CVSS: 2.6EPSS: 4%CPEs: 23EXPL: 3CVE-2012-3952 – phpList 2.10.18 - 'unconfirmed' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2012-3952
Cross-site scripting (XSS) vulnerability in admin/index.php in phpList before 2.10.19 allows remote attackers to inject arbitrary web script or HTML via the unconfirmed parameter to the user page. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en admin/index.php en phpList anterior a v2.10.19 permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro unconfirmed para la página user. phpList version 2.10.18 suffers from cross site scripting and remote SQL injection vulnerabilities. • https://www.exploit-db.com/exploits/37590 http://archives.neohapsis.com/archives/bugtraq/2012-08/0059.html http://osvdb.org/84482 http://secunia.com/advisories/50150 http://www.phplist.com/?lid=579 http://www.securityfocus.com/bid/54887 https://exchange.xforce.ibmcloud.com/vulnerabilities/77526 https://www.htbridge.com/advisory/HTB23100 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 23EXPL: 4CVE-2012-3953 – phpList 2.10.18 - 'index.php' SQL Injection
https://notcve.org/view.php?id=CVE-2012-3953
SQL injection vulnerability in admin/index.php in phpList before 2.10.19 allows remote administrators to execute arbitrary SQL commands via the delete parameter to the editattributes page. Vulnerabilidad de inyección SQL en admin/index.php en phpList anterior a v2.10.19, permite a atacantes remotos ejecutar comandos SQL de su elección a través del parámetro delete para la página editattributes. phpList version 2.10.18 suffers from cross site scripting and remote SQL injection vulnerabilities. • https://www.exploit-db.com/exploits/37613 http://archives.neohapsis.com/archives/bugtraq/2012-08/0059.html http://osvdb.org/84483 http://www.phplist.com/?lid=579 https://exchange.xforce.ibmcloud.com/vulnerabilities/77527 https://www.htbridge.com/advisory/HTB23100 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 4.3EPSS: 0%CPEs: 75EXPL: 1CVE-2011-1682 – phpList 2.10.9 - Cross-Site Request Forgery / Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2011-1682
Multiple cross-site request forgery (CSRF) vulnerabilities in phpList 2.10.13 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) create a list or (2) insert cross-site scripting (XSS) sequences. NOTE: this issue exists because of an incomplete fix for CVE-2011-0748. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. Múltiples vulnerabilidades de falsificación de petición en sitios cruzados (CSRF) en phpList v2.10.13 y anteriores permiten a atacantes remotos secuestras la autenticación de los adminitradores para peticiones que (1) creen una lista o (2) inserten secuencias de comandos en sitios cruzados (XSS). NOTA: esta vulnerabilidad existe por una solución incompleta de CVE-2011-0748. • https://www.exploit-db.com/exploits/18419 http://secunia.com/advisories/44041 https://exchange.xforce.ibmcloud.com/vulnerabilities/66666 https://exchange.xforce.ibmcloud.com/vulnerabilities/66816 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.8EPSS: 0%CPEs: 74EXPL: 2CVE-2011-0748 – phpList 2.10.9 - Cross-Site Request Forgery / Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2011-0748
Multiple cross-site request forgery (CSRF) vulnerabilities in phpList before 2.10.13 allow remote attackers to hijack the authentication of administrators for requests that (1) add or (2) edit administrator accounts. Múltiples vulnerabilidades de falsificación de petición en sitios cruzados (CSRF) en phpList anterior a v2.10.13, permite a atacantes remotos secuestrar la autenticación de administradores para solicitudes que (1) añaden o (2) editan cuentas de administrador. • https://www.exploit-db.com/exploits/18419 http://int21.de/cve/CVE-2011-0748-phplist.html http://osvdb.org/78549 http://secunia.com/advisories/44041 http://securityreason.com/securityalert/8199 http://www.exploit-db.com/exploits/18419 http://www.phplist.com/?lid=516 http://www.securityfocus.com/archive/1/517400/100/0/threaded http://www.securityfocus.com/bid/51681 https://exchange.xforce.ibmcloud.com/vulnerabilities/72746 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.5EPSS: 5%CPEs: 11EXPL: 3CVE-2008-6178 – Falt4 CMS RC4 - 'FCKeditor' Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2008-6178
Unrestricted file upload vulnerability in editor/filemanager/browser/default/connectors/php/connector.php in FCKeditor 2.2, as used in Falt4 CMS, Nuke ET, and other products, allows remote attackers to execute arbitrary code by creating a file with PHP sequences preceded by a ZIP header, uploading this file via a FileUpload action with the application/zip content type, and then accessing this file via a direct request to the file in UserFiles/File/, probably a related issue to CVE-2005-4094. NOTE: some of these details are obtained from third party information. Vulnerabilidad de envío de archivo no restringido en editor/filemanager/browser/default/connectors/php/connector.php en FCKeditor v2.2 en Falt4 CMS, Nuke ET, y otros productos, lo que permite a atacantes remotos ejecutar codigo a su eleccion mediante la creacion de un fichero con secuencias PHP precedidas de un encabezado ZIP, subiendo este fichero a traves la accion FileUpload, y despues accediendo al fichero a traves de una peticion directa del fichero en UserFiles/File/, probablemente relacionado con CVE-2005-4094. NOTA: Algunos detalles fueron obtenidos de una tercera parte. • https://www.exploit-db.com/exploits/8060 https://www.exploit-db.com/exploits/6783 http://secunia.com/advisories/33973 http://www.securityfocus.com/bid/31812 http://www.vupen.com/english/advisories/2009/0447 https://exchange.xforce.ibmcloud.com/vulnerabilities/48769 • CWE-94: Improper Control of Generation of Code ('Code Injection') •