18 matches found
CVE-2019-6127
An issue was discovered in XiaoCms 20141229. It allows admin/index.php?c=database table[] SQL injection. This can be used for PHP code execution via "INTO OUTFILE" with a .php filename...
CVE-2019-6127
CVE-2019-6127 affects XiaoCms 20141229. The vulnerability is a SQL injection in the admin/index.php?c=database table[] path, enabling an attacker to perform PHP code execution via INTO OUTFILE with a .php filename. The references confirm the same description across multiple sources, indicating a ...
XiaoCms cross-site scripting vulnerability (CNVD-2019-07016)
XiaoCms is a lightweight content management system (CMS) based on PHP and MySQL that runs on Linux, Windows and other platforms. A cross-site scripting vulnerability exists in XiaoCms version 20141229. A remote attacker can exploit this vulnerability to inject arbitrary web script or...
XiaoCms Cross-Site Scripting Vulnerability
XiaoCms is a lightweight content management system (CMS) based on PHP and MySQL that runs on Linux, Windows and other platforms. A cross-site scripting vulnerability exists in XiaoCms version 20141229, which can be exploited by remote attackers to inject arbitrary web script or HTML vi...
XiaoCms Information Disclosure Vulnerability
XiaoCms is a lightweight content management system (CMS) based on PHP and MySQL that runs on Linux, Windows and other platforms. A security vulnerability exists in /admin/index.php?c=database in XiaoCms version 20141229. The vulnerability can be exploited to obtain the full path with t...
CVE-2018-19192
An issue was discovered in XiaoCms 20141229. admin/index.php?c=content&a=add&catid=3 has CSRF, as demonstrated by entering news via the data[content] parameter...
Design/Logic Flaw
An issue was discovered in XiaoCms 20141229. It allows remote attackers to execute arbitrary code by using the type parameter to bypass the standard admin\controller\uploadfile.php restrictions on uploaded file types jpg, jpeg, bmp, png, gif, as demonstrated by an...
CVE-2018-19195
An issue was discovered in XiaoCms 20141229. There is XSS related to the template\default\showproduct.html file...
Cross site request forgery (csrf)
An issue was discovered in XiaoCms 20141229. admin/index.php?c=content&a=add&catid=3 has CSRF, as demonstrated by entering news via the data[content] parameter...
CVE-2018-19197
An issue was discovered in XiaoCms 20141229. admin\controller\database.php allows arbitrary directory deletion via admin/index.php?c=database&a=import&paths[]=../ directory traversal...
CVE-2018-19194
An issue was discovered in XiaoCms 20141229. /admin/index.php?c=database allows full path disclosure in a "failed to open stream" error message...
CVE-2018-19195
An issue was discovered in XiaoCms 20141229. There is XSS related to the template\default\showproduct.html file...
CVE-2018-19192
CVE-2018-19192: XiaoCms 20141229 contains a cross-site request forgery (CSRF) in admin/index.php?c=content&a=add&catid=3, demonstrated by submitting news via the data[content] parameter. The Red Hat/CNVD/CVE mirrors confirm CSRF as the underlying issue. Documented impact is limited to CSRF, enab...
CVE-2018-19193
An issue was discovered in XiaoCms 20141229. There is XSS via the largest input box on the "New news" screen...
CVE-2018-19196
An issue was discovered in XiaoCms 20141229. It allows remote attackers to execute arbitrary code by using the type parameter to bypass the standard admin\controller\uploadfile.php restrictions on uploaded file types jpg, jpeg, bmp, png, gif, as demonstrated by an...
CVE-2018-19197
An issue was discovered in XiaoCms 20141229. admin\controller\database.php allows arbitrary directory deletion via admin/index.php?c=database&a=import&paths[]=../ directory traversal...
CVE-2018-19194
Vulnerability summary: XiaoCms 20141229 contains a path disclosure flaw where accessing /admin/index.php?c=database can disclose the full filesystem path via a 'failed to open stream' error. This is consistently described across NVD, Red Hat, CNVD, EU and CVE records. Impact: information disclosu...
CVE-2018-19197
CVE-2018-19197 affects XiaoCms 20141229. The issue is in admin/controller/database.php, where an input parameter allows directory traversal via admin/index.php?c=database&a=import&paths[]=../, enabling arbitrary directory deletion. This is the explicit vulnerability described across multiple conn...