Computer Security
Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
updated since 22.02.2015
Published: 23.02.2015
Source:
SecurityVulns ID: 14273
Type: remote
Threat Level: 5/10
Description: PHP inclusions, SQL injections, directory traversals, cross-site scripting, information leaks, etc.
Affected: BUGZILLA : Bugzilla 4.2
 LANDESK : Landesk Management Suite 9.5
 RADEXSCRIPT : Radexscript CMS 2.2
 WORDPRESS : Liftux holding_pattern 0.6
 NINJAFORMS : Ninja Forms 2.8
 WORDPRESS : Easing Slider 2.2
 ARTICLEFR : articleFR 3.0
 PIWIGO : Piwigo 2.7
 ZARAFA : zarafa 7.1
 FATFREECRM : Fat Free CRM 0.13
 UNIT4 : Prosoft HRMS 8.14
 BMC : BMC Footprints 11.5
 JUIFILTERRULES : jui_filter_rules 1.6
 HYBRIS : Hybris 5.3
 FORKCMS : Fork CMS 3.8
 MANAGEENGINE : ManageEngine Desktop Central 9
 PANDORAFMS : Pandora FMS 5.1
 MYLITTLEFORUM : my little forum 2.3
 DJANGO : django 1.7
CVE: CVE-2015-1614 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Image Metadata Cruncher plugin for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) image_metadata_cruncher[alt] or (2) image_metadata_cruncher[caption] parameter in an update action in the image_metadata_cruncher_title page to wp-admin/options.php or (3) custom image meta tag to the image metadata cruncher page.)
 CVE-2015-1585 (Fat Free CRM before 0.13.6 allows remote attackers to conduct cross-site request forgery (CSRF) attacks via a request without the authenticity_token, as demonstrated by a crafted HTML page that creates a new administrator account.)
 CVE-2015-1518 (SQL injection vulnerability in the search_post function in includes/search.php in Redaxscript before 2.3.0 allows remote attackers to execute arbitrary SQL commands via the search_terms parameter.)
 CVE-2015-1517 (SQL injection vulnerability in Piwigo before 2.7.4, when all filters are activated, allows remote authenticated users to execute arbitrary SQL commands via the filter_level parameter in a "Refresh photo set" action in the batch_manager page to admin.php.)
 CVE-2015-1467 (Multiple SQL injection vulnerabilities in Translations in Fork CMS before 3.8.6 allow remote authenticated users to execute arbitrary SQL commands via the (1) language[] or (2) type[] parameter to private/en/locale/index.)
 CVE-2015-1436 (Cross-site scripting (XSS) vulnerability in the Easing Slider plugin before 2.2.0.7 for WordPress allows remote attackers to inject arbitrary web script or HTML via the edit parameter in the (1) easingslider_manage_customizations or (2) easingslider_edit_sliders page to wp-admin/admin.php.)
 CVE-2015-1435 (Cross-site scripting (XSS) vulnerability in my little forum before 2.3.4 allows remote attackers to inject arbitrary web script or HTML via the back parameter to index.php.)
 CVE-2015-1434 (Multiple SQL injection vulnerabilities in my little forum before 2.3.4 allow remote administrators to execute arbitrary SQL commands via the (1) letter parameter in a user action or (2) edit_category parameter to index.php.)
 CVE-2015-1364 (SQL injection vulnerability in the getProfile function in system/profile.functions.php in Free Reprintables ArticleFR 3.0.5 allows remote attackers to execute arbitrary SQL commands via the username parameter to register/.)
 CVE-2015-1363 (Cross-site scripting (XSS) vulnerability in Free Reprintables ArticleFR 3.0.5 allows remote attackers to inject arbitrary web script or HTML via the q parameter to search/v/.)
 CVE-2015-1172 (Unrestricted file upload vulnerability in admin/upload-file.php in the Holding Pattern theme (aka holding_pattern) 0.6 and earlier for WordPress allows remote attackers to execute arbitrary PHP code by uploading a file with a PHP extension, then accessing it via a direct request to the file in an unspecified directory.)
 CVE-2014-9465 (senddocument.php in Zarafa WebApp before 2.0 beta 3 and WebAccess in Zarafa Collaboration Platform (ZCP) 7.x before 7.1.12 beta 1 and 7.2.x before 7.2.0 beta 1 allows remote attackers to cause a denial of service (/tmp disk consumption) by uploading a large number of files.)
 CVE-2014-9331 (Cross-site request forgery (CSRF) vulnerability in ZOHO ManageEngine Desktop Central before 9 build 90130 allows remote attackers to hijack the authentication of administrators for requests that add an administrator account via an addUser action to STATE_ID/1417736606982/roleMgmt.do.)
 CVE-2014-8871
 CVE-2014-8630 (Bugzilla before 4.0.16, 4.1.x and 4.2.x before 4.2.12, 4.3.x and 4.4.x before 4.4.7, and 5.x before 5.0rc1 allows remote authenticated users to execute arbitrary commands by leveraging the editcomponents privilege and triggering crafted input to a two-argument Perl open call, as demonstrated by shell metacharacters in a product name.)
 CVE-2014-5360 (Cross-site scripting (XSS) vulnerability in the admin interface in LANDESK Management Suite before 9.6 SP1 allows remote attackers to inject arbitrary web script or HTML via the AMTVersion parameter to remote/serverlist_grouptree.aspx.)
Original documents: alex_haynes_(at)_outlook.com, CVE-2014-5360 Landesk Management Suite XSS (Cross-Site Scripting) Security Vulnerability (23.02.2015)
 tien.d.tran_(at)_itas.vn, articleFR CMS 3.0.5 - Arbitrary File Upload (23.02.2015)
 tien.d.tran_(at)_itas.vn, articleFR CMS 3.0.5 - SQL injection vulnerability (23.02.2015)
 tien.d.tran_(at)_itas.vn, articleFR CMS 3.0.5 - XSS vulnerability (23.02.2015)
 sven_(at)_bsddaemon.org, [CVE-2015-1467] Fork CMS - SQL Injection in Version 3.8.5 (23.02.2015)
 borg_(at)_servernet.se, CVE-2015-1172 Wordpress-theme remote arbitrary code (23.02.2015)
 MANDRIVA, [ MDVSA-2015:030 ] bugzilla (23.02.2015)
 MANDRIVA, [ MDVSA-2015:036 ] python-django (23.02.2015)
 ayman.abdelaziz_(at)_helpag.com, BMC Footprints Service Core 11.5 - Multiple Cross Site Scripting Vulnerabilities (XSS) (23.02.2015)
 itas.team_(at)_itas.vn, Radexscript CMS 2.2.0 - SQL Injection vulnerability (23.02.2015)
 MANDRIVA, [ MDVSA-2015:040 ] zarafa (22.02.2015)
 High-Tech Bridge Security Research, Two Reflected XSS Vulnerabilities in Easing Slider WordPress Plugin (22.02.2015)
 High-Tech Bridge Security Research, Multiple Vulnerabilities in my little forum (22.02.2015)
 Vulnerability Lab, Pandora FMS v5.1 SP1 - SQL Injection Web Vulnerability (22.02.2015)
 sn_(at)_1dn.eu, Ninja Forms WordPress Plugin Multiple Cross-Site Scripting Vulnerability (22.02.2015)
 jerold_(at)_v00d00sec.com, UNIT4 Prosoft HRMS XSS Vulnerability (22.02.2015)
 sven_(at)_bsddaemon.org, [CVE-2015-1585] Fat Free CRM - CSRF Vulnerability in Version 0.13.5 (22.02.2015)
 l0om, Cosmoshop - XSS on Admin-Login Mask (22.02.2015)
 kingkaustubh_(at)_me.com, Multiple Cross site scripting in wordpress Plugin Image Metadata cruncher (22.02.2015)
 kingkaustubh_(at)_me.com, CVE-2015-1614 csrf/xss in wordpress Plugin Image Metadata cruncher (22.02.2015)
 RedTeam Pentesting, [RT-SA-2014-016] Directory Traversal and Arbitrary File Disclosure in hybris Commerce Software Suite (22.02.2015)
 sven_(at)_bsddaemon.org, [CVE-2015-1517] Piwigo - SQL Injection in Version 2.7.3 (22.02.2015)
 tschmid_(at)_ernw.de, PHP Code Execution in jui_filter_rules Parsing Library (22.02.2015)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod