Vulnerabilities > B2Evolution > B2Evolution
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2017-01-15 | CVE-2017-5494 | Cross-site Scripting vulnerability in B2Evolution Multiple cross-site scripting (XSS) vulnerabilities in the file types table in b2evolution through 6.8.3 allow remote authenticated users to inject arbitrary web script or HTML via a .swf file in a (1) comment frame or (2) avatar frame. | 3.5 |
2017-01-15 | CVE-2017-5480 | Path Traversal vulnerability in B2Evolution Directory traversal vulnerability in inc/files/files.ctrl.php in b2evolution through 6.8.3 allows remote authenticated users to read or delete arbitrary files by leveraging back-office access to provide a .. | 5.5 |
2016-12-02 | CVE-2016-9479 | Credentials Management vulnerability in B2Evolution The "lost password" functionality in b2evolution before 6.7.9 allows remote attackers to reset arbitrary user passwords via a crafted request. | 5.0 |
2015-01-16 | CVE-2014-9599 | Cross-site Scripting vulnerability in B2Evolution Cross-site scripting (XSS) vulnerability in the filemanager in b2evolution before 5.2.1 allows remote attackers to inject arbitrary web script or HTML via the fm_filter parameter to blogs/admin.php. | 4.3 |
2014-04-02 | CVE-2013-7352 | Cross-Site Request Forgery (CSRF) vulnerability in B2Evolution Cross-site request forgery (CSRF) vulnerability in blogs/admin.php in b2evolution before 4.1.7 allows remote attackers to hijack the authentication of administrators for requests that conduct SQL injection attacks via the show_statuses[] parameter, related to CVE-2013-2945. | 6.8 |
2014-04-02 | CVE-2013-2945 | SQL Injection vulnerability in B2Evolution SQL injection vulnerability in blogs/admin.php in b2evolution before 4.1.7 allows remote authenticated administrators to execute arbitrary SQL commands via the show_statuses[] parameter. | 6.5 |
2012-11-17 | CVE-2012-5911 | Cross-Site Scripting vulnerability in B2Evolution 4.1.3 Cross-site scripting (XSS) vulnerability in blogs/blog1.php in b2evolution 4.1.3 allows remote attackers to inject arbitrary web script or HTML via the message body. | 4.3 |
2012-11-17 | CVE-2012-5910 | SQL Injection vulnerability in B2Evolution 4.1.3 SQL injection vulnerability in blogs/htsrv/viewfile.php in b2evolution 4.1.3 allows remote authenticated users to execute arbitrary SQL commands via the root parameter. | 6.5 |
2011-09-23 | CVE-2011-3709 | Information Exposure vulnerability in B2Evolution 3.3.3 b2evolution 3.3.3 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by locales/ru_RU/ru-RU.locale.php and certain other files. | 5.0 |
2009-05-18 | CVE-2009-1657 | SQL Injection vulnerability in B2Evolution Starrating Plugin 0.6/0.7/0.7.5 Multiple SQL injection vulnerabilities in the Starrating plugin before 0.7.7 for b2evolution allow remote attackers to execute arbitrary SQL commands via unspecified vectors. | 7.5 |