CVE-2019-17431
An issue was discovered in fastadmin 1.0.0.20190705beta. There is a public/index.php/admin/auth/admin/add CSRF vulnerability...
CVE-2019-17105
The token generator in index.php in Centreon Web before 2.8.27 is predictable...
CVE-2019-17105
Centreon Web prior to 2.8.27 is affected by CVE-2019-17105 where the token generator in index.php is predictable. The issue is documented as a predictable token generator, enabling potential token guessing that could enable unauthorized access or session-related abuse. Connected sources also desc...
Remote code execution
Ilch 2.1.22 allows remote code execution because php is listed under "Allowed files" on the index.php/admin/media/settings/index page...
CVE-2019-17046
CVE-2019-17046 affects Ilch 2.1.22. The vulnerability arises because PHP is listed under “Allowed files” on the index.php/admin/media/settings/index page, enabling remote code execution. The issue is documented across multiple feeds (NVD, Red Hat, CNVD, osv.dev, CVE listings) as a remote code exe...
CVE-2019-16867
HongCMS 3.0.0 allows arbitrary file deletion via a ../ in the file parameter to admin/index.php/database/ajax?action=delete, a similar issue to CVE-2018-16774. If the attacker deletes config.php and visits install/index.php, they can reinstall the product...
CVE-2019-16867
HongCMS 3.0.0 is affected by a path-traversal vulnerability allowing arbitrary file deletion via a ../ in the file parameter to admin/index.php/database/ajax?action=delete (and similar CVE-2018-16774 path). Root cause is insufficient validation of the file path, enabling deletion of critical file...
CVE-2019-16659
TuziCMS 2.0.6 has index.php/manage/link/doadd CSRF...
CVE-2019-16664
An issue was discovered in ThinkSAAS 2.91. There is XSS via the index.php?app=group&ac=create&ts=do groupname parameter...
Design/Logic Flaw
An issue was discovered in ThinkSAAS 2.91. There is XSS via the content to the index.php?app=group&ac=comment&ts=do&js=1 URI, as demonstrated by a crafted SVG document in the SRC attribute of an EMBED element...
Cross site request forgery (csrf)
TuziCMS 2.0.6 has index.php/manage/notice/doadd CSRF...
CVE-2019-16664
ThinkSAAS 2.91 is affected by CVE-2019-16664: an XSS via the parameter groupname in index.php?app=group&ac=create&ts=do. Root cause described across sources is insufficient sanitization of the groupname input, enabling cross-site scripting. Affected product/version: ThinkSAAS 2.91. The Red Hat ad...
CVE-2019-16658
TuziCMS 2.0.6 is affected by a CSRF vulnerability in the endpoint index.php/manage/notice/do_add. The provided documents identify the root cause as a CSRF issue at that endpoint. No exploitation specifics or remediation steps are given in the sources. If present, check for interim mitigations; o...
CVE-2019-16659
The connected sources confirm CVE-2019-16659 affects TuziCMS 2.0.6, describing a CSRF issue in index.php/manage/link/do_add. The root cause is a Cross-Site Request Forgery vulnerability in that endpoint, enabling unauthorized state-changing requests from a logged-in user. Exploit details, affecte...
CVE-2019-16644
App\Home\Controller\ZhuantiController.class.php in TuziCMS 2.0.6 has SQL injection via the index.php/Zhuanti/group?id= substring...
Sql injection
App\Mobile\Controller\ZhuantiController.class.php in TuziCMS 2.0.6 has SQL injection via the index.php/Mobile/Zhuanti/group?id= substring...
CVE-2019-16642
CVE-2019-16642 affects TuziCMS 2.0.6. Affected component: App\Mobile\Controller\ZhuantiController.class.php, vulnerable to SQL injection via the index.php/Mobile/Zhuanti/group?id= parameter. Root cause described as unsafe handling of user input in ZhuantiController; impact includes data exposure ...