BossCMS suffers from an arbitrary file upload vulnerability (CNVD-2022-25692)
BossCMS is a secure, stable, permanently free and open-source enterprise website-building system built on a self-developed PHP framework. The BossCMS arbitrary file upload vulnerability can be exploited by attackers to gain control of the server...
BossCMS V1.1 Arbitrary File Download Vulnerability in Background
BossCMS is a secure, stable, permanently free and open-source enterprise website-building system built on a self-developed PHP framework. Through the BossCMS background arbitrary file download vulnerability, attackers can download any file on the server...
Input validation
Octobercms is a self-hosted CMS platform based on the Laravel PHP Framework. Affected versions of OctoberCMS did not validate gateway server signatures. As a result non-authoritative gateway servers may be used to exfiltrate user private keys. Users are advised to upgrade their installations to...
CVE-2022-23655
CVE-2022-23655 affects Octobercms (Laravel-based) where affected versions did not validate gateway server signatures. This allows non-authoritative gateway servers to exfiltrate user private keys. The fix is available via upgrading to build 474 or v1.1.10, or applying the patch commit e3b455ad587...
CVE-2022-23655 Missing server signature validation in OctoberCMS
Octobercms is a self-hosted CMS platform based on the Laravel PHP Framework. Affected versions of OctoberCMS did not validate gateway server signatures. As a result non-authoritative gateway servers may be used to exfiltrate user private keys. Users are advised to upgrade their installations to...
CVE-2022-21705
October CMS (Laravel-based) is vulnerable to an authenticated remote code execution due to improper sanitization of user input in admin pages, allowing bypass of cms.safe_mode/cms.enableSafeMode and arbitrary code execution. Affected builds were fixed in Build 474 (1.0.474) and 1.1.10; manual rem...
CVE-2022-21705 Authenticated remote code execution in octobercms
Octobercms is a self-hosted CMS platform based on the Laravel PHP Framework. In affected versions user input was not properly sanitized before rendering. An authenticated user with the permissions to create, modify and delete website pages can exploit this vulnerability to bypass cms.safemode /...
Command Execution Vulnerability in BossCMS of Wenzhou Huyin Information Technology Co. Ltd (CNVD-2022-20212)
BossCMS is a content management system based on a self-developed PHP framework + MySQL architecture, developed by Wenzhou Huyin Information Technology Co. A command execution vulnerability exists in BossCMS, which can be exploited by attackers to gain server privileges...
XSS Vulnerability in BossCMS of Wenzhou Huyin Information Technology Co. Ltd (CNVD-2022-21727)
BossCMS is a content management system based on a self-developed PHP framework + MySQL architecture, developed by Wenzhou Huyin Information Technology Co. There is an XSS vulnerability in BossCMS, which can be exploited by attackers to obtain sensitive information such as user cookies...
Arbitrary File Deletion Vulnerability in BossCMS of Wenzhou Huanxin Information Technology Company Limited (CNVD-2022-21723)
BossCMS is a content management system based on a self-developed PHP framework + MySQL architecture, developed by Wenzhou Huyin Information Technology Co. BossCMS has an arbitrary file deletion vulnerability, which can be exploited to delete any file on the server...
Command Execution Vulnerability in BossCMS of Wenzhou Huyin Information Technology Co.
BossCMS is a content management system based on a self-developed PHP framework + MySQL architecture, developed by Wenzhou Huyin Information Technology Co. A command execution vulnerability exists in BossCMS, which can be exploited to gain server privileges...
XSS Vulnerability in BossCMS of Wenzhou Huyin Information Technology Co.
BossCMS is a content management system based on a self-developed PHP framework + MySQL architecture, developed by Wenzhou Huyin Information Technology Co. There is an XSS vulnerability in BossCMS, which can be exploited by attackers to obtain sensitive information such as user cookies...
Arbitrary File Deletion Vulnerability in BossCMS
BossCMS is a content management system based on a self-developed PHP framework + MySQL architecture. BossCMS has an arbitrary file deletion vulnerability that can be exploited by an attacker to delete arbitrary files...
Cross site request forgery (csrf)
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony form component provides a CSRF protection mechanism by using a random token injected in the form and using the session to store and control the token submitted by the user. When using the...
CVE-2022-23601 CSRF token missing in Symfony
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony form component provides a CSRF protection mechanism by using a random token injected in the form and using the session to store and control the token submitted by the user. When using the...
CVE-2022-23601
CVE-2022-23601 affects the Symfony form component (FrameworkBundle) where CSRF protection was not enabled by default after a configuration-loading change. This made applications vulnerable to CSRF attacks when the default was not explicitly enabled. The issue is resolved in patch versions; users ...
CVE-2021-32649
October CMS is a self-hosted content management system (CMS) platform based on the Laravel PHP Framework. Prior to versions 1.0.473 and 1.1.6, an attacker with "create, modify and delete website pages" privileges in the backend is able to execute PHP code by running specially crafted Twig code in t...
CVE-2021-32650
October CMS is a self-hosted content management system (CMS) platform based on the Laravel PHP Framework. Prior to versions 1.0.473 and 1.1.6, an attacker with access to the backend is able to execute PHP code by using the theme import feature. This will bypass the safe mode feature that prevents P...
Code injection
October CMS is a self-hosted content management system (CMS) platform based on the Laravel PHP Framework. Prior to versions 1.0.473 and 1.1.6, an attacker with "create, modify and delete website pages" privileges in the backend is able to execute PHP code by running specially crafted Twig code in t...
CVE-2021-32649 Authenticated file write leads to remote code execution in october/system
October CMS is a self-hosted content management system (CMS) platform based on the Laravel PHP Framework. Prior to versions 1.0.473 and 1.1.6, an attacker with "create, modify and delete website pages" privileges in the backend is able to execute PHP code by running specially crafted Twig code in t...