Information Security


Summary of security vulnerabilities in web applications (PHP, ASP, JSP, CGI, Perl)
Published: 9 January 2012
Source:
SecurityVulns ID: 12133
Type: remote
Severity: 5/10
Description: PHP injection, SQL injection, directory traversal, cross-site scripting, file modification, information leakage, etc.
Affected products: CACTI : cacti 0.8
 SQLITEMANAGER : SQLiteManager 1.2
 BIGACE : BigACE 2.7
 IMPRESSPAGES : ImpressPages CMS 1.0
 WORDPRESS : Register Plus Redux 3.7
 VERTIGO : VertrigoServ 2.25
 GGB : Ggb Guestbook 0.3
 APACHE : Struts 2.3
 ORCHARD : Orchard 1.3
 TEXTPATTERN : Textpattern 4.4
 OPENEMR : OpenEMR 4.1
 BUGZILLA : Bugzilla 4.1
 MAVILIGUESTBOOK : mavili guestbook 200711
 OPENKM : OpenKM 5.1
 WINN : Winn Guestbook 2.4
CVE: CVE-2011-5026 (Cross-site scripting (XSS) vulnerability in Winn GuestBook before 2.4.8d allows remote attackers to inject arbitrary web script or HTML via the name parameter.)
 CVE-2011-5019 (Cross-site scripting (XSS) vulnerability in setup/index.php in Textpattern CMS 4.4.1, when the product is incompletely installed, allows remote attackers to inject arbitrary web script or HTML via the ddb parameter.)
 CVE-2011-4824 (SQL injection vulnerability in auth_login.php in Cacti before 0.8.7h allows remote attackers to execute arbitrary SQL commands via the login_username parameter.)
 CVE-2011-3657 (Multiple cross-site scripting (XSS) vulnerabilities in Bugzilla 2.x and 3.x before 3.4.13, 3.5.x and 3.6.x before 3.6.7, 3.7.x and 4.0.x before 4.0.3, and 4.1.x through 4.1.3, when debug mode is used, allow remote attackers to inject arbitrary web script or HTML via vectors involving a (1) tabular report, (2) graphical report, or (3) new chart.)
 CVE-2010-2545 (Multiple cross-site scripting (XSS) vulnerabilities in Cacti before 0.8.7g, as used in Red Hat High Performance Computing (HPC) Solution and other products, allow remote attackers to inject arbitrary web script or HTML via (1) the name element in an XML template to templates_import.php; and allow remote authenticated administrators to inject arbitrary web script or HTML via vectors related to (2) cdef.php, (3) data_input.php, (4) data_queries.php, (5) data_sources.php, (6) data_templates.php, (7) gprint_presets.php, (8) graph.php, (9) graphs_new.php, (10) graphs.php, (11) graph_templates_inputs.php, (12) graph_templates_items.php, (13) graph_templates.php, (14) graph_view.php, (15) host.php, (16) host_templates.php, (17) lib/functions.php, (18) lib/html_form.php, (19) lib/html_form_template.php, (20) lib/html.php, (21) lib/html_tree.php, (22) lib/rrd.php, (23) rra.php, (24) tree.php, and (25) user_admin.php.)
 CVE-2010-2543 (Cross-site scripting (XSS) vulnerability in include/top_graph_header.php in Cacti before 0.8.7g allows remote attackers to inject arbitrary web script or HTML via the graph_start parameter to graph.php. NOTE: this vulnerability exists because of an incorrect fix for CVE-2009-4032.2.b.)
 CVE-2010-1645 (Cacti before 0.8.7f, as used in Red Hat High Performance Computing (HPC) Solution and other products, allows remote authenticated administrators to execute arbitrary commands via shell metacharacters in (1) the FQDN field of a Device or (2) the Vertical Label field of a Graph Template.)
 CVE-2010-1644 (Multiple cross-site scripting (XSS) vulnerabilities in Cacti before 0.8.7f, as used in Red Hat High Performance Computing (HPC) Solution and other products, allow remote attackers to inject arbitrary web script or HTML via the (1) hostname or (2) description parameter to host.php, or (3) the host_id parameter to data_sources.php.)
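The Cacti entry CVE-2011-4824 above describes the classic shape of an authentication SQL injection: a login_username value is concatenated into the query text, so a crafted username rewrites the WHERE clause. The following is an added illustration of that vulnerability class and of the standard fix (bound parameters); it is not Cacti's auth_login.php nor the DSA 2384-1 patch, and the table name user_auth, the sample row and the function names are constructed for the example.

```python
import sqlite3

# Constructed sample database (hypothetical schema, not Cacti's):
# one user row so that a login can succeed or fail.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_auth (username TEXT, password TEXT)")
    conn.execute("INSERT INTO user_auth VALUES ('admin', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, login_username, login_password):
    # The username is spliced into the SQL text, so a single quote
    # ends the string literal and "--" comments out the password check.
    sql = ("SELECT username FROM user_auth WHERE username = '"
           + login_username + "' AND password = '" + login_password + "'")
    return conn.execute(sql).fetchone() is not None


def login_fixed(conn, login_username, login_password):
    # Bound parameters: the driver sends the values separately from the
    # query text, so quotes and comment markers in the input stay data.
    sql = "SELECT username FROM user_auth WHERE username = ? AND password = ?"
    row = conn.execute(sql, (login_username, login_password)).fetchone()
    return row is not None


if __name__ == "__main__":
    payload = "admin'-- "   # constructed injection string, password is ignored
    print("vulnerable:", login_vulnerable(make_db(), payload, "wrong"))  # True
    print("fixed:     ", login_fixed(make_db(), payload, "wrong"))       # False
    print("fixed, real creds:", login_fixed(make_db(), "admin", "correct-horse"))
```

The vulnerable function authenticates the attacker without a valid password because the comment marker removes the password predicate; the parameterised version treats the whole payload as a literal username that does not exist. Escaping the input instead of binding it is a weaker fix, since it has to be applied correctly at every call site and per database dialect.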
Original text: DEBIAN, [SECURITY] [DSA 2384-1] cacti security update (09.01.2012)
 MustLive, XSS and IAA vulnerabilities in Register Plus Redux for WordPress (09.01.2012)
 MustLive, Multiple new vulnerabilities in Register Plus Redux for WordPress (09.01.2012)
 MustLive, Vulnerabilities in plugins for MODx CMS, XOOPS, uCoz, Magento and DSP CMS (09.01.2012)
 tom, Winn Guestbook v2.4.8c Stored XSS (09.01.2012)
 LpSolit_(at)_gmail.com, Security advisory for Bugzilla 4.2rc1, 4.0.3, 3.6.7 and 3.4.13 (09.01.2012)
 Cyrill Brunschwiler, OpenKM 5.1.7 Privilege Escalation (09.01.2012)
 Cyrill Brunschwiler, OpenKM 5.1.7 OS Command Execution (XSRF based) (09.01.2012)
 tom, Tinyguestbook XSS (09.01.2012)
 RedTeam Pentesting, [RT-SA-2012-001] Bugzilla: Cross-Site Scripting in Chart Generator (09.01.2012)
 Trustwave Advisories, SQL Injection Vulnerability in OpenEMR 4.1.0 (09.01.2012)
 Trustwave Advisories, TWSL2012-001: Cross-Site Scripting Vulnerability in Textpattern Content Management System (09.01.2012)
 High-Tech Bridge Security Research, Multiple vulnerabilities in ImpressCMS (09.01.2012)
 Netsparker Advisories, Open Redirection Vulnerability in Orchard 1.3.9 (09.01.2012)
 SEC Consult Vulnerability Lab, NGS00109 Technical Advisory: Remote Code Execution in ImpressPages CMS (09.01.2012)
 SEC Consult Vulnerability Lab, SEC Consult SA-20120104-0 :: Multiple critical vulnerabilities in Apache Struts2 (09.01.2012)
 demonalex_(at)_163.com, Ggb Guestbook - XSS Vulnerabilities (09.01.2012)
 security_(at)_infoserve.de, VertrigoServ 2.25 Cross-Site-Scripting vulnerability (09.01.2012)
 security_(at)_infoserve.de, SQLiteManager 1.2.4 Multiple Cross-Site-Scripting vulnerabilities (09.01.2012)

About the site | Terms of use
© SecurityVulns, 3APA3A, Владимир Дубровин
Nizhny Novgorod