163 matches found
CVE-2019-9611
CVE-2019-9611 affects OFCMS prior to 1.1.3. The issue enables a directory traversal via the admin/cms/template/getTemplates.html?res_path=res parameter, allowing ../ in dir to write arbitrary content (file_content) to an arbitrary file (file_name). Root cause: save function in TemplateController....
CVE-2019-9615
CVE-2019-9615 affects OFCMS prior to 1.1.3. The backend SQL injection is reachable via admin/system/generate/create?sql= and is attributed to SystemGenerateController.java. The vulnerability allows injection through the SQL parameter, enabling a attacker-controlled query that could impact data in...
CVE-2019-9616
The CVE-2019-9616 issue affects OFCMS prior to version 1.1.3. The vulnerability arises from blocking of .jsp and .jspx files not accounting for file.jsp::$DATA in the admin/ueditor/uploadScrawl URI, enabling a remote attacker to execute arbitrary code. Affected component: OFCMS backend upload han...