CVE-2020-25557
CMSUno 1.6.2 is affected by a code-injection vulnerability where an attacker can inject PHP code via the username field while changing their username/password. When the attacker logs in, the injected code executes, enabling an authenticated user to run commands on the server. Public advisories (e...
CVE-2020-25538
CMSUno 1.6.2 is affected by CVE-2020-25538: an authenticated attacker can inject malicious code into the lang parameter of /uno/central.php, resulting in PHP code execution in the web page and potentially a takeover of the server. This is a documented remote code execution vulnerability affecting CMSUno 1.6.2...
CVE-2021-36654
CMSUno 1.7 (and earlier) is affected by an authenticated stored cross-site scripting (XSS) vulnerability. The flaw is in the theme update flow: during a template image name submission, the attacker can modify the filename parameter (tgo) and inject payloads through it to trigger...
CVE-2020-15600
CVE-2020-15600 affects CMSUno versions prior to 1.6.1. The vulnerability is a cross-site request forgery in uno.php that allows an attacker to change the admin password. Several connected sources corroborate the issue and point to exposure in CMSUno before 1.6.1, with PoC examples and references ...
CVE-2021-40889
CMSUno 1.7.2 is affected by a PHP code execution vulnerability. The sauvePass action in {webroot}/uno/central.php writes the username to password.php via file_put_contents() after a password change, allowing an attacker to inject PHP code into password.php and trigger code execution through login...
CVE-2018-15567
CMSUno before 1.5.3 is vulnerable to a cross-site scripting (XSS) issue in the title field. The vulnerability is described as XSS via the title field, affecting versions prior to 1.5.3. Exploitation details, impacted components beyond the title field, and remediation steps are not provided in the...