21 matches found
CVE-2017-11198
CVE-2017-11198 is an XSS vulnerability in FineCMS, affecting the file /application/lib/ajax/get_image.php. The issue allows remote attackers to inject arbitrary web script or HTML by manipulating the folder, id, or name parameters in FineCMS releases up to 2017-07-12. Impact is described as cross...
CVE-2017-14195
The CVE-2017-14195 entry describes an XSS vulnerability in dayrui FineCms 5.0.11, specifically in the call_msg function of controllers/Form.php. The issue is triggered by the Referer HTTP header (noted for Internet Explorer) and is described across multiple sources as cross-site scripting, with p...
CVE-2017-14193
The CVE-2017-14193 entry concerns dayrui FineCms 5.0.11, where the oauth function in controllers/member/api.php is vulnerable to cross-site scripting via the Referer HTTP header when accessed from Internet Explorer. This is the explicit vulnerable component and vector described in the connected d...
CVE-2017-10968
CVE-2017-10968 affects FineCMS versions up to 2017-07-07. The issue occurs in application/core/controller/template.php, where an attacker can achieve remote PHP code execution by placing code after the opening tag "
CVE-2017-14192
The CVE-2017-14192 entry concerns dayrui FineCms 5.0.11, where the checktitle function in controllers/member/api.php is vulnerable to cross-site scripting (XSS) related to the module field. The available connected sources confirm the affected project and file, but do not provide executable exploi...
CVE-2017-9252
Vulnerability context: CVE-2017-9252 affects FineCMS up to 2017-05-28. It is a reflected Cross-Site Scripting (XSS) in the search page, exploitable via the text-search parameter to index.php with route=search. What’s affected: FineCMS’s search functionality (versions prior to or including 2017-05...
CVE-2017-11179
CVE-2017-11179 affects FineCMS up to 2017-07-11. The vulnerability is a stored XSS in two routes: route=admin (modifying user information) and route=register (registering a user account). The documents do not provide root-cause specifics beyond the XSS description, nor do they include remediation...
CVE-2017-11201
The CVE-2017-11201 entry affects FineCMS, specifically the application/core/controller/images.php logic. The vulnerability allows XSS by uploading an image via route=images, exploited by remote authenticated admins. Affected versions are FineCMS up to 2017-07-12. The root cause is improper handli...
CVE-2017-14194
The CVE-2017-14194 entry concerns dayrui FineCms version 5.0.11, where the out function in controllers/member/Login.php is reported to have an XSS vulnerability related to the Referer HTTP header in Internet Explorer. Multiple connected records (NVD, Red Hat, CNVD, CVE list mirrors, and regional ...
CVE-2017-6511
Affected software: andrzuk/FineCMS (versions before 2017-03-06). Vulnerability: reflected XSS in index.php due to missing validation of the action parameter in application/classes/application.php. Impact (as stated): allows reflected XSS, with no other impacts detailed in the provided documents. ...
CVE-2017-1000429
Summary: CVE-2017-1000429 affects the CMS finecms 5.0.10 via a reflected XSS in the file Weixin.php. The vulnerability stems from insecure handling of input that is reflected back in the response, enabling arbitrary script injection. Multiple connected records (NVD/NVD-derived entries and nation...
CVE-2017-11178
CVE-2017-11178 affects FineCMS up to 2017-07-11. The vulnerability is in application/core/controller/style.php where route=style accepts contents and filename parameters, enabling remote attackers to write to arbitrary files. Because file extensions are not checked, a PHP file could be overwritte...
CVE-2017-11180
CVE-2017-11180 affects FineCMS up to 2017-07-11; the issue is a stored XSS in the logging functionality. The payloads demonstrated involve (1) the User-Agent header of HTTP requests and (2) the username entered on the login screen. The root cause is that log processing allows XSS content to be st...
CVE-2017-13697
CVE-2017-13697 affects Dayrui FineCMS 5.0.11 via an XSS flaw in controllers/member/api.php related to the dirname variable. The vulnerability allows injection of arbitrary scripts/HTML in contexts that reflect the input, enabling potential user‑level execution or social engineering. Exploitation ...
CVE-2017-12774
CVE-2017-12774 affects FineCMS 1.9.5, with a vulnerability in the file controllers/member/ContentController.php that allows remote attackers to manipulate the website database. Multiple connected sources describe an SQL injection risk in this controller, enabling unauthorized database operations....
CVE-2017-9251
FineCMS prior to 2017-05-28 is vulnerable to a reflected XSS in the sitename parameter of admin.php. The vulnerability is confirmed across multiple sources; the root cause is unsanitized input reflected in the sitename field. Impact is XSS (arbitrary script/HTML execution) in affected pages. Expl...
CVE-2017-10973
FineCMS before 2017-07-06 is affected by a server-side request forgery (SSRF) in application/lib/ajax/get_image_data.php, related to processing requests for non-image files with a modified HTTP Host header. Root cause appears to be improper handling of user-controlled Host header leading to unint...
CVE-2017-11167
CVE-2017-11167 affects FineCMS 2.1.0. The vulnerability allows remote attackers to execute arbitrary PHP code by abusing the URL Manager’s “Add Site” action: entering code after a ', sequence in a domain name, demonstrated with ',phpinfo()'. Connected CNVD/CNVD-2017-15550 and NVD entries corrobor...
CVE-2017-11202
CVE-2017-11202 refers to a FineCMS vulnerability up to 2017-07-12 where XSS is possible in visitors.php because JavaScript in visited URLs is not restricted during logging or when reading logs. This is described as a different vulnerability from CVE-2017-11180. Connected sources confirm broader X...
CVE-2017-11200
CVE-2017-11200 is a SQL injection vulnerability in FineCMS, present through 2017-07-12, exploitable via the visitor_ip parameter in application/core/controller/excludes.php. Public records (NVD and related CVE lists) indicate a high-severity impact (CVSS-3 base score 8.8) with network access, low...
CVE-2017-10967
Affected software: FineCMS (before 2017-07-06). Vulnerable component: application/core/controller/config.php. Vulnerability type: Cross-site scripting (XSS). Affected parameters: key_name, key_value, and meaning. Root cause / details: The available descriptions indicate that FineCMS allows XSS vi...