The oauth function in controllers/member/api.php in dayrui FineCms 5.0.11 has XSS related to the Referer HTTP header with Internet...
CVSS 6.1, AI Score 5.9, EPSS 0.001
The checktitle function in controllers/member/api.php in dayrui FineCms 5.0.11 has XSS related to the module...
CVSS 6.1, AI Score 5.9, EPSS 0.001
The call_msg function in controllers/Form.php in dayrui FineCms 5.0.11 might have XSS related to the Referer HTTP header with Internet...
CVSS 6.1, AI Score 5.9, EPSS 0.001
The out function in controllers/member/Login.php in dayrui FineCms 5.0.11 has XSS related to the Referer HTTP header with Internet...
CVSS 6.1, AI Score 5.9, EPSS 0.001
controllers/member/api.php in dayrui FineCms 5.0.11 has XSS related to the dirname...
CVSS 6.1, AI Score 5.9, EPSS 0.001
finecms in 1.9.5\controllers\member\ContentController.php allows remote attackers to operate website...
CVSS 9.8, AI Score 9.3, EPSS 0.006
CVSS 6.1, AI Score 5.9, EPSS 0.001
FineCMS through 2017-07-11 has stored XSS in route=admin when modifying user information, and in route=register when registering a user...
CVSS 6.1, AI Score 5.9, EPSS 0.001
FineCMS through 2017-07-11 has stored XSS in the logging functionality, as demonstrated by an XSS payload in (1) the User-Agent header of an HTTP request or (2) the username entered on the login...
CVSS 6.1, AI Score 5.9, EPSS 0.001
In FineCMS through 2017-07-11, application/core/controller/style.php allows remote attackers to write to arbitrary files via the contents and filename parameters in a route=style action. For example, this can be used to overwrite a .php file because the file extension is not...
CVSS 7.5, AI Score 7.5, EPSS 0.002
andrzuk/FineCMS before 2017-03-06 is vulnerable to a reflected XSS in index.php because of missing validation of the action parameter in...
CVSS 6.1, AI Score 5.9, EPSS 0.001
Cross-site request forgery (CSRF) vulnerability in /admin.php?c=member&m=edit&uid=1 in dayrui FineCms 5.4 allows remote attackers to change the administrator's...
CVSS 8.8, AI Score 8.7, EPSS 0.002
controllers/admin/Linkage.php in dayrui FineCms 5.3.0 has Cross Site Scripting (XSS) via the id or lid parameter in a c=linkage,m=import request to admin.php, because the xss_clean protection mechanism is defeated by crafted input that lacks a '<' or '>'...
CVSS 6.1, AI Score 6, EPSS 0.001
controllers/member/Api.php in dayrui FineCms 5.2.0 has SQL Injection: a request with s=member,c=api,m=checktitle, and the parameter 'module' with a SQL statement, lacks effective...
CVSS 9.8, AI Score 9.5, EPSS 0.002
v5/config/system.php in dayrui FineCms 5.2.0 has a default SYS_KEY value and does not require key regeneration for each installation, which allows remote attackers to upload arbitrary .php files via a member api swfupload action to...
CVSS 9.8, AI Score 9.3, EPSS 0.008
dayrui FineCms 5.2.0 before 2017.11.16 has Cross Site Scripting (XSS) in core/M_Controller.php via the DR_URI...
CVSS 6.1, AI Score 6, EPSS 0.001
dayrui FineCms through 5.0.10 has Cross Site Scripting (XSS) in controllers/api.php via the function parameter in a c=api&m=data2...
CVSS 6.1, AI Score 6, EPSS 0.001
dayrui FineCms 5.0.9 has Cross Site Scripting (XSS) in admin/Login.php via a payload in the username field that does not begin with a '<'...
CVSS 6.1, AI Score 6, EPSS 0.001
dayrui FineCms 5.0.9 has SQL Injection via the field parameter in an action=module, action=member, action=form, or action=related request to...
CVSS 9.8, AI Score 9.8, EPSS 0.002
dayrui FineCms 5.0.9 has URL Redirector Abuse via the url parameter in a sync action, related to...
CVSS 6.1, AI Score 6.2, EPSS 0.001
dayrui FineCms 5.0.9 has SQL Injection via the catid parameter in an action=related request to...
CVSS 9.8, AI Score 9.8, EPSS 0.002
dayrui FineCms 5.0.9 has SQL Injection via the num parameter in an action=related or action=tags request to...
CVSS 9.8, AI Score 9.8, EPSS 0.002
dayrui FineCms 5.0.9 has remote PHP code execution via the param parameter in an action=cache request to libraries/Template.php, aka Eval...
CVSS 9.8, AI Score 9.6, EPSS 0.006
application/core/controller/images.php in FineCMS through 2017-07-12 allows remote authenticated admins to conduct XSS attacks by uploading an image via a route=images...
CVSS 5.4, AI Score 5, EPSS 0.001
Cross-site scripting (XSS) vulnerability in /application/lib/ajax/get_image.php in FineCMS through 2017-07-12 allows remote attackers to inject arbitrary web script or HTML via the folder, id, or name...
CVSS 6.1, AI Score 6, EPSS 0.001
SQL Injection exists in FineCMS through 2017-07-12 via the application/core/controller/excludes.php visitor_ip...
CVSS 8.8, AI Score 9.1, EPSS 0.001
FineCMS through 2017-07-12 allows XSS in visitors.php because JavaScript in visited URLs is not restricted either during logging or during the reading of logs, a different vulnerability than...
CVSS 6.1, AI Score 6, EPSS 0.001
FineCMS 2.1.0 allows remote attackers to execute arbitrary PHP code by using a URL Manager "Add Site" action to enter this code after a ', sequence in a domain name, as demonstrated by the ',phpinfo() input...
CVSS 9.8, AI Score 9.6, EPSS 0.015
In FineCMS through 2017-07-07, application\core\controller\template.php allows remote PHP code execution by placing the code after...
CVSS 9.8, AI Score 9.6, EPSS 0.004
In FineCMS before 2017-07-06, application/lib/ajax/get_image_data.php has SSRF, related to requests for non-image files with a modified HTTP Host...
CVSS 6.5, AI Score 6.4, EPSS 0.001
In FineCMS before 2017-07-06, application\core\controller\config.php allows XSS in the (1) key_name, (2) key_value, and (3) meaning...
CVSS 6.1, AI Score 6, EPSS 0.001
andrzuk/FineCMS through 2017-05-28 is vulnerable to a reflected XSS in the sitename parameter to...
CVSS 6.1, AI Score 5.9, EPSS 0.001
andrzuk/FineCMS through 2017-05-28 is vulnerable to a reflected XSS in the search page via the text-search parameter to index.php in a route=search...
CVSS 6.1, AI Score 5.9, EPSS 0.001