Easynews
by Myiosoft
CVEs (11)
| CVE | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2008-1649 | 0.03 | — | 0.02 | Apr 2, 2008 | Cross-site scripting (XSS) vulnerability in staticpages/easypublish/index.php in EasyNews 4.0 allows remote attackers to inject arbitrary web script or HTML via the read parameter in an edp_pupublish action. |
| CVE-2008-1651 | 0.03 | — | 0.03 | Apr 2, 2008 | Directory traversal vulnerability in admin/login.php in EasyNews 4.0 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the lang parameter. |
| CVE-2008-1650 | 0.03 | — | 0.01 | Apr 2, 2008 | SQL injection vulnerability in dynamicpages/index.php in EasyNews 4.0 allows remote attackers to execute arbitrary SQL commands via the read parameter in an edp_Help_Internal_News action. |
| CVE-2006-6866 | 0.03 | — | 0.03 | Dec 31, 2006 | STphp EasyNews PRO 4.0 stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain usernames, email addresses, and password hashes via a direct request for data/users.txt. |
| CVE-2006-5412 | 0.03 | — | 0.04 | Oct 20, 2006 | admin.php in PHP Outburst Easynews 4.4.1 and earlier, when register_globals is enabled, allows remote attackers to bypass authentication, and gain the ability to execute arbitrary code, via the en_login_id parameter. |
| CVE-2001-1525 | 0.03 | — | 0.03 | Dec 31, 2001 | Directory traversal vulnerability in the comments action in easyNews 1.5 and earlier allows remote attackers to modify news.dat, template.dat and possibly other files via a ".." in the cid parameter. |
| CVE-2007-3331 | 0.00 | — | 0.01 | Jun 21, 2007 | Cross-site request forgery (CSRF) vulnerability in STphp EasyNews PRO 4.0 allows remote attackers to change the admin password via (1) a certain HTML form that is posted automatically by JavaScript or (2) a news post. |
| CVE-2007-3330 | 0.00 | — | 0.01 | Jun 21, 2007 | Cross-site scripting (XSS) vulnerability in STphp EasyNews PRO 4.0 allows remote attackers to inject arbitrary web script or HTML via a news post, which is stored in news/ without sanitization. |
| CVE-2001-1526 | 0.00 | — | 0.01 | Dec 31, 2001 | Cross-site scripting (XSS) vulnerability in the comments action in index.php in easyNews 1.5 and earlier allows remote attackers to inject arbitrary web script or HTML via the zeit parameter. |
| CVE-2001-1527 | 0.00 | — | 0.00 | Dec 31, 2001 | easyNews 1.5 and earlier stores administration passwords in cleartext in settings.php, which allows local users to obtain the passwords and gain access. |
| CVE-2001-1437 | 0.00 | — | 0.02 | Dec 1, 2001 | easyScripts easyNews 1.5 allows remote attackers to obtain the full path of the web root via a view request with a non-integer news message id field, which leaks the path in a PHP error message when the script times out. |