10 matches found
CVE-2019-17610
HongCMS 3.0.0 has XSS via the install/index.php dbpassword parameter.
CVE-2019-17607
HongCMS 3.0.0 has XSS via the install/index.php servername parameter.
CVE-2019-17609
HongCMS 3.0.0 has XSS via the install/index.php dbusername parameter.
CVE-2019-17608
HongCMS 3.0.0 has XSS via the install/index.php dbname parameter.
CVE-2019-17611
HongCMS 3.0.0 has XSS via the install/index.php tableprefix parameter.
CVE-2018-12266
system\errors\404.php in HongCMS 3.0.0 has XSS via crafted input that triggers a 404 HTTP status code.
CVE-2020-21643
Cross Site Scripting (XSS) vulnerability in HongCMS 3.0 allows attackers to run arbitrary code via the callback parameter to /ajax/myshop.
CVE-2020-21431
HongCMS v3.0 contains an arbitrary file read and write vulnerability in the component /admin/index.php/template/edit.
CVE-2019-16867
HongCMS 3.0.0 allows arbitrary file deletion via a ../ in the file parameter to admin/index.php/database/ajax?action=delete, a similar issue to CVE-2018-16774. (If the attacker deletes config.php and visits install/index.php, they can reinstall the product.)
CVE-2019-8407
HongCMS 3.0.0 allows arbitrary file read and write operations via a ../ in the filename parameter to the admin/index.php/language/edit URI.