Computer Security


Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
Published: 07.09.2012
Source:
SecurityVulns ID: 12579
Type: remote
Threat Level: 5/10
Description: PHP inclusions, SQL injections, directory traversals, cross-site scripting, information leaks, etc.
Affected: ZABBIX : Zabbix 1.8
 APACHE : Wicket 1.4
 TESTLINK : TestLink 1.9
 APACHE : Wicket 1.5
 FLOGR : Flogr 2.5
 MOIN : Moin 1.9
 KAYAKO : Kayako Fusion 4.40
 EKTRON : Ektron CMS 8.5
 EFRONT : eFront Enterprise 3.6
 ESJOBSEARCH : ES Job Search Engine 3.0
 EFRONT : eFront Educational 3.6
 ADMIDIO : Admidio 2.3
CVE: CVE-2012-4404 (security/__init__.py in MoinMoin 1.9 through 1.9.4 does not properly handle group names that contain virtual group names such as "All," "Known," or "Trusted," which allows remote authenticated users with virtual group membership to be treated as a member of the group.)
 CVE-2012-4336 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Flogr 2.5.6 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the PATH_INFO or (2) an arbitrary parameter.)
 CVE-2012-3435 (SQL injection vulnerability in frontends/php/popup_bitem.php in Zabbix 1.8.15rc1 and earlier, and 2.x before 2.0.2rc1, allows remote attackers to execute arbitrary SQL commands via the itemid parameter.)
 CVE-2012-3373 (Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before 1.4.21 and 1.5.x before 1.5.8 allows remote attackers to inject arbitrary web script or HTML via vectors involving a %00 sequence in an Ajax link URL associated with a Wicket app.)
 CVE-2012-3233 (Cross-site scripting (XSS) vulnerability in __swift/thirdparty/PHPExcel/PHPExcel/Shared/JAMA/docs/download.php in Kayako Fusion 4.40.1148, and possibly before 4.50.1581, allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO.)
 CVE-2012-2275 (Multiple cross-site request forgery (CSRF) vulnerabilities in TestLink 1.9.3 and earlier allow remote attackers to hijack the authentication of users for requests that add, delete, or modify sensitive information, as demonstrated by changing the administrator's email via an editUser action to lib/usermanagement/userInfo.php.)
Original documents:
 schurtz_(at)_darksecurity.de, Admidio 2.3.5 Multiple security vulnerabilities (07.09.2012)
 Joseph Sheridan, Group-Office Calendar SQL Injection (07.09.2012)
 Vulnerability Lab, eFront Educational v3.6.11 - Multiple Web Vulnerabilities (07.09.2012)
 Vulnerability Lab, ES Job Search Engine v3.0 - SQL injection vulnerability (07.09.2012)
 Vulnerability Lab, eFront Enterprise v3.6.11 - Multiple Web Vulnerabilities (07.09.2012)
 lists_(at)_senseofsecurity.com, Ektron CMS - Multiple Vulnerabilities - Security Advisory - SOS-12-009 (07.09.2012)
 High-Tech Bridge Security Research, Cross-Site Scripting (XSS) Vulnerabilities in Flogr (07.09.2012)
 High-Tech Bridge Security Research, Cross-Site Scripting (XSS) in Kayako Fusion (07.09.2012)
 High-Tech Bridge Security Research, Cross-Site Request Forgery (CSRF) in TestLink (07.09.2012)
 DEBIAN, [SECURITY] [DSA 2538-1] moin security update (07.09.2012)
 DEBIAN, [SECURITY] [DSA 2539-1] zabbix security update (07.09.2012)
 cmenzel_(at)_wicketbuch.de, [CVE-2012-3373] Apache Wicket XSS vulnerability via manipulated URL parameter (07.09.2012)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod