5 results (0.011 seconds)

CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 1

Quixplorer <=2.4.1 is vulnerable to reflected cross-site scripting (XSS) caused by improper validation of user supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute a script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. Quixplorer versiones anteriores a 2.4.1, es susceptible a una vulnerabilidad de tipo cross-site scripting (XSS) reflejado causado por una comprobación inapropiada de la entrada suministrada por el usuario.&#xa0;Un atacante remoto podría explotar esta vulnerabilidad usando una URL especialmente diseñada para ejecutar un script en el navegador Web de la víctima dentro del contexto de seguridad del sitio Web de hosting, una vez que la URL es cliqueada. • https://dl.packetstormsecurity.net/1804-exploits/quixplorer241beta-xss.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1

Multiple cross-site scripting (XSS) vulnerabilities in QuiXplorer before 2.5.5 allow remote attackers to inject arbitrary web script or HTML via the (1) dir, (2) item, (3) order, (4) searchitem, (5) selitems[], or (6) srt parameter to index.php or (7) the QUERY_STRING to index.php. Múltiples vulnerabilidades de tipo cross-site scripting (XSS) en QuiXplorer versiones anteriores a la versión 2.5.5, permiten a atacantes remotos inyectar script web o HTML arbitrario por medio del parámetro (1) dir, (2) item, (3) order, (4) searchitem, (5) selitems[], o (6) srt en el archivo index.php o (7) del parámetro QUERY_STRING en el archivo index.php. • https://exchange.xforce.ibmcloud.com/vulnerabilities/89056 https://github.com/realtimeprojects/quixplorer https://www3.trustwave.com/spiderlabs/advisories/TWSL2013-030.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.8EPSS: 9%CPEs: 1EXPL: 2

Directory traversal vulnerability in the zip download functionality in QuiXplorer before 2.5.5 allows remote attackers to read arbitrary files via a .. (dot dot) in the selitems[] parameter in a download_selected action to index.php. Vulnerabilidad de salto de directorio en la funcionalidad de descarga de zip en QuiXplorer anterior a 2.5.5 permite a atacantes remotos leer ficheros arbitrarios a través de un .. (punto punto) en el parámetro selitems[] en una acción download_selected en index.php. • http://secunia.com/advisories/55725 https://exchange.xforce.ibmcloud.com/vulnerabilities/89059 https://github.com/realtimeprojects/quixplorer https://github.com/realtimeprojects/quixplorer/blob/v2.5.5/doc/RELEASES.md https://github.com/realtimeprojects/quixplorer/commit/7ac119cebd3b6bfe16a30fd1d5290127310a4436 https://www3.trustwave.com/spiderlabs/advisories/TWSL2013-030.txt • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 7.5EPSS: 2%CPEs: 20EXPL: 2

Unrestricted file upload vulnerability in QuiXplorer 2.3 and earlier allows remote attackers to execute arbitrary code by uploading a file with an executable extension using the upload action to index.php, then accessing it via a direct request to the file in an unspecified directory. Vulnerabilidad de subida no restringida de ficheros en QuiXplorer v2.3 y anteriores permite a atacantes remotos ejecutar código de su elección al subir un fichero con una extensión ejecutable usando la opción de subir en index.php, accediendo posteriormente mediante una petición directa del fichero en un directorio no especificado • https://www.exploit-db.com/exploits/18118 http://www.exploit-db.com/exploits/18118 https://exchange.xforce.ibmcloud.com/vulnerabilities/71323 •

CVSS: 6.8EPSS: 81%CPEs: 69EXPL: 2

Directory traversal vulnerability in .include/init.php (aka admin/_include/init.php) in QuiXplorer 2.3.2 and earlier, as used in TinyWebGallery (TWG) 1.7.6 and earlier, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the lang parameter to admin/index.php. Vulnerabilidad de salto de directorio en .include/init.php (también conocido como admin/_include/init.php) en QuiXplorer v2.3.2 y anteriores, utilizado en TinyWebGallery v1.7.6 y anteriores, permite a los atacantes remotos, incluir y ejecutar arbitrariamente archivos locales a través de ..(punto punto) en el parámetro "lang" para admin/index.php. • https://www.exploit-db.com/exploits/8649 http://secunia.com/advisories/35020 http://secunia.com/advisories/35060 http://www.securityfocus.com/archive/1/503396/100/0/threaded http://www.securityfocus.com/bid/34892 http://www.tinywebgallery.com/forum/viewtopic.php?t=1653 https://exchange.xforce.ibmcloud.com/vulnerabilities/50408 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •