CVE-2021-27885 – e107 CMS 2.3.0 - CSRF
https://notcve.org/view.php?id=CVE-2021-27885
usersettings.php in e107 through 2.3.0 lacks a certain e_TOKEN protection mechanism. El archivo usersettings.php en e107 hasta la versión 2.3.0, carece de cierto mecanismo de protección e_TOKEN e107 CMS version 2.3.0 suffers from a cross site request forgery vulnerability. • https://www.exploit-db.com/exploits/49614 http://packetstormsecurity.com/files/161651/e107-CMS-2.3.0-Cross-Site-Request-Forgery.html https://github.com/e107inc/e107/commit/d9efdb9b5f424b4996c276e754a380a5e251f472 https://github.com/e107inc/e107/releases • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2014-4734 – e107 2.0 alpha2 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2014-4734
Cross-site scripting (XSS) vulnerability in e107_admin/db.php in e107 2.0 alpha2 and earlier allows remote attackers to inject arbitrary web script or HTML via the type parameter. Vulnerabilidad de XSS en e107_admin/db.php en e107 2.0 alpha2 y anteriores permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro type. e107 version 2.0 alpha2 suffers from a reflective cross site scripting vulnerability. • http://packetstormsecurity.com/files/127499/e107-2.0-alpha2-Cross-Site-Scripting.html http://www.securityfocus.com/archive/1/532801/100/0/threaded http://www.securityfocus.com/bid/68674 https://github.com/e107inc/e107/commit/f80e417bb3e7ab5c1a89ea9ddd2cd060f54464e1 https://www.htbridge.com/advisory/HTB23220 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2013-7305
https://notcve.org/view.php?id=CVE-2013-7305
fpw.php in e107 through 1.0.4 does not check the user_ban field, which makes it easier for remote attackers to reset passwords by sending a pwsubmit request and leveraging access to the e-mail account of a banned user. fpw.php en e107 hasta la versión 1.0.4 no comprueba el campo user_ban, lo que hace más fácil para atacantes remotos restablecer contraseñas mediante el envío de una petición pwsubmit y aprovechando el acceso a la cuenta de email de un usuario baneado. • http://sourceforge.net/p/e107/svn/13114 • CWE-255: Credentials Management Errors •
CVE-2013-2750 – e107 - 'content_preset.php' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2013-2750
Cross-site scripting (XSS) vulnerability in e107_plugins/content/handlers/content_preset.php in e107 before 1.0.3 allows remote attackers to inject arbitrary web script or HTML via the query string. Vulnerabilidad de XSS en e107_plugins/content/handlers/content_preset.php de e107 anterior a la versión 1.0.3 permite a atacantes remotos inyectar script Web o HTML arbitrario a través de una cadena de consulta. e107 CMS version 1.0.2 suffers from a reflective cross site scripting vulnerability. • https://www.exploit-db.com/exploits/38416 http://sourceforge.net/p/e107/svn/13079 http://www.securityfocus.com/archive/1/526168 https://www.secuvera.de/advisories/TC-SA-2013-01.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2011-4947
https://notcve.org/view.php?id=CVE-2011-4947
Cross-site request forgery (CSRF) vulnerability in e107_admin/users_extended.php in e107 before 0.7.26 allows remote attackers to hijack the authentication of administrators for requests that insert cross-site scripting (XSS) sequences via the user_include parameter. Vulnerabilidad de fasificación de peticiones en sitios cruzados (CSRF) en e107_admin/users_extended.php en e107 anteriores a v0.7.26 permite a atacantes remotos secuestrar la autenticación de los usuarios administradores en peticiones para insertar secuencias de comandos en sitios cruzados (XSS) a través del parámetro user_include. • http://e107.org/svn_changelog.php?version=0.7.26 http://e107.svn.sourceforge.net/viewvc/e107/trunk/e107_0.7/e107_admin/users_extended.php?r1=12225&r2=12306 http://www.openwall.com/lists/oss-security/2012/03/28/4 http://www.openwall.com/lists/oss-security/2012/03/29/3 https://exchange.xforce.ibmcloud.com/vulnerabilities/68062 https://www.htbridge.com/advisory/multiple_vulnerabilities_in_e107_1.html • CWE-352: Cross-Site Request Forgery (CSRF) •