CVSS: 5.0EPSS: 0%CPEs: 2EXPL: 1CVE-2008-6591
https://notcve.org/view.php?id=CVE-2008-6591
LightNEasy "no database" (aka flat) version 1.2.2, and possibly SQLite version 1.2.2, allows remote attackers to create arbitrary files via the page parameter to (1) index.php and (2) LightNEasy.php. LightNEasy "no database" (también conocido flat) v1.2.2, y posiblemente SQLite v1.2.2, permite a atacantes remotos crear ficheros a su elección a través del parámetro "page" a (1) index.php y (2) LightNEasy.php. • http://osvdb.org/44678 http://osvdb.org/44679 http://secunia.com/advisories/29833 http://www.securityfocus.com/archive/1/491064/100/0/threaded http://www.securityfocus.com/bid/28839 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.5EPSS: 1%CPEs: 2EXPL: 2CVE-2008-6592 – LightNEasy sqlite / no database 1.2.2 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2008-6592
thumbsup.php in Thumbs-Up 1.12, as used in LightNEasy "no database" (aka flat) and SQLite 1.2.2 and earlier, allows remote attackers to copy, rename, and read arbitrary files via directory traversal sequences in the image parameter with a modified cache_dir parameter containing a %00 (encoded null byte). thumbsup.php en Thumbs-Up v1.12, cuando se utiliza en LightNEasy "no database" (también conocido como flat) y SQLite v1.2.2 permite a atacantes remotos copiar, renombrar, y leer ficheros de modo arbitrario a través de secuencias de salto de directorio en el parámetro "image" con un parámetro modificado cache_dir conteniendo un %00 (byte codificado nulo). • https://www.exploit-db.com/exploits/5452 http://secunia.com/advisories/29833 http://www.osvdb.org/44674 http://www.securityfocus.com/archive/1/491064/100/0/threaded http://www.securityfocus.com/bid/28801 https://exchange.xforce.ibmcloud.com/vulnerabilities/49851 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.0EPSS: 3%CPEs: 1EXPL: 1CVE-2008-6537 – LightNEasy 1.2 - no database Remote Hash Retrieve
https://notcve.org/view.php?id=CVE-2008-6537
LightNEasy/lightneasy.php in LightNEasy No database version 1.2 allows remote attackers to obtain the hash of the administrator password via the setup "do" action to LightNEasy.php, which is cleared from $_GET but later accessed using $_REQUEST. LightNEasy/lightneasy.php en LightNEasy No database v1.2 permite a atacantes remotos conseguir el hash del password del administrador a través de la acción de configuración "do" a LightNEasy.php, que es eliminada desde $_GET pero posteriormente accedida usando $_REQUEST. • https://www.exploit-db.com/exploits/5425 http://osvdb.org/44397 http://secunia.com/advisories/29757 https://exchange.xforce.ibmcloud.com/vulnerabilities/41768 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •