Vulnerabilities > B2Evolution > Medium
| DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK |
|---|---|---|---|---|
| 2021-12-06 | CVE-2021-31631 | Cross-Site Request Forgery (CSRF) vulnerability in B2Evolution CMS 7.2.3 | b2evolution CMS v7.2.3 was discovered to contain a Cross-Site Request Forgery (CSRF) via the User login page. | 6.8 |
| 2021-04-15 | CVE-2021-28242 | SQL Injection vulnerability in B2Evolution 7.2.2 | SQL Injection in the "evoadm.php" component of b2evolution v7.2.2-stable allows remote attackers to obtain sensitive database information by injecting SQL commands into the "cf_name" parameter when creating a new filter under the "Collections" tab. | 6.5 |
| 2021-02-09 | CVE-2020-22839 | Cross-site Scripting vulnerability in B2Evolution CMS 6.11.6 | Reflected cross-site scripting vulnerability (XSS) in the evoadm.php file in b2evolution CMS version 6.11.6-stable allows remote attackers to inject arbitrary web script or HTML code via the tab3 parameter. | 4.3 |
| 2021-02-09 | CVE-2020-22840 | Open Redirect vulnerability in B2Evolution | Open redirect vulnerability in b2evolution CMS versions prior to 6.11.6 allows an attacker to perform malicious open redirects to an attacker-controlled resource via the redirect_to parameter in email_passthrough.php. | 5.8 |
| 2017-01-18 | CVE-2016-7149 | Cross-site Scripting vulnerability in B2Evolution | Cross-site scripting (XSS) vulnerability in b2evolution 6.7.5 and earlier allows remote attackers to inject arbitrary web script or HTML via vectors related to the autolink function. | 4.3 |
| 2017-01-15 | CVE-2017-5480 | Path Traversal vulnerability in B2Evolution | Directory traversal vulnerability in inc/files/files.ctrl.php in b2evolution through 6.8.3 allows remote authenticated users to read or delete arbitrary files by leveraging back-office access to provide a .. | 5.5 |
| 2016-12-02 | CVE-2016-9479 | Credentials Management vulnerability in B2Evolution | The "lost password" functionality in b2evolution before 6.7.9 allows remote attackers to reset arbitrary user passwords via a crafted request. | 5.0 |
| 2015-01-16 | CVE-2014-9599 | Cross-site Scripting vulnerability in B2Evolution | Cross-site scripting (XSS) vulnerability in the filemanager in b2evolution before 5.2.1 allows remote attackers to inject arbitrary web script or HTML via the fm_filter parameter to blogs/admin.php. | 4.3 |
| 2014-04-02 | CVE-2013-7352 | Cross-Site Request Forgery (CSRF) vulnerability in B2Evolution | Cross-site request forgery (CSRF) vulnerability in blogs/admin.php in b2evolution before 4.1.7 allows remote attackers to hijack the authentication of administrators for requests that conduct SQL injection attacks via the show_statuses[] parameter, related to CVE-2013-2945. | 6.8 |
| 2014-04-02 | CVE-2013-2945 | SQL Injection vulnerability in B2Evolution | SQL injection vulnerability in blogs/admin.php in b2evolution before 4.1.7 allows remote authenticated administrators to execute arbitrary SQL commands via the show_statuses[] parameter. | 6.5 |