CVSS: 6.8 | EPSS: 0% | CPEs: 1 | EXPL: 3

Cross-site request forgery (CSRF) vulnerability in e107_admin/newspost.php in e107 1.0.1 allows remote attackers to hijack the authentication of administrators for requests that conduct XSS attacks via the news_title parameter in a create action.

e107 version 1.0.1 suffers from a cross-site request forgery vulnerability that results in arbitrary JavaScript execution.

References:
• https://www.exploit-db.com/exploits/23828
• http://e107.org/changelog
• http://e107.svn.sourceforge.net/viewvc/e107/trunk/e107_0.7/e107_admin/newspost.php?sortdir=down&r1=12622&r2=12992&sortby=rev
• http://www.exploit-db.com/exploits/23828

CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 6.8 | EPSS: 0% | CPEs: 1 | EXPL: 3

Multiple cross-site request forgery (CSRF) vulnerabilities in e107_admin/download.php in e107 1.0.2 allow remote attackers to hijack the authentication of administrators for requests that conduct SQL injection attacks via the (1) download_url, (2) download_url_extended, (3) download_author_email, (4) download_author_website, (5) download_image, (6) download_thumb, (7) download_visible, or (8) download_class parameter.

e107 version 1.0.2 suffers from a cross-site request forgery vulnerability that results in SQL injection.

References:
• https://www.exploit-db.com/exploits/23829
• http://e107.org/changelog
• http://e107.svn.sourceforge.net/viewvc/e107/trunk/e107_0.7/e107_admin/download.php?sortdir=down&r1=13037&r2=13058&sortby=rev
• http://www.exploit-db.com/exploits/23829

CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 6.8 | EPSS: 0% | CPEs: 25 | EXPL: 0

Cross-site request forgery (CSRF) vulnerability in e107_admin/users_extended.php in e107 before 0.7.26 allows remote attackers to hijack the authentication of administrators for requests that insert cross-site scripting (XSS) sequences via the user_include parameter.

References:
• http://e107.org/svn_changelog.php?version=0.7.26
• http://e107.svn.sourceforge.net/viewvc/e107/trunk/e107_0.7/e107_admin/users_extended.php?r1=12225&r2=12306
• http://www.openwall.com/lists/oss-security/2012/03/28/4
• http://www.openwall.com/lists/oss-security/2012/03/29/3
• https://exchange.xforce.ibmcloud.com/vulnerabilities/68062
• https://www.htbridge.com/advisory/multiple_vulnerabilities_in_e107_1.html

CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 6.8 | EPSS: 0% | CPEs: 24 | EXPL: 1

SQL injection vulnerability in e107_admin/users_extended.php in e107 before 0.7.26 allows remote attackers to execute arbitrary SQL commands via the user_field parameter.

References:
• http://e107.org/svn_changelog.php?version=0.7.26
• http://e107.svn.sourceforge.net/viewvc/e107/trunk/e107_0.7/e107_admin/users_extended.php?r1=12225&r2=12306
• http://secunia.com/advisories/44968
• http://www.openwall.com/lists/oss-security/2012/03/28/4
• http://www.openwall.com/lists/oss-security/2012/03/29/3
• http://www.osvdb.org/73120
• https://exchange.xforce.ibmcloud.com/vulnerabilities/68061
• https://www.htbridge.com/advisory/multiple_vulnerabilities_in_e107_1.html

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

Cross-site scripting (XSS) vulnerability in the registration page in e107, probably 1.0.1, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

References:
• http://hauntit.blogspot.com/2012/04/en-e107-cms-reflected-xss-in.html
• http://packetstormsecurity.org/files/112241/e107-Cross-Site-Scripting.html
• http://www.securityfocus.com/bid/53271
• https://exchange.xforce.ibmcloud.com/vulnerabilities/75225

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')