Vulnerabilities > B2Evolution > B2Evolution

DATE CVE VULNERABILITY TITLE RISK
2017-01-15 CVE-2017-5494 Cross-site Scripting vulnerability in B2Evolution
Multiple cross-site scripting (XSS) vulnerabilities in the file types table in b2evolution through 6.8.3 allow remote authenticated users to inject arbitrary web script or HTML via a .swf file in a (1) comment frame or (2) avatar frame. 		3.5
3.5
2017-01-15 CVE-2017-5480 Path Traversal vulnerability in B2Evolution
Directory traversal vulnerability in inc/files/files.ctrl.php in b2evolution through 6.8.3 allows remote authenticated users to read or delete arbitrary files by leveraging back-office access to provide a ..
network
low complexity
b2evolution CWE-22
5.5
5.5
2016-12-02 CVE-2016-9479 Credentials Management vulnerability in B2Evolution
The "lost password" functionality in b2evolution before 6.7.9 allows remote attackers to reset arbitrary user passwords via a crafted request.
network
low complexity
b2evolution CWE-255
5.0
5.0
2015-01-16 CVE-2014-9599 Cross-site Scripting vulnerability in B2Evolution
Cross-site scripting (XSS) vulnerability in the filemanager in b2evolution before 5.2.1 allows remote attackers to inject arbitrary web script or HTML via the fm_filter parameter to blogs/admin.php. 		4.3
4.3
2014-04-02 CVE-2013-7352 Cross-Site Request Forgery (CSRF) vulnerability in B2Evolution
Cross-site request forgery (CSRF) vulnerability in blogs/admin.php in b2evolution before 4.1.7 allows remote attackers to hijack the authentication of administrators for requests that conduct SQL injection attacks via the show_statuses[] parameter, related to CVE-2013-2945. 		6.8
6.8
2014-04-02 CVE-2013-2945 SQL Injection vulnerability in B2Evolution
SQL injection vulnerability in blogs/admin.php in b2evolution before 4.1.7 allows remote authenticated administrators to execute arbitrary SQL commands via the show_statuses[] parameter.
network
low complexity
b2evolution CWE-89
6.5
6.5
2012-11-17 CVE-2012-5911 Cross-Site Scripting vulnerability in B2Evolution 4.1.3
Cross-site scripting (XSS) vulnerability in blogs/blog1.php in b2evolution 4.1.3 allows remote attackers to inject arbitrary web script or HTML via the message body. 		4.3
4.3
2012-11-17 CVE-2012-5910 SQL Injection vulnerability in B2Evolution 4.1.3
SQL injection vulnerability in blogs/htsrv/viewfile.php in b2evolution 4.1.3 allows remote authenticated users to execute arbitrary SQL commands via the root parameter.
network
low complexity
b2evolution CWE-89
6.5
6.5
2011-09-23 CVE-2011-3709 Information Exposure vulnerability in B2Evolution 3.3.3
b2evolution 3.3.3 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by locales/ru_RU/ru-RU.locale.php and certain other files.
network
low complexity
b2evolution CWE-200
5.0
5.0
2009-05-18 CVE-2009-1657 SQL Injection vulnerability in B2Evolution Starrating Plugin 0.6/0.7/0.7.5
Multiple SQL injection vulnerabilities in the Starrating plugin before 0.7.7 for b2evolution allow remote attackers to execute arbitrary SQL commands via unspecified vectors.
network
low complexity
b2evolution CWE-89
7.5
7.5