CVE-2015-1575
published 2015-02-11CVE-2015-1575: Multiple cross-site scripting (XSS) vulnerabilities in u5CMS before 3.9.4 allow remote attackers to inject arbitrary web script or HTML via the (1) c, (2) i…
PriorityP424medium4.3CVSS 2.0
AVNACMAuNCNIPAN
EXPLOIT
EPSS
3.28%
86.9th percentile
Multiple cross-site scripting (XSS) vulnerabilities in u5CMS before 3.9.4 allow remote attackers to inject arbitrary web script or HTML via the (1) c, (2) i, (3) l, or (4) p parameter to index.php; the (5) a or (6) b parameter to u5admin/cookie.php; the name parameter to (7) copy.php or (8) delete.php in u5admin/; the (9) f or (10) typ parameter to u5admin/deletefile.php; the (11) n parameter to u5admin/done.php; the (12) c parameter to u5admin/editor.php; the (13) uri parameter to u5admin/meta2.php; the (14) n parameter to u5admin/notdone.php; the (15) newname parameter to u5admin/rename2.php; the (16) l parameter to u5admin/sendfile.php; the (17) s parameter to u5admin/characters.php; the (18) page parameter to u5admin/savepage.php; or the (19) name parameter to u5admin/new2.php.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linux | linux_kernel | >= 0 < 3.13.0-79.123 | 3.13.0-79.123 |
| yuba | u5cms | <= 3.9.3 | — |
CVSS provenance
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:N/I:P/A:N
osv6.2MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-pqrg-pvgv-93gq: Multiple cross-site scripting (XSS) vulnerabilities in u5CMS before 3
ghsa_unreviewed·2022-05-17
CVE-2015-1575 [MEDIUM] CWE-79 GHSA-pqrg-pvgv-93gq: Multiple cross-site scripting (XSS) vulnerabilities in u5CMS before 3
Multiple cross-site scripting (XSS) vulnerabilities in u5CMS before 3.9.4 allow remote attackers to inject arbitrary web script or HTML via the (1) c, (2) i, (3) l, or (4) p parameter to index.php; the (5) a or (6) b parameter to u5admin/cookie.php; the name parameter to (7) copy.php or (8) delete.php in u5admin/; the (9) f or (10) typ parameter to u5admin/deletefile.php; the (11) n parameter to u5admin/done.php; the (12) c parameter to u5admin/editor.php; the (13) uri parameter to u5admin/meta2.php; the (14) n parameter to u5admin/notdone.php; the (15) newname parameter to u5admin/rename2.php; the (16) l parameter to u5admin/sendfile.php; the (17) s parameter to u5admin/characters.php; the (18) page parameter to u5admin/savepage.php; or the (19) name parameter to u5admin/new2.php.
OSV
linux-lts-utopic vulnerabilities
osv·2016-02-22·CVSS 6.2
CVE-2016-1576 linux-lts-utopic vulnerabilities
linux-lts-utopic vulnerabilities
halfdog discovered that OverlayFS, when mounting on top of a FUSE mount,
incorrectly propagated file attributes, including setuid. A local
unprivileged attacker could use this to gain privileges. (CVE-2016-1576)
halfdog discovered that OverlayFS in the Linux kernel incorrectly
propagated security sensitive extended attributes, such as POSIX ACLs. A
local unprivileged attacker could use this to gain privileges.
(CVE-2016-1575)
It was discovered that the Linux kernel's Filesystem in Userspace (FUSE)
implementation did not handle initial zero length segments properly. A
local attacker could use this to cause a denial of service (unkillable
task). (CVE-2015-8785)
OSV
linux vulnerabilities
osv·2016-02-22·CVSS 5.5
CVE-2016-1576 linux vulnerabilities
linux vulnerabilities
halfdog discovered that OverlayFS, when mounting on top of a FUSE mount,
incorrectly propagated file attributes, including setuid. A local
unprivileged attacker could use this to gain privileges. (CVE-2016-1576)
halfdog discovered that OverlayFS in the Linux kernel incorrectly
propagated security sensitive extended attributes, such as
POSIX ACLs. A local unprivileged attacker could use this to gain
privileges. (CVE-2016-1575)
It was discovered that the Linux kernel keyring subsystem contained a race
between read and revoke operations. A local attacker could use this to
cause a denial of service (system crash). (CVE-2015-7550)
郭永刚 discovered that the Linux kernel networking implementation did
not validate protocol identifiers for certain protocol families, A local
OSV
linux-lts-vivid vulnerabilities
osv·2016-02-22·CVSS 5.5
CVE-2016-1576 linux-lts-vivid vulnerabilities
linux-lts-vivid vulnerabilities
halfdog discovered that OverlayFS, when mounting on top of a FUSE mount,
incorrectly propagated file attributes, including setuid. A local
unprivileged attacker could use this to gain privileges. (CVE-2016-1576)
halfdog discovered that OverlayFS in the Linux kernel incorrectly
propagated security sensitive extended attributes, such as POSIX ACLs. A
local unprivileged attacker could use this to gain privileges.
(CVE-2016-1575)
It was discovered that the Linux kernel keyring subsystem contained a race
between read and revoke operations. A local attacker could use this to
cause a denial of service (system crash). (CVE-2015-7550)
郭永刚 discovered that the Linux kernel networking implementation did
not validate protocol identifiers for certain protocol families
No detection rules found.
No writeups or analysis indexed.
http://packetstormsecurity.com/files/130292/u5CMS-3.9.3-Cross-Site-Scripting.htmlhttp://www.exploit-db.com/exploits/36029http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5223.phphttp://packetstormsecurity.com/files/130292/u5CMS-3.9.3-Cross-Site-Scripting.htmlhttp://www.exploit-db.com/exploits/36029http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5223.php
2015-02-11
Published