Cross-site request forgery (CSRF) vulnerability in blogs/admin.php in b2evolution before 4.1.7 allows remote attackers to hijack the authentication of administrators for requests that conduct SQL injection attacks via the show_statuses[] parameter, related to CVE-2013-2945.

SQL injection vulnerability in blogs/admin.php in b2evolution before 4.1.7 allows remote authenticated administrators to execute arbitrary SQL commands via the show_statuses[] parameter. NOTE: this can be leveraged using CSRF to allow remote unauthenticated attackers to execute arbitrary SQL commands.

Cross-site scripting (XSS) vulnerability in blogs/blog1.php in b2evolution 4.1.3 allows remote attackers to inject arbitrary web script or HTML via the message body.

SQL injection vulnerability in blogs/htsrv/viewfile.php in b2evolution 4.1.3 allows remote authenticated users to execute arbitrary SQL commands via the root parameter.