CVE-2024-36119 – Password confirmation stored in plain text via registration form in statamic/cms
https://notcve.org/view.php?id=CVE-2024-36119
Statamic is a, Laravel + Git powered CMS designed for building websites. In affected versions users registering via the `user:register_form` tag will have their password confirmation stored in plain text in their user file. This only affects sites matching **all** of the following conditions: 1. Running Statamic versions between 5.3.0 and 5.6.1. (This version range represents only one calendar week), 2. • https://dev.to/balogh08/cleaning-your-git-history-safely-removing-sensitive-data-10i5 https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository https://github.com/statamic/cms/commit/0b804306c96c99b81755d5bd02df87ddf392853e https://github.com/statamic/cms/security/advisories/GHSA-qvpj-w7xj-r6w9 • CWE-312: Cleartext Storage of Sensitive Information •
CVE-2019-11198
https://notcve.org/view.php?id=CVE-2019-11198
Multiple cross-site scripting (XSS) vulnerabilities in Sitecore CMS 9.0.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) #300583 - List Manager Dashboard module, (2) #307638 - Campaign Creator module, (3) #316994 - Attributes field, (4) I#316995 - Icon Selection module, (5) #317000 - Latitude field, (6) #317000 - Longitude field, (7) #317017 - UploadPackage2.aspx module, (8) #317072 - Context menu, or (9) I#317073 - Insert from Template dialog. Múltiples vulnerabilidades de tipo cross-site scripting (XSS) en CMS de Sitecore versión 9.0.1 y anteriores, permiten a los atacantes remotos inyectar script web o HTML arbitrario por medio de (1) #300583 - Módulo List Manager Dashboard, (2) #307638 - Módulo Campaign Creator, (3) #316994 - Campo Attributes, (4) I#316995 - Módulo Icon Selection, (5) #317000 - Campo Latitude, (6) #317000 - Campo Longitude, (7) #317017 - Módulo UploadPackage2.aspx, ( 8) #317072 - Menú Context, o (9) I#317073 - Insertar desde el cuadro de diálogo Template. • https://dev.sitecore.net/Downloads/Sitecore%20Experience%20Platform/92/Sitecore%20Experience%20Platform%2092%20Initial%20Release/Release%20Notes https://outpost24.com/blog • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2019-9875
https://notcve.org/view.php?id=CVE-2019-9875
Deserialization of Untrusted Data in the anti CSRF module in Sitecore through 9.1 allows an authenticated attacker to execute arbitrary code by sending a serialized .NET object in an HTTP POST parameter. La deserialización de datos no confiables en el módulo anti CSRF en Sitecore hasta la versón 9.1, permite a un atacante identificado ejecutar código arbitrario mediante el envío un objeto .NET serializado dentro de un parámetro POST de HTTP. • https://dev.sitecore.net/Downloads.aspx https://www.synacktiv.com/blog.html https://www.synacktiv.com/ressources/advisories/Sitecore_CSRF_deserialize_RCE.pdf • CWE-502: Deserialization of Untrusted Data •
CVE-2014-100004
https://notcve.org/view.php?id=CVE-2014-100004
Cross-site scripting (XSS) vulnerability in Sitecore CMS before 7.0 Update-4 (rev. 140120) allows remote attackers to inject arbitrary web script or HTML via the xmlcontrol parameter to the default URI. NOTE: some of these details are obtained from third party information. Vulnerabilidad de XSS en Sitecore CMS anterior a 7.0 actualización-4 (rev. 140120) permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro xmlcontrol en la URI por defecto. NOTA: algunos de estos detalles se obtienen de información de terceras partes. • http://osvdb.org/102660 http://secunia.com/advisories/56705 http://sitecorekh.blogspot.dk/2014/01/sitecore-releases-70-update-4-rev-140120.html http://www.securityfocus.com/archive/1/530901/100/0/threaded http://www.securityfocus.com/bid/65254 https://exchange.xforce.ibmcloud.com/vulnerabilities/90833 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2009-2163 – Sitecore CMS 6.0.0 rev. 090120 - 'default.aspx' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2009-2163
Cross-site scripting (XSS) vulnerability in login/default.aspx in Sitecore CMS before 6.0.2 Update-1 090507 allows remote attackers to inject arbitrary web script or HTML via the sc_error parameter. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en Sitecore CMS versiones anteriores a v6.0.2 Update-1 090507 permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elección mediante el parámetro "sc_error". • https://www.exploit-db.com/exploits/34930 http://forum.intern0t.net/intern0t-advisories/1082-intern0t-sitecore-net-6-0-0-cross-site-scripting-vulnerability.html http://secunia.com/advisories/35353 http://www.securityfocus.com/archive/1/504093/100/0/threaded http://www.securityfocus.com/archive/1/504132/100/0/threaded • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •