Information Security


Summary of security vulnerabilities in Web applications (PHP, ASP, JSP, CGI, Perl)
Published: 14 June 2015
Source:
SecurityVulns ID: 14543
Type: remote
Severity level:
5/10
Description: PHP injection, SQL injection, directory traversal, cross-site scripting, file modification, information leakage, etc.
Affected products: WORDPRESS : se-html5-album-audio-player 1.1
 ISPCONFIG : ISPConfig 3.0
 SYMPHONY : Symphony CMS 2.6
 CONCRETE5 : Concrete5 CMS 5.7
 NOVELL : ZENworks 3.1
 ADOBE : Adobe Connect 9.3
 WORDPRESS : aviary-image-editor-add-on-for-gravity-forms 3.0
 ELASTIC : Kibana 4.0
 BONITASOFT : Bonita BPM 6.5
 SILVERSTRIPE : SilverStripe CMS 3.1
CVE:CVE-2015-4119 (Multiple cross-site request forgery (CSRF) vulnerabilities in ISPConfig before 3.0.5.4p7 allow remote attackers to hijack the authentication of (1) administrators for requests that create an administrator account via a request to admin/users_edit.php or (2) arbitrary users for requests that conduct SQL injection attacks via the server parameter to monitor/show_sys_state.php.)
 CVE-2015-4118 (SQL injection vulnerability in monitor/show_sys_state.php in ISPConfig before 3.0.5.4p7 allows remote authenticated users with monitor permissions to execute arbitrary SQL commands via the server parameter. NOTE: this can be leveraged by remote attackers using CVE-2015-4119.2.)
 CVE-2015-4093 (Cross-site scripting (XSS) vulnerability in Elasticsearch Kibana 4.x before 4.0.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.)
 CVE-2015-3898
 CVE-2015-3897 (Directory traversal vulnerability in Bonita BPM Portal before 6.5.3 allows remote attackers to read arbitrary files via a .. (dot dot) in the theme parameter and a file path in the location parameter to bonita/portal/themeResource.)
 CVE-2015-0343 (Cross-site scripting (XSS) vulnerability in admin/home/homepage/search in the web app in Adobe Connect before 9.4 allows remote attackers to inject arbitrary web script or HTML via the query parameter.)
Original text: stasvolfus_(at)_gmail.com, XSS vulnerability Adobe Connect 9.3 (CVE-2015-0343 ) (14.06.2015)
 ludwig.stage_(at)_syss.de, [SYSS-2015-020] ZENWorks Mobile Management - Cross-Site Scripting (14.06.2015)
 apparitionsec_(at)_gmail.com, ZCMS SQL Injection & Persistent XSS (14.06.2015)
 apparitionsec_(at)_gmail.com, Nakid-CMS CSRF, Persistent XSS & LFI (14.06.2015)
 Egidio Romano, [KIS-2015-03] Concrete5 <= 5.7.4 (Access.php) SQL Injection Vulnerability (14.06.2015)
 Egidio Romano, [KIS-2015-02] Concrete5 <= 5.7.3.1 Multiple Reflected Cross-Site Scripting Vulnerabilities (14.06.2015)
 Egidio Romano, [KIS-2015-01] Concrete5 <= 5.7.3.1 (sendmail) Remote Code Execution Vulnerability (14.06.2015)
 apparitionsec_(at)_gmail.com, Symphony CMS XSS Vulnerability [Corrected Post] (14.06.2015)
 apparitionsec_(at)_gmail.com, SilverStripe CMS Unvalidated Redirect & XSS vulnerabilities (14.06.2015)
 ELASTIC, Kibana vulnerability CVE-2015-4093 (14.06.2015)
 High-Tech Bridge Security Research, Arbitrary File Disclosure and Open Redirect in Bonita BPM (14.06.2015)
 High-Tech Bridge Security Research, Multiple Vulnerabilities in ISPConfig (14.06.2015)
 larry0_(at)_me.com, Remote file upload vulnerability in aviary-image-editor-add-on-for-gravity-forms v3.0beta Wordpress plugin (14.06.2015)
 larry0_(at)_me.com, Path Traversal vulnerability in Wordpress plugin se-html5-album-audio-player v1.1.0 (14.06.2015)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod