Application: Tiki Wiki CMS/Groupware
Affected Version: versions prior to 6.8 and 9.2.
Vendor’s URL: Tiki Wiki CMS/Groupware
Bug Type: Code Execution
Risk Level: Critical
Solution:
Update to version 6.8 or 9.2.
Content Management, Remote Command Execution
Application: SugarCRM
Affected Version: versions prior to 6.4.0.
Vendor’s URL: SugarCRM
Bug Type: Code Execution
Risk Level:
Solution:
Update to version 6.4.0 or later.
Content Management, Remote Command Execution
Application: Gajim
Affected Version: versions prior to 0.15.
Vendor’s URL: Gajim
Bug Type: SQL and Command Injection
Risk Level: Critical
Solution:
Update to version 0.15.
Remote Command Execution, SQL Injection
Application: OpenCart
Affected Version: version 1.5.2.1 and other versions.
Vendor’s URL: OpenCart
Bug Type: Arbitrary Code Execution
Risk Level: Critical
Solution:
Edit the source code to ensure that input is properly verified. Restrict access to the download folder (e.g. via .htaccess).
E-Commerce, Remote Command Execution
Application: Drupal
Affected Version: Ubercart module versions 6.x-2.x prior to 6.x-2.8 and versions 7.x-3.x prior to 7.x-3.1.
Vendor’s URL: Ubercart Module
Bug Type: Cross Site Scripting and code injection
Risk Level: Critical
Solution:
Update to version 6.x-2.8 or 7.x-3.1.
Content Management, Cross Site Scripting, Remote Command Execution
Application: WordPress
Affected Version: version 1.1 and other versions.
Vendor’s URL: Video Embed & Thumbnail Generator Plugin
Bug Type: Code Execution
Risk Level: Critical
Solution:
Upgrade to version 2.0.
Content Management, Remote Command Execution
Application: Drupal
Affected Version:
* FCKeditor module versions 6.x-2.x prior to 6.x-2.3.
* CKEditor module versions 6.x-1.x prior to 6.x-1.9.
* CKEditor module versions 7.x-1.x prior to 7.x-1.7.
Vendor’s URL: CKEditor / FCKeditor Modules
Bug Type: Cross Site Scripting and Code Execution
Risk Level: Critical
Solution:
Update to a fixed version.
Content Management, Cross Site Scripting, Remote Command Execution
Application: WordPress
Affected Version: version 1.9.26 and other versions.
Vendor’s URL: Yet Another Photoblog Plugin
Bug Type: Command Injection
Risk Level: Critical
Solution:
Update to version 1.10 or later.
Content Management, Remote Command Execution
Application: WordPress
Affected Version: version 2.2.3 and prior versions.
Vendor’s URL: Zingiri Web Shop Plugin
Bug Type: Code Injection
Risk Level: Critical
Solution:
Update to version 2.2.4.
Content Management, Remote Command Execution
Application: zenphoto
Affected Version: version 1.4.1.4 and prior versions.
Vendor’s URL: Ajax File Manager
Bug Type: Code Injection
Risk Level: Critical
Solution:
Update to version 1.4.1.5 or later.
Image Galleries, Remote Command Execution
Application: Joomla!
Affected Version:
* Add to Menu, versions prior to 1.8.1.
* AdminBar Docker, versions prior to 1.6.1.
* Advanced Module Manager, versions prior to 2.2.3.
* Articles Anywhere, versions prior to 1.13.1.
* Better Preview, versions prior to 1.10.1.
* Cache Cleaner, versions prior to 1.11.1.
* CDN, versions prior to 1.6.1.
* Content Templater, versions prior to 1.14.1.
* CustoMenu, versions prior to 2.8.1.
* DB Replacer, versions prior to 1.3.2.
* Modalizer, versions prior to 3.6.1.
* Modules Anywhere, versions prior to 1.13.1.
* NoNumber! Extension Manager, versions prior to 2.6.2.
* ReReplacer, versions prior to 2.17.2.
* Slider, versions prior to 1.7.1.
* Snippets, versions prior to 1.2.1.
* Sourcerer, versions prior to 2.11.1.
* Tabber, versions prior to 1.7.1.
* Timed Styles, versions prior to 1.4.1.
* Tooltips, versions prior to 1.1.1.
* What? Nothing!, versions prior to 6.2.1.
Vendor’s URL: Multiple NoNumber Extensions
Bug Type: File Inclusion and Code Execution
Risk Level: Critical
Solution:
Update to the respective latest version.
Content Management, File Inclusion, Remote Command Execution
Application: ImpressPages CMS
Affected Version: version 1.0.12 and prior versions.
Vendor’s URL: ImpressPages CMS
Bug Type: Code Execution
Risk Level: Critical
Solution:
Update to version 1.0.13.
Content Management, Remote Command Execution
Application: Joomla!
Affected Version: versions prior to 1.5.
Vendor’s URL: FLEXIcontent Component
Bug Type: Insecure Permissions and Command Injection
Risk Level:
Solution:
Update to version 1.5.
Content Management, Remote Command Execution
Application: Drupal
Affected Version: versions prior to 6.x-3.4.
Vendor’s URL: Panels Module
Bug Type: Code Execution
Risk Level: Critical
Solution:
Update to version 6.x-3.4.
Content Management, Remote Command Execution
Application: Joomla!
Affected Version: version 1.1 and other versions.
Vendor’s URL: Camp26 VisitorData Module
Bug Type: Command Injection
Risk Level: Critical
Solution:
Edit the source code to ensure that input is properly sanitised.
Content Management, Remote Command Execution
Application: Drupal
Affected Version: versions prior to 5.x-1.1.
Vendor’s URL: Mime Mail Module
Bug Type: Code Execution
Risk Level: Critical
Solution:
Update to version 5.x-1.1.
http://drupal.org/node/752166
Content Management, Remote Command Execution
Application: Drupal
Affected Version: versions prior to 6.x-1.1.
Vendor’s URL: Email Input Filter Module
Bug Type: Code Execution
Risk Level: Critical
Solution:
Update to version 6.x-1.1 or later.
Content Management, Remote Command Execution
Application: Drupal
Affected Version: versions prior to 6.x-1.3 and 5.x-2.6.
Vendor’s URL: Internationalization Module
Bug Type: Code Execution
Risk Level: Critical
Solution:
Internationalization 6.x:
http://drupal.org/node/731590
Internationalization 5.x:
http://drupal.org/node/731586
Content Management, Remote Command Execution
Application: Drupal
Affected Version: versions prior to 6.x-1.6 and 5.x-1.3.
Vendor’s URL: Graphviz Filter Module
Bug Type: Command Execution
Risk Level: Critical
Solution:
If you use Graphviz Filter 6.x-1.x, upgrade to Graphviz Filter 6.x-1.6.
If you use Graphviz Filter 5.x-1.x, upgrade to Graphviz Filter 5.x-1.3.
Content Management, Remote Command Execution
Application: WordPress
Affected Version: version 0.9.8 and other versions.
Vendor’s URL: WP-Syntax Plugin
Bug Type: Code Execution
Risk Level: Critical
Solution:
Remove the “wp-syntax/test” directory.
Content Management, Remote Command Execution