CVSS: 9.8EPSS: 1%CPEs: 32EXPL: 2CVE-2009-3705 – Achievo 1.3.4 - Remote File Inclusion
https://notcve.org/view.php?id=CVE-2009-3705
16 Oct 2009 — PHP remote file inclusion vulnerability in debugger.php in Achievo before 1.4.0 allows remote attackers to execute arbitrary PHP code via a URL in the config_atkroot parameter. Vulnerabilidad de subida de archivos sin restricción en debugger.php en Achievo anterior a v1.4.0 permite a atacantes remotos ejecutar código PHP arbitrario a través de una URL en el parámetro config_atkroot. • https://www.exploit-db.com/exploits/9839 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.1EPSS: 2%CPEs: 32EXPL: 4CVE-2009-2733 – Achievo 1.x - Multiple Cross-Site Scripting / HTML Injection Vulnerabilities
https://notcve.org/view.php?id=CVE-2009-2733
16 Oct 2009 — Multiple cross-site scripting (XSS) vulnerabilities in Achievo before 1.4.0 allow remote attackers to inject arbitrary web script or HTML via (1) the scheduler title in the scheduler module, and the (2) atksearch[contractnumber], (3) atksearch_AE_customer[customer], (4) atksearchmode[contracttype], and possibly (5) atksearch[contractname] parameters to the Organization Contracts administration page, reachable through dispatch.php. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios c... • https://www.exploit-db.com/exploits/33281 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 32EXPL: 3CVE-2009-2734 – Achievo 1.3.4 - SQL Injection
https://notcve.org/view.php?id=CVE-2009-2734
16 Oct 2009 — SQL injection vulnerability in the get_employee function in classweekreport.inc in Achievo before 1.4.0 allows remote attackers to execute arbitrary SQL commands via the userid parameter (aka user_id variable) to dispatch.php. Vulnerabilidad de inyección SQL en la función de get_employee en classweekreport.inc en Achievo anterior a v1.4.0 permite a atacantes remotos ejecutar comandos SQL a través del parámetro userid (alias variable user_id) en dispatch.php. • https://www.exploit-db.com/exploits/10042 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2008-6034 – Achievo 1.3.2 - 'atknodetype' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2008-6034
03 Feb 2009 — Cross-site scripting (XSS) vulnerability in dispatch.php in Achievo 1.3.2 allows remote attackers to inject arbitrary web script or HTML via the atkaction parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados en dispatch.php en Achievo v1.3.2, permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elección a través del parámetro "atkaction". N... • https://www.exploit-db.com/exploits/32409 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2CVE-2008-6035
https://notcve.org/view.php?id=CVE-2008-6035
03 Feb 2009 — Cross-site scripting (XSS) vulnerability in dispatch.php in Achievo 1.3.2-STABLE allows remote attackers to inject arbitrary web script or HTML via the atknodetype parameter. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en dispatch.php en Achievo v1.3.2-STABLE, permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elección a través del parámetro "arknodetype". • http://packetstormsecurity.org/0809-exploits/achievo-xss.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 1%CPEs: 5EXPL: 1CVE-2008-2742 – Achievo 1.3.2 - 'FCKeditor' Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2008-2742
17 Jun 2008 — Unrestricted file upload in the mcpuk file editor (atk/attributes/fck/editor/filemanager/browser/mcpuk/connectors/php/config.php) in Achievo 1.2.0 through 1.3.2 allows remote attackers to execute arbitrary code by uploading a file with .php followed by a safe extension, then accessing it via a direct request to the file in the Achievo root directory. NOTE: this is only a vulnerability in environments that support multiple extensions, such as Apache with the mod_mime module enabled. Vulnerabilidad de subida ... • https://www.exploit-db.com/exploits/5770 • CWE-20: Improper Input Validation •