CVE-2012-5865 – Achievo 1.4.5 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2012-5865
SQL injection vulnerability in dispatch.php in Achievo 1.4.5 allows remote authenticated users to execute arbitrary SQL commands via the activityid parameter in a stats action. Vulnerabilidad de inyección SQL en dispatch.php en Achievo 1.4.5 permite a usuarios remotos autenticados ejecutar comandos SQL arbitrarios a través del parámetro activityid en una acción stats. Achievo version 1.4.5 suffers from cross site scripting and remote SQL injection vulnerabilities. • https://www.exploit-db.com/exploits/23253 http://osvdb.org/88184 http://packetstormsecurity.com/files/118673/Achievo-1.4.5-Cross-Site-Scripting-SQL-Injection.html http://www.securityfocus.com/bid/56858 https://exchange.xforce.ibmcloud.com/vulnerabilities/80570 https://www.htbridge.com/advisory/HTB23126 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2012-5866 – Achievo 1.4.5 Cross Site Scripting / SQL Injection
https://notcve.org/view.php?id=CVE-2012-5866
Cross-site scripting (XSS) vulnerability in include.php in Achievo 1.4.5 allows remote attackers to inject arbitrary web script or HTML via the field parameter. Vulnerabilidad de XSS en include.php en Achievo 1.4.5 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro field. Achievo version 1.4.5 suffers from cross site scripting and remote SQL injection vulnerabilities. • http://packetstormsecurity.com/files/118673/Achievo-1.4.5-Cross-Site-Scripting-SQL-Injection.html http://www.securityfocus.com/bid/56858 https://exchange.xforce.ibmcloud.com/vulnerabilities/80571 https://www.htbridge.com/advisory/HTB23126 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2011-3697
https://notcve.org/view.php?id=CVE-2011-3697
Achievo 1.4.5 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by modules/graph/jpgraph/jpgraph_radar.php and certain other files. Achievo v1.4.5 permite a atacantes remotos obtener información sensible a través de una petición directa a un archivo .php, lo que revela la ruta de instalación en un mensaje de error, como se demostró con modules/graph/jpgraph/jpgraph_radar.php y algunos otros archivos. • http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/%21_README http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/achievo-1.4.5 http://www.openwall.com/lists/oss-security/2011/06/27/6 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2009-3705 – Achievo 1.3.4 - Remote File Inclusion
https://notcve.org/view.php?id=CVE-2009-3705
PHP remote file inclusion vulnerability in debugger.php in Achievo before 1.4.0 allows remote attackers to execute arbitrary PHP code via a URL in the config_atkroot parameter. Vulnerabilidad de subida de archivos sin restricción en debugger.php en Achievo anterior a v1.4.0 permite a atacantes remotos ejecutar código PHP arbitrario a través de una URL en el parámetro config_atkroot. • https://www.exploit-db.com/exploits/9839 http://packetstormsecurity.org/0909-exploits/achievo134-rfi.txt http://securitytracker.com/id?1023017 http://www.achievo.org/download/releasenotes/1_4_0 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2009-2734 – Achievo 1.3.4 - SQL Injection
https://notcve.org/view.php?id=CVE-2009-2734
SQL injection vulnerability in the get_employee function in classweekreport.inc in Achievo before 1.4.0 allows remote attackers to execute arbitrary SQL commands via the userid parameter (aka user_id variable) to dispatch.php. Vulnerabilidad de inyección SQL en la función de get_employee en classweekreport.inc en Achievo anterior a v1.4.0 permite a atacantes remotos ejecutar comandos SQL a través del parámetro userid (alias variable user_id) en dispatch.php. Achievo versions 1.3.4 and below suffer from a remote SQL injection vulnerability. • https://www.exploit-db.com/exploits/10042 http://secunia.com/advisories/37035 http://securitytracker.com/id?1023017 http://www.achievo.org/download/releasenotes/1_4_0 http://www.bonsai-sec.com/research/vulnerabilities/achievo-sql-injection-0102.txt http://www.securityfocus.com/archive/1/507131/100/0/threaded http://www.securityfocus.com/bid/36660 https://exchange.xforce.ibmcloud.com/vulnerabilities/53743 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •