CVSS: 4.9EPSS: 0%CPEs: 67EXPL: 0CVE-2013-4661
https://notcve.org/view.php?id=CVE-2013-4661
CiviCRM 2.0.0 through 4.2.9 and 4.3.0 through 4.3.3 does not properly enforce role-based access control (RBAC) restrictions for default custom searches, which allows remote authenticated users with the "access CiviCRM" permission to bypass intended access restrictions, as demonstrated by accessing custom contribution data without having the "access CiviContribute" permission. CiviCRM v2.0.0 hasta v4.2.9 y v4.3.0 hasta v4.3.3 no aplica correctamente los requisitos de control de acceso basado en roles (RBAC) por defecto en búsquedas personalizadas, , lo que permite a usuarios remotos autenticados con el permiso "access CiviCRM", lo cual permite a atacantes sortear restricciones de acceso, como lo demuestra el acceso a los datos de cotización personalizada sin tener el permiso "access CiviContribute". • http://civicrm.org/advisory/civi-sa-2013-003 http://civicrm.org/advisory/civi-sa-2013-003-custom-search-permissions http://issues.civicrm.org/jira/browse/CRM-12747 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.5EPSS: 0%CPEs: 13EXPL: 0CVE-2013-4662
https://notcve.org/view.php?id=CVE-2013-4662
The Quick Search API in CiviCRM 4.2.0 through 4.2.9 and 4.3.0 through 4.3.3 allows remote authenticated users to bypass the validation layer and conduct SQL injection attacks via a direct request to the "second layer" of the API, related to contact.getquick. Quick Search API en CiviCRM 4.2.0 hasta la versión 4.2.9 y 4.3.0 hasta 4.3.3 permite a usuarios remotos autenticados evadir la capa de validación y llevar a cabo ataques de inyecciones de SQL a través de peticiones directas hacia una "segunda capa" de la API, relacionada con contact.getquick. • http://issues.civicrm.org/jira/browse/CRM-12765 https://civicrm.org/advisory/civi-sa-2013-004-limited-sql-injection-quick-search-api • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 24EXPL: 1CVE-2013-5957
https://notcve.org/view.php?id=CVE-2013-5957
Multiple SQL injection vulnerabilities in CRM/Core/Page/AJAX/Location.php in CiviCRM before 4.2.12, 4.3.x before 4.3.7, and 4.4.x before 4.4.beta4 allow remote attackers to execute arbitrary SQL commands via the _value parameter to (1) ajax/jqState or (2) ajax/jqcounty. Múltiples vulnerabilidades de inyección de SQL en CRM/Core/Page/AJAX/Location.php de CiviCRM anterior a la versión 4.2.12, 4.3.x anterior a 4.3.7, y 4.4.x anterior a la versión 4.4.beta4 permite a atacantes remotos ejecutar comandos SQL arbitrarios a través del parámetro _value a (1) ajax/jqState o (2) ajax/jqcounty. • https://civicrm.org/advisory/civi-sa-2013-009-sql-injection-vulnerability https://github.com/civicrm/civicrm-core/pull/1708.diff https://www.navixia.com/blog/entry/navixia-finds-critical-vulnerability-in-civicrm-cve-2013-5957.html https://www.navixia.com/company/navixia-news/395-navixia-finds-critical-vulnerability-in-civicrm.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.2EPSS: 1%CPEs: 45EXPL: 2CVE-2013-1636 – Pretty Links Lite < 1.6.3 - Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2013-1636
Cross-site scripting (XSS) vulnerability in open-flash-chart.swf in Open Flash Chart (aka Open-Flash Chart), as used in the Pretty Link Lite plugin before 1.6.3 for WordPress, JNews (com_jnews) component 8.0.1 for Joomla!, and CiviCRM 3.1.0 through 4.2.9 and 4.3.0 through 4.3.3, allows remote attackers to inject arbitrary web script or HTML via the get-data parameter. Vulnerabilidad de XSS en open-flash-chart.swf en Open Flash Chart (también conocido como Open-Flash Chart), utilizado en el plugin Pretty Link Lite anterior a 1.6.3 para WordPress, el componente 8.0.1 de JNews (com_jnews) para Joomla! y CiviCRM 3.1.0 hasta 4.2.9 y 4.3.0 hasta 4.3.3, permite a atacantes remotos inyectar script Web o HTML arbitrarios a través del parámetro get-data. dotDefender Firewall versions 5.00.12865 and 5.13-13282 suffer from a cross site scripting vulnerability. • https://www.exploit-db.com/exploits/38324 http://archives.neohapsis.com/archives/bugtraq/2013-02/0101.html http://osvdb.org/90435 http://packetstormsecurity.com/files/120433/WordPress-Pretty-Link-1.6.3-Cross-Site-Scripting.html http://packetstormsecurity.com/files/121623/Joomla-Jnews-8.0.1-Cross-Site-Scripting.html http://wordpress.org/plugins/pretty-link/changelog https://civicrm.org/advisory/civi-sa-2013-002-openflashchart-xss https://exchange.xforce.ibmcloud.com/vulnerabilities/82242 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.8EPSS: 0%CPEs: 2EXPL: 0CVE-2011-5239
https://notcve.org/view.php?id=CVE-2011-5239
CiviCRM 4.0.5 and 4.1.1 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. CiviCRM v4.0.5 y v4.1.1 no comprueba si el nombre del servidor coincide con un nombre de dominio en el Common Name (CN) del asunto o el campo subjectAltName del certificado X.509, lo que permite a atacantes man-in-the-middle falsificar servidores SSL a través de un certificado válido arbitrario. • http://www.unrest.ca/peerjacking • CWE-20: Improper Input Validation •