Application: Drupal
Affected Version: versions prior to 6.x-1.6 and 5.x-1.3.
Vendor’s URL: Graphviz Filter Module
Bug Type: Command Execution
Risk Level: Critical
Solution:
If you use Graphviz Filter 6.x-1.x, upgrade to Graphviz Filter 6.x-1.6.
If you use Graphviz Filter 5.x-1.x, upgrade to Graphviz Filter 5.x-1.3.
Content Management, Remote Command Execution
Application: WordPress
Affected Version: version 0.9.8 and other versions.
Vendor’s URL: WP-Syntax Plugin
Bug Type: Code Execution
Risk Level: Critical
Solution:
Remove the “wp-syntax/test” directory.
Content Management, Remote Command Execution
Application: TWiki
Affected Version:
Vendor’s URL: TWiki
Bug Type: Cross Site Scripting and Command Injection
Risk Level: Critical
Solution:
Update to version 4.2.4.
Content Management, Cross Site Scripting, Remote Command Execution
Application: TWiki
Affected Version: versions prior to 4.2.3.
Vendor’s URL: TWiki
Bug Type: Command Execution
Risk Level: Critical
Solution:
Update to version 4.2.3.
Content Management, Remote Command Execution
Application: PunBB
Affected Version: prior to 1.2.19
Vendor’s URL: PunBB
Bug Type: Command Injection and Cross Site Scripting
Risk Level: Critical
Solution:
Update to version 1.2.19.
http://punbb.informer.com/downloads.php
Cross Site Scripting, Discussion Boards, Remote Command Execution
Application: Drupal
Affected Version: prior to 5.x-1.1
Vendor’s URL: Magic Tabs Module
Bug Type: Code Execution
Risk Level: Critical
Solution:
Update to 5.x-1.1.
http://drupal.org/project/magic_tabs
Content Management, Remote Command Execution
Application: 1Book
Affected Version: version 1.0.1 and other versions.
Vendor’s URL: http://1scripts.net/php-scripts/index.php?p=16
Bug Type: Code Execution
Risk Level: Critical
Solution:
Update to version 1.0.2.
Remote Command Execution
Application: ITCms
Affected Version: version 1.9 and other versions.
Vendor’s URL: ITCms
Bug Type: Code Execution
Risk Level: Critical
Solution:
Restrict access to trusted users only.
Content Management, Remote Command Execution
Application: KwsPHP
Affected Version: Version 1.3.456 downloaded before 2008-04-16 and other versions.
Vendor’s URL: KwsPHP
Bug Type: File Inclusion and Code Execution
Risk Level: Critical
Solution:
Update to version 1.3.456 downloaded on or after 2008-04-16 and apply official patch.
File Inclusion, Remote Command Execution
Application: PacerCMS
Affected Version: 0.6.2 and other versions.
Vendor’s URL: http://pacercms.sourceforge.net/
Bug Type: Remote Code Execution
Risk Level: Critical
Solution:
Edit the source code to ensure that input is properly sanitized.
Content Management, Remote Command Execution
Application: Coppermine Photo Gallery
Affected Version: 1.4.14 and other versions.
Vendor’s URL: http://coppermine-gallery.net/
Bug Type: Cross Site Scripting and System Access
Risk Level: Critical
Solution:
Update to version 1.4.15.
Cross Site Scripting, Image Galleries, Remote Command Execution
Application: MyBB
Affected Version: 1.2.10 and prior versions.
Vendor’s URL: http://www.mybboard.net/
Bug Type: System Access, SQL Injection
Risk Level: Critical
Solution:
Update to version 1.2.11.
Discussion Boards, Remote Command Execution, SQL Injection
Application: Drupal Meta Tags Module
Affected Version: 5.x-1.6.
Vendor’s URL: http://drupal.org/project/nodewords
Bug Type: System Access
Risk Level: Critical
Solution:
Update to version 5.x-1.7.
Content Management, Remote Command Execution
Application: Xcms
Affected Version: prior to 1.84.
Vendor’s URL: http://www.xcms.it/
Bug Type: Security Bypass, System Access
Risk Level: Critical
Solution:
Update to version 1.84.
Content Management, File Inclusion, Remote Command Execution
Application: SyndeoCMS
Affected Version: SyndeoCMS 2.x
Vendor’s URL: Application site
Bug Type: Access Bypass
Risk Level: Low
Solution:
Update to version 2.5.01.
Access Bypass, Remote Command Execution
Application: CONTENTCustomizer
Affected Version: CONTENTCustomizer 3.x
Vendor’s URL: Application site
Bug Type: Exposure of sensitive information
Risk Level: Critical
Solution:
Contact the provider for proper action.
Remote Command Execution
Application: Original Photo Gallery
Affected Version: Original Photo Gallery 0.11.2 and prior versions
Vendor’s URL: Application download site
Bug Type: Remote System Access Bypass
Risk Level: Critical
Solution:
Update to version 0.11.3.
Access Bypass, Remote Command Execution
Application: MediaWiki
Affected Version:
MediaWiki 1.11 <= 1.11.0rc1
MediaWiki 1.10 <= 1.10.1
MediaWiki 1.9 <= 1.9.3
MediaWiki 1.8 <= 1.8.4 (if $wgEnableAPI has been switched on)
Vendor’s URL: MediaWiki HomePage
Bug Type: Cross Site Scripting
Risk Level: Medium
Solution:
Update to version 1.11.0, 1.10.2, 1.9.4, or 1.8.5.
Cross Site Scripting, Remote Command Execution
Application: Joomla
Affected Version: Restaurante 1.x
Vendor’s URL: Restaurante DownloadPage
Bug Type: Malicious file upload leading to script exploitation
Risk Level: High
Solution:
Update to latest version.
Remote Command Execution
Application: Joomla
Affected Version: 1.5 beta 2
Vendor’s URL: http://www.joomla.org/
Bug Type: Command Execution
Risk Level: Medium
Solution:
Upgrade immediately to the latest stable version, 1.5 RC, which fixes the issue.
Remote Command Execution