155 matches found
CVE-2017-0897
ExpressionEngine <= 2.x (prior to 2.11.8) and
CVE-2017-0897
ExpressionEngine version 2.x < 2.11.8 and version 3.x < 3.5.5 create an object signing token with weak entropy. Successfully guessing the token can lead to remote code execution...
ExpressionEngine: Remote Code Execution in the Import Channel function
Hello, Administrators are allowed to import channels by visiting http://HOST/PATHTOEE/admin.php?/cp/channels/sets and uploading .zip archives that contain the information about the channels to be imported. The archives are then extracted into temporary directories, which are kept in the...
ExpressionEngine: Open redirects protection bypass
Hello, When a redirect is to be issued on an ExpressionEngine instance, a request to the following URL is made: http://HOST/PATHTOEE/index.php?URL=TARGETURL Where TARGETURL is replaced with the actual URL we desire to redirect to. The script PATHTOEEDIR/system/ee/legacy/libraries/Redirect.php is t...
ExpressionEngine: Type Juggling -> PHP Object Injection -> SQL Injection Chain
Justin Kennedy identified a Type Juggling vulnerability in ExpressionEngine that allowed access to unserialize using user supplied data, ultimately achieving SQL Injection. The full details of this vulnerability can be found here:...
ExpressionEngine: Reflective XSS
URL http://blackdoorsec.net/sandbox/express/admin.php?/cp/members/bans&search=&sortcol=me%22%3E%3Cimg%20src=x%20onerror=promptdocument.domain%3Emberid&sortdir=desc URL Parameters /cp/members/bans search= sortcol=me%22%3E%3Cimg%20src=x%20onerror=promptdocument.domain%3Emberid sortdir=desc The...
ExpressionEngine: Full path + some back-end code disclosure
Hello, Ironically enough, I just discovered a full path disclosure issue. When an admin edits their personal information, a request like the following gets sent: POST /ee/admin.php?/cp/members/profile/settings&id=1 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0...
CVE-2014-5387
Multiple SQL injection vulnerabilities in EllisLab ExpressionEngine before 2.9.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) column_filter or (2) category[] parameter to system/index.php or the (3) tbl_sort[0][] parameter in the comment module to system/index.php...
Sql injection
Multiple SQL injection vulnerabilities in EllisLab ExpressionEngine before 2.9.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) column_filter or (2) category[] parameter to system/index.php or the (3) tbl_sort[0][] parameter in the comment module to system/index.php...
CVE-2014-5387
EllisLab ExpressionEngine Core is affected by multiple SQL injection vulnerabilities in versions prior to 2.9.1. An authenticated attacker can abuse vulnerable parameters (column_filter, category[] in system/index.php; tbl_sort[0][] in the comment module’s system/index.php) to execute arbitrary S...
EllisLab ExpressionEngine Core SQL Injection
Vulnerability title: Multiple Authenticated SQL Injections in EllisLab ExpressionEngine Core CVE: CVE-2014-5387 Vendor: EllisLab Product: ExpressionEngine Core Affected version: Versions earlier than 2.9.0 Fixed version: 2.9.1 Reported by: Jerzy Kramarz and Alex Murillo Moya Details: SQL injectio...
ExpressionEngine: Cross Site Scripting (Stored)
Occurred in the URL : https://store.ellislab.com/billing After adding a product to the cart proceed to add the billing and card information and in the card fields give your card details respectively and in the fields 1. First name 2. Last name 3. Street Address 4. Apt/Suite/ 5. City. Give the...
ExpressionEngine 1.2.1 HTTP Response Splitting and Cross Site Scripting Vulnerabilities
No description provided by source. source: http://www.securityfocus.com/bid/27128/info ExpressionEngine is prone to an HTTP-response-splitting vulnerability and a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to...
ExpressionEngine 1.6 Avtaar Name HTML Injection Vulnerability
No description provided by source. source: http://www.securityfocus.com/bid/34193/info ExpressionEngine is prone to an HTML-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in dynamically generated content. Attacker-supplied HTML and...
PMachine ExpressionEngine 1.4.1 HTTP Referrer HTML Injection Vulnerability
No description provided by source. source: http://www.securityfocus.com/bid/16377/info ExpressionEngine is prone to an HTML-injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input to HTTP 'Referer' header before using it in dynamically...
ExpressionEngine 2.6 Persistent XSS
Hi, I'd like to disclose a vulnerability I found in ExpressionEngine 2.6 and below. The issue is when you submit a new entry through Admin - Content - Publish and you are using the RTE, if you enter HTML into that editor, the next page will execute the HTML, which it shouldn’t. The RTE should...
XSS vulnerability in swfupload in ExpressionEngine
Hello 3APA3A! Here is information about Cross-Site Scripting vulnerability in swfupload in ExpressionEngine. After publication of my advisory XSS vulnerability in web applications with swfupload: AionWeb, Magento, Liferay Portal, SurgeMail, symfony http://securityvulns.ru/docs28761.html and after...
http-config-backup NSE Script
Checks for backups and swap files of common content management system and web server configuration files. When web server files are edited in place, the text editor can leave backup or swap files in a place where the web server can serve them. The script checks for these files: wp-config.php:...
MVSA-11-013 - EllisLab xss_clean Filter Bypass - ExpressionEngine and CodeIgniter
CVE: CVE-2011-4025 Vendor: EllisLab Products: ExpressionEngine 2.2.2, CodeIgniter 2.0.3 Vulnerabilities: xss_clean filter bypass, leading to Cross-Site Scripting (XSS) Risk: High Attack Vector: From Remote Reference: http://secureappdev.blogspot.com/2011/11/ellislab-xssclean-filter-bypass.html 1...