8 matches found
CVE-2024-24399
CVE-2024-24399 affects LEPTON v7.0.0: an arbitrary file upload vulnerability allows an authenticated attacker to upload PHP code via the backend/languages/index.php languages area, enabling execution of arbitrary code with high impact (C/H, I/H, A/H per CVSS). The Connected documents corroborate ...
CVE-2020-29240
CVE-2020-29240 concerns Lepton-CMS 4.7.0, where a cross-site scripting (XSS) vulnerability exists in the admin UI. The vulnerability allows an attacker to inject an XSS payload via the URL field accessed from the Menu-Pages-Pages Overview section; every time an admin visits that page, the payload...
CVE-2020-12705
LeptonCMS is affected by multiple cross-site scripting (XSS) vulnerabilities in versions before 4.6.0. The root cause is inadequate validation of client-side data by the web application, enabling attackers to inject and execute code in a user’s browser. Impact described in the sources includes th...
CVE-2024-29514
CVE-2024-29514 affects Lepton v7.1.0. The vulnerability is a file-upload flaw that allows a remote, authenticated attacker to execute arbitrary PHP code by uploading a crafted file. Impact is high (remote code execution, authenticated access). Affected software is LeptonCMS/Lepton v7.1.0, with th...
CVE-2024-29515
The CVE is for LeptonCMS v7.1.0 (Lepton) and describes a File Upload vulnerability that enables a remote authenticated attacker to execute arbitrary PHP code by uploading crafted files to the save.php and config.php components. The root cause, as reflected across multiple sources, is improper han...
CVE-2024-24520
CVE-2024-24520 affects Lepton CMS v7.0.0. The issue is a local arbitrary-code execution via the upgrade.php file in the languages place, enabling a local attacker to compromise the system. According to Red Hat and CNNVD records, the vulnerability exists in Lepton CMS 7.0.0. The Red Hat entry and ...
CVE-2020-24872
CVE-2020-24872 is a cross-site scripting vulnerability in Lepton-CMS 4.7.0, stemming from lack of proper filtering/escaping in backend/pages/modify.php. The issue allows remote attackers to inject and execute arbitrary web scripts or HTML when a user views or submits crafted data, with the CVSS i...
CVE-2025-56704
LeptonCMS 7.3.0 is affected by an arbitrary file upload vulnerability caused by insufficient validation of uploaded files. An authenticated attacker can upload a crafted ZIP/PHP file to execute arbitrary code. Affected software: LeptonCMS 7.3.0. Root cause: lack of proper validation during file u...