
1599 matches found

Cvelist
added 2019/03/21 11:1 p.m. | 21 views

CVE-2019-9910

The kingcomposer plugin 2.7.6 for WordPress has wp-admin/admin.php?page=kc-mapper id XSS...

AI score: 6.4 | EPSS: 0.01389
Exploits: 1 | References: 3

NVD
added 2019/03/10 10:29 p.m. | 22 views

CVE-2019-9646

The Contact Form Email plugin before 1.2.66 for WordPress allows wp-admin/admin.php item XSS, related to cpadminintedition.inc.php in the "custom edition area."...

CVSS: 6.1 | AI score: 6.3 | EPSS: 0.01389
Exploits: 2 | References: 3

Prion
added 2019/03/07 11:29 p.m. | 16 views

Cross site request forgery (csrf)

An issue was discovered in Cscms 4.1.0. There is an admin.php/pay CSRF vulnerability that can change the payment account to redirect funds...

CVSS: 4.3 | AI score: 6.4 | EPSS: 0.00506
Exploits: 1 | References: 1 | Affected Software: 1

Cvelist
added 2019/03/07 10:0 p.m. | 20 views

CVE-2019-9598

An issue was discovered in Cscms 4.1.0. There is an admin.php/pay CSRF vulnerability that can change the payment account to redirect funds...

AI score: 6.5 | EPSS: 0.00506
Exploits: 1 | References: 1

CVE
added 2019/03/07 10:0 p.m. | 38 views

CVE-2019-9598

The CVE-2019-9598 entry describes a CSRF vulnerability in Cscms 4.1.0, specifically in the admin.php/pay flow, that allows an attacker to change the payment account and redirect funds. Documents confirm affected software (Cscms 4.1.0) and the vulnerability class (CSRF) with the underlying impact ...

CVSS: 6.5 | AI score: 6.4 | EPSS: 0.00506
Exploits: 1 | References: 1 | Affected Software: 1

Prion
added 2019/03/05 2:29 p.m. | 11 views

Unrestricted file upload

SchoolCMS version 2.3.1 allows file upload via the theme upload feature at admin.php?m=admin&c=theme&a=upload by using the .zip extension along with the Static substring, changing the Content-Type to application/zip, and placing PHP code after the ZIP header. This ultimately allows execution of...

CVSS: 6.5 | AI score: 7.2 | EPSS: 0.02069
Exploits: 1 | References: 1 | Affected Software: 1

NVD
added 2019/03/05 2:29 p.m. | 9 views

CVE-2019-9572

SchoolCMS version 2.3.1 allows file upload via the theme upload feature at admin.php?m=admin&c=theme&a=upload by using the .zip extension along with the Static substring, changing the Content-Type to application/zip, and placing PHP code after the ZIP header. This ultimately allows execution of...

CVSS: 7.2 | AI score: 7.2 | EPSS: 0.02069
Exploits: 1 | References: 1

Prion
added 2019/03/04 4:29 a.m. | 14 views

Cross site scripting

An issue was discovered in DOYO aka doyocms 2.3 through 2015-05-06. It has admin.php XSS...

CVSS: 3.5 | AI score: 5.2 | EPSS: 0.00652
Exploits: 1 | References: 1 | Affected Software: 1

NVD
added 2019/03/04 4:29 a.m. | 19 views

CVE-2019-9551

An issue was discovered in DOYO aka doyocms 2.3 through 2015-05-06. It has admin.php XSS...

CVSS: 4.8 | AI score: 5.2 | EPSS: 0.00652
Exploits: 1 | References: 1

Cvelist
added 2019/03/04 4:0 a.m. | 24 views

CVE-2019-9551

An issue was discovered in DOYO aka doyocms 2.3 through 2015-05-06. It has admin.php XSS...

AI score: 5.2 | EPSS: 0.00652
Exploits: 1 | References: 1

Prion
added 2019/03/03 7:29 p.m. | 14 views

Cross site scripting

DhCms through 2017-09-18 has admin.php?r=admin/Index/index XSS...

CVSS: 3.5 | AI score: 5.2 | EPSS: 0.00652
Exploits: 1 | References: 1 | Affected Software: 1

Cvelist
added 2019/03/03 7:0 p.m. | 20 views

CVE-2019-9550

DhCms through 2017-09-18 has admin.php?r=admin/Index/index XSS...

AI score: 5.2 | EPSS: 0.00652
Exploits: 1 | References: 1

CVE
added 2019/03/03 7:0 p.m. | 40 views

CVE-2019-9550

CVE-2019-9550 affects DhCms (DhCms through 2017-09-18) with an XSS in admin.php?r=admin/Index/index. The root cause is a stored/reflected XSS in the admin backend, enabling an attacker to potentially obtain cookie information (per CNVD-2019-08720). Multiple sources (NVD, Red Hat, CNVD) report the...

CVSS: 4.8 | AI score: 5.2 | EPSS: 0.00652
Exploits: 1 | References: 1 | Affected Software: 1

CVE
added 2019/02/26 7:0 a.m. | 36 views

CVE-2019-9181

CVE-2019-9181 affects SchoolCMS v2.3.1. The issue arises in the logo upload feature (admin.php?m=admin&c=site&a=save): an attacker can upload a file with a .jpg extension, set Content-Type to image/php, and append PHP code after the JPEG data, enabling arbitrary PHP code execution on the server. ...

CVSS: 7.2 | AI score: 7.2 | EPSS: 0.01989
Exploits: 1 | References: 1 | Affected Software: 1

OSV
added 2019/02/23 7:29 p.m. | 13 views

CVE-2019-9052

An issue was discovered in Pluck 4.7.9-dev1. There is a CSRF vulnerability that can delete pictures via a /admin.php?action=deleteimage&var1= URI...

CVSS: 6.5 | AI score: 6.8
Exploits: 0 | References: 1

NVD
added 2019/02/23 7:29 p.m. | 20 views

CVE-2019-9048

An issue was discovered in Pluck 4.7.9-dev1. There is a CSRF vulnerability that can delete a theme aka topic via a /admin.php?action=themedelete&var1= URI...

CVSS: 6.5 | AI score: 6.5 | EPSS: 0.00556
Exploits: 1 | References: 1

Cvelist
added 2019/02/23 7:0 p.m. | 22 views

CVE-2019-9051

An issue was discovered in Pluck 4.7.9-dev1. There is a CSRF vulnerability that can delete articles via a /admin.php?action=deletepage&var1= URI...

AI score: 6.5 | EPSS: 0.00556
Exploits: 1 | References: 1

Prion
added 2019/02/07 7:29 p.m. | 14 views

Sql injection

Bo-blog Wind through 1.6.0-r allows SQL Injection via the admin.php/comments/batchdel/ comID parameter because this parameter is mishandled in the mode/admin.mode.php delBlockedBatch function...

CVSS: 7.5 | AI score: 9.8 | EPSS: 0.01505
Exploits: 1 | References: 1 | Affected Software: 1

CVE
added 2019/02/07 7:0 p.m. | 36 views

CVE-2019-7587

CVE-2019-7587 affects Bo-blog Wind through 1.6.0-r. The vulnerability is a SQL Injection in the admin.php/comments/batchdel/ comID parameter, caused by mishandling in the mode/admin.mode.php delBlockedBatch function. The connected sources corroborate the issue and describe it as a SQL injection v...

CVSS: 9.8 | AI score: 9.9 | EPSS: 0.01505
Exploits: 1 | References: 1 | Affected Software: 1

Prion
added 2019/02/07 7:29 a.m. | 13 views

Cross site scripting

An issue was discovered in Waimai Super Cms 20150505. admin.php?m=Member&a=adminaddsave has XSS via the username or password parameter...

CVSS: 4.3 | AI score: 6 | EPSS: 0.00826
Exploits: 1 | References: 1 | Affected Software: 1