149 matches found
CVE-2022-40849
ThinkCMF version 6.0.7 is affected by Stored Cross-Site Scripting XSS. An attacker who successfully exploited this vulnerability could inject a Persistent XSS payload in the Slideshow Management section that executes arbitrary JavaScript code on the client side, e.g., to steal the administrator's...
CVE-2022-40489
ThinkCMF version 6.0.7 is affected by a Cross Site Request Forgery CSRF vulnerability that allows a Super Administrator user to be injected into administrative users...
CVE-2020-20601
An issue in ThinkCMF X2.2.2 and below allows attackers to execute arbitrary code via a crafted packet...
CVE-2020-18151
Cross Site Request Forgery CSRF vulnerability in ThinkCMF v5.1.0, which can add an admin account...
CVE-2020-25915
Cross Site Scripting XSS vulnerability in UserController.php in ThinkCMF version 5.1.5, allows attackers to execute arbitrary code via crafted userlogin...
CVE-2019-7580
ThinkCMF 5.0.190111 allows remote attackers to execute arbitrary PHP code via the portal/admincategory/addpost.html alias parameter because the mishandling of a single quote character allows data/conf/route.php injection...
CVE-2018-19895
ThinkCMF X2.2.2 has SQL Injection via the function editpost in NavController.class.php and is exploitable with the manager privilege via the parentid parameter in a nav action...
Unrestricted Upload Of File With Dangerous Type
thinkcmf/thinkcmf vulnerable to Unrestricted Upload of File with Dangerous Type. The vulnerability is due to insufficient validation of file extensions during the upload process in UeditorController.php. This flaw allows an attacker to execute arbitrary code via uploaded malicious files...
CVE-2024-31615
ThinkCMF 6.0.9 is vulnerable to File upload via UeditorController.php...
PT-2024-24155 · Thinkcmf · Thinkcmf
Name of the Vulnerable Software and Affected Versions: ThinkCMF version 6.0.9 Description: The issue concerns a file upload vulnerability via the UeditorController.php. Recommendations: For ThinkCMF version 6.0.9, consider disabling the file upload functionality via UeditorController.php until a...
CVE-2024-31615
ThinkCMF 6.0.9 is vulnerable to an Unrestricted Upload of File with Dangerous Type via UeditorController.php. The issue allows uploading arbitrary files, enabling potential remote code execution; impact is described as high (CVE-2024-31615) with no explicit exploit details provided in the initial...
ThinkCMF Security Vulnerability
ThinkCMF is a CMS Content Management System based on ThinkPHP. A security vulnerability exists in ThinkCMF version 6.0.9, which stems from a file upload vulnerability in UeditorController.php...
Stored Cross-Site Scripting (XSS)
thinkcmf/thinkcmf is vulnerable to Cross-Site Scripting XSS attacks. The vulnerability is due to a lack of sanitization of the userlogin parameter in the /admin/user/addpost endpoint, allowing an attacker to inject and execute malicious JavaScript in a victim's browser...
ThinkCMF Cross-Site Scripting Vulnerability
ThinkCMF is a CMS Content Management System based on ThinkPHP. A cross-site scripting vulnerability exists in ThinkCMF version 5.1.5, which stems from the lack of effective filtering and escaping of user-supplied data in the file UserController.php, and can be exploited by an attacker to execute...
GHSA-4847-GQXX-V9XP ThinkCMF Cross-site Scripting Vulnerability
Cross Site Scripting XSS vulnerability in UserController.php in ThinkCMF version 5.1.5, allows attackers to execute arbitrary code via crafted userlogin...
ThinkCMF Cross-site Scripting Vulnerability
Cross Site Scripting XSS vulnerability in UserController.php in ThinkCMF version 5.1.5, allows attackers to execute arbitrary code via crafted userlogin...