CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 2CVE-2014-8874 – TYPO3 Extension ke_questionnaire 2.5.2 Information Disclosure
https://notcve.org/view.php?id=CVE-2014-8874
The ke_questionnaire extension 2.5.2 and earlier for TYPO3 uses predictable names for the questionnaire answer forms, which makes it easier for remote attackers to obtain sensitive information via a direct request. La extensión ke_questionnaire 2.5.2 y anteriores para TYPO3 utiliza nombres previsibles para los formularios de respuestas del cuestionario, lo que facilita a atacantes remotos obtener información sensible a través de una solicitud directa. The TYPO3 extension ke_questionnaire stores answered questionnaires in a publicly reachable directory on the webserver with filenames that are easily guessable. Version 2.5.2 is affected. • http://seclists.org/fulldisclosure/2014/Dec/1 http://www.securityfocus.com/archive/1/534126/100/0/threaded https://www.redteam-pentesting.de/advisories/rt-sa-2014-009 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2014-6293
https://notcve.org/view.php?id=CVE-2014-6293
SQL injection vulnerability in the Statistics (ke_stats) extension before 1.1.2 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, as exploited in the wild in February 2014. Vulnerabilidad de inyección SQL en la extensión Statistics (ke_stats) anterior a 1.1.2 para TYPO3 permite a atacantes remotos inyectar comandos SQL arbitrarios a través de vectores no especificados, tal y como fue demostrado activamente en febrero 2014. • http://typo3.org/extensions/repository/view/ke_stats http://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2014-002 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 58%CPEs: 1EXPL: 1CVE-2014-6235 – TYPO3 Extension ke DomPDF - Remote Code Execution
https://notcve.org/view.php?id=CVE-2014-6235
Unspecified vulnerability in the ke DomPDF extension before 0.0.5 for TYPO3 allows remote attackers to execute arbitrary code via unknown vectors. Vulnerabilidad no especificada en la extensión ke DomPDF anterior a 0.0.5 para TYPO3 permite a atacantes remotos ejecutar código arbitrario a través de vectores desconocidos. The TYPO3 extension ke_dompdf contains a version of the dompdf library including all files originally supplied with it. This includes an examples page, which contains different examples for HTML-entities rendered as a PDF. This page also allows users to enter their own HTML code into a text box to be rendered by the webserver using dompdf. dompdf also supports rendering of PHP files and the examples page also accepts PHP code tags, which are then executed and rendered into a PDF on the server. • https://www.exploit-db.com/exploits/35443 http://typo3.org/extensions/repository/view/ke_dompdf http://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2014-010 http://www.securityfocus.com/bid/69563 https://exchange.xforce.ibmcloud.com/vulnerabilities/95706 •
CVSS: 4.3EPSS: 0%CPEs: 13EXPL: 0CVE-2013-5307
https://notcve.org/view.php?id=CVE-2013-5307
Cross-site scripting (XSS) vulnerability in the Faceted Search (ke_search) extension before 1.4.1 for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad Cross-site scripting (XSS) en la extensión Faceted Search (ke_search) anterior a v1.4.1 para TYPO3, permite a atacantes remotos inyectar web scripts arbitrarios o HTML mediante vectores desconocidos • http://osvdb.org/95960 http://secunia.com/advisories/54306 http://typo3.org/extensions/repository/view/ke_search http://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2013-013 http://www.securityfocus.com/bid/61609 https://exchange.xforce.ibmcloud.com/vulnerabilities/86236 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2013-5302
https://notcve.org/view.php?id=CVE-2013-5302
SQL injection vulnerability in the Faceted Search (ke_search) extension before 1.4.1 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. Vulnerabilidad de inyección SQL en la extensión Faceted Search (ke_search) anterior a v1.4.1 para TYPO3 permite a atacantes remotos ejecutar comandos SQL arbitrarios mediante vectores desconocidos. • http://osvdb.org/95959 http://secunia.com/advisories/54306 http://typo3.org/extensions/repository/view/ke_search http://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2013-013 http://www.securityfocus.com/bid/61609 https://exchange.xforce.ibmcloud.com/vulnerabilities/86235 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •