4 results (0.006 seconds)

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0

Cross-site scripting (XSS) vulnerability in js/ViewerPanel.js in the file previewer plugin in Kopano WebApp versions 3.3.0 and earlier allows remote attackers to inject arbitrary web script or HTML via a specially crafted previewable file. Una vulnerabilidad de tipo cross-site scripting (XSS) en el archivo js/ViewerPanel.js en el plugin file previewer en Kopano WebApp versiones 3.3.0 y anteriores, permite a los atacantes remotos inyectar script web o HTML arbitrario por medio de un archivo de vista previa especialmente creado. • https://stash.kopano.io/projects/KWA/repos/filepreviewer/commits/85d2b5c2d27f461bba12e9491fcc4b0d8fde771a • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.0EPSS: 4%CPEs: 29EXPL: 1

senddocument.php in Zarafa WebApp before 2.0 beta 3 and WebAccess in Zarafa Collaboration Platform (ZCP) 7.x before 7.1.12 beta 1 and 7.2.x before 7.2.0 beta 1 allows remote attackers to cause a denial of service (/tmp disk consumption) by uploading a large number of files. senddocument.php en Zarafa WebApp anterior a 2.0 beta 3 y WebAccess en Zarafa Collaboration Platform (ZCP) 7.x anterior a 7.1.12 beta 1 y 7.2.x anterior a 7.2.0 beta 1 permite a atacantes remotos causar una denegación de servicio (consumo de disco /tmp) mediante la subida de un número grande de ficheros. • http://advisories.mageia.org/MGASA-2015-0049.html http://download.zarafa.com/community/beta/7.1/changelog-7.1.txt http://download.zarafa.com/community/beta/7.2/changelog-7.2.txt http://lists.fedoraproject.org/pipermail/package-announce/2015-April/156112.html http://lists.fedoraproject.org/pipermail/package-announce/2015-April/156228.html http://security.robert-scheck.de/cve-2014-9465-zarafa http://www.mandriva.com/security/advisories?name=MDVSA-2015:040 http://www.openwall.com/lists • CWE-399: Resource Management Errors •

CVSS: 2.1EPSS: 0%CPEs: 2EXPL: 0

Zarafa WebAccess 7.1.10 and WebApp 1.6 beta uses weak permissions (644) for config.php, which allows local users to obtain sensitive information by reading the PHP session files. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0103. Zarafa WebAccess 7.1.10 y WebApp 1.6 beta utilizan permisos (644) débiles para config.php, lo que permite a usuarios locales obtener información sensible mediante la lectura de los ficheros de las sesiones PHP. NOTA: esta vulnerabilidad existe debido a una solución incompleta para CVE-2014-0103. • http://advisories.mageia.org/MGASA-2014-0380.html http://seclists.org/oss-sec/2014/q3/444 http://seclists.org/oss-sec/2014/q3/445 http://www.mandriva.com/security/advisories?name=MDVSA-2014:182 http://www.securityfocus.com/bid/69362 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 5.0EPSS: 0%CPEs: 4EXPL: 0

Multiple cross-site request forgery (CSRF) vulnerabilities in the administration of (1) polls, (2) profiles, (3) IP bans, and (4) forums in (a) web-app.org WebAPP 0.8 through 0.9.9.6; and (b) web-app.net WebAPP 0.9.9.3.3, 0.9.9.3.4, and 2007; allow remote attackers to perform deletions as administrators. Múltiples vulnerabilidades de tipo cross-site request forgery (CSRF) en la administración de (1) sondeos, (2) perfiles, (3) prohibiciones IP y (4) foros en (a) web-app.org WebAPP versiones 0.8 hasta 0.9.9.6; y (b) web-app.net WebAPP versiones 0.9.9.3.3, 0.9.9.3.4 y 2007; permite a atacantes remotos realizar eliminaciones como administradores. • http://www.attrition.org/pipermail/vim/2007-June/001687.html http://www.web-app.org/cgi-bin/index.cgi?action=forum&board=how_to&op=display&num=9458 http://www.web-app.org/downloads/WebAPPv0.9.9.7.zip https://exchange.xforce.ibmcloud.com/vulnerabilities/35929 • CWE-352: Cross-Site Request Forgery (CSRF) •