1596 matches found
CVE-2019-9598
An issue was discovered in Cscms 4.1.0. There is an admin.php/pay CSRF vulnerability that can change the payment account to redirect funds...
CVE-2019-9598
The CVE-2019-9598 entry describes a CSRF vulnerability in Cscms 4.1.0, specifically in the admin.php/pay flow, that allows an attacker to change the payment account and redirect funds. Documents confirm affected software (Cscms 4.1.0) and the vulnerability class (CSRF) with the underlying impact ...
CVE-2019-9572
SchoolCMS version 2.3.1 allows file upload via the theme upload feature at admin.php?m=admin&c=theme&a=upload by using the .zip extension along with the Static substring, changing the Content-Type to application/zip, and placing PHP code after the ZIP header. This ultimately allows execution of...
Unrestricted file upload
SchoolCMS version 2.3.1 allows file upload via the theme upload feature at admin.php?m=admin&c=theme&a=upload by using the .zip extension along with the Static substring, changing the Content-Type to application/zip, and placing PHP code after the ZIP header. This ultimately allows execution of...
Cross site scripting
An issue was discovered in DOYO aka doyocms 2.3 through 2015-05-06. It has admin.php XSS...
CVE-2019-9551
An issue was discovered in DOYO aka doyocms 2.3 through 2015-05-06. It has admin.php XSS...
CVE-2019-9551
An issue was discovered in DOYO aka doyocms 2.3 through 2015-05-06. It has admin.php XSS...
Cross site scripting
DhCms through 2017-09-18 has admin.php?r=admin/Index/index XSS...
CVE-2019-9550
DhCms through 2017-09-18 has admin.php?r=admin/Index/index XSS...
CVE-2019-9550
CVE-2019-9550 affects DhCms (DhCms through 2017-09-18) with an XSS in admin.php?r=admin/Index/index. The root cause is a stored/reflected XSS in the admin backend, enabling an attacker to potentially obtain cookie information (per CNVD-2019-08720). Multiple sources (NVD, Red Hat, CNVD) report the...
CVE-2019-9181
CVE-2019-9181 affects SchoolCMS v2.3.1. The issue arises in the logo upload feature (admin.php?m=admin&c=site&a=save): an attacker can upload a file with a .jpg extension, set Content-Type to image/php, and append PHP code after the JPEG data, enabling arbitrary PHP code execution on the server. ...
CVE-2019-9048
An issue was discovered in Pluck 4.7.9-dev1. There is a CSRF vulnerability that can delete a theme aka topic via a /admin.php?action=themedelete&var1= URI...
CVE-2019-9052
An issue was discovered in Pluck 4.7.9-dev1. There is a CSRF vulnerability that can delete pictures via a /admin.php?action=deleteimage&var1= URI...
CVE-2019-9051
An issue was discovered in Pluck 4.7.9-dev1. There is a CSRF vulnerability that can delete articles via a /admin.php?action=deletepage&var1= URI...
Sql injection
Bo-blog Wind through 1.6.0-r allows SQL Injection via the admin.php/comments/batchdel/ comID parameter because this parameter is mishandled in the mode/admin.mode.php delBlockedBatch function...
CVE-2019-7587
CVE-2019-7587 affects Bo-blog Wind through 1.6.0-r. The vulnerability is a SQL Injection in the admin.php/comments/batchdel/ comID parameter, caused by mishandling in the mode/admin.mode.php delBlockedBatch function. The connected sources corroborate the issue and describe it as a SQL injection v...
CVE-2019-7570
A CSRF vulnerability was found in PbootCMS v1.3.6 that can delete users via an admin.php/User/del/ucode/ URI...
Cross site scripting
An issue was discovered in Waimai Super Cms 20150505. admin.php?m=Member&a=adminaddsave has XSS via the username or password parameter...
CVE-2019-7569
An issue was discovered in DOYO aka doyocms 2.320140425 update. There is a CSRF vulnerability that can add a super administrator account via admin.php?c=aadminuser&a=add&run=1...
CVE-2019-7569
DOYO (doyocms) 2.3 (20140425 update) contains a CSRF vulnerability that can add a super administrator account via admin.php?c=a_adminuser&a=add&run=1. The affected component is the web admin interface; the issue enables privilege elevation by creating a new admin user. The connected documents con...