18 matches found
CVE-2015-2679
CVE-2015-2679 affects MetalGenix GeniXCMS up to version 0.0.2. The issue is due to unsanitized inputs: the page parameter in index.php and the username parameter in gxadmin/login.php are used directly in SQL queries, enabling remote SQL injection. Exploits/public PoCs exist (e.g., Exploit-DB 3632...
CVE-2017-14765
CVE-2017-14765 corresponds to a cross-site scripting (XSS) issue in GeniXCMS 1.1.4. The vulnerability is reported as XSS via the Menu ID field in gxadmin/index.php when handling a page=menus request, indicating unsanitized input in that field. The connected advisories reference GeniXCMS 1.1.4/1.1...
CVE-2017-14231
GeniXCMS before 1.1.0 is vulnerable to denial of service (account blockage) caused by mishandling of certain username substring relationships (e.g., admin[removed] vs admin) in registration logic. The issue affects register.php, User.class.php, and Type.class.php, and can be triggered remotely to...
CVE-2017-14761
Technical details about CVE-2017-14761 are not publicly available in the provided connected documents. Monitor for updates.
CVE-2017-14762
In GeniXCMS 1.1.4, an XSS vulnerability exists in /inc/lib/Control/Backend/menus.control.php exploitable via the id parameter. The issue allows reflected/script-injected content in the affected page, as described by CVE-2017-14762. The provided documents do not specify the exact impact scope, exp...
CVE-2017-14763
GeniXCMS 1.1.4 is affected by CVE-2017-14763: remote authenticated users can trigger arbitrary PHP code execution through a .php file in a Theme ZIP during the Install Themes process. The issue arises from how theme archives are handled, enabling code execution from uploaded theme files. This is ...
CVE-2016-10096
GeniXCMS before 1.0.0 contains a SQL injection in register.php that can be triggered by the activation parameter to allow remote execution of arbitrary SQL. The issue is exposed in multiple references (e.g., CVE-2016-10096 and accompanying advisories) and is reported across NVD, CNVD, OSV, GHSA, ...
CVE-2017-14764
CVE-2017-14764 affects GeniXCMS 1.1.4. The vulnerability allows remote authenticated users to execute arbitrary PHP code by placing a .php file inside a ZIP archive of a module uploaded via the Upload Modules page. The underlying issue is improper handling of module ZIP contents during extraction...
CVE-2017-17431
GeniXCMS 1.1.5 is vulnerable to cross-site scripting (XSS) via multiple input parameters (from, id, lang, menuid, mod, q, status, term, to, or token). The CVE note indicates potential overlap with CVE-2017-14761/62/65. Connected advisories corroborate XSS in GeniXCMS 1.1.4/1.1.5 (e.g., via id par...
CVE-2015-2678
MetalGenix GeniXCMS before 0.0.2 is affected by multiple cross-site scripting (XSS) flaws. The vulnerability stems from unsanitized input in the cat parameter on gxadmin/index.php (for the categories page) and the page parameter on index.php, enabling remote attackers to inject arbitrary script/H...
CVE-2017-8827
CVE-2017-8827 affects GeniXCMS 1.0.2: the forgotpassword.php endpoint lacks rate limiting, enabling a remote attacker to cause login denial of service or potentially perform arbitrary user password reset attacks via repeated requests. The available connected documents corroborate the same descrip...
CVE-2017-14740
GeniXCMS 1.1.0 is affected by an XSS vulnerability that allows remote authenticated users to inject arbitrary web script or HTML via the Menu ID when adding a menu. The issue is documented across multiple sources (e.g., CVE-2017-14740 and related advisories) and is not described with a published ...
CVE-2017-8376
GeniXCMS 1.0.2 is reported to have an authenticated XSS vulnerability triggered by mishandling of a comment during a mouse operation by an administrator. The flaw affects the CMS when processing a comment in an authenticated context; no remediation or fix version is provided in the connected docu...
CVE-2017-5346
Summary: CVE-2017-5346 affects GeniXCMS 0.0.8. The vulnerability is in the file inc/lib/Control/Backend/posts.control.php and is exploitable via the id parameter to gxadmin/index.php. It allows remote authenticated administrators to execute arbitrary SQL commands, indicating a SQL injection flaw ...
CVE-2017-8377
CVE-2017-8377 affects GeniXCMS 1.0.2. The vulnerability is a SQL Injection in inc/lib/Control/Backend/menus.control.php via the menuid parameter, enabling an attacker to manipulate SQL queries. Several connected sources corroborate that GeniXCMS 1.0.2 contains a SQL injection in the backend menus...
CVE-2017-8388
GeniXCMS 1.0.2 is affected by a protection bypass vulnerability that allows remote attackers to bypass the alertDanger MSG_USER_EMAIL_EXIST protection via a register.php?act=edit&id=1 request. The issue is consistently described across multiple sources (NVD entry, GHSA/OSV entries, and related ad...
CVE-2017-8762
CVE-2017-8762 affects GeniXCMS 1.0.2. The vulnerability is an XSS condition triggered when an authenticated user submits a page, demonstrated by a crafted oncut attribute in a B element. The Connected documents corroborate this across multiple sources (Red Hat, GHSA, OSV, CVE lists) with the same...
CVE-2017-8780
GeniXCMS 1.0.2 is affected by a cross-site scripting (XSS) vulnerability triggered by a comment mishandled during an administrator publish operation, demonstrated by a malformed P element. Root cause and impact are described across multiple sources (NVD/NVD, Red Hat, GHSA, OSV, CNVD, CNVD). The d...