Summary

Vendor: Pligg
Product: Pligg Cms
Version: 1.1.0
Update: *
Edition: *
Language: *
Software Edition: *
Target Software: *
Target Hardware: *
Other: *

Detail

First view: 2009-08-26
Last view: 2014-11-26
Type: Application

CPE Product: cpe:2.3:a:pligg:pligg_cms

Related : CVE

Alert  Date        CVE  (description follows each entry)
7.5 2014-11-26 CVE-2014-9096

Multiple SQL injection vulnerabilities in recover.php in Pligg CMS 2.0.1 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) id or (2) n parameter.

7.5 2012-05-27 CVE-2012-2937

Multiple SQL injection vulnerabilities in Pligg CMS before 1.2.2 allow remote attackers to execute arbitrary SQL commands via the (1) list parameter in a move action to admin/admin_index.php, (2) display parameter in a minimize action to admin/admin_index.php, (3) enabled[] parameter to admin/admin_users.php, or (4) msg_id to the module.php in the simple_messaging module.

4.3 2012-05-27 CVE-2012-2936

Multiple cross-site scripting (XSS) vulnerabilities in Pligg CMS before 1.2.2 allow remote attackers to inject arbitrary web script or HTML via the (1) user or (2) page parameter to (a) admin/admin_comments.php or (b) admin/admin_links.php; or list parameter in a (3) move or (4) minimize action to (c) admin/admin_index.php.

4.3 2012-05-27 CVE-2012-2436

Multiple cross-site scripting (XSS) vulnerabilities in Pligg CMS before 1.2.2 allow remote attackers to inject arbitrary web script or HTML via (1) an arbitrary parameter in a move or (2) minimize action to admin/admin_index.php; (3) the karma_username parameter to module.php in the karma module; (4) q_1_low, (5) q_1_high, (6) q_2_low, or (7) q_2_high parameter in a configure action to module.php in the captcha module; or (8) the edit parameter to module.php in the admin_language module.

6.5 2012-05-27 CVE-2012-2435

Directory traversal vulnerability in the captcha module in Pligg CMS before 1.2.2 allows remote authenticated users to include and execute arbitrary local files via a .. (dot dot) in the captcha parameter to module.php, as demonstrated by cross-site request forgery (CSRF) attacks.

4.3 2011-11-03 CVE-2011-3986

Cross-site scripting (XSS) vulnerability in Pligg before 1.2.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

7.5 2010-08-16 CVE-2010-3013

SQL injection vulnerability in groupadmin.php in Pligg before 1.1.1 allows remote attackers to execute arbitrary SQL commands via the role parameter, a different vulnerability than CVE-2010-2577.

7.5 2010-08-16 CVE-2010-2577

Multiple SQL injection vulnerabilities in Pligg before 1.1.1 allow remote attackers to execute arbitrary SQL commands via the title parameter to (1) storyrss.php or (2) story.php.

7.5 2009-08-26 CVE-2008-7091

Multiple SQL injection vulnerabilities in Pligg 9.9 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to vote.php, which is not properly handled in libs/link.php; (2) id parameter to trackback.php; (3) an unspecified parameter to submit.php; (4) requestTitle variable in a query to story.php; (5) requestID and (6) requestTitle variables in recommend.php; (7) categoryID parameter to cloud.php; (8) title parameter to out.php; (9) username parameter to login.php; (10) id parameter to cvote.php; and (11) commentid parameter to edit.php.

7.8 2009-08-26 CVE-2008-7090

Multiple directory traversal vulnerabilities in Pligg 9.9 and earlier allow remote attackers to (1) determine the existence of arbitrary files via a .. (dot dot) in the $tb_url variable in trackback.php, or (2) include arbitrary files via a .. (dot dot) in the template parameter to settemplate.php.

4.3 2009-08-26 CVE-2008-7089

Cross-site scripting (XSS) vulnerability in Pligg 9.9 and earlier allows remote attackers to inject arbitrary web script or HTML via the keyword parameter in a search action to user.php and other unspecified vectors.

CWE : Common Weakness Enumeration

%    Count  ID      Name
45% (5) CWE-89 Improper Sanitization of Special Elements used in an SQL Command ('...
36% (4) CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting')
18% (2) CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path ...

Open Source Vulnerability Database (OSVDB)

id Description
77044 Pligg CMS Unspecified XSS (2011-3986)
67069 Pligg CMS groupadmin.php role Parameter SQL Injection
67068 Pligg CMS story.php title Parameter SQL Injection
67067 Pligg CMS storyrss.php title Parameter SQL Injection
50198 Pligg edit.php commentid Parameter SQL Injection
50197 Pligg cvote.php id Parameter SQL Injection
50196 Pligg login.php username Parameter SQL Injection
50195 Pligg out.php title Parameter SQL Injection
50194 Pligg cloud.php categoryID Parameter SQL Injection
50193 Pligg recommend.php Multiple Parameter SQL Injection
50192 Pligg story.php requestTitle Parameter SQL Injection
50191 Pligg submit.php Unspecified SQL Injection
50190 Pligg trackback.php id Parameter SQL Injection
50189 Pligg vote.php id Parameter SQL Injection
50188 Pligg settemplate.php template Parameter Local File Inclusion
50187 Pligg trackback.php tb_url Parameter File Enumeration
50186 Pligg user.php keyword Parameter XSS

OpenVAS Exploits

Date        Name / File
2010-08-16 Name : Pligg Multiple SQL Injection Vulnerabilities
File : nvt/gb_pligg_mult_sql_inj_vuln.nasl

Nessus® Vulnerability Scanner

Date        Name / File
2008-08-08 Name: The remote web server contains a PHP application that is affected by a local ...
File: pligg_cms_multiple_vulnerabilities.nasl - Type: ACT_ATTACK