 http://osvdb.org/99203 http://www.baesystemsdetica.com.au/Research/Advisories/Webuzo-Multiple-Vulnerabilities-%28DS-2013-007%29 http://www.securityfocus.com/bid/63464 http://www.softaculous.com/board/index.php?tid=4526&title=Webuzo_2.1.4_Launched • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •