Vulnerabilities > B2Evolution
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2017-01-23 | CVE-2017-5553 | Cross-site Scripting vulnerability in B2Evolution Cross-site scripting (XSS) vulnerability in plugins/markdown_plugin/_markdown.plugin.php in b2evolution before 6.8.5 allows remote authenticated users to inject arbitrary web script or HTML via a javascript: URL. | 3.5 |
2017-01-23 | CVE-2017-5539 | Path Traversal vulnerability in B2Evolution 6.8.4 The patch for directory traversal (CVE-2017-5480) in b2evolution version 6.8.4-stable has a bypass vulnerability. | 9.0 |
2017-01-18 | CVE-2016-7150 | Cross-site Scripting vulnerability in B2Evolution Cross-site scripting (XSS) vulnerability in b2evolution 6.7.5 and earlier allows remote authenticated users to inject arbitrary web script or HTML via the site name. | 3.5 |
2017-01-18 | CVE-2016-7149 | Cross-site Scripting vulnerability in B2Evolution Cross-site scripting (XSS) vulnerability in b2evolution 6.7.5 and earlier allows remote attackers to inject arbitrary web script or HTML via vectors related to the autolink function. | 4.3 |
2017-01-15 | CVE-2017-5494 | Cross-site Scripting vulnerability in B2Evolution Multiple cross-site scripting (XSS) vulnerabilities in the file types table in b2evolution through 6.8.3 allow remote authenticated users to inject arbitrary web script or HTML via a .swf file in a (1) comment frame or (2) avatar frame. | 3.5 |
2017-01-15 | CVE-2017-5480 | Path Traversal vulnerability in B2Evolution Directory traversal vulnerability in inc/files/files.ctrl.php in b2evolution through 6.8.3 allows remote authenticated users to read or delete arbitrary files by leveraging back-office access to provide a .. | 5.5 |
2016-12-02 | CVE-2016-9479 | Credentials Management vulnerability in B2Evolution The "lost password" functionality in b2evolution before 6.7.9 allows remote attackers to reset arbitrary user passwords via a crafted request. | 5.0 |
2015-01-16 | CVE-2014-9599 | Cross-site Scripting vulnerability in B2Evolution Cross-site scripting (XSS) vulnerability in the filemanager in b2evolution before 5.2.1 allows remote attackers to inject arbitrary web script or HTML via the fm_filter parameter to blogs/admin.php. | 4.3 |
2014-04-02 | CVE-2013-7352 | Cross-Site Request Forgery (CSRF) vulnerability in B2Evolution Cross-site request forgery (CSRF) vulnerability in blogs/admin.php in b2evolution before 4.1.7 allows remote attackers to hijack the authentication of administrators for requests that conduct SQL injection attacks via the show_statuses[] parameter, related to CVE-2013-2945. | 6.8 |
2014-04-02 | CVE-2013-2945 | SQL Injection vulnerability in B2Evolution SQL injection vulnerability in blogs/admin.php in b2evolution before 4.1.7 allows remote authenticated administrators to execute arbitrary SQL commands via the show_statuses[] parameter. | 6.5 |