CVSS: 6.8EPSS: 35%CPEs: 2EXPL: 3CVE-2014-7237 – Twiki Upload Bypass
https://notcve.org/view.php?id=CVE-2014-7237
lib/TWiki/Sandbox.pm in TWiki 6.0.0 and earlier, when running on Windows, allows remote attackers to bypass intended access restrictions and upload files with restricted names via a null byte (%00) in a filename to bin/upload.cgi, as demonstrated using .htaccess to execute arbitrary code. lib/TWiki/Sandbox.pm en TWiki 6.0.0 y anteriores, cuando se ejecuta en Windows, permite a atacantes remotos evadir las restricciones de acceso y subir ficheros con nombres restringidos a través un byte nulo (%00) en el nombre del fichero en bin/upload.cgi, como lo demuestra el uso de .htaccess para ejecutar código arbitrario. Twiki versions 4.x, 5.x, and 6.0.0 suffer from a file upload bypass vulnerability. • http://seclists.org/fulldisclosure/2014/Oct/45 http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7237 http://www.securitytracker.com/id/1030982 https://exchange.xforce.ibmcloud.com/vulnerabilities/96952 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 10.0EPSS: 2%CPEs: 1EXPL: 0CVE-2013-1751
https://notcve.org/view.php?id=CVE-2013-1751
TWiki before 5.1.4 allows remote attackers to execute arbitrary shell commands by sending a crafted '%MAKETEXT{}%' parameter value containing Perl backtick characters. TWiki versiones anteriores a 5.1.4, permite a atacantes remotos ejecutar comandos de shell arbitrarios mediante el envío de un valor del parámetro "%MAKETEXT{}%" diseñado que contiene caracteres Perl backtick. • http://www.securitytracker.com/id/1028149 https://security-tracker.debian.org/tracker/CVE-2013-1751 https://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2013-1751 • CWE-20: Improper Input Validation •
CVSS: 5.0EPSS: 0%CPEs: 16EXPL: 1CVE-2012-6330 – Foswiki MAKETEXT - Remote Command Execution
https://notcve.org/view.php?id=CVE-2012-6330
The localization functionality in TWiki before 5.1.3, and Foswiki 1.0.x through 1.0.10 and 1.1.x through 1.1.6, allows remote attackers to cause a denial of service (memory consumption) via a large integer in a %MAKETEXT% macro. La funcionalidad de localización en TWiki anteriores a v5.1.3, y Foswiki v1.0.x hasta v1.0.10 y v1.1.x hasta v1.1.6, permite a atacantes remotos a provocar una denegación de servicio (consumo de memoria)a través de un entero largo en una macro %MAKETEXT%. • https://www.exploit-db.com/exploits/23580 http://sourceforge.net/mailarchive/message.php?msg_id=30219695 http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2012-6329 http://www.securityfocus.com/bid/56950 • CWE-189: Numeric Errors •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 2CVE-2012-0979
https://notcve.org/view.php?id=CVE-2012-0979
Cross-site scripting (XSS) vulnerability in TWiki allows remote attackers to inject arbitrary web script or HTML via the organization field in a profile, involving (1) registration or (2) editing of the user. Una vulnerabilidad de ejecución de comandos en sitios cruzados (XSS) en TWiki permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del campo 'organización' en un perfil, con la participación de un usuario mediante su (1) registro o (2) la edición de su perfil. • http://osvdb.org/78664 http://packetstormsecurity.org/files/109246/twiki-xss.txt http://secunia.com/advisories/47784 http://st2tea.blogspot.com/2012/01/cross-site-scripting-twiki.html http://www.securityfocus.com/bid/51731 http://www.securitytracker.com/id?1026604 https://exchange.xforce.ibmcloud.com/vulnerabilities/72821 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 1%CPEs: 20EXPL: 2CVE-2011-3010 – TWiki 5.0.2 - '/bin/view/Main/Jump?newtopic' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2011-3010
Multiple cross-site scripting (XSS) vulnerabilities in TWiki before 5.1.0 allow remote attackers to inject arbitrary web script or HTML via (1) the newtopic parameter in a WebCreateNewTopic action, related to the TWiki.WebCreateNewTopicTemplate topic; or (2) the query string to SlideShow.pm in the SlideShowPlugin. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en TWiki antes de v5.1.0, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de (1) el parámetro newtopic en una acción WebCreateNewTopic, relacionado con TWiki.WebCreateNewTopicTemplate; o (2) la cadena de consulta a SlideShow.pm en el SlideShadowPlugin. TWiki versions prior to 5.1.0 suffer from cross site scripting vulnerabilities. • https://www.exploit-db.com/exploits/36162 https://www.exploit-db.com/exploits/36163 http://archives.neohapsis.com/archives/bugtraq/2011-09/0142.html http://develop.twiki.org/trac/changeset/21920 http://secunia.com/advisories/46123 http://securitytracker.com/id?1026091 http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2011-3010 http://www.mavitunasecurity.com/xss-vulnerability-in-twiki5 http://www.osvdb.org/75673 http://www.osvdb.org/75674 http://www.securityfocus.com&# • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •