6 matches found
CVE-2009-4224
The CVE affects SweetRice versions 0.5.4, 0.5.3 and earlier. It describes PHP remote file inclusion via a URL supplied in the root_dir parameter to two paths: _plugin/subscriber/inc/post.php and as/lib/news_modify.php, allowing arbitrary PHP code execution on affected systems. The connected docum...
CVE-2009-4231
CVE-2009-4231 describes a directory traversal in SweetRice (versions 0.5.3 and earlier) affecting as/lib/plugins.php. An attacker can trigger local file inclusion and execution by supplying .. in the plugin parameter, enabling arbitrary local file access and execution. The connected records confi...
CVE-2010-5318
CVE-2010-5318 affects SweetRice CMS prior to version 0.6.7.1. The vulnerability resides in the password-reset feature of as/index.php, where remote attackers can modify the administrator password by supplying the administrator’s email address in the email parameter. No exploit details are provide...
CVE-2010-5316
CVE-2010-5316 refers to a cross-site scripting (XSS) vulnerability in SweetRice CMS, affecting versions before 0.6.7.1. The issue lies in as/index.php, where an attacker can inject arbitrary web script or HTML via a top_height cookie. The connected records confirm the vulnerability vector and aff...
CVE-2010-5317
SweetRice CMS (PHP) contains multiple SQL injection vulnerabilities in index.php prior to version 0.6.7.1. The issues allow remote attackers to inject arbitrary SQL via: (1) file_name in an attachment action, (2) post in show_comment, (3) sys-name in rssfeed, and (4) sys-name in view. Exploitatio...
CVE-2011-3804
SweetRice 0.7.1 has an information disclosure vulnerability: a direct request to a PHP file causes an error message that reveals the installation path to remote attackers (for example, _plugin/tiny_mce/plugins/advimage/images.php). The issue is documented across multiple sources (NVD, ...