1594 matches found
CVE-2019-9572
Unrestricted file upload
SchoolCMS version 2.3.1 allows file upload via the theme upload feature at admin.php?m=admin&c=theme&a=upload by using the .zip extension along with the Static substring, changing the Content-Type to application/zip, and placing PHP code after the ZIP header. This ultimately allows execution of...
Cross site scripting
CVE-2019-9551
An issue was discovered in DOYO aka doyocms 2.3 through 2015-05-06. It has admin.php XSS...
Cross site scripting
CVE-2019-9550
DhCms through 2017-09-18 has admin.php?r=admin/Index/index XSS...
CVE-2019-9550 affects DhCms through 2017-09-18: an XSS in admin.php?r=admin/Index/index. The flaw is an XSS in the admin backend (whether stored or reflected is not specified), which can let an attacker obtain cookie information (per CNVD-2019-08720). Multiple sources (NVD, Red Hat, CNVD) report the...
CVE-2019-9181
CVE-2019-9181 affects SchoolCMS v2.3.1. The issue arises in the logo upload feature (admin.php?m=admin&c=site&a=save): an attacker can upload a file with a .jpg extension, set Content-Type to image/php, and append PHP code after the JPEG data, enabling arbitrary PHP code execution on the server. ...
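Both SchoolCMS entries above (CVE-2019-9572 and CVE-2019-9181) rely on the same trick: the upload passes an extension and Content-Type check, the file really does parse as a ZIP or a JPEG, and the PHP payload sits after the container's true end. The check below is an added example, not SchoolCMS code or a reproduction of the advisories: it measures the bytes after the ZIP End Of Central Directory record or after the JPEG EOI marker and rejects any upload that has them. The sample files are constructed inline; the filenames, the PHP-tag regex and the allowed-extension list are assumptions for the example.

```python
"""Trailing-data checks for polyglot uploads: a ZIP or JPEG that parses
correctly but carries PHP after its real end (added example, not SchoolCMS code)."""
import io
import re
import struct
import zipfile

PHP_TAG_RE = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)  # assumed signal, not the CMS's check
EOCD_SIG = b"PK\x05\x06"                                  # ZIP End Of Central Directory


def build_zip(trailer: bytes = b"", comment: bytes = b"") -> bytes:
    """Constructed sample: a minimal valid theme ZIP, optionally with bytes appended."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Static/readme.txt", "theme files")
        zf.comment = comment
    return buf.getvalue() + trailer


def build_jpeg(trailer: bytes = b"") -> bytes:
    """Constructed sample: SOI + APP0/JFIF + EOI, enough to pass magic-byte checks."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return b"\xff\xd8\xff\xe0" + struct.pack(">H", 2 + len(app0)) + app0 + b"\xff\xd9" + trailer


def zip_trailing_bytes(data: bytes) -> int:
    """Bytes after the EOCD record and its comment. Python's zipfile (like most
    ZIP readers) silently tolerates such trailing data, so it must be measured."""
    idx = data.rfind(EOCD_SIG)
    if idx < 0 or idx + 22 > len(data):
        raise ValueError("no End Of Central Directory record: not a ZIP")
    end = idx + 22 + struct.unpack_from("<H", data, idx + 20)[0]
    if end > len(data):
        raise ValueError("ZIP comment runs past end of file")
    return len(data) - end


def jpeg_trailing_bytes(data: bytes) -> int:
    """Walk JPEG segments to the EOI marker and report bytes after it."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI: not a JPEG")
    standalone = {0x01, 0xD8} | set(range(0xD0, 0xD8))  # TEM, SOI, RST0-RST7 carry no length
    pos = 2
    while pos + 1 < len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte before a marker
            pos += 1
        elif marker == 0xD9:          # EOI: the real end of the image
            return len(data) - (pos + 2)
        elif marker in standalone:
            pos += 2
        else:
            if pos + 4 > len(data):
                raise ValueError("truncated segment")
            pos += 2 + struct.unpack_from(">H", data, pos + 2)[0]
            if marker == 0xDA:        # SOS: skip entropy-coded data to the next real marker
                while pos + 1 < len(data):
                    nxt = data[pos + 1]
                    if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                        break
                    pos += 1
    raise ValueError("no EOI marker found")


def check_upload(filename: str, content_type: str, data: bytes):
    """Decide by parsing the bytes. content_type is client-supplied (the
    advisories above set it to application/zip or image/php at will), so it is
    accepted as a parameter only to make the point that it is never consulted."""
    ext = filename.rsplit(".", 1)[-1].lower()
    try:
        if ext == "zip":
            trailing = zip_trailing_bytes(data)
        elif ext in ("jpg", "jpeg"):
            trailing = jpeg_trailing_bytes(data)
        else:
            return False, "extension %r not allowed" % ext
    except ValueError as exc:
        return False, "malformed container: %s" % exc
    if trailing:
        return False, "%d bytes after end of container" % trailing
    if PHP_TAG_RE.search(data):       # catches PHP parked in a ZIP comment or image metadata
        return False, "PHP open tag inside container"
    return True, "ok"
```

The trailing-bytes check is the one that actually stops the technique described in both advisories; the PHP-tag scan is a secondary signal (a ZIP comment or EXIF field can legitimately hold arbitrary bytes, and a tag can be obfuscated). Whatever the checks say, files uploaded by users should live outside the web root or under a path where the PHP handler is disabled, so that a bypass of the validator is not immediately code execution.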
CVE-2019-9052
An issue was discovered in Pluck 4.7.9-dev1. There is a CSRF vulnerability that can delete pictures via a /admin.php?action=deleteimage&var1= URI...
CVE-2019-9048
An issue was discovered in Pluck 4.7.9-dev1. There is a CSRF vulnerability that can delete a theme aka topic via a /admin.php?action=themedelete&var1= URI...
CVE-2019-9051
An issue was discovered in Pluck 4.7.9-dev1. There is a CSRF vulnerability that can delete articles via a /admin.php?action=deletepage&var1= URI...
Sql injection
Bo-blog Wind through 1.6.0-r allows SQL Injection via the admin.php/comments/batchdel/ comID parameter because this parameter is mishandled in the mode/admin.mode.php delBlockedBatch function...
CVE-2019-7587
CVE-2019-7587 affects Bo-blog Wind through 1.6.0-r. The vulnerability is a SQL Injection in the admin.php/comments/batchdel/ comID parameter, caused by mishandling in the mode/admin.mode.php delBlockedBatch function. The connected sources corroborate the issue and describe it as a SQL injection v...
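The Bo-blog entry describes a batch-delete handler that takes a comma-separated comID list and mishandles it. The added example below is not Bo-blog's code (the real delBlockedBatch function is not reproduced here); it reconstructs the generic pattern in Python with an in-memory SQLite table: the ID list is interpolated straight into an IN (...) clause, so a crafted comID rewrites the WHERE clause, and the hardened version parses each ID as an integer and binds it. The table schema, the rows and the comID payload are constructed for the example.

```python
"""Batch-delete SQL injection: vulnerable IN-list interpolation beside the
parameterized fix (added example modelled on the Bo-blog pattern, not its code)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table: two blocked (spam) comments, two normal ones."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, blocked INTEGER, body TEXT)")
    conn.executemany(
        "INSERT INTO comments VALUES (?, ?, ?)",
        [(1, 1, "spam"), (2, 1, "spam"), (3, 0, "fine"), (4, 0, "fine")],
    )
    conn.commit()
    return conn


def del_blocked_batch_vulnerable(conn: sqlite3.Connection, com_id: str) -> int:
    """The weak pattern: the user-supplied list goes into the query as text,
    so 'blocked = 1' can be neutralised by closing the paren and adding OR 1=1."""
    sql = "DELETE FROM comments WHERE blocked = 1 AND id IN (%s)" % com_id
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def del_blocked_batch_safe(conn: sqlite3.Connection, com_id: str) -> int:
    """Hardened: every element must be an integer, and the values are bound
    with placeholders, so the query shape is fixed before any input is seen."""
    ids = [int(part) for part in com_id.split(",")]      # ValueError on anything non-numeric
    if not ids:
        return 0
    placeholders = ",".join("?" * len(ids))
    cur = conn.execute(
        "DELETE FROM comments WHERE blocked = 1 AND id IN (%s)" % placeholders, ids
    )
    conn.commit()
    return cur.rowcount


def remaining_ids(conn: sqlite3.Connection) -> list:
    return [row[0] for row in conn.execute("SELECT id FROM comments ORDER BY id")]


# Constructed payload in the shape the advisory implies: it closes the IN list and
# appends a tautology; the trailing ')' of the original query is commented out.
INJECTED_COMID = "1) OR 1=1 --"
```

Running the vulnerable handler with INJECTED_COMID deletes all four rows, blocked or not; the safe handler raises ValueError on the same input before any SQL runs, and with a well-formed "1,2" deletes exactly the two blocked comments. The placeholder string is built from the count of IDs only, never from their contents, which is what makes the `%` formatting in the safe version acceptable.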
CVE-2019-7570
A CSRF vulnerability was found in PbootCMS v1.3.6 that can delete users via an admin.php/User/del/ucode/ URI...
Cross site scripting
An issue was discovered in Waimai Super Cms 20150505. admin.php?m=Member&a=adminaddsave has XSS via the username or password parameter...
CVE-2019-7569
An issue was discovered in DOYO aka doyocms 2.3 (20140425 update). There is a CSRF vulnerability that can add a super administrator account via admin.php?c=a_adminuser&a=add&run=1...
DOYO (doyocms) 2.3 (20140425 update) contains a CSRF vulnerability that can add a super administrator account via admin.php?c=a_adminuser&a=add&run=1. The affected component is the web admin interface; the issue enables privilege elevation by creating a new admin user. The connected documents con...
CVE-2019-7570
CVE-2019-7570 applies to PbootCMS v1.3.6, describing a Cross-Site Request Forgery (CSRF) vulnerability that allows an attacker to delete user accounts via the admin.php/User/del/ucode/ endpoint. The connected sources confirm the affected product/version and the targeted action, with no additional...
Cross site request forgery (csrf)
Cscms 4.1.8 allows admin.php/links/save CSRF to add, modify, or delete friend links...
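Every CSRF entry above (Pluck, PbootCMS, DOYO, Cscms) has the same shape: an admin action that changes state can be triggered by a request the victim's browser makes on the attacker's behalf, often a plain GET. The added example below is not code from any of those projects; it is a request guard in Python that shows the three checks such an endpoint needs (mutating actions only over POST, a same-origin Origin or Referer, and a per-session token compared in constant time) and runs a forged request of the kind the Pluck entries describe against a legitimate one. The site origin, the action names, the parameter names and the sample requests are assumptions constructed for the example.

```python
"""CSRF guard for state-changing admin actions (added example, not CMS code)."""
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

SITE_ORIGIN = "https://cms.example"   # assumption: the CMS's own origin

# Action names taken from the Pluck entries above; a real deployment lists every mutating action.
STATE_CHANGING_ACTIONS = {"deleteimage", "themedelete", "deletepage"}


def new_csrf_token() -> str:
    """Per-session secret, kept server-side and echoed into every admin form."""
    return secrets.token_urlsafe(32)


def _origin_of(url: str) -> str:
    parts = urlsplit(url)
    return "%s://%s" % (parts.scheme, parts.netloc)


def is_request_allowed(method: str, url: str, headers: dict, form: dict, session_token: str):
    """Return (allowed, reason) for one admin.php request. Read-only actions pass;
    mutating ones must be POST, same-origin, and carry the session's token."""
    action = parse_qs(urlsplit(url).query).get("action", [None])[0]
    if action not in STATE_CHANGING_ACTIONS:
        return True, "read-only action"
    if method.upper() != "POST":
        # A GET can be fired by <img src=...> or a link; a token alone does not fix that.
        return False, "mutating action via %s" % method
    src = headers.get("Origin") or headers.get("Referer")
    if not src or _origin_of(src) != SITE_ORIGIN:
        return False, "missing or foreign Origin/Referer: %r" % src
    token = form.get("csrf_token", "")
    if not session_token or not hmac.compare_digest(token.encode(), session_token.encode()):
        return False, "csrf token missing or mismatched"
    return True, "ok"


def demo():
    """Constructed requests: the forged GET an attacker page would cause, then the
    legitimate POST the admin UI sends. Returns (forged_allowed, legit_allowed)."""
    token = new_csrf_token()
    target = "https://cms.example/admin.php?action=deleteimage&var1=photo.jpg"  # var1 value is made up
    forged = is_request_allowed("GET", target, {"Referer": "https://evil.example/page.html"}, {}, token)
    legit = is_request_allowed("POST", target, {"Origin": "https://cms.example"}, {"csrf_token": token}, token)
    return forged[0], legit[0]
```

Two caveats a reviewer would add: a browser may strip Referer under a strict Referrer-Policy, so rejecting on a missing header is a deliberate availability trade-off, and the guard does nothing for CVE-2019-7569-style account creation if the admin session cookie is also accepted on cross-site POSTs, which is why SameSite=Lax or Strict on the session cookie belongs alongside the token.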