CVSS: 7.5EPSS: 0%CPEs: 16EXPL: 2CVE-2010-4867 – W-Agora 4.2.1 - 'search.php3?bn' Traversal Local File Inclusion
https://notcve.org/view.php?id=CVE-2010-4867
Directory traversal vulnerability in search.php3 (aka search.php) in W-Agora 4.2.1 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the bn parameter. Vulnerabilidad de salto de directorio en search.php3 (search.php) de W-Agora 4.2.1 y versiones anteriores. Permite a atacantes remotos incluir y ejecutar archivos locales arbitrarios a través de .. (punto punto) en el parámetro bn. • https://www.exploit-db.com/exploits/34905 http://securityreason.com/securityalert/8426 http://www.securityfocus.com/archive/1/514420/100/0/threaded http://www.securityfocus.com/bid/44370 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 4.3EPSS: 0%CPEs: 16EXPL: 3CVE-2010-4868 – W-Agora 4.2.1 - 'search.php?bn' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2010-4868
Cross-site scripting (XSS) vulnerability in search.php3 (aka search.php) in W-Agora 4.2.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the bn parameter. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en search.php3 (search.php) de W-Agora 4.2.1 y versiones anteriores. Permite a usuarios remotos inyectar codigo de script web o código HTML de su elección a través del parámetro bn. • https://www.exploit-db.com/exploits/34906 http://packetstormsecurity.org/1010-exploits/wagora-lfixss.txt http://securityreason.com/securityalert/8426 http://www.securityfocus.com/archive/1/514420/100/0/threaded http://www.securityfocus.com/bid/44370 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2007-6647 – w-Agora 4.2.1 - 'cat' SQL Injection
https://notcve.org/view.php?id=CVE-2007-6647
SQL injection vulnerability in index.php in w-Agora 4.2.1 and earlier allows remote attackers to execute arbitrary SQL commands via the cat parameter. Vulnerabilidad de inyección SQL en index.php de w-Agora 4.2.1 y anteriores permite a atacantes remotos ejecutar comandos SQL de su elección a través del parámetro cat. • https://www.exploit-db.com/exploits/4817 http://osvdb.org/39883 http://www.securityfocus.com/bid/27070 https://exchange.xforce.ibmcloud.com/vulnerabilities/39308 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 5%CPEs: 1EXPL: 2CVE-2007-1604 – W-Agora 4.2.1 - Multiple Arbitrary File Upload Vulnerabilities
https://notcve.org/view.php?id=CVE-2007-1604
Multiple unrestricted file upload vulnerabilities in w-Agora (Web-Agora) allow remote attackers to upload and execute arbitrary PHP code (1) via a forum message with an attached file, which is stored under forums/hello/hello/notes/ or (2) by using browse_avatar.php to upload a file with a double extension, as demonstrated by .php.jpg. Múltiples vulnerabilidades de promoción de ficheros no restringida en w-Agora (Web-Agora) permiten a atacantes remotos promocionar y ejecutar código PHP de su elección (1) mediante un mensaje de foro con un fichero adjunto, que se almacena bajo forums/hello/hello/notes/ ó (2) usando browse_avatar.php para promocionar un fichero con doble extensión, como se demuestra con .php.jpg. • https://www.exploit-db.com/exploits/29763 http://osvdb.org/34383 http://osvdb.org/34384 http://secunia.com/advisories/24605 http://securityreason.com/securityalert/2462 http://www.securityfocus.com/archive/1/463286/100/0/threaded http://www.securityfocus.com/bid/23055 https://exchange.xforce.ibmcloud.com/vulnerabilities/33173 •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 3CVE-2007-1606 – W-Agora 4.2.1 - 'change_password.php?userid' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2007-1606
Multiple cross-site scripting (XSS) vulnerabilities in w-Agora (Web-Agora) allow remote attackers to inject arbitrary web script or HTML via (1) the showuser parameter to profile.php, the (2) search_forum or (3) search_user parameter to search.php, or (4) the userid parameter to change_password.php. Múltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en w-Agora (Web-Agora) permiten a atacantes remotos inyectar scripts web o HTML de su elección mediante (1) el parámetro showuser en profile.php (2) el parámetro search_forum ó (3) el parámetro search_user en search.php, ó (4) el parámetro userid en change_password.php. • https://www.exploit-db.com/exploits/29766 https://www.exploit-db.com/exploits/29764 https://www.exploit-db.com/exploits/29765 http://osvdb.org/34377 http://osvdb.org/34378 http://osvdb.org/34379 http://secunia.com/advisories/24605 http://securityreason.com/securityalert/2462 http://www.securityfocus.com/archive/1/463286/100/0/threaded http://www.securityfocus.com/bid/23057 https://exchange.xforce.ibmcloud.com/vulnerabilities/33175 •