26 matches found
CVE-2020-36052
Directory traversal vulnerability in post-edit.php in MiniCMS V1.10 allows remote attackers to include and execute arbitrary files via the state parameter...
CVE-2019-9603
MiniCMS 1.10 allows mc-admin/post.php?state=publish&delete= CSRF to delete articles, a different vulnerability than CVE-2018-18891...
CVE-2018-18890
MiniCMS 1.10 allows full path disclosure via /mc-admin/post.php?state=delete&delete= with an invalid filename...
CVE-2018-18891
MiniCMS 1.10 allows file deletion via /mc-admin/post.php?state=delete&delete= because the authentication check occurs too late...
CVE-2018-18892
MiniCMS 1.10 allows execution of arbitrary PHP code via the install.php sitename parameter, which affects the sitename field in mcconf.php...
Code injection
MiniCMS 1.10 allows execution of arbitrary PHP code via the install.php sitename parameter, which affects the sitename field in mcconf.php...
Authentication flaw
MiniCMS 1.10 allows file deletion via /mc-admin/post.php?state=delete&delete= because the authentication check occurs too late...
Path traversal
MiniCMS 1.10 allows full path disclosure via /mc-admin/post.php?state=delete&delete= with an invalid filename...
CVE-2018-18890
MiniCMS 1.10 contains an information-disclosure vulnerability. Due to handling of the delete parameter in /mc-admin/post.php, an invalid filename can cause full path disclosure. This is documented across CVE-2018-18890 entries (NVD, Red Hat, OSV, CVE lists). Exploitation details are not provided ...
CVE-2018-16298
An issue was discovered in MiniCMS 1.10. There is an mc-admin/post.php?tag= XSS vulnerability for a state=delete, state=draft, or state=publish request...
CVE-2018-16298
MiniCMS 1.10 is affected by a cross-site scripting (XSS) vulnerability in the admin endpoint mc-admin/post.php?tag= where requests with state=delete, state=draft, or state=publish can inject script or HTML. The flaw is triggered via the tag parameter and is present in the public CVE entries acros...
CVE-2018-15899
An issue was discovered in MiniCMS 1.10. There is a post.php?date= XSS vulnerability...
Spoofing
An issue was discovered in MiniCMS 1.10. There is a post.php?date= XSS vulnerability...
CVE-2018-10424
mc-admin/post-edit.php in MiniCMS 1.10 allows full path disclosure via a modified id field...
Path traversal
mc-admin/post-edit.php in MiniCMS 1.10 allows full path disclosure via a modified id field...
MiniCMS 1.10 - Cross-Site Request Forgery
test document.forms0.submit;...