CVE-2016-7150
https://notcve.org/view.php?id=CVE-2016-7150
Cross-site scripting (XSS) vulnerability in b2evolution 6.7.5 and earlier allows remote authenticated users to inject arbitrary web script or HTML via the site name.
References:
• http://www.openwall.com/lists/oss-security/2016/09/12/1
• http://www.openwall.com/lists/oss-security/2016/09/15/4
• http://www.securityfocus.com/bid/92967
• https://github.com/b2evolution/b2evolution/commit/dd975fff7fce81bf12f9c59edb1a99475747c83c
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-5480
https://notcve.org/view.php?id=CVE-2017-5480
Directory traversal vulnerability in inc/files/files.ctrl.php in b2evolution through 6.8.3 allows remote authenticated users to read or delete arbitrary files by leveraging back-office access to provide a .. (dot dot) in the fm_selected array parameter.
References:
• http://www.securityfocus.com/bid/95454
• https://github.com/b2evolution/b2evolution/commit/26841d9c81f27ad23b2f6e4bd5eaec7f2f58dfe0
• https://github.com/b2evolution/b2evolution/issues/35
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-5494
https://notcve.org/view.php?id=CVE-2017-5494
Multiple cross-site scripting (XSS) vulnerabilities in the file types table in b2evolution through 6.8.3 allow remote authenticated users to inject arbitrary web script or HTML via a .swf file in a (1) comment frame or (2) avatar frame.
References:
• http://www.securityfocus.com/bid/95452
• https://github.com/b2evolution/b2evolution/commit/261dbd5b294e707af766691e65a177a290314a6e
• https://github.com/b2evolution/b2evolution/issues/34
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-9479
https://notcve.org/view.php?id=CVE-2016-9479
The "lost password" functionality in b2evolution before 6.7.9 allows remote attackers to reset arbitrary user passwords via a crafted request.
References:
• http://b2evolution.net/downloads/6-7-9-stable
• http://www.securityfocus.com/bid/95006
• http://www.securitytracker.com/id/1037393
• https://github.com/b2evolution/b2evolution/issues/33
CWE-255: Credentials Management Errors
CVE-2014-9599
https://notcve.org/view.php?id=CVE-2014-9599
Cross-site scripting (XSS) vulnerability in the filemanager in b2evolution before 5.2.1 allows remote attackers to inject arbitrary web script or HTML via the fm_filter parameter to blogs/admin.php.
References:
• http://b2evolution.net/downloads/5-2-1-stable
• http://packetstormsecurity.com/files/129940/CMS-b2evolution-5.2.0-Cross-Site-Scripting.html
• http://seclists.org/fulldisclosure/2015/Jan/48
• http://sroesemann.blogspot.de/2014/12/sroeadv-2014-09.html
• http://sroesemann.blogspot.de/2015/01/report-for-advisory-sroeadv-2014-09.html
• http://www.securityfocus.com/bid/72052
• https://exchange.xforce.ibmcloud.com/vulnerabilities/99891
• https://twitter.com/SecLists/status/554937224366546944
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')