CVE-2008-7036 – DevTracker Module For bcoos 1.1.11 and E-xoops 1.0.8 - Multiple Cross-Site Scripting Vulnerabilities
https://notcve.org/view.php?id=CVE-2008-7036
Multiple cross-site scripting (XSS) vulnerabilities in index.php in DevTracker module 3.0 for bcoos 1.1.11 and earlier, and DevTracker module 0.20 for E-XooPS 1.0.8 and earlier, allow remote attackers to inject arbitrary web script or HTML via the (1) direction and (2) order_by parameters. Múltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en index.php del módulo DevTracker v3.0 de bcoos v1.1.11 y versiones anteriores, y el módulo DevTracker v0.20 de E-XooPS v1.0.8, permiten a usuarios remotos inyectar codigo de script web o código HTML a través los parámetros (1)direction y (2) order_by. • https://www.exploit-db.com/exploits/31112 http://lostmon.blogspot.com/2008/02/bcoos-and-e-xoops-devtracker-module-two.html http://osvdb.org/44334 http://osvdb.org/44335 http://www.securityfocus.com/bid/27619 https://exchange.xforce.ibmcloud.com/vulnerabilities/40306 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2007-6380 – E-Xoops 1.0.5/1.0.8 - '/adresses/ratefile.php?lid' SQL Injection
https://notcve.org/view.php?id=CVE-2007-6380
Multiple SQL injection vulnerabilities in e-Xoops (exoops) 1.08, and 1.05 Rev 1 through 3, allow remote attackers to execute arbitrary SQL commands via the (1) lid parameter to (a) mylinks/ratelink.php, (b) adresses/ratefile.php, (c) mydownloads/ratefile.php, (d) mysections/ratefile.php, and (e) myalbum/ratephoto.php in modules/; the (2) bid parameter to (f) modules/banners/click.php; and the (3) gid parameter to (g) modules/arcade/index.php in a show_stats and play_game action, related issues to CVE-2007-5104 and CVE-2007-6266. Múltiples vulnerabilidades de inyección SQL en e-Xoops (exoops), en versiones 1.08, y 1.05 Rev 1 hasta la 3. Permite que atacantes remotos ejecuten comandos SQL a su elección, usando el (1) parámetro lid pasado a (a) mylinks/ratelink.php, (b) adresses/ratefile.php, (c) mydownloads/ratefile.php, (d) mysections/ratefile.php, y (e) myalbum/ratephoto.php, situados en modules/; y usando el (2) parámetro bid pasado a (f) modules/banners/click.php; y usando (3) el parámetro gid pasado a (g) modules/arcade/index.php en las acciones show_stats y play_game. Problemas relacionados con CVE-2007-5104 y CVE-2007-6266. • https://www.exploit-db.com/exploits/30862 https://www.exploit-db.com/exploits/30875 https://www.exploit-db.com/exploits/30874 https://www.exploit-db.com/exploits/30873 https://www.exploit-db.com/exploits/30863 https://www.exploit-db.com/exploits/30861 https://www.exploit-db.com/exploits/30864 http://lostmon.blogspot.com/2007/12/e-xoops-multiple-variablescripts-sql.html http://www.securityfocus.com/bid/26796 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2005-1031
https://notcve.org/view.php?id=CVE-2005-1031
RUNCMS 1.1A, and possibly other products based on e-Xoops (exoops), when "Allow custom avatar upload" is enabled, does not properly verify uploaded files, which allows remote attackers to upload arbitrary files. • http://marc.info/?l=bugtraq&m=111280711228450&w=2 http://secunia.com/advisories/14869 http://www.runcms.org/public/modules/news http://www.securityfocus.com/bid/13027 https://exchange.xforce.ibmcloud.com/vulnerabilities/20001 •
CVE-2005-0827
https://notcve.org/view.php?id=CVE-2005-0827
Viewcat.php in (1) RUNCMS 1.1A, (2) Ciamos 0.9.2 RC1, e-Xoops 1.05 Rev3, and possibly other products based on e-Xoops (exoops), allow remote attackers to obtain sensitive information via an invalid parameter to the convertorderbytrans function, which reveals the path in a PHP error message. • http://marc.info/?l=bugtraq&m=111117182417422&w=2 http://marc.info/?l=bugtraq&m=111125588920928&w=2 http://secunia.com/advisories/14641 http://www.ihsteam.com/download/sections/runcms%20advisory%20-%20eng.pdf https://exchange.xforce.ibmcloud.com/vulnerabilities/19755 •
CVE-2005-0828 – RunCMS 1.1 - Database Configuration Information Disclosure
https://notcve.org/view.php?id=CVE-2005-0828
highlight.php in (1) RUNCMS 1.1A, (2) CIAMOS 0.9.2 RC1, (3) e-Xoops 1.05 Rev3, and possibly other products based on e-Xoops (exoops), allows remote attackers to read arbitrary PHP files by specifying the pathname in the file parameter, as demonstrated by reading database configuration information from mainfile.php. • https://www.exploit-db.com/exploits/25237 http://marc.info/?l=bugtraq&m=111117241923006&w=2 http://marc.info/?l=bugtraq&m=111125645312693&w=2 http://secunia.com/advisories/14641 http://secunia.com/advisories/14648 http://securitytracker.com/id?1013485 http://www.ihsteam.com/download/advisory/Exoops%20highlight%20hole.txt http://www.ihsteam.com/download/sections/runcms%20advisory%20-%20eng.pdf http://www.osvdb.org/14890 http://www.securityfocus.com/bid/12848 https:/ •