Information Security


Summary of security vulnerabilities in web applications (PHP, ASP, JSP, CGI, Perl)
Published: 22 December 2014
Source:
SecurityVulns ID: 14155
Type: remote
Severity: 5/10
Description: PHP injection, SQL injection, directory traversal, cross-site scripting, file modification, information leakage, etc.
Affected products: CREATIVEMINDSSOL : cm-download-manager 2.0
 BIRDFEEDER : Bird Feeder 1.2
 KONKART : Konakart 7.3
 FUZZYLIME : Fuzzylime 3.03
 MEDIAWIKI : mediawiki 1.19
 MORFYCMS : Morfy CMS 1.05
 REVIVEADSERVER : Revive Adserver 3.0
 RESOURCESPACE : ResourceSpace 6.4
 WORDPRESS : W3 Total Cache 0.9
 PAPOO : Papoo Light 6.0
 PHPMYADMIN : phpmyadmin 4.2
 PBBOARD : PBBoard 3.0
 CONCRETE5 : Concrete5 CMS 5.7
 PHPTRAFFICA : phpTrafficA 2.3
 TWIKI : Twiki 6.0
 ITWITTER : iTwitter 0.04
 JEASECMS : Jease CMS 2.11
 ELEFANTCMS : Elefant CMS 1.3
CVE: CVE-2014-9367 (Incomplete blacklist vulnerability in the urlEncode function in lib/TWiki.pm in TWiki 6.0.0 and 6.0.1 allows remote attackers to conduct cross-site scripting (XSS) attacks via a "'" (single quote) in the scope parameter to do/view/TWiki/WebSearch.)
 CVE-2014-9325 (Multiple cross-site scripting (XSS) vulnerabilities in TWiki 6.0.1 allow remote attackers to inject arbitrary web script or HTML via the (1) QUERYSTRING variable in lib/TWiki.pm or (2) QUERYPARAMSTRING variable in lib/TWiki/UI/View.pm, as demonstrated by the QUERY_STRING to do/view/Main/TWikiPreferences.)
 CVE-2014-9277 (The wfMangleFlashPolicy function in OutputHandler.php in MediaWiki before 1.19.22, 1.20.x through 1.22.x before 1.22.14, and 1.23.x before 1.23.7 allows remote attackers to conduct PHP object injection attacks via a crafted string containing <cross-domain-policy> in a PHP format request, which causes the string length to change when converting the request to <NOT-cross-domain-policy>.)
 CVE-2014-9219 (Cross-site scripting (XSS) vulnerability in the redirection feature in url.php in phpMyAdmin 4.2.x before 4.2.13.1 allows remote attackers to inject arbitrary web script or HTML via the url parameter.)
 CVE-2014-9218 (libraries/common.inc.php in phpMyAdmin 4.0.x before 4.0.10.7, 4.1.x before 4.1.14.8, and 4.2.x before 4.2.13.1 allows remote attackers to cause a denial of service (resource consumption) via a long password.)
 CVE-2014-9215 (SQL injection vulnerability in the CheckEmail function in includes/functions.class.php in PBBoard 3.0.1 before 20141128 allows remote attackers to execute arbitrary SQL commands via the email parameter in the register page to index.php. NOTE: the email parameter in the forget page vector is already covered by CVE-2012-4034.2.)
 CVE-2014-9129 (Cross-site request forgery (CSRF) vulnerability in the CreativeMinds CM Downloads Manager plugin before 2.0.7 for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the addons_title parameter in the CMDM_admin_settings page to wp-admin/admin.php.)
 CVE-2014-8875 (The XML_RPC_cd function in lib/pear/XML/RPC.php in Revive Adserver before 3.0.6 allows remote attackers to cause a denial of service (CPU and memory consumption) via a crafted XML-RPC request, aka an XML Entity Expansion (XEE) attack.)
 CVE-2014-8793 (Cross-site scripting (XSS) vulnerability in lib/max/Admin/UI/Field/PublisherIdField.php in Revive Adserver before 3.0.6 allows remote attackers to inject arbitrary web script or HTML via the refresh_page parameter to www/admin/report-generate.php.)
 CVE-2014-8724 (Cross-site scripting (XSS) vulnerability in the W3 Total Cache plugin before 0.9.4.1 for WordPress, when debug mode is enabled, allows remote attackers to inject arbitrary web script or HTML via the "Cache key" in the HTML-Comments, as demonstrated by the PATH_INFO to the default URI.)
 CVE-2014-8340 (SQL injection vulnerability in Php/Functions/log_function.php in phpTrafficA 2.3 and earlier allows remote attackers to execute arbitrary SQL commands via a User-Agent HTTP header.)
 CVE-2014-2026 (Cross-site scripting (XSS) vulnerability in the search functionality in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to inject arbitrary web script or HTML via the request parameter.)
 CVE-2014-2025
Original text: petri.iivonen_(at)_tmbc.gov.uk, ResourceSpace Multiple Cross Site Scripting, and HTML and SQL Injection Vulnerabilities (22.12.2014)
 Daniel Geerts, [CVE-2014-8340] phpTrafficA SQL injection (22.12.2014)
 simo_(at)_morxploit.com, Concrete5 CMS Reflected Cross-Site Scripting Vulnerabilities (22.12.2014)
 sahm_(at)_post.com, CMS Made Simple PHP Code Injection Vulnerability (All versions) (22.12.2014)
 tien.d.tran_(at)_itas.vn, CVE-2014-9215 - SQL Injection in PBBoard CMS (22.12.2014)
 henri_(at)_nerv.fi, CVE-2014-9129: XSS and CSRF in CM Download Manager plugin for WordPress (22.12.2014)
 DEBIAN, [SECURITY] [DSA 3100-1] mediawiki security update (22.12.2014)
 MANDRIVA, [ MDVSA-2014:243 ] phpmyadmin (22.12.2014)
 Christian Schneider, CVE-2014-2025 Remote Code Execution (RCE) in "Intrexx Professional" (22.12.2014)
 Christian Schneider, CVE-2014-2026 Reflected Cross-Site Scripting (XSS) in "Intrexx Professional" (22.12.2014)
 steffen.roesemann1986_(at)_gmail.com, Persistent XSS Vulnerability in CMS Papoo Light v6.0.0 Rev. 4701 (22.12.2014)
 Mazin Ahmed, W3TotalFail: W3 Total Cache v 0.9.4 CSRF Vulnerability that Leads to Full Deface (22.12.2014)
 Vulnerability Lab, Elefant CMS v1.3.9 - Persistent Name Update Vulnerability (22.12.2014)
 Vulnerability Lab, Fuzzylime v3.03b CMS - CS Cross Scripting Vulnerability (22.12.2014)
 Vulnerability Lab, Konakart v7.3.0.1 CMS - CS Cross Site Web Vulnerability (22.12.2014)
 Matteo Beccati, [REVIVE-SA-2014-002] Revive Adserver 3.0.6 and 3.1.0 fix multiple vulnerabilities (22.12.2014)
 Tobias Glemser, secuvera-SA-2014-01: Reflected XSS in W3 Total Cache (22.12.2014)
 High-Tech Bridge Security Research, Cross-Site Scripting (XSS) in Revive Adserver (22.12.2014)
 Vulnerability Lab, Bird Feeder v1.2.3 WP Plugin - CSRF & XSS Vulnerability (22.12.2014)
 Vulnerability Lab, Morfy CMS v1.05 - Command Execution Vulnerability (22.12.2014)
 Vulnerability Lab, Jease CMS v2.11 - Persistent UI Web Vulnerability (22.12.2014)
 Vulnerability Lab, iTwitter v0.04 WP Plugin - XSS & CSRF Web Vulnerability (22.12.2014)
 Vulnerability Lab, E-Journal CMS (ID) - Multiple Web Vulnerabilities (22.12.2014)
 Onur Yilmaz, TWiki Security Advisory - XSS Vulnerability - CVE-2014-9325 (22.12.2014)
 Onur Yilmaz, TWiki Security Advisory - XSS Vulnerability - CVE-2014-9367 (22.12.2014)

© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород