CVSS: 9.1EPSS: 93%CPEs: 7EXPL: 3CVE-2014-7236 – TWiki Debugenableplugins - Remote Code Execution
https://notcve.org/view.php?id=CVE-2014-7236
Eval injection vulnerability in lib/TWiki/Plugins.pm in TWiki before 6.0.1 allows remote attackers to execute arbitrary Perl code via the debugenableplugins parameter to do/view/Main/WebHome. Una vulnerabilidad de inyección Eval en la biblioteca lib/TWiki/Plugins.pm en TWiki versiones anteriores a 6.0.1, permite a atacantes remotos ejecutar código de Perl arbitrario por medio del parámetro debugenableplugins en el archivo do/view/Main/WebHome. TWiki versions 4.0.x through 6.0.0 contain a vulnerability in the Debug functionality. The value of the debugenableplugins parameter is used without proper sanitization in an Perl eval statement which allows remote code execution. • https://www.exploit-db.com/exploits/36438 http://packetstormsecurity.com/files/128623/Twiki-Perl-Code-Execution.html http://seclists.org/fulldisclosure/2014/Oct/44 http://www.securityfocus.com/bid/70372 http://www.securitytracker.com/id/1030981 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 6.8EPSS: 35%CPEs: 2EXPL: 3CVE-2014-7237 – Twiki Upload Bypass
https://notcve.org/view.php?id=CVE-2014-7237
lib/TWiki/Sandbox.pm in TWiki 6.0.0 and earlier, when running on Windows, allows remote attackers to bypass intended access restrictions and upload files with restricted names via a null byte (%00) in a filename to bin/upload.cgi, as demonstrated using .htaccess to execute arbitrary code. lib/TWiki/Sandbox.pm en TWiki 6.0.0 y anteriores, cuando se ejecuta en Windows, permite a atacantes remotos evadir las restricciones de acceso y subir ficheros con nombres restringidos a través un byte nulo (%00) en el nombre del fichero en bin/upload.cgi, como lo demuestra el uso de .htaccess para ejecutar código arbitrario. Twiki versions 4.x, 5.x, and 6.0.0 suffer from a file upload bypass vulnerability. • http://seclists.org/fulldisclosure/2014/Oct/45 http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7237 http://www.securitytracker.com/id/1030982 https://exchange.xforce.ibmcloud.com/vulnerabilities/96952 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 10.0EPSS: 2%CPEs: 1EXPL: 0CVE-2013-1751
https://notcve.org/view.php?id=CVE-2013-1751
TWiki before 5.1.4 allows remote attackers to execute arbitrary shell commands by sending a crafted '%MAKETEXT{}%' parameter value containing Perl backtick characters. TWiki versiones anteriores a 5.1.4, permite a atacantes remotos ejecutar comandos de shell arbitrarios mediante el envío de un valor del parámetro "%MAKETEXT{}%" diseñado que contiene caracteres Perl backtick. • http://www.securitytracker.com/id/1028149 https://security-tracker.debian.org/tracker/CVE-2013-1751 https://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2013-1751 • CWE-20: Improper Input Validation •
CVSS: 5.0EPSS: 0%CPEs: 16EXPL: 1CVE-2012-6330 – Foswiki MAKETEXT - Remote Command Execution
https://notcve.org/view.php?id=CVE-2012-6330
The localization functionality in TWiki before 5.1.3, and Foswiki 1.0.x through 1.0.10 and 1.1.x through 1.1.6, allows remote attackers to cause a denial of service (memory consumption) via a large integer in a %MAKETEXT% macro. La funcionalidad de localización en TWiki anteriores a v5.1.3, y Foswiki v1.0.x hasta v1.0.10 y v1.1.x hasta v1.1.6, permite a atacantes remotos a provocar una denegación de servicio (consumo de memoria)a través de un entero largo en una macro %MAKETEXT%. • https://www.exploit-db.com/exploits/23580 http://sourceforge.net/mailarchive/message.php?msg_id=30219695 http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2012-6329 http://www.securityfocus.com/bid/56950 • CWE-189: Numeric Errors •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 2CVE-2012-0979
https://notcve.org/view.php?id=CVE-2012-0979
Cross-site scripting (XSS) vulnerability in TWiki allows remote attackers to inject arbitrary web script or HTML via the organization field in a profile, involving (1) registration or (2) editing of the user. Una vulnerabilidad de ejecución de comandos en sitios cruzados (XSS) en TWiki permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del campo 'organización' en un perfil, con la participación de un usuario mediante su (1) registro o (2) la edición de su perfil. • http://osvdb.org/78664 http://packetstormsecurity.org/files/109246/twiki-xss.txt http://secunia.com/advisories/47784 http://st2tea.blogspot.com/2012/01/cross-site-scripting-twiki.html http://www.securityfocus.com/bid/51731 http://www.securitytracker.com/id?1026604 https://exchange.xforce.ibmcloud.com/vulnerabilities/72821 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •