Worth noting this April: two WordPress updates fixing critical security flaws, WordPress 4.1.2 and WordPress 4.2.1.
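As an added practitioner check (example code written for this page, not code from WordPress or OSVDB), the script below reads the version string from an install's wp-includes/version.php and reports whether the core version is at or above the fixed releases named above: 4.1.2 for the 4.1 branch and 4.2.1 for the 4.2 branch. The sample file contents are constructed; the per-branch floors and the treatment of branches outside 4.1/4.2 are assumptions stated in the code; and the check covers core only, since most April entries are in plugins and themes.

```python
import re
import sys

# Minimum fixed core releases named on this page for April 2015, keyed by
# major.minor branch. Assumption: a branch older than 4.1 has no April fix
# and must be upgraded; a branch newer than 4.2 is assumed to carry the fixes.
PATCHED_FLOOR = {
    (4, 1): (4, 1, 2),
    (4, 2): (4, 2, 1),
}

# wp-includes/version.php declares the version as:  $wp_version = '4.1.1';
_VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")


def parse_wp_version(version_php: str) -> tuple:
    """Extract (major, minor, patch) from the text of wp-includes/version.php.

    Pre-release strings such as '4.3-alpha-32211' keep only the leading
    digits of each component; missing components default to 0.
    """
    match = _VERSION_RE.search(version_php)
    if match is None:
        raise ValueError("no $wp_version assignment found")
    numbers = []
    for component in match.group(1).split("."):
        digits = re.match(r"\d+", component)
        if digits is None:
            break
        numbers.append(int(digits.group()))
    while len(numbers) < 3:
        numbers.append(0)
    return tuple(numbers[:3])


def is_patched(version: tuple) -> bool:
    """True if this core version is at or above the April 2015 fixed release
    for its branch. Core only: plugin and theme flaws need their own checks."""
    branch = version[:2]
    if branch in PATCHED_FLOOR:
        return version >= PATCHED_FLOOR[branch]
    # Branches newer than any listed floor are assumed patched (assumption);
    # older branches are not.
    return branch > max(PATCHED_FLOOR)


def audit(version_php: str) -> dict:
    """Return a small verdict record for one install."""
    version = parse_wp_version(version_php)
    branch = version[:2]
    floor = PATCHED_FLOOR.get(branch)
    if floor is not None:
        required = ".".join(map(str, floor))
    elif branch < max(PATCHED_FLOOR):
        required = "upgrade to a supported branch (4.2.1 or later)"
    else:
        required = "no April 2015 floor listed for this branch"
    return {
        "version": ".".join(map(str, version)),
        "patched": is_patched(version),
        "required": required,
    }


# Constructed sample contents standing in for real wp-includes/version.php files.
SAMPLE_VULNERABLE = "<?php\n$wp_version = '4.1.1';\n"
SAMPLE_FIXED = "<?php\n$wp_version = '4.2.1';\n"

if __name__ == "__main__":
    # Usage: python wp_core_check.py /var/www/html/wp-includes/version.php
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            print(audit(fh.read()))
    else:
        for sample in (SAMPLE_VULNERABLE, SAMPLE_FIXED):
            print(audit(sample))
```

Run it against the version.php of each install you manage; a `patched: False` verdict means core itself is below the April floor, independently of any plugin listed further down.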

[Chart: vulnerabilities, April 2015]

Number of vulnerabilities detected during the month of March 2015

[Chart: marsavril2015]

Source: OSVDB

See the full list ...

DRUPAL - JOOMLA - WORDPRESS

DRUPAL

ID   Disclosure date (DD/MM/YYYY)   Title
121465 29/04/2015 Camtasia Relay Module for Drupal Meta Access Tab Stored XSS
121467 29/04/2015 Smart Trim Module for Drupal Field Settings Form Stored XSS
121466 29/04/2015 MailChimp Module for Drupal Unspecified Stored XSS
121468 29/04/2015 Views Module for Drupal Caching Mechanism Filter Failure Remote Information Disclosure
121160 22/04/2015 HybridAuth Social Login Module for Drupal Plaintext Password Storage Local Information Disclosure
121161 22/04/2015 Keyword Research Module for Drupal Keyword Priority Setting Manipulation CSRF
121162 22/04/2015 Node Template Module for Drupal Node Template Deletion CSRF
120808 15/04/2015 Display Suite Module for Drupal Unspecified XSS
120809 15/04/2015 Services Module for Drupal Filename Handling File Upload Remote Code Execution
120810 15/04/2015 Services Module for Drupal Missing field_access Check Entity Displaying Remote Information Disclosure
120412 08/04/2015 CiviCRM private report Module for Drupal Report Deletion CSRF
120218 01/04/2015 Imagefield Info Module for Drupal Unspecified Administration Pages Stored XSS Weakness
120219 01/04/2015 EntityBulkDelete Module for Drupal Unspecified Administration Pages XSS
120220 01/04/2015 Password Policy Module for Drupal Unspecified Administration Pages Username Handling XSS
120221 01/04/2015 Current Search Links Module for Drupal Search Query Handling XSS
120222 01/04/2015 Open Graph Importer Module for Drupal Missing Permission Check Remote Content Creation
120223 01/04/2015 User Import Module for Drupal Ongoing Import Manipulation CSRF

JOOMLA

ID   Disclosure date (DD/MM/YYYY)   Title
121506 27/04/2015 OS Property Component for Joomla! /index.php country_id Parameter SQL Injection

WORDPRESS

ID   Disclosure date (DD/MM/YYYY)   Title
121411 28/04/2015 Exquisite - Ultimate Newspaper Theme Plugin for Wordpress jquery.foundation.plugins.js DOM-Based URI XSS
121366 27/04/2015 WooCommerce Amazon Affiliates Plugin for WordPress /plugins/wwc-amz-aff/modules/remote_support/remote_tunnel.php File Upload Remote Code Execution
121320 27/04/2015 WordPress Blog Comment Truncation Stored XSS
121286 25/04/2015 Disclaimer and Notification Manager for Authors Plugin for WordPress disclaimer-manager-multi-author-blog.php XSS
121287 25/04/2015 Theater Plugin for WordPress functions/wpt_importer.php settings_field_schedule() Function XSS
121288 25/04/2015 CoursePress Plugin for WordPress Unspecified XSS
121289 25/04/2015 Collapse-O-Matic Plugin for WordPress collapse-o-matic.php plugin_oven_activate_license() Function XSS
121290 24/04/2015 WP Google Map Plugin for WordPress wp-google-map-plugin.php XSS
121291 24/04/2015 WP User Avatar Plugin for WordPress Multiple Function XSS
121233 24/04/2015 Premium SEO Pack Plugin for WordPress remote_tunnel.php validate_connection() Function Bypass File Upload Remote Code Execution
121202 23/04/2015 WooFramework Theme for WordPress woo_sbm_callback() Function woo_sbm_post_action Action XSS
121294 23/04/2015 Slideshow Plugin for WordPress classes/SlideshowPluginSlideshowStylesheet.php Unspecified Issue
121296 22/04/2015 WooSidebars Plugin for WordPress classes/class-woo-sidebars.php XSS
121297 22/04/2015 WooSidebars Sidebar Manager Converter Plugin for WordPress classes/class-woosidebars-sbm-converter.php XSS
121298 22/04/2015 Icons for Features Plugin for WordPress classes/class-icons-for-features-admin.php XSS
121299 22/04/2015 Subscribe & Connect Plugin for WordPress classes/class-subscribe-and-connect-admin.php XSS
121300 22/04/2015 WooFramework Tweaks Plugin for WordPress wooframework-tweaks.php XSS
121301 22/04/2015 WooFramework Branding Plugin for WordPress wooframework-branding.php XSS
121164 22/04/2015 Ultimate Product Catalogue Plugin for WordPress Add_Products_From_Spreadsheet() Function File Upload Remote Code Execution
121165 22/04/2015 Ultimate Product Catalogue Plugin for WordPress Options Settings Unspecified SQL Injection
121507 22/04/2015 White Label CMS Plugin for WordPress wlcms-plugin.php Import Handling CSRF
121082 21/04/2015 MailChimp List Subscribe Form Plugin for WordPress User Subscription Email Field Stored XSS
121081 21/04/2015 MailChimp Subscribe Form Plugin for WordPress User Subscription Email Field Remote PHP Code Execution
121080 21/04/2015 MailChimp Subscribe Form Plugin for WordPress subscriber-list-download.php Direct Request Subscriber List Disclosure
121121 21/04/2015 NEX-Forms Plugin for WordPress wp-admin/admin-ajax.php submit_nex_form Action ex_forms_Id Parameter SQL Injection
121124 21/04/2015 MiwoFTP Plugin for WordPress /wp-admin/admin.php miwoftp Page item Parameter Remote File Download
121085 21/04/2015 WordPress Unspecified File Upload
121302 21/04/2015 PressBooks Textbook Plugin for WordPress symbionts/disable-comments/disable-comments.php XSS
121303 21/04/2015 WP-Spreadplugin Plugin for WordPress spreadplugin.php XSS
121304 21/04/2015 church_admin Plugin for WordPress Multiple Input XSS
121305 21/04/2015 WP Print Friendly Plugin for WordPress wp-print-friendly.php action_admin_notices_activation() Function XSS
121307 21/04/2015 CampTix Network Tools Plugin for WordPress includes/class-camptix-network-dashboard-list-table.php get_views() Function XSS
121382 21/04/2015 rtMedia Plugin for WordPress Multiple Input XSS
121383 21/04/2015 rtMedia Plugin for WordPress app/importers/RTMediaActivityUpgrade.php rtmedia_activity_upgrade() Ajax Method last_id Parameter SQL Injection
121279 21/04/2015 CMS Tree Page View Plugin for WordPress functions.php Multiple Parameter XSS
121381 21/04/2015 rtMedia Plugin for WordPress app/importers/RTMediaMediaSizeImporter.php rtmedia_media_size_import() Ajax Method last_id Parameter SQL Injection
121086 21/04/2015 WordPress Unspecified XSS
121087 21/04/2015 WordPress Unspecified Limited XSS
121069 20/04/2015 All In one SEO Pack Plugin for WordPress Multiple Function Unspecified XSS
121070 20/04/2015 Gravity Forms Plugin for WordPress Multiple Function Unspecified XSS
121072 20/04/2015 WP-E-Commerce Plugin for WordPress Multiple Function Unspecified XSS
121073 20/04/2015 WPTouch Plugin for WordPress Multiple Function Unspecified XSS
121074 20/04/2015 Barry Kooij Multiple Plugins for WordPress Multiple Function Unspecified XSS
121075 20/04/2015 My Calendar Plugin for WordPress Multiple Function Unspecified XSS
121076 20/04/2015 P3 Profiler Plugin for WordPress Multiple Function Unspecified XSS
121077 20/04/2015 Give Plugin for WordPress Multiple Function Unspecified XSS
121083 20/04/2015 iThemes Multiple Plugins / Themes for WordPress Multiple Function Unspecified XSS
121277 20/04/2015 Crayon Syntax Highlighter Plugin for WordPress crayon_wp.class.php crayon-theme-editor-save() Method CSS Theme Overwrite Issue
121066 20/04/2015 Jetpack Plugin for WordPress Multiple Function Unspecified XSS
121067 20/04/2015 WordPress SEO Plugin for WordPress Multiple Function Unspecified XSS
121079 20/04/2015 Ninja Forms Plugin for WordPress Multiple Function XSS Weakness
121078 20/04/2015 Broken-Link-Checker Plugin for WordPress Multiple Function XSS
121071 20/04/2015 UpdraftPlus Plugin for WordPress admin.php Multiple Function XSS
121308 20/04/2015 View All Post's Pages Plugin for WordPress view-all-posts-pages.php action_admin_notices_activation() Function XSS
121309 20/04/2015 Date-based Taxonomy Archives Plugin for WordPress date-based-taxonomy-archives.php filter_get_archives_link() Function XSS
121310 20/04/2015 Taxonomy Switcher Plugin for WordPress taxonomy-switcher.php XSS
121311 20/04/2015 Two Factor Authentication Plugin for WordPress includes/user_settings.php XSS
121312 20/04/2015 Two Factor Authentication Plugin for WordPress two-factor-login.php XSS
121313 20/04/2015 Two Factor Authentication Plugin for WordPress includes/admin_settings.php XSS
121122 20/04/2015 Google Analytics by Yoast Plugin for Wordpress URI Handling Popular Pages Functionality Stored XSS
121337 20/04/2015 WDS Multisite Aggregate Plugin for WordPress includes/WDS_Multisite_Aggregate_Options.php XSS
121338 20/04/2015 Link Library Plugin for WordPress link-library-admin.php XSS
121339 20/04/2015 Link Library Plugin for WordPress render-link-library-alpha-filter.php XSS
121340 20/04/2015 Link Library Plugin for WordPress render-link-library-sc.php XSS
121341 20/04/2015 Link Library Plugin for WordPress usersubmission.php XSS
121384 20/04/2015 Bilingual Linker Plugin for WordPress bilingual-linker.php XSS
121387 20/04/2015 Aesop Story Engine Plugin for WordPress admin/includes/class.welcome.php XSS Weakness
121084 20/04/2015 Easy Digital Downloads Multiple Plugins for WordPress Multiple Function Unspecified XSS
121068 20/04/2015 Google Analytics by Yoast Plugin for WordPress Multiple Function Unspecified XSS
120989 17/04/2015 Users Ultra Plugin for WordPress xooclasses/xoo.userultra.photos.php Gallery ID Handling SQL Injection
121042 17/04/2015 WP-Mon Plugin for WordPress /assets/download.php path Parameter Remote Path Traversal File Access
120988 17/04/2015 Mashshare Plugin for WordPress includes/admin/tools.php Multiple Functions Missing Capability Checks Remote Bypass
120840 16/04/2015 Ajax Store Locator Plugin for WordPress admin-ajax.php sl_dal_searchlocation_cbf() Function StoreLocation Parameter SQL Injection
121008 16/04/2015 FooBox Image Lightbox Plugin for WordPress foobox-free.php admin_notice() Function XSS
120859 16/04/2015 Citizen Space Plugin for WordPress citizenspace_consultation path Parameter Reflected XSS
120858 16/04/2015 Content Slide Plugin for WordPress content_slide.php wpcs_options[slide_image1] Parameter Stored XSS
120880 15/04/2015 WP Statistics Plugin for WordPress Settings Page Multiple Unspecified Parameter Stored XSS
121009 15/04/2015 Contus Video Gallery Plugin for WordPress admin/ajax/videoupload.php Video Upload CSRF
121392 15/04/2015 eShop Plugin for WordPress Unspecified Remote Code Execution
120794 14/04/2015 Contus Video Gallery Plugin for WordPress hdflvvideoshare.php vid Parameter SQL Injection
120797 14/04/2015 MiwoFTP Plugin for WordPress /wp-admin/admin.php miwoftp Page selitems[] Parameter Remote File Deletion
120798 14/04/2015 MiwoFTP Plugin for WordPress /wp-admin/admin.php miwoftp Page Multiple Parameter XSS Weakness
120791 14/04/2015 MiwoFTP Plugin for WordPress wp-comments.php PHP File Upload CSRF
120821 14/04/2015 WP Symposium Plugin for WordPress Forum Feature Unspecified SQL Injection
121125 14/04/2015 iThemes Security Plugin for WordPress better-wp-security/modules/free/four-oh-four/class-itsec-four-oh-four.php Multiple Vector Stored XSS
121278 14/04/2015 Crayon Syntax Highlighter Plugin for WordPress data-url Attribute Handling Remote Path Traversal File Access
120606 13/04/2015 Mobile Edition Plugin for WordPress /wp-content/themes/mTheme-Unus/css/css.php files Parameter Remote Path Traversal File Access
120608 13/04/2015 N-Media Website Contact Form with File Upload Plugin for WordPress upload_file() Function File Upload Remote Code Execution
121014 13/04/2015 My Wish List Plugin for WordPress my-wish-list.php Multiple Parameter XSS
121015 13/04/2015 Simple Secure Contact Form Plugin for WordPress simple-secure-contact-form.php Widget Description Handling XSS
121016 13/04/2015 My Wish List Plugin for WordPress templates/single-wishlist.php wish_donor_donation Parameter XSS
120823 12/04/2015 Tune Library Plugin for WordPress tune-library.php Multiple Input SQL Injection
121022 12/04/2015 Collapsing Categories List Plugin for WordPress collapscatlist.php Direct Request Remote Bypass
120825 12/04/2015 Community Events Plugin for WordPress get-events.php Multiple Parameter SQL Injection
120824 12/04/2015 Community Events Plugin for WordPress get-events-admin.php Multiple Parameter SQL Injection
120822 12/04/2015 Community Events Plugin for WordPress community-events.php Multiple Parameter SQL Injection
121024 11/04/2015 Broken Link Checker Plugin for WordPress core/core.php do_bulk_recheck() Function CSRF
121025 11/04/2015 Broken Link Checker Plugin for WordPress core/core.php name Parameter XSS
121023 11/04/2015 Add Link to Facebook Plugin for WordPress add-link-to-facebook-class.php Multiple Parameter Stored XSS
120545 10/04/2015 Fusion Engage Plugin for WordPress /wp-config.php fe_get_sv_html() Function video Parameter Remote Path Traversal File Access
121132 10/04/2015 BuddyPress Plugin for WordPress Load More Link Unspecified Input Validation issue
121133 10/04/2015 BuddyPress Plugin for WordPress Member Widget Manipulation CSRF
120546 10/04/2015 Windows Desktop and iPhone Photo Uploader Plugin for WordPress uploader.php File Upload Remote Code Execution
120510 09/04/2015 Zedity Plugin for WordPress Unspecified Issue
121126 09/04/2015 JSON REST API Plugin for WordPress (WP API) Unspecified Unpublished Content / Post Revision Disclosure
120509 09/04/2015 Duplicator Plugin for WordPress views/actions.php duplicator_delid Parameter SQL Injection
120491 08/04/2015 Traffic Analyzer Plugin for WordPress class-TrafficAnalyzer.php Referer Header Blind SQL Injection
121438 08/04/2015 TheCartPress Plugin for WordPress /shopping-cart/checkout/ Multiple Parameter Stored XSS
121439 08/04/2015 TheCartPress Plugin for WordPress /wp-admin/admin.php checkout_editor_settings Page tcp_box_path Parameter Path Traversal Local File Inclusion
121440 08/04/2015 TheCartPress Plugin for WordPress order_id Parameter Enumeration Arbitrary Customer Order Disclosure
121469 08/04/2015 TheCartPress Plugin for WordPress thecartpress/admin/AddressesList.php search_by Parameter Reflected XSS
121470 08/04/2015 TheCartPress Plugin for WordPress thecartpress/admin/AddressEdit.php Multiple Parameter Reflected XSS
121471 08/04/2015 TheCartPress Plugin for WordPress thecartpress/admin/AssignedCategoriesList.php Multiple Parameter Reflected XSS
121472 08/04/2015 TheCartPress Plugin for WordPress thecartpress/admin/CustomFieldsList.php post_type Parameter Reflected XSS
120511 07/04/2015 Floating Social Bar Plugin for WordPress class-floating-social-bar.php Remote Unauthorized Settings Manipulation
120512 07/04/2015 WP Fastest Cache Plugin for WordPress inc/wp-polls.php poll_id Parameter SQL Injection
120599 07/04/2015 Floating Social Bar Plugin for WordPress class-floating-social-bar.php Multiple Action CSRF
120497 06/04/2015 All In One WP Security & Firewall Plugin for WordPress admin/wp-security-list-404.php Multiple Parameter Blind SQL Injection
120498 06/04/2015 All In One WP Security & Firewall Plugin for WordPress admin/wp-security-list-login-fails.php Multiple Parameter Blind SQL Injection
120499 06/04/2015 All In One WP Security & Firewall Plugin for WordPress admin/wp-security-list-acct-activity.php Multiple Parameter Blind SQL Injection
120500 06/04/2015 All In One WP Security & Firewall Plugin for WordPress admin/wp-security-list-locked-ip.php Multiple Parameter Blind SQL Injection
120520 06/04/2015 PHP Event Calendar Plugin for WordPress server/classes/cls_phpeventcal.php Remote File Upload
121267 06/04/2015 QAEngine Theme for WordPress class-ae-users.php Admin User Creation Remote Privilege Escalation
120302 04/04/2015 QRCodes Plugin for WordPress Unspecified XSS
120303 04/04/2015 Work The Flow File Upload Plugin for WordPress Unrestricted Remote File Upload
120315 03/04/2015 WP Super Cache Plugin for WordPress wp-cache.php Cache List Content Handling Stored XSS
120230 02/04/2015 Simple Ads Manager Plugin for WordPress sam-ajax.php Multiple Parameter SQL Injection
120233 02/04/2015 Simple Ads Manager Plugin for WordPress sam-ajax-admin.php path Parameter File Upload Remote Code Execution
120231 02/04/2015 Simple Ads Manager Plugin for WordPress sam-ajax-admin.php Multiple Parameter SQL Injection
120907 02/04/2015 Better WP Security Plugin for WordPress admin_tooltip_ajax() Function module Parameter Remote Code Execution
120306 02/04/2015 Events Manager Plugin for WordPress classes/em-object.php Multiple Parameter SQL Injection
121270 02/04/2015 WP Easy Slideshow Plugin for WordPress /includes/wss-images.php Image Deletion CSRF
121271 02/04/2015 WP Easy Slideshow Plugin for WordPress /includes/add_image.php File Upload CSRF Weakness
121441 02/04/2015 UpThemes Multiple Themes for WordPress admin/upload-file.php File Upload Remote Code Execution
120224 01/04/2015 Business Intelligence Lite Plugin for Wordpress view.php t Parameter SQL Injection
120310 01/04/2015 Favicon by RealFaviconGenerator Plugin for WordPress admin/class-favicon-by-realfavicongenerator-admin.php Favicon Installation CSRF