4 matches found
Cross-site scripting
nopCommerce through 4.20 allows XSS in the SaveStoreMappings of the components \Presentation\Nop.Web\Areas\Admin\Controllers\NewsController.cs and \Presentation\Nop.Web\Areas\Admin\Controllers\BlogController.cs via Body or Full to Admin/News/NewsItemEdit/id Admin/Blog/BlogPostEdit/id. NOTE: the...
Thunderwind Movie CMS v3.3.0 SQL Injection Vulnerability in NewsController.class.php Page
Thunderwind Movie CMS is a PHP content management program built on the ThinkPHP 3.2.3 framework, suitable for all kinds of video, film and television websites. A SQL injection vulnerability exists in the NewsController.class.php page of Thunderwind Movie CMS v3.3.0. Attackers can...
SQL injection
SQL injection vulnerability in NewsController.php in the News module 5.3.2 and earlier for TYPO3 allows unauthenticated users to execute arbitrary SQL commands via vectors involving overwriteDemand for order and OrderByAllowed...
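YXCMS version 1.2.6: 1 arbitrary file deletion + 6 unauthorized operations
Brief description: YXCMS version 1.2.6: 1 arbitrary file deletion + 6 unauthorized operations. Details: A simple audit found one arbitrary file deletion vulnerability in YXcms (not the one already submitted on wooyun) and multiple unauthorized operations (only one is given as proof). 1. Arbitrary file deletion vulnerability. The code with this vulnerability is in the delcover function in /protected/apps/member/controller/newsController.php: public function delcover() { /* file save directory */ $id=in($_POST['id']); $pic=in($_POST['pic']); $data['picture']= $this->nopic;...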