4 matches found
CVE-2021-37393
In RPCMS v1.8 and below, the "nickname" variable is not properly sanitized before being displayed on page. Attacker can use "update password" function to inject XSS payloads into nickname variable, and achieve stored XSS. Users who view the articles published by the injected user will trigger the...
Cross site scripting
In RPCMS v1.8 and below, the "nickname" variable is not properly sanitized before being displayed on page. Attacker can use "update password" function to inject XSS payloads into nickname variable, and achieve stored XSS. Users who view the articles published by the injected user will trigger the...
Design/Logic Flaw
In RPCMS v1.8 and below, attackers can interact with API and change variable "role" to "admin" to achieve admin user registration...
CVE-2021-37394
RPCMS (v1.8 and earlier) contains an API-level flaw that allows attackers to alter the user role parameter to admin via the API, enabling admin account registration. The connected sources consistently describe this as a role-parameter manipulation vulnerability affecting RPCMS v1.8 and below, lea...