CVE-2016-10378
https://notcve.org/view.php?id=CVE-2016-10378
e107 2.1.1 allows SQL injection by remote authenticated administrators via the pagelist parameter to e107_admin/menus.php, related to the menuSaveVisibility function.
• http://code610.blogspot.com/2016/09/sql-injection-in-latest-e107-cms.html
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2017-8098
https://notcve.org/view.php?id=CVE-2017-8098
e107 2.1.4 is vulnerable to cross-site request forgery in plugin-installing, meta-changing, and settings-changing. A malicious web page can use forged requests to make e107 download and install a plug-in provided by the attacker.
• http://seclists.org/fulldisclosure/2017/Apr/40 https://github.com/e107inc/e107/commit/7a3e3d9fc7e05ce6941b9af1c14010bf2141f1a5
• CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2015-1057 – e107 2 Bootstrap CMS - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2015-1057
Cross-site scripting (XSS) vulnerability in usersettings.php in e107 2.0.0 allows remote attackers to inject arbitrary web script or HTML via the "Real Name" value.
• https://www.exploit-db.com/exploits/35679 http://osvdb.org/show/osvdb/116692 http://www.exploit-db.com/exploits/35679 https://exchange.xforce.ibmcloud.com/vulnerabilities/99627
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2015-1041
https://notcve.org/view.php?id=CVE-2015-1041
Cross-site scripting (XSS) vulnerability in e107_admin/filemanager.php in e107 1.0.4 allows remote attackers to inject arbitrary web script or HTML via the e107_files/ file path in the QUERY_STRING.
• http://packetstormsecurity.com/files/129872/CMS-e107-1.0.4-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2015/Jan/18 http://sroesemann.blogspot.de/2014/12/sroeadv-2014-05.html http://sroesemann.blogspot.de/2015/01/report-for-advisory-sroeadv-2014-05.html http://www.openwall.com/lists/oss-security/2015/01/11/6 http://www.securityfocus.com/bid/71977 https://exchange.xforce.ibmcloud.com/vulnerabilities/99898 https://github.com/e107inc/e107v1/issues/2
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-9459
https://notcve.org/view.php?id=CVE-2014-9459
Cross-site request forgery (CSRF) vulnerability in the AdminObserver function in e107_admin/users.php in e107 2.0 alpha2 allows remote attackers to hijack the authentication of administrators for requests that add users to the administrator group via the id parameter in an admin action.
• http://packetstormsecurity.com/files/129751/e107-2.0-Alpha2-Cross-Site-Request-Forgery.html http://seclists.org/fulldisclosure/2014/Dec/124 http://sroesemann.blogspot.de/2014/12/sroeadv-2014-04.html https://github.com/e107inc/e107/commit/9249f892b1e635979db2a830393694fb73531080
• CWE-352: Cross-Site Request Forgery (CSRF)