Ektron CMS Two SQL Injection

March 30th, 2014

Application: Ektron CMS
Affected Version: versions prior to 9.00.
Vendor’s URL: Ektron CMS
Bug Type: SQL Injection
Risk Level: Critical

Solution:
Upgrade to version 9.00 or later.

Content Management, SQL Injection

WordPress Business Intelligence Lite Plugin Arbitrary File Upload

March 30th, 2014

Application: WordPress
Affected Version: version 1.0.6 and other versions.
Vendor’s URL: Business Intelligence Lite Plugin
Bug Type: File Upload
Risk Level: Critical

Solution:
Update to version 1.1.

Content Management, File Inclusion

Netvolution CMS SQL Injection

March 30th, 2014

Application: Netvolution CMS
Affected Version: version 3 and other versions.
Vendor’s URL: Netvolution CMS
Bug Type: SQL Injection
Risk Level: Critical

Solution:
No official solution is currently available.

Content Management, SQL Injection

Jorjweb “id” SQL Injection

March 30th, 2014

Application: Jorjweb
Affected Version: -
Vendor’s URL: Jorjweb
Bug Type: SQL Injection
Risk Level: Critical

Solution:
No official solution is currently available.

Content Management, SQL Injection

WordPress The Cotton Theme Arbitrary File Upload

March 30th, 2014

Application: WordPress
Affected Version: version 1.1.4 and other versions.
Vendor’s URL: The Cotton Theme
Bug Type: File Upload
Risk Level: Critical

Solution:
No official solution is currently available.

Content Management, File Inclusion

Joomla! AJAX Shoutbox Component “jal_lastID” SQL Injection

March 30th, 2014

Application: Joomla!
Affected Version: version 1.6 and prior versions.
Vendor’s URL: AJAX Shoutbox Component
Bug Type: SQL Injection
Risk Level: Critical

Solution:
Update to version 1.7.

Content Management, SQL Injection

LuxCal Web Calendar Cross-Site Request Forgery and SQL Injection

March 30th, 2014

Application: LuxCal Web Calendar
Affected Version: version 3.2.2 and other versions.
Vendor’s URL: LuxCal Web Calendar
Bug Type: Cross-Site Request Forgery and SQL Injection
Risk Level: Critical

Solution:
No official solution is currently available.

Content Management, Cross Site Scripting, SQL Injection

WordPress WP SlimStat Plugin URL Script Insertion

March 30th, 2014

Application: WordPress
Affected Version: version 3.5.5 and prior versions.
Vendor’s URL: WP SlimStat Plugin
Bug Type: Script Insertion
Risk Level: Critical

Solution:
Update to version 3.5.6.

Content Management, Cross Site Scripting

WordPress Relevanssi Plugin “category_name” SQL Injection

March 30th, 2014

Application: WordPress
Affected Version: versions prior to 3.3.
Vendor’s URL: Relevanssi Plugin
Bug Type: SQL Injection
Risk Level: Critical

Solution:
Update to version 3.3 or later.

Content Management, SQL Injection

Ganesha Digital Library Cross-Site Scripting and SQL Injection

March 30th, 2014

Application: Ganesha Digital Library
Affected Version: version 4.2 and other versions.
Vendor’s URL: Ganesha Digital Library
Bug Type: Cross-Site Scripting and SQL Injection
Risk Level: Critical

Solution:
No official solution is currently available.

Cross Site Scripting, SQL Injection

Cory Support “q” SQL Injection

March 30th, 2014

Application: Cory Support
Affected Version: version 1.0 and other versions.
Vendor’s URL: Cory Support
Bug Type: SQL Injection
Risk Level: Critical

Solution:
No official solution is currently available.

Customer Relationship, SQL Injection

Joomla! ODude Dir Component Unspecified Vulnerabilities

March 30th, 2014

Application: Joomla!
Affected Version: versions prior to 1.1.
Vendor’s URL: ODude Dir Component
Bug Type: Unknown
Risk Level: Critical

Solution:
Update to version 1.1.

Content Management

CosmoShop ePRO Security Bypass

March 30th, 2014

Application: CosmoShop
Affected Version: version 10.17.00 and other versions.
Vendor’s URL: CosmoShop ePRO
Bug Type: Security Bypass
Risk Level: Critical

Solution:
No official solution is currently available.

Access Bypass, E-Commerce

Joomla! Multiple Vulnerabilities

February 28th, 2014

Application: Joomla!
Affected Version: versions 2.5.18, 3.2.1 and 3.2.2.
Vendor’s URL: Joomla!
Bug Type: Security Bypass, Cross Site Scripting, SQL Injection
Risk Level: Critical

Solution:
Update to version 2.5.19 or 3.2.3.

Access Bypass, Content Management, Cross Site Scripting, SQL Injection

WordPress Search Everything Plugin SQL Injection

February 28th, 2014

Application: WordPress
Affected Version: version 7.0.2 and prior versions.
Vendor’s URL: Search Everything Plugin
Bug Type: SQL Injection
Risk Level: Critical

Solution:
Update to version 7.0.3 or later.

Content Management, SQL Injection

Drupal Slickgrid Module Security Bypass

February 28th, 2014

Application: Drupal
Affected Version: 7.x-1.x versions prior to 7.x-2.0.
Vendor’s URL: Slickgrid Module
Bug Type: Security Bypass
Risk Level: Critical

Solution:
Update to version 7.x-2.0.

Access Bypass, Content Management

WordPress AdRotate Plugin “track” SQL Injection

February 28th, 2014

Application: WordPress
Affected Version: AdRotate Free version 3.9.4 and reported in AdRotate Pro versions prior to 3.9.6.
Vendor’s URL: AdRotate Plugin
Bug Type: SQL Injection
Risk Level: Critical

Solution:
Update to a fixed version.

Content Management, SQL Injection

WordPress BuddyPress Plugin Script Insertion and Security Bypass

February 28th, 2014

Application: WordPress
Affected Version: version 1.9.1 and prior versions.
Vendor’s URL: BuddyPress Plugin
Bug Type: Script Insertion and Security Bypass
Risk Level: Critical

Solution:
Update to version 1.9.2.

Access Bypass, Content Management, Cross Site Scripting

WordPress Kiddo Theme “uploadify.php” Arbitrary File Upload

February 28th, 2014

Application: WordPress
Affected Version:
Vendor’s URL: Kiddo Theme
Bug Type: File Upload
Risk Level: Critical

Solution:
No official solution is currently available.

Content Management, File Inclusion

Zabbix API User Spoofing and Security Bypass

February 28th, 2014

Application: Zabbix
Affected Version: versions prior to 2.0.11 and 2.2.2.
Vendor’s URL: Zabbix
Bug Type: User Spoofing and Security Bypass
Risk Level: Critical

Solution:
Update to version 2.0.11 or 2.2.2.

Access Bypass