CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 2CVE-2019-13343
https://notcve.org/view.php?id=CVE-2019-13343
Butor Portal before 1.0.27 is affected by a Path Traversal vulnerability leading to a pre-authentication arbitrary file download. Effectively, a remote anonymous user can download any file on servers running Butor Portal. WhiteLabelingServlet is responsible for this vulnerability. It does not properly sanitize user input on the theme t parameter before reusing it in a path. This path is then used without validation to fetch a file and return its raw content to the user via the /wl? • https://bitbucket.org/account/user/butor-team/projects/PROJ https://bitbucket.org/butor-team/portal/commits/all https://bitbucket.org/butor-team/portal/commits/cd7055d33e194fcf530100ee1d8d13aa9cde230b https://bitbucket.org/butor-team/portal/src/cd7055d33e194fcf530100ee1d8d13aa9cde230b/src/main/java/com/butor/portal/web/servlet/WhiteLabelingServlet.java?at=master https://www.gosecure.net/blog/2019/09/30/butor-portal-arbitrary-file-download-vulnerability-cve-2019-13343 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.0EPSS: 0%CPEs: 3EXPL: 1CVE-2019-7551
https://notcve.org/view.php?id=CVE-2019-7551
Cantemo Portal before 3.2.13, 3.3.x before 3.3.8, and 3.4.x before 3.4.9 has XSS. Leveraging this vulnerability would enable performing actions as users, including administrative users. This could enable account creation and deletion as well as deletion of information contained within the app. Cantemo Portal versión anterior a 3.2.13,versión 3.3.x anterior a 3.3.8 y versión 3.4.x anterior a 3.4.9 tiene una vulnerabilidad de tipo Cross-Site Scripting (XSS) que al atacar esta vulnerabilidad permitiría realizar acciones como usuarios, incluidos los usuarios administrativos. Esto podría permitir la creación y eliminación de cuentas, así como la eliminación de la información contenida en la aplicación. • https://blog-posts--cantemo.netlify.com/news/2019/03/cantemo-portal-xss-vulnerabilities https://doc.cantemo.com/latest/ReleaseNotes/intro.html#version-3-4-9 https://www.bishopfox.com/blog/news-category/advisories https://www.bishopfox.com/news/2019/03/cantemo-portal-version-3-8-4-cross-site-scripting • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2014-8268
https://notcve.org/view.php?id=CVE-2014-8268
QPR Portal before 2012.2.1 allows remote attackers to modify or delete notes via a direct request. QPR Portal anterior a 2012.2.1 permite a atacantes remotos modificar o eliminar notas a través de una solicitud directa. • http://www.kb.cert.org/vuls/id/546340 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2014-8267
https://notcve.org/view.php?id=CVE-2014-8267
Cross-site scripting (XSS) vulnerability in QPR Portal 2014.1.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the RID parameter. Vulnerabilidad de XSS en QPR Portal 2014.1.1 y anteriores permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro RID. • http://www.kb.cert.org/vuls/id/546340 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2014-8266
https://notcve.org/view.php?id=CVE-2014-8266
Multiple cross-site scripting (XSS) vulnerabilities in the note-creation page in QPR Portal 2014.1.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) title or (2) body field. Múltiples vulnerabilidades de XSS en la página de la creación de notas en QPR Portal 2014.1.1 y anteriores permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del campo (1) title o (2) body. • http://www.kb.cert.org/vuls/id/546340 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •