DATE CVE VULNERABILITY TITLE RISK
2009-06-08 CVE-2009-2009 Cross-Site Scripting vulnerability in Dokeos 1.8.5
Multiple cross-site scripting (XSS) vulnerabilities in Dokeos 1.8.5, and possibly earlier, allow remote attackers to inject arbitrary web script or HTML via the (1) curdirpath parameter to main/document/slideshow.php and the (2) file parameter to main/exercice/testheaderpage.php.
network
dokeos CWE-79
4.3
2009-06-08 CVE-2009-2008 SQL Injection vulnerability in Dokeos 1.8.5
Multiple SQL injection vulnerabilities in Dokeos 1.8.5, and possibly earlier, allow remote attackers to execute arbitrary SQL commands via the (1) uInfo parameter to main/tracking/userLog.php and the (2) course parameter to main/mySpace/lp_tracking.php, a different vector than CVE-2009-2006.2.
network
dokeos CWE-89
6.8
2009-06-08 CVE-2009-2007 Path Traversal vulnerability in Dokeos 1.8.5
Multiple directory traversal vulnerabilities in Dokeos 1.8.5, and possibly earlier, allow remote attackers to (1) read portions of arbitrary files via a ..
network
low complexity
dokeos CWE-22
5.0
2009-06-08 CVE-2009-2005 Cross-Site Request Forgery (CSRF) vulnerability in Dokeos 1.8.5
Cross-site request forgery (CSRF) vulnerability in Dokeos 1.8.5, and possibly earlier, allows remote attackers to hijack the authentication of unspecified victims and add new personal agenda items via unknown vectors.
network
dokeos CWE-352
6.8
2007-12-20 CVE-2007-6479 Permissions, Privileges, and Access Controls vulnerability in Dokeos 1.8.4
Unrestricted file upload vulnerability in the "My productions" component for main/auth/profile.php (aka the "My profile" page) in Dokeos 1.8.4 allows remote authenticated users to upload and execute arbitrary PHP files via a filename with a double extension, which can then be accessed through a URI under main/upload/users/.
network
dokeos CWE-264
4.9
2007-05-30 CVE-2007-2901 SQL Injection and Cross-Site Scripting vulnerability in Dokeos
Multiple cross-site scripting (XSS) vulnerabilities in Dokeos 1.8.0 and earlier allow remote attackers to inject arbitrary web script or HTML via the img parameter to main/inc/lib/fckeditor/editor/plugins/ImageManager/editor.php and other unspecified vectors.
network
dokeos
4.3
2006-07-28 CVE-2006-3924 Cross-Site Scripting vulnerability in Dokeos
Multiple cross-site scripting (XSS) vulnerabilities in Dokeos before 1.6.5 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
network
dokeos CWE-79
4.3
2006-05-10 CVE-2006-2286 Code Injection vulnerability in Dokeos and Dokeos Community Release
Multiple PHP remote file inclusion vulnerabilities in claro_init_global.inc.php in Dokeos 1.6.3 and earlier, and Dokeos community release 2.0.3, allow remote attackers to execute arbitrary PHP code via a URL in the (1) rootSys and (2) clarolineRepositorySys parameters, and possibly the (3) lang_path, (4) extAuthSource, (5) thisAuthSource, (6) main_configuration_file_path, (7) phpDigIncCn, and (8) drs parameters to (a) testheaderpage.php and (b) resourcelinker.inc.php.
network
dokeos CWE-94
6.8
2006-05-10 CVE-2006-2284 Remote File Include vulnerability in Claroline
Multiple PHP remote file inclusion vulnerabilities in Claroline 1.7.5 allow remote attackers to execute arbitrary PHP code via a URL in the (1) clarolineRepositorySys parameter in ldap.inc.php and the (2) claro_CasLibPath parameter in casProcess.inc.php.
network
claroline dokeos
6.8
2005-08-17 CVE-2005-2598 Directory Traversal vulnerability in Dokeos
Multiple directory traversal vulnerabilities in Dokeos 1.6 and earlier, and possibly Claroline, allow remote attackers to (1) delete arbitrary files or directories via the delete parameter to claroline/scorm/scormdocument.php, (2) move arbitrary files via the move_to and move_file parameters to claroline/document/document.php, or determine the existence of arbitrary files via the file parameter to (3) claroline/scorm/showinframes.php or (4) claroline/scorm/contents.php.
network
low complexity
dokeos
5.0