
CVSS: 4.3 | EPSS: 0% | CPEs: 27 | EXPL: 3

Multiple directory traversal vulnerabilities in OpenX before 2.8.10 revision 82710 allow remote administrators to read arbitrary files via a .. (dot dot) in the group parameter to (1) plugin-preferences.php or (2) plugin-settings.php in www/admin, a different vulnerability than CVE-2013-7376. NOTE: this can be leveraged using CSRF to allow remote unauthenticated attackers to read arbitrary files.

• https://www.exploit-db.com/exploits/26624
• http://osvdb.org/94778
• http://seclists.org/bugtraq/2013/Jul/27
• https://www.htbridge.com/advisory/HTB23155
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 4.3 | EPSS: 0% | CPEs: 23 | EXPL: 4

Multiple cross-site scripting (XSS) vulnerabilities in OpenX Source 2.8.10 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) package parameter to www/admin/plugin-index.php or the (2) group parameter to www/admin/plugin-settings.php. OpenX version 2.8.10 suffers from cross site scripting and local file inclusion vulnerabilities.

• https://www.exploit-db.com/exploits/26624
• http://osvdb.org/94774
• http://osvdb.org/94775
• http://seclists.org/bugtraq/2013/Jul/27
• http://www.exploit-db.com/exploits/26624
• https://exchange.xforce.ibmcloud.com/vulnerabilities/85411
• https://svn.openx.org/openx/trunk/www/admin/plugin-index.php
• https://svn.openx.org/openx/trunk/www/admin/plugin-settings.php
• https://www.htbridge.com/advisory/HTB23155
• https://www.htbridge.com/advisory/HTB23155-openx-changeset-82710.diff
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 4.3 | EPSS: 5% | CPEs: 1 | EXPL: 4

Cross-site scripting (XSS) vulnerability in admin/plugin-index.php in OpenX 2.8.10 before revision 81823 allows remote attackers to inject arbitrary web script or HTML via the parent parameter in an info action. OpenX version 2.8.10 suffers from cross site scripting and remote SQL injection vulnerabilities.

• https://www.exploit-db.com/exploits/37938
• http://archives.neohapsis.com/archives/bugtraq/2012-10/0065.html
• http://osvdb.org/86092
• http://secunia.com/advisories/50877
• http://www.securityfocus.com/bid/55860
• https://exchange.xforce.ibmcloud.com/vulnerabilities/79196
• https://svn.openx.org/openx/trunk/lib/templates/admin/plugin-group-view.html
• https://www.htbridge.com/advisory/HTB23116
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 2

SQL injection vulnerability in admin/campaign-zone-link.php in OpenX 2.8.10 before revision 81823 allows remote attackers to execute arbitrary SQL commands via the ids[] parameter in a link action. OpenX version 2.8.10 suffers from cross site scripting and remote SQL injection vulnerabilities.

• http://archives.neohapsis.com/archives/bugtraq/2012-10/0065.html
• http://osvdb.org/86093
• http://secunia.com/advisories/50877
• http://www.securityfocus.com/bid/55860
• https://exchange.xforce.ibmcloud.com/vulnerabilities/79199
• https://svn.openx.org/openx/trunk/www/admin/campaign-zone-link.php
• https://www.htbridge.com/advisory/HTB23116
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 7.5 | EPSS: 1% | CPEs: 2 | EXPL: 0

Unspecified vulnerability in OpenX 2.8.1 and 2.8.2 allows remote attackers to bypass authentication and obtain access to an Administrator account via unknown vectors, possibly related to www/admin/install.php, www/admin/install-plugins.php, and other www/admin/ files.

• http://blog.openx.org/12/security-matters-2
• http://forum.openx.org/index.php?showtopic=503454011
• http://osvdb.org/61300
• http://secunia.com/advisories/37914
• http://www.securityfocus.com/bid/37457
• CWE-287: Improper Authentication