CVSS: 7.5EPSS: 0%CPEs: 8EXPL: 0CVE-2014-2737
https://notcve.org/view.php?id=CVE-2014-2737
SQL injection vulnerability in the get_active_session function in the KTAPI_UserSession class in webservice/clienttools/services/mdownload.php in KnowledgeTree 3.7.0.2 and earlier allows remote attackers to execute arbitrary SQL commands via the u parameter, related to the getFileName function. Vulnerabilidad de inyección SQL en la función get_active_session en la clase KTAPI_UserSession en webservice/clienttools/services/mdownload.php en KnowledgeTree 3.7.0.2 y anteriores permite a atacantes remotos ejecutar comandos SQL arbitrarios a través del parámetro u, relacionado con la función getFileName. • http://www.securityfocus.com/archive/1/531886/100/0/threaded http://www.securityfocus.com/bid/66988 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 4.6EPSS: 0%CPEs: 1EXPL: 0CVE-2006-2443
https://notcve.org/view.php?id=CVE-2006-2443
The Debian package of knowledgetree 2.0.7 creates environment.php with world-readable permissions, which allows local users to obtain sensitive information such as the username and password for the KnowledgeTree database. • http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=348306 •