Information Security


Summary of security vulnerabilities in web applications (PHP, ASP, JSP, CGI, Perl)
Published: February 22, 2012
Source:
SecurityVulns ID: 12211
Type: remote
Severity level: 5/10
Description: PHP injection, SQL injection, directory traversal, cross-site scripting, file modification, information leakage, etc.
Affected products: CUBECART : CubeCart 3.0
 TESTLINK : TestLink 1.8
 WEBSITEBAKER : WebsiteBaker 2.8
 DOLPHIN : Dolphin 7.0
 FEX : fex 20111129-2
 OXWALL : OxWall 1.1
 PANDORA : Pandora FMS 4.0
 TESTLINK : TestLink 1.9
 VOXTRONIC : voxlog 3.7
 LEPTON : Lepton 1.1
 11IN1 : 11in1 1.2
CVE: CVE-2012-1000 (Multiple cross-site scripting (XSS) vulnerabilities in LEPTON 1.1.3 and other versions before 1.1.4 allow remote attackers to inject arbitrary web script or HTML via the (1) message parameter to admins/login/forgot/index.php, or the (2) display_name or (3) email parameter to account/preferences.php.)
 CVE-2012-0999 (SQL injection vulnerability in modules/news/rss.php in LEPTON before 1.1.4 allows remote attackers to execute arbitrary SQL commands via the group_id parameter.)
 CVE-2012-0998 (Directory traversal vulnerability in account/preferences.php in LEPTON before 1.1.4 allows remote attackers to include and execute arbitrary files via a .. (dot dot) in the language parameter.)
 CVE-2012-0997 (Cross-site request forgery (CSRF) vulnerability in admin/index.php in 11in1 1.2.1 stable 12-31-2011 allows remote attackers to hijack the authentication of administrators for requests that add new topics via an addTopic action.)
 CVE-2012-0996 (Multiple directory traversal vulnerabilities in 11in1 1.2.1 stable 12-31-2011 allow remote attackers to read arbitrary files via a .. (dot dot) in the class parameter to (1) index.php or (2) admin/index.php.)
 CVE-2012-0939 (Multiple SQL injection vulnerabilities in TestLink 1.8.5b and earlier allow remote authenticated users with the Requirement view permission to execute arbitrary SQL commands via the req_spec_id parameter to (1) reqSpecAnalyse.php, (2) reqSpecPrint.php, or (3) reqSpecView.php in requirements/. NOTE: some of these details are obtained from third party information.)
 CVE-2012-0938 (Multiple SQL injection vulnerabilities in TestLink 1.9.3, 1.8.5b, and earlier allow remote authenticated users with certain permissions to execute arbitrary SQL commands via the root_node parameter in the display_children function to (1) getrequirementnodes.php or (2) gettprojectnodes.php in lib/ajax/; the (3) cfield_id parameter in an edit action to lib/cfields/cfieldsEdit.php; the (4) id parameter in an edit action or (5) plan_id parameter in a create action to lib/plan/planMilestonesEdit.php; or the req_spec_id parameter to (6) reqImport.php or (7) in a create action to reqEdit.php in lib/requirements/. NOTE: some of these details are obtained from third party information.)
 CVE-2012-0873 (Multiple cross-site scripting (XSS) vulnerabilities in Boonex Dolphin before 7.0.8 allow remote attackers to inject arbitrary web script or HTML via the (1) explain parameter to explanation.php or the (2) photos_only, (3) online_only, or (4) mode parameters to viewFriends.php.)
 CVE-2012-0872 (Multiple cross-site scripting (XSS) vulnerabilities in OxWall 1.1.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) captchaField, (2) email, (3) form_name, (4) password, (5) realname, (6) repeatPassword, or (7) username parameters to Oxwall/join; (8) captcha, (9) email, (10) form_name, (11) from, or (12) subject parameters to Oxwall/contact; (13) tag parameter to Oxwall/blogs/browse-by-tag; or (14) PATH_INFO to Oxwall/photo/viewlist/tagged, (15) Oxwall/photo/viewlist, or (16) Oxwall/video/viewlist.)
Original text: High-Tech Bridge Security Research, Multiple vulnerabilities in 11in1 (22.02.2012)
 High-Tech Bridge Security Research, Multiple vulnerabilities in LEPTON (22.02.2012)
 SEC Consult Vulnerability Lab, SEC Consult SA-20120220-0 :: Multiple critical vulnerabilities in VOXTRONIC voxlog professional (22.02.2012)
 jnatal, SQL Injection Vulnerabilities in TestLink (22.02.2012)
 Vulnerability Lab, Pandora FMS v4.0.1 - Local File Include Vulnerability + VD Session (22.02.2012)
 sschurtz_(at)_darksecurity.de, WebsiteBaker 2.8.2 SP2 HTTP-Referer XSS vulnerability (22.02.2012)
 YGN Ethical Hacker Group, CubeCart 3.0.20 (3.0.x) and lower | Open URL Redirection Vulnerability [Updated] (22.02.2012)
 YGN Ethical Hacker Group, Dolphin 7.0.7 <= Multiple Cross Site Scripting Vulnerabilities (22.02.2012)
 YGN Ethical Hacker Group, OxWall 1.1.1 <= Multiple Cross Site Scripting Vulnerabilities (22.02.2012)
 mr xadal, CMS wizard Cross Site Scripting (22.02.2012)
 muuratsalo experimental hack lab, F*EX 20111129-2 Cross Site Scripting Vulnerability (22.02.2012)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod