Information Security


Summary of security vulnerabilities in web applications (PHP, ASP, JSP, CGI, Perl)
Published: 3 February 2014
Source:
SecurityVulns ID: 13548
Type: remote
Danger level: 5/10
Description: PHP injection, SQL injection, directory traversal, cross-site scripting, file modification, information disclosure, etc.
Affected products:
 JOOMLA : JomSocial 3.1
 JOOMLA : JV Comment 3.0
 JOOMLA : Komento 1.7
 EVENTUM : Eventum 2.3
 JAMON : JAMon 2.7
 DRUPAL : EventCalendar 7.14
 MEDIATRIX : Mediatrix 4402
 DRUPAL : Drupal 7.25
 OPENPNE : OpenPNE 3.8
 WORDPRESS : Contact Form 7 3.5
CVE:
 CVE-2014-1632
 CVE-2014-1631
 CVE-2014-1612 (Cross-site scripting (XSS) vulnerability in login.esp in the Web Management Interface in Media5 Mediatrix 4402 VoIP Gateway with firmware Dgw 1.1.13.186 and earlier allows remote attackers to inject arbitrary web script or HTML via the username parameter.)
 CVE-2014-1607 (** DISPUTED ** Cross-site scripting (XSS) vulnerability in the EventCalendar module for Drupal 7.14 allows remote attackers to inject arbitrary web script or HTML via the year parameter to eventcalander/. NOTE: this issue has been disputed by the Drupal Security Team; it may be site-specific. If so, then this CVE will be REJECTed in the future.)
 CVE-2014-1476 (The Taxonomy module in Drupal 7.x before 7.26, when upgraded from an earlier version of Drupal, does not properly restrict access to unpublished content, which allows remote authenticated users to obtain sensitive information via a listing page.)
 CVE-2014-1475 (The OpenID module in Drupal 6.x before 6.30 and 7.x before 7.26 allows remote OpenID users to authenticate as other users via unspecified vectors.)
 CVE-2014-0794 (SQL injection vulnerability in the JV Comment (com_jvcomment) component before 3.0.3 for Joomla! allows remote authenticated users to execute arbitrary SQL commands via the id parameter in a comment.like action to index.php.)
 CVE-2014-0793 (Multiple cross-site scripting (XSS) vulnerabilities in the StackIdeas Komento (com_komento) component before 1.7.3 for Joomla! allow remote attackers to inject arbitrary web script or HTML via the (1) website or (2) latitude parameter in a comment to the default URI.)
 CVE-2013-6235 (Multiple cross-site scripting (XSS) vulnerabilities in JAMon (Java Application Monitor) 2.7 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) listenertype or (2) currentlistener parameter to mondetail.jsp or ArraySQL parameter to (3) mondetail.jsp, (4) jamonadmin.jsp, (5) sql.jsp, or (6) exceptions.jsp.)
 CVE-2013-5350 (The "Remember me" feature in the opSecurityUser::getRememberLoginCookie function in lib/user/opSecurityUser.class.php in OpenPNE 3.6.13 before 3.6.13.1 and 3.8.9 before 3.8.9.1 does not properly validate login data in HTTP Cookie headers, which allows remote attackers to conduct PHP object injection attacks, and execute arbitrary PHP code, via a crafted serialized object.)
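The OpenPNE entry above (CVE-2013-5350) is an instance of a bug class worth seeing in code: a "remember me" cookie handed straight to unserialize() lets the client pick which class gets instantiated, so any class whose magic method (__wakeup, __destruct, __toString) does something useful to an attacker becomes a gadget. The following is an added example written for this page, not OpenPNE's code; the LogWriter gadget class, the cookie format, the REMEMBER_KEY constant and the file paths are all assumptions. It shows the vulnerable pattern beside a hardened one that authenticates the cookie with an HMAC and then parses a data-only format (JSON), so no object is ever reconstructed from client input. Requires PHP 7.1 or later.

```php
<?php
declare(strict_types=1);

// Hypothetical gadget class of the kind a large application is likely to
// contain somewhere: its destructor writes attacker-controlled data to an
// attacker-controlled path.
class LogWriter
{
    public $path = '/tmp/app.log';
    public $data = '';

    public function __destruct()
    {
        file_put_contents($this->path, $this->data);
    }
}

// --- Vulnerable pattern: trusts the serialized form of the cookie ---------
function rememberedUserVulnerable(string $cookie): ?array
{
    $login = unserialize($cookie);          // any class may be instantiated
    return is_array($login) ? $login : null; // the object is still built and
}                                            // destructed even when rejected

// --- Hardened pattern: authenticate first, then parse a data-only format --
const REMEMBER_KEY = 'replace-with-a-random-32-byte-secret'; // assumed config

function issueRememberCookie(int $userId, int $expires): string
{
    $payload = json_encode(['uid' => $userId, 'exp' => $expires]);
    $mac     = hash_hmac('sha256', $payload, REMEMBER_KEY);
    return base64_encode($payload) . '.' . $mac;
}

function rememberedUserHardened(string $cookie): ?array
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$b64, $mac] = $parts;
    $payload = base64_decode($b64, true);
    if ($payload === false) {
        return null;
    }
    // Constant-time comparison; anything not signed by the server is dropped
    // before it is parsed at all.
    if (!hash_equals(hash_hmac('sha256', $payload, REMEMBER_KEY), $mac)) {
        return null;
    }
    $login = json_decode($payload, true);   // arrays only, never objects
    if (!is_array($login) || !isset($login['uid'], $login['exp'])) {
        return null;
    }
    if ($login['exp'] < time()) {
        return null;
    }
    return $login;
}

// --- Demonstration --------------------------------------------------------
// Constructed attacker cookie: a serialized LogWriter instead of the expected
// array. It is built as a string so the gadget does not fire before the test.
$path = sys_get_temp_dir() . '/pwned.txt';
$data = "<?php system(\$_GET['c']); ?>";
$evil = sprintf('O:9:"LogWriter":2:{s:4:"path";s:%d:"%s";s:4:"data";s:%d:"%s";}',
    strlen($path), $path, strlen($data), $data);

@unlink($path);
var_dump(rememberedUserVulnerable($evil)); // NULL: the login is rejected ...
var_dump(file_exists($path));              // bool(true): ... but __destruct ran

// The same cookie, and a tampered legitimate one, are rejected outright.
var_dump(rememberedUserHardened($evil));                       // NULL
$good = issueRememberCookie(42, time() + 3600);
var_dump(rememberedUserHardened($good)['uid']);                // int(42)
var_dump(rememberedUserHardened(substr($good, 0, -1) . 'x')); // NULL
@unlink($path);
```

If a code base cannot move away from unserialize() immediately, PHP 7.0 and later accept a second argument, `unserialize($cookie, ['allowed_classes' => false])`, which turns any object in the input into `__PHP_Incomplete_Class` and so disables gadget chains; it does not, however, authenticate the cookie, so the HMAC check above is still needed to stop forged login data.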
Original text:
 MustLive, Code Execution vulnerability in Contact Form 7 for WordPress (03.02.2014)
 MustLive, Vulnerabilities in Contact Form 7 for WordPress (03.02.2014)
 SECUNIA, Secunia Research: OpenPNE PHP Object Injection Vulnerability (03.02.2014)
 DEBIAN, [SECURITY] [DSA 2847-1] drupal7 security update (03.02.2014)
 tudor.enache_(at)_helpag.com, Reflected cross-site scripting (XSS) vulnerability in Mediatrix Web Management Interface login page (03.02.2014)
 ali.hussein_(at)_helpag.com, [CVE-2014-1607.] Cross Site Scripting(XSS) in Drupal Event calendar module (03.02.2014)
 Christian Catalano, [CVE-2013-6235] - Multiple Reflected XSS vulnerabilities in JAMon v2.7 (03.02.2014)
 High-Tech Bridge Security Research, Multiple Vulnerabilities in Eventum (03.02.2014)
 High-Tech Bridge Security Research, Cross-Site Scripting (XSS) in Komento Joomla Extension (03.02.2014)
 High-Tech Bridge Security Research, SQL Injection in JV Comment Joomla Extension (03.02.2014)
 Mark Litchfield, Ektron CMS Take Over - Hijacking Accounts (03.02.2014)
 Mark Litchfield, Vulnerabilities within Mura CMS / Sitecore MCS / SmarterMail (03.02.2014)
 Mark Litchfield, SiteCore XML Control Script Insertion (03.02.2014)
 matias.fontanini_(at)_gmail.com, Joomla! JomSocial component < 3.1.0.1 - Remote code execution (03.02.2014)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod