B2evolution

B2evolution

24 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
8.1

CVE-2017-5480

  • EPSS 0.32%
  • Veröffentlicht 15.01.2017 22:59:00
  • Zuletzt bearbeitet 20.04.2025 01:37:25

Directory traversal vulnerability in inc/files/files.ctrl.php in b2evolution through 6.8.3 allows remote authenticated users to read or delete arbitrary files by leveraging back-office access to provide a .. (dot dot) in the fm_selected array paramet...

5.4

CVE-2017-5494

  • EPSS 0.22%
  • Veröffentlicht 15.01.2017 22:59:00
  • Zuletzt bearbeitet 20.04.2025 01:37:25

Multiple cross-site scripting (XSS) vulnerabilities in the file types table in b2evolution through 6.8.3 allow remote authenticated users to inject arbitrary web script or HTML via a .swf file in a (1) comment frame or (2) avatar frame.

7.5

CVE-2016-9479

  • EPSS 0.84%
  • Veröffentlicht 02.12.2016 16:59:00
  • Zuletzt bearbeitet 12.04.2025 10:46:40

The "lost password" functionality in b2evolution before 6.7.9 allows remote attackers to reset arbitrary user passwords via a crafted request.

4.3

CVE-2014-9599

Exploit
  • EPSS 0.54%
  • Veröffentlicht 16.01.2015 15:59:00
  • Zuletzt bearbeitet 12.04.2025 10:46:40

Cross-site scripting (XSS) vulnerability in the filemanager in b2evolution before 5.2.1 allows remote attackers to inject arbitrary web script or HTML via the fm_filter parameter to blogs/admin.php.

6.8

CVE-2013-7352

Exploit
  • EPSS 0.28%
  • Veröffentlicht 02.04.2014 18:55:21
  • Zuletzt bearbeitet 12.04.2025 10:46:40

Cross-site request forgery (CSRF) vulnerability in blogs/admin.php in b2evolution before 4.1.7 allows remote attackers to hijack the authentication of administrators for requests that conduct SQL injection attacks via the show_statuses[] parameter, r...

6.5

CVE-2013-2945

Exploit
  • EPSS 1.35%
  • Veröffentlicht 02.04.2014 16:17:06
  • Zuletzt bearbeitet 12.04.2025 10:46:40

SQL injection vulnerability in blogs/admin.php in b2evolution before 4.1.7 allows remote authenticated administrators to execute arbitrary SQL commands via the show_statuses[] parameter. NOTE: this can be leveraged using CSRF to allow remote unauthe...

4.3

CVE-2012-5911

Exploit
  • EPSS 0.48%
  • Veröffentlicht 17.11.2012 21:55:05
  • Zuletzt bearbeitet 11.04.2025 00:51:21

Cross-site scripting (XSS) vulnerability in blogs/blog1.php in b2evolution 4.1.3 allows remote attackers to inject arbitrary web script or HTML via the message body.

6.5

CVE-2012-5910

  • EPSS 0.6%
  • Veröffentlicht 17.11.2012 21:55:05
  • Zuletzt bearbeitet 11.04.2025 00:51:21

SQL injection vulnerability in blogs/htsrv/viewfile.php in b2evolution 4.1.3 allows remote authenticated users to execute arbitrary SQL commands via the root parameter.

5

CVE-2011-3709

Exploit
  • EPSS 0.28%
  • Veröffentlicht 23.09.2011 23:55:02
  • Zuletzt bearbeitet 11.04.2025 00:51:21

b2evolution 3.3.3 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by locales/ru_RU/ru-RU.locale.php and certain other files.

7.5

CVE-2007-2681

  • EPSS 0.38%
  • Veröffentlicht 15.05.2007 00:19:00
  • Zuletzt bearbeitet 09.04.2025 00:30:58

Directory traversal vulnerability in blogs/index.php in b2evolution 1.6 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the core_subdir parameter.