
CVSS: 5.8 | EPSS: 0% | CPEs: 11 | EXPL: 3

Open redirect vulnerability in the header function in adclick.php in OpenX 2.8.10 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the (1) dest parameter to adclick.php or (2) _maxdest parameter to ck.php.

OpenX version 2.8.10 suffers from multiple open redirection vulnerabilities.

• http://packetstormsecurity.com/files/128718/OpenX-2.8.10-Open-Redirect.html
• http://seclists.org/fulldisclosure/2014/Oct/72
• http://www.tetraph.com/blog/cves/cve-2014-2230-openx-open-redirect-vulnerability-2
• https://exchange.xforce.ibmcloud.com/vulnerabilities/97621

CVSS: 6.8 | EPSS: 0% | CPEs: 1 | EXPL: 3

Multiple cross-site request forgery (CSRF) vulnerabilities in OpenX 2.8.10, possibly before revision 82710, allow remote attackers to hijack the authentication of administrators, as demonstrated by requests that conduct directory traversal attacks via the group parameter to (1) plugin-preferences.php or (2) plugin-settings.php in www/admin, a different vulnerability than CVE-2013-3514.

• https://www.exploit-db.com/exploits/26624
• http://osvdb.org/94778
• http://seclists.org/bugtraq/2013/Jul/27
• https://www.htbridge.com/advisory/HTB23155
• CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 6.8 | EPSS: 1% | CPEs: 13 | EXPL: 4

Multiple cross-site request forgery (CSRF) vulnerabilities in OpenX 2.8.11 and earlier allow remote attackers to hijack the authentication of administrators for requests that delete (1) users via admin/agency-user-unlink.php, (2) advertisers via admin/advertiser-delete.php, (3) banners via admin/banner-delete.php, (4) campaigns via admin/campaign-delete.php, (5) channels via admin/channel-delete.php, (6) affiliate websites via admin/affiliate-delete.php, or (7) zones via admin/zone-delete.php.

OpenX version 2.8.11 suffers from multiple cross site request forgery vulnerabilities.

• https://www.exploit-db.com/exploits/39117
• http://packetstormsecurity.com/files/125735
• http://seclists.org/fulldisclosure/2014/Mar/270
• http://seclists.org/fulldisclosure/2014/May/68
• http://www.revive-adserver.com/security/revive-sa-2014-001
• http://www.securityfocus.com/archive/1/532108/100/0/threaded
• http://www.securityfocus.com/bid/66251
• https://exchange.xforce.ibmcloud.com/vulnerabilities/91889
• CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 7.5 | EPSS: 0% | CPEs: 4 | EXPL: 0

SQL injection vulnerability in www/delivery/axmlrpc.php (aka the XML-RPC delivery invocation script) in Revive Adserver before 3.0.2, and OpenX Source 2.8.11 and earlier, allows remote attackers to execute arbitrary SQL commands via the what parameter to an XML-RPC method.

• http://www.kreativrauschen.com/blog/2013/12/18/zero-day-vulnerability-in-openx-source-2-8-11-and-revive-adserver-3-0-1
• http://www.revive-adserver.com/security/REVIVE-SA-2013-001
• http://www.securityfocus.com/archive/1/530471/30/0/threaded
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 9.8 | EPSS: 97% | CPEs: 1 | EXPL: 3

A code execution vulnerability exists in OpenX Ad Server 2.8.10 due to a backdoor in the flowplayer-3.1.1.min.js library, which could let a remote malicious user execute arbitrary PHP code.

• https://www.exploit-db.com/exploits/27529
• http://www.exploit-db.com/exploits/27529
• http://www.openwall.com/lists/oss-security/2013/08/07/2
• http://www.securityfocus.com/bid/61650
• https://exchange.xforce.ibmcloud.com/vulnerabilities/86259
• https://packetstormsecurity.com/files/cve/CVE-2013-4211
• CWE-94: Improper Control of Generation of Code ('Code Injection')