Computer Security


Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
updated since 03.10.2013
Published:03.10.2013
Source:
SecurityVulns ID:13318
Type:remote
Threat Level:5/10
Description:PHP file inclusions, SQL injections, directory traversals, cross-site scripting, information leaks, etc.
Affected:PHPBB : phpBB 3.0
 WIKKA : WikkaWiki 1.3
 SILVERSTRIPE : SilverStripe CMS 3.0
 EPROLOG : elproLOG MONITOR WebAccess 2.1
 SEMPERFIWEBDESIG : All in One SEO Pack 2.0
 VTIGER : vtiger CRM 5.4
 EXPRESSIONENGINE : ExpressionEngine 2.6
 MEDIAWIKI : mediawiki 1.20
 MOODLE : Moodle 2.5
 OWASP : ESAPI 2.0
 WORDPRESS : Design-approval-system 3.6
 WORDPRESS : Event Easy Calendar 1.0
CVE:CVE-2013-5679 (The authenticated-encryption feature in the symmetric-encryption implementation in the OWASP Enterprise Security API (ESAPI) for Java 2.x before 2.1.0 does not properly resist tampering with serialized ciphertext, which makes it easier for remote attackers to bypass intended cryptographic protection mechanisms via an attack against authenticity in the default configuration, involving a null MAC and a zero MAC length.)
 CVE-2013-5586 (Cross-site scripting (XSS) vulnerability in wikka.php in WikkaWiki before 1.3.4-p1 allows remote attackers to inject arbitrary web script or HTML via the wakka parameter to sql/.)
 CVE-2013-5091 (SQL injection vulnerability in CalendarCommon.php in vTiger CRM 5.4.0 and possibly earlier allows remote authenticated users to execute arbitrary SQL commands via the onlyforuser parameter in an index action to index.php. NOTE: this issue might be a duplicate of CVE-2011-4559.)
 CVE-2013-4303
 CVE-2013-4302 ((1) ApiBlock.php, (2) ApiCreateAccount.php, (3) ApiLogin.php, (4) ApiMain.php, (5) ApiQueryDeletedrevs.php, (6) ApiTokens.php, and (7) ApiUnblock.php in includes/api/ in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allow remote attackers to obtain CSRF tokens and bypass the cross-site request forgery (CSRF) protection mechanism via a JSONP request to wiki/api.php.)
 CVE-2013-4301 (includes/resourceloader/ResourceLoaderContext.php in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allows remote attackers to obtain sensitive information via a "<" (open angle bracket) character in the lang parameter to w/load.php, which reveals the installation path in an error message.)
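The CVE-2013-5679 entry above describes an authenticated-encryption verifier that accepts a serialized ciphertext whose MAC length field is zero, deserializes the MAC as null, and then skips the integrity check. The following is an added illustration, not ESAPI's code: the wire layout, field names, keys, a toy keystream built from HMAC-SHA256 (standing in for AES/CTR so it runs on the standard library alone) and the sample plaintext are all constructed here. It shows the tamper-then-strip-MAC attack succeeding against a verifier with that flaw and failing against one that treats a missing MAC as a failure.

```python
import hashlib
import hmac
import os
import struct


def keystream(enc_key: bytes, iv: bytes, n: int) -> bytes:
    """Toy stream-cipher keystream: HMAC-SHA256(enc_key, iv || counter) blocks.

    Stands in for AES/CTR so the example needs only the standard library;
    the MAC handling below is the point, not the cipher.
    """
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(enc_key, iv + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def serialize(iv: bytes, ct: bytes, mac: bytes) -> bytes:
    """Hypothetical wire format: iv(16) | ct_len(4) | ct | mac_len(2) | mac."""
    return iv + struct.pack(">I", len(ct)) + ct + struct.pack(">H", len(mac)) + mac


def parse(blob: bytes):
    iv = blob[:16]
    (ct_len,) = struct.unpack(">I", blob[16:20])
    ct = blob[20:20 + ct_len]
    (mac_len,) = struct.unpack(">H", blob[20 + ct_len:22 + ct_len])
    mac = blob[22 + ct_len:22 + ct_len + mac_len]
    # A zero MAC length deserializes to "no MAC"; that is the value the
    # vulnerable verifier mishandles.
    return iv, ct, (mac if mac_len else None)


def encrypt(enc_key: bytes, mac_key: bytes, plaintext: bytes, iv: bytes = None) -> bytes:
    iv = iv or os.urandom(16)
    ct = xor(plaintext, keystream(enc_key, iv, len(plaintext)))
    mac = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    return serialize(iv, ct, mac)


def decrypt_vulnerable(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verifier with the flaw the advisory describes: a null MAC skips the check."""
    iv, ct, mac = parse(blob)
    if mac is not None:
        expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            raise ValueError("MAC check failed")
    return xor(ct, keystream(enc_key, iv, len(ct)))


def decrypt_fixed(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Hardened verifier: a missing or wrong-length MAC is a failure, never a skip."""
    iv, ct, mac = parse(blob)
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if mac is None or len(mac) != len(expected) or not hmac.compare_digest(mac, expected):
        raise ValueError("MAC missing or invalid")
    return xor(ct, keystream(enc_key, iv, len(ct)))


def forge(blob: bytes, known: bytes, desired: bytes, offset: int) -> bytes:
    """Attacker step: drop the MAC (mac_len = 0) and flip ciphertext bytes.

    In a stream mode, XORing ciphertext with known ^ desired at a position whose
    plaintext the attacker knows rewrites that plaintext to `desired`.
    """
    iv, ct, _ = parse(blob)
    ct = bytearray(ct)
    for i, (k, d) in enumerate(zip(known, desired)):
        ct[offset + i] ^= k ^ d
    return serialize(iv, bytes(ct), b"")


def demo():
    """Returns (what the vulnerable verifier decrypts, whether the fixed one rejects)."""
    enc_key, mac_key = b"e" * 32, b"m" * 32  # constructed demo keys, not real ones
    token = encrypt(enc_key, mac_key, b"role=user", iv=b"\x00" * 16)
    forged = forge(token, b"user", b"root", offset=len(b"role="))
    tampered = decrypt_vulnerable(enc_key, mac_key, forged)
    try:
        decrypt_fixed(enc_key, mac_key, forged)
        rejected = False
    except ValueError:
        rejected = True
    return tampered, rejected


if __name__ == "__main__":
    print(demo())  # (b'role=root', True)
```

The check a practitioner wants on any authenticated-encryption deserializer is the one in `decrypt_fixed`: the MAC is compared against a fixed expected length before the constant-time comparison, so neither a null MAC nor a truncated one can short-circuit verification, and the decision to verify is never driven by a length field the attacker controls.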
Original document:roguecoder_(at)_hush.com, Event Easy Calendar 1.0.0 WP plugin (03.10.2013)
 DEBIAN, [SECURITY] [DSA 2752-1] phpbb3 security update (03.10.2013)
 High-Tech Bridge Security Research, Cross-Site Scripting (XSS) in WikkaWiki (03.10.2013)
 Alexandro Silva, [iBliss Security Advisory] Cross-Site Scripting (XSS) vulnerability in Design-approval-system wordpress plugin (03.10.2013)
 Kevin W. Wall, OWASP ESAPI Security Advisory: MAC Bypass in ESAPI Symmetric Encryption (03.10.2013)
 Emilio Pinna, Moodle 2.5.0-1 (badges/external.php) PHP Object Injection Vulnerability (03.10.2013)
 MANDRIVA, [ MDVSA-2013:235 ] mediawiki (03.10.2013)
 Richard Clifford, ExpressionEngine 2.6 Persistent XSS (03.10.2013)
 High-Tech Bridge Security Research, SQL Injection in vtiger CRM (03.10.2013)
 Vulnerability Lab, SilverStripe Framework CMS 3.0.5 - Multiple Web Vulnerabilities (03.10.2013)
 Vulnerability Lab, elproLOG MONITOR WebAccess 2.1 - Multiple Web Vulnerabilities (03.10.2013)
 Vulnerability Lab, WebAssist PowerCMS PHP - Multiple Web Vulnerabilities (03.10.2013)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod