17 matches found
CVE-2024-35409
WeBid 1.1.2 is vulnerable to SQL Injection through the admin/tax.php endpoint. The root cause is a SQL query in admin/tax.php that permits unauthorized access to database information, leading to high impact on confidentiality, integrity, and availability (CVSS 3.1 base score 9.8). The connected P...
CVE-2022-41477
WeBid
CVE-2014-5101
CVE-2014-5101 affects WeBid 1.1.1 with multiple XSS vulnerabilities (and LDAP injection per some sources). The issues allow remote attackers to inject arbitrary scripts/HTML via parameters in register.php (TPL_name, TPL_nick, TPL_email, TPL_year, TPL_address, TPL_city, TPL_prov, TPL_zip, TPL_phon...
CVE-2019-11592
CVE-2019-11592 affects WeBid 1.2.2 and is a reflected XSS vulnerability. The issue is triggered via user-supplied input in the id parameter of admin/deletenews.php, admin/editbannersuser.php, admin/editfaqscategory.php, or admin/excludeuser.php, and via the offset parameter in admin/edituser.php....
CVE-2023-47397
CVE-2023-47397 affects WeBid 1.2.2 and earlier, with a code injection vulnerability via admin/categoriestrans.php. The issue is confirmed across multiple feeds (e.g., PT-2023-30442) and is rated CVSS v3.1 9.8 (Critical) with impact to confidentiality, integrity, and availability. Remediation: upg...
CVE-2024-32166
The CVE-2024-32166 issue affects Webid v1.2.1 and is an Insecure Direct Object Reference (IDOR) leading to Broken Access Control. This allows horizontal privilege escalation—attackers can prematurely complete a purchase on a suspended auction. Root cause and exact vulnerable component are describ...
CVE-2010-4873
The CVE-2010-4873 entry concerns WeBid 0.8.5 P1 with a reflected cross-site scripting (XSS) vulnerability in confirm.php, exploitable by supplying a crafted id parameter. The root cause is insufficient input sanitization of user-supplied id, enabling remote attackers to inject arbitrary script/HT...
CVE-2011-3815
WeBid 1.0.0 is affected by an information-disclosure vulnerability: an unauthorized remote user can trigger an error page from certain PHP files (e.g., js/calendar.php) that reveals the installation path. Affects components handling direct PHP requests; underlying cause is improper error handling...
CVE-2018-1000882
CVE-2018-1000882 concerns WeBid up to version 1.2.2, where a directory traversal vulnerability exists in the getthumb.php script, allowing Arbitrary Image File Read. The issue is exploitable via HTTP GET requests and is caused by insufficient validation of file paths in getthumb.php. Multiple con...
CVE-2008-7117
CVE-2008-7117 affects WeBid 0.5.4: eledicss.php lets remote attackers modify arbitrary CSS files (file parameter set to style.css). This could enable cross-site scripting. No further exploit details are provided in the connected documents; no remediation is specified here.
CVE-2008-7118
WeBid auction script 0.5.4 stores sensitive information under the web root with insufficient access control, allowing remote attackers to obtain SQL query logs via a direct request for logs/cron.log. No remediation details are provided in the supplied documents; public exploit references exist bu...
CVE-2014-5114
WeBid <= 1.1.1 is vulnerable to LDAP injection via the (1) js and (2) cat parameters, allowing remote attackers to exploit the issue (CVE-2014-5114). Multiple sources (NVD, Red Hat advisory, CVE listings, and OpenVAS) confirm this vulnerability in WeBid 1.1.1, with a CVSSv2 base score of 7.5 (...
CVE-2018-1000868
WeBid up to version 1.2.2 is affected by a Cross-Site Scripting (XSS) vulnerability in user_login.php and register.php. The issue allows execution of JavaScript in a user’s browser when a victim user clicks a malicious link, via injected markup on the affected pages. The vulnerability is fixed af...
CVE-2008-7119
CVE-2008-7119 is a SQL injection vulnerability affecting WeBid auction script 0.5.4, in item.php via the id parameter, allowing remote attackers to execute arbitrary SQL commands. The issue is publicly documented in NVD/NVD-derived records and is corroborated by references to exploit code (e.g., ...
CVE-2020-23359
CVE-2020-23359 affects WeBid 1.2.2 (admin/newuser.php) where password rechecking during registration uses a loose comparison, allowing two non-identical passwords to bypass the identicalness check. The issue is caused by non-strict equality logic in the registration flow, enabling potential bypas...
CVE-2008-7116
The vulnerability CVE-2008-7116 affects WeBid auction script 0.5.4 and is an SQL injection in the admin panel (admin/). The underlying issue is injection via the username parameter, allowing remote attackers to execute arbitrary SQL commands. Affected component: admin panel; impact: arbitrary SQL...
CVE-2018-1000867
Affected software: WeBid (up to current version 1.2.2). Vulnerability: SQL Injection in all five yourauctions*.php scripts, allowing (via HTTP requests) a Blind SQL Injection that can cause database read. Root cause: improper input handling in the listed PHP scripts. Impact: potential data exposu...