Page 38 of 274 results (0.025 seconds)

CVSS: 5.3EPSS: 0%CPEs: 10EXPL: 0

The Media Upload form in the Video Embed & Thumbnail Generator plugin before 2.0 for WordPress allows remote attackers to obtain the installation path via unknown vectors. El formulario de subida de contenido multimedia del complemento Video Embed & Thumbnail Generator anteriores a la versión 2.0 para WordPress permite a atacantes remotos obtener la ruta de instalación a través de vectores sin especificar. • http://plugins.trac.wordpress.org/changeset?old_path=%2Fvideo-embed-thumbnail-generator&old=507924&new_path=%2Fvideo-embed-thumbnail-generator&new=507924 http://wordpress.org/extend/plugins/video-embed-thumbnail-generator/changelog http://www.securityfocus.com/bid/52652 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 7.5EPSS: 0%CPEs: 10EXPL: 0

kg_callffmpeg.php in the Video Embed & Thumbnail Generator plugin before 2.0 for WordPress allows remote attackers to execute arbitrary commands via unspecified vectors. kg_callffmpeg.php en el complemento de Wordpress "Video Embed & Thumbnail Generator" antes de v2.0 permite a atacantes remotos ejecutar comandos de su elección a través de vectores no especificados. The Videopack (formerly Video Embed & Thumbnail Generator) plugin for WordPress is vulnerable to remote code execution in versions up to 2.0 due to insufficient input validation on data supplied to the runCom() function that executes code. This makes it possible for attackers to run arbitrary code on the system. • http://plugins.trac.wordpress.org/changeset?old_path=%2Fvideo-embed-thumbnail-generator&old=507924&new_path=%2Fvideo-embed-thumbnail-generator&new=507924 http://secunia.com/advisories/48087 http://wordpress.org/extend/plugins/video-embed-thumbnail-generator/changelog http://www.securityfocus.com/bid/52180 https://exchange.xforce.ibmcloud.com/vulnerabilities/73508 • CWE-20: Improper Input Validation CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 5.0EPSS: 0%CPEs: 73EXPL: 3

wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier does not limit the number of MySQL queries sent to external MySQL database servers, which allows remote attackers to use WordPress as a proxy for brute-force attacks or denial of service attacks via the dbhost parameter, a different vulnerability than CVE-2011-4898. NOTE: the vendor disputes the significance of this issue because an incomplete WordPress installation might be present on the network for only a short time ** CUESTIONADA ** wp-admin/setup-config.php en la instalación del componente en WordPress v3.3.1 y versiones anteriores. No limita el número de peticiones MySQL enviados a servidores externos de la base de datos MySQL, lo que permite que atacantes remotos que usan WordPress como proxy para ataques de fuerza-bruta o denegación de servicio ataquen a través del parámetro 'dbhost', una vulnerabilidad diferente que CVE-2011-4898. NOTA: El vendedor ha puesto en duda la importancia de este informe porque una instalación incompleta de WordPress debería presentarse en la red por un periodo de corto de tiempo. • https://www.exploit-db.com/exploits/18417 http://archives.neohapsis.com/archives/bugtraq/2012-01/0150.html http://www.exploit-db.com/exploits/18417 https://www.trustwave.com/spiderlabs/advisories/TWSL2012-002.txt •

CVSS: 4.3EPSS: 0%CPEs: 73EXPL: 4

Multiple cross-site scripting (XSS) vulnerabilities in wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) dbhost, (2) dbname, or (3) uname parameter. NOTE: the vendor disputes the significance of this issue; also, it is unclear whether this specific XSS scenario has security relevance ** CUESTIONADA ** Varias vulnerabilidades de ejecución de comandos en sitios cruzados (XSS) en wp-admin/setup-config.php en la instalación de componente en WordPress 3.3.1 y anteriores apermite a atacantes remotos inyectar código HTML o script web a través del parámetro (1)dbhost, (2) dbname, o (3) uname. NOTA: el desarrollador ha disputado la importancia de este vulnerabilidad; no está claro que el escenario XSS específico tenga relevancia de seguridad. WordPress versions 3.3.1 and below suffer from MySQL username/password disclosure, PHP code execution and cross site scripting vulnerabilities. • https://www.exploit-db.com/exploits/18417 http://archives.neohapsis.com/archives/bugtraq/2012-01/0150.html http://www.exploit-db.com/exploits/18417 https://www.trustwave.com/spiderlabs/advisories/TWSL2012-002.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.5EPSS: 3%CPEs: 73EXPL: 4

wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier does not ensure that the specified MySQL database service is appropriate, which allows remote attackers to configure an arbitrary database via the dbhost and dbname parameters, and subsequently conduct static code injection and cross-site scripting (XSS) attacks via (1) an HTTP request or (2) a MySQL query. NOTE: the vendor disputes the significance of this issue; however, remote code execution makes the issue important in many realistic environments ** CONTROVERTIDO ** wp-admin/setup-config.php en el componente de instalación de WordPress v3.3.1 y versiones anteriores no garantiza que el servicio de base de datos MySQL especificado sea el apropiado, lo que permite configurar una base de datos de su elección a atacantes remotos a través de los parámetros dbhost y dbname y, posteriormente, realizar una inyección de código estático y ataques de ejecución de comandos en sitios cruzados (XSS) a través de (1) una solicitud HTTP o (2) una consulta MySQL. NOTA: el vendedor se opone a la importancia de esta cuestión, sin embargo, la ejecución de código remoto hace que el problema sea importante en muchos entornos reales. WordPress versions 3.3.1 and below suffer from MySQL username/password disclosure, PHP code execution and cross site scripting vulnerabilities. • https://www.exploit-db.com/exploits/18417 http://archives.neohapsis.com/archives/bugtraq/2012-01/0150.html http://www.exploit-db.com/exploits/18417 https://www.trustwave.com/spiderlabs/advisories/TWSL2012-002.txt •