1593 matches found

Prion
added 2018/06/29 2:29 p.m. | 12 views

Design/Logic Flaw

An XSS issue was discovered in Sandoba CP:Shop v2016.1. The vulnerability is located in the admin.php file of the ./cpshop/ module. Remote attackers are able to inject their own script codes to the client-side requested vulnerable web-application parameters. The attack vector of the vulnerability...

4.3 CVSS | 6 AI score | 0.00223 EPSS
Exploits: 3 | References: 1

CVE
added 2018/06/29 2:0 p.m. | 36 views

CVE-2018-13001

Sandoba CP:Shop v2016.1 contains a cross-site scripting (XSS) vulnerability in the cpshop/admin.php module. The CVE describes a non-persistent XSS that can be triggered via GET parameters (path, search, rename, or dir) and injected into client-side code. Connected sources corroborate the issue ac...

6.1 CVSS | 6 AI score | 0.00223 EPSS
Exploits: 3 | References: 1 | Affected Software: 1

Cvelist
added 2018/06/29 2:0 p.m. | 13 views

CVE-2018-13001

An XSS issue was discovered in Sandoba CP:Shop v2016.1. The vulnerability is located in the admin.php file of the ./cpshop/ module. Remote attackers are able to inject their own script codes to the client-side requested vulnerable web-application parameters. The attack vector of the vulnerability...

6.1 AI score | 0.00223 EPSS
Exploits: 3 | References: 1

NVD
added 2018/06/25 8:29 p.m. | 14 views

CVE-2018-12603

Cross-site request forgery (CSRF) vulnerability in admin.php in LFCMS 3.7.0 allows remote attackers to hijack the authentication of unspecified users for requests that add administrator users via the s parameter, a related issue to CVE-2018-12114...

8.8 CVSS | 9 AI score | 0.00239 EPSS
Exploits: 5 | References: 4

Cvelist
added 2018/06/14 5:0 p.m. | 15 views

CVE-2018-12114

Maccms 10 allows CSRF via admin.php/admin/admin/info.html to add user accounts...

8.7 AI score | 0.00319 EPSS
Exploits: 5 | References: 3

CVE
added 2018/06/14 5:0 p.m. | 62 views

CVE-2018-12114

CVE-2018-12114 affects MacCMS 10. A CSRF vulnerability allows an attacker to add administrator user accounts via the request targeting admin.php/admin/admin/info.html. The issue is demonstrated in public references and exploit entries, including an explicit POST form example used to create a new ...

8.8 CVSS | 8.5 AI score | 0.00319 EPSS
Exploits: 5 | References: 3 | Affected Software: 1

Prion
added 2018/05/31 8:29 p.m. | 11 views

Cross site request forgery (csrf)

An issue was discovered in the MULTIDOTS Woo Checkout for Digital Goods plugin 2.1 for WordPress. If an admin user can be tricked into visiting a crafted URL created by an attacker via spear phishing/social engineering, the attacker can change the plugin settings. The function...

4.3 CVSS | 6.6 AI score | 0.00103 EPSS
Exploits: 1 | References: 2 | Affected Software: 1

CVE
added 2018/05/13 10:0 p.m. | 34 views

CVE-2018-11018

PbootCMS v1.0.7 contains a Cross‑Site Request Forgery (CSRF) vulnerability in apps/admin/controller/system/RoleController.php that enables remote attackers to add administrator accounts via admin.php/role/add.html. Affected software: PbootCMS 1.0.7. Root cause: CSRF in role management workflow al...

8.8 CVSS | 8.7 AI score | 0.00198 EPSS
Exploits: 1 | References: 1 | Affected Software: 1

NVD
added 2018/04/16 3:29 p.m. | 8 views

CVE-2018-10132

PbootCMS v0.9.8 has CSRF via an admin.php/Message/mod/id/19.html?backurl=/index.php request, resulting in PHP code injection in the recontent parameter...

8.8 CVSS | 9 AI score | 0.00168 EPSS
Exploits: 1 | References: 1

NVD
added 2018/04/16 3:29 p.m. | 9 views

CVE-2018-10133

PbootCMS v0.9.8 allows PHP code injection via an IF label in index.php/About/6.html or admin.php/Site/index.html, related to the parserIfLabel function in \apps\home\controller\ParserController.php...

9.8 CVSS | 9.7 AI score | 0.00397 EPSS
Exploits: 1 | References: 1

Prion
added 2018/04/16 3:29 p.m. | 11 views

Code injection

PbootCMS v0.9.8 allows PHP code injection via an IF label in index.php/About/6.html or admin.php/Site/index.html, related to the parserIfLabel function in \apps\home\controller\ParserController.php...

7.5 CVSS | 9.6 AI score | 0.00397 EPSS
Exploits: 1 | References: 1 | Affected Software: 1

CVE
added 2018/04/16 2:0 p.m. | 49 views

CVE-2018-10132

CVE-2018-10132 affects PbootCMS v0.9.8. The vulnerability is described as a cross‑site request forgery (CSRF) in admin.php/Message/mod/id/19.html?backurl=/index.php that can cause PHP code injection in the recontent parameter. Connected sources consistently reference the same description. No conc...

8.8 CVSS | 8.9 AI score | 0.00168 EPSS
Exploits: 1 | References: 1 | Affected Software: 1

Packet Storm
added 2018/03/28 12:0 a.m. | 43 views

Sandoba CP:Shop CMS 2016.1 Cross Site Scripting

Document Title: Sandoba CP:Shop CMS v2016.1 - Multiple Cross Site Scripting Vulnerabilities; References Source: https://www.vulnerability-lab.com/getcontent.php?id=2122; Release Date: 2018-03-02; Vulnerability Laboratory ID VL-ID:...

0.2 AI score
Exploits: 0

Prion
added 2018/03/06 5:29 p.m. | 10 views

Design/Logic Flaw

The management panel in Piwigo 2.9.3 has stored XSS via the virtual_name parameter in a /admin.php?page=cat_list request, a different issue than CVE-2017-9836. CSRF exploitation, related to CVE-2017-10681, may be possible...

3.5 CVSS | 5.2 AI score | 0.00206 EPSS
Exploits: 2 | References: 1 | Affected Software: 1

CVE
added 2018/03/06 5:0 p.m. | 45 views

CVE-2018-7723

CVE-2018-7723 affects Piwigo 2.9.3: a stored XSS in the admin panel via the virtual_name parameter in /admin.php?page=cat_list (distinct from CVE-2017-9836). The description notes CSRF exploitation may be possible, related to CVE-2017-10681. CVSS vectors are provided (3.5/LOW for CVSS2, 5.4/MEDIU...

5.4 CVSS | 5.1 AI score | 0.00206 EPSS
Exploits: 1 | References: 1 | Affected Software: 1

Vulnerability Lab
added 2018/03/02 12:0 a.m. | 51 views

Sandoba CP:Shop CMS v2016.1 - Multiple XSS Vulnerabilities

Document Title: Sandoba CP:Shop CMS v2016.1 - Multiple XSS Vulnerabilities; References Source: https://www.vulnerability-lab.com/getcontent.php?id=2122 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-13001; CVE-ID: CVE-2018-13001; Release Date:...

6.1 CVSS | 0.5 AI score | 0.00223 EPSS
Exploits: 3

Prion
added 2018/02/25 7:29 p.m. | 9 views

Cross site scripting

controllers/admin/Linkage.php in dayrui FineCms 5.3.0 has Cross Site Scripting (XSS) via the id or lid parameter in a c=linkage,m=import request to admin.php, because the xssclean protection mechanism is defeated by crafted input that lacks a '' character...

4.3 CVSS | 6 AI score | 0.0024 EPSS
Exploits: 0 | References: 2 | Affected Software: 1

Prion
added 2018/02/24 4:29 p.m. | 12 views

Sql injection

Piwigo before 2.9.3 has SQL injection in admin/tags.php in the administration panel, via the tags array parameter in an admin.php?page=tags request. The attacker must be an administrator...

4 CVSS | 5.8 AI score | 0.00263 EPSS
Exploits: 0 | References: 2 | Affected Software: 1

Prion
added 2018/02/19 2:29 p.m. | 17 views

Cross site request forgery (csrf)

application/admin/controller/Admin.php in NoneCms 1.3.0 has CSRF, as demonstrated by changing an admin password or adding an account via a public/index.php/admin/admin/edit.html request...

6.8 CVSS | 8.7 AI score | 0.00168 EPSS
Exploits: 1 | References: 1 | Affected Software: 1

OSV
added 2018/02/19 2:29 p.m. | 12 views

CVE-2018-7219

application/admin/controller/Admin.php in NoneCms 1.3.0 has CSRF, as demonstrated by changing an admin password or adding an account via a public/index.php/admin/admin/edit.html request...

8.8 CVSS | 7.3 AI score
Exploits: 0 | References: 1