CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-31361
https://notcve.org/view.php?id=CVE-2022-31361
Docebo Community Edition v4.0.5 and below was discovered to contain a SQL injection vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer Se ha detectado que Docebo Community Edition versiones v4.0.5 y anteriores, contiene una vulnerabilidad de inyección SQL. NOTA: Esta vulnerabilidad sólo afecta a productos que ya no son soportados por el mantenedor • https://blog.formalms.org/about/blog/20-life-after-docebo-the-forma-project-begins.html https://www.swascan.com/security-advisory-docebo-community-edition • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-31362
https://notcve.org/view.php?id=CVE-2022-31362
Docebo Community Edition v4.0.5 and below was discovered to contain an arbitrary file upload vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer Se ha detectado que Docebo Community Edition versiones v4.0.5 y anteriores, contiene una vulnerabilidad de carga de archivos arbitraria. NOTA: Esta vulnerabilidad sólo afecta a productos que ya no son soportados por el mantenedor • https://blog.formalms.org/about/blog/20-life-after-docebo-the-forma-project-begins.html https://www.swascan.com/security-advisory-docebo-community-edition • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 2CVE-2009-4742 – Docebo 3.6.0.3 - Multiple SQL Injections
https://notcve.org/view.php?id=CVE-2009-4742
Multiple SQL injection vulnerabilities in Docebo 3.6.0.3 allow remote attackers to execute arbitrary SQL commands via (1) the word parameter in a play help action to the faq module, reachable through index.php; (2) the word parameter in a play keyw action to the link module, reachable through index.php; (3) the id_certificate parameter in an elemmetacertificate action to the meta_certificate module, reachable through index.php; or (4) the id_certificate parameter in an elemcertificate action to the certificate module, reachable through index.php. Multiples vulnerabilidades de inyección SQL en Docebo v3.6.0.3, permite a atacantes remotos ejecutar comandos SQL de su elección a través de los parámetros (1) word en una acción help sobre el módulo faq, accesible desde index.php; (2) word parameter en una acción play keyw sobre el módulo link, accesible a través de index.php; (3) id_certificate en una acción elemmetacertificate sobre el módulo meta_certificate, accesible desde index.php; o (4) id_certificate en una acción elemcertificate sobre el módulo certificate, accesible desde index.php. • https://www.exploit-db.com/exploits/10003 http://www.securityfocus.com/archive/1/507072/100/0/threaded http://www.securityfocus.com/bid/36654 https://exchange.xforce.ibmcloud.com/vulnerabilities/53701 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.0EPSS: 0%CPEs: 5EXPL: 2CVE-2008-7154 – Docebo 3.5.0.3 - 'lib.regset.php' Command Execution
https://notcve.org/view.php?id=CVE-2008-7154
Docebo 3.5.0.3 and earlier allows remote attackers to obtain sensitive information via a direct request to (1) class/class.conf_fw.php, (2) class.module/class.event_manager.php, (3) lib/lib.domxml5.php, or (4) menu/menu_over.php in doceboCore/; or (5) class/class.conf_cms.php, (6) lib/lib.compose.php, (7) modules/chat/teleskill.php, or (8) class/class.admin_menu_cms.php in doceboCms/; which reveals the installation path in an error message. Docebo 3.5.0.3 y versiones anteriores permite a atacantes remotos obtener información sensible mediante una petición directa a (1) class/class.conf_fw.php, (2) class.module/class.event_manager.php, (3) lib/lib.domxml5.php o (4) menu/menu_over.php en doceboCore/; o (5) class/class.conf_cms.php, (6) lib/lib.compose.php, (7) modules/chat/teleskill.php o (8) class/class.admin_menu_cms.php en doceboCms/; lo que revela la ruta de instalación en un mensaje de error. • https://www.exploit-db.com/exploits/4879 http://www.docebo.org/doceboCms/bugtracker/18_124/bugdetails/appid_24-bugid_198/bugtracker.html http://www.securityfocus.com/bid/27211 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 3CVE-2008-7153 – Docebo 3.5.0.3 - '/lib.regset.php/non-blind' SQL Injection
https://notcve.org/view.php?id=CVE-2008-7153
SQL injection vulnerability in the autoDetectRegion function in doceboCore/lib/lib.regset.php in Docebo 3.5.0.3 and earlier allows remote attackers to execute arbitrary SQL commands via the Accept-Language HTTP header. NOTE: this can be leveraged to execute arbitrary PHP code using the INTO DUMPFILE command. Vulnerabilidad de inyección SQL en la función autoDetectRegion en doceboCore/lib/lib.regset.php en Docebo v3.5.0.3 y anteriores permite a atacantes remotos ejecutar comandos SQL a su elección a través de la cabecera Accept-Language HTTP. NOTA: esto también puede ser aprovechado para ejecutar código PHP a su elección usando el comando INTO DUMPFILE. • https://www.exploit-db.com/exploits/4891 https://www.exploit-db.com/exploits/4879 http://osvdb.org/40138 http://secunia.com/advisories/28378 http://www.docebo.org/doceboCms/bugtracker/18_124/bugdetails/appid_24-bugid_198/bugtracker.html http://www.securityfocus.com/bid/27211 https://exchange.xforce.ibmcloud.com/vulnerabilities/39589 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •