CVE-2014-4734 – e107 2.0 alpha2 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2014-4734
Cross-site scripting (XSS) vulnerability in e107_admin/db.php in e107 2.0 alpha2 and earlier allows remote attackers to inject arbitrary web script or HTML via the type parameter. Vulnerabilidad de XSS en e107_admin/db.php en e107 2.0 alpha2 y anteriores permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro type. e107 version 2.0 alpha2 suffers from a reflective cross site scripting vulnerability. • http://packetstormsecurity.com/files/127499/e107-2.0-alpha2-Cross-Site-Scripting.html http://www.securityfocus.com/archive/1/532801/100/0/threaded http://www.securityfocus.com/bid/68674 https://github.com/e107inc/e107/commit/f80e417bb3e7ab5c1a89ea9ddd2cd060f54464e1 https://www.htbridge.com/advisory/HTB23220 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2013-7305
https://notcve.org/view.php?id=CVE-2013-7305
fpw.php in e107 through 1.0.4 does not check the user_ban field, which makes it easier for remote attackers to reset passwords by sending a pwsubmit request and leveraging access to the e-mail account of a banned user. fpw.php en e107 hasta la versión 1.0.4 no comprueba el campo user_ban, lo que hace más fácil para atacantes remotos restablecer contraseñas mediante el envío de una petición pwsubmit y aprovechando el acceso a la cuenta de email de un usuario baneado. • http://sourceforge.net/p/e107/svn/13114 • CWE-255: Credentials Management Errors •
CVE-2013-2750 – e107 - 'content_preset.php' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2013-2750
Cross-site scripting (XSS) vulnerability in e107_plugins/content/handlers/content_preset.php in e107 before 1.0.3 allows remote attackers to inject arbitrary web script or HTML via the query string. Vulnerabilidad de XSS en e107_plugins/content/handlers/content_preset.php de e107 anterior a la versión 1.0.3 permite a atacantes remotos inyectar script Web o HTML arbitrario a través de una cadena de consulta. e107 CMS version 1.0.2 suffers from a reflective cross site scripting vulnerability. • https://www.exploit-db.com/exploits/38416 http://sourceforge.net/p/e107/svn/13079 http://www.securityfocus.com/archive/1/526168 https://www.secuvera.de/advisories/TC-SA-2013-01.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2012-6433 – e107 1.0.1 - Arbitrary JavaScript Execution (via Cross-Site Request Forgery)
https://notcve.org/view.php?id=CVE-2012-6433
Cross-site request forgery (CSRF) vulnerability in e107_admin/newspost.php in e107 1.0.1 allows remote attackers to hijack the authentication of administrators for requests that conduct XSS attacks via the news_title parameter in a create action. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en e107_admin/download.php en e107 v1.0.1 permite a atacantes remotos secuestrar la autenticación de los administradores de las peticiones que realizan los ataques XSS a través del parámetro news_title en una acción create. e107 version 1.0.1 suffers from a cross site request forgery vulnerability that results in arbitrary javascript execution. • https://www.exploit-db.com/exploits/23828 http://e107.org/changelog http://e107.svn.sourceforge.net/viewvc/e107/trunk/e107_0.7/e107_admin/newspost.php?sortdir=down&r1=12622&r2=12992&sortby=rev http://www.exploit-db.com/exploits/23828 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2012-6434 – e107 1.0.2 - SQL Injection (via Cross-Site Request Forgery)
https://notcve.org/view.php?id=CVE-2012-6434
Multiple cross-site request forgery (CSRF) vulnerabilities in e107_admin/download.php in e107 1.0.2 allow remote attackers to hijack the authentication of administrators for requests that conduct SQL injection attacks via the (1) download_url, (2) download_url_extended, (3) download_author_email, (4) download_author_website, (5) download_image, (6) download_thumb, (7) download_visible, or (8) download_class parameter. Múltiples vulnerabilidades de fasificación de peticiones en sitios cruzados (CSRF) en e107_admin/download.php en e107 v1.0.2 permite a atacantes remotos secuestrar la autenticación de los administradores de las peticiones que realizan los ataques de inyección SQL a través del parámetro (1) download_url, (2) download_url_extended, (3) download_author_email, (4) download_author_website, (5) download_image, (6) download_thumb, (7) download_visible, o (8) download_class parameter. e107 version 1.0.2 suffers from a cross site request forgery vulnerability that results in SQL injection. • https://www.exploit-db.com/exploits/23829 http://e107.org/changelog http://e107.svn.sourceforge.net/viewvc/e107/trunk/e107_0.7/e107_admin/download.php?sortdir=down&r1=13037&r2=13058&sortby=rev http://www.exploit-db.com/exploits/23829 • CWE-352: Cross-Site Request Forgery (CSRF) •