CVSS: 5.0EPSS: 0%CPEs: 15EXPL: 0CVE-2014-5107
https://notcve.org/view.php?id=CVE-2014-5107
concrete5 before 5.6.3 allows remote attackers to obtain the installation path via a direct request to (1) system/basics/editor.php, (2) system/view.php, (3) system/environment/file_storage_locations.php, (4) system/mail/importers.php, (5) system/mail/method.php, (6) system/permissions/file_types.php, (7) system/permissions/files.php, (8) system/permissions/tasks.php, (9) system/permissions/users.php, (10) system/seo/view.php, (11) view.php, (12) users/attributes.php, (13) scrapbook/view.php, (14) pages/attributes.php, (15) files/attributes.php, or (16) files/search.php in single_pages/dashboard/. concrete5 anterior a 5.6.3 permite a atacantes remotos obtener la ruta de instalación a través de una solicitud directa en (1) system/basics/editor.php, (2) system/view.php, (3) system/environment/file_storage_locations.php, (4) system/mail/importers.php, (5) system/mail/method.php, (6) system/permissions/file_types.php, (7) system/permissions/files.php, (8) system/permissions/tasks.php, (9) system/permissions/users.php, (10) system/seo/view.php, (11) view.php, (12) users/attributes.php, (13) scrapbook/view.php, (14) pages/attributes.php, (15) files/attributes.php o (16) files/search.php en single_pages/dashboard/. • http://osvdb.org/show/osvdb/109269 http://packetstormsecurity.com/files/127493/Concrete-5.6.2.1-REFERER-Cross-Site-Scripting.html http://www.securityfocus.com/bid/68685 https://www.concrete5.org/documentation/background/version_history/5-6-3-release-notes • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.3EPSS: 0%CPEs: 15EXPL: 0CVE-2014-5108
https://notcve.org/view.php?id=CVE-2014-5108
Cross-site scripting (XSS) vulnerability in single_pages\download_file.php in concrete5 before 5.6.3 allows remote attackers to inject arbitrary web script or HTML via the HTTP Referer header to index.php/download_file. Vulnerabilidad de XSS en single_pages\download_file.php en concrete5 anterior a 5.6.3 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de la cabecera HTTP Referer en index.php/download_file. • http://osvdb.org/show/osvdb/109273 http://packetstormsecurity.com/files/127493/Concrete-5.6.2.1-REFERER-Cross-Site-Scripting.html http://www.securityfocus.com/bid/68685 https://www.concrete5.org/documentation/background/version_history/5-6-3-release-notes • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 10EXPL: 0CVE-2012-5181
https://notcve.org/view.php?id=CVE-2012-5181
Cross-site scripting (XSS) vulnerability in concrete5 Japanese 5.5.1 through 5.5.2.1 and concrete5 English 5.5.0 through 5.6.0.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en concrete5 Japanese v5.5.1 hasta la v5.5.2.1 y concrete5 English v5.5.0 hasta la v5.6.0.2 permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de vectores no especificados. • http://concrete5-japan.org/news/concrete5602ja-release http://jvn.jp/en/jp/JVN65458431/index.html http://jvndb.jvn.jp/jvndb/JVNDB-2012-000113 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •