4 matches found
CVE-2014-9367
Incomplete blacklist vulnerability in the urlEncode function in lib/TWiki.pm in TWiki 6.0.0 and 6.0.1 allows remote attackers to conduct cross-site scripting XSS attacks via a "'" single quote in the scope parameter to do/view/TWiki/WebSearch...
Cross site scripting
Incomplete blacklist vulnerability in the urlEncode function in lib/TWiki.pm in TWiki 6.0.0 and 6.0.1 allows remote attackers to conduct cross-site scripting XSS attacks via a "'" single quote in the scope parameter to do/view/TWiki/WebSearch...
CVE-2014-7237
lib/TWiki/Sandbox.pm in TWiki 6.0.0 and earlier, when running on Windows, allows remote attackers to bypass intended access restrictions and upload files with restricted names via a null byte %00 in a filename to bin/upload.cgi, as demonstrated using .htaccess to execute arbitrary code...
Twiki Perl 4.x, 5.x, 6.x Upload Bypass / Code Execution Vulnerabilities
The debugenableplugins request parameter in Twiki versions 4.x, 5.x, and 6.0.0 allows arbitrary Perl code execution and suffer from a file upload bypass vulnerability. This is an advisory for TWiki administrators: The debugenableplugins request parameter allows arbitrary Perl code execution...