An issue was discovered in HongCMS v3.0.0. There is a CSRF vulnerability that can add an administrator account via the admin/index.php/users/save URI.
CVSS 8.8 | AI Score 8.6 | EPSS 0.001
An issue was discovered in HongCMS 3.0.0. The post news feature has Stored XSS via the content field.
CVSS 4.8 | AI Score 4.8 | EPSS 0.001
system\errors\404.php in HongCMS 3.0.0 has XSS via crafted input that triggers a 404 HTTP status code.
CVSS 6.1 | AI Score 5.9 | EPSS 0.001
An issue was discovered in admin\controllers\database.php in HongCMS 3.0.0. There is a SQL Injection vulnerability via an admin/index.php/database/operate?dbaction=emptytable&tablename= URI.
CVSS 7.2 | AI Score 7.3 | EPSS 0.002
An issue was discovered in HongCMS 3.0.0. There is an Arbitrary Script File Upload issue that can result in PHP code execution via the admin/index.php/template/upload URI.
CVSS 7.2 | AI Score 7.3 | EPSS 0.001
HongCMS 3.0.0 allows arbitrary file deletion via a ../ in the file parameter to admin/index.php/language/ajax?action=delete.
CVSS 7.5 | AI Score 6.5 | EPSS 0.001
HongCMS 3.0.0 allows arbitrary file deletion via a ../ in the file parameter to admin/index.php/database/ajax?action=delete, a similar issue to CVE-2018-16774. (If the attacker deletes config.php and visits install/index.php, they can reinstall the product.)
CVSS 6.5 | AI Score 6.8 | EPSS 0.001
HongCMS 3.0.0 allows arbitrary file read and write operations via a ../ in the filename parameter to the admin/index.php/language/edit URI.
CVSS 6.5 | AI Score 6.4 | EPSS 0.001
Path Traversal in HongCMS v4.0.0 allows remote attackers to view, edit, and delete arbitrary files via a crafted POST request to the component "/hcms/admin/index.php/language/ajax".
CVSS 9.8 | AI Score 9.2 | EPSS 0.011
Cross Site Request Forgery vulnerability in Neeke HongCMS 3.0.0 allows a remote attacker to execute arbitrary code and escalate privileges via the updateusers parameter.
CVSS 8.8 | AI Score 9 | EPSS 0.003
HongCMS v3.0 contains an arbitrary file read and write vulnerability in the component /admin/index.php/template/edit.
CVSS 6.5 | AI Score 6.4 | EPSS 0.001
Cross Site Scripting (XSS) vulnerability in HongCMS 3.0 allows attackers to run arbitrary code via the callback parameter to /ajax/myshop.
CVSS 6.1 | AI Score 6 | EPSS 0.001
HongCMS 3.0.0 allows arbitrary file deletion via the component /admin/index.php/template/ajax?action=delete.
CVSS 8.1 | AI Score 8 | EPSS 0.001
An issue in the languages config file of HongCMS v3.0 allows attackers to get a shell.
CVSS 7.2 | AI Score 6.9 | EPSS 0.001
An issue in the /template/edit component of HongCMS v3.0 allows attackers to get a shell.
CVSS 7.2 | AI Score 6.9 | EPSS 0.001