CVE-2009-4431 – Joomla! Component com_jcalpro 1.5.3.6 - Remote File Inclusion
https://notcve.org/view.php?id=CVE-2009-4431
PHP remote file inclusion vulnerability in cal_popup.php in the Anything Digital Development JCal Pro (aka com_jcalpro or JCP) component 1.5.3.6 for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter.
References: https://www.exploit-db.com/exploits/10587, http://packetstormsecurity.org/0912-exploits/joomlajcalpro-rfi.txt, http://www.securityfocus.com/bid/37438
CWE-94: Improper Control of Generation of Code ('Code Injection')
CVE-2009-4428 – Joomla! Component com_joomportfolio - 'secid' SQL Injection
https://notcve.org/view.php?id=CVE-2009-4428
SQL injection vulnerability in the JoomPortfolio (com_joomportfolio) component 1.0.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the secid parameter in a showcat action to index.php.
References: https://www.exploit-db.com/exploits/33418, http://osvdb.org/61138, http://packetstormsecurity.org/0912-exploits/joomlaportfolio-sql.txt, http://secunia.com/advisories/37838, http://www.securityfocus.com/bid/37403, https://exchange.xforce.ibmcloud.com/vulnerabilities/54912
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2009-4255
https://notcve.org/view.php?id=CVE-2009-4255
Cross-site scripting (XSS) vulnerability in the You!Hostit! template 1.0.1 for Joomla! allows remote attackers to inject arbitrary web script or HTML via the created_by_alias parameter in index.php.
References: http://secunia.com/advisories/37601, http://www.exploit-db.com/exploits/10301, https://exchange.xforce.ibmcloud.com/vulnerabilities/54570
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2009-4233
https://notcve.org/view.php?id=CVE-2009-4233
Cross-site scripting (XSS) vulnerability in modules/mod_yj_whois.php in the YJ Whois component 1.0x and 1.5.x for Joomla! allows remote attackers to inject arbitrary web script or HTML via the domain parameter to index.php. NOTE: some of these details are obtained from third party information.
References: http://extensions.joomla.org/extensions/external-contents/domain-search/5774, http://secunia.com/advisories/37525, http://www.youjoomla.com/joomla_support/yj-whois-module/4950-xss-security-patch-yj-whois.html
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2009-4232
https://notcve.org/view.php?id=CVE-2009-4232
The Kide Shoutbox (com_kide) component 0.4.6 for Joomla! does not properly perform authentication, which allows remote attackers to post messages with an arbitrary account name via an insertar action to index.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
References: http://secunia.com/advisories/37508
CWE-287: Improper Authentication