536 matches found
CVE-2007-0384
Cross-site scripting XSS vulnerability in preview in the reviews section in PostNuke 0.764 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors...
CVE-2007-0385
The faq section in PostNuke 0.764 allows remote attackers to obtain sensitive information the full path via "unvalidated output" in FAQ/index.php, possibly involving an undefined idcat variable...
CVE-2007-0386
Technical details for CVE-2007-0386 are not provided in the supplied documents; the records only state an unspecified vulnerability in PostNuke 0.764 with unknown impact. Monitor for updates.
CVE-2007-0385
The CVE-2007-0385 entry affects PostNuke 0.764. Affected component: FAQ/index.php where unvalidated output may disclose the server’s full path, potentially involving an undefined id_cat variable. This is a remote information-disclosure issue in the FAQ section. The connected sources confirm the v...
CVE-2007-0386
Unspecified vulnerability in the rating section in PostNuke 0.764 has unknown impact and attack vectors, related to "an interesting bug."...
PostNuke Admin.PHP SQL注入漏洞
PostNuke是一款基于PHP的内容管理程序。 PostNuke不正确过滤用户提交的URI数据,远程攻击者可以利用漏洞进行sql注入攻击获得敏感信息。 问题是由于'admin.PHP'脚本对用户提交的web参数缺少过滤,提交恶意sql查询作为参数数据,可更改原来的sql逻辑,获得敏感信息,或可能操作数据库。 PostNuke PostNuke CMS 0.76 http://www.postnuke.com/...
PostNuke多个远程输入验证漏洞 Exploit
No description provided by source. --- 跨站脚本 --- http://HOST/DIR/modules/Xanthia/pnhtml/demo.php?skin=%3C/script%3E%3Cscript%3Ealertdocument.cookie%3C/script%3E http://HOST/DIR/modules/Xanthia/pnhtml/demo.php?paletteid=%3C/script%3E%3Cscript%3Ealertdocument.cookie%3C/script%3E 如果可以看到php错误并注册global...
PostNukeSQL注入和跨站脚本漏洞(CSS/XSS) Exploit
No description provided by source. /modules/Messages/readpmsg.php ======================= $sql = "SELECT $columnmsgid AS "msgid", $columnmsgimage AS "msgimage", $columnsubject AS "subject", $columnfromuserid AS "fromuserid", $columntouserid AS "touserid", $columnmsgtime AS "msgtime",...
PostNuke多个远程输入验证漏洞
PostNuke是一款开放源码、开放开发的内容管理系统(CMS)。PostNuke中存在多个输入验证漏洞,起因是应用程序没能正确的过滤用户提供的输入。SQL注入漏洞可能允许远程攻击者向数据库查询提供恶意输入,导致修改查询逻辑或其他攻击。成功的攻击可能导致入侵应用程序,泄漏或修复数据,或允许攻击者利用基础数据库实现中的漏洞。 PostNuke还受多个跨站脚本漏洞的影响。攻击者可能利用这些漏洞在没有戒备用户的浏览器中执行任意脚本代码,导致窃取基于cookie的认证凭据或其他攻击。 Phoenix 0.750-0.760-RC3...
PostNukeSQL注入和跨站脚本漏洞(CSS/XSS)
PostNuke是开放源码,开放开发的内容管理系统(CMS)。PostNuke中存在SQL注入和跨站脚本漏洞,影响Messages模块,可能允许攻击者修改SQL请求的逻辑,在用户浏览器上执行任意HTML和脚本代码。PostNuke的readmsg.php脚本没有充分过滤start参数值,攻击者可以提交恶意SQL命令作为此参数数据,导致更改原来的SQL逻辑,可造成数据库更改或信息泄露。 0.750-0.76 RC4a 厂商补丁: PostNuke -------- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:...
CVE-2006-6267
PostNuke 0.7.5.0, and certain minor versions, allows remote attackers to obtain sensitive information via a non-numeric value of the stop parameter, which reveals the path in an error message...
CVE-2006-6267
PostNuke 0.7.5.0, and certain minor versions, allows remote attackers to obtain sensitive information via a non-numeric value of the stop parameter, which reveals the path in an error message...
CVE-2006-6267
PostNuke 0.7.5.0, and certain minor versions, allows remote attackers to obtain sensitive information via a non-numeric value of the stop parameter, which reveals the path in an error message...
CVE-2006-6267
The CVE-2006-6267 issue affects PostNuke 0.7.5.0 and some minor versions. The vulnerability allows remote attackers to obtain sensitive information by supplying a non-numeric value for the stop parameter, which causes an error message that reveals the path, enabling information disclosure. The av...
CVE-2006-6233
SQL injection vulnerability in the Downloads module for unknown versions of PostNuke allows remote attackers to execute arbitrary SQL commands via the lid parameter in a viewdownloaddetails operation. NOTE: this issue might have been in the viewdownloaddetails function in dl-downloaddetails.php,...
CVE-2006-6233
SQL injection vulnerability in the Downloads module for unknown versions of PostNuke allows remote attackers to execute arbitrary SQL commands via the lid parameter in a viewdownloaddetails operation. NOTE: this issue might have been in the viewdownloaddetails function in dl-downloaddetails.php,...
CVE-2006-6233
The CVE refers to an SQL injection in the Downloads module of PostNuke (unknown versions). The vulnerability is triggered by the lid parameter in a viewdownloaddetails operation, potentially arising from the viewdownloaddetails function in dl-downloaddetails.php. Impact is partial confidentiality...
CVE-2006-6233
SQL injection vulnerability in the Downloads module for unknown versions of PostNuke allows remote attackers to execute arbitrary SQL commands via the lid parameter in a viewdownloaddetails operation. NOTE: this issue might have been in the viewdownloaddetails function in dl-downloaddetails.php,...
PostNuke Error.PHP本地文件包含漏洞
PostNuke一款流行的内容管理程序。 PostNuke不正确处理用户提交的url数据,远程攻击者可以利用漏洞以web权限查看系统文件内容。 问题存在于error.php脚本中,由于对PNSVlang会话变量缺少过滤,可导致包含和以web权限查看本地文件,导致敏感信息泄露。 PostNuke PostNuke CMS 0.763 PostNuke PostNuke CMS 0.762 升级到PostNuke 0.764 版本: http://www.postnuke.com/...
Vulnerability in PostNuke
Error PostNuke in the variable stop which can be exploited by malicious people to disclose system information. Luckily the vulnerability affects to the 0.7.5.0 version and minors. POC: http://www.web-with-PostNuke.com/user.php?stop=a no numeric value Example:...