12 matches found
CVE-2020-14067
The install_from_hash functionality in Navigate CMS 2.9 does not consider the .phtml extension when examining files within a ZIP archive that may contain PHP code, in check_upload in lib/packages/extensions/extension.class.php and lib/packages/themes/theme.class.php.
CVE-2020-23242
Cross Site Scripting (XSS) vulnerability in NavigateCMS 2.9 when performing a Create or Edit via the Tools feature.
CVE-2020-23243
Cross Site Scripting (XSS) vulnerability in NavigateCMS NavigateCMS 2.9 via the name="wrong_path_redirect" feature.
CVE-2021-37478
In NavigateCMS version 2.9.4 and below, function block is vulnerable to sql injection on parameter block-order, which results in arbitrary sql query execution in the backend database.
CVE-2021-37475
In NavigateCMS version 2.9.4 and below, function in templates.php is vulnerable to sql injection on parameter template-properties-order, which results in arbitrary sql query execution in the backend database.
CVE-2021-37473
In NavigateCMS version 2.9.4 and below, function in product.php is vulnerable to sql injection on parameter products-order through a post request, which results in arbitrary sql query execution in the backend database.
CVE-2021-37477
In NavigateCMS version 2.9.4 and below, function in structure.php is vulnerable to sql injection on parameter children_order, which results in arbitrary sql query execution in the backend database.
CVE-2021-37476
In NavigateCMS version 2.9.4 and below, function in product.php is vulnerable to sql injection on parameter id through a post request, which results in arbitrary sql query execution in the backend database.
CVE-2020-23655
NavigateCMS 2.9 is affected by Cross Site Scripting (XSS) on module "Configuration."
CVE-2020-23657
NavigateCMS 2.9 is affected by Cross Site Scripting (XSS) on module "Configuration."
CVE-2020-23654
NavigateCMS 2.9 is affected by Cross Site Scripting (XSS) via the module "Shop."
CVE-2020-23656
NavigateCMS 2.9 is affected by Cross Site Scripting (XSS) on module "Content."