4 matches found
CVE-2025-50234
MCCMS v2.7.0 has an SSRF vulnerability located in the index method of the sys\apps\controllers\api\Gf.php file, where the pic parameter is processed. The pic parameter is decrypted using the sysauth$pic, 1 function, which utilizes a hard-coded key McEncryptionKey bD2voYwPpNuJ7B8, defined in the...
CVE-2025-50234
Summary: MCCMS v2.7.0 contains an SSRF vulnerability in the index() method of sys/apps/controllers/api/Gf.php where the pic parameter is decrypted via sys_auth($pic,1) using a hard-coded key Mc_Encryption_Key (bD2voYwPpNuJ7B8) defined in db.php. The decrypted URL is passed to geturl(), which uses...
CVE-2025-51651
An authenticated arbitrary file download vulnerability in the component /admin/Backups.php of Mccms v2.7.0 allows attackers to download arbitrary files via a crafted GET request...
CVE-2025-51651
An authenticated arbitrary file download vulnerability in the component /admin/Backups.php of Mccms v2.7.0 allows attackers to download arbitrary files via a crafted GET request...