CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2023-47397
https://notcve.org/view.php?id=CVE-2023-47397
08 Nov 2023 — WeBid <=1.2.2 is vulnerable to code injection via admin/categoriestrans.php. WeBid en versiones <= 1.2.2 es vulnerable a la inyección de código a través de admin/categoriestrans.php. • https://liotree.github.io/2023/webid.html • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.4EPSS: 0%CPEs: 1EXPL: 1CVE-2022-41477
https://notcve.org/view.php?id=CVE-2022-41477
14 Oct 2022 — A security issue was discovered in WeBid <=1.2.2. A Server-Side Request Forgery (SSRF) vulnerability in the admin/theme.php file allows remote attackers to inject payloads via theme parameters to read files across directories. Se ha detectado un problema de seguridad en WeBid versiones anteriores a 1.2.2 incluyéndola. Una vulnerabilidad de tipo Server-Side Request Forgery (SSRF) en el archivo admin/theme.php permite a atacantes remotos inyectar cargas útiles por medio de parámetros del tema para leer archiv... • https://github.com/zer0yu/CVE_Request/blob/master/Webid/WeBid_Path_Traversal.md • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2018-1000882
https://notcve.org/view.php?id=CVE-2018-1000882
20 Dec 2018 — WeBid version up to current version 1.2.2 contains a Directory Traversal vulnerability in getthumb.php that can result in Arbitrary Image File Read. This attack appear to be exploitable via HTTP GET Request. This vulnerability appears to have been fixed in after commit 256a5f9d3eafbc477dcf77c7682446cc4b449c7f. WeBid, hasta la actual versión 1.2.2, contiene una vulnerabilidad de salto de directorio en getthumb.php que puede resultar en la lectura de archivos de imagen arbitrarios. Este ataque parece ser expl... • http://bugs.webidsupport.com/view.php?id=646 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-1000867
https://notcve.org/view.php?id=CVE-2018-1000867
20 Dec 2018 — WeBid version up to current version 1.2.2 contains a SQL Injection vulnerability in All five yourauctions*.php scripts that can result in Database Read via Blind SQL Injection. This attack appear to be exploitable via HTTP Request. This vulnerability appears to have been fixed in after commit 256a5f9d3eafbc477dcf77c7682446cc4b449c7f. WeBid, hasta la actual versión 1.2.2, contiene una vulnerabilidad de inyección SQL en los 5 scripts yourauctions*.php que puede resultar en la lectura de la base de datos media... • http://bugs.webidsupport.com/view.php?id=647 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2018-1000868
https://notcve.org/view.php?id=CVE-2018-1000868
20 Dec 2018 — WeBid version up to current version 1.2.2 contains a Cross Site Scripting (XSS) vulnerability in user_login.php, register.php that can result in Javascript execution in the user's browser, injection of malicious markup into the page. This attack appear to be exploitable via The victim user must click a malicous link. This vulnerability appears to have been fixed in after commit 256a5f9d3eafbc477dcf77c7682446cc4b449c7f. WeBid, hasta la actual versión 1.2.2, contiene una vulnerabilidad Cross-Site Scripting (X... • http://bugs.webidsupport.com/view.php?id=648 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 2CVE-2014-5114
https://notcve.org/view.php?id=CVE-2014-5114
29 Jul 2014 — WeBid 1.1.1 allows remote attackers to conduct an LDAP injection attack via the (1) js or (2) cat parameter. WeBid 1.1.1 permite a atacantes remotos realizar un ataque de inyección LDAP a través del parámetro (1) js o (2) cat. • http://packetstormsecurity.com/files/127431/WeBid-1.1.1-Cross-Site-Scripting-LDAP-Injection.html •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2CVE-2014-5101 – WeBid - Multiple Cross-Site Scripting / LDAP Injection Vulnerabilities
https://notcve.org/view.php?id=CVE-2014-5101
25 Jul 2014 — Multiple cross-site scripting (XSS) vulnerabilities in WeBid 1.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) TPL_name, (2) TPL_nick, (3) TPL_email, (4) TPL_year, (5) TPL_address, (6) TPL_city, (7) TPL_prov, (8) TPL_zip, (9) TPL_phone, (10) TPL_pp_email, (11) TPL_authnet_id, (12) TPL_authnet_pass, (13) TPL_worldpay_id, (14) TPL_toocheckout_id, or (15) TPL_moneybookers_email in a first action to register.php or the (16) username parameter in a login action to user_login.php. Mú... • https://www.exploit-db.com/exploits/39249 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •