
CVE-2019-11198
https://notcve.org/view.php?id=CVE-2019-11198
05 Aug 2019 — Multiple cross-site scripting (XSS) vulnerabilities in Sitecore CMS 9.0.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) #300583 - List Manager Dashboard module, (2) #307638 - Campaign Creator module, (3) #316994 - Attributes field, (4) I#316995 - Icon Selection module, (5) #317000 - Latitude field, (6) #317000 - Longitude field, (7) #317017 - UploadPackage2.aspx module, (8) #317072 - Context menu, or (9) I#317073 - Insert from Template dialog. • https://dev.sitecore.net/Downloads/Sitecore%20Experience%20Platform/92/Sitecore%20Experience%20Platform%2092%20Initial%20Release/Release%20Notes • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2019-9875 – Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability
https://notcve.org/view.php?id=CVE-2019-9875
31 May 2019 — Deserialization of Untrusted Data in the anti CSRF module in Sitecore through 9.1 allows an authenticated attacker to execute arbitrary code by sending a serialized .NET object in an HTTP POST parameter. Sitecore CMS and Experience Platform (XP) contain a deserializatio... • https://dev.sitecore.net/Downloads.aspx • CWE-502: Deserialization of Untrusted Data

CVE-2019-9874 – Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability
https://notcve.org/view.php?id=CVE-2019-9874
31 May 2019 — Deserialization of Untrusted Data in the Sitecore.Security.AntiCSRF (aka anti CSRF) module in Sitecore CMS 7.0 to 7.2 and Sitecore XP 7.5 to 8.2 allows an unauthenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN. • https://dev.sitecore.net/Downloads.aspx • CWE-502: Deserialization of Untrusted Data

CVE-2017-11439
https://notcve.org/view.php?id=CVE-2017-11439
19 Jul 2017 — In Sitecore 8.2, there is reflected XSS in the shell/Applications/Tools/Run Program parameter. • https://packetstormsecurity.com/files/143357/Sitecore-CMS-8.2-Cross-Site-Scripting-File-Disclosure.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2017-11440
https://notcve.org/view.php?id=CVE-2017-11440
19 Jul 2017 — In Sitecore 8.2, there is absolute path traversal via the shell/Applications/Layouts/IDE.aspx fi parameter and the admin/LinqScratchPad.aspx Reference parameter. • https://packetstormsecurity.com/files/143357/Sitecore-CMS-8.2-Cross-Site-Scripting-File-Disclosure.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2014-100004
https://notcve.org/view.php?id=CVE-2014-100004
13 Jan 2015 — Cross-site scripting (XSS) vulnerability in Sitecore CMS before 7.0 Update-4 (rev. 140120) allows remote attackers to inject arbitrary web script or HTML via the xmlcontrol parameter to the default URI. NOTE: some of these details are obtained from third party information. • http://osvdb.org/102660 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2012-5919 – Havalite CMS 1.0.4 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2012-5919
19 Nov 2012 — Multiple cross-site scripting (XSS) vulnerabilities in Havalite 1.0.4 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) find or (2) replace fields to havalite/findReplace.php; (3) username parameter to havalite/hava_login.php, (4) the Edit Article module, or (5) hava_post.php in the postAuthor module; (6) postId parameter to hava_post.php; (7) userId parameter to hava_user.php; or (8) linkId parameter to hava_link.php. • https://www.exploit-db.com/exploits/18772 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2012-5892
https://notcve.org/view.php?id=CVE-2012-5892
17 Nov 2012 — Havalite CMS 1.1.0 and earlier stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the configuration database via a direct request for data/havalite.db3. • http://osvdb.org/80770 • CWE-264: Permissions, Privileges, and Access Controls

CVE-2012-5893
https://notcve.org/view.php?id=CVE-2012-5893
17 Nov 2012 — Unrestricted file upload vulnerability in hava_upload.php in Havalite CMS 1.1.0 and earlier allows remote attackers to execute arbitrary code by uploading a file with a .php;.gif extension, then accessing it via a direct request to the file in tmp/files/. • http://osvdb.org/80768

CVE-2012-5894 – Havalite CMS 1.0.4 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2012-5894
17 Nov 2012 — SQL injection vulnerability in hava_post.php in Havalite CMS 1.1.0 and earlier allows remote attackers to execute arbitrary SQL commands via the postId parameter. • https://www.exploit-db.com/exploits/18772 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')