Computer Security

Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
SecurityVulns ID:14543
Threat Level:
Description: PHP inclusions, SQL injections, directory traversals, cross-site scripting, information leaks, etc.
Affected:WORDPRESS : se-html5-album-audio-player 1.1
 ISPCONFIG : ISPConfig 3.0
 SYMPHONY : Symphony CMS 2.6
 CONCRETE5 : Concrete5 CMS 5.7
 NOVELL : ZENworks 3.1
 ADOBE : Adobe Connect 9.3
 WORDPRESS : aviary-image-editor-add-on-for-gravity-forms 3.0
 ELASTIC : Kibana 4.0
 BONITASOFT : Bonita BPM 6.5
 SILVERSTRIPE : SilverStripe CMS 3.1
CVE:CVE-2015-4119 (Multiple cross-site request forgery (CSRF) vulnerabilities in ISPConfig before allow remote attackers to hijack the authentication of (1) administrators for requests that create an administrator account via a request to admin/users_edit.php or (2) arbitrary users for requests that conduct SQL injection attacks via the server parameter to monitor/show_sys_state.php.)
 CVE-2015-4118 (SQL injection vulnerability in monitor/show_sys_state.php in ISPConfig before allows remote authenticated users with monitor permissions to execute arbitrary SQL commands via the server parameter. NOTE: this can be leveraged by remote attackers using CVE-2015-4119.)
 CVE-2015-4093 (Cross-site scripting (XSS) vulnerability in Elasticsearch Kibana 4.x before 4.0.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.)
 CVE-2015-3897 (Directory traversal vulnerability in Bonita BPM Portal before 6.5.3 allows remote attackers to read arbitrary files via a .. (dot dot) in the theme parameter and a file path in the location parameter to bonita/portal/themeResource.)
 CVE-2015-0343 (Cross-site scripting (XSS) vulnerability in admin/home/homepage/search in the web app in Adobe Connect before 9.4 allows remote attackers to inject arbitrary web script or HTML via the query parameter.)
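The CVE entries above name concrete request shapes (a `..` in the `theme` parameter of bonita/portal/themeResource, SQL metacharacters in the `server` parameter of monitor/show_sys_state.php, markup in the `query` parameter of admin/home/homepage/search, and a forged POST to admin/users_edit.php). The following script is an added example, not code from SecurityVulns or from any of the vendors listed; it runs those shapes as detection rules over access-log lines in combined log format. The log lines, IPs and hostnames are constructed, and `TRUSTED_ORIGIN` is a hypothetical value standing in for the panel's real origin. Query values are percent-decoded a second time so that double-encoded payloads are not missed.

```python
"""Access-log detection rules for the request patterns described in the
CVE entries above. Added example: constructed sample data, not real logs."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption (hypothetical value): the ISPConfig panel is served from this
# origin, so a legitimate POST to admin/users_edit.php carries a Referer under it.
TRUSTED_ORIGIN = "https://panel.example.test"

# Combined log format: ip ident user [ts] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

TRAVERSAL_RE = re.compile(r'(^|[/\\])\.\.([/\\]|$)')        # a ".." path segment
SQLI_RE = re.compile(r"""['"]|--|/\*|\b(?:or|and|union|select|sleep)\b""", re.I)
XSS_RE = re.compile(r'<\s*/?\s*[a-z]|javascript:|\bon[a-z]+\s*=', re.I)

# Constructed sample lines (addresses and hostnames are made up).
SAMPLE_LOG = """\
10.0.0.5 - - [14/Jun/2015:10:01:02 +0000] "GET /bonita/portal/themeResource?theme=..%2F..%2F..%2F..%2Fetc&location=passwd HTTP/1.1" 200 1234 "-" "curl/7.38"
10.0.0.6 - - [14/Jun/2015:10:01:03 +0000] "GET /bonita/portal/themeResource?theme=portal&location=css/main.css HTTP/1.1" 200 4321 "https://bpm.example.test/bonita/" "Mozilla/5.0"
10.0.0.7 - - [14/Jun/2015:10:02:00 +0000] "GET /monitor/show_sys_state.php?server=1%2527%2520OR%25201%253D1 HTTP/1.1" 200 99 "-" "python-requests/2.7"
10.0.0.8 - - [14/Jun/2015:10:02:10 +0000] "GET /monitor/show_sys_state.php?server=2 HTTP/1.1" 200 99 "https://panel.example.test/monitor/" "Mozilla/5.0"
10.0.0.9 - - [14/Jun/2015:10:03:00 +0000] "POST /admin/users_edit.php HTTP/1.1" 302 0 "http://attacker.example.test/form.html" "Mozilla/5.0"
10.0.0.10 - - [14/Jun/2015:10:03:01 +0000] "POST /admin/users_edit.php HTTP/1.1" 302 0 "https://panel.example.test/admin/users_list.php" "Mozilla/5.0"
10.0.0.11 - - [14/Jun/2015:10:04:00 +0000] "GET /admin/home/homepage/search?query=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 77 "-" "Mozilla/5.0"
"""


def _params(target):
    """Query parameters; parse_qs decodes once, unquote again catches %2527-style double encoding."""
    query = urlsplit(target).query
    return {k: [unquote(v) for v in vs]
            for k, vs in parse_qs(query, keep_blank_values=True).items()}


def _any(pattern, values):
    return any(pattern.search(v) for v in values)


def classify(line):
    """Return the names of the rules a single access-log line triggers."""
    m = LOG_RE.match(line)
    if not m:
        return []
    path = urlsplit(m["target"]).path
    params = _params(m["target"])
    hits = []
    if path.endswith("/bonita/portal/themeResource") and _any(TRAVERSAL_RE, params.get("theme", [])):
        hits.append("CVE-2015-3897 traversal via theme")
    if path.endswith("/monitor/show_sys_state.php") and _any(SQLI_RE, params.get("server", [])):
        hits.append("CVE-2015-4118 SQLi via server")
    if path.endswith("/admin/home/homepage/search") and _any(XSS_RE, params.get("query", [])):
        hits.append("CVE-2015-0343 XSS via query")
    # CSRF heuristic: a state-changing POST whose Referer is missing or off-site.
    if (path.endswith("/admin/users_edit.php") and m["method"] == "POST"
            and not (m["referer"] + "/").startswith(TRUSTED_ORIGIN + "/")):
        hits.append("CVE-2015-4119 possible CSRF (off-site or missing Referer)")
    return hits


def scan(log_text):
    """Return [(ip, rule), ...] for every line that triggers at least one rule."""
    findings = []
    for line in log_text.splitlines():
        for rule in classify(line):
            findings.append((LOG_RE.match(line)["ip"], rule))
    return findings


if __name__ == "__main__":
    for ip, rule in scan(SAMPLE_LOG):
        print(ip, rule)
```

The Referer rule is only a heuristic: browsers may strip the header, so treat a hit as a lead to correlate with the account-creation audit trail rather than as proof of CSRF. The SQL and XSS patterns are deliberately narrow to the parameters the advisories name; widen them only after checking the false-positive rate on your own traffic.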
Original documents: stasvolfus_(at), XSS vulnerability Adobe Connect 9.3 (CVE-2015-0343) (14.06.2015)
 ludwig.stage_(at), [SYSS-2015-020] ZENWorks Mobile Management - Cross-Site Scripting (14.06.2015)
 apparitionsec_(at), ZCMS SQL Injection & Persistent XSS (14.06.2015)
 apparitionsec_(at), Nakid-CMS CSRF, Persistent XSS & LFI (14.06.2015)
 Egidio Romano, [KIS-2015-03] Concrete5 <= 5.7.4 (Access.php) SQL Injection Vulnerability (14.06.2015)
 Egidio Romano, [KIS-2015-02] Concrete5 <= Multiple Reflected Cross-Site Scripting Vulnerabilities (14.06.2015)
 Egidio Romano, [KIS-2015-01] Concrete5 <= (sendmail) Remote Code Execution Vulnerability (14.06.2015)
 apparitionsec_(at), Symphony CMS XSS Vulnerability [Corrected Post] (14.06.2015)
 apparitionsec_(at), SilverStripe CMS Unvalidated Redirect & XSS vulnerabilities (14.06.2015)
 ELASTIC, Kibana vulnerability CVE-2015-4093 (14.06.2015)
 High-Tech Bridge Security Research, Arbitrary File Disclosure and Open Redirect in Bonita BPM (14.06.2015)
 High-Tech Bridge Security Research, Multiple Vulnerabilities in ISPConfig (14.06.2015)
 larry0_(at), Remote file upload vulnerability in aviary-image-editor-add-on-for-gravity-forms v3.0beta Wordpress plugin (14.06.2015)
 larry0_(at), Path Traversal vulnerability in Wordpress plugin se-html5-album-audio-player v1.1.0 (14.06.2015)

About | Terms of use | Privacy Policy
© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod