Page 5 of 26 results (0.003 seconds)

CVSS: 4.6EPSS: 0%CPEs: 47EXPL: 0

Multiple SQL injection vulnerabilities in the admin section in e107 0.7.5 allow remote authenticated administrative users to execute arbitrary SQL commands via the (1) linkopentype, (2) linkrender, (3) link_class, and (4) link_id parameters in (a) links.php; the (5) searchquery parameter in (b) users.php; and the (6) download_category_class parameter in (c) download.php. NOTE: an e107 developer has disputed the significance of the vulnerability, stating that "If your admins are injecting you, you might want to reconsider their access." Múltiples vulnerabilidades de inyección SQL en la sección admin de e107 0.7.5 permite a los usuarios remotos validados ejecutar comandos SQL de su elección a través de los parámetros (1) linkopentype, (2) linkrender, (3) link_class, y (4) link_id en (a) links.php; el parámetro searchquery(5) en (b) users.php; y el parámetro (6) download_category_class en (c) download.php. NOTA: el desarrollador e107 ha discutido sobre el significado de la vulnerabilidad, indicando que “si tus administradores te están inyectando, tú deberías de reconsiderar su acceso". • http://e107.org/e107_plugins/bugtrack/bugtrack.php?id=3195&action=show http://securityreason.com/securityalert/1569 http://www.securityfocus.com/archive/1/445005/100/100/threaded •

CVSS: 4.3EPSS: 1%CPEs: 47EXPL: 4

Multiple cross-site scripting (XSS) vulnerabilities in e107 0.7.5 allow remote attackers to inject arbitrary web script or HTML via the (1) ep parameter to search.php and the (2) subject parameter in comment.php (aka the Subject field when posting a comment). Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en e107 v0.7.5, permiten a atacantes remotos inyectar secuencias de comandos Web o HTML de su elección a través de (1) el parámetro ep en search.php y (2) el parámetro subject de comment.php (también conocido como el campo Subject cuando se añade un comentario). • https://www.exploit-db.com/exploits/28063 https://www.exploit-db.com/exploits/28078 http://secunia.com/advisories/20727 http://securityreason.com/securityalert/1151 http://www.securityfocus.com/archive/1/437649/100/0/threaded http://www.securityfocus.com/bid/18508 http://www.securityfocus.com/bid/18560 http://www.vupen.com/english/advisories/2006/2460 https://exchange.xforce.ibmcloud.com/vulnerabilities/27240 https://exchange.xforce.ibmcloud.com/vulnerabilities/27242 •

CVSS: 5.1EPSS: 2%CPEs: 18EXPL: 0

SQL injection vulnerability in class2.php in e107 0.7.2 and earlier allows remote attackers to execute arbitrary SQL commands via a cookie as defined in $pref['cookie_name']. • http://secunia.com/advisories/20089 http://securityreason.com/securityalert/905 http://www.osvdb.org/25521 http://www.securityfocus.com/archive/1/433938/100/0/threaded http://www.securityfocus.com/bid/17966 http://www.vupen.com/english/advisories/2006/1802 https://exchange.xforce.ibmcloud.com/vulnerabilities/26434 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 4.3EPSS: 0%CPEs: 45EXPL: 0

Multiple cross-site scripting (XSS) vulnerabilities in bbcodes system in e107 before 0.7.2 allow remote attackers to inject arbitrary web script or HTML via unknown attack vectors. • http://e107.org/comment.php?comment.news.776 http://secunia.com/advisories/18816 http://www.securityfocus.com/bid/16614 http://www.vupen.com/english/advisories/2006/0540 https://exchange.xforce.ibmcloud.com/vulnerabilities/24625 •

CVSS: 7.5EPSS: 5%CPEs: 1EXPL: 2

ImageManager in e107 before 0.617 does not properly check the types of uploaded files, which allows remote attackers to execute arbitrary code by uploading a PHP file via the upload parameter to images.php. • https://www.exploit-db.com/exploits/704 http://e107.org/comment.php?comment.news.672 http://secunia.com/advisories/13657 http://securitytracker.com/id?1012657 http://www.osvdb.org/12586 http://www.securityfocus.com/bid/12111 https://exchange.xforce.ibmcloud.com/vulnerabilities/18670 • CWE-434: Unrestricted Upload of File with Dangerous Type •