9 vulnerabilities found for kohana by kohanaframework
FKIE_CVE-2019-8979
Vulnerability from fkie_nvd - Published: 2019-02-21 05:29 - Updated: 2024-11-21 04:50
Severity: 9.8 CRITICAL (CVSS 3.0); 7.5 HIGH (CVSS 2.0)
Summary
Kohana through 3.3.6 has SQL Injection when the order_by() parameter can be controlled.
References
| Source | URL | Tags |
|---|---|---|
| cve@mitre.org | https://github.com/huzr2018/orderby_SQLi | Exploit, Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/huzr2018/orderby_SQLi | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| kohanaframework | kohana | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:kohanaframework:kohana:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C73EEA18-FAD5-4CEF-8E18-A12D5FDB4AE8",
"versionEndIncluding": "3.3.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Kohana through 3.3.6 has SQL Injection when the order_by() parameter can be controlled."
},
{
"lang": "es",
"value": "Kohana, hasta la versi\u00f3n 3.3.6, tiene una inyecci\u00f3n SQL cuando el par\u00e1metro order_by() puede controlarse."
}
],
"id": "CVE-2019-8979",
"lastModified": "2024-11-21T04:50:44.817",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-02-21T05:29:00.807",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/huzr2018/orderby_SQLi"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/huzr2018/orderby_SQLi"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2014-8684
Vulnerability from fkie_nvd - Published: 2017-09-19 19:29 - Updated: 2025-04-20 01:37
Severity: 9.8 CRITICAL (CVSS 3.0); 7.5 HIGH (CVSS 2.0)
Summary
CodeIgniter before 3.0 and Kohana 3.2.3 and earlier and 3.3.x through 3.3.2 make it easier for remote attackers to spoof session cookies and consequently conduct PHP object injection attacks by leveraging use of standard string comparison operators to compare cryptographic hashes.
References
| Source | URL | Tags |
|---|---|---|
| cve@mitre.org | http://packetstormsecurity.com/files/130609/Seagate-Business-NAS-Unauthenticated-Remote-Command-Execution.html | Third Party Advisory, VDB Entry |
| cve@mitre.org | http://seclists.org/fulldisclosure/2014/May/54 | Mailing List, Third Party Advisory |
| cve@mitre.org | https://github.com/kohana/core/pull/492 | Third Party Advisory |
| cve@mitre.org | https://scott.arciszewski.me/research/full/php-framework-timing-attacks-object-injection | Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/130609/Seagate-Business-NAS-Unauthenticated-Remote-Command-Execution.html | Third Party Advisory, VDB Entry |
| af854a3a-2127-422b-91ae-364da2661108 | http://seclists.org/fulldisclosure/2014/May/54 | Mailing List, Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/kohana/core/pull/492 | Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://scott.arciszewski.me/research/full/php-framework-timing-attacks-object-injection | Third Party Advisory |
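Impacted products
| Vendor | Product | Version |
|---|---|---|
| codeigniter | codeigniter | * |
| kohanaframework | kohana | 3.2.3 |
| kohanaframework | kohana | 3.3.0 |
| kohanaframework | kohana | 3.3.1 |

Note: the CPE entries list only Kohana 3.2.3, 3.3.0 and 3.3.1, whereas the summary covers Kohana 3.2.3 and earlier and 3.3.x through 3.3.2; version matching against the CPE list alone will miss affected releases.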
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:codeigniter:codeigniter:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A8B5FE05-C0B7-4F4A-B959-89452F801CA2",
"versionEndIncluding": "2.2.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:kohanaframework:kohana:3.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "17E340FE-7CC7-4275-9170-6B06F33F7A8D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:kohanaframework:kohana:3.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D691FEB7-52FD-4D87-B96E-29EBC7BB1A30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:kohanaframework:kohana:3.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "11116DC5-4351-493F-8E49-89E6AE5DCC43",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "CodeIgniter before 3.0 and Kohana 3.2.3 and earlier and 3.3.x through 3.3.2 make it easier for remote attackers to spoof session cookies and consequently conduct PHP object injection attacks by leveraging use of standard string comparison operators to compare cryptographic hashes."
},
{
"lang": "es",
"value": "CodeIgniter antes de la versi\u00f3n 3.0 y Kohana 3.2.3 y anteriores y en versiones 3.3.x hasta la 3.3.2 facilita que los atacantes remotos suplanten cookies de sesi\u00f3n y lleven a cabo ataques de inyecci\u00f3n de objetos PHP. Esto se realizar\u00eda por medio de operadores est\u00e1ndar de comparaci\u00f3n de strings para comparar hashes criptogr\u00e1ficos."
}
],
"id": "CVE-2014-8684",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-09-19T19:29:00.203",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/130609/Seagate-Business-NAS-Unauthenticated-Remote-Command-Execution.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2014/May/54"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/kohana/core/pull/492"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://scott.arciszewski.me/research/full/php-framework-timing-attacks-object-injection"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/130609/Seagate-Business-NAS-Unauthenticated-Remote-Command-Execution.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2014/May/54"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/kohana/core/pull/492"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://scott.arciszewski.me/research/full/php-framework-timing-attacks-object-injection"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-310"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2016-10510
Vulnerability from fkie_nvd - Published: 2017-08-31 20:29 - Updated: 2025-04-20 01:37
Severity: 6.1 MEDIUM (CVSS 3.0); 4.3 MEDIUM (CVSS 2.0)
Summary
Cross-site scripting (XSS) vulnerability in the Security component of Kohana before 3.3.6 allows remote attackers to inject arbitrary web script or HTML by bypassing the strip_image_tags protection mechanism in system/classes/Kohana/Security.php.
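References
| Source | URL | Tags |
|---|---|---|
| cve@mitre.org | https://advisory.checkmarx.net/advisory/CX-2016-4451 | |
| cve@mitre.org | https://github.com/kohana/kohana/issues/107 | Exploit, Patch, Third Party Advisory |
| cve@mitre.org | https://github.com/kohana/kohana/releases/tag/v3.3.6 | Release Notes, Third Party Advisory |
| cve@mitre.org | https://lists.debian.org/debian-lts-announce/2018/01/msg00015.html | Mailing List, Third Party Advisory |
| cve@mitre.org | https://www.checkmarx.com/advisories/cross-site-scripting-xss-vulnerability-in-kohana/ | Exploit, Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://advisory.checkmarx.net/advisory/CX-2016-4451 | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/kohana/kohana/issues/107 | Exploit, Patch, Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/kohana/kohana/releases/tag/v3.3.6 | Release Notes, Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2018/01/msg00015.html | Mailing List, Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.checkmarx.com/advisories/cross-site-scripting-xss-vulnerability-in-kohana/ | Exploit, Third Party Advisory |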
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| kohanaframework | kohana | * | |
| debian | debian_linux | 7.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:kohanaframework:kohana:*:*:*:*:*:*:*:*",
"matchCriteriaId": "524BCE3A-200E-4184-8961-B61D736D25CD",
"versionEndIncluding": "3.3.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "16F59A04-14CF-49E2-9973-645477EA09DA",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in the Security component of Kohana before 3.3.6 allows remote attackers to inject arbitrary web script or HTML by bypassing the strip_image_tags protection mechanism in system/classes/Kohana/Security.php."
},
{
"lang": "es",
"value": "Una vulnerabilidad de tipo Cross-Site Scripting (XSS) en el componente de seguridad de Kohana en versiones anteriores a la 3.3.6 permite que los atacantes remotos inyecten scripts web o HTML arbitrarios al omitir el mecanismo de protecci\u00f3n de strip_image_tags en system/classes/Kohana/Security.php."
}
],
"id": "CVE-2016-10510",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-08-31T20:29:00.323",
"references": [
{
"source": "cve@mitre.org",
"url": "https://advisory.checkmarx.net/advisory/CX-2016-4451"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/kohana/kohana/issues/107"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/kohana/kohana/releases/tag/v3.3.6"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/01/msg00015.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.checkmarx.com/advisories/cross-site-scripting-xss-vulnerability-in-kohana/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://advisory.checkmarx.net/advisory/CX-2016-4451"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/kohana/kohana/issues/107"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/kohana/kohana/releases/tag/v3.3.6"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/01/msg00015.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.checkmarx.com/advisories/cross-site-scripting-xss-vulnerability-in-kohana/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2019-8979 (GCVE-0-2019-8979)
Vulnerability from cvelistv5 – Published: 2019-02-21 05:00 – Updated: 2024-08-04 21:31
Summary
Kohana through 3.3.6 has SQL Injection when the order_by() parameter can be controlled.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
- mitre
References
| URL | Tags |
|---|---|
| https://github.com/huzr2018/orderby_SQLi | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T21:31:37.525Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/huzr2018/orderby_SQLi"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2019-02-20T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Kohana through 3.3.6 has SQL Injection when the order_by() parameter can be controlled."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-04-08T17:27:48",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/huzr2018/orderby_SQLi"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-8979",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Kohana through 3.3.6 has SQL Injection when the order_by() parameter can be controlled."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/huzr2018/orderby_SQLi",
"refsource": "MISC",
"url": "https://github.com/huzr2018/orderby_SQLi"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-8979",
"datePublished": "2019-02-21T05:00:00",
"dateReserved": "2019-02-20T00:00:00",
"dateUpdated": "2024-08-04T21:31:37.525Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-8684 (GCVE-0-2014-8684)
Vulnerability from cvelistv5 – Published: 2017-09-19 19:00 – Updated: 2024-08-06 13:26
Summary
CodeIgniter before 3.0 and Kohana 3.2.3 and earlier and 3.3.x through 3.3.2 make it easier for remote attackers to spoof session cookies and consequently conduct PHP object injection attacks by leveraging use of standard string comparison operators to compare cryptographic hashes.
Severity ?
No CVSS data available.
CWE
- n/a
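Assigner
- mitre
References
| URL | Tags |
|---|---|
| https://scott.arciszewski.me/research/full/php-framework-timing-attacks-object-injection | x_refsource_MISC |
| http://seclists.org/fulldisclosure/2014/May/54 | mailing-list, x_refsource_FULLDISC |
| https://github.com/kohana/core/pull/492 | x_refsource_CONFIRM |
| http://packetstormsecurity.com/files/130609/Seagate-Business-NAS-Unauthenticated-Remote-Command-Execution.html | x_refsource_MISC |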
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T13:26:02.543Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://scott.arciszewski.me/research/full/php-framework-timing-attacks-object-injection"
},
{
"name": "20140512 CodeIgniter \u003c= 2.1.4 and Kohana \u003c= 3.2.3, 3.3.2 - Timing Attacks and Object Injection",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2014/May/54"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/kohana/core/pull/492"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/130609/Seagate-Business-NAS-Unauthenticated-Remote-Command-Execution.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-05-12T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "CodeIgniter before 3.0 and Kohana 3.2.3 and earlier and 3.3.x through 3.3.2 make it easier for remote attackers to spoof session cookies and consequently conduct PHP object injection attacks by leveraging use of standard string comparison operators to compare cryptographic hashes."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-09-19T18:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://scott.arciszewski.me/research/full/php-framework-timing-attacks-object-injection"
},
{
"name": "20140512 CodeIgniter \u003c= 2.1.4 and Kohana \u003c= 3.2.3, 3.3.2 - Timing Attacks and Object Injection",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2014/May/54"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/kohana/core/pull/492"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/130609/Seagate-Business-NAS-Unauthenticated-Remote-Command-Execution.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-8684",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "CodeIgniter before 3.0 and Kohana 3.2.3 and earlier and 3.3.x through 3.3.2 make it easier for remote attackers to spoof session cookies and consequently conduct PHP object injection attacks by leveraging use of standard string comparison operators to compare cryptographic hashes."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://scott.arciszewski.me/research/full/php-framework-timing-attacks-object-injection",
"refsource": "MISC",
"url": "https://scott.arciszewski.me/research/full/php-framework-timing-attacks-object-injection"
},
{
"name": "20140512 CodeIgniter \u003c= 2.1.4 and Kohana \u003c= 3.2.3, 3.3.2 - Timing Attacks and Object Injection",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2014/May/54"
},
{
"name": "https://github.com/kohana/core/pull/492",
"refsource": "CONFIRM",
"url": "https://github.com/kohana/core/pull/492"
},
{
"name": "http://packetstormsecurity.com/files/130609/Seagate-Business-NAS-Unauthenticated-Remote-Command-Execution.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/130609/Seagate-Business-NAS-Unauthenticated-Remote-Command-Execution.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2014-8684",
"datePublished": "2017-09-19T19:00:00",
"dateReserved": "2014-11-09T00:00:00",
"dateUpdated": "2024-08-06T13:26:02.543Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-10510 (GCVE-0-2016-10510)
Vulnerability from cvelistv5 – Published: 2017-08-31 20:00 – Updated: 2024-08-06 03:21
Summary
Cross-site scripting (XSS) vulnerability in the Security component of Kohana before 3.3.6 allows remote attackers to inject arbitrary web script or HTML by bypassing the strip_image_tags protection mechanism in system/classes/Kohana/Security.php.
Severity ?
No CVSS data available.
CWE
- n/a
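Assigner
- mitre
References
| URL | Tags |
|---|---|
| https://lists.debian.org/debian-lts-announce/2018/01/msg00015.html | mailing-list, x_refsource_MLIST |
| https://github.com/kohana/kohana/releases/tag/v3.3.6 | x_refsource_CONFIRM |
| https://github.com/kohana/kohana/issues/107 | x_refsource_CONFIRM |
| https://www.checkmarx.com/advisories/cross-site-scripting-xss-vulnerability-in-kohana/ | x_refsource_MISC |
| https://advisory.checkmarx.net/advisory/CX-2016-4451 | x_refsource_MISC |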
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T03:21:52.147Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[debian-lts-announce] 20180114 [SECURITY] [DLA 1241-1] libkohana2-php security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/01/msg00015.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/kohana/kohana/releases/tag/v3.3.6"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/kohana/kohana/issues/107"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.checkmarx.com/advisories/cross-site-scripting-xss-vulnerability-in-kohana/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://advisory.checkmarx.net/advisory/CX-2016-4451"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-08-31T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in the Security component of Kohana before 3.3.6 allows remote attackers to inject arbitrary web script or HTML by bypassing the strip_image_tags protection mechanism in system/classes/Kohana/Security.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-31T19:19:59",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "[debian-lts-announce] 20180114 [SECURITY] [DLA 1241-1] libkohana2-php security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/01/msg00015.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/kohana/kohana/releases/tag/v3.3.6"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/kohana/kohana/issues/107"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.checkmarx.com/advisories/cross-site-scripting-xss-vulnerability-in-kohana/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://advisory.checkmarx.net/advisory/CX-2016-4451"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-10510",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in the Security component of Kohana before 3.3.6 allows remote attackers to inject arbitrary web script or HTML by bypassing the strip_image_tags protection mechanism in system/classes/Kohana/Security.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[debian-lts-announce] 20180114 [SECURITY] [DLA 1241-1] libkohana2-php security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2018/01/msg00015.html"
},
{
"name": "https://github.com/kohana/kohana/releases/tag/v3.3.6",
"refsource": "CONFIRM",
"url": "https://github.com/kohana/kohana/releases/tag/v3.3.6"
},
{
"name": "https://github.com/kohana/kohana/issues/107",
"refsource": "CONFIRM",
"url": "https://github.com/kohana/kohana/issues/107"
},
{
"name": "https://www.checkmarx.com/advisories/cross-site-scripting-xss-vulnerability-in-kohana/",
"refsource": "MISC",
"url": "https://www.checkmarx.com/advisories/cross-site-scripting-xss-vulnerability-in-kohana/"
},
{
"name": "https://advisory.checkmarx.net/advisory/CX-2016-4451",
"refsource": "MISC",
"url": "https://advisory.checkmarx.net/advisory/CX-2016-4451"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-10510",
"datePublished": "2017-08-31T20:00:00",
"dateReserved": "2017-08-31T00:00:00",
"dateUpdated": "2024-08-06T03:21:52.147Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-8979 (GCVE-0-2019-8979)
Vulnerability from nvd – Published: 2019-02-21 05:00 – Updated: 2024-08-04 21:31
Summary
Kohana through 3.3.6 has SQL Injection when the order_by() parameter can be controlled.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
- mitre
References
| URL | Tags |
|---|---|
| https://github.com/huzr2018/orderby_SQLi | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T21:31:37.525Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/huzr2018/orderby_SQLi"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2019-02-20T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Kohana through 3.3.6 has SQL Injection when the order_by() parameter can be controlled."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-04-08T17:27:48",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/huzr2018/orderby_SQLi"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-8979",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Kohana through 3.3.6 has SQL Injection when the order_by() parameter can be controlled."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/huzr2018/orderby_SQLi",
"refsource": "MISC",
"url": "https://github.com/huzr2018/orderby_SQLi"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-8979",
"datePublished": "2019-02-21T05:00:00",
"dateReserved": "2019-02-20T00:00:00",
"dateUpdated": "2024-08-04T21:31:37.525Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-8684 (GCVE-0-2014-8684)
Vulnerability from nvd – Published: 2017-09-19 19:00 – Updated: 2024-08-06 13:26
Summary
CodeIgniter before 3.0 and Kohana 3.2.3 and earlier and 3.3.x through 3.3.2 make it easier for remote attackers to spoof session cookies and consequently conduct PHP object injection attacks by leveraging use of standard string comparison operators to compare cryptographic hashes.
Severity ?
No CVSS data available.
CWE
- n/a
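Assigner
- mitre
References
| URL | Tags |
|---|---|
| https://scott.arciszewski.me/research/full/php-framework-timing-attacks-object-injection | x_refsource_MISC |
| http://seclists.org/fulldisclosure/2014/May/54 | mailing-list, x_refsource_FULLDISC |
| https://github.com/kohana/core/pull/492 | x_refsource_CONFIRM |
| http://packetstormsecurity.com/files/130609/Seagate-Business-NAS-Unauthenticated-Remote-Command-Execution.html | x_refsource_MISC |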
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T13:26:02.543Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://scott.arciszewski.me/research/full/php-framework-timing-attacks-object-injection"
},
{
"name": "20140512 CodeIgniter \u003c= 2.1.4 and Kohana \u003c= 3.2.3, 3.3.2 - Timing Attacks and Object Injection",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2014/May/54"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/kohana/core/pull/492"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/130609/Seagate-Business-NAS-Unauthenticated-Remote-Command-Execution.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-05-12T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "CodeIgniter before 3.0 and Kohana 3.2.3 and earlier and 3.3.x through 3.3.2 make it easier for remote attackers to spoof session cookies and consequently conduct PHP object injection attacks by leveraging use of standard string comparison operators to compare cryptographic hashes."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-09-19T18:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://scott.arciszewski.me/research/full/php-framework-timing-attacks-object-injection"
},
{
"name": "20140512 CodeIgniter \u003c= 2.1.4 and Kohana \u003c= 3.2.3, 3.3.2 - Timing Attacks and Object Injection",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2014/May/54"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/kohana/core/pull/492"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/130609/Seagate-Business-NAS-Unauthenticated-Remote-Command-Execution.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-8684",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "CodeIgniter before 3.0 and Kohana 3.2.3 and earlier and 3.3.x through 3.3.2 make it easier for remote attackers to spoof session cookies and consequently conduct PHP object injection attacks by leveraging use of standard string comparison operators to compare cryptographic hashes."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://scott.arciszewski.me/research/full/php-framework-timing-attacks-object-injection",
"refsource": "MISC",
"url": "https://scott.arciszewski.me/research/full/php-framework-timing-attacks-object-injection"
},
{
"name": "20140512 CodeIgniter \u003c= 2.1.4 and Kohana \u003c= 3.2.3, 3.3.2 - Timing Attacks and Object Injection",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2014/May/54"
},
{
"name": "https://github.com/kohana/core/pull/492",
"refsource": "CONFIRM",
"url": "https://github.com/kohana/core/pull/492"
},
{
"name": "http://packetstormsecurity.com/files/130609/Seagate-Business-NAS-Unauthenticated-Remote-Command-Execution.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/130609/Seagate-Business-NAS-Unauthenticated-Remote-Command-Execution.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2014-8684",
"datePublished": "2017-09-19T19:00:00",
"dateReserved": "2014-11-09T00:00:00",
"dateUpdated": "2024-08-06T13:26:02.543Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-10510 (GCVE-0-2016-10510)
Vulnerability from nvd – Published: 2017-08-31 20:00 – Updated: 2024-08-06 03:21
Summary
Cross-site scripting (XSS) vulnerability in the Security component of Kohana before 3.3.6 allows remote attackers to inject arbitrary web script or HTML by bypassing the strip_image_tags protection mechanism in system/classes/Kohana/Security.php.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
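| URL | Tags |
|---|---|
| https://lists.debian.org/debian-lts-announce/2018/01/msg00015.html | mailing-list, x_refsource_MLIST |
| https://github.com/kohana/kohana/releases/tag/v3.3.6 | x_refsource_CONFIRM |
| https://github.com/kohana/kohana/issues/107 | x_refsource_CONFIRM |
| https://www.checkmarx.com/advisories/cross-site-scripting-xss-vulnerability-in-kohana/ | x_refsource_MISC |
| https://advisory.checkmarx.net/advisory/CX-2016-4451 | x_refsource_MISC |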
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T03:21:52.147Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[debian-lts-announce] 20180114 [SECURITY] [DLA 1241-1] libkohana2-php security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/01/msg00015.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/kohana/kohana/releases/tag/v3.3.6"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/kohana/kohana/issues/107"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.checkmarx.com/advisories/cross-site-scripting-xss-vulnerability-in-kohana/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://advisory.checkmarx.net/advisory/CX-2016-4451"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-08-31T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in the Security component of Kohana before 3.3.6 allows remote attackers to inject arbitrary web script or HTML by bypassing the strip_image_tags protection mechanism in system/classes/Kohana/Security.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-31T19:19:59",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "[debian-lts-announce] 20180114 [SECURITY] [DLA 1241-1] libkohana2-php security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/01/msg00015.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/kohana/kohana/releases/tag/v3.3.6"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/kohana/kohana/issues/107"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.checkmarx.com/advisories/cross-site-scripting-xss-vulnerability-in-kohana/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://advisory.checkmarx.net/advisory/CX-2016-4451"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-10510",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in the Security component of Kohana before 3.3.6 allows remote attackers to inject arbitrary web script or HTML by bypassing the strip_image_tags protection mechanism in system/classes/Kohana/Security.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[debian-lts-announce] 20180114 [SECURITY] [DLA 1241-1] libkohana2-php security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2018/01/msg00015.html"
},
{
"name": "https://github.com/kohana/kohana/releases/tag/v3.3.6",
"refsource": "CONFIRM",
"url": "https://github.com/kohana/kohana/releases/tag/v3.3.6"
},
{
"name": "https://github.com/kohana/kohana/issues/107",
"refsource": "CONFIRM",
"url": "https://github.com/kohana/kohana/issues/107"
},
{
"name": "https://www.checkmarx.com/advisories/cross-site-scripting-xss-vulnerability-in-kohana/",
"refsource": "MISC",
"url": "https://www.checkmarx.com/advisories/cross-site-scripting-xss-vulnerability-in-kohana/"
},
{
"name": "https://advisory.checkmarx.net/advisory/CX-2016-4451",
"refsource": "MISC",
"url": "https://advisory.checkmarx.net/advisory/CX-2016-4451"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-10510",
"datePublished": "2017-08-31T20:00:00",
"dateReserved": "2017-08-31T00:00:00",
"dateUpdated": "2024-08-06T03:21:52.147Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}