Vulnerabilities > B2Evolution

DATE CVE VULNERABILITY TITLE RISK
2021-04-15 CVE-2021-28242 Command Injection vulnerability in B2Evolution 7.2.2
SQL Injection in the "evoadm.php" component of b2evolution v7.2.2-stable allows remote attackers to obtain sensitive database information by injecting SQL commands into the "cf_name" parameter when creating a new filter under the "Collections" tab.
network
low complexity
b2evolution CWE-77
6.5
2021-02-09 CVE-2020-22839 Cross-Site Scripting vulnerability in B2Evolution CMS 6.11.6
Reflected cross-site scripting vulnerability (XSS) in the evoadm.php file in b2evolution cms version 6.11.6-stable allows remote attackers to inject arbitrary webscript or HTML code via the tab3 parameter.
4.3
2021-02-09 CVE-2020-22841 Cross-Site Scripting vulnerability in B2Evolution
Stored XSS in b2evolution CMS version 6.11.6 and prior allows an attacker to perform malicious JavaScript code execution via the plugin name input field in the plugin module.
3.5
2021-02-09 CVE-2020-22840 Open Redirect vulnerability in B2Evolution
Open redirect vulnerability in b2evolution CMS version prior to 6.11.6 allows an attacker to perform malicious open redirects to an attacker controlled resource via redirect_to parameter in email_passthrough.php.
5.8
2019-05-23 CVE-2016-8901 Injection vulnerability in B2Evolution 6.7.6
b2evolution 6.7.6 suffer from an Object Injection vulnerability in /htsrv/call_plugin.php.
network
low complexity
b2evolution CWE-74
7.5
2018-01-02 CVE-2017-1000423 Improper Input Validation vulnerability in B2Evolution
b2evolution version 6.6.0 - 6.8.10 is vulnerable to input validation (backslash and single quote escape) in basic install functionality resulting in unauthenticated attacker gaining PHP code execution on the victim's setup.
network
low complexity
b2evolution CWE-20
7.5
2017-01-23 CVE-2017-5553 Cross-Site Scripting vulnerability in B2Evolution
Cross-site scripting (XSS) vulnerability in plugins/markdown_plugin/_markdown.plugin.php in b2evolution before 6.8.5 allows remote authenticated users to inject arbitrary web script or HTML via a javascript: URL.
3.5
2017-01-23 CVE-2017-5539 Path Traversal vulnerability in B2Evolution 6.8.4
The patch for directory traversal (CVE-2017-5480) in b2evolution version 6.8.4-stable has a bypass vulnerability.
network
low complexity
b2evolution CWE-22
critical
9.0
2017-01-18 CVE-2016-7150 Cross-Site Scripting vulnerability in B2Evolution
Cross-site scripting (XSS) vulnerability in b2evolution 6.7.5 and earlier allows remote authenticated users to inject arbitrary web script or HTML via the site name.
3.5
2017-01-18 CVE-2016-7149 Cross-Site Scripting vulnerability in B2Evolution
Cross-site scripting (XSS) vulnerability in b2evolution 6.7.5 and earlier allows remote attackers to inject arbitrary web script or HTML via vectors related to the autolink function.
4.3