Information security


Summary of security vulnerabilities in web applications (PHP, ASP, JSP, CGI, Perl)
Published: 24 October 2011
SecurityVulns ID: 11995
Type: remote
Severity: 5/10
Description: PHP code injection, SQL injection, directory traversal, cross-site scripting, file modification, information disclosure, etc.
Affected products: SITEATSCHOOL : Site@School 2.4
 OPENENGINE : openEngine 2.0
 TINE20 : Tine 2.0
 OCSINVENTORYNG : OCS Inventory NG 2.0
 YETANOTHERCMS : Yet Another CMS 1.0
 DOLPHIN : Dolphin 7.0
 WORDPRESS : BackWPUp 2.1
 BUGFREE : BugFree 2.1
 WORDPRESS : Pretty Link 1.4
 LEDGERSMB : LedgerSMB 1.3
 ZOHO : ADSelfService Plus 4.5
 JOOMLA : JCE 2.0
 KAIBB : KaiBB 2.0
 CONTAO : Contao 2.10
 ACTIVEDEV : Active CMS 1.2
 SIMPLEPRESS : Simple:Press Forum 4.4
CVE:CVE-2011-4024 (Cross-site scripting (XSS) vulnerability in ocsinventory in OCS Inventory NG 2.0.1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.)
 CVE-2011-1364 (Cross-site request forgery (CSRF) vulnerability in _ah/admin/interactive/execute (aka the Interactive Console) in the SDK Console (aka Admin Console) in the Google App Engine Python SDK before 1.5.4 allows remote attackers to hijack the authentication of administrators for requests that execute arbitrary Python code via the code parameter.)
 CVE-2009-3580 (Cross-site request forgery (CSRF) vulnerability in am.pl in SQL-Ledger 2.8.24 allows remote attackers to hijack the authentication of arbitrary users for requests that change a password via the login, new_password, and confirm_password parameters in a preferences action.)
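Two of the CVEs above (the SQL-Ledger preferences action and the App Engine SDK interactive console) are the same bug: a state-changing request that is authenticated only by the session cookie the browser attaches automatically, so any page the victim visits can submit it. The block below is an added illustration, not code from SQL-Ledger, LedgerSMB, the App Engine SDK or any other product listed here, and it is in Python rather than Perl purely for readability. It models the password-change action with the parameter names the advisory gives (login, new_password, confirm_password), runs a forged cross-site submission against an unprotected and a synchronizer-token-protected variant, and shows the legitimate form succeeding because it carries the per-session token that a cross-origin page cannot read. The session store, user and passwords are constructed for the demo.

```python
import hmac
import secrets

# Constructed in-memory session store for the demo (not any product's real store).
SESSIONS = {}


def new_session(user, password):
    """Log a user in: create a session and bind a fresh CSRF token to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {
        "user": user,
        "password": password,
        "csrf_token": secrets.token_urlsafe(32),
    }
    return sid


def preferences_form(sid):
    """The hidden field the legitimate preferences page embeds.
    A page on another origin cannot read it, which is the whole defence."""
    return {"csrf_token": SESSIONS[sid]["csrf_token"]}


def csrf_token_valid(session, form):
    """Synchronizer-token check: the submitted token must equal the session's token.
    hmac.compare_digest keeps the comparison constant-time."""
    submitted = form.get("csrf_token", "")
    return bool(submitted) and hmac.compare_digest(submitted, session["csrf_token"])


def change_password(cookie_sid, form, require_token):
    """Preferences action with the parameters the advisory names.
    The browser sends the session cookie on its own, so with require_token=False
    any site the victim visits can submit this form on the victim's behalf."""
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return 401, "not logged in"
    if require_token and not csrf_token_valid(session, form):
        return 403, "missing or wrong CSRF token"
    if form.get("login") != session["user"]:
        return 403, "login does not match session"
    new = form.get("new_password")
    if not new or new != form.get("confirm_password"):
        return 400, "passwords do not match"
    session["password"] = new
    return 200, "password changed"


def demo():
    """Replay the forged request against both variants; return the outcomes."""
    results = {}
    # Victim is logged in; the attacker's page submits the form, cookie attached.
    forged = {"login": "alice", "new_password": "pwned", "confirm_password": "pwned"}

    sid = new_session("alice", "correct horse")
    status, _ = change_password(sid, dict(forged), require_token=False)
    results["unprotected_forged"] = (status, SESSIONS[sid]["password"])

    sid = new_session("alice", "correct horse")
    status, _ = change_password(sid, dict(forged), require_token=True)
    results["protected_forged"] = (status, SESSIONS[sid]["password"])

    # Guessing a token does not help: 256 bits from a CSPRNG.
    guess = dict(forged, csrf_token=secrets.token_urlsafe(32))
    status, _ = change_password(sid, guess, require_token=True)
    results["protected_guessed_token"] = (status, SESSIONS[sid]["password"])

    # The real form carries the hidden token, so the legitimate user succeeds.
    legit = dict(forged, **preferences_form(sid),
                 new_password="new secret", confirm_password="new secret")
    status, _ = change_password(sid, legit, require_token=True)
    results["protected_legit"] = (status, SESSIONS[sid]["password"])
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The token is only as good as the origin it protects: a stored or reflected XSS on the same site (several of the advisories below report exactly that) lets an attacker read the hidden field and forge the request anyway, so the two classes are fixed together, not as alternatives.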
Original text: MustLive, Code Execution and FPD vulnerabilities in Simple:Press Forum for WordPress (24.10.2011)
 BHG Security Center, Joomla Component (com_sgicatalog) <= SQL Injection Vulnerability (24.10.2011)
 sschurtz_(at)_t-online.de, Active CMS 1.2.0 'mod' Cross-site Scripting Vulnerability (24.10.2011)
 sschurtz_(at)_t-online.de, Contao 2.10.1 Cross-site scripting vulnerability (24.10.2011)
 sschurtz_(at)_t-online.de, openEngine 2.0 'key' Blind SQL Injection vulnerability (24.10.2011)
 sschurtz_(at)_t-online.de, KaiBB 2.0.1 XSS and SQL Injection vulnerabilities (24.10.2011)
 admin_(at)_bugreport.ir, Related POC for JCE Joomla Extension <=2 (24.10.2011)
 roberto.paleari_(at)_emaze.net, ZOHO ManageEngine ADSelfService Plus Administrative Access (24.10.2011)
 Adi Sharabani, Google App Engine SDK Code Execution Vulnerability (CVE 2011-1364) (24.10.2011)
 Chris Travers, LedgerSMB 1.3.0 released, includes anti-XSRF framework (24.10.2011)
 High-Tech Bridge Security Research, Multiple vulnerabilities in BugFree (24.10.2011)
 High-Tech Bridge Security Research, Multiple vulnerabilities in Pretty Link WordPress Plugin (24.10.2011)
 Drew Calcott, Security-Assessment.com Advisory: Destination Search Admin Console Access Control Bypass (24.10.2011)
 lists_(at)_senseofsecurity.com, WordPress Plugin BackWPUp 2.1.4 - Security Advisory - SOS-11-012 (24.10.2011)
 noreply_(at)_ptsecurity.ru, [PT-2011-14] SQL injection vulnerability in BoonEx Dolphin (24.10.2011)
 sschurtz_(at)_t-online.de, Site@School 2.4.10 SQL Injection & XSS vulnerabilities (24.10.2011)
 n0b0d13s_(at)_gmail.com, Dolphin <= 7.0.7 (member_menu_queries.php) Remote PHP Code Injection (24.10.2011)
 sschurtz_(at)_t-online.de, Yet Another CMS 1.0 SQL Injection & XSS vulnerabilities (24.10.2011)
 High-Tech Bridge Security Research, Multiple vulnerabilities in Tine 2.0 (24.10.2011)
 Nicolas DEROUET, OCS Inventory NG 2.0.1 Persistent XSS (CVE-2011-4024) (24.10.2011)
 sschurtz_(at)_t-online.de, Metasploit 4.1.0 Web UI stored XSS vulnerability (24.10.2011)
 md.r00t.defacer_(at)_gmail.com, inCommand Technologies, Inc. Cross-site Scripting Vulnerability (24.10.2011)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod