8 matches found
CVE-2019-6127
CVE-2019-6127 affects XiaoCms 20141229. The vulnerability is a SQL injection in the admin/index.php?c=database table[] path, enabling an attacker to perform PHP code execution via INTO OUTFILE with a .php filename. The references confirm the same description across multiple sources, indicating a ...
Cross site request forgery (csrf)
An issue was discovered in XiaoCms 20141229. admin/index.php?c=content&a=add&catid=3 has CSRF, as demonstrated by entering news via the datacontent parameter...
CVE-2018-19197
An issue was discovered in XiaoCms 20141229. admin\controller\database.php allows arbitrary directory deletion via admin/index.php?c=database&a=import&paths=../ directory traversal...
Design/Logic Flaw
An issue was discovered in XiaoCms 20141229. It allows remote attackers to execute arbitrary code by using the type parameter to bypass the standard admin\controller\uploadfile.php restrictions on uploaded file types jpg, jpeg, bmp, png, gif, as demonstrated by an...
CVE-2018-19195
An issue was discovered in XiaoCms 20141229. There is XSS related to the template\default\showproduct.html file...
CVE-2018-19192
An issue was discovered in XiaoCms 20141229. admin/index.php?c=content&a=add&catid=3 has CSRF, as demonstrated by entering news via the datacontent parameter...
CVE-2018-19197
An issue was discovered in XiaoCms 20141229. admin\controller\database.php allows arbitrary directory deletion via admin/index.php?c=database&a=import&paths=../ directory traversal...
CVE-2018-19194
An issue was discovered in XiaoCms 20141229. /admin/index.php?c=database allows full path disclosure in a "failed to open stream" error message...