RSS   Podatności dla 'B2evolution'   RSS

2021-04-15
 
CVE-2021-28242

CWE-77
 

 
SQL Injection in the "evoadm.php" component of b2evolution v7.2.2-stable allows remote attackers to obtain sensitive database information by injecting SQL commands into the "cf_name" parameter when creating a new filter under the "Collections" tab.

 
2021-02-09
 
CVE-2020-22841

CWE-79
 

 
Stored XSS in b2evolution CMS version 6.11.6 and prior allows an attacker to perform malicious JavaScript code execution via the plugin name input field in the plugin module.

 
 
CVE-2020-22840

CWE-601
 

 
Open redirect vulnerability in b2evolution CMS version prior to 6.11.6 allows an attacker to perform malicious open redirects to an attacker controlled resource via redirect_to parameter in email_passthrough.php.

 
2019-05-23
 
CVE-2016-8901

CWE-74
 

 
b2evolution 6.7.6 suffer from an Object Injection vulnerability in /htsrv/call_plugin.php.

 
2018-01-02
 
CVE-2017-1000423

CWE-20
 

 
b2evolution version 6.6.0 - 6.8.10 is vulnerable to input validation (backslash and single quote escape) in basic install functionality resulting in unauthenticated attacker gaining PHP code execution on the victim's setup.

 
2017-03-14
 
CVE-2017-6902

 

 
Unrestricted file upload vulnerability in 'file upload' modules in b2evolution 6.8.8 allows authenticated users to upload malicious code (shell) by visiting the admin.php?ctrl=files page, even though the system has restricted the .php extension.

 
2017-01-23
 
CVE-2017-5553

 

 
Cross-site scripting (XSS) vulnerability in plugins/markdown_plugin/_markdown.plugin.php in b2evolution before 6.8.5 allows remote authenticated users to inject arbitrary web script or HTML via a javascript: URL.

 
 
CVE-2017-5539

CWE-22
 

 
The patch for directory traversal (CVE-2017-5480) in b2evolution version 6.8.4-stable has a bypass vulnerability. An attacker can use ..\/ to bypass the filter rule. Then, this attacker can exploit this vulnerability to delete or read any files on the server. It can also be used to determine whether a file exists.

 
2017-01-18
 
CVE-2016-7150

 

 
Cross-site scripting (XSS) vulnerability in b2evolution 6.7.5 and earlier allows remote authenticated users to inject arbitrary web script or HTML via the site name.

 
 
CVE-2016-7149

 

 
Cross-site scripting (XSS) vulnerability in b2evolution 6.7.5 and earlier allows remote attackers to inject arbitrary web script or HTML via vectors related to the autolink function.

 


Copyright 2024, cxsecurity.com

 

Back to Top