150 matches found
Design/Logic Flaw
joyplus-cms 1.6.0 has XSS via the manager/collect/collectvodzhuiju.php keyword parameter...
Sql injection
manager/adminajax.php in joyplus-cms 1.6.0 has SQL Injection, as demonstrated by crafted POST data beginning with an "mid=1 AND SLEEP5" substring...
CVE-2018-14501
manager/adminajax.php in joyplus-cms 1.6.0 has SQL Injection, as demonstrated by crafted POST data beginning with an "mid=1 AND SLEEP5" substring...
CVE-2018-14500
joyplus-cms 1.6.0 has XSS via the manager/collect/collectvodzhuiju.php keyword parameter...
CVE-2018-14501
CVE-2018-14501 affects joyplus-cms 1.6.0, where manager/admin_ajax.php is vulnerable to SQL injection via crafted POST data starting with m_id=1 AND SLEEP(5). The vulnerability arises from unsanitized input passed to SQL queries in that endpoint, enabling an attacker to execute arbitrary SQL comm...
CVE-2018-14500
Joyplus-cms 1.6.0 contains a cross-site scripting (XSS) vulnerability in the writer/collect_vod_zhuiju.php endpoint where the keyword parameter can be injected with arbitrary script/HTML. Public disclosures across CVE/NVD/CNVD confirm XSS via the manager/collect/collect_vod_zhuiju.php keyword par...
joyplus-cms cross-site scripting vulnerability (CNVD-2018-17480)
joyplus-cms joy video is an open source video backend management system based on PHP and MySQL. The system has a video resource acquisition , user feedback management , automatic address resolution and message push management and other functions . A cross-site scripting vulnerability exists in...
joyplus-cms SQL Injection Vulnerability
joyplus-cms joy video is an open source video backend management system based on PHP and MySQL. The system has a video resource acquisition , user feedback management , automatic address resolution and message push management and other functions . A SQL injection vulnerability exists in joyplus-c...
CVE-2018-14389
joyplus-cms 1.6.0 has SQL Injection via the manager/adminajax.php val parameter...
Design/Logic Flaw
joyplus-cms 1.6.0 has XSS via the manager/adminajax.php cansearchdevice array parameter...
CVE-2018-14388
joyplus-cms 1.6.0 has XSS via the manager/adminajax.php cansearchdevice array parameter...
Sql injection
joyplus-cms 1.6.0 has SQL Injection via the manager/adminajax.php val parameter...
CVE-2018-14389
joyplus-cms 1.6.0 has SQL Injection via the manager/adminajax.php val parameter...
CVE-2018-14388
joyplus-cms 1.6.0 has XSS via the manager/adminajax.php cansearchdevice array parameter...
CVE-2018-14389
joyplus-cms 1.6.0 has SQL Injection via the manager/adminajax.php val parameter...
CVE-2018-14389
Joyplus-cms 1.6.0 is affected by a SQL Injection vulnerability in the manager/admin_ajax.php val parameter. The CVE-2018-14389 entry notes an injection that could impact backend data, with CVSSv3.0 base score 9.8 (CRITICAL) and CVSSv2.0 7.5 (HIGH). Connected records consistently identify joyplus-...
CVE-2018-14388
Joyplus-cms 1.6.0 is vulnerable to cross-site scripting (XSS) via the can_search_device parameter sent to manager/admin_ajax.php. The root cause is unsanitized user input in that parameter, allowing arbitrary script execution in a user’s browser. Multiple sources (NVD, Red Hat, CNVD, CNVD, PRION,...
CVE-2018-14334
manager/editor/upload.php in joyplus-cms 1.6.0 allows arbitrary file upload because detection of a prohibited file extension simply sets the $errm value, and does not otherwise alter the flow of control. Consequently, one can upload and execute a .php file, a similar issue to CVE-2018-8766...
Design/Logic Flaw
manager/editor/upload.php in joyplus-cms 1.6.0 allows arbitrary file upload because detection of a prohibited file extension simply sets the $errm value, and does not otherwise alter the flow of control. Consequently, one can upload and execute a .php file, a similar issue to CVE-2018-8766...
CVE-2018-14334
manager/editor/upload.php in joyplus-cms 1.6.0 allows arbitrary file upload because detection of a prohibited file extension simply sets the $errm value, and does not otherwise alter the flow of control. Consequently, one can upload and execute a .php file, a similar issue to CVE-2018-8766...