5 results (0.004 seconds)

CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0

mojoPortal through 2.6.0.0 is prone to multiple persistent cross-site scripting vulnerabilities because it fails to sanitize user-supplied input. The 'Title' and 'Subtitle' fields of the 'Blog' page are vulnerable. NOTE: The software maintainer disputes this as a vulnerability because the fields claimed to be vulnerable to XSS are only available to administrators who are supposed to have access to add scripts ** EN DISPUTA ** mojoPortal, hasta la versión 2.6.0.0 es propenso a múltiples vulnerabilidades de Cross-Site Scripting (XSS) debido a que fracasa a la hora de sanear entradas proporcionadas por el usuario. Los campos "Title" y "Subtitle" de la página "Blog" son vulnerables. NOTA: el mantenedor de software discute esta vulnerabilidad debido a que los campos que se indican como vulnerables a Cross-Site Scripting (XSS) están disponibles solamente a los administradores que deberían tener acceso para añadir scripts • http://www.securityfocus.com/bid/103263 https://github.com/i7MEDIA/mojoportal/issues/82 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0

Cross-site scripting (XSS) vulnerability in Help.aspx in mojoPortal version 2.5.0.0 allows remote attackers to inject arbitrary web script or HTML via the helpkey parameter. Exploitation requires authenticated reflected cross-site scripting for user accounts assigned either the "Administrators" or "Content Administrators" role. Vulnerabilidad de Cross-Site Scripting (XSS) en Help.aspx en mojoPortal en su versión 2.5.0.0 permite que atacantes remotos inyecten scripts web o HTML arbitrarios mediante el parámetro helpkey. La explotación requiere de Cross-Site Scripting (XSS) reflejado autenticado para cuentas de usuario que tengan asignadas los roles de "Administrators" o "Content Administrators". • https://github.com/i7MEDIA/mojoportal/commit/5ea8129f74c80cbf1f68b9083c745cc8a685485d https://www.mojoportal.com/mojoportal-2-6 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.3EPSS: 0%CPEs: 40EXPL: 1

Cross-site scripting (XSS) vulnerability in Forums/EditPost.aspx in mojoPortal before 2.3.9.8 allows remote attackers to inject arbitrary web script or HTML via the txtSubject parameter. Vulnerabilidad de XSS en Forums/EditPost.aspx en mojoPortal anterior a 2.3.9.8, permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarias a través del parámetro "txtSubject". • http://archives.neohapsis.com/archives/bugtraq/2013-07/0200.html http://osvdb.org/95847 http://packetstormsecurity.com/files/122608/MojoPortal-2.3.9.7-Cross-Site-Scripting.html http://secunia.com/advisories/54297 http://www.securityfocus.com/bid/61520 https://exchange.xforce.ibmcloud.com/vulnerabilities/86058 https://www.mojoportal.com/mojoportal-2398-released • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 4

Cross-site scripting (XSS) vulnerability in ProfileView.aspx in mojoPortal 2.3.4.3 and 2.3.5.1 allows remote attackers to inject arbitrary web script or HTML via the User ID parameter. NOTE: some of these details are obtained from third party information. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en ProfileView.aspx de mojoPortal v2.3.4.3 y v2.3.5.1 permite a usuarios remotos inyectar codigo de script web o código HTML de su elección a través del parámetro "User ID". NOTA: algunos de estos detalles han sido obtenidos dde información de terceras partes. • https://www.exploit-db.com/exploits/15018 http://osvdb.org/68059 http://packetstormsecurity.org/1009-advisories/moaub16-mojoportal.pdf http://packetstormsecurity.org/1009-exploits/moaub-mojoportal.txt http://secunia.com/advisories/41481 http://www.exploit-db.com/exploits/15018 http://www.mojoportal.com/mojoportal-2352-released.aspx http://www.securityfocus.com/bid/43268 https://exchange.xforce.ibmcloud.com/vulnerabilities/61835 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.8EPSS: 1%CPEs: 2EXPL: 4

Cross-site request forgery (CSRF) vulnerability in the file manager service (Services/FileService.ashx) in mojoPortal 2.3.4.3 and 2.3.5.1 allows remote attackers to hijack the authentication of administrators for requests that rename arbitrary files, as demonstrated by causing the user.config file to be moved, leading to a denial of service (service stop) and possibly the exposure of sensitive information. Vulnerabilidad de falsificación de petición en sitios cruzados (CSRF) en el servicio de gestión de ficheros (Services/FileService.ashx) de mojoPortal v2.3.4.3 y v2.3.5.1 permite a usuarios remotos secuestrar (hijack) la autenticación de administrador para peticiones que renombran ficheros de su elección, como se ha demostrado moviendo el fichero user.config, provocando una denegación de servicio (parada del servicio) y posiblemente la exposición de información confidencial. • https://www.exploit-db.com/exploits/15018 http://osvdb.org/68060 http://packetstormsecurity.org/1009-advisories/moaub16-mojoportal.pdf http://packetstormsecurity.org/1009-exploits/moaub-mojoportal.txt http://secunia.com/advisories/41481 http://www.exploit-db.com/exploits/15018 http://www.mojoportal.com/mojoportal-2352-released.aspx https://exchange.xforce.ibmcloud.com/vulnerabilities/61834 • CWE-352: Cross-Site Request Forgery (CSRF) •