
CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

CVE-2005-3056: TWiki allows arbitrary shell command execution via the Include function. • https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=330733 https://security-tracker.debian.org/tracker/CVE-2005-3056 https://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithInclude • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

CVE-2018-20212: bin/statistics in TWiki 6.0.2 allows cross-site scripting (XSS) via the webs parameter. • http://packetstormsecurity.com/files/151028/TWiki-6.0.2-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2019/Jan/7 http://twiki.org/cgi-bin/view/Codev/DownloadTWiki • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 4.3 | EPSS: 0% | CPEs: 2 | EXPL: 3

CVE-2014-9367: Incomplete blacklist vulnerability in the urlEncode function in lib/TWiki.pm in TWiki 6.0.0 and 6.0.1 allows remote attackers to conduct cross-site scripting (XSS) attacks via a "'" (single quote) in the scope parameter to do/view/TWiki/WebSearch. The encoder escapes a fixed list of characters and the single quote is not on it, so a value placed in a single-quoted attribute context can terminate the attribute. • http://packetstormsecurity.com/files/129655/TWiki-6.0.0-6.0.1-WebSearch-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2014/Dec/82 http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-9367 http://www.securitytracker.com/id/1031400 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
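To make the incomplete-blacklist failure class behind CVE-2014-9367 concrete, here is an added Python example; it is not TWiki's code, the advisory's proof of concept, or TWiki's fix. It pairs a hypothetical denylist encoder that escapes a fixed set of characters but not the single quote with an allowlist encoder built on `urllib.parse.quote`, and checks whether a `scope` value placed inside a single-quoted `href` attribute still stays inside that attribute. The `DENYLIST` table, the anchor template and the probe value are all assumptions for illustration.

```python
import re
import urllib.parse

# Hypothetical denylist (assumed for illustration, not TWiki's real table).
# The single quote is missing, which is exactly the CVE-2014-9367 failure class.
DENYLIST = {"<": "%3C", ">": "%3E", '"': "%22", "&": "%26"}


def blacklist_url_encode(value: str) -> str:
    """Escapes only the characters listed in DENYLIST; everything else passes through."""
    return "".join(DENYLIST.get(ch, ch) for ch in value)


def allowlist_url_encode(value: str) -> str:
    """Percent-encodes everything except RFC 3986 unreserved characters (A-Z a-z 0-9 - _ . ~)."""
    return urllib.parse.quote(value, safe="")


def render_search_link(scope: str, encoder) -> str:
    """Constructed template: a self-referencing WebSearch link whose scope value sits
    inside a single-quoted href attribute, the context where a bare quote matters."""
    return f"<a href='WebSearch?scope={encoder(scope)}'>search</a>"


def attribute_breakout(scope: str, encoder) -> bool:
    """True when the encoded scope value terminates the single-quoted href attribute early,
    i.e. the rendered markup is no longer exactly one anchor with one attribute."""
    markup = render_search_link(scope, encoder)
    return re.fullmatch(r"<a href='[^']*'>search</a>", markup) is None


if __name__ == "__main__":
    probe = "' onmouseover='x"  # constructed probe: a quote followed by an extra attribute
    for name, enc in (("denylist", blacklist_url_encode), ("allowlist", allowlist_url_encode)):
        print(f"{name:9s} breakout={attribute_breakout(probe, enc)} -> {render_search_link(probe, enc)}")
```

The point of the check is the delimiter, not the payload: with the denylist encoder the probe's quote closes `href` and the rest of the value lands in attribute position, while the allowlist encoder turns the quote into `%27` and the anchor stays intact. Allowlisting is the durable fix for this CWE because it cannot "forget" a character the way a denylist can.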

CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 3

CVE-2014-9325: Multiple cross-site scripting (XSS) vulnerabilities in TWiki 6.0.1 allow remote attackers to inject arbitrary web script or HTML via the (1) QUERYSTRING variable in lib/TWiki.pm or (2) QUERYPARAMSTRING variable in lib/TWiki/UI/View.pm, as demonstrated by the QUERY_STRING to do/view/Main/TWikiPreferences. Because the raw query string is reflected, the vector does not depend on any particular parameter name. • http://packetstormsecurity.com/files/129654/TWiki-6.0.1-QUERYSTRING-QUERYPARAMSTRING-XSS.html http://seclists.org/fulldisclosure/2014/Dec/81 http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-9325 http://www.securitytracker.com/id/1031399 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.1 | EPSS: 92% | CPEs: 7 | EXPL: 3

CVE-2014-7236: Eval injection vulnerability in lib/TWiki/Plugins.pm in TWiki before 6.0.1 allows remote attackers to execute arbitrary Perl code via the debugenableplugins parameter to do/view/Main/WebHome. TWiki versions 4.0.x through 6.0.0 contain a vulnerability in the Debug functionality: the value of the debugenableplugins parameter is used without proper sanitization in a Perl eval statement, which allows remote code execution. A public exploit is available (see the Exploit-DB link), and the 92% EPSS score makes this by far the entry on this page most likely to be exploited in the wild; the other entries sit at 0%. • https://www.exploit-db.com/exploits/36438 http://packetstormsecurity.com/files/128623/Twiki-Perl-Code-Execution.html http://seclists.org/fulldisclosure/2014/Oct/44 http://www.securityfocus.com/bid/70372 http://www.securitytracker.com/id/1030981 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
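Every entry on this page names a concrete request shape (a parameter name, a path, or a character class in the query), which is enough to write web-log detections for all of them at once. The following Python script is an added example, not code from TWiki or from any of the linked advisories: it parses Apache combined-format access-log lines and fires a rule for each of the four request patterns documented above (the debugenableplugins eval injection, the single quote in scope to WebSearch for CVE-2014-9367, markup characters in webs to bin/statistics, and the reflected QUERY_STRING on do/view for CVE-2014-9325). The log lines are constructed, the rule names are hypothetical, and the parameter values are placeholders rather than working payloads.

```python
import re
import urllib.parse

# Constructed sample lines in Apache "combined" log format using RFC 5737 test
# addresses. They are not real traffic; the parameter values are placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2014:12:00:01 +0000] "GET /do/view/Main/WebHome?debugenableplugins=SomePlugin HTTP/1.1" 200 5123 "-" "curl/7.35.0"
203.0.113.5 - - [10/Oct/2014:12:00:02 +0000] "GET /do/view/TWiki/WebSearch?scope=text%27%20onmouseover%3D%27x HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2014:12:00:03 +0000] "GET /do/view/TWiki/WebSearch?scope=text&search=deploy HTTP/1.1" 200 9932 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2014:12:00:04 +0000] "GET /bin/statistics?webs=Main%3Cimg%20src%3Dx%3E HTTP/1.1" 200 402 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2014:12:00:05 +0000] "GET /do/view/Main/TWikiPreferences?%3Cb%3Ex%3C/b%3E HTTP/1.1" 200 7711 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2014:12:00:06 +0000] "GET /do/view/Main/WebHome HTTP/1.1" 200 7711 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
MARKUP_CHARS = re.compile("[<>\"']")


def parse_line(line: str):
    """Splits one access-log line into ip, timestamp, path, decoded raw query and parsed
    parameters. Returns None for lines that do not match the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "path": path,
        "query": urllib.parse.unquote(query),
        "params": urllib.parse.parse_qs(query, keep_blank_values=True),
    }


def check_request(req) -> list:
    """Returns the hypothetical rule names (assumed here, not from any vendor) that fire."""
    hits = []
    params, path, raw = req["params"], req["path"], req["query"]
    # Eval injection entry: on TWiki < 6.0.1 the value reaches a Perl eval, so the
    # mere presence of debugenableplugins on any request is worth an alert.
    if "debugenableplugins" in params:
        hits.append("debugenableplugins-eval-injection")
    # CVE-2014-9367: a single quote in scope to WebSearch is the documented vector.
    if path.endswith("/WebSearch") and any("'" in v for v in params.get("scope", [])):
        hits.append("websearch-scope-quote-xss")
    # bin/statistics entry: markup characters in the webs parameter.
    if path.endswith("/statistics") and any(MARKUP_CHARS.search(v) for v in params.get("webs", [])):
        hits.append("statistics-webs-xss")
    # CVE-2014-9325: the whole QUERY_STRING is reflected, so angle brackets anywhere in
    # the decoded query of a do/view request count, even without a parameter name.
    if path.startswith("/do/view/") and re.search(r"[<>]", raw):
        hits.append("reflected-querystring-xss")
    return hits


def scan_log(text: str) -> list:
    """Runs every rule over every parsable line and returns the findings in log order."""
    findings = []
    for line in text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        for rule in check_request(req):
            findings.append({"ip": req["ip"], "ts": req["ts"], "path": req["path"], "rule": rule})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['path']} -> {f['rule']}")
```

Two design choices matter for real traffic: the query is percent-decoded before matching, because attackers encode the characters the rules look for, and the debugenableplugins rule ignores the value entirely, since on a vulnerable version any value is evaluated and a benign-looking one still indicates someone probing the Debug functionality. The reflected-query rule is the noisiest of the four and is best paired with a response-size or status filter in practice.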