CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2013-4891
https://notcve.org/view.php?id=CVE-2013-4891
The xss_clean function in CodeIgniter before 2.1.4 might allow remote attackers to bypass an intended protection mechanism and conduct cross-site scripting (XSS) attacks via an unclosed HTML tag. La función xss_clean en CodeIgniter, en versiones anteriores a la 2.1.4, podría permitir que atacantes remotos omitan un mecanismo de protección planeado y lleven a cabo ataques de Cross-Site Scripting (XSS) mediante unaetiqueta HTML no cerrada. • https://github.com/bcit-ci/CodeIgniter/issues/4020 https://nealpoole.com/blog/2013/07/codeigniter-21-xss-clean-filter-bypass https://www.codeigniter.com/userguide2/changelog.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2017-1000247
https://notcve.org/view.php?id=CVE-2017-1000247
British Columbia Institute of Technology CodeIgniter 3.1.3 is vulnerable to HTTP Header Injection in the set_status_header() common function under Apache resulting in HTTP Header Injection flaws. British Columbia Institute of Technology CodeIgniter 3.1.3 es vulnerable a la inyección de cabeceras HTTP en la función común set_status_header() en Apache, provocando errores de inyección de cabeceras HTTP. • https://www.codeigniter.com/userguide3/changelog.html#version-3-1-4 • CWE-20: Improper Input Validation •
CVSS: 9.8EPSS: 4%CPEs: 1EXPL: 0CVE-2016-10131
https://notcve.org/view.php?id=CVE-2016-10131
system/libraries/Email.php in CodeIgniter before 3.1.3 allows remote attackers to execute arbitrary code by leveraging control over the email->from field to insert sendmail command-line arguments. system/libraries/Email.php en CodeIgniter en versiones anteriores 3.1.3 permite a atacantes remotos ejecutar código arbitrario aprovechando el control sobre el campo email->from para insertar argumentos de linea de comando sendmail. • http://www.securityfocus.com/bid/96851 https://gist.github.com/Zenexer/40d02da5e07f151adeaeeaa11af9ab36 https://github.com/bcit-ci/CodeIgniter/issues/4963 https://github.com/bcit-ci/CodeIgniter/pull/4966 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 1CVE-2014-8684 – Seagate Business NAS - Remote Command Execution
https://notcve.org/view.php?id=CVE-2014-8684
CodeIgniter before 3.0 and Kohana 3.2.3 and earlier and 3.3.x through 3.3.2 make it easier for remote attackers to spoof session cookies and consequently conduct PHP object injection attacks by leveraging use of standard string comparison operators to compare cryptographic hashes. CodeIgniter antes de la versión 3.0 y Kohana 3.2.3 y anteriores y en versiones 3.3.x hasta la 3.3.2 facilita que los atacantes remotos suplanten cookies de sesión y lleven a cabo ataques de inyección de objetos PHP. Esto se realizaría por medio de operadores estándar de comparación de strings para comparar hashes criptográficos. • https://www.exploit-db.com/exploits/36264 http://packetstormsecurity.com/files/130609/Seagate-Business-NAS-Unauthenticated-Remote-Command-Execution.html http://seclists.org/fulldisclosure/2014/May/54 https://github.com/kohana/core/pull/492 https://scott.arciszewski.me/research/full/php-framework-timing-attacks-object-injection http://www.seagate.com/au/en/support/external-hard-drives/network-storage/business-storage-2-bay-nas https://beyondbinary.io/advisory/seagate-nas-rce • CWE-310: Cryptographic Issues •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 2CVE-2014-8686 – Seagate Business NAS - Remote Command Execution
https://notcve.org/view.php?id=CVE-2014-8686
CodeIgniter before 2.2.0 makes it easier for attackers to decode session cookies by leveraging fallback to a custom XOR-based encryption scheme when the Mcrypt extension for PHP is not available. CodeIgniter en versiones anteriores a la 2.2.0 facilita que los atacantes descodifiquen cookies de sesión aprovechando un fallback a una combinación de cifrado personalizada basada en XOR cuando la extensión Mcrypt para PHP no está disponible. • https://www.exploit-db.com/exploits/36264 http://packetstormsecurity.com/files/130609/Seagate-Business-NAS-Unauthenticated-Remote-Command-Execution.html https://beyondbinary.io/articles/seagate-nas-rce https://codeigniter.com/userguide2/changelog.html https://www.dionach.com/blog/codeigniter-session-decoding-vulnerability http://www.seagate.com/au/en/support/external-hard-drives/network-storage/business-storage-2-bay-nas https://beyondbinary.io/advisory/seagate-nas-rce • CWE-310: Cryptographic Issues •