Mywebland: >> Mybloggie >> 2.1.1 Security Vulnerabilities
index.php in myWebland myBloggie 2.1.4 and earlier allows remote attackers to obtain sensitive information via a query that only specifies the viewdate mode, which reveals the table prefix in a SQL error message.
CVSS Score
5.0
EPSS Score
0.006
Published
2006-08-09
PHP remote file inclusion vulnerability in MyBloggie 2.1.1 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the mybloggie_root_path parameter to (1) admin.php or (2) scode.php. NOTE: this issue has been disputed in multiple third party followups, which say that the MyBloggie source code does not demonstrate the issue, so it might be the result of another module. CVE analysis as of 20060605 agrees with the dispute. In addition, scode.php is not part of the MyBloggie distribution
CVSS Score
7.5
EPSS Score
0.017
Published
2006-06-06
SQL injection vulnerability in login.php in myBloggie 2.1.3-beta and earlier allows remote attackers to execute arbitrary SQL commands via the username parameter.
CVSS Score
7.5
EPSS Score
0.008
Published
2005-09-07
index.php in myBloggie 2.1.1 allows remote attackers to obtain sensitive information via an invalid post_id parameter, which reveals the path in an error message.
CVSS Score
5.0
EPSS Score
0.004
Published
2005-05-11
Multiple cross-site scripting (XSS) vulnerabilities in myBloggie 2.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) year parameter in viewmode.php, or the (2) cat_id, (3) month_no, or (4) post_id parameter in index.php, which are not properly sanitized before they are displayed in an error message. NOTE: issues 2, 3, and 4 may be due to a problem in associated products rather than myBloggie itself.
CVSS Score
4.3
EPSS Score
0.05
Published
2005-05-11
delcomment.php in myBloggie 2.1.1 allows remote attackers to delete arbitrary comments by modifying the comment_id parameter.
CVSS Score
7.5
EPSS Score
0.017
Published
2005-05-11
Multiple SQL injection vulnerabilities in myBloggie 2.1.1 allow remote attackers to execute arbitrary SQL commands via (1) the keyword parameter in search.php; or (2) the date_no parameter in viewdate mode, (3) the cat_id parameter in viewcat mode, the (4) month_no or (5) year parameter in viewmonth mode, or (6) post_id parameter in viewid mode to index.php. NOTE: item (1) was discovered to affect 2.1.3 as well.
CVSS Score
7.5
EPSS Score
0.013
Published
2005-05-11
Cross-site scripting (XSS) vulnerability in myBloggie 2.1.1 allows remote attackers to inject arbitrary web script or HTML via the comments.
CVSS Score
4.3
EPSS Score
0.003
Published
2005-04-15