CVE-2010-1427
https://notcve.org/view.php?id=CVE-2010-1427
Cross-site scripting (XSS) vulnerability in the SearchHighlight plugin in MODx Evolution before 1.0.3 allows remote attackers to inject arbitrary web script or HTML via unknown vectors related to AjaxSearch. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en el plugin SearchHighlight en MODx Evolution anterior v1.0.3 permite a atacantes remotos inyectar código web o HTML de su elección a través de vectores desconocidos relacionados con AjaxSearch. • http://jvn.jp/en/jp/JVN46669729/index.html http://jvndb.jvn.jp/ja/contents/2010/JVNDB-2010-000013.html http://modxcms.com/forums/index.php/topic%2C47759.msg280304.html#msg280304 http://secunia.com/advisories/39298 https://exchange.xforce.ibmcloud.com/vulnerabilities/57635 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2009-1631
https://notcve.org/view.php?id=CVE-2009-1631
The Mailer component in Evolution 2.26.1 and earlier uses world-readable permissions for the .evolution directory, and certain directories and files under .evolution/ related to local mail, which allows local users to obtain sensitive information by reading these files. El componente Mailer en Evolution v2.26.1 y versiones anteriores utiliza permisos de lectura para todos para el directorio .evolution, y determinados directorios y ficheros bajo .evolution/ relacionados con el correo local, lo cual permite a usuarios locales obtener información sensible a través de la lectura de esos ficheros. • http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=526409 http://bugzilla.gnome.org/show_bug.cgi?id=581604 http://www.openwall.com/lists/oss-security/2009/05/12/6 http://www.securityfocus.com/bid/34921 https://bugzilla.redhat.com/show_bug.cgi?id=498648 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2009-0547 – evolution-data-server: S/MIME signatures are considered to be valid even for modified messages (MITM)
https://notcve.org/view.php?id=CVE-2009-0547
Evolution 2.22.3.1 checks S/MIME signatures against a copy of the e-mail text within a signed-data blob, not the copy of the e-mail text displayed to the user, which allows remote attackers to spoof a signature by modifying the latter copy, a different vulnerability than CVE-2008-5077. Evolution v2.22.3.1, comprueba las firmas S/MIME contra una copia del texto del correo electrónico con un campo de datos firmados, la copia del texto del correo no se muestra al usuario, esto permite a atacantes remotos falsificar la firma modificando la copia posterior. Se trata de una vulnerabilidad diferente de CVE-2008-5077. • http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508479 http://bugzilla.gnome.org/show_bug.cgi?id=564465 http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00001.html http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00002.html http://openwall.com/lists/oss-security/2009/02/10/7 http://secunia.com/advisories/33848 http://secunia.com/advisories/34338 http://secunia.com/advisories • CWE-310: Cryptographic Issues •
CVE-2008-1108 – evolution: iCalendar buffer overflow via large timezone specification
https://notcve.org/view.php?id=CVE-2008-1108
Buffer overflow in Evolution 2.22.1, when the ITip Formatter plugin is disabled, allows remote attackers to execute arbitrary code via a long timezone string in an iCalendar attachment. Desbordamiento de búfer en Evolution 2.22.1, cuando el plugin ITip Formates está desactivado, permite a atacantes remotos ejecutar código arbitrario a través de una cadena "timezone" larga en un adjunto iCalendar. • http://lists.opensuse.org/opensuse-security-announce/2008-06/msg00003.html http://secunia.com/advisories/30298 http://secunia.com/advisories/30527 http://secunia.com/advisories/30536 http://secunia.com/advisories/30564 http://secunia.com/advisories/30571 http://secunia.com/advisories/30702 http://secunia.com/advisories/30716 http://secunia.com/secunia_research/2008-22/advisory http://security.gentoo.org/glsa/glsa-200806-06.xml http://www.mandriva.com/security/advisories?name=MDVSA& • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVE-2008-1109 – evolution: iCalendar buffer overflow via large description parameter
https://notcve.org/view.php?id=CVE-2008-1109
Heap-based buffer overflow in Evolution 2.22.1 allows user-assisted remote attackers to execute arbitrary code via a long DESCRIPTION property in an iCalendar attachment, which is not properly handled during a reply in the calendar view (aka the Calendars window). Desbordamiento de Búfer basado en montículo en Evolution 2.22.1 permite a atacantes remotos asistidos por el usuario, ejecutar código arbitrariamente mediante una propiedad DESCRIPTION larga en un adjunto iCalendar, que no es gestionado correctamente durante una respuesta en la vista de calendario (también conocida como ventana de Calendarios). • http://lists.opensuse.org/opensuse-security-announce/2008-06/msg00003.html http://secunia.com/advisories/30298 http://secunia.com/advisories/30527 http://secunia.com/advisories/30564 http://secunia.com/advisories/30571 http://secunia.com/advisories/30702 http://secunia.com/advisories/30716 http://secunia.com/secunia_research/2008-23/advisory http://security.gentoo.org/glsa/glsa-200806-06.xml http://www.mandriva.com/security/advisories?name=MDVSA-2008:111 http://www.redhat.com • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •