CVE-2018-5214 – Add Link to Facebook <= 2.3 - Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2018-5214
The "Add Link to Facebook" plugin through 2.3 for WordPress has XSS via the al2fb_facebook_id parameter to wp-admin/profile.php. El plugin Add Link to Facebook hasta la versión 2.3 para WordPress tiene Cross-Site Scripting (XSS) mediante el parámetro al2fb_facebook_id en wp-admin/profile.php. The Add Link to Facebook plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘al2fb_facebook_id’ parameter in versions up to, and including, 2.3 due to insufficient input sanitization and output escaping. This makes it possible for attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://github.com/d4wner/Vulnerabilities-Report/blob/master/Add-Link-to-Facebook.md https://wordpress.org/support/topic/stored-xss-bug-at-the-latest-version-of-add-link-to-facebook • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2017-17615 – Facebook Clone Script 1.0 - 'id' / 'send' SQL Injection
https://notcve.org/view.php?id=CVE-2017-17615
Facebook Clone Script 1.0 has SQL Injection via the friend-profile.php id parameter. Facebook Clone Script 1.0 tiene una inyección SQL mediante el parámetro id en friend-profile.php. • https://www.exploit-db.com/exploits/43280 https://packetstormsecurity.com/files/145320/Facebook-Clone-Script-1.0-SQL-Injection.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2015-3390
https://notcve.org/view.php?id=CVE-2015-3390
Cross-site scripting (XSS) vulnerability in the Facebook Album Fetcher module for Drupal allows remote authenticated users with the "access administration pages" permission to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de XSS en el módulo Facebook Album Fetcher para Drupal permite a usuarios remotos autenticados con el permiso 'acceder a las páginas de administración' inyectar secuencias de comandos web o HTML a través de vectores no especificados. • http://www.openwall.com/lists/oss-security/2015/02/05/16 http://www.securityfocus.com/bid/72570 https://exchange.xforce.ibmcloud.com/vulnerabilities/100655 https://www.drupal.org/node/2420161 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2014-9524 – Easy Social Like Box – Popup – Sidebar Widget < 2.8.3 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2014-9524
Multiple cross-site request forgery (CSRF) vulnerabilities in the Facebook Like Box (cardoza-facebook-like-box) plugin before 2.8.3 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) change plugin settings via unspecified vectors or conduct cross-site scripting (XSS) attacks via the (2) frm_title, (3) frm_url, (4) frm_border_color, (5) frm_width, or (6) frm_height parameter in the slug_for_fb_like_box page to wp-admin/admin.php. Múltiples vulnerabilidades de CSRF en el plugin Facebook Like Box (cardoza-facebook-like-box) anterior a 2.8.3 para WordPress permiten a atacantes remotos secuestrar la autenticación de administradores para solicitudes que (1) cambian las configuraciones de plugins a través de vectores no especificados o realizan ataques de XSS a través del parámetro (2) frm_title, (3) frm_url, (4) frm_border_color, (5) frm_width, o (6) frm_height en la página slug_for_fb_like_box en wp-admin/admin.php. • http://packetstormsecurity.com/files/129506/WordPress-Facebook-Like-Box-2.8.2-CSRF-XSS.html http://secunia.com/advisories/61557 https://wordpress.org/plugins/cardoza-facebook-like-box/changelog • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2014-7376
https://notcve.org/view.php?id=CVE-2014-7376
The Facebook Profits on Steroids (aka com.wFacebookProfitsonSteroids) application 0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. La aplicación para Facebook Profits on Steroids (también conocida como com.wFacebookProfitsonSteroids ) 0.1 no verifica los certificados X.509 de los servidores SSL, lo que permite a atacantes man-in-the-middle suplantar servidores y obtener información sensible a través de un certificado manipulado. • http://www.kb.cert.org/vuls/id/383529 http://www.kb.cert.org/vuls/id/582497 https://docs.google.com/spreadsheets/d/1t5GXwjw82SyunALVJb2w0zi3FoLRIkfGPc7AMjRF0r4/edit?usp=sharing • CWE-310: Cryptographic Issues •