Computer Security

Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
SecurityVulns ID:12910
Threat Level:
Description: PHP inclusions, SQL injections, directory traversals, cross-site scripting, information leaks, etc.
Affected: FOSWIKI : Foswiki 1.1
 RUBY : ruby_parser 2.0
 WORDPRESS : pretty-link 1.6
 GLFUSION : glFusion 1.2
 PHPFUSION : PHP-Fusion 7.02
 ZEROCLIPBOARD : ZeroClipboard 1.0
CVE: CVE-2013-1759 (Cross-site scripting (XSS) vulnerability in the Responsive Logo Slideshow plugin for WordPress allows remote attackers to inject arbitrary web script or HTML via the "URL and Image" field.)
 CVE-2013-1758 (Cross-site scripting (XSS) vulnerability in the Marekkis Watermark plugin 0.9.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the pfad parameter to wp-admin/options-general.php. NOTE: some of these details are obtained from third party information.)
 CVE-2013-1636 (Cross-site scripting (XSS) vulnerability in open-flash-chart.swf in Open Flash Chart (aka Open-Flash Chart), as used in the Pretty Link Lite plugin before 1.6.3 for WordPress, JNews (com_jnews) component 8.0.1 for Joomla!, and CiviCRM 3.1.0 through 4.2.9 and 4.3.0 through 4.3.3, allows remote attackers to inject arbitrary web script or HTML via the get-data parameter.)
 CVE-2013-1466 (Multiple cross-site scripting (XSS) vulnerabilities in glFusion before 1.2.2.pl4 allow remote attackers to inject arbitrary web script or HTML via the (1) subject parameter to profiles.php; (2) address1, (3) address2, (4) calendar_type, (5) city, (6) state, (7) title, (8) url, or (9) zipcode parameter to calendar/index.php; (10) title or (11) url parameter to links/index.php; or (12) PATH_INFO to admin/plugins/mediagallery/xppubwiz.php/.)
 CVE-2013-1362 (Incomplete blacklist vulnerability in nrpc.c in Nagios Remote Plug-In Executor (NRPE) before 2.14 might allow remote attackers to execute arbitrary shell commands via "$()" shell metacharacters, which are processed by bash.)
 CVE-2013-0162 (The diff_pp function in lib/gauntlet_rubyparser.rb in the ruby_parser gem 3.1.1 and earlier for Ruby allows local users to overwrite arbitrary files via a symlink attack on a temporary file with a predictable name in /tmp.)
 CVE-2012-6329 (The _compile function in the Locale::Maketext implementation in Perl before 5.17.7 does not properly handle backslashes and fully qualified method names during compilation of bracket notation, which allows context-dependent attackers to execute arbitrary commands via crafted input to an application that accepts translation strings from users, as demonstrated by the TWiki application before 5.1.3, and the Foswiki application 1.0.x through 1.0.10 and 1.1.x through 1.1.6.)
Original document: MustLive, XSS vulnerabilities in ZeroClipboard (24.02.2013)
 MustLive, XSS vulnerabilities in YAML, Multiproject for Trac, UserCollections for Piwigo, TAO and TableTools for DataTables for jQuery (24.02.2013)
 MustLive, XSS vulnerabilities in em-shorty, RepRapCalculator, Fulcrum, Django and aCMS (24.02.2013)
 Krzysztof Katowicz-Kowalewski, PHP-Fusion 7.02.05 SQL Injection (24.02.2013)
 Emmanuel FARCY, Reflective XSS in Marekkis Watermark-Plugin Cross-Site Scripting Vulnerability (24.02.2013)
 Emmanuel FARCY, Reflective/Stored XSS in Responsive Logo Slideshow Plugin Cross-Site Scripting Vulnerability (24.02.2013)
 robert_(at), SQLi found in Kodak Insite (24.02.2013)
 High-Tech Bridge Security Research, Multiple Cross-Site Scripting (XSS) in glFusion (24.02.2013)
 George Clark, Foswiki Security: Alert CVE-2013-1666 - Remote Code Execution Vulnerability in MAKETEXT macro. (24.02.2013)
 Rudolph Pereira, OSEC-2013-01: nagios metacharacter filtering omission (24.02.2013)
 hip_(at), [CVE-2013-1636] Wordpress pretty-link plugin XSS in SWF (24.02.2013)
 REDHAT, CVE-2013-0162 rubygem-ruby_parser: incorrect temporary file usage / Public Service Announcement (24.02.2013)

© SecurityVulns, 3APA3A, Vladimir Dubrovin