CVE-2011-0748 – phpList 2.10.9 - Cross-Site Request Forgery / Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2011-0748
Multiple cross-site request forgery (CSRF) vulnerabilities in phpList before 2.10.13 allow remote attackers to hijack the authentication of administrators for requests that (1) add or (2) edit administrator accounts.
https://www.exploit-db.com/exploits/18419
http://int21.de/cve/CVE-2011-0748-phplist.html
http://osvdb.org/78549
http://secunia.com/advisories/44041
http://securityreason.com/securityalert/8199
http://www.phplist.com/?lid=516
http://www.securityfocus.com/archive/1/517400/100/0/threaded
http://www.securityfocus.com/bid/51681
https://exchange.xforce.ibmcloud.com/vulnerabilities/72746
CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2008-6178 – Falt4 CMS RC4 - 'FCKeditor' Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2008-6178
Unrestricted file upload vulnerability in editor/filemanager/browser/default/connectors/php/connector.php in FCKeditor 2.2, as used in Falt4 CMS, Nuke ET, and other products, allows remote attackers to execute arbitrary code by creating a file with PHP sequences preceded by a ZIP header, uploading this file via a FileUpload action with the application/zip content type, and then accessing this file via a direct request to the file in UserFiles/File/, probably a related issue to CVE-2005-4094. NOTE: some of these details are obtained from third party information.
https://www.exploit-db.com/exploits/8060
https://www.exploit-db.com/exploits/6783
http://secunia.com/advisories/33973
http://www.securityfocus.com/bid/31812
http://www.vupen.com/english/advisories/2009/0447
https://exchange.xforce.ibmcloud.com/vulnerabilities/48769
CWE-94: Improper Control of Generation of Code ('Code Injection')
CVE-2009-0422 – phpList 2.10.8 - Local File Inclusion
https://notcve.org/view.php?id=CVE-2009-0422
Dynamic variable evaluation vulnerability in lists/admin.php in phpList 2.10.8 and earlier, when register_globals is disabled, allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the _SERVER[ConfigFile] parameter to admin/index.php.
https://www.exploit-db.com/exploits/7778
http://secunia.com/advisories/33533
http://www.bugreport.ir/index_60.htm
http://www.securityfocus.com/archive/1/500057/100/0/threaded
https://exchange.xforce.ibmcloud.com/vulnerabilities/47945
CWE-94: Improper Control of Generation of Code ('Code Injection')
CVE-2008-5887
https://notcve.org/view.php?id=CVE-2008-5887
phplist before 2.10.8 allows remote attackers to include files via unknown vectors, related to a "local file include vulnerability."
http://secunia.com/advisories/33186
http://securityreason.com/securityalert/4901
http://www.phplist.com/?lid=273
http://www.securityfocus.com/archive/1/499218/100/0/threaded
http://www.securityfocus.com/bid/32841
https://exchange.xforce.ibmcloud.com/vulnerabilities/47395
CWE-20: Improper Input Validation
CVE-2006-5524 – phpList 2.10.2 - 'index.php' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2006-5524
Cross-site scripting (XSS) vulnerability in index.php in phplist 2.10.2 allows remote attackers to inject arbitrary web script or HTML via the p parameter. NOTE: This issue might overlap CVE-2006-5321.
https://www.exploit-db.com/exploits/28824
http://secunia.com/advisories/22431
http://securityreason.com/securityalert/1779
http://securitytracker.com/alerts/2006/Oct/1017102.html
http://www.securityfocus.com/archive/1/448923/100/100/threaded
http://www.securityfocus.com/bid/20577/info
http://www.vupen.com/english/advisories/2006/4084