CVSS: 4.3EPSS: 1%CPEs: 32EXPL: 4CVE-2009-2733 – Achievo 1.x - Multiple Cross-Site Scripting / HTML Injection Vulnerabilities
https://notcve.org/view.php?id=CVE-2009-2733
Multiple cross-site scripting (XSS) vulnerabilities in Achievo before 1.4.0 allow remote attackers to inject arbitrary web script or HTML via (1) the scheduler title in the scheduler module, and the (2) atksearch[contractnumber], (3) atksearch_AE_customer[customer], (4) atksearchmode[contracttype], and possibly (5) atksearch[contractname] parameters to the Organization Contracts administration page, reachable through dispatch.php. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en Achievo anterior a v1.4.0 permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de (1) el título programador en el módulo planificador, y los parámetros (2) atksearch[contractnumber], (3) atksearch_AE_customer[customer], (4) atksearchmode[contracttype], y posiblemente (5) atksearch[contractname] en la pagina de administración Organization Contracts, accesible a través de dispatch.php. Achievo versions 1.3.4 and below suffer from cross site scripting vulnerabilities. • https://www.exploit-db.com/exploits/33281 https://www.exploit-db.com/exploits/9863 http://secunia.com/advisories/37035 http://securitytracker.com/id?1023017 http://www.achievo.org/download/releasenotes/1_4_0 http://www.bonsai-sec.com/blog/index.php/cross-site-scripting-payloads http://www.bonsai-sec.com/research/vulnerabilities/achievo-multiple-xss-0101.txt http://www.securityfocus.com/archive/1/507133/100/0/threaded http://www.securityfocus.com/bid/36661 https://exchange. • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 2CVE-2008-6035
https://notcve.org/view.php?id=CVE-2008-6035
Cross-site scripting (XSS) vulnerability in dispatch.php in Achievo 1.3.2-STABLE allows remote attackers to inject arbitrary web script or HTML via the atknodetype parameter. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en dispatch.php en Achievo v1.3.2-STABLE, permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elección a través del parámetro "arknodetype". • http://packetstormsecurity.org/0809-exploits/achievo-xss.txt http://www.securityfocus.com/bid/31326 https://exchange.xforce.ibmcloud.com/vulnerabilities/45344 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 1CVE-2008-6034 – Achievo 1.3.2 - 'atknodetype' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2008-6034
Cross-site scripting (XSS) vulnerability in dispatch.php in Achievo 1.3.2 allows remote attackers to inject arbitrary web script or HTML via the atkaction parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados en dispatch.php en Achievo v1.3.2, permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elección a través del parámetro "atkaction". NOTA: el origen de esta información es desconocido; los detalles han sido obtenidos a partir de información de terceros. • https://www.exploit-db.com/exploits/32409 http://secunia.com/advisories/31973 http://www.securityfocus.com/bid/31325 https://exchange.xforce.ibmcloud.com/vulnerabilities/45331 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 7%CPEs: 5EXPL: 1CVE-2008-2742 – Achievo 1.3.2 - 'FCKeditor' Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2008-2742
Unrestricted file upload in the mcpuk file editor (atk/attributes/fck/editor/filemanager/browser/mcpuk/connectors/php/config.php) in Achievo 1.2.0 through 1.3.2 allows remote attackers to execute arbitrary code by uploading a file with .php followed by a safe extension, then accessing it via a direct request to the file in the Achievo root directory. NOTE: this is only a vulnerability in environments that support multiple extensions, such as Apache with the mod_mime module enabled. Vulnerabilidad de subida de fichero no restringido en el editor de ficheros mcpuk (atk/attributes/fck/editor/filemanager/browser/mcpuk/connectors/php/config.php) en Achievo 1.2.0 hasta 1.3.2, permite a atacantes remotos ejecutar código de su elección al subir un fichero con .php seguido de una extensión segura y luego accediendo a él mediante una solicitud directa al fichero del directorio raíz de Achievo. NOTA: Se trata sólo es una vulnerabilidad en entornos que soportan múltiples extensiones como Apache con el módulo mod_mime habilitado. • https://www.exploit-db.com/exploits/5770 http://secunia.com/advisories/30597 http://www.achievo.org/blog/archives/631-Achievo-1.3.3-Security-Release.html http://www.securityfocus.com/bid/29621 https://exchange.xforce.ibmcloud.com/vulnerabilities/42980 • CWE-20: Improper Input Validation •
CVSS: 10.0EPSS: 5%CPEs: 18EXPL: 1CVE-2007-2736 – Achievo 1.1.0 - 'config_atkroot' Remote File Inclusion
https://notcve.org/view.php?id=CVE-2007-2736
PHP remote file inclusion vulnerability in index.php in Achievo 1.1.0 allows remote attackers to execute arbitrary PHP code via a URL in the config_atkroot parameter. Vulnerabilidad de inclusión remota de archivo en PHP en index.php de Achievo 1.1.0 permite a atacantes remotos ejecutar código PHP de su elección mediante una URL en el parámetro config_atkroot. • https://www.exploit-db.com/exploits/3928 http://osvdb.org/37919 http://www.securityfocus.com/bid/23992 https://exchange.xforce.ibmcloud.com/vulnerabilities/34305 •