Computer Security
Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
updated since 28.01.2013
Published: 28.01.2013
Source:
SecurityVulns ID: 12850
Type: remote
Threat Level: 5/10
Description: PHP inclusions, SQL injections, directory traversals, cross-site scripting, information leaks, etc.
Affected:
 GANGLIA : ganglia 3.3
 MOVABLETYPE : MovableType 5.1
 WORDPRESS : SolveMedia 1.1
 IMAGECMS : ImageCMS 4.0
 GPEASY : gpEasy 3.5
 COMBODO : iTop 2.0
 COMBODO : iTop 1.2
 DIGILIBE : DigiLIBE 3.4
CVE:
 CVE-2013-1402 (DigiLIBE 3.4 and possibly other versions sends a redirect but does not exit, which allows remote attackers to obtain sensitive configuration information via a direct request to configuration/general_configuration.html.)
 CVE-2013-1401
 CVE-2013-1400
 CVE-2013-0807 (Cross-site scripting (XSS) vulnerability in the NewSectionPrompt function in include/tool/editing_page.php in gpEasy CMS 3.5.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the section parameter in a new_section action to index.php.)
 CVE-2013-0805 (Multiple cross-site scripting (XSS) vulnerabilities in the search feature in iTop (aka IT Operations Portal) 2.0, 1.2.1, 1.2, and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) text parameter to pages/UI.php or (2) expression parameter to pages/run_query.php. NOTE: some of these details are obtained from third party information.)
 CVE-2013-0209 (lib/MT/Upgrade.pm in mt-upgrade.cgi in Movable Type 4.2x and 4.3x through 4.38 does not require authentication for requests to database-migration functions, which allows remote attackers to conduct eval injection and SQL injection attacks via crafted parameters, as demonstrated by an eval injection attack against the core_drop_meta_for_table function, leading to execution of arbitrary Perl code.)
 CVE-2012-6290 (SQL injection vulnerability in ImageCMS before 4.2 allows remote authenticated administrators to execute arbitrary SQL commands via the q parameter to admin/admin_search/. NOTE: this can be leveraged using CSRF to allow remote unauthenticated attackers to execute arbitrary SQL commands.)
 CVE-2012-3448 (Unspecified vulnerability in Ganglia Web before 3.5.1 allows remote attackers to execute arbitrary PHP code via unknown attack vectors.)
Original documents:
 High-Tech Bridge Security Research, SQL Injection Vulnerability in ImageCMS (28.01.2013)
 High-Tech Bridge Security Research, Cross-Site Scripting (XSS) vulnerability in gpEasy (28.01.2013)
 stephan.rickauer_(at)_csnc.ch, CVE-2013-0805 / CSNC-2013-001 (28.01.2013)
 i_(at)_amroot.com, CVE-2013-1402 - DigiLIBE Management Console - Execution After Redirect (EAR) Vulnerability (28.01.2013)
 illSecResearchGroup_(at)_gmail.com, WordPress SolveMedia 1.1.0 CSRF Vulnerability (28.01.2013)
 Vulnerability Lab, Wordpress Valums Uploader - File Upload Vulnerability (28.01.2013)
 illSecResearchGroup_(at)_gmail.com, Wordpress Developer Formatter CSRF Vulnerability (28.01.2013)
 DEBIAN, [SECURITY] [DSA 2611-1] movabletype-opensource security update (28.01.2013)
 DEBIAN, [SECURITY] [DSA 2610-1] ganglia security update (28.01.2013)
 marcelavbx_(at)_gmail.com, Multiple SQL injection vulnerabilities in Cardoza Wordpress poll plugin (27.01.2013)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod