Computer Security
Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
Published: 02.02.2015
SecurityVulns ID: 14253
Type: remote
Threat Level: 5/10
Description: PHP inclusions, SQL injections, directory traversals, cross-site scripting, information leaks, etc.
Affected:
 ZOHO : SupportCenter Plus 7.9
 WORDPRESS : Photo Gallery 1.2
 MICROWEB : Microweber 0.95
 MANTISBT : MantisBT 1.2
 WORDPRESS : Blubrry PowerPress 6.0
 FANCYCON : FAMOC 3.16
 SEFRENGO : Sefrengo CMS 1.6
 WORDPRESS : Banner Effect Header 1.2
CVE:
 CVE-2015-1428 (Multiple SQL injection vulnerabilities in Sefrengo before 1.6.2 allow (1) remote attackers to execute arbitrary SQL commands via the sefrengo cookie in a login to backend/main.php or (2) remote authenticated users to execute arbitrary SQL commands via the value_id parameter in a save_value action to backend/main.php.)
 CVE-2015-1394
 CVE-2015-1393 (SQL injection vulnerability in the Photo Gallery plugin before 1.2.11 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the asc_or_desc parameter in a create gallery request in the galleries_bwg page to wp-admin/admin.php.)
 CVE-2015-1385 (Cross-site scripting (XSS) vulnerability in the Blubrry PowerPress Podcasting plugin before 6.0.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the cat parameter in a powerpress-editcategoryfeed action in the powerpressadmin_categoryfeeds.php page to wp-admin/admin.php.)
 CVE-2015-1384 (Cross-site scripting (XSS) vulnerability in the Banner Effect Header plugin before 1.2.8 for WordPress allows remote attackers to inject arbitrary web script or HTML via the banner_effect_divid parameter in the BannerEffectOptions page to wp-admin/options-general.php.)
 CVE-2015-0866 (Multiple cross-site scripting (XSS) vulnerabilities in Zoho ManageEngine SupportCenter Plus 7.9 before hotfix 7941 allow remote attackers to inject arbitrary web script or HTML via the (1) fromCustomer, (2) username, or (3) password parameter to HomePage.do.)
 CVE-2014-9573 (SQL injection vulnerability in manage_user_page.php in MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 allows remote administrators with FILE privileges to execute arbitrary SQL commands via the MANTIS_MANAGE_USERS_COOKIE cookie.)
 CVE-2014-9572 (MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 does not properly restrict access to /*/install.php, which allows remote attackers to obtain database credentials via the install parameter with the value 4.)
 CVE-2014-9571 (Cross-site scripting (XSS) vulnerability in admin/install.php in MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 allows remote attackers to inject arbitrary web script or HTML via the (1) admin_username or (2) admin_password parameter.)
 CVE-2014-9464 (SQL injection vulnerability in Category.php in Microweber CMS 0.95 before 20141209 allows remote attackers to execute arbitrary SQL commands via the category parameter when displaying a category, related to the $parent_id variable.)
Original documents:
 Onur Yilmaz, Banner Effect Header Security Advisory - XSS Vulnerability - CVE-2015-1384 (02.02.2015)
 itas.team_(at)_itas.vn, Sefrengo CMS v1.6.1 - Multiple SQL Injection Vulnerabilities (02.02.2015)
 itas.team_(at)_itas.vn, Microweber 0.95 - SQL Injection Vulnerability (02.02.2015)
 Pedro Ribeiro, [The ManageOwnage Series, part XII]: Multiple vulnerabilities in FailOverServlet (OpManager, AppManager, IT360) (02.02.2015)
 Onur Yilmaz, Blubrry PowerPress Security Advisory - XSS Vulnerability - CVE-2015-1385 (02.02.2015)
 High-Tech Bridge Security Research, Multiple vulnerabilities in MantisBT (02.02.2015)
 High-Tech Bridge Security Research, Two XSS Vulnerabilities in SupportCenter Plus (02.02.2015)
 sven_(at)_bsddaemon.org, [CVE-2015-1394] Photo Gallery (Wordpress Plugin) - Multiple XSS Vulnerabilities Version 1.2.8 (02.02.2015)
 sven_(at)_bsddaemon.org, [CVE-2015-1393] Photo Gallery (Wordpress Plugin) - SQL Injection in Version 1.2.8 (02.02.2015)
 matthias.deeg_(at)_syss.de, [SYSS-2014-013] FancyFon FAMOC - Use of a One-Way Hash without a Salt (02.02.2015)
 matthias.deeg_(at)_syss.de, [SYSS-2014-012] FancyFon FAMOC - Session Fixation (02.02.2015)
 matthias.deeg_(at)_syss.de, [SYSS-2014-011] FancyFon FAMOC - Cross-Site Scripting (02.02.2015)
 matthias.deeg_(at)_syss.de, [SYSS-2014-010] FancyFon FAMOC - SQL Injection (02.02.2015)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod