3 matches found
CVE-2018-10236
POSCMS 3.2.18 is affected by a remote PHP code execution in the diy\dayrui\controllers\admin\Syscontroller.php add function, where an attacker can set $data['name'] without restrictions and its value is written to FCPATH.$file. This allows arbitrary PHP code execution on vulnerable servers. The C...
CVE-2018-10235
Summary: CVE-2018-10235 affects POSCMS 3.2.10, allowing remote arbitrary PHP code execution via the diy\module\member\controllers\admin\Setting.php (index) by controlling $cache['setting']['ucssocfg'] in diy\module\member\models\Member_model.php and writing the code into api/ucsso/config.php. Mul...
CVE-2024-22569
POSCMS v4.6.2 contains a Stored XSS vulnerability. A crafted payload to /index.php?c=install&m=index&step=2&is_install_db=0 can cause arbitrary code execution. The connected PT-2024-19489 advisory notes a workaround to restrict access to that endpoint until a patch is available; no patch/version ...