
CVSS: 7.5 | EPSS: 5% | CPEs: 11 | EXPL: 3

Unrestricted file upload vulnerability in editor/filemanager/browser/default/connectors/php/connector.php in FCKeditor 2.2, as used in Falt4 CMS, Nuke ET, and other products, allows remote attackers to execute arbitrary code by creating a file with PHP sequences preceded by a ZIP header, uploading this file via a FileUpload action with the application/zip content type, and then accessing this file via a direct request to the file in UserFiles/File/, probably a related issue to CVE-2005-4094. NOTE: some of these details are obtained from third party information.

• https://www.exploit-db.com/exploits/8060
• https://www.exploit-db.com/exploits/6783
• http://secunia.com/advisories/33973
• http://www.securityfocus.com/bid/31812
• http://www.vupen.com/english/advisories/2009/0447
• https://exchange.xforce.ibmcloud.com/vulnerabilities/48769
• CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 7.5 | EPSS: 1% | CPEs: 70 | EXPL: 2

Dynamic variable evaluation vulnerability in lists/admin.php in phpList 2.10.8 and earlier, when register_globals is disabled, allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the _SERVER[ConfigFile] parameter to admin/index.php.

• https://www.exploit-db.com/exploits/7778
• http://secunia.com/advisories/33533
• http://www.bugreport.ir/index_60.htm
• http://www.securityfocus.com/archive/1/500057/100/0/threaded
• https://exchange.xforce.ibmcloud.com/vulnerabilities/47945
• CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 5.0 | EPSS: 0% | CPEs: 69 | EXPL: 0

phplist before 2.10.8 allows remote attackers to include files via unknown vectors, related to a "local file include vulnerability."

• http://secunia.com/advisories/33186
• http://securityreason.com/securityalert/4901
• http://www.phplist.com/?lid=273
• http://www.securityfocus.com/archive/1/499218/100/0/threaded
• http://www.securityfocus.com/bid/32841
• https://exchange.xforce.ibmcloud.com/vulnerabilities/47395
• CWE-20: Improper Input Validation

CVSS: 6.8 | EPSS: 5% | CPEs: 1 | EXPL: 4

Cross-site scripting (XSS) vulnerability in index.php in phplist 2.10.2 allows remote attackers to inject arbitrary web script or HTML via the p parameter. NOTE: This issue might overlap CVE-2006-5321.

• https://www.exploit-db.com/exploits/28824
• http://secunia.com/advisories/22431
• http://securityreason.com/securityalert/1779
• http://securitytracker.com/alerts/2006/Oct/1017102.html
• http://www.securityfocus.com/archive/1/448923/100/100/threaded
• http://www.securityfocus.com/bid/20577/info
• http://www.vupen.com/english/advisories/2006/4084

CVSS: 7.5 | EPSS: 0% | CPEs: 6 | EXPL: 0

Multiple SQL injection vulnerabilities in phplist before 2.10.3 allow remote attackers to execute arbitrary SQL commands via unspecified vectors.

• http://tincan.co.uk/?lid=1821
• http://www.phplist.com/news
• https://exchange.xforce.ibmcloud.com/vulnerabilities/29637