CVSS: 7.5EPSS: 0%CPEs: 24EXPL: 1CVE-2013-5957
https://notcve.org/view.php?id=CVE-2013-5957
Multiple SQL injection vulnerabilities in CRM/Core/Page/AJAX/Location.php in CiviCRM before 4.2.12, 4.3.x before 4.3.7, and 4.4.x before 4.4.beta4 allow remote attackers to execute arbitrary SQL commands via the _value parameter to (1) ajax/jqState or (2) ajax/jqcounty. Múltiples vulnerabilidades de inyección de SQL en CRM/Core/Page/AJAX/Location.php de CiviCRM anterior a la versión 4.2.12, 4.3.x anterior a 4.3.7, y 4.4.x anterior a la versión 4.4.beta4 permite a atacantes remotos ejecutar comandos SQL arbitrarios a través del parámetro _value a (1) ajax/jqState o (2) ajax/jqcounty. • https://civicrm.org/advisory/civi-sa-2013-009-sql-injection-vulnerability https://github.com/civicrm/civicrm-core/pull/1708.diff https://www.navixia.com/blog/entry/navixia-finds-critical-vulnerability-in-civicrm-cve-2013-5957.html https://www.navixia.com/company/navixia-news/395-navixia-finds-critical-vulnerability-in-civicrm.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.2EPSS: 1%CPEs: 45EXPL: 2CVE-2013-1636 – Pretty Links Lite < 1.6.3 - Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2013-1636
Cross-site scripting (XSS) vulnerability in open-flash-chart.swf in Open Flash Chart (aka Open-Flash Chart), as used in the Pretty Link Lite plugin before 1.6.3 for WordPress, JNews (com_jnews) component 8.0.1 for Joomla!, and CiviCRM 3.1.0 through 4.2.9 and 4.3.0 through 4.3.3, allows remote attackers to inject arbitrary web script or HTML via the get-data parameter. Vulnerabilidad de XSS en open-flash-chart.swf en Open Flash Chart (también conocido como Open-Flash Chart), utilizado en el plugin Pretty Link Lite anterior a 1.6.3 para WordPress, el componente 8.0.1 de JNews (com_jnews) para Joomla! y CiviCRM 3.1.0 hasta 4.2.9 y 4.3.0 hasta 4.3.3, permite a atacantes remotos inyectar script Web o HTML arbitrarios a través del parámetro get-data. dotDefender Firewall versions 5.00.12865 and 5.13-13282 suffer from a cross site scripting vulnerability. • https://www.exploit-db.com/exploits/38324 http://archives.neohapsis.com/archives/bugtraq/2013-02/0101.html http://osvdb.org/90435 http://packetstormsecurity.com/files/120433/WordPress-Pretty-Link-1.6.3-Cross-Site-Scripting.html http://packetstormsecurity.com/files/121623/Joomla-Jnews-8.0.1-Cross-Site-Scripting.html http://wordpress.org/plugins/pretty-link/changelog https://civicrm.org/advisory/civi-sa-2013-002-openflashchart-xss https://exchange.xforce.ibmcloud.com/vulnerabilities/82242 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.8EPSS: 0%CPEs: 2EXPL: 0CVE-2011-5239
https://notcve.org/view.php?id=CVE-2011-5239
CiviCRM 4.0.5 and 4.1.1 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. CiviCRM v4.0.5 y v4.1.1 no comprueba si el nombre del servidor coincide con un nombre de dominio en el Common Name (CN) del asunto o el campo subjectAltName del certificado X.509, lo que permite a atacantes man-in-the-middle falsificar servidores SSL a través de un certificado válido arbitrario. • http://www.unrest.ca/peerjacking • CWE-20: Improper Input Validation •