10 matches found
CVE-2017-11198
CVE-2017-11198 is an XSS vulnerability in FineCMS, affecting the file /application/lib/ajax/get_image.php. The issue allows remote attackers to inject arbitrary web script or HTML by manipulating the folder, id, or name parameters in FineCMS releases up to 2017-07-12. Impact is described as cross...
CVE-2017-10968
CVE-2017-10968 affects FineCMS versions up to 2017-07-07. The issue occurs in application/core/controller/template.php , where an attacker can achieve remote PHP code execution by placing code after the opening tag "
CVE-2017-11179
CVE-2017-11179 affects FineCMS up to 2017-07-11. The vulnerability is a stored XSS in two routes: route=admin (modifying user information) and route=register (registering a user account). The documents do not provide root-cause specifics beyond the XSS description, nor do they include remediation...
CVE-2017-9252
Vulnerability context: CVE-2017-9252 affects FineCMS up to 2017-05-28. It is a reflected Cross-Site Scripting (XSS) in the search page, exploitable via the text-search parameter to index.php with route=search. What’s affected: FineCMS’s search functionality (versions prior to or including 2017-05...
CVE-2017-11201
The CVE-2017-11201 entry affects FineCMS, specifically the application/core/controller/images.php logic. The vulnerability allows XSS by uploading an image via route=images, exploited by remote authenticated admins. Affected versions are FineCMS up to 2017-07-12. The root cause is improper handli...
CVE-2017-11180
CVE-2017-11180 affects FineCMS up to 2017-07-11; the issue is a stored XSS in the logging functionality. The payloads demonstrated involve (1) the User-Agent header of HTTP requests and (2) the username entered on the login screen. The root cause is that log processing allows XSS content to be st...
CVE-2017-9251
FineCMS prior to 2017-05-28 is vulnerable to a reflected XSS in the sitename parameter of admin.php. The vulnerability is confirmed across multiple sources; the root cause is unsanitized input reflected in the sitename field. Impact is XSS (arbitrary script/HTML execution) in affected pages. Expl...
CVE-2017-11200
CVE-2017-11200 is a SQL injection vulnerability in FineCMS, present through 2017-07-12, exploitable via the visitor_ip parameter in application/core/controller/excludes.php. Public records (NVD and related CVE lists) indicate a high-severity impact (CVSS-3 base score 8.8) with network access, low...
CVE-2017-11202
CVE-2017-11202 refers to a FineCMS vulnerability up to 2017-07-12 where XSS is possible in visitors.php because JavaScript in visited URLs is not restricted during logging or when reading logs. This is described as a different vulnerability from CVE-2017-11180. Connected sources confirm broader X...
CVE-2017-10967
Affected software: FineCMS (before 2017-07-06). Vulnerable component: application/core/controller/config.php. Vulnerability type: Cross-site scripting (XSS). Affected parameters: key_name, key_value, and meaning. Root cause / details: The available descriptions indicate that FineCMS allows XSS vi...