Efiction
by Efiction
CVEs (10)
| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2007-1118 | | 0.04 | — | 0.11 | | Feb 27, 2007 | Multiple PHP remote file inclusion vulnerabilities in eFiction 3.1.1 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the path_to_smf parameter to (1) bridges/SMF/logout.php or (2) get_session_vars.php. |
| CVE-2006-4427 | | 0.04 | — | 0.10 | | Aug 29, 2006 | index.php in eFiction before 2.0.7 allows remote attackers to bypass authentication and gain privileges by setting the (1) adminloggedin, (2) loggedin, and (3) level parameters to "1". |
| CVE-2005-4171 | | 0.04 | — | 0.08 | | Dec 11, 2005 | The "Upload new image" command in the "Manage Images" eFiction 1.1, when members are allowed to upload images, allows remote attackers to execute arbitrary PHP code by uploading a filename with a .php extension that contains a GIF header, which passes the image validity check but executes any PHP code within the file. |
| CVE-2008-2754 | | 0.03 | — | 0.00 | | Jun 18, 2008 | SQL injection vulnerability in toplists.php in eFiction 3.0 and 3.4.3, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the list parameter. |
| CVE-2005-4170 | | 0.03 | — | 0.02 | | Dec 11, 2005 | SQL injection vulnerability in eFiction 1.1 allows remote attackers to execute arbitrary SQL commands via the uid parameter to viewuser.php. |
| CVE-2005-4167 | | 0.03 | — | 0.01 | | Dec 11, 2005 | Cross-site scripting (XSS) vulnerability in eFiction 1.0 and 1.1 allows remote attackers to inject arbitrary web script or HTML via the let parameter in a viewlist action to titles.php. |
| CVE-2005-4169 | | 0.03 | — | 0.01 | | Dec 11, 2005 | Multiple SQL injection vulnerabilities in eFiction 1.0 allow remote attackers to execute arbitrary SQL commands via the (1) let parameter in a viewlist action to authors.php and (2) sid parameter to viewstory.php. |
| CVE-2005-4168 | | 0.03 | — | 0.01 | | Dec 11, 2005 | Multiple SQL injection vulnerabilities in eFiction 1.0, 1.1, and 2.0 allow remote attackers to execute arbitrary SQL commands via (1) the let parameter in a viewlist action to titles.php and (2) the username. |
| CVE-2005-4173 | | 0.00 | — | 0.01 | | Dec 11, 2005 | eFiction 1.0, 1.1, and 2.0 allows remote attackers to obtain sensitive information by accessing phpinfo.php, which executes the PHP phpinfo function. |
| CVE-2005-4172 | | 0.00 | — | 0.01 | | Dec 11, 2005 | eFiction 1.0, 1.1, and 2.0 allows remote attackers to obtain sensitive information via a direct request to storyblock.php without arguments, which leaks the full pathname in the resulting PHP error message. |