
CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 3

XAMPP through 5.6.8 allows XSS via the cds-fpdf.php interpret or titel parameter. NOTE: This product is discontinued. XAMPP version 5.6.8 suffers from cross site scripting and remote SQL injection vulnerabilities.

• https://www.exploit-db.com/exploits/46424
• http://packetstormsecurity.com/files/151756/XAMPP-5.6.8-Cross-Site-Scripting-SQL-Injection.html
• http://seclists.org/fulldisclosure/2019/Feb/43
• http://www.securityfocus.com/bid/107168
• https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/1.8.2
• https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/5.5.19
• https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/5.6.8

• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.5 | EPSS: 1% | CPEs: 109 | EXPL: 0

XAMPP installs multiple packages with insecure default passwords, which makes it easier for remote attackers to obtain access via (1) the "lampp" default password for the "nobody" account within the included ProFTPD installation, (2) a blank default password for the "root" account within the included MySQL installation, (3) a blank default password for the "pma" account within the phpMyAdmin installation, and possibly other unspecified passwords. NOTE: this was originally reported as a problem in DFLabs PTK, but this issue affects any product that is installed within the XAMPP environment, and should not be viewed as a vulnerability within that product. NOTE: DFLabs states that PTK is intended for use in a laboratory with "no contact from / to internet."

• http://ptk.dflabs.com/security.html
• http://www.apachefriends.org/en/faq-xampp-linux.html
• http://www.debianhelp.co.uk/xampp.htm
• http://www.ibm.com/developerworks/linux/library/l-xampp
• https://exchange.xforce.ibmcloud.com/vulnerabilities/49306

• CWE-255: Credentials Management Errors