Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
Published: 11.02.2013
Source:
SecurityVulns ID: 12880
Type: remote
Threat Level: 5/10
Description: PHP inclusions, SQL injections, directory traversals, cross-site scripting, information leaks, etc.
Affected:
  EASYITSP : EasyITSP 2.0
  DATALIFE : DataLife Engine 9.7
  WORDPRESS : Wordpress Audio Player 2.0
  CUBECART : CubeCart 5.2
  WORDPRESS : wp-table-reloaded 1.9
  WORDPRESS : Wysija Newsletters 2.2
  WORDPRESS : CommentLuv 2.92
  FREEMONTHLYWEBSI : Free Monthly Websites 2.0
  NAGIOS : Nagios 3.4
  SWAT : Samba Web Administration Tool 4.0
  SWAT : Samba Web Administration Tool 3.6
CVE:
  CVE-2013-1464 (Cross-site scripting (XSS) vulnerability in assets/player.swf in the Audio Player plugin before 2.0.4.6 for Wordpress allows remote attackers to inject arbitrary web script or HTML via the playerID parameter.)
 CVE-2013-1463 (Cross-site scripting (XSS) vulnerability in js/tabletools/zeroclipboard.swf in the WP-Table Reloaded module before 1.9.4 for Wordpress allows remote attackers to inject arbitrary web script or HTML via the id parameter. NOTE: this might be the same vulnerability as CVE-2013-1808. If so, it is likely that CVE-2013-1463 will be REJECTed.)
 CVE-2013-1409 (Cross-site scripting (XSS) vulnerability in the CommentLuv plugin before 2.92.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via the _ajax_nonce parameter to wp-admin/admin-ajax.php.)
 CVE-2013-1408 (Multiple SQL injection vulnerabilities in the Wysija Newsletters plugin before 2.2.1 for WordPress allow remote authenticated administrators to execute arbitrary SQL commands via the (1) search or (2) orderby parameter to wp-admin/admin.php. NOTE: this can be leveraged using CSRF to allow remote unauthenticated attackers to execute arbitrary SQL commands.)
 CVE-2013-0214 (Cross-site request forgery (CSRF) vulnerability in the Samba Web Administration Tool (SWAT) in Samba 3.x before 3.5.21, 3.6.x before 3.6.12, and 4.x before 4.0.2 allows remote attackers to hijack the authentication of arbitrary users by leveraging knowledge of a password and composing requests that perform SWAT actions.)
 CVE-2013-0213 (The Samba Web Administration Tool (SWAT) in Samba 3.x before 3.5.21, 3.6.x before 3.6.12, and 4.x before 4.0.2 allows remote attackers to conduct clickjacking attacks via a (1) FRAME or (2) IFRAME element.)
 CVE-2012-6096 (Multiple stack-based buffer overflows in the get_history function in history.cgi in Nagios Core before 3.4.4, and Icinga 1.6.x before 1.6.2, 1.7.x before 1.7.4, and 1.8.x before 1.8.4, might allow remote attackers to execute arbitrary code via a long (1) host_name variable (host parameter) or (2) svc_description variable.)
Original documents:
  DEBIAN, [SECURITY] [DSA 2616-1] nagios3 security update (11.02.2013)
  Michal Blaszczak, Directory Traversal - EasyITSP <= 2.0.7 (11.02.2013)
  Vulnerability Lab, 0day full - Free Monthly Websites v2.0 - Multiple Web Vulnerabilities (11.02.2013)
  noreply_(at)_ptsecurity.ru, [PT-2012-53] Privilege Gaining in DataLife Engine (11.02.2013)
  hip_(at)_insight-labs.org, [CVE-2013-1463] Wordpress wp-table-reloaded plugin XSS in SWF (11.02.2013)
  High-Tech Bridge Security Research, SQL Injection Vulnerability in Wysija Newsletters WordPress Plugin (11.02.2013)
  High-Tech Bridge Security Research, Cross-Site Scripting (XSS) Vulnerability in CommentLuv WordPress Plugin (11.02.2013)
  Egidio Romano, [KIS-2013-02] CubeCart <= 5.2.0 (cubecart.class.php) PHP Object Injection Vulnerability (11.02.2013)
  hip_(at)_insight-labs.org, [CVE-2013-1464] Wordpress Audio Player Plugin XSS in SWF (11.02.2013)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod