CVE-2023-32268 – Administrator equivalent Filr user can access proxy administrator credentials
https://notcve.org/view.php?id=CVE-2023-32268
Exposure of Proxy Administrator Credentials An authenticated administrator equivalent Filr user can access the credentials of proxy administrators. Exposición de las credenciales de administrador proxy un usuario de Filr equivalente a un administrador autenticado puede acceder a las credenciales de los administradores proxy. • https://portal.microfocus.com/s/article/KM000020081?language=en_US • CWE-522: Insufficiently Protected Credentials •
CVE-2023-5762 – Filr – Secure document library < 1.2.3.6 - Author+ RCE via file upload with phar ext
https://notcve.org/view.php?id=CVE-2023-5762
The Filr WordPress plugin before 1.2.3.6 is vulnerable from an RCE (Remote Code Execution) vulnerability, which allows the operating system to execute commands and fully compromise the server on behalf of a user with Author-level privileges. El complemento Filr de WordPress anterior a 1.2.3.6 es afectado por una vulnerabilidad RCE (ejecución remota de código), que permite al sistema operativo ejecutar comandos y comprometer completamente el servidor en nombre de un usuario con privilegios de nivel de autor. The Filr – Secure document library plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to 1.2.3.5 (inclusive). This makes it possible for authenticated attackers, with author-level or above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://wpscan.com/vulnerability/6ad99725-eccc-4b61-bce2-668b62619deb • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2022-38755 – Filr Remote unauthenticated user enumeration for versions prior to 4.3.1.1
https://notcve.org/view.php?id=CVE-2022-38755
A vulnerability has been identified in Micro Focus Filr in versions prior to 4.3.1.1. The vulnerability could be exploited to allow a remote unauthenticated attacker to enumerate valid users of the system. Remote unauthenticated user enumeration. This issue affects: Micro Focus Filr versions prior to 4.3.1.1. Se ha identificado una vulnerabilidad en Micro Focus Filr en versiones anteriores a la 4.3.1.1. • https://portal.microfocus.com/s/article/KM000011886?language=en_US •
CVE-2022-1777 – Filr - Secure Document Library < 1.2.2.1 - Subscriber+ AJAX Calls
https://notcve.org/view.php?id=CVE-2022-1777
The Filr WordPress plugin before 1.2.2.1 does not have authorisation check in two of its AJAX actions, allowing them to be called by any authenticated users, such as subscriber. They are are protected with a nonce, however the nonce is leaked on the dashboard. This could allow them to upload arbitrary HTML files as well as delete all files or arbitrary ones. El plugin Filr de WordPress versiones anteriores a 1.2.2.1, no presenta comprobación de autorización en dos de sus acciones AJAX, lo que permite que sean llamadas por cualquier usuario autenticado, como el suscriptor. Están protegidas con un nonce, sin embargo el nonce es filtrado en el dashboard. • https://wpscan.com/vulnerability/a50dc7f8-a9e6-41fa-a047-ad1c3bc309b4 • CWE-862: Missing Authorization •
CVE-2016-1611 – Micro Focus Filr 2 2.0.0.421/1.2 1.2.0.846 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2016-1611
Novell Filr 1.2 before Hot Patch 6 and 2.0 before Hot Patch 2 uses world-writable permissions for /etc/profile.d/vainit.sh, which allows local users to gain privileges by replacing this file's content with arbitrary shell commands. Novell Filr 1.2 en versiones anteriores a Hot Patch 6 y 2.0 en versiones anteriores a Hot Patch 2 usa permisos de escritura universal para /etc/profile.d/vainit.sh, lo que permite a usuarios locales obtener privilegios reemplazando este contenido del archivo con comandos shell arbitrarios. Multiple Micro Focus Filr appliances suffer from cross site request forgery, cross site scripting, command injection, insecure design, missing cookie flag, authentication bypass, poor permission, and path traversal vulnerabilities. • https://www.exploit-db.com/exploits/40161 http://seclists.org/bugtraq/2016/Jul/119 http://www.securityfocus.com/bid/92113 https://www.novell.com/support/kb/doc.php?id=7017689 • CWE-264: Permissions, Privileges, and Access Controls •