
270 matches found

RedhatCVE
added 2025/05/22 3:19 p.m. · 7 views

CVE-2020-22840

Open redirect vulnerability in b2evolution CMS versions prior to 6.11.6 allows an attacker to perform malicious open redirects to an attacker-controlled resource via the redirect_to parameter in email_passthrough.php...

CVSS 6.1 · AI score 6.7 · EPSS 0.42697
Exploits: 3
RedhatCVE
added 2025/05/22 10:59 a.m. · 7 views

CVE-2017-1000423

b2evolution versions 6.6.0 - 6.8.10 are vulnerable to an input validation flaw (backslash and single quote escaping) in the basic install functionality, resulting in an unauthenticated attacker gaining PHP code execution on the victim's setup...

CVSS 9.8 · AI score 7.5 · EPSS 0.01702
Exploits: 2 · References: 1
RedhatCVE
added 2025/05/22 9:59 a.m. · 6 views

CVE-2011-3709

b2evolution 3.3.3 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by locales/ru_RU/ru-RU.locale.php and certain other files...

CVSS 5 · AI score 6.5 · EPSS 0.00283
Exploits: 1 · References: 1
RedhatCVE
added 2025/05/22 6:24 a.m. · 7 views

CVE-2016-8901

b2evolution 6.7.6 suffers from an Object Injection vulnerability in /htsrv/call_plugin.php...

CVSS 9.8 · AI score 7.3 · EPSS 0.0059
Exploits: 1 · References: 1
RedhatCVE
added 2025/05/22 4:07 a.m. · 6 views

CVE-2013-7352

Cross-site request forgery (CSRF) vulnerability in blogs/admin.php in b2evolution before 4.1.7 allows remote attackers to hijack the authentication of administrators for requests that conduct SQL injection attacks via the show_statuses parameter, related to CVE-2013-2945...

CVSS 6.8 · AI score 8.3 · EPSS 0.00774
Exploits: 6 · References: 1
NVD
added 2023/01/03 9:15 p.m. · 16 views

CVE-2022-44036

In b2evolution 7.2.5, if configured with admins_can_manipulate_sensitive_files, arbitrary file upload is allowed for admins, leading to command execution. NOTE: the vendor's position is that this is "very obviously a feature not an issue and if you don't like that feature it is very obvious how to...

CVSS 7.2 · AI score 7.3 · EPSS 0.0091
Exploits: 1 · References: 1
OSV
added 2023/01/03 9:15 p.m. · 4 views

CVE-2022-44036

In b2evolution 7.2.5, if configured with admins_can_manipulate_sensitive_files, arbitrary file upload is allowed for admins, leading to command execution. NOTE: the vendor's position is that this is "very obviously a feature not an issue and if you don't like that feature it is very obvious how to...

CVSS 7.2 · AI score 7.2
Exploits: 0 · References: 1
Prion
added 2023/01/03 9:15 p.m. · 14 views

Design/Logic Flaw

DISPUTED: In b2evolution 7.2.5, if configured with admins_can_manipulate_sensitive_files, arbitrary file upload is allowed for admins, leading to command execution. NOTE: the vendor's position is that this is "very obviously a feature not an issue and if you don't like that feature it is very obvious...

CVSS 5.8 · AI score 7.2 · EPSS 0.0091
Exploits: 1 · References: 1 · Affected Software: 1
Cvelist
added 2023/01/03 12:00 a.m. · 16 views

CVE-2022-44036

In b2evolution 7.2.5, if configured with admins_can_manipulate_sensitive_files, arbitrary file upload is allowed for admins, leading to command execution. NOTE: the vendor's position is that this is "very obviously a feature not an issue and if you don't like that feature it is very obvious how to...

AI score 7.5 · EPSS 0.0091
Exploits: 1 · References: 1
CNNVD
added 2023/01/03 12:00 a.m. · 1 view

b2evolution code issue vulnerability

b2evolution is a community content management system based on PHP and MySQL. A security vulnerability exists in b2evolution version 7.2.5. An attacker can exploit this vulnerability to upload arbitrary files and execute arbitrary commands...

CVSS 7.2 · AI score 7.4 · EPSS 0.0091
Exploits: 1 · References: 2
Positive Technologies
added 2023/01/03 12:00 a.m. · 4 views

PT-2023-14430 · Unknown · B2Evolution

Name of the Vulnerable Software and Affected Versions: b2evolution version 7.2.5
Description: The issue allows for arbitrary file upload, leading to command execution, when configured with admins can manipulate sensitive files. This is considered a feature by the vendor, but it can be exploited b...

CVSS 7.2 · AI score 7.8 · EPSS 0.0091
Exploits: 1 · References: 7
Vulnrichment
added 2023/01/03 12:00 a.m. · 13 views

CVE-2022-44036

In b2evolution 7.2.5, if configured with admins_can_manipulate_sensitive_files, arbitrary file upload is allowed for admins, leading to command execution. NOTE: the vendor's position is that this is "very obviously a feature not an issue and if you don't like that feature it is very obvious how to...

AI score 7.3 · EPSS 0.0091
Exploits: 1 · References: 1
CVE
added 2023/01/03 12:00 a.m. · 50 views

CVE-2022-44036

CVE-2022-44036 affects b2evolution 7.2.5. When configured with the option "admins_can_manipulate_sensitive_files", admins can upload arbitrary files, which can lead to command execution. The vendor treats this as a feature, and disabling the feature is suggested as a mitigation. No explicit patch...

CVSS 7.2 · AI score 7.2 · EPSS 0.0091
Exploits: 1 · References: 1 · Affected Software: 1
NVD
added 2022/09/28 11:15 a.m. · 13 views

CVE-2022-30935

An authorization bypass in b2evolution allows remote, unauthenticated attackers to predict password reset tokens for any user through the use of a bad randomness function. This allows the attacker to get valid sessions for arbitrary users, and optionally reset their password. Tested and confirmed...

CVSS 9.1 · EPSS 0.01507
Exploits: 0 · References: 3
OSV
added 2022/09/28 11:15 a.m. · 22 views

CVE-2022-30935

An authorization bypass in b2evolution allows remote, unauthenticated attackers to predict password reset tokens for any user through the use of a bad randomness function. This allows the attacker to get valid sessions for arbitrary users, and optionally reset their password. Tested and confirmed...

CVSS 9.1 · AI score 7.3
Exploits: 0 · References: 3
Prion
added 2022/09/28 11:15 a.m. · 15 views

Authorization

An authorization bypass in b2evolution allows remote, unauthenticated attackers to predict password reset tokens for any user through the use of a bad randomness function. This allows the attacker to get valid sessions for arbitrary users, and optionally reset their password. Tested and confirmed...

CVSS 6.4 · AI score 9.4 · EPSS 0.01507
Exploits: 0 · References: 3 · Affected Software: 1
CVE
added 2022/09/28 10:24 a.m. · 66 views

CVE-2022-30935

The CVE-2022-30935 entry describes an authorization bypass in b2evolution caused by a bad randomness function in password-reset tokens. This allows remote, unauthenticated attackers to predict tokens, enabling them to establish valid sessions for arbitrary users and potentially reset passwords. T...

CVSS 9.1 · AI score 9.4 · EPSS 0.01507
Exploits: 0 · References: 3 · Affected Software: 1
Vulnrichment
added 2022/09/28 10:24 a.m. · 5 views

CVE-2022-30935

An authorization bypass in b2evolution allows remote, unauthenticated attackers to predict password reset tokens for any user through the use of a bad randomness function. This allows the attacker to get valid sessions for arbitrary users, and optionally reset their password. Tested and confirmed...

AI score 7.4 · EPSS 0.01507
Exploits: 0 · References: 3
Cvelist
added 2022/09/28 10:24 a.m. · 20 views

CVE-2022-30935

An authorization bypass in b2evolution allows remote, unauthenticated attackers to predict password reset tokens for any user through the use of a bad randomness function. This allows the attacker to get valid sessions for arbitrary users, and optionally reset their password. Tested and confirmed...

AI score 9.7 · EPSS 0.01507
Exploits: 0 · References: 3
CNNVD
added 2022/09/28 12:00 a.m. · 1 view

b2evolution security feature issue vulnerability

b2evolution is a community content management system based on PHP and MySQL. A security feature issue vulnerability exists in b2evolution 7.2.3 and earlier versions, which stems from the ability to predict any user's password reset token through the use of a bad random function, which can be exploited by a...

CVSS 9.1 · AI score 8.2 · EPSS 0.01507
Exploits: 0 · References: 4