CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

09 Oct 2018 — There is a SQL injection in Benutzerverwaltung (user management) in REDAXO before 5.6.4. • https://github.com/redaxo/redaxo/releases/tag/5.6.4 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

09 Oct 2018 — Mediamanager in REDAXO before 5.6.4 has XSS. • https://github.com/redaxo/redaxo/releases/tag/5.6.4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 1

09 Oct 2018 — The $opener_input_field variable in addons/mediapool/pages/index.php in REDAXO 5.6.3 is not effectively filtered and is output directly to the page. The attacker can insert XSS payloads via an index.php?page=mediapool/media&opener_input_field=[XSS] request. • https://github.com/redaxo/redaxo/releases/tag/5.6.4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 1

01 Oct 2018 — The $args variable in addons/mediapool/pages/index.php in REDAXO 5.6.2 is not effectively filtered, because names are not restricted (only values are restricted). The attacker can insert XSS payloads via an index.php?page=mediapool/media&opener_input_field=&args[ substring. • https://github.com/redaxo/redaxo4/issues/421 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

01 Oct 2018 — In REDAXO before 5.6.3, a critical SQL injection vulnerability has been discovered in the rex_list class because of the prepareQuery function in core/lib/list.php, via the index.php?page=users/users sort parameter. The backend was affected; the frontend was affected only if rex_list was used. • https://github.com/redaxo/redaxo/issues/2043 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 6.1 | EPSS: 0% | CPEs: 5 | EXPL: 3

13 Aug 2012 — Cross-site scripting (XSS) vulnerability in include/classes/class.rex_list.inc.php in REDAXO 4.3.x and 4.4 allows remote attackers to inject arbitrary web script or HTML via the subpage parameter to index.php. • http://archives.neohapsis.com/archives/bugtraq/2012-07/0142.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.8 | EPSS: 4% | CPEs: 1 | EXPL: 1

06 Jun 2006 — PHP remote file inclusion vulnerability in Redaxo 2.7.4 allows remote attackers to execute arbitrary PHP code via a URL in the (1) REX[INCLUDE_PATH] parameter in (a) addons/import_export/pages/index.inc.php and (b) pages/community.inc.php. • https://www.exploit-db.com/exploits/1861

CVSS: 9.8 | EPSS: 4% | CPEs: 2 | EXPL: 1

06 Jun 2006 — PHP remote file inclusion vulnerability in Redaxo 3.0 up to 3.2 allows remote attackers to execute arbitrary PHP code via a URL in the REX[INCLUDE_PATH] parameter to image_resize/pages/index.inc.php. • https://www.exploit-db.com/exploits/1861

CVSS: 9.8 | EPSS: 4% | CPEs: 1 | EXPL: 1

06 Jun 2006 — Multiple PHP remote file inclusion vulnerabilities in Redaxo 3.0 allow remote attackers to execute arbitrary PHP code via a URL in the REX[INCLUDE_PATH] parameter to (1) simple_user/pages/index.inc.php and (2) stats/pages/index.inc.php. • https://www.exploit-db.com/exploits/1861