Page 2 of 24 results (0.007 seconds)

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0

Multiple cross-site scripting (XSS) vulnerabilities in Sitecore CMS 9.0.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) #300583 - List Manager Dashboard module, (2) #307638 - Campaign Creator module, (3) #316994 - Attributes field, (4) I#316995 - Icon Selection module, (5) #317000 - Latitude field, (6) #317000 - Longitude field, (7) #317017 - UploadPackage2.aspx module, (8) #317072 - Context menu, or (9) I#317073 - Insert from Template dialog. Múltiples vulnerabilidades de tipo cross-site scripting (XSS) en CMS de Sitecore versión 9.0.1 y anteriores, permiten a los atacantes remotos inyectar script web o HTML arbitrario por medio de (1) #300583 - Módulo List Manager Dashboard, (2) #307638 - Módulo Campaign Creator, (3) #316994 - Campo Attributes, (4) I#316995 - Módulo Icon Selection, (5) #317000 - Campo Latitude, (6) #317000 - Campo Longitude, (7) #317017 - Módulo UploadPackage2.aspx, ( 8) #317072 - Menú Context, o (9) I#317073 - Insertar desde el cuadro de diálogo Template. • https://dev.sitecore.net/Downloads/Sitecore%20Experience%20Platform/92/Sitecore%20Experience%20Platform%2092%20Initial%20Release/Release%20Notes https://outpost24.com/blog • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.8EPSS: 1%CPEs: 1EXPL: 1

Deserialization of Untrusted Data in the anti CSRF module in Sitecore through 9.1 allows an authenticated attacker to execute arbitrary code by sending a serialized .NET object in an HTTP POST parameter. La deserialización de datos no confiables en el módulo anti CSRF en Sitecore hasta la versón 9.1, permite a un atacante identificado ejecutar código arbitrario mediante el envío un objeto .NET serializado dentro de un parámetro POST de HTTP. • https://dev.sitecore.net/Downloads.aspx https://www.synacktiv.com/blog.html https://www.synacktiv.com/ressources/advisories/Sitecore_CSRF_deserialize_RCE.pdf • CWE-502: Deserialization of Untrusted Data •

CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 1

Cross-site scripting (XSS) vulnerability in Sitecore CMS before 7.0 Update-4 (rev. 140120) allows remote attackers to inject arbitrary web script or HTML via the xmlcontrol parameter to the default URI. NOTE: some of these details are obtained from third party information. Vulnerabilidad de XSS en Sitecore CMS anterior a 7.0 actualización-4 (rev. 140120) permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro xmlcontrol en la URI por defecto. NOTA: algunos de estos detalles se obtienen de información de terceras partes. • http://osvdb.org/102660 http://secunia.com/advisories/56705 http://sitecorekh.blogspot.dk/2014/01/sitecore-releases-70-update-4-rev-140120.html http://www.securityfocus.com/archive/1/530901/100/0/threaded http://www.securityfocus.com/bid/65254 https://exchange.xforce.ibmcloud.com/vulnerabilities/90833 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 2

Multiple cross-site scripting (XSS) vulnerabilities in Havalite 1.0.4 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) find or (2) replace fields to havalite/findReplace.php; (3) username parameter to havalite/hava_login.php, (4) the Edit Article module, or (5) hava_post.php in the postAuthor module; (6) postId parameter to hava_post.php; (7) userId parameter to hava_user.php; or (8) linkId parameter to hava_link.php. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados en Havalite v1.0.4 y anteriores, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de los camposo (1) find o (2) replace a havalite/findReplace.php; el parámetro (3) username a havalite/hava_login.php, el módulo (4) Edit Article, o (5) hava_post.php en el módulo postAuthor; el parámetro (6) postId a hava_post.php; el parámetro (7) userId a hava_user.php; o el parámetro (8) linkId a hava_link.php. • https://www.exploit-db.com/exploits/18772 http://osvdb.org/81324 http://osvdb.org/81325 http://packetstormsecurity.org/files/112089/Havalite-CMS-1.0.4-Cross-Site-Scripting.html http://secunia.com/advisories/48646 http://www.vulnerability-lab.com/get_content.php?id=520 https://exchange.xforce.ibmcloud.com/vulnerabilities/75082 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 2

SQL injection vulnerability in hava_post.php in Havalite CMS 1.1.0 and earlier allows remote attackers to execute arbitrary SQL commands via the postId parameter. Vulnerabilidad de inyección SQL en hava_post.php en Havalite CMS v1.1.0 y anteriores permite a atacantes remotos ejecutar comandos SQL arbitrarios a través del parámetro postid. • https://www.exploit-db.com/exploits/18772 http://osvdb.org/80769 http://packetstormsecurity.org/files/111358/Havalite-CMS-Shell-Upload-SQL-Injection-Disclosure.html http://secunia.com/advisories/48646 https://exchange.xforce.ibmcloud.com/vulnerabilities/74487 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •