Information Security


Summary of security vulnerabilities in web applications (PHP, ASP, JSP, CGI, Perl)
Updated: 3 October 2013
Published: 3 October 2013
Source:
SecurityVulns ID: 13318
Type: remote
Severity: 5/10
Description: PHP injection, SQL injection, directory traversal, cross-site scripting, file modification, information leakage, etc.
Affected products:
 PHPBB : phpBB 3.0
 WIKKA : WikkaWiki 1.3
 SILVERSTRIPE : SilverStripe CMS 3.0
 EPROLOG : elproLOG MONITOR WebAccess 2.1
 SEMPERFIWEBDESIG : All in One SEO Pack 2.0
 VTIGER : vtiger CRM 5.4
 EXPRESSIONENGINE : ExpressionEngine 2.6
 MEDIAWIKI : mediawiki 1.20
 MOODLE : Moodle 2.5
 OWASP : ESAPI 2.0
 WORDPRESS : Design-approval-system 3.6
 WORDPRESS : Event Easy Calendar 1.0
CVE:
 CVE-2013-5679 (The authenticated-encryption feature in the symmetric-encryption implementation in the OWASP Enterprise Security API (ESAPI) for Java 2.x before 2.1.0 does not properly resist tampering with serialized ciphertext, which makes it easier for remote attackers to bypass intended cryptographic protection mechanisms via an attack against authenticity in the default configuration, involving a null MAC and a zero MAC length.)
 CVE-2013-5586 (Cross-site scripting (XSS) vulnerability in wikka.php in WikkaWiki before 1.3.4-p1 allows remote attackers to inject arbitrary web script or HTML via the wakka parameter to sql/.)
 CVE-2013-5091 (SQL injection vulnerability in CalendarCommon.php in vTiger CRM 5.4.0 and possibly earlier allows remote authenticated users to execute arbitrary SQL commands via the onlyforuser parameter in an index action to index.php. NOTE: this issue might be a duplicate of CVE-2011-4559.)
 CVE-2013-4303
 CVE-2013-4302 ((1) ApiBlock.php, (2) ApiCreateAccount.php, (3) ApiLogin.php, (4) ApiMain.php, (5) ApiQueryDeletedrevs.php, (6) ApiTokens.php, and (7) ApiUnblock.php in includes/api/ in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allow remote attackers to obtain CSRF tokens and bypass the cross-site request forgery (CSRF) protection mechanism via a JSONP request to wiki/api.php.)
 CVE-2013-4301 (includes/resourceloader/ResourceLoaderContext.php in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allows remote attackers to obtain sensitive information via a "<" (open angle bracket) character in the lang parameter to w/load.php, which reveals the installation path in an error message.)
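The CVE-2013-5679 entry above describes a class of bug worth seeing in code: when the serialized ciphertext itself carries the MAC length, a receiver that reads "MAC length 0" as "no MAC, nothing to verify" hands the decision to skip authentication to whoever produced the blob. The following is an added example written for this page, not ESAPI's code: the envelope layout (nonce || ct_len || ct || mac_len || mac), the toy HMAC-based stream cipher, the key derivation and all function names are constructed for illustration. It shows a vulnerable receiver accepting a forgery that has a bit flipped and its MAC stripped, beside a hardened receiver that enforces its own MAC policy and rejects the same blob.

```python
"""Model of the "null MAC / zero MAC length" bypass class (cf. CVE-2013-5679).

Added example, not ESAPI code. Envelope layout, cipher and names are constructed:
  nonce(16) || ct_len(4) || ct || mac_len(1) || mac
"""
import hashlib
import hmac
import os

MAC_LEN = 32  # HMAC-SHA256 tag length the receiver expects


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive separate encryption and MAC keys from one master key (constructed KDF).
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode keystream. As with any stream cipher, flipping a ciphertext
    # bit flips the same plaintext bit, which is what makes the forgery below useful.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes, nonce: bytes = None) -> bytes:
    """Encrypt-then-MAC and serialize into the constructed envelope layout."""
    nonce = nonce if nonce is not None else os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    mac = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + len(ct).to_bytes(4, "big") + ct + bytes([len(mac)]) + mac


def _parse(blob: bytes):
    nonce = blob[:16]
    ct_len = int.from_bytes(blob[16:20], "big")
    ct = blob[20:20 + ct_len]
    mac_len = blob[20 + ct_len]
    mac = blob[21 + ct_len:21 + ct_len + mac_len]
    return nonce, ct, mac_len, mac


def _decrypt(key: bytes, nonce: bytes, ct: bytes) -> bytes:
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def open_vulnerable(key: bytes, blob: bytes) -> bytes:
    nonce, ct, mac_len, mac = _parse(blob)
    # BUG: the MAC length read from the untrusted blob decides whether to verify.
    # A zero length ("null MAC") silently skips authentication entirely.
    if mac_len > 0:
        expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac):
            raise ValueError("MAC mismatch")
    return _decrypt(key, nonce, ct)


def open_hardened(key: bytes, blob: bytes) -> bytes:
    nonce, ct, mac_len, mac = _parse(blob)
    # FIX: the receiver's policy, not the blob, says a MAC is required, and the tag
    # must have exactly the expected length before it is compared.
    if mac_len != MAC_LEN or len(mac) != MAC_LEN:
        raise ValueError("MAC missing or truncated")
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        raise ValueError("MAC mismatch")
    return _decrypt(key, nonce, ct)


def forge_without_mac(blob: bytes, offset: int, xor_mask: int) -> bytes:
    """Attacker step, no key needed: flip plaintext bits through the ciphertext,
    then drop the MAC and declare its length as zero."""
    nonce, ct, _, _ = _parse(blob)
    ct = bytearray(ct)
    ct[offset] ^= xor_mask
    return nonce + len(ct).to_bytes(4, "big") + bytes(ct) + b"\x00"


def demo():
    key = b"\x11" * 32    # constructed demo key
    nonce = b"\x00" * 16  # fixed nonce so the run is deterministic
    blob = seal(key, b"amount=100;user=alice", nonce)
    # offset 7 is the '1' in "100"; '1' XOR 0x08 is '9'
    forged = forge_without_mac(blob, 7, ord("1") ^ ord("9"))
    accepted = open_vulnerable(key, forged)
    try:
        open_hardened(key, forged)
        rejected = False
    except ValueError:
        rejected = True
    return accepted, rejected


if __name__ == "__main__":
    tampered, rejected = demo()
    print("vulnerable receiver returned:", tampered)
    print("hardened receiver rejected forgery:", rejected)
```

The design point is that any field of an envelope that influences whether or how verification happens (MAC length, algorithm identifier, "has MAC" flag) is itself unauthenticated input until the MAC has been checked, so the receiver must fix those parameters by configuration and verify the tag before acting on anything else in the blob.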
Original text:
 roguecoder_(at)_hush.com, Event Easy Calendar 1.0.0 WP plugin (03.10.2013)
 DEBIAN, [SECURITY] [DSA 2752-1] phpbb3 security update (03.10.2013)
 High-Tech Bridge Security Research, Cross-Site Scripting (XSS) in WikkaWiki (03.10.2013)
 Alexandro Silva, [iBliss Security Advisory] Cross-Site Scripting (XSS) vulnerability in Design-approval-system wordpress plugin (03.10.2013)
 Kevin W. Wall, OWASP ESAPI Security Advisory: MAC Bypass in ESAPI Symmetric Encryption (03.10.2013)
 Emilio Pinna, Moodle 2.5.0-1 (badges/external.php) PHP Object Injection Vulnerability (03.10.2013)
 MANDRIVA, [ MDVSA-2013:235 ] mediawiki (03.10.2013)
 Richard Clifford, ExpressionEngine 2.6 Persistent XSS (03.10.2013)
 High-Tech Bridge Security Research, SQL Injection in vtiger CRM (03.10.2013)
 Vulnerability Lab, SilverStripe Framework CMS 3.0.5 - Multiple Web Vulnerabilities (03.10.2013)
 Vulnerability Lab, elproLOG MONITOR WebAccess 2.1 - Multiple Web Vulnerabilities (03.10.2013)
 Vulnerability Lab, WebAssist PowerCMS PHP - Multiple Web Vulnerabilities (03.10.2013)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod