Lucene search

Metinfo

53 matches found

added 2022/02/14 9:15 p.m. | 174 views

CVE-2022-23335

Metinfo v7.5.0 was discovered to contain a SQL injection vulnerability in language_general.class.php via doModifyParameter.

CVSS 9.8 | AI score 9.8 | EPSS 0.00513

added 2019/10/10 1:6 a.m. | 116 views

CVE-2019-17418

An issue was discovered in MetInfo 7.0. There is SQL injection via the admin/?n=language&c=language_general&a=doSearchParameter appno parameter, a different issue than CVE-2019-16997.

CVSS 7.2 | AI score 7.3 | EPSS 0.92932
Web

added 2019/10/10 1:6 a.m. | 108 views

CVE-2019-17419

An issue was discovered in MetInfo 7.0. There is SQL injection via the admin/?n=user&c=admin_user&a=doGetUserInfo id parameter.

CVSS 7.2 | AI score 7.4 | EPSS 0.00274
Web

added 2019/09/30 1:15 p.m. | 103 views

CVE-2019-16996

In Metinfo 7.0.0beta, a SQL Injection was discovered in app/system/product/admin/product_admin.class.php via the admin/?n=product&c=product_admin&a=dopara&app_type=shop id parameter.

CVSS 7.2 | AI score 7.3 | EPSS 0.92323
Web

added 2022/02/14 9:15 p.m. | 103 views

CVE-2022-22295

Metinfo v7.5.0 was discovered to contain a SQL injection vulnerability in parameter_admin.class.php via the table_para parameter.

CVSS 9.8 | AI score 9.7 | EPSS 0.00513

added 2019/09/30 1:15 p.m. | 94 views

CVE-2019-16997

In Metinfo 7.0.0beta, a SQL Injection was discovered in app/system/language/admin/language_general.class.php via the admin/?n=language&c=language_general&a=doExportPack appno parameter.

CVSS 7.2 | AI score 7.2 | EPSS 0.92932
Web

added 2019/07/19 6:15 a.m. | 89 views

CVE-2019-13969

Metinfo 6.x allows SQL Injection via the id parameter in an admin/index.php?n=ui_set&m=admin&c=index&a=doget_text_content&table=lang&field=1 request.

CVSS 8.8 | AI score 9.1 | EPSS 0.00257
Web

added 2022/12/07 3:15 a.m. | 69 views

CVE-2022-44849

A Cross-Site Request Forgery (CSRF) in the Administrator List of MetInfo v7.7 allows attackers to arbitrarily add Super Administrator account.

CVSS 8.8 | AI score 8.7 | EPSS 0.0009

added 2021/08/03 10:15 p.m. | 61 views

CVE-2020-19305

An issue in /app/system/column/admin/index.class.php of Metinfo v7.0.0 causes the indeximg parameter to be deleted when the column is deleted, allowing attackers to escalate privileges.

CVSS 9.8 | AI score 9.4 | EPSS 0.00959
Web

added 2021/07/08 4:15 p.m. | 60 views

CVE-2020-20585

A blind SQL injection in /admin/?n=logs&c=index&a=dode of Metinfo 7.0 beta allows attackers to access sensitive database information.

CVSS 7.5 | AI score 7.8 | EPSS 0.00849
Web

added 2021/08/03 10:15 p.m. | 52 views

CVE-2020-19304

An issue in /admin/index.php?n=system&c=filept&a=doGetFileList of Metinfo v7.0.0 allows attackers to perform a directory traversal and access sensitive information.

CVSS 7.5 | AI score 7.4 | EPSS 0.00839

added 2021/05/24 6:15 p.m. | 51 views

CVE-2020-20907

MetInfo 7.0 beta is affected by a file modification vulnerability. Attackers can delete and modify ini files in app/system/language/admin/language_general.class.php and app/system/include/function/file.func.php.

CVSS 9.1 | AI score 9.1 | EPSS 0.00883

added 2017/07/17 1:18 p.m. | 46 views

CVE-2017-11347

Authenticated Code Execution Vulnerability in MetInfo 5.3.17 allows a remote authenticated attacker to generate a PHP script with the content of a malicious image, related to admin/include/common.inc.php and admin/app/physical/physical.php.

CVSS 8.8 | AI score 8.4 | EPSS 0.01489
Web

added 2019/05/10 3:29 p.m. | 46 views

CVE-2017-12789

Metinfo 5.3.18 is affected by: Cross Site Request Forgery (CSRF). The impact is: Information Disclosure (remote). The component is: admin/interface/online/delete.php. The attack vector is: The administrator clicks on the malicious link in the login state.

CVSS 8.8 | AI score 8.5 | EPSS 0.00141

added 2019/05/09 5:29 p.m. | 46 views

CVE-2017-12790

Metinfo 5.3.18 is affected by: Cross Site Request Forgery (CSRF). The impact is: Information Disclosure (remote). The component is: admin/index.php. The attack vector is: The administrator clicks on the malicious link in the login state.

CVSS 6.5 | AI score 6.4 | EPSS 0.00157

added 2021/09/15 5:15 p.m. | 45 views

CVE-2020-21127

MetInfo 7.0.0 contains a SQL injection vulnerability via admin/?n=logs&c=index&a=dodel.

CVSS 9.8 | AI score 9.8 | EPSS 0.00546
Web

added 2021/12/22 11:15 p.m. | 43 views

CVE-2020-20600

MetInfo 7.0 beta contains a stored cross-site scripting (XSS) vulnerability in the $name parameter of admin/?n=column&c=index&a=doAddColumn.

CVSS 5.4 | AI score 5.2 | EPSS 0.00291
Web

added 2017/09/17 9:29 p.m. | 42 views

CVE-2017-14513

Directory traversal vulnerability in MetInfo 5.3.17 allows remote attackers to read information from any ini format file via the f_filename parameter in a fingerprintdo action to admin/app/physical/physical.php.

CVSS 5.3 | AI score 5.1 | EPSS 0.0014
Web

added 2018/06/18 2:29 p.m. | 42 views

CVE-2018-12530

An issue was discovered in MetInfo 6.0.0. admin/app/batch/csvup.php allows remote attackers to delete arbitrary files via a flienamecsv=../ directory traversal. This can be exploited via CSRF.

CVSS 6.5 | AI score 6.5 | EPSS 0.00459
Web

added 2018/02/21 12:29 a.m. | 42 views

CVE-2018-7271

An issue was discovered in MetInfo 6.0.0. In install/install.php in the installation process, the config/config_db.php configuration file filtering is not rigorous: one can insert malicious code in the installation process to execute arbitrary commands or obtain a web shell.

CVSS 9.3 | AI score 9.2 | EPSS 0.00882

added 2021/07/30 2:15 p.m. | 42 views

CVE-2020-18175

SQL Injection vulnerability in Metinfo 6.1.3 via a dosafety_emailadd action in basic.php.

CVSS 9.8 | AI score 9.8 | EPSS 0.00508

added 2017/07/20 10:29 p.m. | 41 views

CVE-2017-11500

A directory traversal vulnerability exists in MetInfo 5.3.17. A remote attacker can use ..\ to delete any .zip file via the filenames parameter to /admin/system/database/filedown.php.

CVSS 7.5 | AI score 7.5 | EPSS 0.00332
Web

added 2017/07/19 12:29 p.m. | 40 views

CVE-2017-9764

Cross-site scripting (XSS) vulnerability in MetInfo 5.3.17 allows remote attackers to inject arbitrary web script or HTML via the Client-IP or X-Forwarded-For HTTP header to /include/stat/stat.php in a para action.

CVSS 6.1 | AI score 6 | EPSS 0.00223
Web

added 2019/10/14 1:15 p.m. | 40 views

CVE-2019-17553

An issue was discovered in MetInfo v7.0.0 beta. There is SQL Injection via the admin/?n=tags&c=index&a=doSaveTags URI.

CVSS 9.8 | AI score 9.8 | EPSS 0.00683
Web

added 2018/12/03 7:29 p.m. | 39 views

CVE-2018-19836

In Metinfo 6.1.3, include/interface/applogin.php allows setting arbitrary HTTP headers (including the Cookie header), and common.inc.php allows registering variables from the $_COOKIE value. This issue can, for example, be exploited in conjunction with CVE-2018-19835 to bypass many XSS filters such...

CVSS 6.1 | AI score 6 | EPSS 0.0024
Web

added 2021/07/12 1:15 p.m. | 39 views

CVE-2020-21133

SQL Injection vulnerability in Metinfo 7.0.0 beta in member/getpassword.php?lang=cn&a=dovalid.

CVSS 9.8 | AI score 9.8 | EPSS 0.00546
Web

added 2019/05/09 3:29 p.m. | 38 views

CVE-2017-12788

Multiple cross-site scripting (XSS) vulnerabilities in admin/index.php in Metinfo 5.3.18 allows remote attackers to inject arbitrary web script or HTML via the (1) class1 parameter or the (2) anyid parameter.

CVSS 6.1 | AI score 6 | EPSS 0.00223
Web

added 2017/03/27 3:59 p.m. | 38 views

CVE-2017-6878

Cross-site scripting (XSS) vulnerability in MetInfo 5.3.15 allows remote authenticated users to inject arbitrary web script or HTML via the name_2 parameter to admin/column/delete.php.

CVSS 5.4 | AI score 5 | EPSS 0.00291
Web

added 2018/10/15 2:29 a.m. | 38 views

CVE-2018-18296

MetInfo 6.1.2 has XSS via the /admin/index.php bigclass parameter in an n=column&a=doadd action.

CVSS 6.1 | AI score 5.9 | EPSS 0.0024
Web

added 2018/04/10 6:29 a.m. | 38 views

CVE-2018-9928

Cross-site scripting (XSS) vulnerability in save.php in MetInfo 6.0 allows remote attackers to inject arbitrary web script or HTML via the webname or weburl parameter.

CVSS 6.1 | AI score 6 | EPSS 0.00223

added 2018/04/10 6:29 p.m. | 38 views

CVE-2018-9985

The front page of MetInfo 6.0 allows XSS by sending a feedback message to an administrator.

CVSS 6.1 | AI score 5.9 | EPSS 0.0024

added 2018/07/20 1:29 a.m. | 36 views

CVE-2018-14419

MetInfo 6.0.0 allows XSS via a modified name of the navigation bar on the home page.

CVSS 4.8 | AI score 4.8 | EPSS 0.00235

added 2018/07/20 1:29 a.m. | 36 views

CVE-2018-14420

MetInfo 6.0.0 allows a CSRF attack to add a user account via a doaddsave action to admin/index.php, as demonstrated by an admin/index.php?anyid=47&n=admin&c=admin_admin&a=doaddsave URI.

CVSS 8.8 | AI score 8.5 | EPSS 0.00177
Web

added 2018/09/17 4:29 a.m. | 35 views

CVE-2018-17129

MetInfo 6.1.0 has SQL injection in doexport() in app/system/feedback/admin/feedback_admin.class.php via the class1 field.

CVSS 4.9 | AI score 5.8 | EPSS 0.00243
Web

added 2018/10/16 1:29 a.m. | 35 views

CVE-2018-18374

XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.

CVSS 5.4 | AI score 5.2 | EPSS 0.00206
Web

added 2018/04/10 7:29 a.m. | 35 views

CVE-2018-9934

The reset-password feature in MetInfo 6.0 allows remote attackers to change arbitrary passwords via vectors involving a Host HTTP header that is modified to specify a web server under the attacker's control.

CVSS 8.8 | AI score 8.4 | EPSS 0.0042

added 2019/02/11 4:29 a.m. | 35 views

CVE-2019-7718

An issue was discovered in Metinfo 6.x. An attacker can leverage a race condition in the backend database backup function to execute arbitrary PHP code via admin/index.php?n=databack&c=index&a=dogetsql&tables=

CVSS 8.1 | AI score 8.2 | EPSS 0.00336
Web

added 2018/06/29 5:29 p.m. | 34 views

CVE-2018-13024

Metinfo v6.0.0 allows remote attackers to write code into a .php file, and execute that code, via the module parameter to admin/column/save.php in an editor upload action.

CVSS 7.2 | AI score 7.2 | EPSS 0.00787
Web

added 2018/12/03 7:29 p.m. | 34 views

CVE-2018-19835

Metinfo 6.1.3 has reflected XSS via the admin/column/move.php lang_columnerr4 parameter.

CVSS 6.1 | AI score 5.9 | EPSS 0.0024
Web

added 2018/12/26 7:29 p.m. | 34 views

CVE-2018-20486

MetInfo 6.x through 6.1.3 has XSS via the /admin/login/login_check.php url_array[] parameter.

CVSS 6.1 | AI score 6 | EPSS 0.0028
Web

added 2021/07/30 2:15 p.m. | 34 views

CVE-2020-18157

Cross Site Request Forgery (CSRF) vulnerability in MetInfo 6.1.3 via a doaddsave action in admin/index.php.

CVSS 8.8 | AI score 8.7 | EPSS 0.00112
Web

added 2021/07/12 1:15 p.m. | 34 views

CVE-2020-21132

SQL Injection vulnerability in Metinfo 7.0.0beta in index.php.

CVSS 9.8 | AI score 9.8 | EPSS 0.00546

added 2018/06/18 2:29 p.m. | 33 views

CVE-2018-12531

An issue was discovered in MetInfo 6.0.0. install\index.php allows remote attackers to write arbitrary PHP code into config_db.php, a different vulnerability than CVE-2018-7271.

CVSS 9.8 | AI score 8.2 | EPSS 0.00994

added 2019/10/17 1:15 p.m. | 32 views

CVE-2019-17676

app/system/admin/admin/index.class.php in MetInfo 7.0.0beta allows a CSRF attack to add a user account via a doSaveSetup action to admin/index.php, as demonstrated by an admin/?n=admin&c=index&a=doSaveSetup URI.

CVSS 8.8 | AI score 8.4 | EPSS 0.00148
Web

added 2020/09/30 6:15 p.m. | 32 views

CVE-2020-20800

An issue was discovered in MetInfo v7.0.0 beta. There is SQL Injection via the install/index.php?action=adminsetup&cndata=yes&endata=yes&showdata=yes URI.

CVSS 9.8 | AI score 9.9 | EPSS 0.00546
Web

added 2021/08/12 3:15 p.m. | 32 views

CVE-2020-20981

A SQL injection in the /admin/?n=logs&c=index&a=dolist component of Metinfo 7.0 allows attackers to access sensitive database information.

CVSS 7.5 | AI score 7.8 | EPSS 0.00606
Web

added 2021/06/21 3:15 p.m. | 32 views

CVE-2020-21517

Cross Site Scripting (XSS) vulnerability in MetInfo 7.0.0 via the gourl parameter in login.php.

CVSS 6.1 | AI score 6 | EPSS 0.00264

added 2018/11/07 4:29 a.m. | 30 views

CVE-2018-19051

MetInfo 6.1.3 has XSS via the admin/index.php?a=dogetpassword abt_type parameter.

CVSS 6.1 | AI score 6 | EPSS 0.0024
Web

added 2011/11/01 10:55 p.m. | 29 views

CVE-2010-4976

Cross-site scripting (XSS) vulnerability in search/search.php in MetInfo 3.0 allows remote attackers to inject arbitrary web script or HTML via the searchword parameter (aka Search Box field). NOTE: some of these details are obtained from third party information.

CVSS 4.3 | AI score 5.9 | EPSS 0.07386
Web

added 2021/09/15 5:15 p.m. | 29 views

CVE-2020-21126

MetInfo 7.0.0 contains a Cross-Site Request Forgery (CSRF) via admin/?n=admin&c=index&a=doSaveInfo.

CVSS 8.8 | AI score 8.8 | EPSS 0.00202
Web

Total number of security vulnerabilities: 53