5 matches found
CVE-2017-16920
v5/config/system.php in dayrui FineCms 5.2.0 has a default SYSKEY value and does not require key regeneration for each installation, which allows remote attackers to upload arbitrary .php files via a member api swfupload action to index.php...
Design/Logic Flaw
v5/config/system.php in dayrui FineCms 5.2.0 has a default SYSKEY value and does not require key regeneration for each installation, which allows remote attackers to upload arbitrary .php files via a member api swfupload action to index.php...
CVE-2017-16920
v5/config/system.php in dayrui FineCms 5.2.0 has a default SYSKEY value and does not require key regeneration for each installation, which allows remote attackers to upload arbitrary .php files via a member api swfupload action to index.php...
Cross site scripting
dayrui FineCms 5.2.0 before 2017.11.16 has Cross Site Scripting (XSS) in core/MController.php via the DRURI field...
CVE-2017-16866
dayrui FineCms 5.2.0 before 2017.11.16 has Cross Site Scripting (XSS) in core/MController.php via the DRURI field...