Vulnerabilities > Dokeos

DATE CVE VULNERABILITY TITLE RISK
2008-03-10 CVE-2008-1222 Cross-Site Scripting vulnerability in Dokeos Open Source Learning and Knowledge Management Tool 1.8.4
Cross-site scripting (XSS) vulnerability in Dokeos 1.8.4 before SP3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
network
dokeos CWE-79
4.3
4.3
2008-02-21 CVE-2008-0851 Cross-Site Scripting vulnerability in Dokeos E-Learning System 1.8.4
Multiple cross-site scripting (XSS) vulnerabilities in Dokeos 1.8.4 allow remote attackers to inject arbitrary web script or HTML via the (1) username parameter to inscription.php, (2) courseCode parameter to main/calendar/myagenda.php, (3) category parameter to main/admin/course_category.php, (4) message parameter to main/admin/session_list.php in a show_message action, and (5) an avatar image to main/auth/profile.php.
network
dokeos CWE-79
4.3
4.3
2008-02-21 CVE-2008-0850 SQL Injection vulnerability in Dokeos 1.8.4
Multiple SQL injection vulnerabilities in Dokeos 1.8.4 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to whoisonline.php, (2) tracking_list_coaches_column parameter to main/mySpace/index.php, (3) tutor_name parameter to main/create_course/add_course.php, the (4) Referer HTTP header to index.php, and the (5) X-Fowarded-For HTTP header to main/admin/class_list.php.
network
low complexity
dokeos CWE-89
7.5
7.5
2007-12-28 CVE-2007-6574 Cross-Site Scripting vulnerability in Dokeos products
Multiple cross-site scripting (XSS) vulnerabilities in Dokeos 1.8.4 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the origin parameter to work/work.php in a display_upload_form action, or the forum parameter to (2) forum/viewforum.php or (3) forum/viewthread.php.
network
dokeos CWE-79
4.3
4.3
2007-12-20 CVE-2007-6479 Permissions, Privileges, and Access Controls vulnerability in Dokeos 1.8.4
Unrestricted file upload vulnerability in the "My productions" component for main/auth/profile.php (aka the "My profile" page) in Dokeos 1.8.4 allows remote authenticated users to upload and execute arbitrary PHP files via a filename with a double extension, which can then be accessed through a URI under main/upload/users/.
network
dokeos CWE-264
4.9
4.9
2007-05-30 CVE-2007-2902 SQL-Injection vulnerability in Dokeos
SQL injection vulnerability in main/auth/my_progress.php in Dokeos 1.8.0 and earlier allows remote authenticated users to execute arbitrary SQL commands via the course parameter.
network
low complexity
dokeos
7.5
7.5
2007-05-30 CVE-2007-2901 SQL Injection and Cross-Site Scripting vulnerability in Dokeos
Multiple cross-site scripting (XSS) vulnerabilities in Dokeos 1.8.0 and earlier allow remote attackers to inject arbitrary web script or HTML via the img parameter to main/inc/lib/fckeditor/editor/plugins/ImageManager/editor.php and other unspecified vectors.
network
dokeos
4.3
4.3
2007-05-30 CVE-2007-2889 SQL Injection vulnerability in Dokeos CourseLog.PHP
SQL injection vulnerability in tracking/courseLog.php in Dokeos 1.6.5 and earlier allows remote attackers to execute arbitrary SQL commands via the scormcontopen parameter.
network
low complexity
dokeos
7.5
7.5
2006-09-19 CVE-2006-4844 Code Injection vulnerability in multiple products
PHP remote file inclusion vulnerability in inc/claro_init_local.inc.php in Claroline 1.7.7 and earlier, as used in Dokeos and possibly other products, allows remote attackers to execute arbitrary PHP code via a URL in the extAuthSource[newUser] parameter.
network
high complexity
claroline dokeos CWE-94
5.1
5.1
2006-07-28 CVE-2006-3924 Cross-Site Scripting vulnerability in Dokeos
Multiple cross-site scripting (XSS) vulnerabilities in Dokeos before 1.6.5 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
network
dokeos CWE-79
4.3
4.3