ushahidi/Ushahidi_Web

GitHub

github.com

www.ushahidi.com

Releases48

Frequency1 month 1 week

Last Release almost 12 years ago

Stars904

Ushahidi v2. A platform that allows information collection, visualization and interactive mapping, allowing anyone to submit information through text messaging using a mobile phone, email or web form.

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2012-5618 ↗	Feb 4, 2020Tuesday, 4 February 2020, 14:15	9.8 CRITICAL	5 MEDIUM
Ushahidi before 2.6.1 has insufficient entropy for forgot-password tokens.
CVE-2013-2025 ↗	Apr 25, 2014Friday, 25 April 2014, 17:12	—	4.3 MEDIUM
Cross-site scripting (XSS) vulnerability in Ushahidi Platform 2.5.x through 2.6.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2012-3468 ↗	Aug 12, 2012Sunday, 12 August 2012, 21:55	—	7.5 HIGH
Multiple SQL injection vulnerabilities in the Ushahidi Platform before 2.5 allow remote attackers to execute arbitrary SQL commands via vectors related to (1) the verify function in application/controllers/alerts.php, (2) the save_all function in application/models/settings.php, or (3) the media type to the timeline function in application/controllers/json.php.
CVE-2012-3469 ↗	Aug 12, 2012Sunday, 12 August 2012, 21:55	—	7.5 HIGH
Multiple SQL injection vulnerabilities in the Ushahidi Platform before 2.5 allow remote attackers to execute arbitrary SQL commands via vectors related to (1) the messages admin functionality in application/controllers/admin/messages.php, (2) application/libraries/api/MY_Checkin_Api_Object.php, (3) application/controllers/admin/messages/reporters.php, or (4) the location API in application/libraries/api/MY_Locations_Api_Object.php and application/models/location.php.
CVE-2012-3470 ↗	Aug 12, 2012Sunday, 12 August 2012, 21:55	—	7.5 HIGH
Multiple SQL injection vulnerabilities in application/libraries/api/MY_Countries_Api_Object.php in the Ushahidi Platform before 2.5 allow remote attackers to execute arbitrary SQL commands via vectors related to _get_countries functions.
CVE-2012-3471 ↗	Aug 12, 2012Sunday, 12 August 2012, 21:55	—	7.5 HIGH
Multiple SQL injection vulnerabilities in the edit functions in (1) application/controllers/admin/reports.php and (2) application/controllers/members/reports.php in the Ushahidi Platform before 2.5 allow remote attackers to execute arbitrary SQL commands via an incident id.
CVE-2012-3472 ↗	Aug 12, 2012Sunday, 12 August 2012, 21:55	—	6.4 MEDIUM
The email API in application/libraries/api/MY_Email_Api_Object.php in the Ushahidi Platform before 2.5 does not require authentication, which allows remote attackers to list, delete, or organize messages via a GET request.
CVE-2012-3473 ↗	Aug 12, 2012Sunday, 12 August 2012, 21:55	—	6.4 MEDIUM
The (1) reports API and (2) administration feature in the comments API in the Ushahidi Platform before 2.5 do not require authentication, which allows remote attackers to generate reports and organize comments via API functions.
CVE-2012-3474 ↗	Aug 12, 2012Sunday, 12 August 2012, 21:55	—	5 MEDIUM
The comments API in application/libraries/api/MY_Comments_Api_Object.php in the Ushahidi Platform before 2.5 allows remote attackers to obtain sensitive information about the e-mail address, IP address, and other attributes of the author of a comment via an API function call.
CVE-2012-3475 ↗	Aug 12, 2012Sunday, 12 August 2012, 21:55	—	7.5 HIGH
The installer in the Ushahidi Platform before 2.5 omits certain calls to the exit function, which allows remote attackers to obtain administrative privileges via unspecified vectors.
CVE-2012-3476 ↗	Aug 12, 2012Sunday, 12 August 2012, 21:55	—	3.5 LOW
Multiple cross-site scripting (XSS) vulnerabilities in (1) application/views/admin/layout.php and (2) themes/default/views/header.php in the Ushahidi Platform before 2.5 allow remote authenticated users to inject arbitrary web script or HTML via vectors related to a site name.