Information Security


Summary of security vulnerabilities in Web applications (PHP, ASP, JSP, CGI, Perl)
Published: 18 June 2012
Source:
SecurityVulns ID: 12433
Type: remote
Danger level: 5/10
Description: PHP injection, SQL injection, directory traversal, cross-site scripting, file modification, information leakage, etc.
Affected products:
 HORDE : imp 4.3
 TINYWEBGALLERY : TinyWebGallery 1.8
 COLLABTIVE : Collabtive 0.6
 NAGIOS : Nagios XI 2011
 WORDPRESS : Organizer 1.2
 SERENDIPITY : Serendipity 1.6
 JWPLAYER : JW Player 5.9
 NUKEDKLAN : Nuked Klan SP CMS 4.5
 ISCRIPTS : EasyCreate CMS 2.0
 ADICO : ADICO CMS 1.1
 QUICKBLOG : QuickBlog 0.8
 ESYNDICAT : eSyndiCat Pro 2.4
 SQUIRRELCART : Squirrelcart Cart 3.3
 SWOPO : Swoopo Gold Shop 8.4
 SIMPLEFORUMPHP : Simple Forum PHP 2.1
 MYRE : Real Estate Mobile 2012
 COLLABTIVE : Collabtive 0.7
 BIGWARE : Bigware shop 2.17
CVE:
 CVE-2012-2932 (Multiple cross-site scripting (XSS) vulnerabilities in TinyWebGallery (TWG) before 1.8.8 allow remote attackers to inject arbitrary web script or HTML via the (1) selitems[] parameter in a copy, (2) chmod, or (3) arch action to admin/index.php or (4) searchitem parameter in a search action to admin/index.php.)
 CVE-2012-2931
 CVE-2012-2930 (Multiple cross-site request forgery (CSRF) vulnerabilities in TinyWebGallery (TWG) before 1.8.8 allow remote attackers to hijack the authentication of administrators for requests that (1) add a user via an adduser action to admin/index.php or (2) conduct static PHP code injection attacks in .htusers.php via the user parameter to admin/index.php.)
 CVE-2012-2762 (SQL injection vulnerability in include/functions_trackbacks.inc.php in Serendipity 1.6.2 allows remote attackers to execute arbitrary SQL commands via the url parameter to comment.php.)
 CVE-2012-0791 (Multiple cross-site scripting (XSS) vulnerabilities in Horde IMP before 5.0.18 and Horde Groupware Webmail Edition before 4.0.6 allow remote attackers to inject arbitrary web script or HTML via the (1) composeCache, (2) rtemode, or (3) filename_* parameters to the compose page; (4) formname parameter to the contacts popup window; or (5) IMAP mailbox names. NOTE: some of these details are obtained from third party information.)
Original text:
 rwenzel_(at)_dw-itsecurity.de, SQL injection in Bigware shop software (18.06.2012)
 Mark Hoopes, Arbitrary File Upload/Execution in Collabtive (18.06.2012)
 DEBIAN, [SECURITY] [DSA 2485-1] imp4 security update (18.06.2012)
 Vulnerability Lab, Nuked Klan SP CMS v4.5 - SQL injection Vulnerability (18.06.2012)
 Vulnerability Lab, Interspire Shopping Cart v6 - Multiple Web Vulnerabilities (18.06.2012)
 Vulnerability Lab, iScripts EasyCreate CMS v2.0 - Multiple Web Vulnerabilites (18.06.2012)
 Vulnerability Lab, ADICO CMS v1.1 - Blind SQL Injection Vulnerability (18.06.2012)
 Vulnerability Lab, QuickBlog v0.8 CMS - Multiple Web Vulnerabilities (18.06.2012)
 Vulnerability Lab, Boonex Dolphin v7.0.9 CMS & Mobile App - Multiple Web Vulnerabilities (18.06.2012)
 Vulnerability Lab, [Suspected Spam] eSyndiCat Pro v2.4.1 - Multiple Web Vulnerabilities (18.06.2012)
 Vulnerability Lab, Squirrelcart Cart Shop v3.3.4 - Multiple Web Vulnerabilities (18.06.2012)
 Vulnerability Lab, Swoopo Gold Shop CMS v8.4.56 - Multiple Web Vulnerabilities (18.06.2012)
 Vulnerability Lab, Jobs Portal v3.0 NetArtMedia - Multiple Web Vulnerabilites (18.06.2012)
 Vulnerability Lab, Simple Forum PHP 2.1 - SQL Injection Vulnerabilities (18.06.2012)
 Vulnerability Lab, Cells Blog CMS v1.1 - Multiple Web Vulnerabilites (18.06.2012)
 Vulnerability Lab, MYRE Real Estate Mobile 2012|2 - Multiple Vulnerabilities (18.06.2012)
 0a29 40, 0A29-12-1 : Cross-Site Scripting vulnerabilities in Nagios XI < 2011R3.0 (18.06.2012)
 MustLive, Vulnerabilities in JW Player and millions of web sites (18.06.2012)
 High-Tech Bridge Security Research, SQL injection in Serendipity (18.06.2012)
 High-Tech Bridge Security Research, Multiple vulnerabilities in TinyWebGallery (18.06.2012)
 MustLive, DT, XSS and FPD vulnerabilities in Organizer for WordPress (18.06.2012)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod