CVE-2016-7149
https://notcve.org/view.php?id=CVE-2016-7149
Cross-site scripting (XSS) vulnerability in b2evolution 6.7.5 and earlier allows remote attackers to inject arbitrary web script or HTML via vectors related to the autolink function. Vulnerabilidad de XSS en b2evolution 6.7.5 y versiones anteriores permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de vectores relacionados con la función autolink. • http://www.openwall.com/lists/oss-security/2016/09/12/1 http://www.openwall.com/lists/oss-security/2016/09/15/4 http://www.securityfocus.com/bid/92967 https://github.com/b2evolution/b2evolution/commit/9a4ab85439d1b838ee7b8eeebbf59174bb787811 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2016-7150
https://notcve.org/view.php?id=CVE-2016-7150
Cross-site scripting (XSS) vulnerability in b2evolution 6.7.5 and earlier allows remote authenticated users to inject arbitrary web script or HTML via the site name. Vulnerabilidad de XSS en b2evolution 6.7.5 y versiones anteriores permite a usuarios remotos autenticados inyectar secuencias de comandos web o HTML arbitrarios a través del nombre del sitio. • http://www.openwall.com/lists/oss-security/2016/09/12/1 http://www.openwall.com/lists/oss-security/2016/09/15/4 http://www.securityfocus.com/bid/92967 https://github.com/b2evolution/b2evolution/commit/dd975fff7fce81bf12f9c59edb1a99475747c83c • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2017-5480
https://notcve.org/view.php?id=CVE-2017-5480
Directory traversal vulnerability in inc/files/files.ctrl.php in b2evolution through 6.8.3 allows remote authenticated users to read or delete arbitrary files by leveraging back-office access to provide a .. (dot dot) in the fm_selected array parameter. Vulnerabilidad de salto de directorio en inc/files/files.ctrl.php en b2evolution hasta la versión 6.8.3 permite a usuarios remotos autenticados leer o eliminar archivos arbitrarios aprovechando el acceso back-office para proporcionar un .. (punto punto) en el parámetro del array fm_selected. • http://www.securityfocus.com/bid/95454 https://github.com/b2evolution/b2evolution/commit/26841d9c81f27ad23b2f6e4bd5eaec7f2f58dfe0 https://github.com/b2evolution/b2evolution/issues/35 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2017-5494
https://notcve.org/view.php?id=CVE-2017-5494
Multiple cross-site scripting (XSS) vulnerabilities in the file types table in b2evolution through 6.8.3 allow remote authenticated users to inject arbitrary web script or HTML via a .swf file in a (1) comment frame or (2) avatar frame. Múltiples vulnerabilidades de XSS en la tabla de tipos de archivo en b2evolution hasta la versión 6.8.3 permiten a usuarios remotos autenticados inyectar secuencias de comandos web o HTML arbitrarios a través de un archivo .swf manipulado en un (1) marco del comentario o (2) marco del avatar. • http://www.securityfocus.com/bid/95452 https://github.com/b2evolution/b2evolution/commit/261dbd5b294e707af766691e65a177a290314a6e https://github.com/b2evolution/b2evolution/issues/34 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2016-9479
https://notcve.org/view.php?id=CVE-2016-9479
The "lost password" functionality in b2evolution before 6.7.9 allows remote attackers to reset arbitrary user passwords via a crafted request. La funcionalidad "contraseña perdida" en b2evolution en versiones anteriores a 6.7.9 permite a atacantes remotos restablecer contraseñas de usuario arbitrarias a través de una solicitud manipulada. • http://b2evolution.net/downloads/6-7-9-stable http://www.securityfocus.com/bid/95006 http://www.securitytracker.com/id/1037393 https://github.com/b2evolution/b2evolution/issues/33 • CWE-255: Credentials Management Errors •