15 matches found
CVE-2019-17175
The CVE-2019-17175 vulnerability affects joyplus-cms version 1.6.0 and is caused by an absolute path traversal flaw in manager/admin_pic.php?rootpath=. This allows an attacker to access locations outside of a restricted directory. Metrics indicate a CVSS v2 base score of 5.0 (MEDIUM) with network...
CVE-2020-20636
The CVE-2020-20636 entry describes a SQL injection in Joyplus-cms v1.6.0, exploitable via the id parameter of the goodbad() function. Root cause is improper handling of user input leading to database access, enabling a remote attacker to access sensitive information. Public references indicate th...
CVE-2018-14388
Joyplus-cms 1.6.0 is vulnerable to cross-site scripting (XSS) via the can_search_device parameter sent to manager/admin_ajax.php. The root cause is unsanitized user input in that parameter, allowing arbitrary script execution in a user’s browser. Multiple sources (NVD, Red Hat, CNVD, PRION,...
CVE-2018-14334
CVE-2018-14334 affects joyplus-cms 1.6.0. The issue is in manager/editor/upload.php, where the check for disallowed file extensions only sets $errm and does not alter control flow, allowing an attacker to upload and execute a PHP file (remote code execution). This is related to the similar CVE-20...
CVE-2018-14500
Joyplus-cms 1.6.0 contains a cross-site scripting (XSS) vulnerability in the writer/collect_vod_zhuiju.php endpoint where the keyword parameter can be injected with arbitrary script/HTML. Public disclosures across CVE/NVD/CNVD confirm XSS via the manager/collect/collect_vod_zhuiju.php keyword par...
CVE-2018-10096
Joyplus-cms 1.6.0 is affected by a cross-site scripting (XSS) vulnerability exploitable through the device_name parameter in manager/admin_ajax.php?action=save flag=add. The root cause is likely inadequate input sanitization of device_name, allowing injected scripts to be reflected in the applica...
CVE-2018-8766
Joyplus-CMS 1.6.0 is affected by an arbitrary file upload in manager/editor/upload.php (related to manager/admin_vod.php?action=add), enabling potential remote code execution due to insufficient validation of uploaded content. The vulnerability is described across multiple sources (including CVE-...
CVE-2018-10028
Affected software: Joyplus CMS 1.6.0. Vulnerability: Information disclosure via direct requests to the install/ or log/ URIs, enabling remote attackers to obtain sensitive information. Root cause / notes: Documented across multiple sources (NVD, Red Hat, CNVD) with identical description; no expli...
CVE-2018-14389
Joyplus-cms 1.6.0 is affected by a SQL Injection vulnerability in the manager/admin_ajax.php val parameter. The CVE-2018-14389 entry notes an injection that could impact backend data, with CVSSv3.0 base score 9.8 (CRITICAL) and CVSSv2.0 7.5 (HIGH). Connected records consistently identify joyplus-...
CVE-2020-22124
Summary of CVE-2020-22124: The vulnerability affects Joyplus-CMS v1.6, specifically the inc\config.php component. The connected records consistently describe an information disclosure vulnerability allowing attackers to access sensitive data. The exact root cause, vulnerable code paths, affe...
CVE-2018-8767
Joyplus-cms 1.6.0 is affected by a cross-site scripting (XSS) vulnerability in manager/admin_ajax.php?action=save&tab={pre}vod_type, exploitable via the t_name parameter. Root cause: insufficient input sanitization that allows injected script/HTML. Impact: can inject arbitrary scripts into the vi...
CVE-2018-12905
Joyplus-CMS 1.6.0 contains a cross-site scripting (XSS) vulnerability in admin_player.php, related to manager/index.php “system manage” and “add” actions. Multiple sources (NVD, Red Hat, CNVD, CVE lists) confirm the same issue; root cause described as XSS in the admin interface. Exploi...
CVE-2018-8717
CVE-2018-8717 affects joyplus-cms 1.6.0 and is a cross-site request forgery (CSRF) vulnerability. The issue is demonstrated by a CSRF request to manager/admin_ajax.php?action=save&tab={pre}manager that can result in adding an administrator account. The connected sources confirm the vulnerability ...
CVE-2018-10073
The CVE-2018-10073 entry applies to joyplus-cms 1.6.0, where a cross-site scripting vulnerability exists in manager/admin_vod.php via the keyword parameter. Root cause is improper handling of the keyword input leading to XSS. Documents state the affected software and vulnerable parameter but do n...
CVE-2018-12039
Joyplus-CMS version 1.6.0 is affected by a Remote Code Execution vulnerability in manager/index.php caused by an Arbitrary SQL command execution issue that relies on using a "/!select/" substring in place of a select substring. This is documented across multiple sources (NVD/Red Hat/CNVD) and ind...