Page 43 of 301 results (0.012 seconds)

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1

Open redirect vulnerability in wp-admin/upgrade.php in WordPress, probably 2.6.x, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the backto parameter. Vulnerabilidad de redirección abierta en wp-admin/upgrade.php en WordPress, probablemente v2.6.x, permite a atacantes remotos redirigir a los usuarios a sitios Web a su elección y llevar a cabo ataques de phishing a través de una URL en el parámetro backto. • http://archives.neohapsis.com/archives/bugtraq/2008-12/0226.html http://osvdb.org/52213 http://www.debian.org/security/2009/dsa-1871 https://exchange.xforce.ibmcloud.com/vulnerabilities/50382 • CWE-59: Improper Link Resolution Before File Access ('Link Following') CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •

CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1

wp-admin/upgrade.php in WordPress, probably 2.6.x, allows remote attackers to upgrade the application, and possibly cause a denial of service (application outage), via a direct request. wp-admin/upgrade.php en WordPress, probablemente v2.6.x, permite a atacantes remotos actualizar la aplicación, y posiblemente causar una denegación de servicio (caída de la aplicación), a través de una solicitud directa. wp-admin/upgrade.php in WordPress up to and including 2.6.1, allows remote attackers to upgrade the application, and possibly cause a denial of service (application outage), via a direct request if WordPress is not yet setup by creating an empty database, which will prevent future installations from succeeding. • http://archives.neohapsis.com/archives/bugtraq/2008-12/0226.html http://www.debian.org/security/2009/dsa-1871 https://exchange.xforce.ibmcloud.com/vulnerabilities/50384 • CWE-400: Uncontrolled Resource Consumption •

CVSS: 7.2EPSS: 43%CPEs: 74EXPL: 1

Cross-site scripting (XSS) vulnerability in the self_link function in in the RSS Feed Generator (wp-includes/feed.php) for WordPress before 2.6.5 allows remote attackers to inject arbitrary web script or HTML via the Host header (HTTP_HOST variable). Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en la función self_link en el RSS Feed Generator (wp-includes/feed.php) para WordPress versiones anteriores a v2.6.5 permite a atacantes remotos inyectar web script o HTML de su elección a través de una cabecera Host (variable HTTP_HOST). • http://osvdb.org/50214 http://secunia.com/advisories/32882 http://secunia.com/advisories/32966 http://securityreason.com/securityalert/4662 http://wordpress.org/development/2008/11/wordpress-265 http://www.securityfocus.com/archive/1/498652 http://www.securityfocus.com/bid/32476 https://exchange.xforce.ibmcloud.com/vulnerabilities/46882 https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00000.html https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.0EPSS: 0%CPEs: 1EXPL: 0

WordPress 2.6.3 relies on the REQUEST superglobal array in certain dangerous situations, which makes it easier for remote attackers to conduct delayed and persistent cross-site request forgery (CSRF) attacks via crafted cookies, as demonstrated by attacks that (1) delete user accounts or (2) cause a denial of service (loss of application access). NOTE: this issue relies on the presence of an independent vulnerability that allows cookie injection. WordPress 2.6.3 se basa en el array superglobal REQUEST en algunas situaciones peligrosas, lo cual facilita a los atacantes remotos a llevar a cabo ataques de falsificación de petición en sitios cruzados tanto persistentes como retardados a través de "cookies" modificadas a mano, como lo demuestran los ataques que (1) eliminan cuentas de usuario o (2) provocan una denegación de servicio (pérdida de acceso a la aplicación). NOTA: Este problema se basa en la presencia de una vulnerabilidad independiente que permite la inyección de cookies. • http://bugs.debian.org/504771 http://openwall.com/lists/oss-security/2008/11/14/1 http://www.debian.org/security/2009/dsa-1871 https://exchange.xforce.ibmcloud.com/vulnerabilities/46698 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 10.0EPSS: 1%CPEs: 5EXPL: 0

The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3 and earlier, as used in (1) ampache, (2) libphp-snoopy, (3) mahara, (4) mediamate, (5) opendb, (6) pixelpost, and possibly other products, allows remote attackers to execute arbitrary commands via shell metacharacters in https URLs. La función _httpsrequest function (Snoopy/Snoopy.class.php) en Snoopy 1.2.3 y versiones anteriores, cuando es usada en (1) ampache, (2) libphp-snoopy, (3) mahara, (4) mediamate, (5) opendb, (6) pixelpost y posiblemente otros productos, permite a atacantes remotos ejecutar comandos arbitrarios a través de metacarácteres shell en URLs https. Feed2JS uses MagpieRSS for parsing the feeds, and MagpieRSS uses Snoopy library for fetching the documents. The version of Snoopy in use suffers from a local file disclosure vulnerability. • http://jvn.jp/en/jp/JVN20502807/index.html http://jvndb.jvn.jp/ja/contents/2008/JVNDB-2008-000074.html http://secunia.com/advisories/32361 http://sourceforge.net/forum/forum.php?forum_id=879959 http://www.debian.org/security/2008/dsa-1691 http://www.debian.org/security/2009/dsa-1871 http://www.openwall.com/lists/oss-security/2008/11/01/1 http://www.securityfocus.com/archive/1/496068/100/0/threaded http://www.securityfocus.com/bid/31887 http://www.vupen • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •