CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2023-47397
https://notcve.org/view.php?id=CVE-2023-47397
08 Nov 2023 — WeBid <=1.2.2 is vulnerable to code injection via admin/categoriestrans.php. WeBid en versiones <= 1.2.2 es vulnerable a la inyección de código a través de admin/categoriestrans.php. • https://liotree.github.io/2023/webid.html • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.4EPSS: 0%CPEs: 1EXPL: 1CVE-2022-41477
https://notcve.org/view.php?id=CVE-2022-41477
14 Oct 2022 — A security issue was discovered in WeBid <=1.2.2. A Server-Side Request Forgery (SSRF) vulnerability in the admin/theme.php file allows remote attackers to inject payloads via theme parameters to read files across directories. Se ha detectado un problema de seguridad en WeBid versiones anteriores a 1.2.2 incluyéndola. Una vulnerabilidad de tipo Server-Side Request Forgery (SSRF) en el archivo admin/theme.php permite a atacantes remotos inyectar cargas útiles por medio de parámetros del tema para leer archiv... • https://github.com/zer0yu/CVE_Request/blob/master/Webid/WeBid_Path_Traversal.md • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2018-1000882
https://notcve.org/view.php?id=CVE-2018-1000882
20 Dec 2018 — WeBid version up to current version 1.2.2 contains a Directory Traversal vulnerability in getthumb.php that can result in Arbitrary Image File Read. This attack appear to be exploitable via HTTP GET Request. This vulnerability appears to have been fixed in after commit 256a5f9d3eafbc477dcf77c7682446cc4b449c7f. WeBid, hasta la actual versión 1.2.2, contiene una vulnerabilidad de salto de directorio en getthumb.php que puede resultar en la lectura de archivos de imagen arbitrarios. Este ataque parece ser expl... • http://bugs.webidsupport.com/view.php?id=646 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-1000867
https://notcve.org/view.php?id=CVE-2018-1000867
20 Dec 2018 — WeBid version up to current version 1.2.2 contains a SQL Injection vulnerability in All five yourauctions*.php scripts that can result in Database Read via Blind SQL Injection. This attack appear to be exploitable via HTTP Request. This vulnerability appears to have been fixed in after commit 256a5f9d3eafbc477dcf77c7682446cc4b449c7f. WeBid, hasta la actual versión 1.2.2, contiene una vulnerabilidad de inyección SQL en los 5 scripts yourauctions*.php que puede resultar en la lectura de la base de datos media... • http://bugs.webidsupport.com/view.php?id=647 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2018-1000868
https://notcve.org/view.php?id=CVE-2018-1000868
20 Dec 2018 — WeBid version up to current version 1.2.2 contains a Cross Site Scripting (XSS) vulnerability in user_login.php, register.php that can result in Javascript execution in the user's browser, injection of malicious markup into the page. This attack appear to be exploitable via The victim user must click a malicous link. This vulnerability appears to have been fixed in after commit 256a5f9d3eafbc477dcf77c7682446cc4b449c7f. WeBid, hasta la actual versión 1.2.2, contiene una vulnerabilidad Cross-Site Scripting (X... • http://bugs.webidsupport.com/view.php?id=648 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2011-3815
https://notcve.org/view.php?id=CVE-2011-3815
24 Sep 2011 — WeBid 1.0.0 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by js/calendar.php and certain other files. WeBid v1.0.0 permite a atacantes remotos obtener información sensible a través de una petición directa a un archivo .php, lo que revela la ruta de instalación en un mensaje de error, como se demostró con js/calendar.php y algunos otros archivos. • http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/%21_README • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •