Navigatecms Security Vulnerabilities - 2020

CVE-2020-14067

The install_from_hash functionality in Navigate CMS 2.9 does not consider the .phtml extension when examining files within a ZIP archive that may contain PHP code, in check_upload in lib/packages/extensions/extension.class.php and lib/packages/themes/theme.class.php.

CVE-2020-23654

NavigateCMS 2.9 is affected by Cross Site Scripting (XSS) via the module "Shop."

CVE-2020-23655

NavigateCMS 2.9 is affected by Cross Site Scripting (XSS) on module "Configuration."

CVE-2020-23656

NavigateCMS 2.9 is affected by Cross Site Scripting (XSS) on module "Content."

CVE-2020-23657

NavigateCMS 2.9 is affected by Cross Site Scripting (XSS) on module "Configuration."