
CVSS: 9.1 | EPSS: 92% | CPEs: 7 | EXPL: 3

Eval injection vulnerability in lib/TWiki/Plugins.pm in TWiki before 6.0.1 allows remote attackers to execute arbitrary Perl code via the debugenableplugins parameter to do/view/Main/WebHome. TWiki versions 4.0.x through 6.0.0 contain a vulnerability in the Debug functionality: the value of the debugenableplugins parameter is used without proper sanitization in a Perl eval statement, which allows remote code execution.
• References: https://www.exploit-db.com/exploits/36438 http://packetstormsecurity.com/files/128623/Twiki-Perl-Code-Execution.html http://seclists.org/fulldisclosure/2014/Oct/44 http://www.securityfocus.com/bid/70372 http://www.securitytracker.com/id/1030981
• CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVSS: 6.8 | EPSS: 35% | CPEs: 2 | EXPL: 3

lib/TWiki/Sandbox.pm in TWiki 6.0.0 and earlier, when running on Windows, allows remote attackers to bypass intended access restrictions and upload files with restricted names via a null byte (%00) in a filename to bin/upload.cgi, as demonstrated using .htaccess to execute arbitrary code. TWiki versions 4.x, 5.x, and 6.0.0 suffer from a file upload bypass vulnerability.
• References: http://seclists.org/fulldisclosure/2014/Oct/45 http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7237 http://www.securitytracker.com/id/1030982 https://exchange.xforce.ibmcloud.com/vulnerabilities/96952
• CWE-264: Permissions, Privileges, and Access Controls

CVSS: 10.0 | EPSS: 1% | CPEs: 1 | EXPL: 0

TWiki before 5.1.4 allows remote attackers to execute arbitrary shell commands by sending a crafted '%MAKETEXT{}%' parameter value containing Perl backtick characters.
• References: http://www.securitytracker.com/id/1028149 https://security-tracker.debian.org/tracker/CVE-2013-1751 https://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2013-1751
• CWE-20: Improper Input Validation

CVSS: 5.0 | EPSS: 0% | CPEs: 16 | EXPL: 1

The localization functionality in TWiki before 5.1.3, and Foswiki 1.0.x through 1.0.10 and 1.1.x through 1.1.6, allows remote attackers to cause a denial of service (memory consumption) via a large integer in a %MAKETEXT% macro.
• References: https://www.exploit-db.com/exploits/23580 http://sourceforge.net/mailarchive/message.php?msg_id=30219695 http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2012-6329 http://www.securityfocus.com/bid/56950
• CWE-189: Numeric Errors

CVSS: 4.3 | EPSS: 1% | CPEs: 20 | EXPL: 2

Multiple cross-site scripting (XSS) vulnerabilities in TWiki before 5.1.0 allow remote attackers to inject arbitrary web script or HTML via (1) the newtopic parameter in a WebCreateNewTopic action, related to the TWiki.WebCreateNewTopicTemplate topic; or (2) the query string to SlideShow.pm in the SlideShowPlugin. TWiki versions prior to 5.1.0 suffer from cross-site scripting vulnerabilities.
• References: https://www.exploit-db.com/exploits/36162 https://www.exploit-db.com/exploits/36163 http://archives.neohapsis.com/archives/bugtraq/2011-09/0142.html http://develop.twiki.org/trac/changeset/21920 http://secunia.com/advisories/46123 http://securitytracker.com/id?1026091 http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2011-3010 http://www.mavitunasecurity.com/xss-vulnerability-in-twiki5 http://www.osvdb.org/75673 http://www.osvdb.org/75674 http://www.securityfocus.com&#
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')