Osclass
Products
1- 13 CVEs
Recent CVEs
13| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-27515 | 0.00 | — | 0.01 | Feb 28, 2024 | Osclass 5.1.2 is vulnerable to SQL Injection. | |||
| CVE-2016-10751 | 0.00 | — | 0.03 | May 24, 2019 | osClass 3.6.1 allows oc-admin/plugins.php Directory Traversal via the plugin parameter. This is exploitable for remote PHP code execution because an administrator can upload an image that contains PHP code in the EXIF data via index.php?page=ajax&action=ajax_upload. | |||
| CVE-2018-14481 | 0.00 | — | 0.01 | Jan 3, 2019 | Osclass 3.7.4 has XSS via the query string to index.php, a different vulnerability than CVE-2014-6280. | |||
| CVE-2014-8085 | 0.00 | — | 0.03 | Jan 5, 2015 | Unrestricted file upload vulnerability in the CWebContact::doModel method in oc-includes/osclass/controller/contact.php in OSClass before 3.4.3 allows remote attackers to execute arbitrary PHP code by uploading a file with a PHP extension, then accessing it via a direct request… | |||
| CVE-2014-8084 | 0.00 | — | 0.03 | Jan 5, 2015 | Directory traversal vulnerability in oc-includes/osclass/controller/ajax.php in OSClass before 3.4.3 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the ajaxfile parameter in a custom action. | |||
| CVE-2014-8083 | 0.00 | — | 0.02 | Jan 5, 2015 | SQL injection vulnerability in the Search::setJsonAlert method in OSClass before 3.4.3 allows remote attackers to execute arbitrary SQL commands via the alert parameter in a search alert subscription action. | |||
| CVE-2014-6308 | 0.00 | — | 0.22 | Oct 20, 2014 | Directory traversal vulnerability in OSClass before 3.4.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter in a render action to oc-admin/index.php. | |||
| CVE-2014-6280 | 0.00 | — | 0.02 | Oct 20, 2014 | Multiple cross-site scripting (XSS) vulnerabilities in OSClass before 3.4.2 allow remote attackers to inject arbitrary web script or HTML via the (1) action or (2) nsextt parameter to oc-admin/index.php or the (3) nsextt parameter in an items_reported action to… | |||
| CVE-2012-5163 | 0.00 | — | 0.02 | Sep 26, 2012 | Cross-site scripting (XSS) vulnerability in oc-admin/ajax/ajax.php in OSClass before 2.3.5 allows remote attackers to inject arbitrary web script or HTML via the id parameter in an enable_category action to index.php. | |||
| CVE-2012-5162 | 0.00 | — | 0.01 | Sep 26, 2012 | Multiple SQL injection vulnerabilities in oc-admin/ajax/ajax.php in OSClass before 2.3.5 allow remote attackers to execute arbitrary SQL commands via the id parameter in a (1) edit_category_post or (2) enable_category action to index.php. | |||
| CVE-2012-1617 | 0.00 | — | 0.10 | Sep 26, 2012 | Directory traversal vulnerability in combine.php in OSClass before 2.3.6 allows remote attackers to read and write arbitrary files via a .. (dot dot) in the type parameter. NOTE: this vulnerability can be leveraged to upload arbitrary files. | |||
| CVE-2012-0974 | 0.00 | — | 0.04 | Sep 25, 2012 | Multiple cross-site scripting (XSS) vulnerabilities in the getParam function in oc-includes/osclass/core/Params.php in OSClass before 2.3.5 allow remote attackers to inject arbitrary web script or HTML via the (1) sCity, (2) sPattern, (3) sPriceMax, and (4) sPriceMin parameters… | |||
| CVE-2012-0973 | 0.00 | — | 0.02 | Sep 25, 2012 | Multiple SQL injection vulnerabilities in OSClass before 2.3.5 allow remote attackers to execute arbitrary SQL commands via the sCategory parameter to index.php, which is not properly handled by the (1) osc_search_category_id function in oc-includes/osclass/helpers/hSearch.php… |
- CVE-2024-27515Feb 28, 2024risk 0.00cvss —epss 0.01
Osclass 5.1.2 is vulnerable to SQL Injection.
- CVE-2016-10751May 24, 2019risk 0.00cvss —epss 0.03
osClass 3.6.1 allows oc-admin/plugins.php Directory Traversal via the plugin parameter. This is exploitable for remote PHP code execution because an administrator can upload an image that contains PHP code in the EXIF data via index.php?page=ajax&action=ajax_upload.
- CVE-2018-14481Jan 3, 2019risk 0.00cvss —epss 0.01
Osclass 3.7.4 has XSS via the query string to index.php, a different vulnerability than CVE-2014-6280.
- CVE-2014-8085Jan 5, 2015risk 0.00cvss —epss 0.03
Unrestricted file upload vulnerability in the CWebContact::doModel method in oc-includes/osclass/controller/contact.php in OSClass before 3.4.3 allows remote attackers to execute arbitrary PHP code by uploading a file with a PHP extension, then accessing it via a direct request…
- CVE-2014-8084Jan 5, 2015risk 0.00cvss —epss 0.03
Directory traversal vulnerability in oc-includes/osclass/controller/ajax.php in OSClass before 3.4.3 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the ajaxfile parameter in a custom action.
- CVE-2014-8083Jan 5, 2015risk 0.00cvss —epss 0.02
SQL injection vulnerability in the Search::setJsonAlert method in OSClass before 3.4.3 allows remote attackers to execute arbitrary SQL commands via the alert parameter in a search alert subscription action.
- CVE-2014-6308Oct 20, 2014risk 0.00cvss —epss 0.22
Directory traversal vulnerability in OSClass before 3.4.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter in a render action to oc-admin/index.php.
- CVE-2014-6280Oct 20, 2014risk 0.00cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in OSClass before 3.4.2 allow remote attackers to inject arbitrary web script or HTML via the (1) action or (2) nsextt parameter to oc-admin/index.php or the (3) nsextt parameter in an items_reported action to…
- CVE-2012-5163Sep 26, 2012risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in oc-admin/ajax/ajax.php in OSClass before 2.3.5 allows remote attackers to inject arbitrary web script or HTML via the id parameter in an enable_category action to index.php.
- CVE-2012-5162Sep 26, 2012risk 0.00cvss —epss 0.01
Multiple SQL injection vulnerabilities in oc-admin/ajax/ajax.php in OSClass before 2.3.5 allow remote attackers to execute arbitrary SQL commands via the id parameter in a (1) edit_category_post or (2) enable_category action to index.php.
- CVE-2012-1617Sep 26, 2012risk 0.00cvss —epss 0.10
Directory traversal vulnerability in combine.php in OSClass before 2.3.6 allows remote attackers to read and write arbitrary files via a .. (dot dot) in the type parameter. NOTE: this vulnerability can be leveraged to upload arbitrary files.
- CVE-2012-0974Sep 25, 2012risk 0.00cvss —epss 0.04
Multiple cross-site scripting (XSS) vulnerabilities in the getParam function in oc-includes/osclass/core/Params.php in OSClass before 2.3.5 allow remote attackers to inject arbitrary web script or HTML via the (1) sCity, (2) sPattern, (3) sPriceMax, and (4) sPriceMin parameters…
- CVE-2012-0973Sep 25, 2012risk 0.00cvss —epss 0.02
Multiple SQL injection vulnerabilities in OSClass before 2.3.5 allow remote attackers to execute arbitrary SQL commands via the sCategory parameter to index.php, which is not properly handled by the (1) osc_search_category_id function in oc-includes/osclass/helpers/hSearch.php…