Summary of security vulnerabilities in Web applications (PHP, ASP, JSP, CGI, Perl)
Published: 13 October 2013
Source:
SecurityVulns ID: 13366
Type: remote
Danger level: 5/10
Description: PHP injection, SQL injection, directory traversal, cross-site scripting, file modification, information leakage, etc.
Affected products:
 UEBIMIAU : Uebimiau 2.7
 MP3PLAYER : mp3-player 2.5
 FLVPLAYER : flv-player 3.5
 WORDPRESS : Cart66 1.5
 FENGOFFICE : Feng Office 2.3
 BOLWIRE : BoltWire 3.5
 DRUPAL : drupal 6.27
 DRUPAL : drupal 7.18
CVE: CVE-2013-5978
 CVE-2013-5977 (Cross-site request forgery (CSRF) vulnerability in Cart66Product.php in the Cart66 Lite plugin before 1.5.1.15 for WordPress allows remote attackers to hijack the authentication of administrators for requests that (1) create or modify products or conduct cross-site scripting (XSS) attacks via the (2) Product name or (3) Price description field in a product save action via a request to wp-admin/admin.php.)
 CVE-2013-5744 (Cross-site scripting (XSS) vulnerability in Feng Office 2.3.2-rc and earlier allows remote attackers to inject arbitrary web script or HTML via an arbitrary ref_XXX parameter.)
 CVE-2013-2651 (Multiple cross-site scripting (XSS) vulnerabilities in BoltWire 3.5 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) "p" or (2) content parameter to index.php.)
 CVE-2013-2623
 CVE-2013-2622
 CVE-2013-2621
 CVE-2013-0245 (The printer friendly version functionality in the Book module in Drupal 6.x before 6.28 and 7.x before 7.19 does not properly restrict access to nodes that are part of a book outline, which allows remote authenticated users with the "access printer-friendly version" permission to read node titles and possibly node content via unspecified vectors.)
 CVE-2013-0244 (Cross-site scripting (XSS) vulnerability in Drupal 6.x before 6.28 and 7.x before 7.19, when running with older versions of jQuery that are vulnerable to CVE-2011-4969, allows remote attackers to inject arbitrary web script or HTML via vectors involving unspecified Javascript functions that are used to select DOM elements.)
 CVE-2012-5653 (The file upload feature in Drupal 6.x before 6.27 and 7.x before 7.18 allows remote authenticated users to bypass the protection mechanism and execute arbitrary PHP code via a null byte in a file name.)
 CVE-2012-5652 (Drupal 6.x before 6.27 allows remote attackers to obtain sensitive information about uploaded files via a (1) RSS feed or (2) search result.)
 CVE-2012-5651 (Drupal 6.x before 6.27 and 7.x before 7.18 displays information for blocked users, which might allow remote attackers to obtain sensitive information by reading the search results.)
 CVE-2012-0826 (Cross-site request forgery (CSRF) vulnerability in the Aggregator module in Drupal 6.x before 6.23 and 7.x before 7.11 allows remote attackers to hijack the authentication of unspecified victims for requests that update feeds and possibly cause a denial of service (loss of updates due to rate limit) via unspecified vectors.)
 CVE-2012-0825 (Drupal 6.x before 6.23 and 7.x before 7.11 does not verify that Attribute Exchange (AX) information is signed, which allows remote attackers to modify potentially sensitive AX information without detection via a man-in-the-middle (MITM) attack.)
Original text:
 DEBIAN, [SECURITY] [DSA 2776-1] drupal6 security update (13.10.2013)
 ISecAuditors Security Advisories, [ISecAuditors Security Advisories] Multiple Reflected XSS vulnerabilities in BoltWire <= v3.5 (13.10.2013)
 ISecAuditors Security Advisories, [ISecAuditors Security Advisories] Multiple Vulnerabilities in Uebimiau <= 2.7.11 (13.10.2013)
 High-Tech Bridge Security Research, Cross-Site Scripting (XSS) in Feng Office (13.10.2013)
 jsibley1_(at)_gmail.com, Wordpress Cart66 Plugin 1.5.1.14 Multiple Vulnerabilities (13.10.2013)
 MustLive, Multiple vulnerabilities in flv-player (13.10.2013)
 MustLive, Multiple vulnerabilities in mp3-player (13.10.2013)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod