Archive for the ‘Remote Command Execution’ Category

Tiki Wiki CMS/Groupware “unserialize()” PHP Code Execution

October 30th, 2012

Application: Tiki Wiki CMS/Groupware
Affected Version: versions prior to 6.8 and 9.2.
Vendor’s URL: Tiki Wiki CMS/Groupware
Bug Type: Code Execution
Risk Level: Critical

Solution:
Update to version 6.8 or 9.2.

Categories: Content Management, Remote Command Execution

SugarCRM “unserialize()” PHP Code Execution

June 30th, 2012

Application: SugarCRM
Affected Version: versions prior to 6.4.0.
Vendor’s URL: SugarCRM
Bug Type: Code Execution
Risk Level:

Solution:
Update to version 6.4.0 or later.

Categories: Content Management, Remote Command Execution

Gajim SQL and Command Injection Vulnerabilities

April 30th, 2012

Application: Gajim
Affected Version: versions prior to 0.15.
Vendor’s URL: Gajim
Bug Type: SQL and Command Injection
Risk Level: Critical

Solution:
Update to version 0.15.

Categories: Remote Command Execution, SQL Injection

OpenCart Two Vulnerabilities

April 30th, 2012

Application: OpenCart
Affected Version: version 1.5.2.1 and other versions.
Vendor’s URL: OpenCart
Bug Type: Arbitrary Code Execution
Risk Level: Critical

Solution:
Edit the source code to ensure that input is properly verified. Restrict access to the download folder (e.g. via .htaccess).

Categories: E-Commerce, Remote Command Execution

Drupal Ubercart Module Script Insertion and Code Injection Vulnerabilities

April 30th, 2012

Application: Drupal
Affected Version: Ubercart module versions 6.x-2.x prior to 6.x-2.8 and versions 7.x-3.x prior to 7.x-3.1.
Vendor’s URL: Ubercart Module
Bug Type: Cross Site Scripting and Code Injection
Risk Level: Critical

Solution:
Update to version 6.x-2.8 or 7.x-3.1.

Categories: Content Management, Cross Site Scripting, Remote Command Execution

WordPress Video Embed & Thumbnail Generator Plugin Code Execution Vulnerabilities

March 30th, 2012

Application: WordPress
Affected Version: version 1.1 and other versions.
Vendor’s URL: Video Embed & Thumbnail Generator Plugin
Bug Type: Code Execution
Risk Level: Critical

Solution:
Upgrade to version 2.0.

Categories: Content Management, Remote Command Execution

Drupal CKEditor / FCKeditor Modules Cross Site Scripting and Code Execution Vulnerabilities

March 30th, 2012

Application: Drupal
Affected Version:
* FCKeditor module versions 6.x-2.x prior to 6.x-2.3.
* CKEditor module versions 6.x-1.x prior to 6.x-1.9.
* CKEditor module versions 7.x-1.x prior to 7.x-1.7.
Vendor’s URL: CKEditor / FCKeditor Modules
Bug Type: Cross Site Scripting and Code Execution
Risk Level: Critical

Solution:
Update to a fixed version.

Categories: Content Management, Cross Site Scripting, Remote Command Execution

WordPress Yet Another Photoblog Plugin “fltr[]” Command Injection

December 1st, 2011

Application: WordPress
Affected Version: version 1.9.26 and other versions.
Vendor’s URL: Yet Another Photoblog Plugin
Bug Type: Command Injection
Risk Level: Critical

Solution:
Update to version 1.10 or later.

Categories: Content Management, Remote Command Execution

WordPress Zingiri Web Shop Plugin “selectedDoc[]” Code Injection

December 1st, 2011

Application: WordPress
Affected Version: version 2.2.3 and prior versions.
Vendor’s URL: Zingiri Web Shop Plugin
Bug Type: Code Injection
Risk Level: Critical

Solution:
Update to version 2.2.4.

Categories: Content Management, Remote Command Execution

zenphoto Ajax File Manager Code Injection

December 1st, 2011

Application: zenphoto
Affected Version: version 1.4.1.4 and prior versions.
Vendor’s URL: Ajax File Manager
Bug Type: Code Injection
Risk Level: Critical

Solution:
Update to version 1.4.1.5 or later.

Categories: Image Galleries, Remote Command Execution

Joomla! Multiple NoNumber Extensions Local File Inclusion and PHP Code Execution

November 1st, 2011

Application: Joomla!
Affected Version:
* Add to Menu, versions prior to 1.8.1.
* AdminBar Docker, versions prior to 1.6.1.
* Advanced Module Manager, versions prior to 2.2.3.
* Articles Anywhere, versions prior to 1.13.1.
* Better Preview, versions prior to 1.10.1.
* Cache Cleaner, versions prior to 1.11.1.
* CDN, versions prior to 1.6.1.
* Content Templater, versions prior to 1.14.1.
* CustoMenu, versions prior to 2.8.1.
* DB Replacer, versions prior to 1.3.2.
* Modalizer, versions prior to 3.6.1.
* Modules Anywhere, versions prior to 1.13.1.
* NoNumber! Extension Manager, versions prior to 2.6.2.
* ReReplacer, versions prior to 2.17.2.
* Slider, versions prior to 1.7.1.
* Snippets, versions prior to 1.2.1.
* Sourcerer, versions prior to 2.11.1.
* Tabber, versions prior to 1.7.1.
* Timed Styles, versions prior to 1.4.1.
* Tooltips, versions prior to 1.1.1.
* What? Nothing!, versions prior to 6.2.1.
Vendor’s URL: Multiple NoNumber Extensions
Bug Type: File Inclusion and Code Execution
Risk Level: Critical

Solution:
Update to the respective latest version.

Categories: Content Management, File Inclusion, Remote Command Execution

ImpressPages CMS Unspecified Code Execution

September 30th, 2011

Application: ImpressPages CMS
Affected Version: version 1.0.12 and prior versions.
Vendor’s URL: ImpressPages CMS
Bug Type: Code Execution
Risk Level: Critical

Solution:
Update to version 1.0.13.

Categories: Content Management, Remote Command Execution

Joomla! FLEXIcontent Component Insecure Permissions and Command Injection

April 27th, 2011

Application: Joomla!
Affected Version: versions prior to 1.5.
Vendor’s URL: FLEXIcontent Component
Bug Type: Insecure Permissions and Command Injection
Risk Level:

Solution:
Update to version 1.5.

Categories: Content Management, Remote Command Execution

Drupal Panels Module PHP Code Execution

May 26th, 2010

Application: Drupal
Affected Version: versions prior to 6.x-3.4.
Vendor’s URL: Panels Module
Bug Type: Code Execution
Risk Level: Critical

Solution:
Update to version 6.x-3.4.

Categories: Content Management, Remote Command Execution

Joomla Camp26 VisitorData Module Shell Command Injection

May 26th, 2010

Application: Joomla
Affected Version: version 1.1 and other versions.
Vendor’s URL: Camp26 VisitorData Module
Bug Type: Command Injection
Risk Level: Critical

Solution:
Edit the source code to ensure that input is properly sanitised.

Categories: Content Management, Remote Command Execution

Drupal Mime Mail Module Arbitrary Code Execution

March 26th, 2010

Application: Drupal
Affected Version: versions prior to 5.x-1.1.
Vendor’s URL: Mime Mail Module
Bug Type: Code Execution
Risk Level: Critical

Solution:
Update to version 5.x-1.1.
http://drupal.org/node/752166

Categories: Content Management, Remote Command Execution

Drupal Email Input Filter Module PHP Code Execution

March 26th, 2010

Application: Drupal
Affected Version: versions prior to 6.x-1.1.
Vendor’s URL: Email Input Filter Module
Bug Type: Code Execution
Risk Level: Critical

Solution:
Update to version 6.x-1.1 or later.

Categories: Content Management, Remote Command Execution

Drupal Internationalization Module Arbitrary Code Execution

March 26th, 2010

Application: Drupal
Affected Version: versions prior to 6.x-1.3 and 5.x-2.6.
Vendor’s URL: Internationalization Module
Bug Type: Code Execution
Risk Level: Critical

Solution:
Internationalization 6.x: http://drupal.org/node/731590
Internationalization 5.x: http://drupal.org/node/731586

Categories: Content Management, Remote Command Execution

Drupal Graphviz Filter Module Arbitrary Command Execution

February 23rd, 2010

Application: Drupal
Affected Version: versions prior to 6.x-1.6 and 5.x-1.3.
Vendor’s URL: Graphviz Filter Module
Bug Type: Command Execution
Risk Level: Critical

Solution:
If you use Graphviz Filter 6.x-1.x, upgrade to Graphviz Filter 6.x-1.6.
If you use Graphviz Filter 5.x-1.x, upgrade to Graphviz Filter 5.x-1.3.

Categories: Content Management, Remote Command Execution

WordPress WP-Syntax Plugin Code Execution

September 23rd, 2009

Application: WordPress
Affected Version: version 0.9.8 and other versions.
Vendor’s URL: WP-Syntax Plugin
Bug Type: Code Execution
Risk Level: Critical

Solution:
Remove the “wp-syntax/test” directory.

Categories: Content Management, Remote Command Execution