282 matches found
CVE-2018-18891
MiniCMS 1.10 allows file deletion via /mc-admin/post.php?state=delete&delete= because the authentication check occurs too late...
CVE-2018-18890
MiniCMS 1.10 allows full path disclosure via /mc-admin/post.php?state=delete&delete= with an invalid filename...
CVE-2018-18892
MiniCMS 1.10 allows execution of arbitrary PHP code via the install.php sitename parameter, which affects the site_name field in mc_conf.php...
Code injection
MiniCMS 1.10 allows execution of arbitrary PHP code via the install.php sitename parameter, which affects the site_name field in mc_conf.php...
CVE-2018-18891
MiniCMS 1.10 allows file deletion via /mc-admin/post.php?state=delete&delete= because the authentication check occurs too late...
CVE-2018-18890
MiniCMS 1.10 allows full path disclosure via /mc-admin/post.php?state=delete&delete= with an invalid filename...
CVE-2018-18892
MiniCMS 1.10 allows execution of arbitrary PHP code via the install.php sitename parameter, which affects the site_name field in mc_conf.php...
CVE-2018-18890
MiniCMS 1.10 allows full path disclosure via /mc-admin/post.php?state=delete&delete= with an invalid filename...
CVE-2018-18891
MiniCMS 1.10 allows file deletion via /mc-admin/post.php?state=delete&delete= because the authentication check occurs too late...
CVE-2018-18891
MiniCMS 1.10 is affected by CVE-2018-18891. The vulnerability arises because authentication is checked too late in the request flow, enabling file deletion via /mc-admin/post.php?state=delete&delete=. The Red Hat page reiterates the same issue. The provided documents do not specify vulnerable ver...
CVE-2018-18890
MiniCMS 1.10 contains an information-disclosure vulnerability. Due to handling of the delete parameter in /mc-admin/post.php, an invalid filename can cause full path disclosure. This is documented across CVE-2018-18890 entries (NVD, Red Hat, OSV, CVE lists). Exploitation details are not provided ...
CVE-2018-18892
The CVE-2018-18892 entry concerns MiniCMS 1.10, where the install.php sitename parameter can be manipulated to execute arbitrary PHP code, affecting the site_name field in mc_conf.php. The vulnerability is a code execution flaw rooted in input handling and file configuration, with CVSS metrics in...
Cross site scripting
MiniCMS 1.10, when Internet Explorer is used, allows XSS via a crafted URI because $_SERVER['REQUEST_URI'] is mishandled...
CVE-2018-17039
MiniCMS 1.10, when Internet Explorer is used, allows XSS via a crafted URI because $_SERVER['REQUEST_URI'] is mishandled...
CVE-2018-17039
MiniCMS 1.10, when Internet Explorer is used, allows XSS via a crafted URI because $_SERVER['REQUEST_URI'] is mishandled...
CVE-2018-17039
CVE-2018-17039 affects MiniCMS 1.10. The issue is a cross-site scripting (XSS) vulnerability when Internet Explorer is used, caused by mishandling of $_SERVER['REQUEST_URI'] when processing a crafted URI. The connected documents confirm the vulnerability details and affected component, but do not...
CVE-2018-17039
MiniCMS 1.10, when Internet Explorer is used, allows XSS via a crafted URI because $_SERVER['REQUEST_URI'] is mishandled...
Design/Logic Flaw
An issue was discovered in MiniCMS 1.10. There is an mc-admin/post.php?tag= XSS vulnerability for a state=delete, state=draft, or state=publish request...
CVE-2018-16298
An issue was discovered in MiniCMS 1.10. There is an mc-admin/post.php?tag= XSS vulnerability for a state=delete, state=draft, or state=publish request...
CVE-2018-16298
An issue was discovered in MiniCMS 1.10. There is an mc-admin/post.php?tag= XSS vulnerability for a state=delete, state=draft, or state=publish request...