CVSS: 6.8EPSS: 2%CPEs: 8EXPL: 6CVE-2006-5830 – AIOCP 1.3.x - 'cp_dpage.php' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2006-5830
Multiple cross-site scripting (XSS) vulnerabilities in All In One Control Panel (AIOCP) 1.3.007 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) topid, (2) forid, and (3) catid parameters to code/cp_forum_view.php; (4) choosed_language parameter to cp_dpage.php; (5) orderdir parameter to cp_links_search.php; (6) order_field parameter to (a) cp_show_ec_products.php and (b) cp_users_online.php; and the (7) signature and (8) fiscal code fields in the user profile. Múltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en All In One Control Panel (AIOCP) 1.3.007 y versiones anteriores permite a atacantes remotos inyectar scripts web o HTML de su elección a través de los parámetros (1) topid, (2) forid, y (3) catid en code/cp_forum_view.php; (4) choosed_language en cp_dpage.php; (5) orderdir en cp_links_search.php; (6) order_field en (a) cp_show_ec_products.php y (b) cp_users_online.php; y los campos de código (7) signature y (8) fiscal en el perfil de usuario. • https://www.exploit-db.com/exploits/28918 https://www.exploit-db.com/exploits/28917 https://www.exploit-db.com/exploits/28921 https://www.exploit-db.com/exploits/28919 https://www.exploit-db.com/exploits/28920 http://secunia.com/advisories/22719 http://securityreason.com/securityalert/1839 http://sourceforge.net/project/shownotes.php?release_id=478370 http://www.securityfocus.com/archive/1/450701/100/0/threaded http://www.securityfocus.com/bid/20931 http://www.vupen.com •
CVSS: 5.0EPSS: 2%CPEs: 8EXPL: 4CVE-2006-5832 – AIOCP 1.3.x - 'cp_show_ec_products.php' Full Path Disclosure
https://notcve.org/view.php?id=CVE-2006-5832
All In One Control Panel (AIOCP) 1.3.007 and earlier allows remote attackers to obtain the full path of the web server via certain requests to (1) public/code/cp_dpage.php, possibly involving the aiocp_dp[] parameter, (2) public/code/cp_show_ec_products.php, possibly involving the order_field[] parameter, and (3) public/code/cp_show_page_help.php, possibly involving the hp[] parameter, which reveal the path in various error messages. All In One Control Panel (AIOCP) 1.3.007 y versiones anteriores permite a atacantes remotos obtener la ruta completa al servidor secuencias de comandos web o HTML de su elección mediante peticiones concretas a (1) public/code/cp_dpage.php, posiblemente involucrando al parámetro aiocp_dp[], (2) public/code/cp_show_ec_products.php, posiblemente involucrando al parámetro order_field[], y (3) public/code/cp_show_page_help.php, posiblemente involucrando al parámetro hp[], que revela la ruta en varios mensajes de error. • https://www.exploit-db.com/exploits/28936 https://www.exploit-db.com/exploits/28937 https://www.exploit-db.com/exploits/28935 http://securityreason.com/securityalert/1839 http://sourceforge.net/project/shownotes.php?release_id=478370 http://www.securityfocus.com/archive/1/450701/100/0/threaded http://www.securityfocus.com/bid/20931 https://exchange.xforce.ibmcloud.com/vulnerabilities/30052 •
CVSS: 7.5EPSS: 8%CPEs: 8EXPL: 2CVE-2006-5831 – AIOCP 1.3.x - 'load_page' Remote File Inclusion
https://notcve.org/view.php?id=CVE-2006-5831
PHP remote file inclusion vulnerability in admin/code/index.php in All In One Control Panel (AIOCP) 1.3.007 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the load_page parameter. Vulnerabilidad de inclusión remota de archivo en PHP en admin/code/index.php de All In One Control Panel (AIOCP) 1.3.007 y versiones anteriores permite a atacantes remotos ejecutar código PHP de su elección mediante una URL en el parámetro load_page. • https://www.exploit-db.com/exploits/28922 http://securityreason.com/securityalert/1839 http://sourceforge.net/project/shownotes.php?release_id=478370 http://www.securityfocus.com/archive/1/450701/100/0/threaded http://www.securityfocus.com/bid/20931 https://exchange.xforce.ibmcloud.com/vulnerabilities/30050 •