DoucoDouphp

20 matches found

added 2022/03/25 3:59 p.m., 89 views

CVE-2022-25574

CVE-2022-25574 describes a stored XSS in the upload function /admin/show.php, affecting DouPHP (and related DouPhp/DouShell references in the connected entries). The root cause is insufficient input validation/escaping in the image upload pathway, allowing crafted image files to execute arbitrary...

CVSS 4.8, AI score 4.9, EPSS 0.00288

added 2022/03/30 11:49 a.m., 78 views

CVE-2022-24131

CVE-2022-24131 affects DouPHP v1.6 Release 20220121. The issue is a Cross Site Scripting (XSS) vulnerability in the backend via /admin/login.php that can lead to JavaScript code execution. Exploitation details, affected versions beyond the stated release, and remediation steps are not provided in...

CVSS 6.1, AI score 6.2, EPSS 0.00427

added 2024/08/18 10:31 p.m., 66 views

CVE-2024-7917

DouPHP 1.7 Release 20220822 is affected in the Favicon Handler, specifically /admin/system.php where the site_favicon parameter enables unrestricted file upload. The issue is exploitable remotely and documented as a full unrestricted upload vulnerability, implying risk of arbitrary file upload on...

CVSS 7.2, AI score 4.9, EPSS 0.00096
Web

added 2023/01/12 12:00 a.m., 54 views

CVE-2022-46438

The CVE-2022-46438 vulnerability affects DouPHP v1.7 (build 20221118) in the /admin/article_category.php component. It enables cross-site scripting (XSS) by injecting a crafted payload into the description parameter of the affected function, allowing execution of arbitrary web scripts/HTML in a u...

CVSS 5.4, AI score 5.3, EPSS 0.00213
Web

added 2018/12/28 3:00 p.m., 52 views

CVE-2018-20564

CVE-2018-20564 affects DouCo DouPHP 1.5 20181221. The issue is a cross-site scripting (XSS) vulnerability in admin/product_category.php?rec=update via the bidirectional cat_name parameter. The root cause is improper handling of input in that parameter, leading to script injection and potential cl...

CVSS 4.8, AI score 4.8, EPSS 0.00235
Web

added 2021/12/08 3:42 a.m., 52 views

CVE-2021-3370

DouPHP v1.6 contains a cross-site scripting (XSS) vulnerability in the /admin/cloud.php path. The issue stems from lack of proper data validation/escaping in user-supplied data, enabling injection of JavaScript into the client side. The affected component is the admin cloud page of DouPHP; CVE-20...

CVSS 6.1, AI score 6, EPSS 0.0024

added 2018/12/28 3:00 p.m., 48 views

CVE-2018-20560

The CVE-2018-20560 entry concerns DouCo DouPHP 1.5 (build 20181221). The vulnerability is a Cross-Site Scripting (XSS) flaw in admin/show.php?rec=update, exploitable via the show_name parameter. The Red Hat/CNVD/CVE cross-referenced entries corroborate the same issue. The available sources do not...

CVSS 4.8, AI score 4.8, EPSS 0.00235
Web

added 2025/02/06 12:00 a.m., 48 views

CVE-2024-57599

CVE-2024-57599 affects DouPHP v1.8 Release 20231203. The vulnerability arises from improper handling of the description parameter in /admin/article.php, allowing an attacker to inject a crafted payload that leads to cross-site scripting and arbitrary code execution. Affected component: descriptio...

CVSS 4.8, AI score 7.4, EPSS 0.00115
Web

added 2018/12/28 3:00 p.m., 44 views

CVE-2018-20562

Vulnerability summary (CVE-2018-20562): DouCo DouPHP 1.5 (build 20181221) contains a cross-site scripting flaw in admin/article_category.php?rec=update, exploitable through the cat_name parameter. The issue is that user-supplied input can be reflected in the page without proper sanitization, enab...

CVSS 4.8, AI score 4.8, EPSS 0.00235
Web

added 2018/12/28 3:00 p.m., 44 views

CVE-2018-20563

DouPHP 1.5 (build 20181221) is affected by a Cross-Site Scripting (XSS) vulnerability in admin/mobile.php?rec=system&act=update via the mobile_name parameter. This CVE-2018-20563 is consistently described across NVD, Red Hat, CNVD, CVE lists and related records as an XSS issue; no patch/remediati...

CVSS 4.8, AI score 4.8, EPSS 0.00235
Web

added 2019/06/02 11:07 p.m., 44 views

CVE-2019-12564

CVE-2019-12564 affects DouCo DouPHP v1.5 Release 20190516. The issue allows remote attackers to view database backups by brute-forcing filenames data/backup/DyyyymmddThhmmss.sql, leading to partial/backup data exposure. Connected Red Hat and NVD entries corroborate the vulnerability description; ...

CVSS 9.8, AI score 9.3, EPSS 0.00381

added 2018/12/28 3:00 p.m., 43 views

CVE-2018-20567

CVE-2018-20567 affects DouCo DouPHP 1.5 (20181221). The issue resides in install\index.php, allowing a reload of the product in opportunistic scenarios when install.lock cannot be read. The vulnerability description does not provide exploit details or affected sub-components beyond this path and ...

CVSS 5.3, AI score 5.3, EPSS 0.00269

added 2018/12/28 3:00 p.m., 42 views

CVE-2018-20561

CVE-2018-20561 affects DouCo DouPHP 1.5 20181221. The vulnerability is a stored/reflected XSS in admin/article.php?rec=update via the title parameter, enabling injection of arbitrary script/HTML as described in multiple sources. Affected component is the admin interface (article update logic) and...

CVSS 4.8, AI score 4.8, EPSS 0.00235
Web

added 2018/12/28 3:00 p.m., 41 views

CVE-2018-20566

CVE-2018-20566 affects DouCo DouPHP 1.5 20181221. A crafted installation page can trigger a Smarty error: unable to read resource, leading to full path disclosure. The issue is documented across multiple sources (NVD, Red Hat, CNVD, CVE lists) with the same symptom, but the provided documents do ...

CVSS 5.3, AI score 5, EPSS 0.00366

added 2018/12/28 3:00 p.m., 39 views

CVE-2018-20558

CVE-2018-20558 affects DouCo DouPHP 1.5 (20181221). The vulnerability is a Cross-Site Scripting (XSS) flaw in admin/system.php?rec=update, exploitable via the site_name parameter. This could allow an attacker to inject arbitrary web script/HTML that is rendered by a user’s browser; CVSS scores i...

CVSS 4.8, AI score 4.8, EPSS 0.00235
Web

added 2018/12/28 3:00 p.m., 39 views

CVE-2018-20559

The CVE-2018-20559 entry affects DouCo DouPHP 1.5 (build 20181221). The vulnerability is an XSS flaw in admin/product.php?rec=update that is exploitable via the name parameter, enabling injection of arbitrary script/HTML. Underlying cause: insufficient input sanitization on the name field. Docume...

CVSS 4.8, AI score 4.8, EPSS 0.00235
Web

added 2018/12/28 3:00 p.m., 39 views

CVE-2018-20565

DouCo DouPHP 1.5 (20181221) is affected by a Cross-Site Scripting (XSS) in admin/nav.php?rec=update via the nav_name parameter. The vulnerability could allow injection of arbitrary web script or HTML in the admin context. No exploit details or definitive remediation are provided in the connected ...

CVSS 4.8, AI score 4.8, EPSS 0.00235
Web

added 2018/12/24 3:00 a.m., 38 views

CVE-2018-20419

CVE-2018-20419 affects DouCo DouPHP 1.5. The flaw arises from a CSRF in the upload/admin/manager.php?rec=insert endpoint, which can be used to incrementally add an administrator account. According to the NVD entry, the vulnerability has a CMS-level impact across confidentiality, integrity, and av...

CVSS 8.8, AI score 8.6, EPSS 0.00141
Web

added 2018/12/28 3:00 p.m., 37 views

CVE-2018-20557

DouCo DouPHP 1.5 (build 20181221) is affected by a stored/reflected cross-site scripting vulnerability in admin/page.php?rec=edit via the page_name parameter. The issue arises from improper handling of input, permitting injection of arbitrary web script or HTML. Public writeups (CNVD/NVD) describ...

CVSS 4.8, AI score 4.8, EPSS 0.00235
Web

added 2026/02/09 9:32 a.m., 11 views

CVE-2026-2226

CVE-2026-2226 affects DouPHP up to 1.9, targeting the ZIP File Handler component. The issue arises from manipulating the argument sql_filename in the file /admin/file.php, leading to unrestricted upload. The vulnerability can be exploited remotely, and the exploit has been disclosed publicly. The...

CVSS 7.2, AI score 5.2, EPSS 0.00025
Web