Information Security


Summary of security vulnerabilities in web applications (PHP, ASP, JSP, CGI, Perl)
Updated since 4 December 2011
Published: 5 December 2011
Source:
SecurityVulns ID: 12064
Type: remote
Severity: 5/10
Description: PHP injection, SQL injection, directory traversal, cross-site scripting, file modification, information leakage, etc.
Affected products: ROUNDCUBE : RoundCube 0.6
 ARIADNECMS : Ariadne 2.7
 PHPWARES : PHP Inventory 1.3
 WIKKA : WikkaWiki 1.3
 SUGARCRM : SugarCRM 6.3
 ORANGEGRM : OrangeHRM 2.6
 CLEARSILVER : clearsilver 0.10
 JCRYPTON : jCryption 1.2
 ELLISLAB : ExpressionEngine 2.2
 ELLISLAB : CodeIgniter 2.0
CVE: CVE-2011-4448 (SQL injection vulnerability in actions/usersettings/usersettings.php in WikkaWiki 1.3.1 and 1.3.2 allows remote attackers to execute arbitrary SQL commands via the default_comment_display parameter in an update action.)
 CVE-2011-4357 (Format string vulnerability in the p_cgi_error function in python/neo_cgi.c in the Python CGI Kit (neo_cgi) module for Clearsilver 0.10.5 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via format string specifiers that are not properly handled when creating CGI error messages using the cgi_error API function.)
 CVE-2011-4025
 CVE-2009-4597 (Multiple SQL injection vulnerabilities in index.php in PHP Inventory 1.2 allow (1) remote authenticated users to execute arbitrary SQL commands via the user_id parameter in a users details action, and allow remote attackers to execute arbitrary SQL commands via the (2) user (username) and (3) pass (password) parameters. NOTE: some of these details are obtained from third party information.)
 CVE-2009-4596 (Cross-site scripting (XSS) vulnerability in index.php in PHP Inventory 1.2 allows remote attackers to inject arbitrary web script or HTML via the sup_id parameter in a suppliers details action.)
 CVE-2009-4595 (SQL injection vulnerability in index.php in PHP Inventory 1.2 allows remote authenticated users to execute arbitrary SQL commands via the sup_id parameter in a suppliers details action. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.)
Original text: marian.ventuneac_(at)_gmail.com, MVSA-11-013 - EllisLab xss_clean Filter Bypass - ExpressionEngine and CodeIgniter (05.12.2011)
 Nick Freeman, Security-Assessment.com Release: Hacking Hollywood Slides, Advisories and Exploits (05.12.2011)
 Daniel Roethlisberger, Insecure RSA Encryption in jCryption, PEAR Crypt_RSA and Crypt_RSA2 (05.12.2011)
 DEBIAN, [SECURITY] [DSA 2355-1] clearsilver security update (05.12.2011)
 Amir_(at)_irist.ir, Wordpress skysa-official plugin Cross-Site Scripting Vulnerabilities (04.12.2011)
 High-Tech Bridge Security Research, Multiple vulnerabilities in OrangeHRM (04.12.2011)
 High-Tech Bridge Security Research, Sql injection in SugarCRM (04.12.2011)
 n0b0d13s_(at)_gmail.com, WikkaWiki <= 1.3.2 Multiple Security Vulnerabilities (04.12.2011)
 Amir_(at)_irist.ir, Wordpress 1-jquery-photo-gallery-slideshow-flash plugin Cross-Site Scripting Vulnerabilities (04.12.2011)
 Amir_(at)_irist.ir, Wordpress flash-album-gallery plugin Cross-Site Scripting Vulnerabilities (04.12.2011)
 security_(at)_infoserve.de, PHP Inventory 1.3.1 Remote (Auth Bypass) SQL Injection Vulnerability (04.12.2011)
 sschurtz_(at)_t-online.de, Ariadne 2.7.6 Multiple XSS vulnerabilities (04.12.2011)
 noreply_(at)_ptsecurity.ru, [PT-2011-43] Database information disclosure in Kayako Fusion (04.12.2011)
 MustLive, Multiple vulnerabilities in RoundCube (04.12.2011)
 MustLive, Vulnerabilities in Zeema CMS (04.12.2011)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod