CVE-2015-1603
https://notcve.org/view.php?id=CVE-2015-1603
Multiple cross-site scripting (XSS) vulnerabilities in Adminsystems CMS before 4.0.2 allow remote attackers to inject arbitrary web script or HTML via the (1) page parameter to index.php or (2) id parameter in a users_users action to asys/site/system.php.
References:
• http://packetstormsecurity.com/files/130394/Landsknecht-Adminsystems-CMS-4.0.1-CSRF-XSS-File-Upload.html
• http://seclists.org/fulldisclosure/2015/Feb/50
• http://sroesemann.blogspot.de/2015/01/sroeadv-2015-14.html
• http://sroesemann.blogspot.de/2015/02/report-for-advisory-sroeadv-2015-14.html
• http://www.openwall.com/lists/oss-security/2015/02/13/11
• http://www.openwall.com/lists/oss-security/2015/02/14/1
• http://www.openwall.com/lists/oss-security/2015/02/14/5
• http://www
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2015-1604
https://notcve.org/view.php?id=CVE-2015-1604
Unrestricted file upload vulnerability in asys/site/files.php in Adminsystems CMS before 4.0.2 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in upload/files/.
References:
• http://packetstormsecurity.com/files/130394/Landsknecht-Adminsystems-CMS-4.0.1-CSRF-XSS-File-Upload.html
• http://seclists.org/fulldisclosure/2015/Feb/50
• http://sroesemann.blogspot.de/2015/02/report-for-advisory-sroeadv-2015-14.html
• http://www.openwall.com/lists/oss-security/2015/02/13/11
• http://www.openwall.com/lists/oss-security/2015/02/14/1
• http://www.openwall.com/lists/oss-security/2015/02/14/5
• http://www.securityfocus.com/bid/72605
• https://github.com/kneecht/admins
Weakness: CWE-20: Improper Input Validation
CVE-2015-1471 – Pragyan CMS 3.0 - SQL Injection
https://notcve.org/view.php?id=CVE-2015-1471
SQL injection vulnerability in userprofile.lib.php in Pragyan CMS 3.0 allows remote attackers to execute arbitrary SQL commands via the user parameter to the default URI.
References:
• https://www.exploit-db.com/exploits/35991
• http://pastebin.com/ip2gGYuS
• http://seclists.org/fulldisclosure/2015/Feb/18
• http://seclists.org/oss-sec/2015/q1/402
• http://sroesemann.blogspot.de/2015/01/sroeadv-2015-11.html
• http://sroesemann.blogspot.de/2015/02/advisory-for-sroeadv-2015-11.html
• https://github.com/delta/pragyan/commit/c93bc100ec93fc78940fbdca9b6b009101858309
• https://github.com/delta/pragyan/issues/206
Weakness: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2014-9185 – Morfy CMS 1.05 Remote Command Execution
https://notcve.org/view.php?id=CVE-2014-9185
Static code injection vulnerability in install.php in Morfy CMS 1.05 allows remote authenticated users to inject arbitrary PHP code into config.php via the site_url parameter. Morfy CMS version 1.05 suffers from a remote command execution vulnerability.
References:
• http://packetstormsecurity.com/files/129624/Morfy-CMS-1.05-Remote-Command-Execution.html
• http://seclists.org/fulldisclosure/2014/Dec/70
• http://www.securityfocus.com/archive/1/534271/100/0/threaded
• http://www.vulnerability-lab.com/get_content.php?id=1367
• https://github.com/Awilum/monstra-cms/issues/351
Weakness: CWE-94: Improper Control of Generation of Code ('Code Injection')
CVE-2014-3447
https://notcve.org/view.php?id=CVE-2014-3447
BSS Continuity CMS 4.2.22640.0 has a remote denial of service vulnerability.
References:
• http://seclists.org/fulldisclosure/2014/May/86
• https://packetstormsecurity.com/files/126741/BSS-Continuity-CMS-4.2.22640.0-Denial-Of-Service.html
Weakness: CWE-400: Uncontrolled Resource Consumption