9 matches found
CVE-2018-19196
An issue was discovered in XiaoCms 20141229. It allows remote attackers to execute arbitrary code by using the type parameter to bypass the standard admin\controller\uploadfile.php restrictions on uploaded file types jpg, jpeg, bmp, png, gif, as demonstrated by an...
CVE-2018-19192
An issue was discovered in XiaoCms 20141229. admin/index.php?c=content=add=3 has CSRF, as demonstrated by entering news via the datacontent parameter...
CVE-2018-19193
An issue was discovered in XiaoCms 20141229. There is XSS via the largest input box on the "New news" screen...
EUVD-2018-6253
Malware in sbrugna...
EUVD-2018-10904
Malware in sbrugna...
EUVD-2018-10901
Malware in sbrugna...
EUVD-2018-10905
Malware in sbrugna...
CVE-2019-6127
An issue was discovered in XiaoCms 20141229. It allows admin/index.php?c=database table SQL injection. This can be used for PHP code execution via "INTO OUTFILE" with a .php filename...
xiaoCMS Arbitrary File Upload Vulnerability
xiaoCMS is a PHP+MySQL open source web application for publishing news and building corporate and personal portals. xiaoCMS has an arbitrary file upload vulnerability due to lax program filtering. An attacker who exploits the vulnerability can upload a PHP webshell and then control the serve...