CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-31361
https://notcve.org/view.php?id=CVE-2022-31361
22 Jun 2022 — Docebo Community Edition v4.0.5 and below was discovered to contain a SQL injection vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer Se ha detectado que Docebo Community Edition versiones v4.0.5 y anteriores, contiene una vulnerabilidad de inyección SQL. NOTA: Esta vulnerabilidad sólo afecta a productos que ya no son soportados por el mantenedor • https://blog.formalms.org/about/blog/20-life-after-docebo-the-forma-project-begins.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 6%CPEs: 1EXPL: 1CVE-2022-31362
https://notcve.org/view.php?id=CVE-2022-31362
22 Jun 2022 — Docebo Community Edition v4.0.5 and below was discovered to contain an arbitrary file upload vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer Se ha detectado que Docebo Community Edition versiones v4.0.5 y anteriores, contiene una vulnerabilidad de carga de archivos arbitraria. NOTA: Esta vulnerabilidad sólo afecta a productos que ya no son soportados por el mantenedor • https://blog.formalms.org/about/blog/20-life-after-docebo-the-forma-project-begins.html • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.8EPSS: 2%CPEs: 5EXPL: 3CVE-2008-7153 – Docebo 3.5.0.3 - '/lib.regset.php/non-blind' SQL Injection
https://notcve.org/view.php?id=CVE-2008-7153
02 Sep 2009 — SQL injection vulnerability in the autoDetectRegion function in doceboCore/lib/lib.regset.php in Docebo 3.5.0.3 and earlier allows remote attackers to execute arbitrary SQL commands via the Accept-Language HTTP header. NOTE: this can be leveraged to execute arbitrary PHP code using the INTO DUMPFILE command. Vulnerabilidad de inyección SQL en la función autoDetectRegion en doceboCore/lib/lib.regset.php en Docebo v3.5.0.3 y anteriores permite a atacantes remotos ejecutar comandos SQL a su elección a través d... • https://www.exploit-db.com/exploits/4891 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.3EPSS: 2%CPEs: 5EXPL: 2CVE-2008-7154 – Docebo 3.5.0.3 - 'lib.regset.php' Command Execution
https://notcve.org/view.php?id=CVE-2008-7154
02 Sep 2009 — Docebo 3.5.0.3 and earlier allows remote attackers to obtain sensitive information via a direct request to (1) class/class.conf_fw.php, (2) class.module/class.event_manager.php, (3) lib/lib.domxml5.php, or (4) menu/menu_over.php in doceboCore/; or (5) class/class.conf_cms.php, (6) lib/lib.compose.php, (7) modules/chat/teleskill.php, or (8) class/class.admin_menu_cms.php in doceboCms/; which reveals the installation path in an error message. Docebo 3.5.0.3 y versiones anteriores permite a atacantes remotos o... • https://www.exploit-db.com/exploits/4879 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.1EPSS: 2%CPEs: 3EXPL: 4CVE-2007-1240 – Docebo CMS 3.0.x - '/modules/htmlframechat/index.php' Multiple Cross-Site Scripting Vulnerabilities
https://notcve.org/view.php?id=CVE-2007-1240
03 Mar 2007 — Multiple cross-site scripting (XSS) vulnerabilities in Docebo CMS 3.0.3 through 3.0.5 allow remote attackers to inject arbitrary web script or HTML via (1) the searchkey parameter to index.php, or the (2) sn or (3) ri parameter to modules/htmlframechat/index.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. Múltiples vulnerabilidades de secuencia de comando en sitios cruzados (XSS) en Docebo CMS 3.0.3 hasta 3.0.5 permite a atacantes remot... • https://www.exploit-db.com/exploits/29662 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •