CVE-2014-0814
https://notcve.org/view.php?id=CVE-2014-0814
Cross-site scripting (XSS) vulnerability in phpMyFAQ before 2.8.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de XSS en phpMyFAQ anterior a 2.8.6 permite a atacantes remotos inyectar script Web o HTML arbitrarios a través de vectores no especificados. • http://jvn.jp/en/jp/JVN30050348/index.html http://jvndb.jvn.jp/jvndb/JVNDB-2014-000015 http://osvdb.org/102940 http://secunia.com/advisories/56006 http://www.phpmyfaq.de/advisory_2014-02-04.php http://www.securityfocus.com/bid/65368 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2014-0813
https://notcve.org/view.php?id=CVE-2014-0813
Cross-site request forgery (CSRF) vulnerability in phpMyFAQ before 2.8.6 allows remote attackers to hijack the authentication of arbitrary users for requests that modify settings. Vulnerabilidad de CSRF en phpMyFAQ anterior a 2.8.6 permite a atacantes remotos secuestrar la autenticación de usuarios arbitrarios para solicitudes que modifiquen configuraciones. • http://jvn.jp/en/jp/JVN50943964/index.html http://jvndb.jvn.jp/jvndb/JVNDB-2014-000016 http://osvdb.org/102939 http://secunia.com/advisories/56006 http://www.phpmyfaq.de/advisory_2014-02-04.php http://www.securityfocus.com/bid/65368 https://exchange.xforce.ibmcloud.com/vulnerabilities/90963 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2011-4825 – aidiCMS 3.55 - 'ajax_create_folder.php' Remote Code Execution
https://notcve.org/view.php?id=CVE-2011-4825
Static code injection vulnerability in inc/function.base.php in Ajax File and Image Manager before 1.1, as used in tinymce before 1.4.2, phpMyFAQ 2.6 before 2.6.19 and 2.7 before 2.7.1, and possibly other products, allows remote attackers to inject arbitrary PHP code into data.php via crafted parameters. Vulnerabilidad de inyección de código estático en inc/function.base.php de Ajax File y Image Manager en versiones anteriores a 1.1, tal como se usa en tinymce en versiones anteriores a 1.4.2, phpMyFAQ 2.6 anteriores a 2.6.19 y 2.7 anteriores a 2.7.1, y posiblemente otros productos, permite a atacantes remotos inyectar código arbitrario PHP en data.php a través de parámetros modificados. • https://www.exploit-db.com/exploits/18085 https://www.exploit-db.com/exploits/18075 https://www.exploit-db.com/exploits/18151 https://www.exploit-db.com/exploits/18975 https://www.exploit-db.com/exploits/18084 https://www.exploit-db.com/exploits/18083 http://www.exploit-db.com/exploits/18075 http://www.phpletter.com/en/DOWNLOAD/1 http://www.phpmyfaq.de/advisory_2011-10-25.php http://www.securityfocus.com/bid/50523 http://www.zenphoto.org/trac/ticket/2005& • CWE-94: Improper Control of Generation of Code ('Code Injection') •