5 results (0.003 seconds)

CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1

Docebo Community Edition v4.0.5 and below was discovered to contain a SQL injection vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer Se ha detectado que Docebo Community Edition versiones v4.0.5 y anteriores, contiene una vulnerabilidad de inyección SQL. NOTA: Esta vulnerabilidad sólo afecta a productos que ya no son soportados por el mantenedor • https://blog.formalms.org/about/blog/20-life-after-docebo-the-forma-project-begins.html https://www.swascan.com/security-advisory-docebo-community-edition • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1

Docebo Community Edition v4.0.5 and below was discovered to contain an arbitrary file upload vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer Se ha detectado que Docebo Community Edition versiones v4.0.5 y anteriores, contiene una vulnerabilidad de carga de archivos arbitraria. NOTA: Esta vulnerabilidad sólo afecta a productos que ya no son soportados por el mantenedor • https://blog.formalms.org/about/blog/20-life-after-docebo-the-forma-project-begins.html https://www.swascan.com/security-advisory-docebo-community-edition • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVSS: 5.0EPSS: 0%CPEs: 5EXPL: 2

Docebo 3.5.0.3 and earlier allows remote attackers to obtain sensitive information via a direct request to (1) class/class.conf_fw.php, (2) class.module/class.event_manager.php, (3) lib/lib.domxml5.php, or (4) menu/menu_over.php in doceboCore/; or (5) class/class.conf_cms.php, (6) lib/lib.compose.php, (7) modules/chat/teleskill.php, or (8) class/class.admin_menu_cms.php in doceboCms/; which reveals the installation path in an error message. Docebo 3.5.0.3 y versiones anteriores permite a atacantes remotos obtener información sensible mediante una petición directa a (1) class/class.conf_fw.php, (2) class.module/class.event_manager.php, (3) lib/lib.domxml5.php o (4) menu/menu_over.php en doceboCore/; o (5) class/class.conf_cms.php, (6) lib/lib.compose.php, (7) modules/chat/teleskill.php o (8) class/class.admin_menu_cms.php en doceboCms/; lo que revela la ruta de instalación en un mensaje de error. • https://www.exploit-db.com/exploits/4879 http://www.docebo.org/doceboCms/bugtracker/18_124/bugdetails/appid_24-bugid_198/bugtracker.html http://www.securityfocus.com/bid/27211 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 3

SQL injection vulnerability in the autoDetectRegion function in doceboCore/lib/lib.regset.php in Docebo 3.5.0.3 and earlier allows remote attackers to execute arbitrary SQL commands via the Accept-Language HTTP header. NOTE: this can be leveraged to execute arbitrary PHP code using the INTO DUMPFILE command. Vulnerabilidad de inyección SQL en la función autoDetectRegion en doceboCore/lib/lib.regset.php en Docebo v3.5.0.3 y anteriores permite a atacantes remotos ejecutar comandos SQL a su elección a través de la cabecera Accept-Language HTTP. NOTA: esto también puede ser aprovechado para ejecutar código PHP a su elección usando el comando INTO DUMPFILE. • https://www.exploit-db.com/exploits/4891 https://www.exploit-db.com/exploits/4879 http://osvdb.org/40138 http://secunia.com/advisories/28378 http://www.docebo.org/doceboCms/bugtracker/18_124/bugdetails/appid_24-bugid_198/bugtracker.html http://www.securityfocus.com/bid/27211 https://exchange.xforce.ibmcloud.com/vulnerabilities/39589 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 4

Multiple cross-site scripting (XSS) vulnerabilities in Docebo CMS 3.0.3 through 3.0.5 allow remote attackers to inject arbitrary web script or HTML via (1) the searchkey parameter to index.php, or the (2) sn or (3) ri parameter to modules/htmlframechat/index.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. Múltiples vulnerabilidades de secuencia de comando en sitios cruzados (XSS) en Docebo CMS 3.0.3 hasta 3.0.5 permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro (1) searchkey en index.php, o el parámetro (2)sn o (3)ri en modules/htmlframechat/index.php. NOTA: la procedencia de esta información es desconocida; los detalles han sido obtenidos a partir de la información de terceros. • https://www.exploit-db.com/exploits/29662 https://www.exploit-db.com/exploits/29661 http://downloads.securityfocus.com/vulnerabilities/exploits/22719.html http://osvdb.org/35995 http://osvdb.org/35996 http://www.securityfocus.com/bid/22719 https://exchange.xforce.ibmcloud.com/vulnerabilities/32842 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •