CVSS: 9.8EPSS: 3%CPEs: 16EXPL: 2CVE-2010-4867 – W-Agora 4.2.1 - 'search.php3?bn' Traversal Local File Inclusion
https://notcve.org/view.php?id=CVE-2010-4867
05 Oct 2011 — Directory traversal vulnerability in search.php3 (aka search.php) in W-Agora 4.2.1 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the bn parameter. Vulnerabilidad de salto de directorio en search.php3 (search.php) de W-Agora 4.2.1 y versiones anteriores. Permite a atacantes remotos incluir y ejecutar archivos locales arbitrarios a través de .. (punto punto) en el parámetro bn. • https://www.exploit-db.com/exploits/34905 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.1EPSS: 2%CPEs: 16EXPL: 3CVE-2010-4868 – W-Agora 4.2.1 - 'search.php?bn' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2010-4868
05 Oct 2011 — Cross-site scripting (XSS) vulnerability in search.php3 (aka search.php) in W-Agora 4.2.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the bn parameter. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en search.php3 (search.php) de W-Agora 4.2.1 y versiones anteriores. Permite a usuarios remotos inyectar codigo de script web o código HTML de su elección a través del parámetro bn. • https://www.exploit-db.com/exploits/34906 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2007-6647 – w-Agora 4.2.1 - 'cat' SQL Injection
https://notcve.org/view.php?id=CVE-2007-6647
04 Jan 2008 — SQL injection vulnerability in index.php in w-Agora 4.2.1 and earlier allows remote attackers to execute arbitrary SQL commands via the cat parameter. Vulnerabilidad de inyección SQL en index.php de w-Agora 4.2.1 y anteriores permite a atacantes remotos ejecutar comandos SQL de su elección a través del parámetro cat. • https://www.exploit-db.com/exploits/4817 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 3CVE-2004-1562 – W-Agora 4.1.6 - 'a redir_url.php?key' SQL Injection
https://notcve.org/view.php?id=CVE-2004-1562
31 Dec 2004 — SQL injection vulnerability in redir_url.php in w-Agora 4.1.6a allows remote attackers to execute arbitrary SQL commands via the key parameter. • https://www.exploit-db.com/exploits/24648 •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 5CVE-2004-1563 – W-Agora 4.1.6 - 'a download_thread.php?thread' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2004-1563
31 Dec 2004 — Multiple cross-site scripting (XSS) vulnerabilities in w-Agora 4.1.6a allow remote attackers to execute arbitrary web script or HTML via the (1) thread parameter to download_thread.php, (2) loginuser parameter to login.php, or (3) userid parameter to forgot_password.php. • https://www.exploit-db.com/exploits/24650 •
CVSS: 7.5EPSS: 5%CPEs: 1EXPL: 3CVE-2004-1564 – W-Agora 4.1.6a - 'subscribe_thread.php' HTTP Response Splitting
https://notcve.org/view.php?id=CVE-2004-1564
31 Dec 2004 — CRLF injection vulnerability in subscribe_thread.php in w-Agora 4.1.6a allows remote attackers to perform HTTP Response Splitting attacks to modify expected HTML content from the server via the thread parameter. • https://www.exploit-db.com/exploits/24651 •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2004-1565
https://notcve.org/view.php?id=CVE-2004-1565
31 Dec 2004 — list.php in w-Agora 4.1.6a allows remote attackers to reveal the full path via a crafted HTTP request, possibly involving a malformed id parameter. • http://lists.grok.org.uk/pipermail/full-disclosure/2004-September/027040.html •