CVSS: 8.8EPSS: 9%CPEs: 16EXPL: 0CVE-2011-5051 – WP Symposium < 11.12.24 - Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2011-5051
Multiple unrestricted file upload vulnerabilities in the WP Symposium plugin before 11.12.24 for WordPress allow remote attackers to execute arbitrary code by uploading a file with an executable extension using (1) uploadify/upload_admin_avatar.php or (2) uploadify/upload_profile_avatar.php, then accessing it via a direct request to the file in an unspecified directory inside the webroot. Múltiples vulnerabilidades de subida de ficheros sin restricción en el complemento WP Symposium antes de v11.12.24 para WordPress, permite a atacantes remotos ejecutar código de su elección subiendo un fichero con una extensión ejecutable usando (1) uploadify/upload_admin_avatar.php o (2) uploadify/upload_profile_avatar.php, y accediendo posteriormente a él a través de una petición directa al fichero en un directorio no especificado dentro del webroot. • http://osvdb.org/78041 http://osvdb.org/78042 http://secunia.com/advisories/46097 http://secunia.com/secunia_research/2011-91 https://exchange.xforce.ibmcloud.com/vulnerabilities/72012 https://wpsymposium-trac.sourcerepo.com/wpsymposium_trac/ticket/265 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2011-3841 – WP Symposium <= 11.11.26 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2011-3841
Cross-site scripting (XSS) vulnerability in uploadify/get_profile_avatar.php in the WP Symposium plugin before 11.12.08 for WordPress allows remote attackers to inject arbitrary web script or HTML via the uid parameter. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en uploadify/get_profile_avatar.php del componente WP Symposium en versiones anteriores a la 11.12.08 para WordPress. Permite a atacantes remotos inyectar codigo de script web o código HTML de su elección a través del parámetro uid. • http://secunia.com/advisories/47243 http://secunia.com/secunia_research/2011-82 http://www.securityfocus.com/bid/51017 http://www.wpsymposium.com/2011/12/v11-12-08 https://exchange.xforce.ibmcloud.com/vulnerabilities/71748 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •