10 results (0.008 seconds)

CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1

A flaw was found in WebSVN 2.3.2. Without prior authentication, if the 'allowDownload' option is enabled in config.php, an attacker can invoke the dl.php script and pass a well formed 'path' argument to execute arbitrary commands against the underlying operating system. Se ha encontrado un fallo en WebSVN versión 2.3.2. Sin autenticación previa, si la opción "allowDownload" está habilitada en el archivo config.php, un atacante puede invocar el script dl.php y pasar un argumento "path" bien formado para ejecutar comandos arbitrarios contra el sistema operativo subyacente • https://seclists.org/bugtraq/2011/Jun/34 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVSS: 10.0EPSS: 95%CPEs: 1EXPL: 3

WebSVN before 2.6.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the search parameter. WebSVN versiones anteriores a 2.6.1, permite a atacantes remotos ejecutar comandos arbitrarios por medio de metacaracteres shell en el parámetro search Websvn version 2.6.0 suffers from a remote code execution vulnerability. • https://www.exploit-db.com/exploits/50042 https://github.com/FredBrave/CVE-2021-32305-websvn-2.6.0 http://packetstormsecurity.com/files/163225/Websvn-2.6.0-Remote-Code-Execution.html https://github.com/websvnphp/websvn/pull/142 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 2

Cross-site scripting (XSS) vulnerability in WebSVN 2.3.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the path parameter to log.php. Vulnerabilidad de XXS en WebSVN 2.3.3 y versiones anteriores permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro path a log.php. WebSVN version 2.3.3 suffers from a cross site scripting vulnerability. • http://lists.fedoraproject.org/pipermail/package-announce/2016-March/179168.html http://packetstormsecurity.com/files/135886/WebSVN-2.3.3-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2016/Feb/99 http://www.debian.org/security/2016/dsa-3490 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 3.5EPSS: 0%CPEs: 2EXPL: 0

WebSVN 2.3.3 allows remote authenticated users to read arbitrary files via a symlink attack in a commit. WebSVN 2.3.3 permite a usuarios remotos autenticados leer archivos arbitrarios a través de un ataque symlink en un commit • http://secunia.com/advisories/62233 http://www.debian.org/security/2015/dsa-3137 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775682 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 4.3EPSS: 0%CPEs: 6EXPL: 1

Cross-site scripting (XSS) vulnerability in the getLog function in svnlook.php in WebSVN before 2.3.1 allows remote attackers to inject arbitrary web script or HTML via the path parameter to (1) comp.php, (2) diff.php, or (3) revision.php. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en la función getLog en svnlook.php en WebSVN anteriores a v2.3.1, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro path sobre (1) comp.php, (2) diff.php, o (3) revision.php. • http://osvdb.org/77941 http://osvdb.org/77942 http://osvdb.org/77943 http://secunia.com/advisories/47288 http://st2tea.blogspot.com/2011/12/websvn-cross-site-scripting.html http://websvn.tigris.org/issues/show_bug.cgi?id=275 http://www.securityfocus.com/bid/51109 http://www.securitytracker.com/id?1026438 https://exchange.xforce.ibmcloud.com/vulnerabilities/71888 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •