Information Security


Summary of security vulnerabilities in web applications (PHP, ASP, JSP, CGI, Perl)
Published: 22 October 2012
Source:
SecurityVulns ID: 12660
Type: remote
Severity: 5/10
Description: PHP injection, SQL injection, directory traversal, cross-site scripting, file modification, information leakage, etc.
Affected products: OPENX : OpenX 2.8
 CMSQLITE : CMSQLITE 1.3
 VBULLETIN : Vbulletin 4.1
 WORDPRESS : Wordfence Security 3.3
 ATUTOR : ATutor 1.2
 SUBRION : Subrion CMS 2.2
 JCORE : jCore 1.0
 SILVERSTRIPE : SilverStripe 2.4
 TEMPLATECMS : Template CMS 2.1
 CAMPAIGNENTERPRI : Campaign Enterprise 11
 WORDPRESS : Wordpress Social Discussions 6.1
 WORDPRESS : Wordpress Slideshow 2.1
 UNIRGY : uStoreLocator 2.0
 FILEBOUND : FileBound On-Site 6.1
 VOLK : vOlk Botnet Framework 4.0
 OMNISTAR : Omnistar Document Manager 8.0
 INTERSPIRE : Interspire Email Marketer 6.0
 OMNISTAR : Omnistar Mailer 7.2
 PHPFREECHAT : phpFreeChat 1.4
 PHPTAX : phptax 0.8
 SWITCHVOX : Switchvox Asterisk 5.1
 AXIS : Axis VoIP Manager 2.1
 NEOBILL : NeoBill CMS 0.8
 ATLASSIAN : Confluence 3.5
 ATLASSIAN : Confluence 4.0
 ATLASSIAN : Confluence 4.1
 TORRENTTRADER : TorrentTrader 2.08
CVE: CVE-2012-5169 (Multiple cross-site scripting (XSS) vulnerabilities in file_manager/preview_top.php in ATutor AContent before 1.2-2 allow remote attackers to inject arbitrary web script or HTML via the (1) pathext, (2) popup, (3) framed, or (4) file parameter.)
 CVE-2012-5168 (ATutor AContent before 1.2-1 allows remote attackers to modify arbitrary user passwords or category names via a direct request to (1) user/index_inline_editor_submit.php or (2) course_category/index_inline_editor_submit.php.)
 CVE-2012-5167 (Multiple SQL injection vulnerabilities in ATutor AContent before 1.2-1 allow remote attackers to execute arbitrary SQL commands via the (1) field parameter to course_category/index_inline_editor_submit.php or (2) user/index_inline_editor_submit.php; or (3) id parameter to user/user_password.php.)
 CVE-2012-4990 (SQL injection vulnerability in admin/campaign-zone-link.php in OpenX 2.8.10 before revision 81823 allows remote attackers to execute arbitrary SQL commands via the ids[] parameter in a link action.)
 CVE-2012-4989 (Cross-site scripting (XSS) vulnerability in admin/plugin-index.php in OpenX 2.8.10 before revision 81823 allows remote attackers to inject arbitrary web script or HTML via the parent parameter in an info action.)
 CVE-2012-4902 (Multiple cross-site request forgery (CSRF) vulnerabilities in Template CMS 2.1.1 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) create an administrator user via an add action to admin/index.php or (2) conduct static PHP code injection attacks via the themes_editor parameter in an edit_template action to admin/index.php.)
 CVE-2012-4901 (Cross-site scripting (XSS) vulnerability in Template CMS 2.1.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the themes_editor parameter in an add_template action to admin/index.php.)
 CVE-2012-4773 (Multiple cross-site request forgery (CSRF) vulnerabilities in Subrion CMS before 2.2.3 allow remote attackers to hijack the authentication of administrators for requests that add, delete, or modify sensitive information, as demonstrated by adding an administrator account via an add action to admin/accounts/add/.)
 CVE-2012-4772 (SQL injection vulnerability in register/ in Subrion CMS before 2.2.3 allows remote attackers to execute arbitrary SQL commands via the plan_id parameter.)
 CVE-2012-4771 (Multiple cross-site scripting (XSS) vulnerabilities in Subrion CMS before 2.2.3 allow remote attackers to inject arbitrary web script or HTML via the id parameter to (1) admin/accounts/, (2) admin/manage/, or (3) admin/manage/blocks/edit/; or (4) group parameter to admin/configuration/. NOTE: The f[accounts][fullname] and f[accounts][username] vectors are covered in CVE-2012-5452.)
 CVE-2012-4232 (SQL injection vulnerability in admin/index.php in jCore before 1.0pre2 allows remote attackers to execute arbitrary SQL commands via the memberloginid cookie.)
 CVE-2012-4231 (Cross-site scripting (XSS) vulnerability in admin/index.php in jCore before 1.0pre2 allows remote attackers to inject arbitrary web script or HTML via the path parameter.)
 CVE-2012-3824
 CVE-2012-3823
 CVE-2012-3822
 CVE-2012-3821
 CVE-2012-3820 (Multiple SQL injection vulnerabilities in Campaign11.exe in Arial Software Campaign Enterprise before 11.0.551 allow remote attackers to execute arbitrary SQL commands via the (1) SerialNumber field to activate.asp or (2) UID field to User-Edit.asp.)
Original text: Janek Vind, [waraxe-2012-SA#089] - Multiple Vulnerabilities in TorrentTrader 2.08 (22.10.2012)
 IrIsT.Ir_(at)_gmail.com, [INTREST SEC] Atlassian Confluence Wiki XSS Vulnerability (22.10.2012)
 IrIsT.Ir_(at)_gmail.com, Vbulletin (blog_plugin_useradmin) v4.1.12 Sql Injection Vulnerability (22.10.2012)
 Vulnerability Lab, Axis VoIP Manager v2.1.5.7 - Multiple Web Vulnerabilities (22.10.2012)
 Vulnerability Lab, NeoBill CMS v0.8 Alpha - Multiple Web Vulnerabilities (22.10.2012)
 Vulnerability Lab, Better WP Security v3.4.3 Wordpress - Web Vulnerabilities (22.10.2012)
 Vulnerability Lab, Switchvox Asterisk v5.1.2 - Multiple Web Vulnerabilities (22.10.2012)
 pereira_(at)_secbiz.de, phptax 0.8 <= Remote Code Execution Vulnerability (22.10.2012)
 Netsparker Advisories, XSS Vulnerabilities in phpFreeChat (22.10.2012)
 Vulnerability Lab, Omnistar Mailer v7.2 - Multiple Web Vulnerabilities (22.10.2012)
 Vulnerability Lab, Interspire Email Marketer v6.0.1 - Multiple Vulnerabilities (22.10.2012)
 Vulnerability Lab, Omnistar Document Manager v8.0 - Multiple Vulnerabilities (22.10.2012)
 Vulnerability Lab, vOlk Botnet Framework v4.0 - Multiple Web Vulnerabilities (22.10.2012)
 lists_(at)_senseofsecurity.com, FileBound - Privilege Escalation Vulnerability - Security Advisory - SOS-12-010 (22.10.2012)
 SEC Consult Vulnerability Lab, SEC Consult SA-20121017-1 :: Unirgy uStoreLocator SQL Injection - Magento extension (22.10.2012)
 Janek Vind, [waraxe-2012-SA#092] - Multiple Vulnerabilities in Wordpress Slideshow Plugin (22.10.2012)
 Janek Vind, [waraxe-2012-SA#093] - Multiple Vulnerabilities in Wordpress Social Discussions Plugin (22.10.2012)
 Vulnerability Lab, CMSQLITE v1.3.2 - Multiple Web Vulnerabilities (22.10.2012)
 MustLive, Multiple vulnerabilities in Megapolis.Portal Manager (22.10.2012)
 High-Tech Bridge Security Research, Multiple vulnerabilities in Template CMS (22.10.2012)
 High-Tech Bridge Security Research, Multiple vulnerabilities in OpenX (22.10.2012)
 High-Tech Bridge Security Research, Multiple vulnerabilities in jCore (22.10.2012)
 High-Tech Bridge Security Research, Multiple vulnerabilities in Subrion CMS (22.10.2012)
 High-Tech Bridge Security Research, Multiple vulnerabilities in AContent (22.10.2012)
 YGN Ethical Hacker Group, SilverStripe CMS 2.4.7 <= Arbitrary URL Redirection (22.10.2012)
 YGN Ethical Hacker Group, SilverStripe CMS 2.4.7 <= Persistent Cross Site Scripting Vulnerability (22.10.2012)
 MustLive, XSS and IAA vulnerabilities in Wordfence Security for WordPress (22.10.2012)

© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород