Cross-site request forgery (CSRF) vulnerability in /admin.php?c=member&m=edit&uid=1 in dayrui FineCms 5.4 allows remote attackers to change the administrator's...
CVSS 8.8 | AI Score 7.7 | EPSS 0.002
controllers/admin/Linkage.php in dayrui FineCms 5.3.0 has Cross Site Scripting (XSS) via the id or lid parameter in a c=linkage,m=import request to admin.php, because the xss_clean protection mechanism is defeated by crafted input that lacks a '<' or '>'...
CVSS 6.1 | AI Score 6.5 | EPSS 0.001
controllers/member/Api.php in dayrui FineCms 5.2.0 has SQL Injection: a request with s=member,c=api,m=checktitle, and the parameter 'module' with a SQL statement, lacks effective...
CVSS 9.8 | AI Score 8 | EPSS 0.002
CVSS 6.1 | AI Score 6.3 | EPSS 0.001
v5/config/system.php in dayrui FineCms 5.2.0 has a default SYS_KEY value and does not require key regeneration for each installation, which allows remote attackers to upload arbitrary .php files via a member api swfupload action to...
CVSS 9.8 | AI Score 7.7 | EPSS 0.008
dayrui FineCms 5.2.0 before 2017.11.16 has Cross Site Scripting (XSS) in core/M_Controller.php via the DR_URI...
CVSS 6.1 | AI Score 6.5 | EPSS 0.001
The call_msg function in controllers/Form.php in dayrui FineCms 5.0.11 might have XSS related to the Referer HTTP header with Internet...
CVSS 6.1 | AI Score 6.4 | EPSS 0.001
The checktitle function in controllers/member/api.php in dayrui FineCms 5.0.11 has XSS related to the module...
CVSS 6.1 | AI Score 6.4 | EPSS 0.001
The oauth function in controllers/member/api.php in dayrui FineCms 5.0.11 has XSS related to the Referer HTTP header with Internet...
CVSS 6.1 | AI Score 6.4 | EPSS 0.001
The out function in controllers/member/Login.php in dayrui FineCms 5.0.11 has XSS related to the Referer HTTP header with Internet...
CVSS 6.1 | AI Score 6.4 | EPSS 0.001
controllers/member/api.php in dayrui FineCms 5.0.11 has XSS related to the dirname...
CVSS 6.1 | AI Score 6.4 | EPSS 0.001
finecms in 1.9.5\controllers\member\ContentController.php allows remote attackers to operate website...
CVSS 9.8 | AI Score 7.5 | EPSS 0.006
dayrui FineCms through 5.0.10 has Cross Site Scripting (XSS) in controllers/api.php via the function parameter in a c=api&m=data2...
CVSS 6.1 | AI Score 6.5 | EPSS 0.001
dayrui FineCms 5.0.9 has Cross Site Scripting (XSS) in admin/Login.php via a payload in the username field that does not begin with a '<'...
CVSS 6.1 | AI Score 6.5 | EPSS 0.001
dayrui FineCms 5.0.9 has URL Redirector Abuse via the url parameter in a sync action, related to...
CVSS 6.1 | AI Score 7.3 | EPSS 0.001
dayrui FineCms 5.0.9 has SQL Injection via the field parameter in an action=module, action=member, action=form, or action=related request to...
CVSS 9.8 | AI Score 8.8 | EPSS 0.002
dayrui FineCms 5.0.9 has SQL Injection via the catid parameter in an action=related request to...
CVSS 9.8 | AI Score 8.8 | EPSS 0.002
dayrui FineCms 5.0.9 has SQL Injection via the num parameter in an action=related or action=tags request to...
CVSS 9.8 | AI Score 8.8 | EPSS 0.002
dayrui FineCms 5.0.9 has remote PHP code execution via the param parameter in an action=cache request to libraries/Template.php, aka Eval...
CVSS 9.8 | AI Score 8.2 | EPSS 0.006
application/core/controller/images.php in FineCMS through 2017-07-12 allows remote authenticated admins to conduct XSS attacks by uploading an image via a route=images...
CVSS 5.4 | AI Score 6.1 | EPSS 0.001
SQL Injection exists in FineCMS through 2017-07-12 via the application/core/controller/excludes.php visitor_ip...
CVSS 8.8 | AI Score 8.8 | EPSS 0.001
Cross-site scripting (XSS) vulnerability in /application/lib/ajax/get_image.php in FineCMS through 2017-07-12 allows remote attackers to inject arbitrary web script or HTML via the folder, id, or name...
CVSS 6.1 | AI Score 6.3 | EPSS 0.001
FineCMS through 2017-07-12 allows XSS in visitors.php because JavaScript in visited URLs is not restricted either during logging or during the reading of logs, a different vulnerability than...
CVSS 6.1 | AI Score 6 | EPSS 0.001
FineCMS 2.1.0 allows remote attackers to execute arbitrary PHP code by using a URL Manager "Add Site" action to enter this code after a ', sequence in a domain name, as demonstrated by the ',phpinfo() input...
CVSS 9.8 | AI Score 8.3 | EPSS 0.015
FineCMS through 2017-07-11 has stored XSS in route=admin when modifying user information, and in route=register when registering a user...
CVSS 6.1 | AI Score 6.2 | EPSS 0.001
In FineCMS through 2017-07-11, application/core/controller/style.php allows remote attackers to write to arbitrary files via the contents and filename parameters in a route=style action. For example, this can be used to overwrite a .php file because the file extension is not...
CVSS 7.5 | AI Score 7.6 | EPSS 0.002
FineCMS through 2017-07-11 has stored XSS in the logging functionality, as demonstrated by an XSS payload in (1) the User-Agent header of an HTTP request or (2) the username entered on the login...
CVSS 6.1 | AI Score 6 | EPSS 0.001
In FineCMS through 2017-07-07, application\core\controller\template.php allows remote PHP code execution by placing the code after...
CVSS 9.8 | AI Score 8.2 | EPSS 0.004
In FineCMS before 2017-07-06, application/lib/ajax/get_image_data.php has SSRF, related to requests for non-image files with a modified HTTP Host...
CVSS 6.5 | AI Score 7.4 | EPSS 0.001
In FineCMS before 2017-07-06, application\core\controller\config.php allows XSS in the (1) key_name, (2) key_value, and (3) meaning...
CVSS 6.1 | AI Score 6.5 | EPSS 0.001
andrzuk/FineCMS through 2017-05-28 is vulnerable to a reflected XSS in the sitename parameter to...
CVSS 6.1 | AI Score 6.3 | EPSS 0.001
andrzuk/FineCMS through 2017-05-28 is vulnerable to a reflected XSS in the search page via the text-search parameter to index.php in a route=search...
CVSS 6.1 | AI Score 6.4 | EPSS 0.001
andrzuk/FineCMS before 2017-03-06 is vulnerable to a reflected XSS in index.php because of missing validation of the action parameter in...
CVSS 6.1 | AI Score 6.4 | EPSS 0.001