CVE-2012-4902 – Template CMS 2.1.1 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2012-4902
Multiple cross-site request forgery (CSRF) vulnerabilities in Template CMS 2.1.1 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) create an administrator user via an add action to admin/index.php or (2) conduct static PHP code injection attacks via the themes_editor parameter in an edit_template action to admin/index.php. Múltiples vulnerabilidades de CSRF en Template CMS 2.1.1 y anteriores permiten a atacantes remotos secuestrar la autenticación de administradores para solicitudes que (1) crean un usuario de administración a través de una acción de añadir en admin/index.php o (2) realizan ataques de inyección de código PHP estáticos a través del parámetro themes_editor en una acción edit_template en admin/index.php. Template CMS version 2.1.1 suffers from cross site request forgery and cross site scripting vulnerabilities. • https://www.exploit-db.com/exploits/21742 http://osvdb.org/85896 http://www.securityfocus.com/bid/55766 https://www.htbridge.com/advisory/HTB23115 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2012-1834 – CMS Tree Page View < 0.8.9 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2012-1834
Cross-site scripting (XSS) vulnerability in the cms_tpv_admin_head function in functions.php in the CMS Tree Page View plugin before 0.8.9 for WordPress allows remote attackers to inject arbitrary web script or HTML via the cms_tpv_view parameter to wp-admin/options-general.php. Vulnerabilidad de XSS en la función cms_tpv_admin_head en functions.php en el plugin CMS Tree Page View anterior a 0.8.9 para WordPress permite a atacantes remotos inyectar script Web o HTML arbitrarios a través del parámetro cms_tpv_view hacia wp-admin/options-general.php. • http://plugins.trac.wordpress.org/changeset/523576/cms-tree-page-view http://secunia.com/advisories/48510 http://wordpress.org/extend/plugins/cms-tree-page-view/changelog http://www.osvdb.org/80573 http://www.securityfocus.com/bid/52708 https://exchange.xforce.ibmcloud.com/vulnerabilities/74337 https://www.htbridge.com/advisory/HTB23083 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2009-3597 – Digitaldesign CMS 0.1 - Remote Database Disclosure
https://notcve.org/view.php?id=CVE-2009-3597
Digitaldesign CMS 0.1 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the database file via a direct request for autoconfig.dd. Digitaldesign CMS v0.1 guarda información sensible en el directorio web raíz con insuficiente control de acceso, lo que permite a los atacantes remotos descargar el fichero de la base de datos a través de una petición directa a autoconfig.dd. • https://www.exploit-db.com/exploits/9115 http://www.exploit-db.com/exploits/9115 https://exchange.xforce.ibmcloud.com/vulnerabilities/51676 • CWE-552: Files or Directories Accessible to External Parties •
CVE-2009-1480 – Pragyan CMS 2.6.4 - Multiple SQL Injections
https://notcve.org/view.php?id=CVE-2009-1480
SQL injection vulnerability in index.php Pragyan CMS 2.6.4 allows remote attackers to execute arbitrary SQL commands via the fileget parameter in a view action and other unspecified vectors. Vulnerabilidad de inyección SQL en index.php en Pragyan CMS v2.6.4 permite a atacantes remotos ejecutar comandos SQL a través del parámetro fileget en una acción de vista y otros vectores no especificados. • https://www.exploit-db.com/exploits/8533 http://www.securityfocus.com/archive/1/502933/100/0/threaded http://www.securityfocus.com/bid/34707 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2008-0141 – WebPortal CMS 0.6-beta - Remote Password Change
https://notcve.org/view.php?id=CVE-2008-0141
actions.php in WebPortal CMS 0.6-beta generates predictable passwords containing only the time of day, which makes it easier for remote attackers to obtain access to any account via a lostpass action. actions.php de WebPortal CMS 0.6-beta genera contraseñas predecibles conteniendo sólo la hora del día, lo cual facilita a atacantes remotos obtener acceso a cualquier cuenta mediante una acción lostpass. • https://www.exploit-db.com/exploits/4835 http://www.securityfocus.com/bid/27145 https://exchange.xforce.ibmcloud.com/vulnerabilities/39486 • CWE-330: Use of Insufficiently Random Values •