12 matches found
CVE-2013-7194
CVE-2013-7194 describes multiple XSS vulnerabilities in the eFront 3.6.14 (build 18012) software, specifically in www/administrator.php. The underlying issue allows remote authenticated administrators to inject arbitrary web script or HTML via one of three fields: Last name, Lesson name, or Cours...
CVE-2010-1003
CVE-2010-1003 concerns a local file inclusion vulnerability in eFront up to version 3.5.5, caused by improper sanitization of the langname parameter in the language.php script, enabling directory traversal via .. to include and potentially execute arbitrary local PHP files. Multiple sources (NVD ...
CVE-2009-3660
The CVE-2009-3660 issue affects eFront up to version 3.5.4 in the PHP library libraries/database.php. The root cause is a remote file inclusion (RFI) vulnerability when register_globals is enabled, allowing a remote attacker to execute arbitrary PHP code via a URL supplied in the path parameter. ...
CVE-2012-4269
Summary of CVE-2012-4269: The vulnerability is an unrestricted file upload in eFront 3.6.11. According to the sources, remote authenticated users could execute arbitrary code by uploading a file with an executable extension via an attachment in a message. The CVSS data in the NVD entry indicates...
CVE-2008-7026
CVE-2008-7026 describes an unrestricted file-upload vulnerability in eFront (version 3.5.1 build 2710 and earlier) where an attacker can upload a file with an executable extension as a user avatar via the filesystem3.class.php upload process, and then access it through a direct request to the fil...
CVE-2015-4461
Absolute path traversal in Epignosis/eFront CMS 3.6.15.4 and earlier allows remote access to sensitive information via the other parameter. The affected component is the application’s path handling, enabling exposure of full pathnames. Documents consistently describe the vulnerability as a path trav...
CVE-2015-4462
The CVE-2015-4462 issue affects eFront CMS pre-3.6.15.5 in the file_manager component. It enables absolute path traversal via the "Upload file from url" field in professor.php, allowing remote authenticated users to read arbitrary files on the server. No remediation details are provided in the conn...
CVE-2015-4463
The CVE-2015-4463 entry concerns the file_manager component of eFront CMS prior to version 3.6.15.5. Affected software: eFront CMS. What is vulnerable: the file_manager’s file upload handling can be bypassed by remote authenticated users through a crafted parameter appended to the file URL, enabl...
CVE-2012-4270
CVE-2012-4270 describes a Cross-site scripting (XSS) vulnerability in eFront 3.6.11 where remote authenticated users can inject arbitrary script/HTML via the subject field of a message. The NVD entry lists a low base score (CVSSv2 3.5) with network access and user interaction not required, but au...
CVE-2014-4033
CVE-2014-4033 is an XSS vulnerability in Epignosis eFront 3.6.14.4, identified in libraries/includes/personal/profile.php. It can be triggered via the surname parameter to student.php to inject arbitrary web script/HTML. Red Hat and NVD entries reproduce the same description. Exploitation details...
CVE-2010-1918
CVE-2010-1918 affects eFront (version 3.6.2 and earlier). The vulnerability is an SQL injection in the web application’s ask_chat.php, exploitable via the chatrooms_ID parameter. This allows remote attackers to execute arbitrary SQL commands on the backend. The published metrics assign a C...
CVE-2012-6515
The CVE-2012-6515 entry affects eFront 3.6.10, 3.6.11 build 15059, and earlier. The vulnerability arises in the lesson_info module (index.php) where an invalid courses_ID parameter can cause an error message that reveals the installation path, resulting in partial information disclosure. Multiple...