Information Security


Summary of security vulnerabilities in Web applications (PHP, ASP, JSP, CGI, Perl)
Published: 7 September 2012
Source:
SecurityVulns ID: 12579
Type: remote
Danger level: 5/10
Description: PHP injection, SQL injection, directory traversal, cross-site scripting, file modification, information leakage, etc.
Affected products:
 ZABBIX : Zabbix 1.8
 APACHE : Wicket 1.4
 TESTLINK : TestLink 1.9
 APACHE : Wicket 1.5
 FLOGR : Flogr 2.5
 MOIN : Moin 1.9
 KAYAKO : Kayako Fusion 4.40
 EKTRON : Ektron CMS 8.5
 EFRONT : eFront Enterprise 3.6
 ESJOBSEARCH : ES Job Search Engine 3.0
 EFRONT : eFront Educational 3.6
 ADMIDIO : Admidio 2.3
CVE:
 CVE-2012-4404 (security/__init__.py in MoinMoin 1.9 through 1.9.4 does not properly handle group names that contain virtual group names such as "All," "Known," or "Trusted," which allows remote authenticated users with virtual group membership to be treated as a member of the group.)
 CVE-2012-4336 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Flogr 2.5.6 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the PATH_INFO or (2) an arbitrary parameter.)
 CVE-2012-3435 (SQL injection vulnerability in frontends/php/popup_bitem.php in Zabbix 1.8.15rc1 and earlier, and 2.x before 2.0.2rc1, allows remote attackers to execute arbitrary SQL commands via the itemid parameter.)
 CVE-2012-3373 (Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before 1.4.21 and 1.5.x before 1.5.8 allows remote attackers to inject arbitrary web script or HTML via vectors involving a %00 sequence in an Ajax link URL associated with a Wicket app.)
 CVE-2012-3233 (Cross-site scripting (XSS) vulnerability in __swift/thirdparty/PHPExcel/PHPExcel/Shared/JAMA/docs/download.php in Kayako Fusion 4.40.1148, and possibly before 4.50.1581, allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO.)
 CVE-2012-2275 (Multiple cross-site request forgery (CSRF) vulnerabilities in TestLink 1.9.3 and earlier allow remote attackers to hijack the authentication of users for requests that add, delete, or modify sensitive information, as demonstrated by changing the administrator's email via an editUser action to lib/usermanagement/userInfo.php.)
Original text:
 schurtz_(at)_darksecurity.de, Admidio 2.3.5 Multiple security vulnerabilities (07.09.2012)
 Joseph Sheridan, Group-Office Calendar SQL Injection (07.09.2012)
 Vulnerability Lab, eFront Educational v3.6.11 - Multiple Web Vulnerabilities (07.09.2012)
 Vulnerability Lab, ES Job Search Engine v3.0 - SQL injection vulnerability (07.09.2012)
 Vulnerability Lab, eFront Enterprise v3.6.11 - Multiple Web Vulnerabilities (07.09.2012)
 lists_(at)_senseofsecurity.com, Ektron CMS - Multiple Vulnerabilities - Security Advisory - SOS-12-009 (07.09.2012)
 High-Tech Bridge Security Research, Cross-Site Scripting (XSS) Vulnerabilities in Flogr (07.09.2012)
 High-Tech Bridge Security Research, Cross-Site Scripting (XSS) in Kayako Fusion (07.09.2012)
 High-Tech Bridge Security Research, Cross-Site Request Forgery (CSRF) in TestLink (07.09.2012)
 DEBIAN, [SECURITY] [DSA 2538-1] moin security update (07.09.2012)
 DEBIAN, [SECURITY] [DSA 2539-1] zabbix security update (07.09.2012)
 cmenzel_(at)_wicketbuch.de, [CVE-2012-3373] Apache Wicket XSS vulnerability via manipulated URL parameter (07.09.2012)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod