7 matches found
CVE-2014-4170
CVE-2014-4170 describes an improper access control vulnerability in ArticleFR (Free Reprintables) where the data.php script lacks sufficient restrictions. A remote attacker can issue crafted requests to /data.php and execute arbitrary UPDATE SQL commands, enabling modification or deletion of data...
CVE-2015-1364
CVE-2015-1364 concerns the Free Reprintables ArticleFR CMS 3.0.5. The vulnerability is a SQL injection in the function getProfile (file: system/profile.functions.php) where the vulnerable parameter is username . The query shown is: SELECT ... FROM users WHERE username = '" . $_username . "' which...
CVE-2015-6591
The CVE-2015-6591 entry concerns Free Reprintables ArticleFR 3.0.7 and earlier. It affects the web application path application/templates/amelia/loadjs.php, where the s parameter is used to read files via file_get_contents without proper validation, enabling local arbitrary file read by a non-aut...
CVE-2015-1363
CVE-2015-1363 concerns Free Reprintables ArticleFR CMS 3.0.5. Affected component: search/v/ query parameter q. Underlying issue: cross-site scripting (XSS) allowing remote attackers to inject arbitrary script/HTML. Impact as per sources: script execution in the victim’s browser. Exploitation cont...
CVE-2014-5097
CVE-2014-5097 describes SQL injection in ArticleFR CMS (Free Reprintables) versions 3.0.4 and earlier. The vulnerability arises from insufficient sanitization of the HTTP GET parameter “id” passed to /rate.php when act is either “get” or “set,” allowing remote attackers to execute arbitrary SQL c...
CVE-2015-5530
CVE-2015-5530 affects Free Reprintables ArticleFR 3.0.6. The vulnerability is CSRF that lets an attacker cause an admin account to be created via dashboard/users/create/, effectively hijacking an administrator’s authentication context. The NVD entry lists a base score of 6.8 (Medium) with network...
CVE-2015-5529
Affected software: Free Reprintables ArticleFR 3.0.6. Vulnerable components: dashboard/settings/categories/ (name parameter), dashboard/settings/links/ (title and rel parameters), dashboard/tools/pingservers/ (url parameter). Issue: stored cross-site scripting due to inadequate input sanitization...