Computer Security


Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
Published: 10.05.2012
Source:
SecurityVulns ID: 12365
Type: remote
Threat Level: 5/10
Description: PHP inclusions, SQL injections, directory traversals, cross-site scripting, information leaks, etc.
Affected: JOOMLA : Joomla 1.5
 WORDPRESS : WordPress 3.3
 SERENDIPITY : Serendipity 1.6
 ORANGEHRM : OrangeHRM 2.7
 PIVOTX : PivotX 2.3
 PLUXML : PluXml 5.1
 MICROTECHNOLOGY : Lynx Message Server 7.11
 JOOMLA : Joomla 2.5
 OPENCONF : OpenConf 4.11
 DRUPAL : Drupal 7.14
CVE: CVE-2012-2413 (Cross-site scripting (XSS) vulnerability in the ja_purity template for Joomla! 1.5.26 and earlier allows remote attackers to inject arbitrary web script or HTML via the Mod* cookie parameter to html/modules.php.)
 CVE-2012-2412
 CVE-2012-2274 (Cross-site scripting (XSS) vulnerability in pivotx/ajaxhelper.php in PivotX 2.3.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the file parameter.)
 CVE-2012-2227 (Directory traversal vulnerability in update/index.php in PluXml before 5.1.6 allows remote attackers to include and execute arbitrary local files via a ..%2F (encoded dot dot slash) in the default_lang parameter.)
 CVE-2012-1507 (Multiple cross-site scripting (XSS) vulnerabilities in OrangeHRM before 2.7 allow remote attackers to inject arbitrary web script or HTML via the (1) newHspStatus parameter to plugins/ajaxCalls/haltResumeHsp.php, (2) sortOrder1 parameter to templates/hrfunct/emppop.php, or (3) uri parameter to index.php.)
 CVE-2012-1506 (SQL injection vulnerability in the updateStatus function in lib/models/benefits/Hsp.php in OrangeHRM before 2.7 allows remote authenticated users to execute arbitrary SQL commands via the hspSummaryId parameter to plugins/ajaxCalls/haltResumeHsp.php. NOTE: some of these details are obtained from third party information.)
 CVE-2012-1002 (Unspecified vulnerability in OpenConf 4.x before 4.12 has unknown impact and attack vectors.)
Original documents:
 n0b0d13s_(at)_gmail.com, [CVE-2012-1002] OpenConf <= 4.11 (author/edit.php) Blind SQL Injection Vulnerability (10.05.2012)
 Janek Vind, [waraxe-2012-SA#087] - Reflected XSS in Joomla 1.5.26 "ja_purity" template (10.05.2012)
 Janek Vind, [waraxe-2012-SA#088] - Reflected XSS in Joomla 2.5.4 admin sysinfo page (10.05.2012)
 bede_(at)_foofus.net, SQL Injection and other issues in Micro Technology Services, Inc. Lynx (10.05.2012)
 MustLive, IAA, Redirector and XSS vulnerabilities in WordPress (10.05.2012)
 High-Tech Bridge Security Research, Local File Inclusion in PluXml (10.05.2012)
 High-Tech Bridge Security Research, Multiple vulnerabilities in OrangeHRM (10.05.2012)
 High-Tech Bridge Security Research, Cross-Site Scripting (XSS) in Pivotx (10.05.2012)
 security_(at)_koramis.de, Serendipity 1.6 Backend Cross-Site Scripting and SQL-Injection vulnerability (10.05.2012)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod