CVE-2014-10006
https://notcve.org/view.php?id=CVE-2014-10006
Multiple cross-site request forgery (CSRF) vulnerabilities in Maian Uploader 4.0 allow remote attackers to hijack the authentication of unspecified users for requests that conduct cross-site scripting (XSS) attacks via the width parameter to (1) uploader/admin/js/load_flv.js.php or (2) uploader/js/load_flv.js.php. Múltiples vulnerabilidades de CSRF en Maian Uploader 4.0 permiten a atacantes remotos secuestrar la autenticación de usuarios no especifcados para solicitudes que realizan ataques de XSS a través del parámetro width en (1) uploader/admin/js/load_flv.js.php o (2) uploader/js/load_flv.js.php. • http://packetstormsecurity.com/files/124918 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2014-10005
https://notcve.org/view.php?id=CVE-2014-10005
Maian Uploader 4.0 allows remote attackers to obtain sensitive information via a request without the height parameter to load_flv.js.php, which reveals the installation path in an error message. Maian Uploader 4.0 permite a atacantes remotos obtener información sensible a través de una solicitud sin el parámetro height en load_flv.js.php, lo que revela la ruta de instalación en un mensaje de error. • http://packetstormsecurity.com/files/124918 http://www.osvdb.org/102487 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2014-10003
https://notcve.org/view.php?id=CVE-2014-10003
Multiple cross-site scripting (XSS) vulnerabilities in Maian Uploader 4.0 allow remote attackers to inject arbitrary web script or HTML via the width parameter to (1) uploader/admin/js/load_flv.js.php or (2) uploader/js/load_flv.js.php. Múltiples vulnerabilidades de XSS en Maian Uploader 4.0 permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro width en (1) uploader/admin/js/load_flv.js.php o (2) uploader/js/load_flv.js.php. • http://osvdb.org/102489 http://packetstormsecurity.com/files/124918 https://exchange.xforce.ibmcloud.com/vulnerabilities/90716 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2014-10004
https://notcve.org/view.php?id=CVE-2014-10004
SQL injection vulnerability in admin/data_files/move.php in Maian Uploader 4.0 allows remote attackers to execute arbitrary SQL commands via the id parameter. Vulnerabilidad de inyección SQL en admin/data_files/move.php en Maian Uploader 4.0 permite a atacantes remotos ejecutar comandos SQL arbitrarios a través del parámetro id. • http://osvdb.org/102488 http://packetstormsecurity.com/files/124918 https://exchange.xforce.ibmcloud.com/vulnerabilities/90715 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2008-3321 – Maian Uploader 4.0 - Insecure Cookie Handling
https://notcve.org/view.php?id=CVE-2008-3321
admin/index.php in Maian Uploader 4.0 and earlier allows remote attackers to bypass authentication and gain administrative access by sending an arbitrary uploader_cookie cookie. admin/index.php en Maian Uploader 4.0 y versiones anteriores permite a atacantes remotos evitar la autenticación y obtener acceso administrativo enviando una cookie arbitraria uploader_cookie. • https://www.exploit-db.com/exploits/6065 http://secunia.com/advisories/31045 http://www.maianscriptworld.co.uk/free-php-scripts/maian-uploader/development/index.html http://www.maianscriptworld.co.uk/news.html http://www.securityfocus.com/bid/30210 https://exchange.xforce.ibmcloud.com/vulnerabilities/43752 • CWE-287: Improper Authentication •