Joomla! Multiple Vulnerabilities

February 28th, 2014

Application: Joomla!
Affected Version: versions 2.5.18, 3.2.1 and 3.2.2
Vendor’s URL: Joomla!
Bug Type: Security Bypass, Cross Site Scripting, SQL Injection
Risk Level: Critical

Solution:
Update to version 2.5.19 or 3.2.3.

Access Bypass, Content Management, Cross Site Scripting, SQL Injection

WordPress Search Everything Plugin SQL Injection

February 28th, 2014

Application: WordPress
Affected Version: version 7.0.2 and prior versions.
Vendor’s URL: Search Everything Plugin
Bug Type: SQL Injection
Risk Level: Critical

Solution:
Update to version 7.0.3 or later.

Content Management, SQL Injection

Drupal Slickgrid Module Security Bypass Security Issue

February 28th, 2014

Application: Drupal
Affected Version: 7.x-1.x versions prior to 7.x-2.0.
Vendor’s URL: Slickgrid Module
Bug Type: Security Bypass
Risk Level: Critical

Solution:
Update to version 7.x-2.0.

Access Bypass, Content Management

WordPress AdRotate Plugin “track” SQL Injection

February 28th, 2014

Application: WordPress
Affected Version: AdRotate Free version 3.9.4; also reported in AdRotate Pro versions prior to 3.9.6.
Vendor’s URL: AdRotate Plugin
Bug Type: SQL Injection
Risk Level: Critical

Solution:
Update to a fixed version.

Content Management, SQL Injection

WordPress BuddyPress Plugin Script Insertion and Security Bypass

February 28th, 2014

Application: WordPress
Affected Version: version 1.9.1 and prior versions.
Vendor’s URL: BuddyPress Plugin
Bug Type: Script Insertion and Security Bypass
Risk Level: Critical

Solution:
Update to version 1.9.2.

Access Bypass, Content Management, Cross Site Scripting

WordPress Kiddo Theme “uploadify.php” Arbitrary File Upload

February 28th, 2014

Application: WordPress
Affected Version:
Vendor’s URL: Kiddo Theme
Bug Type: File Upload
Risk Level: Critical

Solution:
No official solution is currently available.

Content Management, File Inclusion

Zabbix API User Spoofing and Security Bypass

February 28th, 2014

Application: Zabbix
Affected Version: versions prior to 2.0.11 and 2.2.2.
Vendor’s URL: Zabbix
Bug Type: User Spoofing and Security Bypass
Risk Level: Critical

Solution:
Update to version 2.0.11 or 2.2.2.

Access Bypass

Drupal Services Module Security Bypass

February 28th, 2014

Application: Drupal
Affected Version: 7.x-1.x versions prior to 7.x-3.7.
Vendor’s URL: Drupal Services Module
Bug Type: Security Bypass
Risk Level: Critical

Solution:
Update to version 7.x-3.7.

Access Bypass, Content Management

Joomla! PROJOOM Smart Flash Header Component Arbitrary File Upload

February 28th, 2014

Application: Joomla!
Affected Version: versions prior to 3.0.3.
Vendor’s URL: PROJOOM Smart Flash Header Component
Bug Type: File Upload
Risk Level: Critical

Solution:
Update to version 3.0.3.

Content Management, File Inclusion

MyBB “keywords” Cross-Site Scripting

February 28th, 2014

Application: MyBB
Affected Version: version 1.6.12 and other versions.
Vendor’s URL: MyBB
Bug Type: Cross-Site Scripting
Risk Level: Critical

Solution:
No official solution is currently available.

Cross Site Scripting, Discussion Boards

ImpressCMS “image_path” Arbitrary File Deletion

February 28th, 2014

Application: ImpressCMS
Affected Version: versions 1.3.5, 1.3.6 and 1.3.6.1, and other versions.
Vendor’s URL: ImpressCMS
Bug Type: File Deletion
Risk Level: Critical

Solution:
The vendor has released a fix in version 1.3.6; however, the fix is only partially effective. No official solution is currently available.

Access Bypass, Content Management

Joomla! Music Collection Component Unspecified Vulnerability

February 28th, 2014

Application: Joomla!
Affected Version: version 2.4.0 and prior versions.
Vendor’s URL: Music Collection Component
Bug Type:
Risk Level: Critical

Solution:
Update to version 2.4.1.

Content Management

Joomla! JV Comment Component “id” SQL Injection

February 28th, 2014

Application: Joomla!
Affected Version: version 3.0.2 and prior versions.
Vendor’s URL: JV Comment Component
Bug Type: SQL Injection
Risk Level: Critical

Solution:
Update to version 3.0.3.

Content Management, SQL Injection

WordPress WordFence Plugin “User-Agent” Script Insertion

January 29th, 2014

Application: WordPress
Affected Version: version 3.8.6 and prior versions.
Vendor’s URL: WordFence Plugin
Bug Type: Cross Site Scripting
Risk Level: Critical

Solution:
Update to version 3.8.7.

Content Management, Cross Site Scripting

Joomla! Sexy Polling Component “answer_id[]” SQL Injection

January 29th, 2014

Application: Joomla!
Affected Version: version 1.0.8 and prior versions.
Vendor’s URL: Sexy Polling Component
Bug Type: SQL Injection
Risk Level: Critical

Solution:
Update to version 1.0.9.

Content Management, SQL Injection

Drupal Taxonomy Security Bypass and OpenID Account Hijacking

January 29th, 2014

Application: Drupal
Affected Version: 6.x versions prior to 6.30 and 7.x versions prior to 7.26.
Vendor’s URL: Drupal
Bug Type: Security Bypass
Risk Level: Critical

Solution:
Update to a fixed version.

Access Bypass, Content Management

Drupal Anonymous Posting Module Contact Name Script Insertion

January 29th, 2014

Application: Drupal
Affected Version: versions 7.x-1.2 and 7.x-1.3.
Vendor’s URL: Anonymous Posting Module
Bug Type: Cross Site Scripting
Risk Level: Critical

Solution:
Update to version 7.x-1.4.

Content Management, Cross Site Scripting

WordPress Let Them Unsubscribe Plugin Unspecified Vulnerabilities

January 29th, 2014

Application: WordPress
Affected Version: version 1.0.
Vendor’s URL: Let Them Unsubscribe Plugin
Bug Type: -
Risk Level: Critical

Solution:
Update to version 1.1.

Content Management

InstantCMS “orderby” SQL Injection

December 30th, 2013

Application: InstantCMS
Affected Version: version 1.10.3 and prior versions.
Vendor’s URL: InstantCMS
Bug Type: SQL Injection
Risk Level: Critical

Solution:
Apply patch.

Content Management, SQL Injection

WordPress FormCraft Plugin “id” SQL Injection

December 30th, 2013

Application: WordPress
Affected Version: version 1.3 and other versions.
Vendor’s URL: FormCraft Plugin
Bug Type: SQL Injection
Risk Level: Critical

Solution:
No official solution is currently available.

Content Management, SQL Injection