CVE-2012-3843
https://notcve.org/view.php?id=CVE-2012-3843
Cross-site scripting (XSS) vulnerability in the registration page in e107, probably 1.0.1, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados en la página de registro en e107, probablemente v1.0.1, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de vectores no especificados. • http://hauntit.blogspot.com/2012/04/en-e107-cms-reflected-xss-in.html http://packetstormsecurity.org/files/112241/e107-Cross-Site-Scripting.html http://www.securityfocus.com/bid/53271 https://exchange.xforce.ibmcloud.com/vulnerabilities/75225 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2010-0996
https://notcve.org/view.php?id=CVE-2010-0996
Unrestricted file upload vulnerability in e107 before 0.7.20 allows remote authenticated users to execute arbitrary code by uploading a .php.filetypesphp file. NOTE: the vendor disputes the significance of this issue, noting that "an odd set of preferences and a missing file" are required. Vulnerabilidad de subida de fichero sin restricciones en e107 en versiones anteriores a la v0.7.20. Permite a usuarios remotos autenticados ejecutar comandos de su elección subiendo un fichero .php.filetypesphp. NOTA: el fabricante cuestiona la importancia de esta vulnerabilidad, arguyendo que se necesita "un conjunto poco común de preferencias y un fichero perdido". • http://e107.org/comment.php?comment.news.864 http://e107.org/svn_changelog.php?version=0.7.20 http://secunia.com/advisories/39013 http://secunia.com/secunia_research/2010-44 http://www.securityfocus.com/archive/1/510805/100/0/threaded http://www.securityfocus.com/bid/39540 http://www.vupen.com/english/advisories/2010/0919 https://exchange.xforce.ibmcloud.com/vulnerabilities/57932 •
CVE-2009-1409 – e107 < 0.7.15 - 'extended_user_fields' Blind SQL Injection
https://notcve.org/view.php?id=CVE-2009-1409
SQL injection vulnerability in usersettings.php in e107 0.7.15 and earlier, when "Extended User Fields" is enabled and magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the hide parameter, a different vector than CVE-2005-4224 and CVE-2008-5320. Una vulnerabilidad de inyección de SQL en usersettings.php en e107 v0.7.15 y anteriores, cuando la opción "Campos de usuario extendidos" está activado y magic_quotes_gpc está desactivado, permite a atacantes remotos ejecutar comandos SQL arbitrarios a través del parámetro Hide. Se trata de un vector diferente al de CVE-2005-4224 y CVE-2008-5320. • https://www.exploit-db.com/exploits/8495 http://osvdb.org/53812 http://secunia.com/advisories/34823 http://www.securityfocus.com/bid/34614 https://exchange.xforce.ibmcloud.com/vulnerabilities/49981 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2008-5320 – e107 < 0.7.13 - 'usersettings.php' Blind SQL Injection
https://notcve.org/view.php?id=CVE-2008-5320
SQL injection vulnerability in usersettings.php in e107 0.7.13 and earlier allows remote authenticated users to execute arbitrary SQL commands via the ue[] parameter. Vulnerabilidad de inyección SQL en el archivo usersettings.php en e107 0.7.13 y versiones anteriores, permite a los usuarios remotos autentificados ejecutar arbitrariamente comandos SQL a través del parámetro ue[]. • https://www.exploit-db.com/exploits/6791 http://secunia.com/advisories/32322 http://securityreason.com/securityalert/4683 http://www.securityfocus.com/bid/31821 http://www.vupen.com/english/advisories/2008/2860 https://exchange.xforce.ibmcloud.com/vulnerabilities/45967 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2006-0682
https://notcve.org/view.php?id=CVE-2006-0682
Multiple cross-site scripting (XSS) vulnerabilities in bbcodes system in e107 before 0.7.2 allow remote attackers to inject arbitrary web script or HTML via unknown attack vectors. • http://e107.org/comment.php?comment.news.776 http://secunia.com/advisories/18816 http://www.securityfocus.com/bid/16614 http://www.vupen.com/english/advisories/2006/0540 https://exchange.xforce.ibmcloud.com/vulnerabilities/24625 •