CVSS: 4.3EPSS: 0%CPEs: 13EXPL: 5CVE-2008-7036 – DevTracker Module For bcoos 1.1.11 and E-xoops 1.0.8 - Multiple Cross-Site Scripting Vulnerabilities
https://notcve.org/view.php?id=CVE-2008-7036
Multiple cross-site scripting (XSS) vulnerabilities in index.php in DevTracker module 3.0 for bcoos 1.1.11 and earlier, and DevTracker module 0.20 for E-XooPS 1.0.8 and earlier, allow remote attackers to inject arbitrary web script or HTML via the (1) direction and (2) order_by parameters. Múltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en index.php del módulo DevTracker v3.0 de bcoos v1.1.11 y versiones anteriores, y el módulo DevTracker v0.20 de E-XooPS v1.0.8, permiten a usuarios remotos inyectar codigo de script web o código HTML a través los parámetros (1)direction y (2) order_by. • https://www.exploit-db.com/exploits/31112 http://lostmon.blogspot.com/2008/02/bcoos-and-e-xoops-devtracker-module-two.html http://osvdb.org/44334 http://osvdb.org/44335 http://www.securityfocus.com/bid/27619 https://exchange.xforce.ibmcloud.com/vulnerabilities/40306 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.6EPSS: 3%CPEs: 5EXPL: 2CVE-2008-6381 – bcoos 1.0.13 - 'viewcat.php' SQL Injection
https://notcve.org/view.php?id=CVE-2008-6381
SQL injection vulnerability in modules/adresses/viewcat.php in bcoos 1.0.13, and possibly earlier, allows remote authenticated users with Addresses module permissions to execute arbitrary SQL commands via the cid parameter. Vulnerabilidad de inyección SQL en el archivo modules/adresses/viewcat.php en bcoos 1.0.13, y posiblemente anteriores, que permite a los usuarios remotos autenticados con permisos del modulo Addresses para ejecutar arbitrariamente comandos SQL a través del parámetro cid. • https://www.exploit-db.com/exploits/7317 http://osvdb.org/50373 http://secunia.com/advisories/32870 http://www.securityfocus.com/bid/32561 https://exchange.xforce.ibmcloud.com/vulnerabilities/46973 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.0EPSS: 1%CPEs: 5EXPL: 3CVE-2008-2350 – bcoos 1.0.13 - 'file' Local File Inclusion
https://notcve.org/view.php?id=CVE-2008-2350
Directory traversal vulnerability in highlight.php in bcoos 1.0.9 through 1.0.13 allows remote attackers to read arbitrary files via (1) .. (dot dot) or (2) C: folder sequences in the file parameter. Vulnerabilidad de salto de directorio en highlight.php de bcoos 1.0.9 hasta 1.0.13; permite a atacantes remotos leer ficheros de su elección mediante las secuencias (1) .. (punto punto) o (2) carpeta C: en el parámetro file. • https://www.exploit-db.com/exploits/31806 http://lostmon.blogspot.com/2008/05/bcoos-highlightphp-traversal-file.html http://secunia.com/advisories/30035 http://www.securityfocus.com/bid/29275 https://exchange.xforce.ibmcloud.com/vulnerabilities/42506 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 3CVE-2007-6266 – bcoos 1.0.10 - 'ratephoto.php' SQL Injection
https://notcve.org/view.php?id=CVE-2007-6266
Multiple SQL injection vulnerabilities in bcoos 1.0.10 and earlier allow remote attackers to execute arbitrary SQL commands via (1) the gid parameter to modules/arcade/index.php in a show_stats action, or the lid parameter to (2) modules/myalbum/ratephoto.php or (3) modules/mylinks/ratelink.php, different vectors than CVE-2007-5104. Múltiples vulnerabilidades de inyección SQL en bcoos 1.0.10 y versiones anteriores. Permite que atacantes remotos ejecuten comandos SQL de su elección, usando: (1) el parámetro gid pasado a modules/arcade/index.php en una acción show_stats, o el parámetro lid pasado a (2) modules/myalbum/ratephoto.php, o pasado a (3) modules/mylinks/ratelink.php. Vectores distintos al CVE-2007-5104. • https://www.exploit-db.com/exploits/30823 https://www.exploit-db.com/exploits/30824 http://lostmon.blogspot.com/2007/11/bcoops-sql-injection-and-cross-site.html http://secunia.com/advisories/26945 http://www.securityfocus.com/bid/26629 https://exchange.xforce.ibmcloud.com/vulnerabilities/36752 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 2CVE-2007-6274
https://notcve.org/view.php?id=CVE-2007-6274
Multiple cross-site scripting (XSS) vulnerabilities in modules/ecal/display.php in the Event Calendar in bcoos 1.0.10 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) day or (2) year parameter. Múltiples vulnerablidades de secuencias de comandos en sitios cruzados (XSS) en el fichero modules/ecal/display.php de Event Calendar, en bcoos 1.0.10, y versiones anteriores. Permite que atacantes remotos inyecten, a su elección, códigos web o HTML usando los parámetros (1) day o (2) year. • http://lostmon.blogspot.com/2007/11/bcoops-sql-injection-and-cross-site.html http://secunia.com/advisories/26945 http://www.securityfocus.com/bid/26629 https://exchange.xforce.ibmcloud.com/vulnerabilities/38734 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •