Input validation

An issue was discovered in Elefant CMS before 2.0.7. There is a PHP Code Execution Vulnerability in /designer/add/stylesheet.php by using a .php extension in the New Stylesheet Name field in conjunction with ?php content, because of insufficient input validation in...

CVE-2018-16974

An issue was discovered in Elefant CMS before 2.0.7. There is a PHP Code Execution Vulnerability in apps/filemanager/upload/drop.php by using /filemanager/api/rm/.htaccess to remove the .htaccess file, and then using a filename that ends in .php followed by space characters for bypassing the...

CVE-2018-16975

An issue was discovered in Elefant CMS before 2.0.7. There is a PHP Code Execution Vulnerability in /designer/add/stylesheet.php by using a .php extension in the New Stylesheet Name field in conjunction with ?php content, because of insufficient input validation in...

CVE-2018-16974

An issue was discovered in Elefant CMS before 2.0.7. There is a PHP Code Execution Vulnerability in apps/filemanager/upload/drop.php by using /filemanager/api/rm/.htaccess to remove the .htaccess file, and then using a filename that ends in .php followed by space characters for bypassing the...

CVE-2018-16975

An issue was discovered in Elefant CMS before 2.0.7. There is a PHP Code Execution Vulnerability in /designer/add/stylesheet.php by using a .php extension in the New Stylesheet Name field in conjunction with ?php content, because of insufficient input validation in...

CVE-2018-16388

e107web/js/plupload/upload.php in e107 2.1.8 allows remote attackers to execute arbitrary PHP code by uploading a .php filename with the image/jpeg content type...

CVE-2018-16388

e107web/js/plupload/upload.php in e107 2.1.8 allows remote attackers to execute arbitrary PHP code by uploading a .php filename with the image/jpeg content type...

Monstra CMS Arbitrary PHP Code Execution Vulnerability (CNVD-2019-03475)

Monstra CMS is a lightweight PHP-based content management system CMS developed by Ukrainian software developer Sergey Romanenko. The system is easy to install and use, scalable and so on. An arbitrary PHP code execution vulnerability exists in Monstra CMS version 3.0.4, which stems from the...

Code injection

Monstra CMS 3.0.4 does not properly restrict modified Snippet content, as demonstrated by the admin/index.php?id=snippets&action=editsnippet&filename=google-analytics URI, which allows attackers to execute arbitrary PHP code by placing this code after a ?php substring...

CVE-2018-15886

Monstra CMS 3.0.4 does not properly restrict modified Snippet content, as demonstrated by the admin/index.php?id=snippets&action=editsnippet&filename=google-analytics URI, which allows attackers to execute arbitrary PHP code by placing this code after a ?php substring...

CVE-2018-15886

Monstra CMS 3.0.4 is affected by a PHP code execution vulnerability via modified Snippet content, enabling arbitrary PHP code execution (e.g., via selecting admin/snippets edit and appending code after a

CVE-2018-16771

Hoosk v1.7.0 allows PHP code execution via a SiteUrl that is provided during installation and mishandled in config.php...

CVE-2018-16771

Hoosk v1.7.0 allows PHP code execution via a SiteUrl that is provided during installation and mishandled in config.php...

Sql injection

Hoosk v1.7.0 allows PHP code execution via a SiteUrl that is provided during installation and mishandled in config.php...

CVE-2018-16771

Hoosk v1.7.0 allows PHP code execution via a SiteUrl that is provided during installation and mishandled in config.php...

Remote code execution

FUEL CMS 1.4.1 allows PHP Code Evaluation via the pages/select/ filter parameter or the preview/ data parameter. This can lead to Pre-Auth Remote Code Execution...

CVE-2018-16763

FUEL CMS 1.4.1 allows PHP Code Evaluation via the pages/select/ filter parameter or the preview/ data parameter. This can lead to Pre-Auth Remote Code Execution...

CVE-2018-16763

FUEL CMS 1.4.1 allows PHP Code Evaluation via the pages/select/ filter parameter or the preview/ data parameter. This can lead to Pre-Auth Remote Code Execution...

CVE-2018-16763

FUEL CMS 1.4.1 allows PHP Code Evaluation via the pages/select/ filter parameter or the preview/ data parameter. This can lead to Pre-Auth Remote Code Execution...

CVE-2018-16763

Summary (CVE-2018-16763) : Fuel CMS version 1.4.1 is vulnerable to a pre-auth Remote Code Execution via PHP code evaluation. The flaw is triggered through unsafe handling of user-controlled data in the pages/select/ filter parameter or the preview/ data parameter, allowing arbitrary PHP execution...