1593 matches found
CVE-2018-19853
An issue was discovered in hitshop through 2014-07-15. There is an elevation-of-privilege vulnerability that allows control over the whole web site via the admin.php/user/add URI because a storekeeper account which is supposed to have only privileges for commodity management can add an...
CVE-2018-19853 describes an elevation-of-privilege flaw in hitshop (through 2014-07-15) where a storekeeper account can add an administrator via admin.php/user/add, gaining control of the whole site. Affected component: the web application’s user/add workflow; root cause: storekeeper privileges c...
Design/Logic Flaw
CVE-2018-19693
An issue was discovered in tp5cms through 2017-05-25. admin.php/system/set.html has XSS via the title parameter...
Cross site request forgery (csrf)
CVE-2018-19561
sikcms 1.1 has CSRF via admin.php?m=Admin&c=Users&a=userAdd to add an administrator account...
Affected software: sikcms version 1.1. Vulnerability: Cross-Site Request Forgery (CSRF) in admin.php?m=Admin&c=Users&a=userAdd that allows an attacker to add an administrator account. Root cause/impact: CSRF enables unauthorized privilege escalation by creating an admin account. Exploitation deta...
Code injection
CVE-2018-19464
Discuz! X3.4 allows XSS via admin.php because admincp/admincp_setting.php and template\default\common\footer.htm mishandle the statcode field from third-party stats code...
The vulnerability concerns Discuz! X3.4, where an XSS flaw can be triggered via admin.php due to improper handling of the statcode field in admincp/admincp_setting.php and template\default\common\footer.htm. The root cause is mishandling of third-party stats code, enabling injection of arbitrary w...
Cross site request forgery (csrf)
CVE-2018-19318
SRCMS 3.0.0 allows CSRF via admin.php?m=Admin&c=manager&a=update to change the username and password of the super administrator account...
The CVE-2018-19318 issue affects SRCMS 3.0.0 and is a CSRF vulnerability that can be exploited via admin.php?m=Admin&c=manager&a=update to alter the super administrator's username and password. Root cause: CSRF on the admin update endpoint allows unauthorized change of credentials. Impact: compro...
Cross site request forgery (csrf)
CVE-2018-19319
SRCMS 3.0.0 allows CSRF via admin.php?m=Admin&c=gifts&a=update to change goods prices with the super administrator's privileges...
SRCMS 3.0.0 contains a CSRF vulnerability that allows an attacker to change product prices via admin.php?m=Admin&c=gifts&a=update, exploiting the super administrator's privileges. The issue arises from lack of proper CSRF protection for admin actions, enabling unauthorized price modification. Doc...
CVE-2018-18380
A Session Fixation issue was discovered in Bigtree before 4.2.24. admin.php accepts a user-provided PHP session ID instead of regenerating a new one after a user has logged in to the application. The Session Fixation could allow an attacker to hijack an admin session...
CVE-2018-18380 affects BigTree (Bigtree) CMS prior to 4.2.24. The admin.php flow accepts a user-supplied PHP session ID after login instead of regenerating a new one, enabling session hijacking (session fixation). Documents indicate this is fixed in 4.2.24; remediation is to upgrade to 4.2.24 or ...
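Four of the entries above fail in the same admin.php flow: hitshop (CVE-2018-19853) trusts a low-privilege account on user/add, sikcms (CVE-2018-19561) and SRCMS (CVE-2018-19318, CVE-2018-19319) accept state-changing admin requests without a CSRF token, and BigTree (CVE-2018-18380) keeps the pre-login session ID. The following PHP is an added illustration written for this page, not code from any of those projects, showing the three server-side checks that close each class: session ID rotation on login, a per-session CSRF token compared in constant time, and a role check taken from the server-side session. The $USERS array is a constructed stand-in for a user table, and the function names are hypothetical; session_regenerate_id, random_bytes, hash_equals, password_hash and password_verify are standard PHP functions (PHP 7.3 or later is assumed for the array form of session_set_cookie_params).

```php
<?php
// Added example for this page: hardened login + admin user/add handler.
// Not taken from hitshop, sikcms, SRCMS or BigTree. Assumes PHP >= 7.3.
declare(strict_types=1);

session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
session_start();

// Constructed stand-in for the user table: username => [hash, role].
$USERS = [
    'admin'       => ['hash' => password_hash('admin-pass-example', PASSWORD_DEFAULT),  'role' => 'admin'],
    'storekeeper' => ['hash' => password_hash('keeper-pass-example', PASSWORD_DEFAULT), 'role' => 'storekeeper'],
];

// Session fixation fix (the BigTree pattern): after the credentials verify,
// discard the pre-login session ID so an ID planted by an attacker is useless.
function login(array $users, string $user, string $pass): bool
{
    if (!isset($users[$user]) || !password_verify($pass, $users[$user]['hash'])) {
        return false;
    }
    session_regenerate_id(true);                       // new ID, old session data deleted
    $_SESSION = ['user' => $user, 'role' => $users[$user]['role']];
    $_SESSION['csrf'] = bin2hex(random_bytes(32));     // fresh secret bound to this session
    return true;
}

// Token to embed in same-site forms as a hidden field.
function csrf_token(): string
{
    return $_SESSION['csrf'] ?? '';
}

// CSRF fix (sikcms, SRCMS pattern): state changes must be POST and carry the
// session's secret; a cross-site form cannot read it, so it cannot supply it.
function verify_csrf(string $method, array $post): bool
{
    return $method === 'POST'
        && isset($_SESSION['csrf'], $post['csrf'])
        && hash_equals($_SESSION['csrf'], (string) $post['csrf']);
}

// Elevation-of-privilege fix (hitshop pattern): the caller's role comes from
// the server-side session, never from the request, and only admins may add
// users or grant the admin role.
function handle_user_add(string $method, array $post, array &$users): array
{
    if (!verify_csrf($method, $post)) {
        return [403, 'missing or invalid CSRF token'];
    }
    if (($_SESSION['role'] ?? '') !== 'admin') {
        return [403, 'only administrators may add users'];
    }
    $newRole = $post['role'] ?? 'storekeeper';
    if (!in_array($newRole, ['admin', 'storekeeper'], true)) {
        return [400, 'unknown role'];
    }
    $name = (string) ($post['username'] ?? '');
    if ($name === '' || isset($users[$name])) {
        return [400, 'invalid or duplicate username'];
    }
    $users[$name] = ['hash' => password_hash((string) ($post['password'] ?? ''), PASSWORD_DEFAULT), 'role' => $newRole];
    return [200, "created $name as $newRole"];
}

// Walk-through (run before any output so the session cookie can be sent).
$before = session_id();
login($USERS, 'storekeeper', 'keeper-pass-example');
echo 'session ID rotated on login: ', var_export(session_id() !== $before, true), PHP_EOL;

// Storekeeper with a valid token still cannot reach user/add (hitshop case).
[$code, $msg] = handle_user_add('POST', ['csrf' => csrf_token(), 'username' => 'evil', 'role' => 'admin'], $USERS);
echo "storekeeper adds admin: $code $msg", PHP_EOL;

login($USERS, 'admin', 'admin-pass-example');
// Cross-site form post has no token: rejected even for a logged-in admin (sikcms/SRCMS case).
[$code, $msg] = handle_user_add('POST', ['username' => 'evil', 'role' => 'admin'], $USERS);
echo "admin without token: $code $msg", PHP_EOL;
// Same-site form that echoed csrf_token() into a hidden field: accepted.
[$code, $msg] = handle_user_add('POST', ['csrf' => csrf_token(), 'username' => 'ops', 'password' => 'x', 'role' => 'storekeeper'], $USERS);
echo "admin with token: $code $msg", PHP_EOL;
```

Run it as a script with the PHP CLI; the three rejections (403 for the storekeeper, 403 for the token-less admin request) and the final 200 are the behaviours the listed CVEs lack. The order of checks matters: the CSRF check runs before any authorization logic so that a forged request never reaches code that acts on the victim's privileges, and the role is read from $_SESSION after session_regenerate_id() so a fixated or forged session cannot carry a role chosen by the attacker.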