Filtered by vendor Opendocman
Subscribe
Total
13 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2021-45834 | 1 Opendocman | 1 Opendocman | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
An attacker can upload or transfer files of dangerous types to the OpenDocMan 1.4.4 portal via add.php using MIME-bypass, which may be automatically processed within the product's environment or lead to arbitrary code execution. | |||||
CVE-2015-5625 | 1 Opendocman | 1 Opendocman | 2024-11-21 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in OpenDocMan before 1.3.4 allows remote attackers to inject arbitrary web script or HTML via the redirection parameter. | |||||
CVE-2014-4853 | 1 Opendocman | 1 Opendocman | 2024-11-21 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in odm-init.php in OpenDocMan before 1.2.7.3 allows remote authenticated users to inject arbitrary web script or HTML via the file name of an uploaded file. | |||||
CVE-2014-2317 | 1 Opendocman | 1 Opendocman | 2024-11-21 | 6.8 MEDIUM | N/A |
SQL injection vulnerability in ajax_udf.php in OpenDocMan before 1.2.7.2 allows remote attackers to execute arbitrary SQL commands via the table parameter. NOTE: some of these details are obtained from third party information. | |||||
CVE-2014-1946 | 1 Opendocman | 1 Opendocman | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
OpenDocMan 1.2.7 and earlier does not properly validate allowed actions, which allows remote authenticated users to bypass an intended access restrictions and assign administrative privileges to themselves via a crafted request to signup.php. | |||||
CVE-2014-1945 | 1 Opendocman | 1 Opendocman | 2024-11-21 | 7.5 HIGH | N/A |
SQL injection vulnerability in ajax_udf.php in OpenDocMan before 1.2.7.2 allows remote attackers to execute arbitrary SQL commands via the add_value parameter. | |||||
CVE-2011-3764 | 1 Opendocman | 1 Opendocman | 2024-11-21 | 5.0 MEDIUM | N/A |
OpenDocMan 1.2.6-svn-2011-01-21 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by User_Perms_class.php and certain other files. | |||||
CVE-2009-3801 | 1 Opendocman | 1 Opendocman | 2024-11-21 | 7.5 HIGH | N/A |
SQL injection vulnerability in index.php in OpenDocMan 1.2.5 allows remote attackers to execute arbitrary SQL commands via the frmpass (aka Password) parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | |||||
CVE-2009-3789 | 1 Opendocman | 1 Opendocman | 2024-11-21 | 4.3 MEDIUM | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in OpenDocMan 1.2.5 allow remote attackers to inject arbitrary web script or HTML via the last_message parameter to (1) add.php, (2) toBePublished.php, (3) index.php, and (4) admin.php; the PATH_INFO to the default URI to (5) category.php, (6) department.php, (7) profile.php, (8) rejects.php, (9) search.php, (10) toBePublished.php, (11) user.php, and (12) view_file.php; and (13) the caller parameter in a Modify User action to user.php. | |||||
CVE-2009-3788 | 1 Opendocman | 1 Opendocman | 2024-11-21 | 7.5 HIGH | N/A |
SQL injection vulnerability in index.php in OpenDocMan 1.2.5 allows remote attackers to execute arbitrary SQL commands via the frmuser (aka Username) parameter. | |||||
CVE-2008-2788 | 1 Opendocman | 1 Opendocman | 2024-11-21 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in index.php in OpenDocMan 1.2.5 allows remote attackers to inject arbitrary web script or HTML via the redirection parameter. | |||||
CVE-2008-2787 | 1 Opendocman | 1 Opendocman | 2024-11-21 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in out.php in OpenDocMan 1.2.5 allows remote attackers to inject arbitrary web script or HTML via the last_message parameter. | |||||
CVE-2006-5655 | 1 Opendocman | 1 Opendocman | 2024-11-21 | 7.5 HIGH | N/A |
SQL injection vulnerability in index.php in OpenDocMan 1.2p3 allows remote attackers to execute arbitrary SQL commands via the username parameter. |