475 matches found
CVE-2007-6487
Affected product: Plain Black WebGUI 7.4.0–7.4.17. Vulnerability arises in the admin account creation logic that allows remote authenticated users with Secondary Admin privileges to create Admin accounts (privilege escalation). No exploitation details are provided in the documents. Remediation: u...
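WebGUI Secondary Admin Security Bypass Vulnerability
WebGUI is an open-source website management system. WebGUI does not correctly validate user privileges, so an unprivileged attacker who holds valid user account information can exploit the vulnerability to create an administrator account and escalate privileges. The problem is that a Secondary Admin can create users with administrator privileges, which can lead to privilege escalation. WebGUI WebGUI 7.4.17 WebGUI WebGUI 7.4.16 WebGUI WebGUI 7.4.15 WebGUI WebGUI 7.4.14 WebGUI WebGUI 7.4.13 WebGUI WebGUI 7.4.12 WebGUI WebGUI 7.4.11 WebGUI WebGUI 7.4.10 WebGUI...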
WebGUI < 7.4.18 Secondary Admin Remote Privilege Escalation
WebGUI < 7.3.14 viewList() Function Authentication Bypass
CVE-2007-2746
The viewList function in lib/WebGUI/Asset/Wobject/DataForm.pm in Plain Black WebGUI before 7.3.14 does not properly use data structures containing privilege information, which allows remote authenticated users to obtain sensitive information or possibly have other unspecified impact...
Design/Logic Flaw
The viewList function in lib/WebGUI/Asset/Wobject/DataForm.pm in Plain Black WebGUI before 7.3.14 does not properly use data structures containing privilege information, which allows remote authenticated users to obtain sensitive information or possibly have other unspecified impact...
CVE-2007-2746
The CVE-2007-2746 entry concerns Plain Black WebGUI: the viewList function in lib/WebGUI/Asset/Wobject/DataForm.pm for versions before 7.3.14 improperly uses data structures containing privilege information, enabling remote authenticated users to obtain sensitive data or potentially cause other u...
CVE-2007-2746
The viewList function in lib/WebGUI/Asset/Wobject/DataForm.pm in Plain Black WebGUI before 7.3.14 does not properly use data structures containing privilege information, which allows remote authenticated users to obtain sensitive information or possibly have other unspecified impact...
CVE-2007-0629
The www_purgeList method in Plain Black WebGUI before 7.3.8 does not properly check user permissions, which allows attackers to delete unauthorized assets. NOTE: some of these details are obtained from third party information...
Information disclosure
The www_purgeList method in Plain Black WebGUI before 7.3.8 does not properly check user permissions, which allows attackers to delete unauthorized assets. NOTE: some of these details are obtained from third party information...
CVE-2007-0629
The www_purgeList method in Plain Black WebGUI before 7.3.8 does not properly check user permissions, which allows attackers to delete unauthorized assets. NOTE: some of these details are obtained from third party information...
CVE-2007-0629
CVE-2007-0629 affects Plain Black WebGUI prior to version 7.3.8, where the www_purgeList method fails to properly enforce user permissions, enabling an attacker to delete assets they should not be able to access. The vulnerability is documented in multiple sources (NVD/NVD-derived entries) and is...
WebGUI < 7.3.8 www_purgeList Method Asset Deletion
[SA23754] WebGUI User Name Script Insertion Vulnerability
TITLE: WebGUI User Name Script Insertion Vulnerability SECUNIA ADVISORY ID: SA23754 VERIFY ADVISORY: http://secunia.com/advisories/23754/ CRITICAL: Moderately critical IMPACT: Cross Site Scripting WHERE: From remote SOFTWARE: WebGUI 7.x http://secunia.com/product/13252/ DESCRIPTION: A vulnerabili...
CVE-2007-0407
Cross-site scripting (XSS) vulnerability in Operation/User.pm in Plain Black WebGUI before 7.3.5 beta allows remote attackers to inject arbitrary web script or HTML via the username parameter during anonymous registration, a different vector than CVE-2007-0308. NOTE: it is possible that a separate...
Cross site scripting
Cross-site scripting (XSS) vulnerability in Operation/User.pm in Plain Black WebGUI before 7.3.5 beta allows remote attackers to inject arbitrary web script or HTML via the username parameter during anonymous registration, a different vector than CVE-2007-0308. NOTE: it is possible that a separate...
CVE-2007-0407
Cross-site scripting (XSS) vulnerability in Operation/User.pm in Plain Black WebGUI before 7.3.5 beta allows remote attackers to inject arbitrary web script or HTML via the username parameter during anonymous registration, a different vector than CVE-2007-0308. NOTE: it is possible that a separate...
CVE-2007-0407
CVE-2007-0407 describes a cross-site scripting (XSS) vulnerability in Plain Black WebGUI, specifically in Operation/User.pm for versions before 7.3.5 (beta). The issue arises from accepting a username during anonymous registration, allowing an attacker to inject arbitrary web script or HTML. The ...
Cross site scripting
Cross-site scripting (XSS) vulnerability in Plain Black WebGUI before 7.3.4 beta allows remote attackers to inject arbitrary web script or HTML via Wiki Page titles...
CVE-2007-0308
Cross-site scripting (XSS) vulnerability in Plain Black WebGUI before 7.3.4 beta allows remote attackers to inject arbitrary web script or HTML via Wiki Page titles...