CVE-2012-6691
https://notcve.org/view.php?id=CVE-2012-6691
Multiple cross-site request forgery (CSRF) vulnerabilities in the admin panel in osCMax before 2.5.1 allow remote attackers to hijack the authentication of administrators for requests that conduct SQL injection attacks via the (1) status parameter to admin/stats_monthly_sales.php or (2) country parameter in a process action to admin/create_account_process.php.
References:
• http://archives.neohapsis.com/archives/bugtraq/2012-04/0021.html
• http://www.oscmax.com/blog/michael_s/oscmax_v251_has_been_released_security_update
• http://www.securityfocus.com/bid/74753
• https://www.htbridge.com/advisory/HTB23081
Weakness: CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2012-1664 – osCMax 2.5 - '/admin/geo_zones.php?zID' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2012-1664
Multiple cross-site scripting (XSS) vulnerabilities in the admin panel in osCMax before 2.5.1 allow remote attackers to inject arbitrary web script or HTML via the (1) username parameter in a process action to admin/login.php; (2) pageTitle, (3) current_product_id, or (4) cPath parameter to admin/new_attributes_include.php; (5) sb_id, (6) sb_key, (7) gc_id, (8) gc_key, or (9) path parameter to admin/htaccess.php; (10) title parameter to admin/information_form.php; (11) search parameter to admin/xsell.php; (12) gross or (13) max parameter to admin/stats_products_purchased.php; (14) status parameter to admin/stats_monthly_sales.php; (15) sorted parameter to admin/stats_customers.php; (16) information_id parameter to /admin/information_manager.php; or (17) zID parameter to /admin/geo_zones.php. osCmax version 2.5.0 suffers from cross-site scripting and remote SQL injection vulnerabilities.
References:
• https://www.exploit-db.com/exploits/37045
• https://www.exploit-db.com/exploits/37039
• https://www.exploit-db.com/exploits/37044
• https://www.exploit-db.com/exploits/37038
• https://www.exploit-db.com/exploits/37046
• https://www.exploit-db.com/exploits/37043
• https://www.exploit-db.com/exploits/37042
• https://www.exploit-db.com/exploits/37041
• https://www.exploit-db.com/exploits/37040
• http://archives.neohapsis.com/archives/bugtraq/2012-04/0021.html
• http://bugtrack.oscmax
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2012-1665 – osCMax 2.5 - '/admin/login.php?Username' SQL Injection
https://notcve.org/view.php?id=CVE-2012-1665
Multiple SQL injection vulnerabilities in the admin panel in osCMax before 2.5.1 allow (1) remote attackers to execute arbitrary SQL commands via the username parameter in a process action to admin/login.php, or (2) remote administrators to execute arbitrary SQL commands via the status parameter to admin/stats_monthly_sales.php or (3) the country parameter in a process action to admin/create_account_process.php. osCmax version 2.5.0 suffers from cross-site scripting and remote SQL injection vulnerabilities.
References:
• https://www.exploit-db.com/exploits/37047
• https://www.exploit-db.com/exploits/37048
• http://archives.neohapsis.com/archives/bugtraq/2012-04/0021.html
• http://bugtrack.oscmax.com/view.php?id=1165
• http://www.oscmax.com/blog/michael_s/oscmax_v251_has_been_released_security_update
• http://www.osvdb.org/80900
• http://www.osvdb.org/80901
• http://www.osvdb.org/80902
• https://www.htbridge.com/advisory/HTB23081
Weakness: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2007-4959
https://notcve.org/view.php?id=CVE-2007-4959
Cross-site scripting (XSS) vulnerability in catalog_products_with_images.php in osCMax 2.0.0-RC3-0-1 allows remote attackers to inject arbitrary web script or HTML via the URI. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
References:
• http://osvdb.org/37094
• http://secunia.com/advisories/26833
• http://www.securityfocus.com/bid/25684
• http://www.vupen.com/english/advisories/2007/3187
• https://exchange.xforce.ibmcloud.com/vulnerabilities/36642
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')