CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2017-5553
https://notcve.org/view.php?id=CVE-2017-5553
23 Jan 2017 — Cross-site scripting (XSS) vulnerability in plugins/markdown_plugin/_markdown.plugin.php in b2evolution before 6.8.5 allows remote authenticated users to inject arbitrary web script or HTML via a javascript: URL. Vulnerabilidad de XSS en plugins/markdown_plugin/_markdown.plugin.php en b2evolution en versiones anteriores a 6.8.5 permite a usuarios remotos autenticados inyectar secuencias de comandos web o HTML arbitrarios a través de una URL javascript:. • http://b2evolution.net/downloads/6-8-5 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2017-5539
https://notcve.org/view.php?id=CVE-2017-5539
23 Jan 2017 — The patch for directory traversal (CVE-2017-5480) in b2evolution version 6.8.4-stable has a bypass vulnerability. An attacker can use ..\/ to bypass the filter rule. Then, this attacker can exploit this vulnerability to delete or read any files on the server. It can also be used to determine whether a file exists. El parche para el salto de directorio (CVE-2017-5480) en b2evolution versión 6.8.4-stable tiene una vulnerabilidad eludible. • http://b2evolution.net/downloads/6-8-5 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2016-7149
https://notcve.org/view.php?id=CVE-2016-7149
18 Jan 2017 — Cross-site scripting (XSS) vulnerability in b2evolution 6.7.5 and earlier allows remote attackers to inject arbitrary web script or HTML via vectors related to the autolink function. Vulnerabilidad de XSS en b2evolution 6.7.5 y versiones anteriores permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de vectores relacionados con la función autolink. • http://www.openwall.com/lists/oss-security/2016/09/12/1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2016-7150
https://notcve.org/view.php?id=CVE-2016-7150
18 Jan 2017 — Cross-site scripting (XSS) vulnerability in b2evolution 6.7.5 and earlier allows remote authenticated users to inject arbitrary web script or HTML via the site name. Vulnerabilidad de XSS en b2evolution 6.7.5 y versiones anteriores permite a usuarios remotos autenticados inyectar secuencias de comandos web o HTML arbitrarios a través del nombre del sitio. • http://www.openwall.com/lists/oss-security/2016/09/12/1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2017-5480
https://notcve.org/view.php?id=CVE-2017-5480
15 Jan 2017 — Directory traversal vulnerability in inc/files/files.ctrl.php in b2evolution through 6.8.3 allows remote authenticated users to read or delete arbitrary files by leveraging back-office access to provide a .. (dot dot) in the fm_selected array parameter. Vulnerabilidad de salto de directorio en inc/files/files.ctrl.php en b2evolution hasta la versión 6.8.3 permite a usuarios remotos autenticados leer o eliminar archivos arbitrarios aprovechando el acceso back-office para proporcionar un .. (punto punto) en e... • http://www.securityfocus.com/bid/95454 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2017-5494
https://notcve.org/view.php?id=CVE-2017-5494
15 Jan 2017 — Multiple cross-site scripting (XSS) vulnerabilities in the file types table in b2evolution through 6.8.3 allow remote authenticated users to inject arbitrary web script or HTML via a .swf file in a (1) comment frame or (2) avatar frame. Múltiples vulnerabilidades de XSS en la tabla de tipos de archivo en b2evolution hasta la versión 6.8.3 permiten a usuarios remotos autenticados inyectar secuencias de comandos web o HTML arbitrarios a través de un archivo .swf manipulado en un (1) marco del comentario o (2)... • http://www.securityfocus.com/bid/95452 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2016-9479
https://notcve.org/view.php?id=CVE-2016-9479
02 Dec 2016 — The "lost password" functionality in b2evolution before 6.7.9 allows remote attackers to reset arbitrary user passwords via a crafted request. La funcionalidad "contraseña perdida" en b2evolution en versiones anteriores a 6.7.9 permite a atacantes remotos restablecer contraseñas de usuario arbitrarias a través de una solicitud manipulada. • http://b2evolution.net/downloads/6-7-9-stable • CWE-255: Credentials Management Errors •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 4CVE-2014-9599
https://notcve.org/view.php?id=CVE-2014-9599
16 Jan 2015 — Cross-site scripting (XSS) vulnerability in the filemanager in b2evolution before 5.2.1 allows remote attackers to inject arbitrary web script or HTML via the fm_filter parameter to blogs/admin.php. Vulnerabilidad de XSS en el gestor de ficheros en b2evolution anterior a 5.2.1 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro fm_filter en blogs/admin.php. • http://b2evolution.net/downloads/5-2-1-stable • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 7EXPL: 3CVE-2013-7352
https://notcve.org/view.php?id=CVE-2013-7352
02 Apr 2014 — Cross-site request forgery (CSRF) vulnerability in blogs/admin.php in b2evolution before 4.1.7 allows remote attackers to hijack the authentication of administrators for requests that conduct SQL injection attacks via the show_statuses[] parameter, related to CVE-2013-2945. Vulnerabilidad de CSRF en blogs/admin.php en b2evolution anterior a 4.1.7 permite a atacantes remotos secuestrar la autenticación de administradores para solicitudes que realizan ataques de inyección SQL a través del parámetro show_statu... • http://archives.neohapsis.com/archives/bugtraq/2013-05/0004.html • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.8EPSS: 0%CPEs: 7EXPL: 5CVE-2013-2945 – b2evolution 4.1.6 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2013-2945
01 May 2013 — SQL injection vulnerability in blogs/admin.php in b2evolution before 4.1.7 allows remote authenticated administrators to execute arbitrary SQL commands via the show_statuses[] parameter. NOTE: this can be leveraged using CSRF to allow remote unauthenticated attackers to execute arbitrary SQL commands. Vulnerabilidad de inyección SQL en blogs/admin.php en b2evolution anterior a 4.1.7 permite a administradores remotos autenticados ejecutar comandos SQL arbitrarios a través del parámetro show_statuses[]. NOTA:... • https://www.exploit-db.com/exploits/25298 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •