MidnightBSD

Advisories for csphere

CVE-2010-1865 HIGH

Multiple SQL injection vulnerabilities in ClanSphere 2009.0.3 and earlier allow remote attackers to execute arbitrary SQL commands via (1) the IP address to the cs_getip function in generate.php in the Captcha module, or (2) the s_email parameter to the cs_sql_select function in the MySQL database driver (mysql.php).

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89

Products Affected

Vendor   Product     Version
csphere  clansphere  2007
csphere  clansphere  2007.0
csphere  clansphere  2007.1
csphere  clansphere  2007.2
csphere  clansphere  2007.2.1
csphere  clansphere  2007.3
csphere  clansphere  2007.3.1
csphere  clansphere  2007.4
csphere  clansphere  2007.4.1
csphere  clansphere  2007.4.2
csphere  clansphere  2007.4.3
csphere  clansphere  2007.4.4
csphere  clansphere  2008.0
csphere  clansphere  2008.1
csphere  clansphere  2008.2
csphere  clansphere  2008.2.1
csphere  clansphere  2009.0
csphere  clansphere  2009.0.1
csphere  clansphere  2009.0.2
csphere  clansphere  *

CVE-2011-3714 MEDIUM

ClanSphere 2010.0 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by mods/board/attachment.php.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200

Products Affected

Vendor   Product     Version
csphere  clansphere  2010.0

CVE-2012-10034

ClanSphere 2011.3 is vulnerable to a local file inclusion (LFI) flaw due to improper handling of the cs_lang cookie parameter. The application fails to sanitize user-supplied input, allowing attackers to traverse directories and read arbitrary files outside the web root. The vulnerability is further exacerbated by null byte injection (%00) to bypass file extension checks.

CVSS 3.x

Source        Score  Severity  Vector                                        Exploitability  Impact
nvd@nist.gov  7.5    HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N  3.9             3.6

Products Affected

Vendor   Product     Version
csphere  clansphere  2011.3

CVE-2014-100010 MEDIUM

Cross-site scripting (XSS) vulnerability in ClanSphere 2011.4 allows remote attackers to inject arbitrary web script or HTML via the where parameter in a list action to index.php.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79

Products Affected

Vendor   Product     Version
csphere  clansphere  2011.4

CVE-2021-27309 MEDIUM

Clansphere CMS 2011.4 allows unauthenticated reflected XSS via the "module" parameter.

CVSS 3.x

Source        Score  Severity  Vector                                        Exploitability  Impact
nvd@nist.gov  6.1    MEDIUM    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N  2.8             2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79

Products Affected

Vendor   Product     Version
csphere  clansphere  2011.4

CVE-2021-27310 MEDIUM

Clansphere CMS 2011.4 allows unauthenticated reflected XSS via the "language" parameter.

CVSS 3.x

Source        Score  Severity  Vector                                        Exploitability  Impact
nvd@nist.gov  6.1    MEDIUM    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N  2.8             2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79

Products Affected

Vendor   Product     Version
csphere  clansphere  2011.4

CVE-2022-43119

A cross-site scripting (XSS) vulnerability in Clansphere CMS v2011.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Username parameter.

CVSS 3.x

Source        Score  Severity  Vector                                        Exploitability  Impact
nvd@nist.gov  6.1    MEDIUM    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N  2.8             2.7

Products Affected

Vendor   Product     Version
csphere  clansphere  2011.4