CVE-2013-2622 – Uebimiau 2.7.11 Cross Site Scripting / Open Redirection
https://notcve.org/view.php?id=CVE-2013-2622
Cross-site Scripting (XSS) in UebiMiau 2.7.11 and earlier allows remote attackers to inject arbitrary web script or HTML via the "selected_theme" parameter in error.php. Una vulnerabilidad de tipo Cross-site Scripting (XSS) en UebiMiau versión 2.7.11 y anteriores, permite a atacantes remotos inyectar script web o HTML arbitrario por medio del parámetro "selected_theme" en el archivo error.php. Uebimiau versions 2.7.11 and below suffer from open redirect and cross site scripting vulnerabilities. • https://exchange.xforce.ibmcloud.com/vulnerabilities/87807 https://packetstormsecurity.com/files/123557/Uebimiau-2.7.11-Cross-Site-Scripting-Open-Redirection.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2009-3199 – Uebimiau Webmail 3.2.0-2.0 - Arbitrary Database Disclosure
https://notcve.org/view.php?id=CVE-2009-3199
Uebimiau Webmail 3.2.0-2.0 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database with usernames and password hashes via a direct request for system_admin/admin.ucf. Uebimiau Webmail v3.2.0-2.0 almacena información sensible bajo la raíz del directorio web con control de acceso insuficiente, lo que permite a atacantes remotos descargar una base de datos con nombres de usuarios y hashes de contraseñas a través de un petición directa a system_admin/admin.ucf. • https://www.exploit-db.com/exploits/9493 http://www.exploit-db.com/exploits/9493 https://exchange.xforce.ibmcloud.com/vulnerabilities/52724 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2008-0210 – Uebimiau Web-Mail 2.7.10/2.7.2 - Remote File Disclosure
https://notcve.org/view.php?id=CVE-2008-0210
Uebimiau Webmail 2.7.10 and 2.7.2 does not protect authentication state variables from being set through HTTP requests, which allows remote attackers to bypass authentication via a sess[auth]=1 parameter settting. NOTE: this can be leveraged to conduct directory traversal attacks without authentication by using CVE-2008-0140. Uebimiau Webmail 2.7.10 y 2.7.2 no protege variables de estado de autenticación de ser establecidas mediante peticiones HTTP, lo cual permite a atacantes remotos evitar la autenticación mediante el parámetro de configuración sess[auth]=1. NOTA: esto podría ser aprovechado para llevar a cabo ataques de salto de directorio sin autenticación utilizando CVE-2008-0140. • https://www.exploit-db.com/exploits/4846 http://www.securityfocus.com/bid/27154 • CWE-287: Improper Authentication •
CVE-2008-0140 – Uebimiau Web-Mail 2.7.10/2.7.2 - Remote File Disclosure
https://notcve.org/view.php?id=CVE-2008-0140
Directory traversal vulnerability in error.php in Uebimiau Webmail 2.7.10 and 2.7.2 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the selected_theme parameter, a different vector than CVE-2007-3172. Vulnerabilidad de salto de directorio en error.php de Uebimiau Webmail 2.7.10 y 2.7.2 permite a usuarios autenticados remotamente leer archivos de su elección mediante un .. (punto punto) en el parámetro selected_theme, un vector diferente de CVE-2007-3172. • https://www.exploit-db.com/exploits/4846 http://www.attrition.org/pipermail/vim/2008-January/001867.html http://www.securityfocus.com/bid/27154 https://exchange.xforce.ibmcloud.com/vulnerabilities/39460 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2007-5235 – Uebimiau Webmail 2.7.2 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2007-5235
Cross-site scripting (XSS) vulnerability in index.php in Uebimiau 2.7.2 through 2.7.10 allows remote attackers to inject arbitrary web script or HTML via the f_email parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. Vulnerabilidad de secuencia de comandos en sitios cruzados (XSS) en index.php en Uebimiau 2.7.2 hasta la 2.7.10 permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro f_email. NOTA: la procedencia de esta información es desconocida; los detalles han sido obtenidos a partir de la información de terceros. • https://www.exploit-db.com/exploits/11906 https://www.exploit-db.com/exploits/30633 http://osvdb.org/39898 http://www.securityfocus.com/bid/25912 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •