CVE-2018-16237
An issue was discovered in damiCMS V6.0.1. There is Directory Traversal via '|' characters in the s parameter to admin.php, as demonstrated by an admin.php?s=Tpl/Add/id/c:|windows|win.ini URI...
CVE-2018-16238
An issue was discovered in damiCMS V6.0.1. Remote code execution can occur via PHP code in a multipart/form-data POST to the admin.php?s=/Tpl/Update.html URI. For example, this can update the Web/Tpl/default/head.html file...
Command injection
The Plainview Activity Monitor plugin before 20180826 for WordPress is vulnerable to OS command injection via shell metacharacters in the ip parameter of a wp-admin/admin.php?page=plainviewactivitymonitor&tab=activitytools request...
CVE-2018-15570
In waimai Super Cms 20150505, there is stored XSS via the /admin.php/Foodcat/editsave fcname parameter...
CVE-2018-15568
tp5cms through 2017-05-25 has CSRF via admin.php/category/delete.html...
CVE-2018-15566
tp5cms through 2017-05-25 has XSS via the admin.php/article/index.html q parameter...
Cross site scripting
In waimai Super Cms 20150505, there is stored XSS via the /admin.php/Foodcat/editsave fcname parameter...
CVE-2018-15568
The CVE-2018-15568 issue affects tp5cms (ThinkPHP-based CMS) through 2017-05-25, with a Cross-Site Request Forgery (CSRF) vulnerability exposed via the admin.php/category/delete.html page. The vulnerability allows CSRF to cause deletion actions (notably “type items”) when an attacker entices an a...
CVE-2018-15570
The CVE refers to CVE-2018-15570 affecting waimai Super Cms 20150505, with a stored XSS in the /admin.php/Foodcat/editsave fcname parameter. The available connected sources confirm the vulnerability type (stored XSS) and the affected component/parameter, but do not provide explicit patch/version ...
CVE-2018-15566
CVE-2018-15566 affects tp5cms prior to or on 2017-05-25. The vulnerability is a Cross-Site Scripting (XSS) flaw exploitable via the q parameter in admin.php/article/index.html, enabling injection of arbitrary script/HTML. Affected component is tp5cms’s admin article listing functionality; root ca...
CVE-2018-15198
An issue was discovered in OneThink v1.1. There is a CSRF vulnerability in admin.php?s=/User/add.html that can add a user...
CVE-2018-15198
CVE-2018-15198 affects OneThink v1.1. A CSRF in admin.php?s=/User/add.html can add a user. Exploitation context and impact are described (CVSS2/3: base scores 6.8/8.8; network vector, no auth, user interaction required). No remediation/patch details are provided in the connected documents; no add...
CVE-2018-15197
CVE-2018-15197 affects OneThink v1.1. A CSRF in admin.php?s=/AuthManager/addToGroup.html could grant administrator privileges, enabling privilege escalation. The issue is described across multiple feeds (NVD/Red Hat/CVEs) as allowing an attacker to endow admin rights; no public exploit details or...
CVE-2018-15197
An issue was discovered in OneThink v1.1. There is a CSRF vulnerability in admin.php?s=/AuthManager/addToGroup.html that can endow administrator privileges...
blog.seniorennet.nl XSS vulnerability
Open Bug Bounty ID: OBB-648249

| Description | Value |
|---|---|
| Affected Website: | blog.seniorennet.nl |
| Open Bug Bounty Program: | Create your bounty program now. It's open and free. |
| Vulnerable Application: | Custom Code |
| Vulnerability Type: | XSS Cross Site Scripting / CWE-79 |
| CVSSv3 Score: | 6.1... |
CVE-2018-14069
SRCMS V2.3.1 contains a CSRF flaw that allows an attacker to add a user account via admin.php?m=Admin&c=member&a=add. The affected component is the user-management functionality; the root cause is a CSRF vulnerability in the request handling for adding members. Impact statements in the sources in...
CVE-2018-13031
DamiCMS v6.0.0 and 6.1.0 allows CSRF via admin.php?s=/Admin/doadd to add an administrator account...
CVE-2018-13031
DamiCMS CVE-2018-13031 affects versions 6.0.0 and 6.1.0. The vulnerability is a Cross-Site Request Forgery (CSRF) on the endpoint admin.php?s=/Admin/doadd, allowing an attacker to add an administrator account. The root cause is insufficient CSRF protection on that admin action; the impact is the...
DAMICMS 6.0.0 - Cross-Site Request Forgery (Add Admin)
DAMICMS 6.0.0 - Cross-Site Request Forgery (Add Admin) history.pushState('', '', '/')...
CVE-2018-13001
An XSS issue was discovered in Sandoba CP:Shop v2016.1. The vulnerability is located in the admin.php file of the ./cpshop/ module. Remote attackers are able to inject their own script codes to the client-side requested vulnerable web-application parameters. The attack vector of the vulnerability...