MidnightBSD

Advisories for refbase

CVE-2015-6007 MEDIUM

Cross-site request forgery (CSRF) vulnerability in Web Reference Database (aka refbase) through 0.9.6 allows remote attackers to hijack the authentication of arbitrary users.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352

Products Affected

Vendor   Product  Version
refbase  refbase  *

CVE-2015-6008 HIGH

install.php in Web Reference Database (aka refbase) through 0.9.6 allows remote attackers to execute arbitrary commands via the adminPassword parameter, a different issue than CVE-2015-7381.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78

Products Affected

Vendor   Product  Version
refbase  refbase  *

CVE-2015-6009 HIGH

Multiple SQL injection vulnerabilities in Web Reference Database (aka refbase) through 0.9.6 allow remote attackers to execute arbitrary SQL commands via (1) the where parameter to rss.php or (2) the sqlQuery parameter to search.php, a different issue than CVE-2015-7382.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89

Products Affected

Vendor   Product  Version
refbase  refbase  *

CVE-2015-6010 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in Web Reference Database (aka refbase) through 0.9.6 and bleeding-edge before 2015-01-08 allow remote attackers to inject arbitrary web script or HTML via the (1) errorNo or (2) errorMsg parameter to error.php; the (3) viewType parameter to duplicate_manager.php; the (4) queryAction, (5) displayType, (6) citeOrder, (7) sqlQuery, (8) showQuery, (9) showLinks, (10) showRows, or (11) queryID parameter to query_manager.php; the (12) sourceText or (13) sourceIDs parameter to import.php; or the (14) typeName or (15) fileName parameter to modify.php.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79

Products Affected

Vendor   Product  Version
refbase  refbase  *

CVE-2015-6011 MEDIUM

Web Reference Database (aka refbase) through 0.9.6 and bleeding-edge before 2015-01-08 allows remote attackers to conduct XML injection attacks via (1) the id parameter to unapi.php or (2) the stylesheet parameter to sru.php.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other

Products Affected

Vendor   Product  Version
refbase  refbase  *

CVE-2015-6012 MEDIUM

Multiple open redirect vulnerabilities in Web Reference Database (aka refbase) through 0.9.6 and bleeding-edge before 2015-01-08 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the referrer parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other

Products Affected

Vendor   Product  Version
refbase  refbase  *

CVE-2015-7381 HIGH

Multiple PHP remote file inclusion vulnerabilities in install.php in Web Reference Database (aka refbase) through 0.9.6 allow remote attackers to execute arbitrary PHP code via the (1) pathToMYSQL or (2) databaseStructureFile parameter, a different issue than CVE-2015-6008.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-94

Products Affected

Vendor   Product  Version
refbase  refbase  *

CVE-2015-7382 HIGH

SQL injection vulnerability in install.php in Web Reference Database (aka refbase) through 0.9.6 allows remote attackers to execute arbitrary SQL commands via the defaultCharacterSet parameter, a different issue than CVE-2015-6009.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89

Products Affected

Vendor   Product  Version
refbase  refbase  *

CVE-2015-7383 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in Web Reference Database (aka refbase) through 0.9.6 and bleeding-edge through 2015-04-28 allow remote attackers to inject arbitrary web script or HTML via the (1) adminUserName, (2) pathToMYSQL, (3) databaseStructureFile, or (4) pathToBibutils parameter to install.php or the (5) adminUserName parameter to update.php.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79

Products Affected

Vendor   Product  Version
refbase  refbase  *