CVE-2018-17035
The vulnerability CVE-2018-17035 affects UCMS 1.4.6, where an SQL injection can occur during installation via the install/index.php mysql_dbname parameter. Affected component is UCMS (PHP-based CMS); root cause is unsafely handled mysql_dbname input during setup, enabling potential SQL command ex...
CVE-2018-17034
UCMS 1.4.6 contains a Cross-Site Scripting (XSS) vulnerability controllable via the mysql_dbname parameter in install/index.php. Multiple connected sources (NVD entry CVE-2018-17034 and CNVD/CVE listings) confirm an XSS flaw capable of injecting arbitrary scripts/HTML in affected users’ browsers....
CVE-2018-10570
Frog CMS 0.9.5 has XSS in /install/index.php via the 'config[adminusername]' field...
CVE-2017-16514
Multiple persistent stored Cross-Site Scripting (XSS) vulnerabilities in the files /wb/admin/admintools/tool.php (Droplet Description) and /install/index.php (Site Title) in WebsiteBaker 2.10.0 allow attackers to insert persistent JavaScript code that gets reflected back to users in multiple areas in t...
Cross site scripting
paintballrefjosh/MaNGOSWebV4 before 4.0.8 is vulnerable to a reflected XSS in install/index.php step parameter...
CVE-2017-6478
MaNGOSWebV4 before 4.0.8 is vulnerable to a reflected XSS in install/index.php (step parameter) as CVE-2017-6478. Connected sources show PoCs and exploits targeting MaNGOSWebV4 4.0.6/4.0.8-era builds, including references to reflected XSS proofs of concept and related injections (SQL/XML/host-hea...
zzcms Product version \install\index.php re-installation vulnerability
No description provided by source...
CVE-2014-7987
Cross-site scripting (XSS) vulnerability in EspoCRM before 2.6.0 allows remote attackers to inject arbitrary web script or HTML via the desc parameter in an errors action to install/index.php...
CVE-2014-7985
Directory traversal vulnerability in EspoCRM before 2.6.0 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the action parameter to install/index.php...
ThinkSAAS 2.2 GET-type CSRF to Getshell
Brief description: I had meant to submit the backend Getshell together with the XSS vulnerability... but I forgot. Later I found that this hole is a GET-type CSRF, convenient to exploit, suitable for everyone, and in a community CMS its impact can be described as unlimited. Detailed description: /app/system/action/plugin.php, line 83: case "delete": $apps = $_GET['apps']; $pname = $_GET['pname']; delDir('plugins/'.$apps.'/'.$pname); qiMsg('删除成功!'); break; The values obtained from GET are concatenated into a path and passed to the delDir function. The delDir function: /* delete a folder and all the files under it...
CVE-2014-5106
The CVE-2014-5106 entry describes a cross-site scripting (XSS) vulnerability in Invision Power IP.Board (IPB) 3.4.x through 3.4.6. An attacker could inject arbitrary web script or HTML via the HTTP Referer header to admin/install/index.php. This applies to IPB 3.4.x–3.4.6; no exploitation details...
Kleeja Upload Center Script CRLF Injection
Exploit Title: Kleeja Upload Center Script CRLF injection Author: Ashiyane Digital Security Team home: http://ashiyane.org/forums version: 1.0.1 software link: www.Kleeja.com Date: Sunday - 2012 25 November Google Dork: intext:Kleeja © 2007-2012. All rights reserved Type: CRLF injection Tested...
WebCalendar 1.2.4 - Remote Code Execution
<?php /* ----------------------------------------------------------------------- WebCalendar <= 1.2.4 install/index.php Remote Code Execution Exploit ----------------------------------------------------------------------- author..........: Egidio Romano aka EgiX mail............:...