Computer Security

Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
SecurityVulns ID:13548
Threat Level:
Description: PHP inclusions, SQL injections, directory traversals, cross-site scripting, information leaks, etc.
Affected: JOOMLA : JomSocial 3.1
 JOOMLA : JV Comment 3.0
 JOOMLA : Komento 1.7
 EVENTUM : Eventum 2.3
 JAMON : JAMon 2.7
 DRUPAL : EventCalendar 7.14
 MEDIATRIX : Mediatrix 4402
 DRUPAL : Drupal 7.25
 OPENPNE : OpenPNE 3.8
 WORDPRESS : Contact Form 7 3.5
 CVE-2014-1612 (Cross-site scripting (XSS) vulnerability in login.esp in the Web Management Interface in Media5 Mediatrix 4402 VoIP Gateway with firmware Dgw and earlier allows remote attackers to inject arbitrary web script or HTML via the username parameter.)
 CVE-2014-1607 (** DISPUTED ** Cross-site scripting (XSS) vulnerability in the EventCalendar module for Drupal 7.14 allows remote attackers to inject arbitrary web script or HTML via the year parameter to eventcalander/. NOTE: this issue has been disputed by the Drupal Security Team; it may be site-specific. If so, then this CVE will be REJECTed in the future.)
 CVE-2014-1476 (The Taxonomy module in Drupal 7.x before 7.26, when upgraded from an earlier version of Drupal, does not properly restrict access to unpublished content, which allows remote authenticated users to obtain sensitive information via a listing page.)
 CVE-2014-1475 (The OpenID module in Drupal 6.x before 6.30 and 7.x before 7.26 allows remote OpenID users to authenticate as other users via unspecified vectors.)
 CVE-2014-0794 (SQL injection vulnerability in the JV Comment (com_jvcomment) component before 3.0.3 for Joomla! allows remote authenticated users to execute arbitrary SQL commands via the id parameter in an action to index.php.)
 CVE-2014-0793 (Multiple cross-site scripting (XSS) vulnerabilities in the StackIdeas Komento (com_komento) component before 1.7.3 for Joomla! allow remote attackers to inject arbitrary web script or HTML via the (1) website or (2) latitude parameter in a comment to the default URI.)
 CVE-2013-6235 (Multiple cross-site scripting (XSS) vulnerabilities in JAMon (Java Application Monitor) 2.7 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) listenertype or (2) currentlistener parameter to mondetail.jsp or ArraySQL parameter to (3) mondetail.jsp, (4) jamonadmin.jsp, (5) sql.jsp, or (6) exceptions.jsp.)
 CVE-2013-5350 (The "Remember me" feature in the opSecurityUser::getRememberLoginCookie function in lib/user/opSecurityUser.class.php in OpenPNE 3.6.x before 3.6.13 and 3.8.x before 3.8.9 does not properly validate login data in HTTP Cookie headers, which allows remote attackers to conduct PHP object injection attacks, and execute arbitrary PHP code, via a crafted serialized object.)
Original documents:
 MustLive, Code Execution vulnerability in Contact Form 7 for WordPress (03.02.2014)
 MustLive, Vulnerabilities in Contact Form 7 for WordPress (03.02.2014)
 SECUNIA, Secunia Research: OpenPNE PHP Object Injection Vulnerability (03.02.2014)
 DEBIAN, [SECURITY] [DSA 2847-1] drupal7 security update (03.02.2014)
 tudor.enache_(at), Reflected cross-site scripting (XSS) vulnerability in Mediatrix Web Management Interface login page (03.02.2014)
 ali.hussein_(at), [CVE-2014-1607.] Cross Site Scripting (XSS) in Drupal Event calendar module (03.02.2014)
 Christian Catalano, [CVE-2013-6235] - Multiple Reflected XSS vulnerabilities in JAMon v2.7 (03.02.2014)
 High-Tech Bridge Security Research, Multiple Vulnerabilities in Eventum (03.02.2014)
 High-Tech Bridge Security Research, Cross-Site Scripting (XSS) in Komento Joomla Extension (03.02.2014)
 High-Tech Bridge Security Research, SQL Injection in JV Comment Joomla Extension (03.02.2014)
 Mark Litchfield, Ektron CMS Take Over - Hijacking Accounts (03.02.2014)
 Mark Litchfield, Vulnerabilities within Mura CMS / Sitecore MCS / SmarterMail (03.02.2014)
 Mark Litchfield, SiteCore XML Control Script Insertion (03.02.2014)
 matias.fontanini_(at), Joomla! JomSocial component < - Remote code execution (03.02.2014)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod