CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Zomplog : Security Vulnerabilities

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2007-5278 264 1 +Info 2007-10-08 2008-09-05
4.3
None Remote Medium Not required Partial None None
Zomplog 3.8.1 and earlier stores potentially sensitive information under the web root with insufficient access control, which allows remote attackers to download files that were uploaded by users, as demonstrated by obtaining a directory listing via a direct request to /upload and then retrieving individual files. NOTE: in a non-default configuration, the directory listing is denied, but filenames may be predicable.
2 CVE-2007-5231 20 2007-10-05 2008-09-05
4.6
None Remote High Single system Partial Partial Partial
Unrestricted file upload vulnerability in admin/upload_files.php in Zomplog 3.8.1 and earlier allows remote authenticated administrators to upload and execute arbitrary .php files by sending a modified MIME type. NOTE: this can be exploited by unauthenticated attackers by leveraging CVE-2007-5230.
3 CVE-2007-5230 264 Exec Code 2007-10-05 2008-09-05
7.5
User Remote Low Not required Partial Partial Partial
admin/upload_files.php in Zomplog 3.8.1 and earlier does not check for administrative credentials, which allows remote attackers to perform administrative actions via a direct request. NOTE: this can be leveraged for code execution by exploiting CVE-2007-5231.
4 CVE-2007-2773 1 Exec Code Sql 2007-05-21 2012-11-05
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in plugins/mp3playlist/mp3playlist.php in Zomplog 3.8 and earlier allows remote attackers to execute arbitrary SQL commands via the speler parameter.
5 CVE-2007-2157 1 Dir. Trav. 2007-04-19 2008-11-13
7.8
None Remote Low Not required Complete None None
Directory traversal vulnerability in upload/force_download.php in Zomplog 3.8 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.
6 CVE-2007-1524 1 Dir. Trav. 2007-03-20 2009-10-14
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in themes/default/ in ZomPlog 3.7.6 and earlier allows remote attackers to include arbitrary local files via a .. (dot dot) in the settings[skin] parameter, as demonstrated by injecting PHP code into an Apache HTTP Server log file, which can then be included via themes/default/.
7 CVE-2005-3309 Exec Code Sql 2005-10-25 2008-09-05
7.5
User Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in Zomplog 3.4 allow remote attackers to execute arbitrary SQL commands via (1) the id parameter in detail.php and the catid parameter in (2) get.php and (3) index.php.
8 CVE-2005-3308 XSS 2005-10-25 2008-09-10
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Zomplog 3.4 allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) comment parameter in detail.php, (3) the username parameter in get.php, and (4) the search parameter in index.php.
Total number of vulnerabilities : 8   Page : 1 (This Page)
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.