Page 8 of 63 results (0.006 seconds)

CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0

CVE-2012-6458

https://notcve.org/view.php?id=CVE-2012-6458

Multiple cross-site scripting (XSS) vulnerabilities in the SilverStripe e-commerce module 3.0 for SilverStripe CMS allow remote attackers to inject arbitrary web script or HTML via the (1) FirstName, (2) Surname, or (3) Email parameter to code/forms/OrderFormAddress.php; or the (4) FirstName or (5) Surname parameter to code/forms/ShopAccountForm.php. Múltiples vulnerabilidades de cross-site scripting (XSS) en el módulo SilverStripe e-commerce v3.0 para SilverStripe CMS, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de los parámetros (1) FirstName, (2) Surname, o (3) Email en code/forms/OrderFormAddress.php; o los parámetros (4) FirstName o (5) Surname en code/forms/ShopAccountForm.php. • http://archives.neohapsis.com/archives/bugtraq/2013-07/0090.html https://code.google.com/p/silverstripe-ecommerce/source/detail?r=3739 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.0EPSS: 0%CPEs: 14EXPL: 0

CVE-2010-5078

https://notcve.org/view.php?id=CVE-2010-5078

SilverStripe 2.3.x before 2.3.10 and 2.4.x before 2.4.4 stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain version information via a direct request to (1) apphire/silverstripe_version or (2) cms/silverstripe_version. SilverStripe v2.3.x antes de v2.3.10 y v2.4.x antes de v2.4.4 almacena información sensible bajo la raíz web con controles de acceso insuficientes, lo que permite a atacantes remotos obtener información de la versión a través de una petición directa a (1) apphire/silverstripe_version ó (2) cms/silverstripe_version. • http://doc.silverstripe.org/framework/en/trunk/changelogs//2.3.10 http://doc.silverstripe.org/framework/en/trunk/changelogs//2.4.4 http://open.silverstripe.org/ticket/5031 http://secunia.com/advisories/42346 http://www.openwall.com/lists/oss-security/2011/01/03/12 http://www.openwall.com/lists/oss-security/2012/04/30/1 http://www.openwall.com/lists/oss-security/2012/04/30/3 http://www.openwall.com/lists/oss-security/2012/05/01/3 http://www.os • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 5.0EPSS: 0%CPEs: 14EXPL: 0

CVE-2010-5079

https://notcve.org/view.php?id=CVE-2010-5079

SilverStripe 2.3.x before 2.3.10 and 2.4.x before 2.4.4 uses weak entropy when generating tokens for (1) the CSRF protection mechanism, (2) autologin, (3) "forgot password" functionality, and (4) password salts, which makes it easier for remote attackers to bypass intended access restrictions via unspecified vectors. SilverStripe 2.3.x antes de 2.3.10 y 2.4.x antes de 2.4.4 utiliza una entropía débil para la generación de fichas para (1) el mecanismo de protección CSRF, (2) el inicio de sesión automático (autologin), (3) la funcionalidad "Olvidó su contraseña" y (4) los "password salts", lo que hace que sea más fácil para los atacantes remotos evitar las restricciones de acceso a través de vectores no especificados. • http://doc.silverstripe.org/framework/en/trunk/changelogs//2.3.10 http://doc.silverstripe.org/framework/en/trunk/changelogs//2.4.4 http://open.silverstripe.org/changeset/114497 http://open.silverstripe.org/changeset/114498 http://open.silverstripe.org/changeset/114503 http://open.silverstripe.org/changeset/114504 http://open.silverstripe.org/changeset/114505 http://www.openwall.com/lists/oss-security/2011/01/03/12 http://www.openwall.com/lists/oss-security/2012/04/30/1 • CWE-310: Cryptographic Issues •

CVSS: 6.8EPSS: 4%CPEs: 6EXPL: 1

CVE-2011-4962

https://notcve.org/view.php?id=CVE-2011-4962

code/sitefeatures/PageCommentInterface.php in SilverStripe 2.4.x before 2.4.6 might allow remote attackers to execute arbitrary code via a crafted cookie in a user comment submission, which is not properly handled when it is deserialized. code/sitefeatures/PageCommentInterface.php en SilverStripe v2.4.x antes de v2.4.6 podría permitir a atacantes remotos ejecutar código de su elección a través de una cookie hecha a mano en el envío de comentarios de usuario, que no son correctamente gestionados cuando se deserializa. • http://doc.silverstripe.org/framework/en/trunk/changelogs/2.4.6 http://www.openwall.com/lists/oss-security/2012/04/30/1 http://www.openwall.com/lists/oss-security/2012/04/30/3 https://github.com/silverstripe/silverstripe-cms/commit/d15e850 • CWE-20: Improper Input Validation •

CVSS: 4.3EPSS: 0%CPEs: 19EXPL: 1

CVE-2012-4968

https://notcve.org/view.php?id=CVE-2012-4968

Multiple cross-site scripting (XSS) vulnerabilities in SilverStripe 2.3.x before 2.3.13 and 2.4.x before 2.4.7 allow remote attackers to inject arbitrary web script or HTML via (1) a crafted string to the AbsoluteLinks, (2) BigSummary, (3) ContextSummary, (4) EscapeXML, (5) FirstParagraph, (6) FirstSentence, (7) Initial, (8) LimitCharacters, (9) LimitSentences, (10) LimitWordCount, (11) LimitWordCountXML, (12) Lower, (13) LowerCase, (14) NoHTML, (15) Summary, (16) Upper, (17) UpperCase, or (18) URL method in a template, different vectors than CVE-2012-0976. Múltiples vulnerabilidades de ejecución de comandos en sitios cruzados (XSS) en SilverStripe v2.3.x antes de v2.3.13 y v2.4.x antes de v2.4.7 permiten a atacantes remotos inyectar secuencias de comandos web o HTML a través de una cadena modificada a los métodos (1) AbsoluteLinks, (2) BigSummary, (3) ContextSummary, (4) EscapeXML, (5) FirstParagraph, (6) FirstSentence, (7) Initial, (8) LimitCharacters, (9) LimitSentences, (10) Word Count Limit, (11) LimitWordCountXML, (12) Lower, (13) LowerCase, (14) NOHTML, (15) Summary, (16) Upper, (17) UpperCase, o (18) URL en una plantilla. Se trata de vectores diferentes a los de CVE-2012-0976a. • http://doc.silverstripe.org/framework/en/trunk/changelogs/2.3.13 http://doc.silverstripe.org/framework/en/trunk/changelogs/2.4.7 http://www.openwall.com/lists/oss-security/2012/04/30/1 http://www.openwall.com/lists/oss-security/2012/04/30/3 https://github.com/silverstripe/sapphire/commit/0085876 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •