CVSS: 7.5EPSS: 1%CPEs: 6EXPL: 4CVE-2010-2259 – Joomla! Component com_bfsurvey - Local File Inclusion
https://notcve.org/view.php?id=CVE-2010-2259
Directory traversal vulnerability in the BF Survey (com_bfsurvey) component for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php. Vulnerabilidad de salto de directorio en componente BF Survey (com_bfsurvey) de Jommla! permite a atacantes remotos añadir y ejecutar a su elección archivos locales a través de .. • https://www.exploit-db.com/exploits/10946 http://osvdb.org/61438 http://packetstormsecurity.org/1001-exploits/joomlabfsurvey-lfi.txt http://secunia.com/advisories/37866 http://www.exploit-db.com/exploits/10946 http://www.securityfocus.com/bid/37584 http://www.tamlyncreative.com.au/software/forum/index.php?topic=641.0 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 4CVE-2010-2255 – Joomla! Component com_bfsurvey_basic - SQL Injection
https://notcve.org/view.php?id=CVE-2010-2255
SQL injection vulnerability in the BF Survey Pro (com_bfsurvey_pro) component before 1.3.1, BF Survey Pro Free (com_bfsurvey_profree) component 1.2.6, and BF Survey Basic component before 1.2 for Joomla! allows remote attackers to execute arbitrary SQL commands via the catid parameter to index.php. NOTE: some of these details are obtained from third party information. Vulnerabilidad de inyección SQL en el componente BF Survey Pro (com_bfsurvey_pro) anterior v1.3.1, componente BF Survey Pro Free (com_bfsurvey_profree) v1.2.6, y componente BF Survey Basic anterior v1.2 para Joomla! permit a atacantes remotos ejecutar comandos SQL a través del parámetro catid en index.php. • https://www.exploit-db.com/exploits/10944 http://osvdb.org/61456 http://packetstormsecurity.org/1001-exploits/joomlabfsurveypro-sql.txt http://secunia.com/advisories/37868 http://www.securityfocus.com/bid/37585 http://www.tamlyncreative.com.au/software/forum/index.php?topic=641.0 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •