CVE-2018-17874
https://notcve.org/view.php?id=CVE-2018-17874
ExpressionEngine before 4.3.5 has reflected XSS. ExpressionEngine en versiones anteriores a la 4.3.5 tiene Cross-Site Scripting (XSS) reflejado. • https://docs.expressionengine.com/latest/about/changelog.html#version-4-3-5 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2017-0897
https://notcve.org/view.php?id=CVE-2017-0897
ExpressionEngine version 2.x < 2.11.8 and version 3.x < 3.5.5 create an object signing token with weak entropy. Successfully guessing the token can lead to remote code execution. ExpressionEngine, en versiones 2.x anteriores a la 2.11.8 y en versiones 3.x anteriores a la 3.5.5, crea un token de firma de objeto con una entropía débil. Si se adivina el token correctamente, puede conducir a la ejecución remota de código. • http://www.securityfocus.com/bid/99242 https://docs.expressionengine.com/latest/about/changelog.html#version-3-5-5 https://docs.expressionengine.com/v2/about/changelog.html#version-2-11-8 https://expressionengine.com/blog/expressionengine-3.5.5-and-2.11.8-released https://hackerone.com/reports/215890 • CWE-330: Use of Insufficiently Random Values CWE-331: Insufficient Entropy •