CVE-2012-5911
https://notcve.org/view.php?id=CVE-2012-5911
Cross-site scripting (XSS) vulnerability in blogs/blog1.php in b2evolution 4.1.3 allows remote attackers to inject arbitrary web script or HTML via the message body. Una vulnerabilidad de ejecución de comandos en sitios cruzados (XSS) en blogs/blog1.php en b2evolution v4.1.3 permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del cuerpo del mensaje. • http://b2evolution.net/news/2012/04/06/b2evolution-4-1-4-stable http://osvdb.org/80672 http://packetstormsecurity.org/files/111294/B2Evolution-CMS-4.1.3-SQL-Injection.html http://vulnerability-lab.com/get_content.php?id=482 http://www.securityfocus.com/bid/52783 https://exchange.xforce.ibmcloud.com/vulnerabilities/74458 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2012-5910
https://notcve.org/view.php?id=CVE-2012-5910
SQL injection vulnerability in blogs/htsrv/viewfile.php in b2evolution 4.1.3 allows remote authenticated users to execute arbitrary SQL commands via the root parameter. Vulnerabilidad de inyección SQL en blogs/htsrv/viewfile.php en b2evolution v4.1.3 permite a usuarios remotos autenticados ejecutar comandos SQL de su elección a través del parámetro root. • http://b2evolution.net/news/2012/04/06/b2evolution-4-1-4-stable http://osvdb.org/80671 http://packetstormsecurity.org/files/111294/B2Evolution-CMS-4.1.3-SQL-Injection.html http://vulnerability-lab.com/get_content.php?id=482 http://www.securityfocus.com/bid/52783 https://exchange.xforce.ibmcloud.com/vulnerabilities/74457 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2011-3709
https://notcve.org/view.php?id=CVE-2011-3709
b2evolution 3.3.3 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by locales/ru_RU/ru-RU.locale.php and certain other files. b2evolution v3.3.3 permite a atacantes remotos obtener información sensible a través de una petición directa a un archivo .php, lo que revela la ruta de instalación en un mensaje de error, como se demostró con locales/ru_RU/ru-RU.locale.php y algunos otros archivos. • http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/%21_README http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/b2evolution-3.3.3 http://www.openwall.com/lists/oss-security/2011/06/27/6 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2009-1657
https://notcve.org/view.php?id=CVE-2009-1657
Multiple SQL injection vulnerabilities in the Starrating plugin before 0.7.7 for b2evolution allow remote attackers to execute arbitrary SQL commands via unspecified vectors. Múltiples vulnerabilidades de inyección de SQL en el plugin Starrating para b2evolution antes de v0.7.7 permiten a atacantes remotos ejecutar comandos SQL a través de vectores no especificados. • http://osvdb.org/54369 http://secunia.com/advisories/35053 http://sourceforge.net/project/shownotes.php?release_id=681352&group_id=160495 http://www.securityfocus.com/bid/34899 https://exchange.xforce.ibmcloud.com/vulnerabilities/50417 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2007-2681
https://notcve.org/view.php?id=CVE-2007-2681
Directory traversal vulnerability in blogs/index.php in b2evolution 1.6 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the core_subdir parameter. Vulnerabilidad de salto de directorio en blogs/index.php en b2evolution 1.6 permite a atacantes remotos incluir y ejecutar archivos locales de su elección a través de la secuencia ..(punto punto) en el parámetro core_subdir. • http://securityreason.com/securityalert/2697 http://www.securityfocus.com/archive/1/465733/100/0/threaded https://exchange.xforce.ibmcloud.com/vulnerabilities/33687 •