GHSA-3FH5-Q6FG-W28Q Prototype pollution in Snowboard framework
Impact: The Snowboard framework in affected versions is vulnerable to prototype pollution in the main Snowboard class as well as its plugin loader. Patches: This issue has been patched in https://github.com/wintercms/winter/commit/2a13faf99972e84c9661258f16c4750fa99d29a1 for 1.2 and...
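The advisory names two sinks, the main class and the plugin loader, but does not quote code. The block below is an added illustration, not Snowboard's or Winter CMS's code: `mergeUnsafe`, `findPluginUnsafe` and their hardened counterparts are hypothetical functions that show the two usual shapes of this bug in a browser framework. A deep merge of caller-supplied options descends into a `__proto__` key and writes onto `Object.prototype`; a registry lookup of the form `registry[name]` then "finds" the planted key because it walks the prototype chain. The attacker payload is constructed inline.

```javascript
'use strict';

// Keys that must never be written through when merging untrusted data.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable: deep-merges caller-supplied options into a config object.
// JSON.parse('{"__proto__": {...}}') yields an OWN property named "__proto__",
// so Object.keys() returns it; target["__proto__"] then resolves to
// Object.prototype and the recursion writes the attacker's keys onto it.
function mergeUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      mergeUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: skip the dangerous keys and only descend into OWN properties of target.
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      if (own === null || typeof own !== 'object') {
        target[key] = {};
      }
      mergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hypothetical plugin registry keyed by name. registry[name] walks the prototype
// chain, so any key planted on Object.prototype looks like a registered plugin.
function findPluginUnsafe(registry, name) {
  return registry[name] || null;
}

// Hardened lookup: only own properties count as registered plugins.
function findPluginSafe(registry, name) {
  return Object.prototype.hasOwnProperty.call(registry, name) ? registry[name] : null;
}

function demonstrate() {
  // Constructed attacker-controlled input, e.g. options parsed from a data-attribute.
  const payload = JSON.parse('{"__proto__": {"evilPlugin": {"handler": "x"}}, "debug": true}');
  const registry = { modal: { handler: 'modal' } };
  const result = {};

  result.unsafeBefore = findPluginUnsafe(registry, 'evilPlugin');            // null
  mergeUnsafe({}, payload);                                                  // pollutes Object.prototype
  result.unsafeAfter = findPluginUnsafe(registry, 'evilPlugin');             // { handler: 'x' } is now "found"
  result.safeLookupAfterPollution = findPluginSafe(registry, 'evilPlugin');  // null: own properties only
  delete Object.prototype.evilPlugin;                                        // undo the global damage

  const config = mergeSafe({}, payload);
  result.safeAfter = findPluginUnsafe(registry, 'evilPlugin');               // null: nothing was planted
  result.configDebug = config.debug;                                         // true: ordinary keys still merge
  result.configHasEvil = 'evilPlugin' in config;                             // false
  return result;
}

module.exports = { mergeUnsafe, mergeSafe, findPluginUnsafe, findPluginSafe, demonstrate };
```

Note that fixing only the lookup (`findPluginSafe`) is not enough: the merge still corrupts every object in the page, so both the write side and the read side need the own-property discipline. Checking `UNSAFE_KEYS` before recursing is what prevents the write onto `Object.prototype`.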
CVE-2022-23655 Missing server signature validation in OctoberCMS
Input validation
OctoberCMS is a self-hosted CMS platform based on the Laravel PHP Framework. Affected versions of OctoberCMS did not validate gateway server signatures. As a result, non-authoritative gateway servers may be used to exfiltrate user private keys. Users are advised to upgrade their installations to...
Authenticated remote code execution in October CMS
Impact: An authenticated user with the permissions to create, modify and delete website pages can exploit this vulnerability to bypass cms.safemode / cms.enableSafeMode in order to execute arbitrary code. - This issue only affects admin panels that rely on safe mode and restricted permissions. - T...
CVE-2020-18449
Cross site scripting
A cross-site scripting (XSS) vulnerability exists in UKCMS v1.1.10 via data in the index function in Single.php...
CVE-2020-18449 : XSS vulnerability in UKCMS v1.1.10, triggered by data in the index function of Single.php. Root cause: inadequate input handling/sanitization in that function. Impact: user-visible cross-site scripting as described; exploitation details not provided in the supplied documents. Rem...
CVE-2019-10888
Cross site request forgery (CSRF)
A CSRF issue that can add an admin user was discovered in UKcms v1.1.10 via admin.php/admin/role/add.html...
UKcms v1.1.10 is affected by a cross-site request forgery (CSRF) vulnerability that can be exploited through admin.php/admin/role/add.html to add an administrator account. The issue stems from CSRF protection gaps on the role-management endpoint, enabling privilege escalation by creating an admin...