SB2017031707 - Multiple vulnerabilities in WonderCMS
Published: March 17, 2017 Updated: August 8, 2020
Description
This security bulletin contains information about 5 security vulnerabilities.
1) Information disclosure (CVE-ID: CVE-2014-8701)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
Wonder CMS 2014 allows remote attackers to obtain sensitive information by viewing /files/password, which reveals the unsalted MD5 hashed password.
2) Information disclosure (CVE-ID: CVE-2014-8702)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
Wonder CMS 2014 allows remote attackers to obtain sensitive information by logging into the application with an array for the password, which reveals the installation path in an error message.
3) Cross-site scripting (CVE-ID: CVE-2014-8703)
The vulnerability allows a remote attacker to perform cross-site scripting attacks.
An input validation error exists in Wonder CMS 2014. A remote authenticated attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the victim's browser in the security context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
4) Path traversal (CVE-ID: CVE-2014-8704)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to an input validation error when processing directory traversal sequences in index.php in Wonder CMS 2014. A remote authenticated attacker can send a specially crafted HTTP request with a crafted theme value and include and execute arbitrary local files.
5) Input validation error (CVE-ID: CVE-2014-8705)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
PHP remote file inclusion vulnerability in editInplace.php in Wonder CMS 2014 allows remote attackers to execute arbitrary PHP code via a URL in the hook parameter.
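The four input-handling issues above (items 1, 2, 4 and 5) share a small set of fixes: store a salted slow hash outside the web root instead of an unsalted MD5, reject a password parameter that PHP has decoded as an array, constrain a theme name to a single path component under the themes directory, and map a hook name to a fixed allowlist rather than passing it to include(). The block below is an added illustration written for this bulletin; it is not WonderCMS code, and every file path, constant and function name in it (PASSWORD_FILE, THEMES_DIR, HOOKS, store_password, check_login, theme_path, hook_file) is an assumed name for a hypothetical CMS with the same responsibilities.

```php
<?php
// Added example of hardened handlers for a hypothetical PHP CMS.
// Not WonderCMS code; all paths and names below are assumptions.

declare(strict_types=1);

// Item 1: keep the credential store outside the document root and never
// store an unsalted MD5. password_hash() salts and uses a slow algorithm.
const PASSWORD_FILE = __DIR__ . '/../data/password.php'; // assumed location

function store_password(string $plain): void
{
    $hash = password_hash($plain, PASSWORD_DEFAULT);
    // Stored as a PHP file, so a direct GET returns nothing even if the
    // directory is ever served by mistake.
    $contents = "<?php return " . var_export($hash, true) . ";\n";
    file_put_contents(PASSWORD_FILE, $contents, LOCK_EX);
}

// Item 2: PHP decodes "password[]=x" into an array. Reject anything that
// is not a non-empty string before it reaches a hashing function, and
// keep failure details (which may contain absolute paths) in the log only.
function check_login(array $post): bool
{
    $candidate = $post['password'] ?? null;
    if (!is_string($candidate) || $candidate === '') {
        return false;
    }
    if (!is_file(PASSWORD_FILE)) {
        error_log('password store missing'); // server side only
        return false;
    }
    $hash = require PASSWORD_FILE;
    return is_string($hash) && password_verify($candidate, $hash);
}

// Item 4: a theme name must be one path component from a fixed character
// set, and the resolved file must still sit under the themes directory.
const THEMES_DIR = __DIR__ . '/themes'; // assumed location

function theme_path(string $name): ?string
{
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $name)) {
        return null; // rejects "..", separators and NUL bytes
    }
    $root = realpath(THEMES_DIR);
    $path = realpath(THEMES_DIR . '/' . $name . '/theme.php');
    if ($root === false || $path === false) {
        return null;
    }
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null; // symlink or similar escaped the themes directory
    }
    return $path;
}

// Item 5: never build an include() target from a request parameter.
// Map the supplied hook name to a fixed allowlist, and leave
// allow_url_include=Off in php.ini (its default).
const HOOKS = [
    'header' => 'hooks/header.php',
    'footer' => 'hooks/footer.php',
];

function hook_file(string $hook): ?string
{
    if (!array_key_exists($hook, HOOKS)) {
        return null;
    }
    return __DIR__ . '/' . HOOKS[$hook];
}

// Errors are logged in full but reported to the client generically, so a
// stack trace or file path never reaches the response.
set_exception_handler(function (Throwable $e): void {
    error_log($e->getMessage() . ' at ' . $e->getFile() . ':' . $e->getLine());
    http_response_code(500);
    echo 'Internal error';
});
```

A caller would use it as `if (check_login($_POST)) { ... }`, `$file = theme_path($_GET['theme'] ?? '')` and `$file = hook_file($_GET['hook'] ?? '')`, treating a null return as a rejected request. The allowlist in hook_file() is the key design choice: once the request can only select among known files, the question of whether a URL or traversal sequence reaches include() does not arise.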
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.