CVE-2009-1315
Published: 2009-04-17
Priority: P4 · 20 | Severity: medium (CVSS 2.0 base score 4.3)
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
EPSS: 1.75% (75.0th percentile)
Multiple cross-site scripting (XSS) vulnerabilities in AbleSpace 1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) gid parameter to groups_profile.php, (2) cat_id and (3) razd_id parameters to adv_cat.php, and the (4) URL to blogs_full.php.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| abk-soft | ablespace | — | — |
No detection rules found.
Exploit-DB
CVE-2010-1315 Joomla! Component webERPcustomer - Local File Inclusion
exploitdb · 2010-04-01
---
Joomla Component webERPcustomer Local File Inclusion
Author : Chip D3 Bi0s
Group : LatinHackTeam
Email & msn : [email protected]
Date : 31 March 2010
Critical Lvl : Moderate
Impact : Exposure of sensitive information
Where : From Remote
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application : webERPcustomer
version : 1.2.1
Developer : Mo Kelly
License : GPL type : Commercial
Price : 20.00 USD
Date Added : 24 June 2009
Download : http://joomlamo.com/joomlamo/downloads/cat_view/8-extensions-integrated-with-weberp.html
Description :
webERPcustomer is a Joomla! component integrated with webERP. Upon logging in and clicking the webERPcustomer
menu selection the user/salesperson will be able to view and updat
Exploit-DB
CVE-2009-1316 ablespace 1.0 - Cross-Site Scripting / Blind SQL Injection
exploitdb · 2009-04-14
---
Original advisory: http://dsecrg.com/pages/vul/show.php?id=137
Digital Security Research Group [DSecRG] Advisory #DSECRG-09-037
Application: AbleSpace
Versions Affected: 1.0
Vendor URL: http://abk-soft.com/
Bugs: Multiple Blind SQL Injections, Multiple XSS
Exploits: YES
Reported: 18.03.2009
Vendor Response: NONE
Secondly Reported: 29.03.2009
Solution: NONE
Date of Public Advisory: 14.04.2009
Author: Eugene "Corwin" Ermakov
Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)
Details
1. Multiple Blind Sql Injections
1.1 Attacker can inject SQL code in events_view.php vulnerable parameter eid
Example:
http://[server]/[installdir]/events_view.php?eid=69'
1.2 Attacker can inject SQL code in events_clndr_vie
No writeups or analysis indexed.
References
http://dsecrg.com/pages/vul/show.php?id=137
http://secunia.com/advisories/34663
http://www.securityfocus.com/archive/1/502670/100/0/threaded
http://www.securityfocus.com/bid/34512
https://exchange.xforce.ibmcloud.com/vulnerabilities/44847
https://www.exploit-db.com/exploits/8424