CVE-2024-48228
An issue was found in Funadmin 5.0.2. The selectfiles method in \backend\controller\sys\Attachh.php directly stores the passed parameters and values into the param parameter without filtering, resulting in cross-site scripting (XSS)...
CVE-2024-48231
Funadmin 5.0.2 is vulnerable to SQL Injection via the selectFields parameter in the index method of \backend\controller\auth\Auth.php...
CVE-2024-48230
funadmin 5.0.2 is vulnerable to SQL Injection via the parentField parameter in the index method of \backend\controller\auth\Auth.php...
CVE-2024-48229
Funadmin 5.0.2 has a SQL injection vulnerability in the Curd one-click command mode plugin...
CVE-2024-48218
Funadmin v5.0.2 has a SQL injection vulnerability in /curd/table/list...
CVE-2024-48222
Funadmin v5.0.2 has a SQL injection vulnerability in /curd/table/edit...
CVE-2023-36097
funadmin v3.3.2 and v3.3.3 are vulnerable to Insecure file upload via the plugins install...
CVE-2023-24781
Funadmin v3.2.0 was discovered to contain a SQL injection vulnerability via the selectFields parameter at \member\MemberLevel.php...
CVE-2023-24774
Funadmin v3.2.0 was discovered to contain a SQL injection vulnerability via the selectFields parameter at \controller\auth\Auth.php...
CVE-2023-24773
Funadmin v3.2.0 was discovered to contain a SQL injection vulnerability via the id parameter at /databases/database/list...
CVE-2023-2477
A vulnerability was found in Funadmin up to 3.2.3. It has been declared as problematic. Affected by this vulnerability is the function tagLoad of the file Cx.php. The manipulation of the argument file leads to cross site scripting. The attack can be launched remotely. The exploit has been disclos...
CVE-2023-24782
Funadmin v3.2.0 was discovered to contain a SQL injection vulnerability via the id parameter at /databases/database/edit...
CVE-2023-24776
Funadmin v3.2.0 was discovered to contain a remote code execution (RCE) vulnerability via the component \controller\Addon.php...
CVE-2023-24780
Funadmin v3.2.0 was discovered to contain a SQL injection vulnerability via the id parameter at /databases/table/columns...
CVE-2023-24777
Funadmin v3.2.0 was discovered to contain a SQL injection vulnerability via the id parameter at /databases/table/list...
CVE-2023-24775
Funadmin v3.2.0 was discovered to contain a SQL injection vulnerability via the selectFields parameter at \member\Member.php...
Cross-Site Scripting (XSS)
funadmin/funadmin is vulnerable to cross-site scripting (XSS). The vulnerability is due to the lack of input validation and filtering of parameters passed to the param variable in the selectfiles method of \backend\controller\sys\Attachh.php, allowing an attacker to inject malicious scripts into th...
SQL Injection
Funadmin is vulnerable to SQL Injection. The vulnerability is due to an arbitrary file read in the /curd/index/editfile endpoint...
SQL Injection
Funadmin is vulnerable to SQL injection. The vulnerability is due to improper input validation in curd/table/savefield, allowing malicious SQL code to be executed. Attackers can exploit this vulnerability to manipulate database queries, potentially gaining unauthorized access to or tampering with...
SQL Injection
Funadmin is vulnerable to SQL injection. The vulnerability is due to improper input validation in the Curd one-click command mode plugin, allowing user-supplied data to be directly included in SQL queries without sanitization. Attackers can exploit this to execute arbitrary SQL commands...