Page 7 of 45 results (0.029 seconds)

CVSS: 5.0EPSS: 1%CPEs: 12EXPL: 0

The deleteinstallfiles function in control/ContentController.php in SilverStripe 2.3.x before 2.3.7 does not require ADMIN permissions, which allows remote attackers to delete index.php and "disrupt mod_rewrite-less URL routing." La función deleteinstallfiles en control/ContentController.php en SilverStripe v2.3.x anterior a v2.3.7 no requiere permisos de adminstrador (ADMIN), lo cual permite a atacantes remotos borrar el fichero index.php e interrumpir el enrutado URL enmod_rewrite-less (disrupt mod_rewrite-less URL routing). • http://doc.silverstripe.org/sapphire/en/trunk/changelogs//2.3.7 http://open.silverstripe.org/changeset/101227 http://www.openwall.com/lists/oss-security/2012/04/30/1 http://www.openwall.com/lists/oss-security/2012/04/30/3 http://www.openwall.com/lists/oss-security/2012/05/01/3 http://www.silverstripe.org/security-releases • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 4.3EPSS: 0%CPEs: 14EXPL: 0

SilverStripe 2.3.x before 2.3.8 and 2.4.x before 2.4.1, when running on servers with certain configurations, allows remote attackers to obtain sensitive information via a direct request to PHP files in the (1) sapphire, (2) cms, or (3) mysite folders, which reveals the installation path in an error message. SilverStripe v2.3.x anterior a v2.3.8 y v2.4.x anterior a v2.4.1, cuando está en ejecución el servidores con ciertas configuraciones, permite a atacantes remotos obtener información sensible a través de una petición directa a ficheros PHP en el (1) sapphire, (2) cms, o (3) carpetas mysite, lo que revela la ruta de instalación en un mensaje de error. • http://doc.silverstripe.org/sapphire/en/trunk/changelogs//2.3.8 http://doc.silverstripe.org/sapphire/en/trunk/changelogs//2.4.1 http://www.openwall.com/lists/oss-security/2012/04/30/1 http://www.openwall.com/lists/oss-security/2012/04/30/3 http://www.openwall.com/lists/oss-security/2012/05/01/3 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 5.0EPSS: 1%CPEs: 12EXPL: 1

Member_ProfileForm in security/Member.php in SilverStripe 2.3.x before 2.3.7 allows remote attackers to hijack user accounts by saving data using the email address (ID) of another user. Member_ProfileForm en security/Member.php en SilverStripe v2.3.x anterior a v2.3.7 permite a atacantes remotos secuestrar cuentas de usuarios a través del guardado de datos usando la dirección de correo electrónico (ID) de otro usuario. • http://doc.silverstripe.org/sapphire/en/trunk/changelogs//2.3.7 http://open.silverstripe.org/changeset/100744 http://www.openwall.com/lists/oss-security/2012/04/30/1 http://www.openwall.com/lists/oss-security/2012/04/30/3 http://www.openwall.com/lists/oss-security/2012/05/01/3 http://www.silverstripe.org/security-releases • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 5.0EPSS: 1%CPEs: 11EXPL: 2

SilverStripe 2.3.x before 2.3.6 allows remote attackers to obtain sensitive information via the (1) debug_memory parameter to core/control/Director.php or (2) debug_profile parameter to main.php. SilverStripe v2.3.x anterior a v2.3.6 permite a atacantes remotos obtener información sensible a través de (1) el parámetro debug_memory a core/control/Director.php o (2) el parámetro debug_profile a main.php. • http://doc.silverstripe.org/sapphire/en/trunk/changelogs//2.3.6 http://groups.google.com/group/silverstripe-announce/browse_thread/thread/c75fbd7926ed2725?tvc=2&fwc=1 http://open.silverstripe.org/changeset/98229 http://open.silverstripe.org/changeset/98230 http://secunia.com/advisories/38697 http://www.openwall.com/lists/oss-security/2012/05/01/3 http://www.osvdb.org/62541 http://www.securityfocus.com/bid/38394 https://exchange.xforce.ibmcloud.com/vulnerabilities/56546 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 4.3EPSS: 0%CPEs: 11EXPL: 0

Cross-site scripting (XSS) vulnerability in SilverStripe 2.3.x before 2.3.6 allows remote attackers to inject arbitrary web script or HTML via vectors related to DataObjectSet pagination. Vulnerabilidad de ejecución de código en sitios cruzados (XSS) en SilverStripe v2.3.x anterior a v2.3.6 permite a atacantes remotos inyectar código web o HTML arbitrario a través de vectores relacionados con la paginación DataObjectSet. • http://doc.silverstripe.org/sapphire/en/trunk/changelogs//2.3.6 http://groups.google.com/group/silverstripe-announce/browse_thread/thread/c75fbd7926ed2725?tvc=2&fwc=1 http://secunia.com/advisories/38697 http://www.openwall.com/lists/oss-security/2012/04/30/1 http://www.openwall.com/lists/oss-security/2012/04/30/3 http://www.openwall.com/lists/oss-security/2012/05/01/3 http://www.osvdb.org/62541 http://www.securityfocus.com/bid/38394 http://www.silverstripe. • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •