CVSS: 6.8 | EPSS: 0% | CPEs: 145 | EXPL: 0

Cross-site request forgery (CSRF) vulnerability in phpMyFAQ before 2.8.6 allows remote attackers to hijack the authentication of arbitrary users for requests that modify settings.

http://jvn.jp/en/jp/JVN50943964/index.html
http://jvndb.jvn.jp/jvndb/JVNDB-2014-000016
http://osvdb.org/102939
http://secunia.com/advisories/56006
http://www.phpmyfaq.de/advisory_2014-02-04.php
http://www.securityfocus.com/bid/65368
https://exchange.xforce.ibmcloud.com/vulnerabilities/90963

CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 4.3 | EPSS: 0% | CPEs: 145 | EXPL: 0

Cross-site scripting (XSS) vulnerability in phpMyFAQ before 2.8.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

http://jvn.jp/en/jp/JVN30050348/index.html
http://jvndb.jvn.jp/jvndb/JVNDB-2014-000015
http://osvdb.org/102940
http://secunia.com/advisories/56006
http://www.phpmyfaq.de/advisory_2014-02-04.php
http://www.securityfocus.com/bid/65368

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.5 | EPSS: 92% | CPEs: 41 | EXPL: 9

Static code injection vulnerability in inc/function.base.php in Ajax File and Image Manager before 1.1, as used in tinymce before 1.4.2, phpMyFAQ 2.6 before 2.6.19 and 2.7 before 2.7.1, and possibly other products, allows remote attackers to inject arbitrary PHP code into data.php via crafted parameters.

https://www.exploit-db.com/exploits/18085
https://www.exploit-db.com/exploits/18075
https://www.exploit-db.com/exploits/18151
https://www.exploit-db.com/exploits/18975
https://www.exploit-db.com/exploits/18084
https://www.exploit-db.com/exploits/18083
http://www.exploit-db.com/exploits/18075
http://www.phpletter.com/en/DOWNLOAD/1
http://www.phpmyfaq.de/advisory_2011-10-25.php
http://www.securityfocus.com/bid/50523
http://www.zenphoto.org/trac/ticket/2005&

CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 5.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

phpMyFAQ 2.6.13 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by lang/language_uk.php and certain other files.

http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/%21_README
http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/phpmyfaq-2.6.13
http://www.openwall.com/lists/oss-security/2011/06/27/6

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 7.5 | EPSS: 0% | CPEs: 2 | EXPL: 0

phpMyFAQ 2.6.11 and 2.6.12, as distributed between December 4th and December 15th 2010, contains an externally introduced modification (Trojan Horse) in the getTopTen method in inc/Faq.php, which allows remote attackers to execute arbitrary PHP code.

http://secunia.com/advisories/42622
http://www.phpmyfaq.de/advisory_2010-12-15.php
http://www.securityfocus.com/bid/45442
http://www.vupen.com/english/advisories/2010/3254

CWE-94: Improper Control of Generation of Code ('Code Injection')