
CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 0

Multiple cross-site scripting (XSS) vulnerabilities in the file types table in b2evolution through 6.8.3 allow remote authenticated users to inject arbitrary web script or HTML via a .swf file in a (1) comment frame or (2) avatar frame.

References:
• http://www.securityfocus.com/bid/95452
• https://github.com/b2evolution/b2evolution/commit/261dbd5b294e707af766691e65a177a290314a6e
• https://github.com/b2evolution/b2evolution/issues/34

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
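The entry above is about a file type that should never be embeddable inline in a comment or avatar frame: a Flash (.swf) file rendered from the site's origin can run script with that origin's cookies. The following is an added, illustrative upload gate written for this page; it is not b2evolution's code and does not reproduce its file types table. The allowed-extension set, the magic-byte table, the function names and the sample inputs are all constructed for the example. It rejects .swf by extension, and also rejects SWF content that has been renamed to an image extension, since SWF files begin with one of the signatures FWS (uncompressed), CWS (zlib) or ZWS (LZMA).

```python
"""Upload-type gate for avatar/comment attachments (illustrative, not b2evolution code)."""
from __future__ import annotations

import os

# Constructed policy: only these image types may be embedded inline in a
# comment or avatar frame. Anything else is refused, whatever its name.
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}
ALLOWED_EXTS = {".png", ".jpg", ".jpeg", ".gif"}

# Flash files start with FWS (uncompressed), CWS (zlib) or ZWS (LZMA).
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")


def sniff(data: bytes) -> str | None:
    """Return the MIME type whose signature the content starts with, or None."""
    for magic, mime in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def is_swf(data: bytes) -> bool:
    """True if the content is a Flash movie, regardless of the file name."""
    return data[:3] in SWF_MAGIC


def check_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Decide whether an upload may be used inline; returns (allowed, reason_or_mime).

    Extension and content are checked independently: a .swf name is refused
    outright, and SWF bytes renamed to avatar.png are refused by signature.
    """
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXTS:
        return False, f"extension {ext!r} is not allowed in inline frames"
    if is_swf(data):
        return False, "content is a Flash (SWF) file"
    mime = sniff(data)
    if mime is None:
        return False, "content does not match an allowed image type"
    return True, mime


if __name__ == "__main__":
    # Constructed sample inputs.
    print(check_upload("avatar.swf", b"CWS\x0a\x00\x00\x00\x00"))
    print(check_upload("avatar.png", b"FWS\x08\x00\x00\x00\x00"))
    print(check_upload("avatar.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16))
```

Even with this gate, user-supplied files should be served from a separate origin (or with Content-Disposition: attachment and X-Content-Type-Options: nosniff) so that a file which slips through cannot execute in the application's origin.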

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

The "lost password" functionality in b2evolution before 6.7.9 allows remote attackers to reset arbitrary user passwords via a crafted request.

References:
• http://b2evolution.net/downloads/6-7-9-stable
• http://www.securityfocus.com/bid/95006
• http://www.securitytracker.com/id/1037393
• https://github.com/b2evolution/b2evolution/issues/33

CWE-255: Credentials Management Errors

CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 4

Cross-site scripting (XSS) vulnerability in the filemanager in b2evolution before 5.2.1 allows remote attackers to inject arbitrary web script or HTML via the fm_filter parameter to blogs/admin.php.

References:
• http://b2evolution.net/downloads/5-2-1-stable
• http://packetstormsecurity.com/files/129940/CMS-b2evolution-5.2.0-Cross-Site-Scripting.html
• http://seclists.org/fulldisclosure/2015/Jan/48
• http://sroesemann.blogspot.de/2014/12/sroeadv-2014-09.html
• http://sroesemann.blogspot.de/2015/01/report-for-advisory-sroeadv-2014-09.html
• http://www.securityfocus.com/bid/72052
• https://exchange.xforce.ibmcloud.com/vulnerabilities/99891
• https://twitter.com/SecLists/status/554937224366546944

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
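A reflected XSS of this shape arises when a filter string such as fm_filter is echoed back into the file manager's form without output encoding. The snippet below is an added example written for this page, not b2evolution's code; the rendering functions, the input element and the payload string are constructed, and the only name taken from the entry is the fm_filter parameter. It shows the vulnerable pattern beside the fixed one: in an attribute context the value must be HTML-encoded with quotes included, otherwise a leading `">` closes the attribute and the tag.

```python
"""Reflected parameter rendering, vulnerable and fixed (illustrative, not b2evolution's code)."""
import html

# Constructed attacker value for the fm_filter parameter: it closes the
# value="..." attribute and the input tag, then injects a script element.
PAYLOAD = '"><script>alert(document.domain)</script>'


def render_filter_unsafe(fm_filter: str) -> str:
    """Vulnerable pattern: the query parameter is echoed verbatim into the form."""
    return f'<input type="text" name="fm_filter" value="{fm_filter}">'


def render_filter_safe(fm_filter: str) -> str:
    """Fixed pattern: encode for HTML attribute context.

    html.escape with quote=True turns &, <, >, " and ' into entities, so the
    value can never terminate the attribute it is placed in.
    """
    return f'<input type="text" name="fm_filter" value="{html.escape(fm_filter, quote=True)}">'


def has_script_element(markup: str) -> bool:
    """Crude check used only to contrast the two renderings in this example."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print(render_filter_unsafe(PAYLOAD))
    print(render_filter_safe(PAYLOAD))
```

Encoding must match the output context: the attribute encoding above is not sufficient if the same value is later placed inside a `<script>` block or a URL, which need JavaScript-string or URL encoding respectively.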

CVSS: 6.8 | EPSS: 0% | CPEs: 7 | EXPL: 3

Cross-site request forgery (CSRF) vulnerability in blogs/admin.php in b2evolution before 4.1.7 allows remote attackers to hijack the authentication of administrators for requests that conduct SQL injection attacks via the show_statuses[] parameter, related to CVE-2013-2945.

References:
• http://archives.neohapsis.com/archives/bugtraq/2013-05/0004.html
• http://b2evolution.net/news/2013/04/29/b2evolution-4-1-7-and-5-0-3
• http://osvdb.org/show/osvdb/92906
• http://packetstormsecurity.com/files/121481/b2evolution-4.1.6-SQL-Injection.html
• https://www.htbridge.com/advisory/HTB23152

CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 6.5 | EPSS: 0% | CPEs: 7 | EXPL: 5

SQL injection vulnerability in blogs/admin.php in b2evolution before 4.1.7 allows remote authenticated administrators to execute arbitrary SQL commands via the show_statuses[] parameter. NOTE: this can be leveraged using CSRF to allow remote unauthenticated attackers to execute arbitrary SQL commands. b2evolution version 4.1.6 suffers from remote SQL injection and cross site request forgery vulnerabilities.

References:
• https://www.exploit-db.com/exploits/25298
• http://archives.neohapsis.com/archives/bugtraq/2013-05/0004.html
• http://b2evolution.net/news/2013/04/29/b2evolution-4-1-7-and-5-0-3
• http://osvdb.org/92905
• http://packetstormsecurity.com/files/121481/b2evolution-4.1.6-SQL-Injection.html
• http://www.securityfocus.com/bid/59599
• https://exchange.xforce.ibmcloud.com/vulnerabilities/83950
• https://www.htbridge.com/advisory/HTB23152

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')