Below are all the vulnerabilities that have been discovered during October 2012 for WordPress, Joomla! and Drupal. Please do update or patch your application.
Joomla! MijoFTP Component Unspecified Vulnerability
Application: Joomla!
Affected Version: versions prior to 1.1.0.
Vendor’s URL: MijoFTP Component
Bug Type: System Access
Risk Level: Critical
Solution: Update to version 1.1.0.
WordPress Spider Calendar Plugin Cross-Site Scripting and SQL Injection
Application: WordPress
Affected Version: versions 1.0.1 and other versions.
Vendor’s URL: Spider Calendar Plugin
Bug Type: #1 Cross Site Scripting and #2 SQL Injection
Risk Level: Critical
Solution: Update to version 1.1.0, which fixes vulnerability #2. No official solution is currently available for vulnerability #1.
WordPress Pinterest “Pin It” Button Lite Plugin Multiple Unspecified Vulnerabilities
Application: WordPress
Affected Version: versions prior to 1.4.0.
Vendor’s URL: Pinterest “Pin It” Button Lite Plugin
Bug Type: -
Risk Level: Critical
Solution: Update to version 1.4.0.
Joomla! AceFTP Component Unspecified Directory Traversal Vulnerability
Application: Joomla!
Affected Version: version 1.0.2 and prior versions.
Vendor’s URL: AceFTP Component
Bug Type:
Risk Level: Critical
Solution: Upgrade to version 2.0.0.
Drupal Basic webmail Module Multiple Vulnerabilities
Application: Drupal
Affected Version: 6.x-1.x versions prior to 6.x-1.2.
Vendor’s URL: Basic webmail Module
Bug Type: Cross Site Scripting
Risk Level: Critical
Solution: Update to version 6.x-1.2.
WordPress eShop Magic Plugin “file” Arbitrary File Disclosure Vulnerability
Application: WordPress
Affected Version: version 0.1.
Vendor’s URL: eShop Magic Plugin
Bug Type: File Disclosure
Risk Level: Critical
Solution: Update to version 0.2.
WordPress Crayon Syntax Highlighter Plugin “wp_load” Remote File Inclusion Vulnerability
Application: WordPress
Affected Version: version 1.12.1 and prior versions.
Vendor’s URL: Crayon Syntax Highlighter Plugin
Bug Type: File Inclusion
Risk Level: Critical
Solution: Update to version 1.13.
PBBoard “PowerBB_username” Cookie SQL Injection
Application: PBBoard
Affected Version: version 3.0 and other versions.
Vendor’s URL: PBBoard
Bug Type: SQL Injection
Risk Level: Critical
Solution: No official solution is currently available.
WordPress Download Shortcode Plugin “file” Arbitrary File Disclosure
Application: WordPress
Affected Version: version 0.1.
Vendor’s URL: Download Shortcode Plugin
Bug Type: File Disclosure
Risk Level: Critical
Solution: Update to version 0.2.1.
Joomla! Freestyle Support Component “prodid” SQL Injection
Application: Joomla!
Affected Version: version 1.9.1.1400 and other versions.
Vendor’s URL: Freestyle Support Component
Bug Type: SQL Injection
Risk Level: Critical
Solution: Update to version 1.9.2.1484.
Magento Unirgy uStoreLocator Extension SQL Injection
Application: Magento
Affected Version: versions 2.0.0 and prior.
Vendor’s URL: Unirgy uStoreLocator Extension
Bug Type: SQL Injection
Risk Level: Critical
Solution: Update to version 2.0.1 or later.
WordPress UnGallery Plugin “search” Arbitrary Command Execution
Application: WordPress
Affected Version: version 2.1.5 and other versions.
Vendor’s URL: UnGallery Plugin
Bug Type: System Access
Risk Level: Critical
Solution: Update to version 2.1.6 or later.
WordPress Cimy User Manager Plugin “cimy_um_filename” Arbitrary File Disclosure
Application: WordPress
Affected Version: version 1.4.2 and other versions.
Vendor’s URL: Cimy User Manager Plugin
Bug Type: File Disclosure
Risk Level: Critical
Solution: No official solution is currently available.
Joomla! Commedia Component “id” SQL Injection
Application: Joomla!
Affected Version: version 3.1 and prior versions.
Vendor’s URL: Commedia Component
Bug Type: SQL Injection
Risk Level: Critical
Solution: Update to version 3.2.
WordPress FireStorm Professional Real Estate Plugin SQL Injection
Application: WordPress
Affected Version: version 2.05.01 and other versions.
Vendor’s URL: FireStorm Professional Real Estate Plugin
Bug Type: SQL Injection
Risk Level: Critical
Solution: Update to version 2.06.03.
WordPress Poll Plugin Multiple SQL Injection
Application: WordPress
Affected Version: version 33.5 and prior versions.
Vendor’s URL: Poll Plugin
Bug Type: SQL Injection
Risk Level: Critical
Solution: Update to version 33.6.
Tiki Wiki CMS/Groupware “unserialize()” PHP Code Execution
Application: Tiki Wiki CMS/Groupware
Affected Version: versions prior to 6.8 and 9.2.
Vendor’s URL: Tiki Wiki CMS/Groupware
Bug Type: Code Execution
Risk Level: Critical
Solution: Update to version 6.8 or 9.2.
WordPress GRAND FlAGallery Plugin Multiple Vulnerabilities
Application: WordPress
Affected Version: version 2.00 and other versions.
Vendor’s URL: GRAND FlAGallery Plugin
Bug Type: SQL Injection, System Access
Risk Level: Critical
Solution: No official solution is currently available.