Page 4 of 43 results (0.013 seconds)

CVSS: 6.8EPSS: 1%CPEs: 14EXPL: 0

Gallery 1.5.x before 1.5.10 and 1.6 before 1.6-RC3, when register_globals is enabled, allows remote attackers to bypass authentication and gain administrative via unspecified cookies. NOTE: some of these details are obtained from third party information. Gallery 1.5.x antes de la versión 1.5.10 y 1.6 antes de 1.6 RC3, permite a atacantes remotos eludir el proceso de autenticación y obtener permisos de administración, cuando register_globals esté activado, a través de "cookies" no especificadas. NOTA: Algunos de estos detalles se obtienen a partir de información de terceros. • http://gallery.menalto.com/last_official_G1_releases http://osvdb.org/50089 http://secunia.com/advisories/32817 http://www.securityfocus.com/bid/32440 https://exchange.xforce.ibmcloud.com/vulnerabilities/46804 • CWE-287: Improper Authentication •

CVSS: 6.8EPSS: 0%CPEs: 7EXPL: 2

Directory traversal vulnerability in index.php in Crux Gallery 1.32 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the theme parameter. Vulnerabilidad de salto de directorio en el archivo index.php en Crux Gallery 1.32 y versiones anteiores, cuando magic_quotes_gpc es deshabiitado, permite a los atacantes remotos incluir y ejecutar arbitrariamente archivos locales a través de .. (punto punto) en el parámetro theme. • https://www.exploit-db.com/exploits/6645 http://secunia.com/advisories/32058 http://securityreason.com/securityalert/4366 http://www.securityfocus.com/bid/31516 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 6.8EPSS: 6%CPEs: 7EXPL: 1

main.php in Crux Gallery 1.32 and earlier allows remote attackers to gain administrative access by setting the name parameter to "users," as demonstrated via index.php. main.php en Crux Gallery 1.32 y versiones anteriores, supone que el usuario es un administrador, si el nombre del parámetro no es "users", el cual permite a los atacantes remotos obtener acceso como administrador, estableciendo el nombre del parámetro a "users", como se demuestra a través de index.php. • https://www.exploit-db.com/exploits/6586 http://secunia.com/advisories/32058 http://securityreason.com/securityalert/4365 http://www.attrition.org/pipermail/vim/2008-October/002083.html http://www.securityfocus.com/archive/1/496763/100/0/threaded http://www.securityfocus.com/bid/31430 https://exchange.xforce.ibmcloud.com/vulnerabilities/45443 • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 4.0EPSS: 0%CPEs: 7EXPL: 0

Gallery before 1.5.9, and 2.x before 2.2.6, does not properly handle ZIP archives containing symbolic links, which allows remote authenticated users to conduct directory traversal attacks and read arbitrary files via vectors related to the archive upload (aka zip upload) functionality. Gallery, versiones anteriores a 1.5.9, y 2.x y versiones anteriores a 2.2.6, no trata adecuadamente archivos ZIP que contienen enlaces simbólicos, el cual permite a los usuarios remotos autentificados manejar los ataques de salto de directorio y leer archivos arbitrariamente a través de vectores relativos a el fichero cargado funcionalmente (alias zip cargado). • http://gallery.menalto.com/gallery_1.5.9_released http://gallery.menalto.com/gallery_2.2.6_released http://secunia.com/advisories/31912 http://secunia.com/advisories/32662 http://secunia.com/advisories/33144 http://security.gentoo.org/glsa/glsa-200811-02.xml http://www.securityfocus.com/bid/31231 https://exchange.xforce.ibmcloud.com/vulnerabilities/45228 https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00794.html https://www.redhat.com/archives/fedora-package& • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 4.3EPSS: 0%CPEs: 6EXPL: 0

Cross-site scripting (XSS) vulnerability in Gallery 2.x before 2.2.6 allows remote attackers to inject arbitrary web script or HTML via a crafted Flash animation, related to the ability of the animation to "interact with the embedding page." Vulnerabilidad de secuencias de comandos en sitios cruzados - XSS en Gallery 2.x y versiones anteriores a 2.2.6 que permite a los atacantes remotos inyectar una secuencia de comandos web o HTML arbitrarios a través de una animación Flash manitulada, en relación a la habilidad de la animación a "interactuar con la página incrustada" • http://gallery.menalto.com/gallery_2.2.6_released http://secunia.com/advisories/31858 http://secunia.com/advisories/32662 http://secunia.com/advisories/33144 http://security.gentoo.org/glsa/glsa-200811-02.xml http://www.securityfocus.com/bid/31231 https://exchange.xforce.ibmcloud.com/vulnerabilities/45227 https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00794.html https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00832.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •