Skip to main content

B2Evolution

14 CVEs product

Monthly

CVE-2022-30935 CRITICAL PATCH Act Now

An authorization bypass in b2evolution allows remote, unauthenticated attackers to predict password reset tokens for any user through the use of a bad randomness function. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass B2Evolution
NVD GitHub
CVSS 3.1
9.1
EPSS
1.1%
CVE-2021-28242 HIGH POC This Week

SQL Injection in the "evoadm.php" component of b2evolution v7.2.2-stable allows remote attackers to obtain sensitive database information by injecting SQL commands into the "cf_name" parameter when. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP B2Evolution
NVD GitHub Exploit-DB
CVSS 3.1
8.8
EPSS
5.0%
CVE-2017-5553 MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in plugins/markdown_plugin/_markdown.plugin.php in b2evolution before 6.8.5 allows remote authenticated users to inject arbitrary web script or HTML via a. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

XSS PHP B2Evolution
NVD GitHub VulDB
CVSS 3.0
5.4
EPSS
0.2%
CVE-2017-5539 CRITICAL PATCH Act Now

The patch for directory traversal (CVE-2017-5480) in b2evolution version 6.8.4-stable has a bypass vulnerability. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal B2Evolution
NVD GitHub VulDB
CVSS 3.0
9.1
EPSS
7.4%
CVE-2016-7150 MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in b2evolution 6.7.5 and earlier allows remote authenticated users to inject arbitrary web script or HTML via the site name. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

XSS B2Evolution
NVD GitHub VulDB
CVSS 3.0
5.4
EPSS
0.4%
CVE-2016-7149 MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in b2evolution 6.7.5 and earlier allows remote attackers to inject arbitrary web script or HTML via vectors related to the autolink function. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS B2Evolution
NVD GitHub VulDB
CVSS 3.0
6.1
EPSS
0.6%
CVE-2017-5494 MEDIUM PATCH This Month

Multiple cross-site scripting (XSS) vulnerabilities in the file types table in b2evolution through 6.8.3 allow remote authenticated users to inject arbitrary web script or HTML via a .swf file in a. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

XSS B2Evolution
NVD GitHub VulDB
CVSS 3.0
5.4
EPSS
0.2%
CVE-2017-5480 HIGH This Week

Directory traversal vulnerability in inc/files/files.ctrl.php in b2evolution through 6.8.3 allows remote authenticated users to read or delete arbitrary files by leveraging back-office access to. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Microsoft PHP B2Evolution
NVD GitHub VulDB
CVSS 3.0
8.1
EPSS
0.3%
CVE-2016-9479 HIGH PATCH This Week

The "lost password" functionality in b2evolution before 6.7.9 allows remote attackers to reset arbitrary user passwords via a crafted request. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass B2Evolution
NVD GitHub
CVSS 3.0
7.5
EPSS
0.8%
CVE-2014-9599 MEDIUM POC PATCH This Month

Cross-site scripting (XSS) vulnerability in the filemanager in b2evolution before 5.2.1 allows remote attackers to inject arbitrary web script or HTML via the fm_filter parameter to blogs/admin.php. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available.

XSS PHP B2Evolution
NVD
CVSS 2.0
4.3
EPSS
0.5%
CVE-2013-7352 MEDIUM POC PATCH This Month

Cross-site request forgery (CSRF) vulnerability in blogs/admin.php in b2evolution before 4.1.7 allows remote attackers to hijack the authentication of administrators for requests that conduct SQL. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available.

CSRF PHP SQLi B2Evolution
NVD VulDB
CVSS 2.0
6.8
EPSS
0.3%
CVE-2013-2945 MEDIUM POC PATCH This Month

SQL injection vulnerability in blogs/admin.php in b2evolution before 4.1.7 allows remote authenticated administrators to execute arbitrary SQL commands via the show_statuses[] parameter. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

CSRF PHP SQLi B2Evolution
NVD Exploit-DB VulDB
CVSS 2.0
6.5
EPSS
1.7%
CVE-2012-5911 MEDIUM POC This Month

Cross-site scripting (XSS) vulnerability in blogs/blog1.php in b2evolution 4.1.3 allows remote attackers to inject arbitrary web script or HTML via the message body. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

PHP XSS B2Evolution
NVD
CVSS 2.0
4.3
EPSS
0.5%
CVE-2012-5910 MEDIUM This Month

SQL injection vulnerability in blogs/htsrv/viewfile.php in b2evolution 4.1.3 allows remote authenticated users to execute arbitrary SQL commands via the root parameter. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP SQLi B2Evolution
NVD
CVSS 2.0
6.5
EPSS
0.6%
EPSS 1% CVSS 9.1
CRITICAL PATCH Act Now

An authorization bypass in b2evolution allows remote, unauthenticated attackers to predict password reset tokens for any user through the use of a bad randomness function. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass B2Evolution
NVD GitHub
EPSS 5% CVSS 8.8
HIGH POC This Week

SQL Injection in the "evoadm.php" component of b2evolution v7.2.2-stable allows remote attackers to obtain sensitive database information by injecting SQL commands into the "cf_name" parameter when. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP B2Evolution
NVD GitHub Exploit-DB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in plugins/markdown_plugin/_markdown.plugin.php in b2evolution before 6.8.5 allows remote authenticated users to inject arbitrary web script or HTML via a. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

XSS PHP B2Evolution
NVD GitHub VulDB
EPSS 7% CVSS 9.1
CRITICAL PATCH Act Now

The patch for directory traversal (CVE-2017-5480) in b2evolution version 6.8.4-stable has a bypass vulnerability. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal B2Evolution
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in b2evolution 6.7.5 and earlier allows remote authenticated users to inject arbitrary web script or HTML via the site name. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

XSS B2Evolution
NVD GitHub VulDB
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in b2evolution 6.7.5 and earlier allows remote attackers to inject arbitrary web script or HTML via vectors related to the autolink function. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS B2Evolution
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Multiple cross-site scripting (XSS) vulnerabilities in the file types table in b2evolution through 6.8.3 allow remote authenticated users to inject arbitrary web script or HTML via a .swf file in a. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

XSS B2Evolution
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH This Week

Directory traversal vulnerability in inc/files/files.ctrl.php in b2evolution through 6.8.3 allows remote authenticated users to read or delete arbitrary files by leveraging back-office access to. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Microsoft PHP +1
NVD GitHub VulDB
EPSS 1% CVSS 7.5
HIGH PATCH This Week

The "lost password" functionality in b2evolution before 6.7.9 allows remote attackers to reset arbitrary user passwords via a crafted request. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass B2Evolution
NVD GitHub
EPSS 1% CVSS 4.3
MEDIUM POC PATCH This Month

Cross-site scripting (XSS) vulnerability in the filemanager in b2evolution before 5.2.1 allows remote attackers to inject arbitrary web script or HTML via the fm_filter parameter to blogs/admin.php. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available.

XSS PHP B2Evolution
NVD
EPSS 0% CVSS 6.8
MEDIUM POC PATCH This Month

Cross-site request forgery (CSRF) vulnerability in blogs/admin.php in b2evolution before 4.1.7 allows remote attackers to hijack the authentication of administrators for requests that conduct SQL. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available.

CSRF PHP SQLi +1
NVD VulDB
EPSS 2% CVSS 6.5
MEDIUM POC PATCH This Month

SQL injection vulnerability in blogs/admin.php in b2evolution before 4.1.7 allows remote authenticated administrators to execute arbitrary SQL commands via the show_statuses[] parameter. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

CSRF PHP SQLi +1
NVD Exploit-DB VulDB
EPSS 0% CVSS 4.3
MEDIUM POC This Month

Cross-site scripting (XSS) vulnerability in blogs/blog1.php in b2evolution 4.1.3 allows remote attackers to inject arbitrary web script or HTML via the message body. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

PHP XSS B2Evolution
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

SQL injection vulnerability in blogs/htsrv/viewfile.php in b2evolution 4.1.3 allows remote authenticated users to execute arbitrary SQL commands via the root parameter. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP SQLi B2Evolution
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy