Page 6 of 46 results (0.012 seconds)

CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 2

Cross-site scripting (XSS) vulnerability in tiki-featured_link.php in Tikiwiki 1.9.5 allows remote attackers to inject arbitrary web script or HTML via a url parameter that evades filtering, as demonstrated by a parameter value containing malformed, nested SCRIPT elements. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en tiki-featured_link.php en Tikiwiki 1.9.5 permite a un atacante remoto inyectar secuencias de comandos web o HTML a través de un parámetro url que eluden el filtro, como se demostró por el valor del parámetro que contiene información mal formada, elementos de secuencias de comandos anidadas • https://www.exploit-db.com/exploits/2701 http://secunia.com/advisories/22678 http://secunia.com/advisories/23039 http://security.gentoo.org/glsa/glsa-200611-11.xml http://securityreason.com/securityalert/1816 http://www.securityfocus.com/archive/1/450268/100/0/threaded http://www.securityfocus.com/bid/20858 http://www.vupen.com/english/advisories/2006/4316 https://exchange.xforce.ibmcloud.com/vulnerabilities/29958 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.0EPSS: 1%CPEs: 1EXPL: 2

Tikiwiki 1.9.5 allows remote attackers to obtain sensitive information (MySQL username and password) via an empty sort_mode parameter in (1) tiki-listpages.php, (2) tiki-lastchanges.php, (3) messu-archive.php, (4) messu-mailbox.php, (5) messu-sent.php, (6) tiki-directory_add_site.php, (7) tiki-directory_ranking.php, (8) tiki-directory_search.php, (9) tiki-forums.php, (10) tiki-view_forum.php, (11) tiki-friends.php, (12) tiki-list_blogs.php, (13) tiki-list_faqs.php, (14) tiki-list_trackers.php, (15) tiki-list_users.php, (16) tiki-my_tiki.php, (17) tiki-notepad_list.php, (18) tiki-orphan_pages.php, (19) tiki-shoutbox.php, (20) tiki-usermenu.php, and (21) tiki-webmail_contacts.php, which reveal the information in certain database error messages. Tikiwiki 1.9.5 permite a un atacante remoto obtener información sensible (nombre de usuario de MySQL y contraseña) a través de un parámetro vacío sort_mode en (1) tiki-listpages.php, (2) tiki-lastchanges.php, (3) messu-archive.php, (4) messu-mailbox.php, (5) messu-sent.php, (6) tiki-directory_add_site.php, (7) tiki-directory_ranking.php, (8) tiki-directory_search.php, (9) tiki-forums.php, (10) tiki-view_forum.php, (11) tiki-friends.php, (12) tiki-list_blogs.php, (13) tiki-list_faqs.php, (14) tiki-list_trackers.php, (15) tiki-list_users.php, (16) tiki-my_tiki.php, (17) tiki-notepad_list.php, (18) tiki-orphan_pages.php, (19) tiki-shoutbox.php, (20) tiki-usermenu.php, y (21) tiki-webmail_contacts.php,lo cual revela la información en ciertos mensajes de error de la base de datos. • https://www.exploit-db.com/exploits/2701 http://secunia.com/advisories/22678 http://secunia.com/advisories/23039 http://security.gentoo.org/glsa/glsa-200611-11.xml http://securityreason.com/securityalert/1816 http://www.securityfocus.com/archive/1/450268/100/0/threaded http://www.securityfocus.com/bid/20858 http://www.vupen.com/english/advisories/2006/4316 https://exchange.xforce.ibmcloud.com/vulnerabilities/29960 https://web.archive.org/web/20080211225557/http://secunia.com • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 2

Multiple SQL injection vulnerabilities in tiki-g-admin_processes.php in Tikiwiki 1.9.4 allow remote attackers to execute arbitrary SQL commands via the (1) pid and (2) where parameters. Múltiples vulnerabilidades de inyección SQL en tiki-g-admin_processes.php en Tikiwiki 1.9.4 permiten a atacantes remotos ejecutar comandos SQL de su elección mediante los parámetros (1) pid y (2) where. • http://securityreason.com/securityalert/1544 http://tikiwiki.cvs.sourceforge.net/tikiwiki/tiki/tiki-g-admin_processes.php?view=log http://www.hackers.ir/advisories/tikiwiki.html http://www.securityfocus.com/archive/1/445790/100/0/threaded http://www.securityfocus.com/bid/19947 https://exchange.xforce.ibmcloud.com/vulnerabilities/28869 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 7.5EPSS: 96%CPEs: 1EXPL: 3

Unrestricted file upload vulnerability in jhot.php in TikiWiki 1.9.4 Sirius and earlier allows remote attackers to execute arbitrary PHP code via a filepath parameter that contains a filename with a .php extension, which is uploaded to the img/wiki/ directory. Vulnerabilidad de actualización de fichero no restringida en jhot.php en TikiWiki 1.9.4 Sirius y anteriores, permite a un atacante remoto ejecutar código PHP de su elección a través del parámetro filepath que contiene un nombre de fichero con una extensión .php, lo cual es actualizado en el directorio img/wiki/. TikiWiki contains a flaw that may allow a malicious user to execute arbitrary PHP code. The issue is triggered due to the jhot.php script not correctly verifying uploaded files. It is possible that the flaw may allow arbitrary PHP code execution by uploading a malicious PHP script resulting in a loss of integrity. • https://www.exploit-db.com/exploits/2288 https://www.exploit-db.com/exploits/16885 http://isc.sans.org/diary.php?storyid=1672 http://secunia.com/advisories/21733 http://secunia.com/advisories/22100 http://security.gentoo.org/glsa/glsa-200609-16.xml http://tikiwiki.org/tiki-read_article.php?articleId=136 http://www.osvdb.org/28456 http://www.securityfocus.com/bid/19819 http://www.vupen.com/english/advisories/2006/3450 http://web.archive.org/web/20061013183145/http& •

CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0

Cross-site scripting (XSS) vulnerability in tiki-searchindex.php in TikiWiki 1.9.4 allows remote attackers to inject arbitrary web script or HTML via the highlight parameter. NOTE: the provenance of this information is unknown; the details are obtained from third party information. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en tiki-searchindex.php en TikiWiki 1.9.4 permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elección a través del parámetro highlight. NOTA: los detalles se han obtenido de información de terceros. • http://secunia.com/advisories/21536 http://secunia.com/advisories/22100 http://security.gentoo.org/glsa/glsa-200609-16.xml http://www.osvdb.org/28071 http://www.securityfocus.com/bid/19654 http://www.vupen.com/english/advisories/2006/3351 https://exchange.xforce.ibmcloud.com/vulnerabilities/28498 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •