10 matches found
CVE-2024-12901
FoxCMS up to version 1.2 is affected by a critical issue in the API Endpoint, specifically in /app/api/controller/Site.php, where manipulating the password argument leads to improper authorization. The vulnerability enables remote exploitation, and the exploit has been publicly disclosed. Multipl...
CVE-2025-6094
FoxCMS (versions up to 1.2.5) contains a SQL injection in the batchCope function of app/admin/controller/Download.php, triggered by manipulating the ids parameter. The vulnerability allows remote exploitation and has publicly disclosed exploits. Publicly available advisories (e.g., PT-2025-25506)...
CVE-2025-2653
FoxCMS 1.25 is affected by CVE-2025-2653, which is described as an improper authorization vulnerability that can be exploited remotely. The connected sources consistently reference FoxCMS 1.25 and indicate a remote-attack vector with unknown details about the exact vulnerable component or entry p...
CVE-2025-45238
FoxCMS v1.2.5 is affected by an arbitrary file deletion vulnerability via the delRestoreSerie method. The issue stems from the delRestoreSerie functionality and can lead to deletion of arbitrary files, as described across multiple sources (including Red Hat and PT Security advisories). The vulner...
CVE-2025-45239
FoxCMS v2.0.6 contains a vulnerability in the restores method of DataBackup.php that allows a directory traversal attack. The issue stems from improper handling in the restores logic, enabling access to filesystem paths beyond the intended directory. Documented impact is limited to information ex...
CVE-2025-45240
FoxCMS v1.2.5 contains a SQL injection vulnerability in the executeCommand method of DataBackup.php (CVE-2025-45240). Affects foxcms 1.2.5; impact described as likely SQL injection with low to moderate confidentiality/integity impact and no availability impact per CVSS 3.1 (AV:N/AC:L/PR:N/UI:N/S:...
CVE-2024-12900
FoxCMS CVE-2024-12900 affects the Configuration File Handler’s /install/installdb.php. The root cause is manipulation of the database password argument, enabling code injection. The vulnerability is exploitable remotely and has public disclosures. Affected versions are FoxCMS up to 1.2; PT-Securi...
CVE-2025-51650
FoxCMS v1.2.6 has an arbitrary file upload vulnerability in the /controller/PicManager.php component that allows code execution via a crafted template file. The CVE is CVE-2025-51650. A PoC is indicated in the vulnerability metrics, suggesting exploit guidance exists. Impact is limited to remote ...
CVE-2025-7568
FoxCMS up to version 1.2.5 is affected by a SQL injection in the batchCope function of app/admin/controller/Video.php. The vulnerability arises from manipulating the ids argument, allowing remote exploitation. The issue has been publicly disclosed and is not confirmed as fixed; vendor response st...
CVE-2025-11306
FoxCMS (qianfox) up to version 1.2 contains a cross-site scripting flaw in the Search Page component, specifically in /index.php/Search where manipulation of the keyword parameter enables remote exploitation. Multiple sources (NVD, Red Hat, EUVD, CVE lists, and vendor/information aggregators) con...