
Summary

Vendor: Ispconfig
Product: Ispconfig
Version: 3.0.5.4
Update: rc1
Edition: *
Language: *
Software Edition: *
Target Software: *
Target Hardware: *
Other: *

Detail

First view: 2015-06-15
Last view: 2023-10-27
Type: Application

CPE Product: cpe:2.3:a:ispconfig:ispconfig

Related : CVE

Score (CVSS)  Date        CVE
7.2 2023-10-27 CVE-2023-46818

An issue was discovered in ISPConfig before 3.2.11p1. PHP code injection can be achieved in the language file editor by an admin if admin_allow_langedit is enabled.

9.8 2021-01-05 CVE-2021-3021

ISPConfig before 3.2.2 allows SQL injection.

9.8 2020-02-25 CVE-2020-9398

ISPConfig before 3.1.15p3, when the undocumented reverse_proxy_panel_allowed=sites option is manually enabled, allows SQL Injection.

7.8 2018-10-04 CVE-2018-17984

An unanchored /[a-z]{2}/ regular expression in ISPConfig before 3.1.13 makes it possible to include arbitrary files, leading to code execution. This is exploitable by authenticated users who have local filesystem access.

8.8 2017-12-07 CVE-2017-17384

ISPConfig 3.x before 3.1.9 allows remote authenticated users to obtain root access by creating a crafted cron job.

6.8 2015-06-15 CVE-2015-4119

Multiple cross-site request forgery (CSRF) vulnerabilities in ISPConfig before 3.0.5.4p7 allow remote attackers to hijack the authentication of (1) administrators for requests that create an administrator account via a request to admin/users_edit.php or (2) arbitrary users for requests that conduct SQL injection attacks via the server parameter to monitor/show_sys_state.php.

6.5 2015-06-15 CVE-2015-4118

SQL injection vulnerability in monitor/show_sys_state.php in ISPConfig before 3.0.5.4p7 allows remote authenticated users with monitor permissions to execute arbitrary SQL commands via the server parameter. NOTE: this can be leveraged by remote attackers using CVE-2015-4119.

CWE : Common Weakness Enumeration

%        Id       Name
42% (3) CWE-89 Improper Sanitization of Special Elements used in an SQL Command ('...
14% (1) CWE-352 Cross-Site Request Forgery (CSRF)
14% (1) CWE-269 Improper Privilege Management
14% (1) CWE-185 Incorrect Regular Expression
14% (1) CWE-94 Failure to Control Generation of Code ('Code Injection')