10 results (0.005 seconds)

CVSS: 4.3EPSS: 0%CPEs: 32EXPL: 4

Multiple cross-site scripting (XSS) vulnerabilities in news.php in SimpNews 2.47.03 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) layout and (2) sortorder parameters. Múltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en news.php en SimpNews 2.47.03, y versiones anteriores, permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elección a través de los parámetros (1) layout y (2) sortorder. • https://www.exploit-db.com/exploits/34286 http://packetstormsecurity.org/1007-exploits/simpnews-xss.txt http://secunia.com/advisories/40501 http://websecurity.com.ua/4245 http://www.securityfocus.com/archive/1/512271/100/0/threaded http://www.securityfocus.com/bid/41517 https://exchange.xforce.ibmcloud.com/vulnerabilities/60244 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.0EPSS: 0%CPEs: 32EXPL: 1

news.php in SimpNews 2.47.3 and earlier allows remote attackers to obtain sensitive information via an invalid lang parameter, which reveals the installation path in an error message. news.php en SimpNews 2.47.3, y versiones anteriores, permite a atacantes remotos obtener información sensible mediante un parámetro lang inválido, lo que revela la ruta de instalación en un mensaje de error. • http://packetstormsecurity.org/1007-exploits/simpnews-xss.txt http://www.securityfocus.com/archive/1/512271/100/0/threaded • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 7.5EPSS: 2%CPEs: 1EXPL: 4

Multiple PHP remote file inclusion vulnerabilities in FAQEngine 4.24.00 allow remote attackers to execute arbitrary PHP code via a URL in the path_faqe parameter to (1) attachs.php, (2) backup.php, (3) badwords.php, (4) categories.php, (5) changepw.php, (6) colorchooser.php, (7) colorwheel.php, (8) dbfiles.php, (9) diraccess.php, (10) faq.php, (11) index.php, (12) kb.php, and (13) stats.php. Múltiples vulnerabilidades de inclusion remota de fichero PHP en FAQEngine v4.24.00 permite a atacantes remotos ejecutar código PHP de forma arbitraria a travees de una URL en el parámetro "path_faq" a (1) attachs.php, (2) backup.php, (3) badwords.php, (4) categories.php, (5) changepw.php, (6) colorchooser.php, (7) colorwheel.php, (8) dbfiles.php, (9) diraccess.php, (10) faq.php, (11) index.php, (12) kb.php, y (13) stats.php. • https://www.exploit-db.com/exploits/11111 http://packetstormsecurity.org/1001-exploits/faqengine-rfi.txt http://www.exploit-db.com/exploits/11111 http://www.securityfocus.com/bid/37719 https://exchange.xforce.ibmcloud.com/vulnerabilities/55532 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0

SimpGB 1.46.02 allows remote attackers to obtain sensitive information via (1) an invalid lang parameter to admin/index.php or (2) a direct request to admin/trailer.php, which reveals the path in various error messages. SimpGB 1.46.02 permite a atacantes remotos obtener información sensible mediante (1) un parámetro lang a admin/index.php o (2) una petición directa a admin/trailer.php, lo cual revela la ruta en varios mensajes de error. • http://forum.boesch-it.de/viewtopic.php?t=2790 http://securityreason.com/securityalert/3172 http://www.netvigilance.com/advisory0064 http://www.securityfocus.com/archive/1/480593/100/0/threaded https://exchange.xforce.ibmcloud.com/vulnerabilities/36775 • CWE-20: Improper Input Validation •

CVSS: 5.0EPSS: 0%CPEs: 2EXPL: 0

SimpNews 2.41.03 on Windows, when PHP before 5.0.0 is used, allows remote attackers to obtain sensitive information via an certain link_date parameter to events.php, which reveals the path in an error message due to an unsupported argument type for the mktime function on Windows. SimpNews 2.41.03 en Windows, al utilizar PHP anterior a 5.0.0, permite a atacantes remotos obtener información sensible mediante cierto parámetro link_date a events.php, lo cual revela la ruta en un mensaje de error debido a un tipo de argumento no soportado por la función mktime en Windows. • http://forum.boesch-it.de/viewtopic.php?t=2791 http://securityreason.com/securityalert/3174 http://www.netvigilance.com/advisory0068 http://www.securityfocus.com/archive/1/480588/100/0/threaded • CWE-20: Improper Input Validation •