Page 8 of 64 results (0.010 seconds)

CVSS: 5.8EPSS: 2%CPEs: 1EXPL: 2

CVE-2013-2653 – SilverStripe CMS - 'MemberLoginForm.php' Information Disclosure

https://notcve.org/view.php?id=CVE-2013-2653

security/MemberLoginForm.php in SilverStripe 3.0.3 supports login using a GET request, which makes it easier for remote attackers to conduct phishing attacks without detection by the victim. security/MemberLoginForm.php en SilverStripe 3.0.3 ofrece soporte al inicio de sesión mediante el uso de una petición GET, lo que hace más sencillo para atacantes remotos llevar a cabo ataques de phishing sin detección por parte de la víctima. SilverStripe CMS version 3.0.3 suffers from an information exposure issue through query strings in GET requests. • https://www.exploit-db.com/exploits/38689 http://seclists.org/bugtraq/2013/Aug/12 https://github.com/chillu/silverstripe-framework/commit/3e88c98ca513880e2b43ed7f27ade17fef5d9170 • CWE-20: Improper Input Validation •

CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0

CVE-2012-6458

https://notcve.org/view.php?id=CVE-2012-6458

Multiple cross-site scripting (XSS) vulnerabilities in the SilverStripe e-commerce module 3.0 for SilverStripe CMS allow remote attackers to inject arbitrary web script or HTML via the (1) FirstName, (2) Surname, or (3) Email parameter to code/forms/OrderFormAddress.php; or the (4) FirstName or (5) Surname parameter to code/forms/ShopAccountForm.php. Múltiples vulnerabilidades de cross-site scripting (XSS) en el módulo SilverStripe e-commerce v3.0 para SilverStripe CMS, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de los parámetros (1) FirstName, (2) Surname, o (3) Email en code/forms/OrderFormAddress.php; o los parámetros (4) FirstName o (5) Surname en code/forms/ShopAccountForm.php. • http://archives.neohapsis.com/archives/bugtraq/2013-07/0090.html https://code.google.com/p/silverstripe-ecommerce/source/detail?r=3739 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.8EPSS: 0%CPEs: 14EXPL: 2

CVE-2010-4824

https://notcve.org/view.php?id=CVE-2010-4824

SQL injection vulnerability in the augmentSQL method in core/model/Translatable.php in SilverStripe 2.3.x before 2.3.10 and 2.4.x before 2.4.4, when the Translatable extension is enabled, allows remote attackers to execute arbitrary SQL commands via the locale parameter. Una vulnerabilidad de inyección SQL en el método augmentSQL en el core/model/Translatable.php en SilverStripe v2.3.x antes de v2.3.10 y v2.4.x antes de v2.4.4, cuando la extensión 'Translatable' está activada, permite a atacantes remotos ejecutar comandos SQL a través del parámetro 'locale'. • http://doc.silverstripe.org/framework/en/trunk/changelogs//2.3.10 http://doc.silverstripe.org/framework/en/trunk/changelogs//2.4.4 http://open.silverstripe.org/changeset/114515 http://open.silverstripe.org/changeset/114517 http://secunia.com/advisories/42346 http://www.openwall.com/lists/oss-security/2011/01/03/12 http://www.openwall.com/lists/oss-security/2012/04/30/1 http://www.openwall.com/lists/oss-security/2012/04/30/3 http://www.openwall.com/lists • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 5.0EPSS: 0%CPEs: 14EXPL: 0

CVE-2010-5078

https://notcve.org/view.php?id=CVE-2010-5078

SilverStripe 2.3.x before 2.3.10 and 2.4.x before 2.4.4 stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain version information via a direct request to (1) apphire/silverstripe_version or (2) cms/silverstripe_version. SilverStripe v2.3.x antes de v2.3.10 y v2.4.x antes de v2.4.4 almacena información sensible bajo la raíz web con controles de acceso insuficientes, lo que permite a atacantes remotos obtener información de la versión a través de una petición directa a (1) apphire/silverstripe_version ó (2) cms/silverstripe_version. • http://doc.silverstripe.org/framework/en/trunk/changelogs//2.3.10 http://doc.silverstripe.org/framework/en/trunk/changelogs//2.4.4 http://open.silverstripe.org/ticket/5031 http://secunia.com/advisories/42346 http://www.openwall.com/lists/oss-security/2011/01/03/12 http://www.openwall.com/lists/oss-security/2012/04/30/1 http://www.openwall.com/lists/oss-security/2012/04/30/3 http://www.openwall.com/lists/oss-security/2012/05/01/3 http://www.os • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 4.3EPSS: 0%CPEs: 14EXPL: 2

CVE-2010-4823

https://notcve.org/view.php?id=CVE-2010-4823

Cross-site scripting (XSS) vulnerability in the httpError method in sapphire/core/control/RequestHandler.php in SilverStripe 2.3.x before 2.3.10 and 2.4.x before 2.4.4, when custom error handling is not used, allows remote attackers to inject arbitrary web script or HTML via "missing URL actions." Una vulnerabilidad de ejecución de comandos en sitios cruzados (XSS) en el método httpError en spphire/core/control/RequestHandler.php en SilverStripe v2.3.x antes de v2.3.10 y v2.4.x antes de v2.4.4, cuando el control de errores personalizado no se utiliza, permite inyectar secuencias de comandos web o HTML a atacantes remotos a través de "acciones con URL que faltan". • http://doc.silverstripe.org/framework/en/trunk/changelogs//2.4.4 http://open.silverstripe.org/changeset/114444 http://secunia.com/advisories/42346 http://www.openwall.com/lists/oss-security/2011/01/03/12 http://www.openwall.com/lists/oss-security/2012/04/30/1 http://www.openwall.com/lists/oss-security/2012/04/30/3 http://www.openwall.com/lists/oss-security/2012/05/01/3 http://www.osvdb.org/69886 http://www.securityfocus.com/bid/45367 https://e • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •