114 matches found
CVE-2019-19900
An issue was discovered in Backdrop CMS 1.13.x before 1.13.5 and 1.14.x before 1.14.2. It doesn't sufficiently filter output when displaying content type names in the content creation interface. An attacker could potentially craft a specialized content type name, then have an editor execute...
CVE-2025-35939
Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using an independent vulnerability. Craft CMS redirects requests that require authentication to the login page and generates a session file on the server at...
CVE-2025-35939
Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using an independent vulnerability. Craft CMS redirects requests that require authentication to the login page and generates a session file on the server at...
Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability
Sitecore CMS and Experience Platform XP contain a deserialization vulnerability in the Sitecore.Security.AntiCSRF module that allows an authenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter CSRFTOKEN...
CVE-2025-27412 REDAXO allows Authenticated Reflected Cross Site Scripting - packages installation
REDAXO is a PHP-based CMS. In Redaxo from 5.0.0 through 5.18.2, the rex-api-result parameter is vulnerable to Reflected cross-site scripting XSS on the page of AddOns. This vulnerability is fixed in 5.18.3...
CVE-2021-37626
Contao is an open source CMS that allows you to create websites and scalable web applications. In affected versions it is possible to load PHP files by entering insert tags in the Contao back end. Installations are only affected if they have untrusted back end users who have the rights to modify...
PT-2025-1671 · Progress · Sitefinity
Name of the Vulnerable Software and Affected Versions: Progress Sitefinity versions 4.0 through 14.4.8142 Progress Sitefinity versions 15.0.8200 through 15.0.8229 Progress Sitefinity versions 15.1.8300 through 15.1.8327 Progress Sitefinity versions 15.2.8400 through 15.2.8421 Description: The iss...
Craft CMS Unauthenticated Remote Code Execution Vulnerability
Craft CMS is a user-friendly, web-based content management system for creating and managing website content. Craft CMS has a security vulnerability due to the opening of registerargcargv in the PHP configuration, which can be exploited by an attacker to execute arbitrary code and take control of...
CVE-2024-54149
Winter CMS has a sandbox bypass in Twig templates that affects versions prior to 1.2.7, 1.1.11, and 1.0.476. If an attacker has backend access with cms.manage_layouts, cms.manage_pages, or cms.manage_partials, they can modify or delete theme resources and potentially manipulate model data passed ...
PT-2024-95: Cross-Site Request Forgery (CSRF) and Reflected Cross-Site Scripting (XSS) in Netcat CMS (module netshop)
The vulnerability was identified in Netcat CMS module netshop, version 6.4 Extra. The vulnerability is related to cross-site request forgery. The discovered vulnerability allows an authorized attacker with the administrator role to execute arbitrary JavaScript code in the browser of the attacked...
October CMS safe mode bypass using Page template injection
Impact An authenticated backend user with the editor.cmspages, editor.cmslayouts, or editor.cmspartials permissions who would normally not be permitted to provide PHP code to be executed by the CMS due to cms.safemode being enabled can craft a special request to include PHP code in the CMS...
Information stealer compromises legitimate sites to attack other sites
Security researchers at Akamai have published a blog about a new Magecart-alike web skimming campaign that uses compromised legitimate sites as command and control C2 servers. A web skimmer is a piece of malicious code embedded in web payment pages to steal personally identifiable information PII...
Clansphere CMS 2011.4 - Stored Cross-Site Scripting (XSS)
Exploit Title: Clansphere CMS 2011.4 - Stored Cross-Site Scripting XSS Exploit Author: Sinem Şahin Date: 2022-10-08 Vendor Homepage: https://www.csphere.eu/ Version: 2011.4 Tested on: Windows & XAMPP == Tutorial http://HOST/index.php?mod=buddys&action=create&id=925872 2- Write XSS Payload into th...
CVE-2022-43687
Concrete CMS formerly concrete5 below 8.5.10 and between 9.0.0 and 9.1.2 does not issue a new session ID upon successful OAuth authentication. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+...
Navigate CMS 2.9.4 - Server-Side Request Forgery (SSRF) (Authenticated)
!/usr/bin/env python3 Exploit Title: Navigate CMS 2.9.4 - Server-Side Request Forgery SSRF Authenticated Exploit Author: cheshireca7 Vendor Homepage: https://www.navigatecms.com/ Software Link: https://sourceforge.net/projects/navigatecms/files/releases/navigate-2.9.4r1561.zip/download Version:...
CVE-2022-29287
Kentico CMS before 13.0.66 has an Insecure Direct Object Reference vulnerability. It allows an attacker with user management rights default is Administrator to export the user options of any user, even ones with higher privileges like Global Administrators than the current user. The exported XML...
CVE-2022-23043
Zenario CMS 9.2 allows an authenticated admin user to bypass the file upload restriction by creating a new 'File/MIME Types' using the '.phar' extension. Then an attacker can upload a malicious file, intercept the request and change the extension to '.phar' in order to run commands on the server...
CVE-2021-22953
A CSRF in Concrete CMS version 8.5.5 and below allows an attacker to clone topics which can lead to UI inconvenience, and exhaustion of disk space.Credit for discovery: "Solar Security Research Team"...
CVE-2021-39459
CVE-2021-39459 affects Redaxo CMS (Yakamara) in version 5.12.1, where an authenticated CMS user can trigger remote code execution through a module containing malicious PHP code in the modules component. The Red Hat entry corroborates the issue as a remote code execution vulnerability in Redaxo 5....
Cross site scripting
In Fiyo CMS 2.0.6.1, the 'tag' parameter results in an unauthenticated XSS attack...