
CVSS: 7.5 | EPSS: 1% | CPEs: 1 | EXPL: 3

Multiple PHP remote file inclusion vulnerabilities in AR Web Content Manager (AWCM) 2.1 final allow remote attackers to execute arbitrary PHP code via a URL in the theme_file parameter to (1) includes/window_top.php and (2) header.php, and the (3) lang_file parameter to control/common.php.

References:
• https://www.exploit-db.com/exploits/15510
• http://www.exploit-db.com/exploits/15510
• http://www.securityfocus.com/bid/44868
• https://exchange.xforce.ibmcloud.com/vulnerabilities/63236

CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 4.3 | EPSS: 0% | CPEs: 2 | EXPL: 3

Cross-site scripting (XSS) vulnerability in search.php in AR Web Content Manager (AWCM) 2.1, 2.2, and possibly other versions allows remote attackers to inject arbitrary web script or HTML via the search parameter.

References:
• https://www.exploit-db.com/exploits/35555
• http://secpod.org/advisories/SECPOD_AWCM_XSS.txt
• http://securityreason.com/securityalert/8193
• http://www.securityfocus.com/archive/1/517294/100/0/threaded
• http://www.securityfocus.com/bid/47126
• https://exchange.xforce.ibmcloud.com/vulnerabilities/66536

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.0 | EPSS: 0% | CPEs: 1 | EXPL: 3

AR Web Content Manager (AWCM) 2.1 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for control/db_backup.php.

References:
• https://www.exploit-db.com/exploits/11025
• http://packetstormsecurity.org/1001-exploits/awcm-backup.txt
• http://secunia.com/advisories/38065
• http://www.exploit-db.com/exploits/11025
• https://exchange.xforce.ibmcloud.com/vulnerabilities/55445

CWE-264: Permissions, Privileges, and Access Controls

CVSS: 6.8 | EPSS: 0% | CPEs: 1 | EXPL: 2

SQL injection vulnerability in control/login.php in AR Web Content Manager (AWCM) 2.1, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the username parameter.

References:
• https://www.exploit-db.com/exploits/9237
• http://osvdb.org/56338
• http://secunia.com/advisories/35955
• http://www.exploit-db.com/exploits/9237
• https://exchange.xforce.ibmcloud.com/vulnerabilities/51980

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 6.8 | EPSS: 0% | CPEs: 1 | EXPL: 3

Directory traversal vulnerability in a.php in AR Web Content Manager (AWCM) 2.1, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the a parameter.

References:
• https://www.exploit-db.com/exploits/9237
• http://osvdb.org/56336
• http://secunia.com/advisories/35955
• http://www.exploit-db.com/exploits/9237
• https://exchange.xforce.ibmcloud.com/vulnerabilities/51979

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')