
CVSS: 5.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

SimpGB 1.46.02 stores sensitive information under the web root with insufficient access control, which allows remote attackers to (1) obtain sensitive configuration information via a direct request for admin/cfginfo.php; and (2) download arbitrary .inc files via a direct request, as demonstrated by admin/includes/dbtables.inc.

References:
• http://forum.boesch-it.de/viewtopic.php?t=2790
• http://osvdb.org/40612
• http://osvdb.org/40613
• http://secunia.com/advisories/26974
• http://www.netvigilance.com/advisory0065
• http://www.netvigilance.com/advisory0066
• http://www.securityfocus.com/archive/1/480590/100/0/threaded
• http://www.securityfocus.com/archive/1/480592/100/0/threaded
• https://exchange.xforce.ibmcloud.com/vulnerabilities/36776
• https://exchange.xforce.ibmcloud.com/vulnerabilities/36777

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 2

Multiple cross-site scripting (XSS) vulnerabilities in SimpNews 2.41.03 allow remote attackers to inject arbitrary web script or HTML via the (1) l_username parameter to admin/layout2b.php, and the (2) backurl parameter to comment.php. SimpNews version 2.41.03 suffers from multiple cross-site scripting vulnerabilities.

References:
• https://www.exploit-db.com/exploits/30618
• https://www.exploit-db.com/exploits/30617
• http://forum.boesch-it.de/viewtopic.php?t=2791
• http://secunia.com/advisories/26965
• http://securityreason.com/securityalert/3166
• http://www.netvigilance.com/advisory0070
• http://www.securityfocus.com/archive/1/480598/100/0/threaded
• http://www.securityfocus.com/bid/25809
• https://exchange.xforce.ibmcloud.com/vulnerabilities/36774

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

Cross-site scripting (XSS) vulnerability in heading.php in Boesch ProgSys 0.151 and earlier allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to admin/index.php, and unspecified vectors related to certain other files. NOTE: some of these details are obtained from third party information.

References:
• http://secunia.com/advisories/22532
• http://securityreason.com/securityalert/1782
• http://www.securityfocus.com/archive/1/449571/100/0/threaded
• http://www.securityfocus.com/bid/20720
• http://www.vigilon.com/advisories/vg-progsys-24-10-2006.txt
• http://www.vupen.com/english/advisories/2006/4194
• https://exchange.xforce.ibmcloud.com/vulnerabilities/29770

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 4.3 | EPSS: 0% | CPEs: 4 | EXPL: 3

Multiple cross-site scripting (XSS) vulnerabilities in Boesch SimpNews before 2.34.01 allow remote attackers to inject arbitrary web script or HTML via unspecified parameters to (1) admin/index.php, (2) admin/pwlost.php, and unspecified other files. NOTE: the provenance of this information is unknown; the details are obtained from third party information.

References:
• https://www.exploit-db.com/exploits/28858
• https://www.exploit-db.com/exploits/28859
• http://secunia.com/advisories/22535
• http://www.boesch-it.de/sw/php-scripts/simpnews/english/index.php
• http://www.securityfocus.com/bid/20714
• http://www.vupen.com/english/advisories/2006/4162

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.5 | EPSS: 1% | CPEs: 1 | EXPL: 2

PHP remote file inclusion vulnerability in includes/pear/Net/DNS/RR.php in ProgSys 0.151 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the phpdns_basedir parameter.

References:
• https://www.exploit-db.com/exploits/2411
• http://www.securityfocus.com/bid/20141
• https://exchange.xforce.ibmcloud.com/vulnerabilities/29078

CWE-94: Improper Control of Generation of Code ('Code Injection')