Vulnerabilities > Ushahidi

DATE | CVE | VULNERABILITY TITLE | RISK

2020-02-04 | CVE-2012-5618 | Weak Password Recovery Mechanism for Forgotten Password vulnerability in Ushahidi
Ushahidi before 2.6.1 has insufficient entropy for forgot-password tokens.
Risk: network, low complexity, ushahidi, CWE-640, 5.0

2014-04-25 | CVE-2013-2025 | Cross-Site Scripting vulnerability in Ushahidi Platform 2.5/2.6/2.6.1
Cross-site scripting (XSS) vulnerability in Ushahidi Platform 2.5.x through 2.6.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Risk: network, ushahidi, CWE-79, 4.3

2012-08-12 | CVE-2012-3476 | Cross-Site Scripting vulnerability in Ushahidi Platform
Multiple cross-site scripting (XSS) vulnerabilities in (1) application/views/admin/layout.php and (2) themes/default/views/header.php in the Ushahidi Platform before 2.5 allow remote authenticated users to inject arbitrary web script or HTML via vectors related to a site name.
Risk: network, ushahidi, CWE-79, 3.5

2012-08-12 | CVE-2012-3475 | Unspecified vulnerability in Ushahidi Platform
The installer in the Ushahidi Platform before 2.5 omits certain calls to the exit function, which allows remote attackers to obtain administrative privileges via unspecified vectors.
Risk: network, low complexity, ushahidi, 7.5

2012-08-12 | CVE-2012-3474 | Information Exposure vulnerability in Ushahidi Platform
The comments API in application/libraries/api/MY_Comments_Api_Object.php in the Ushahidi Platform before 2.5 allows remote attackers to obtain sensitive information about the e-mail address, IP address, and other attributes of the author of a comment via an API function call.
Risk: network, low complexity, ushahidi, CWE-200, 5.0

2012-08-12 | CVE-2012-3473 | Improper Authentication vulnerability in Ushahidi Platform
The (1) reports API and (2) administration feature in the comments API in the Ushahidi Platform before 2.5 do not require authentication, which allows remote attackers to generate reports and organize comments via API functions.
Risk: network, low complexity, ushahidi, CWE-287, 6.4

2012-08-12 | CVE-2012-3472 | Improper Authentication vulnerability in Ushahidi Platform
The email API in application/libraries/api/MY_Email_Api_Object.php in the Ushahidi Platform before 2.5 does not require authentication, which allows remote attackers to list, delete, or organize messages via a GET request.
Risk: network, low complexity, ushahidi, CWE-287, 6.4

2012-08-12 | CVE-2012-3471 | SQL Injection vulnerability in Ushahidi Platform
Multiple SQL injection vulnerabilities in the edit functions in (1) application/controllers/admin/reports.php and (2) application/controllers/members/reports.php in the Ushahidi Platform before 2.5 allow remote attackers to execute arbitrary SQL commands via an incident id.
Risk: network, low complexity, ushahidi, CWE-89, 7.5

2012-08-12 | CVE-2012-3470 | SQL Injection vulnerability in Ushahidi Platform
Multiple SQL injection vulnerabilities in application/libraries/api/MY_Countries_Api_Object.php in the Ushahidi Platform before 2.5 allow remote attackers to execute arbitrary SQL commands via vectors related to _get_countries functions.
Risk: network, low complexity, ushahidi, CWE-89, 7.5

2012-08-12 | CVE-2012-3469 | SQL Injection vulnerability in Ushahidi Platform
Multiple SQL injection vulnerabilities in the Ushahidi Platform before 2.5 allow remote attackers to execute arbitrary SQL commands via vectors related to (1) the messages admin functionality in application/controllers/admin/messages.php, (2) application/libraries/api/MY_Checkin_Api_Object.php, (3) application/controllers/admin/messages/reporters.php, or (4) the location API in application/libraries/api/MY_Locations_Api_Object.php and application/models/location.php.
Risk: network, low complexity, ushahidi, CWE-89, 7.5