72 matches found
CVE-2022-41475
RPCMS v3.0.2 was discovered to contain a Cross-Site Request Forgery (CSRF) which allows attackers to arbitrarily add an administrator account...
CVE-2022-41474
RPCMS v3.0.2 was discovered to contain a Cross-Site Request Forgery (CSRF) which allows attackers to arbitrarily change the password of any account...
SQL Injection Vulnerability in RPCMS (CNVD-2022-64528)
RPCMS is a lightweight content management/blogging system based on PHP MYSQL. RPCMS suffers from a SQL injection vulnerability. An attacker can exploit the vulnerability to obtain sensitive database information...
SQL injection vulnerability exists in RPCMS (CNVD-2022-64953)
RPCMS is a lightweight content management/blogging system based on PHP MYSQL. RPCMS is vulnerable to SQL injection, which can be exploited by attackers to obtain sensitive database information...
SQL injection vulnerability exists in RPCMS (CNVD-2022-61944)
RPCMS is a lightweight content management/blogging system based on PHP MYSQL. RPCMS is vulnerable to SQL injection, which can be exploited by attackers to obtain sensitive database information...
RPCMS has information leakage vulnerability
RPCMS is a lightweight content management/blogging system based on PHP MYSQL. RPCMS has an information disclosure vulnerability that can be exploited by attackers to obtain sensitive information...
RPCMS Cross-Site Scripting Vulnerability (CNVD-2021-61418)
RPCMS is a software application, a web CMS system. RPCMS suffers from a cross-site scripting vulnerability that stems from a failure to properly clean up the nickname variable before it is displayed on a page in RPCMS v1.8 versions and below. With the API functionality turned on, an attacker can...
CVE-2021-37392
In RPCMS v1.8 and below, the "nickname" variable is not properly sanitized before being displayed on page. When the API functions are enabled, the attacker can use API to update user nickname with XSS payload and achieve stored XSS. Users who view the articles published by the injected user will...
CVE-2021-37392
In RPCMS v1.8 and below, the "nickname" variable is not properly sanitized before being displayed on page. When the API functions are enabled, the attacker can use API to update user nickname with XSS payload and achieve stored XSS. Users who view the articles published by the injected user will...
CVE-2021-37393
In RPCMS v1.8 and below, the "nickname" variable is not properly sanitized before being displayed on page. Attacker can use "update password" function to inject XSS payloads into nickname variable, and achieve stored XSS. Users who view the articles published by the injected user will trigger the...
CVE-2021-37393
In RPCMS v1.8 and below, the "nickname" variable is not properly sanitized before being displayed on page. Attacker can use "update password" function to inject XSS payloads into nickname variable, and achieve stored XSS. Users who view the articles published by the injected user will trigger the...
CVE-2021-37394
In RPCMS v1.8 and below, attackers can interact with API and change variable "role" to "admin" to achieve admin user registration...
Design/Logic Flaw
In RPCMS v1.8 and below, attackers can interact with API and change variable "role" to "admin" to achieve admin user registration...
Cross site scripting
In RPCMS v1.8 and below, the "nickname" variable is not properly sanitized before being displayed on page. Attacker can use "update password" function to inject XSS payloads into nickname variable, and achieve stored XSS. Users who view the articles published by the injected user will trigger the...
Cross site scripting
In RPCMS v1.8 and below, the "nickname" variable is not properly sanitized before being displayed on page. When the API functions are enabled, the attacker can use API to update user nickname with XSS payload and achieve stored XSS. Users who view the articles published by the injected user will...
CVE-2021-37394
RPCMS (v1.8 and earlier) contains an API-level flaw that allows attackers to alter the user role parameter to admin via the API, enabling admin account registration. The connected sources consistently describe this as a role-parameter manipulation vulnerability affecting RPCMS v1.8 and below, lea...
CVE-2021-37394
In RPCMS v1.8 and below, attackers can interact with API and change variable "role" to "admin" to achieve admin user registration...
CVE-2021-37393
CVE-2021-37393 affects RPCMS v1.8 and earlier: the nickname variable is not sanitized before display, enabling stored XSS via the update password function. Users viewing articles by the injected user trigger the XSS. No remediation/fix details are provided in the connected documents.
CVE-2021-37393
In RPCMS v1.8 and below, the "nickname" variable is not properly sanitized before being displayed on page. Attacker can use "update password" function to inject XSS payloads into nickname variable, and achieve stored XSS. Users who view the articles published by the injected user will trigger the...
CVE-2021-37392
In RPCMS v1.8 and below, the "nickname" variable is not properly sanitized before being displayed on page. When the API functions are enabled, the attacker can use API to update user nickname with XSS payload and achieve stored XSS. Users who view the articles published by the injected user will...