Vulnerabilities > Dokeos > Medium

DATE CVE VULNERABILITY TITLE RISK
2009-06-08 CVE-2009-2009 Cross-Site Scripting vulnerability in Dokeos 1.8.5
Multiple cross-site scripting (XSS) vulnerabilities in Dokeos 1.8.5, and possibly earlier, allow remote attackers to inject arbitrary web script or HTML via the (1) curdirpath parameter to main/document/slideshow.php and the (2) file parameter to main/exercice/testheaderpage.php.
network
dokeos CWE-79
4.3
4.3
2009-06-08 CVE-2009-2008 SQL Injection vulnerability in Dokeos 1.8.5
Multiple SQL injection vulnerabilities in Dokeos 1.8.5, and possibly earlier, allow remote attackers to execute arbitrary SQL commands via the (1) uInfo parameter to main/tracking/userLog.php and the (2) course parameter to main/mySpace/lp_tracking.php, a different vector than CVE-2009-2006.2.
network
dokeos CWE-89
6.8
6.8
2009-06-08 CVE-2009-2007 Path Traversal vulnerability in Dokeos 1.8.5
Multiple directory traversal vulnerabilities in Dokeos 1.8.5, and possibly earlier, allow remote attackers to (1) read portions of arbitrary files via a ..
network
low complexity
dokeos CWE-22
5.0
5.0
2009-06-08 CVE-2009-2005 Cross-Site Request Forgery (CSRF) vulnerability in Dokeos 1.8.5
Cross-site request forgery (CSRF) vulnerability in Dokeos 1.8.5, and possibly earlier, allows remote attackers to hijack the authentication of unspecified victims and add new personal agenda items via unknown vectors.
network
dokeos CWE-352
6.8
6.8
2008-03-10 CVE-2008-1222 Cross-Site Scripting vulnerability in Dokeos Open Source Learning and Knowledge Management Tool 1.8.4
Cross-site scripting (XSS) vulnerability in Dokeos 1.8.4 before SP3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
network
dokeos CWE-79
4.3
4.3
2008-02-21 CVE-2008-0851 Cross-Site Scripting vulnerability in Dokeos E-Learning System 1.8.4
Multiple cross-site scripting (XSS) vulnerabilities in Dokeos 1.8.4 allow remote attackers to inject arbitrary web script or HTML via the (1) username parameter to inscription.php, (2) courseCode parameter to main/calendar/myagenda.php, (3) category parameter to main/admin/course_category.php, (4) message parameter to main/admin/session_list.php in a show_message action, and (5) an avatar image to main/auth/profile.php.
network
dokeos CWE-79
4.3
4.3
2007-12-28 CVE-2007-6574 Cross-Site Scripting vulnerability in Dokeos products
Multiple cross-site scripting (XSS) vulnerabilities in Dokeos 1.8.4 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the origin parameter to work/work.php in a display_upload_form action, or the forum parameter to (2) forum/viewforum.php or (3) forum/viewthread.php.
network
dokeos CWE-79
4.3
4.3
2007-12-20 CVE-2007-6479 Permissions, Privileges, and Access Controls vulnerability in Dokeos 1.8.4
Unrestricted file upload vulnerability in the "My productions" component for main/auth/profile.php (aka the "My profile" page) in Dokeos 1.8.4 allows remote authenticated users to upload and execute arbitrary PHP files via a filename with a double extension, which can then be accessed through a URI under main/upload/users/.
network
dokeos CWE-264
4.9
4.9
2007-05-30 CVE-2007-2901 SQL Injection and Cross-Site Scripting vulnerability in Dokeos
Multiple cross-site scripting (XSS) vulnerabilities in Dokeos 1.8.0 and earlier allow remote attackers to inject arbitrary web script or HTML via the img parameter to main/inc/lib/fckeditor/editor/plugins/ImageManager/editor.php and other unspecified vectors.
network
dokeos
4.3
4.3
2006-09-19 CVE-2006-4844 Code Injection vulnerability in multiple products
PHP remote file inclusion vulnerability in inc/claro_init_local.inc.php in Claroline 1.7.7 and earlier, as used in Dokeos and possibly other products, allows remote attackers to execute arbitrary PHP code via a URL in the extAuthSource[newUser] parameter.
network
high complexity
claroline dokeos CWE-94
5.1
5.1