4 results (0.002 seconds)

CVSS: 6.0EPSS: 0%CPEs: 9EXPL: 0

The Simplenews Scheduler module 6.x-2.x before 6.x-2.4 for Drupal allows remote authenticated users with the "send scheduled newsletters" permission to inject arbitrary PHP code into the scheduling form, which is later executed by cron. El módulo Simplenews Scheduler v6.x-2.x antes de v6.x-2.4 para Drupal permite a usuarios remotos autenticados con el permiso "envío de boletines programados", inyectar código PHP arbitrario en el formulario de programación, que es posteriormente ejecutado por cron. • http://drupal.org/node/1789274 http://drupal.org/node/1789284 http://www.openwall.com/lists/oss-security/2012/11/20/4 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 0

SimpNews 2.41.03 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download arbitrary .inc files via a direct request, as demonstrated by admin/includes/dbtables.inc. SimpNews 2.41.03 almacena información sensible bajo la raíz de documentos web con control de acceso insuficiente, lo cual permite a atacantes remotos descargar ficheros .inc de su elección mediante una petición directa, como ha sido demostrado por admin/includes/dbtables.inc. SimpNews version 2.41.03 suffers from a local file inclusion vulnerability. • http://forum.boesch-it.de/viewtopic.php?t=2791 http://lists.grok.org.uk/pipermail/full-disclosure/2007-September/066056.html http://osvdb.org/45479 http://securityreason.com/securityalert/3173 http://www.netvigilance.com/advisory0069 http://www.securityfocus.com/archive/1/480601/100/0/threaded https://exchange.xforce.ibmcloud.com/vulnerabilities/36778 • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 5.0EPSS: 1%CPEs: 1EXPL: 0

SimpNews 2.41.03 allows remote attackers to obtain sensitive information via (1) an invalid lang parameter to admin/index.php; or a direct request to (2) admin/dbg_infos.php, (3) admin/heading.php, or (4) evsearch.php; which reveals the path in various error messages. SimpNews 2.41.03 permite a atacantes remotos obtener información sensible mediante (1) un parámetro lang inválido a admin/index.php; o una petición directa a (2) admin/dbg_infos.php, (3) admin/heading.php, o (4) evsearch.php; lo cual revela la ruta en varios mensajes de error. • http://forum.boesch-it.de/viewtopic.php?t=2791 http://lists.grok.org.uk/pipermail/full-disclosure/2007-September/066052.html http://osvdb.org/43540 http://osvdb.org/43541 http://osvdb.org/43542 http://osvdb.org/43543 http://securityreason.com/securityalert/3174 http://www.netvigilance.com/advisory0068 http://www.securityfocus.com/archive/1/480588/100/0/threaded https://exchange.xforce.ibmcloud.com/vulnerabilities/36779 •

CVSS: 10.0EPSS: 7%CPEs: 1EXPL: 1

SQL injection vulnerability in print.php in SimpleNews 1.0.0 FINAL allows remote attackers to execute arbitrary SQL commands via the news_id parameter. Vulnerabilidad de inyección SQL en print.php en SimpleNews 1.0.0 FINAL permite a atacantes remotos ejecutar comandos SQL de su elección a través del parámetro news_id. • https://www.exploit-db.com/exploits/3886 http://osvdb.org/35910 http://secunia.com/advisories/25223 http://www.securityfocus.com/bid/23904 http://www.vupen.com/english/advisories/2007/1741 http://www.w4ck1ng.com/exploits/w4ck1ng_simplenews.txt https://exchange.xforce.ibmcloud.com/vulnerabilities/34220 •