Robbie Mackay

8 exploits Active since Aug 2012
CVE-2012-3469 WRITEUP WRITEUP
Ushahidi Platform < 2.5 - SQL Injection via Messages Admin or Location API
Multiple SQL injection vulnerabilities in the Ushahidi Platform before 2.5 allow remote attackers to execute arbitrary SQL commands via vectors related to (1) the messages admin functionality in application/controllers/admin/messages.php, (2) application/libraries/api/MY_Checkin_Api_Object.php, (3) application/controllers/admin/messages/reporters.php, or (4) the location API in application/libraries/api/MY_Locations_Api_Object.php and application/models/location.php.
CVE-2012-3468 WRITEUP WRITEUP
Ushahidi Platform < 2.5 - SQL Injection via Alerts Verify, Settings Save, or Timeline Media Type
Multiple SQL injection vulnerabilities in the Ushahidi Platform before 2.5 allow remote attackers to execute arbitrary SQL commands via vectors related to (1) the verify function in application/controllers/alerts.php, (2) the save_all function in application/models/settings.php, or (3) the media type to the timeline function in application/controllers/json.php.
CVE-2012-3469 WRITEUP WRITEUP
Ushahidi Platform < 2.5 - SQL Injection via Messages Admin or Location API
Multiple SQL injection vulnerabilities in the Ushahidi Platform before 2.5 allow remote attackers to execute arbitrary SQL commands via vectors related to (1) the messages admin functionality in application/controllers/admin/messages.php, (2) application/libraries/api/MY_Checkin_Api_Object.php, (3) application/controllers/admin/messages/reporters.php, or (4) the location API in application/libraries/api/MY_Locations_Api_Object.php and application/models/location.php.
CVE-2012-3468 WRITEUP WRITEUP
Ushahidi Platform < 2.5 - SQL Injection via Alerts Verify, Settings Save, or Timeline Media Type
Multiple SQL injection vulnerabilities in the Ushahidi Platform before 2.5 allow remote attackers to execute arbitrary SQL commands via vectors related to (1) the verify function in application/controllers/alerts.php, (2) the save_all function in application/models/settings.php, or (3) the media type to the timeline function in application/controllers/json.php.
CVE-2012-3469 WRITEUP WRITEUP
Ushahidi Platform < 2.5 - SQL Injection via Messages Admin or Location API
Multiple SQL injection vulnerabilities in the Ushahidi Platform before 2.5 allow remote attackers to execute arbitrary SQL commands via vectors related to (1) the messages admin functionality in application/controllers/admin/messages.php, (2) application/libraries/api/MY_Checkin_Api_Object.php, (3) application/controllers/admin/messages/reporters.php, or (4) the location API in application/libraries/api/MY_Locations_Api_Object.php and application/models/location.php.
CVE-2012-3473 WRITEUP WRITEUP
Ushahidi Platform < 2.5 - Unauthenticated Report Creation and Comment Organization via API
The (1) reports API and (2) administration feature in the comments API in the Ushahidi Platform before 2.5 do not require authentication, which allows remote attackers to generate reports and organize comments via API functions.
CVE-2012-3475 WRITEUP WRITEUP
Ushahidi Platform <2.5 - Privilege Escalation
The installer in the Ushahidi Platform before 2.5 omits certain calls to the exit function, which allows remote attackers to obtain administrative privileges via unspecified vectors.
CVE-2013-2025 WRITEUP WRITEUP
Ushahidi Platform 2.5.x-2.6.1 - Cross-Site Scripting
Cross-site scripting (XSS) vulnerability in Ushahidi Platform 2.5.x through 2.6.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.