Lucene search: ThinkAdmin

9 matches found

CVE-2020-25540 (CVE; added 2020/09/14 12:22 p.m.; 109 views)

ThinkAdmin v6 is affected by a directory traversal/local file inclusion vulnerability (CVE-2020-25540). An unauthorized attacker can read arbitrary files on the remote server via a crafted GET request (parameter encode). Connected references describe PoCs and public exploits, including reading /e...

CVSS 7.5 | AI score 7.3 | EPSS 0.93767 | Tag: Web
CVE-2024-10749 (CVE; added 2024/11/04 12:31 a.m.; 72 views)

ThinkAdmin (up to version 6.1.67) contains a deserialization vulnerability in /app/admin/controller/api/Plugs.php, caused by manipulating the uptoken argument. This enables remote exploitation and is described as a critical issue; exploitability is noted as difficult, but the attack is possible r...

CVSS 8.1 | AI score 5.6 | EPSS 0.00256 | Tag: Web
CVE-2020-29315 (CVE; added 2020/12/01 4:55 p.m.; 51 views)

CVE-2020-29315 corresponds to a stored XSS vulnerability in ThinkAdmin (versions v1–v6). The core issue is a stored script/HTML injection that can be executed in the context of the affected web app. Documented references consistently describe ThinkAdmin v1/v6 as vulnerable and note remote attacke...

CVSS 5.4 | AI score 5.2 | EPSS 0.00201
CVE-2020-23653 (CVE; added 2021/01/13 5:47 p.m.; 48 views)

CVE-2020-23653: ThinkAdmin versions 4.x–6.x contain an insecure unserialize vulnerability in two files, app/admin/controller/api/Update.php and app/wechat/controller/api/Push.php, which may lead to arbitrary remote code execution. The Red Hat and GHSA entries concur on the vulnerable components ...

CVSS 9.8 | AI score 9.7 | EPSS 0.11196
CVE-2019-11018 (CVE; added 2019/04/08 8:37 p.m.; 37 views)

ThinkAdmin V4.0 contains a vulnerability in the file application/admin/controller/User.php where administrator cookie-based credentials remain valid after a password change. The affected software/version is ThinkAdmin 4.0; root cause is improper invalidation of existing login cookies upon passwor...

CVSS 9.8 | AI score 9.5 | EPSS 0.00348
CVE-2020-35296 (CVE; added 2021/03/03 3:04 p.m.; 37 views)

ThinkAdmin v6 contains default administrator credentials that enable attackers to gain unrestricted access to the administrator dashboard. The CVE entry notes unrestricted admin access as the impact. Public references corroborate default-credential risk, but exploit details are not provided in th...

CVSS 7.5 | AI score 7.6 | EPSS 0.01102
CVE-2023-48966 (CVE; added 2023/12/04 12:00 a.m.; 33 views)

CVE-2023-48966 affects ThinkAdmin v6.1.53. The vulnerability exists in the /admin/api.upload/file component, allowing arbitrary file uploads and remote code execution via a crafted ZIP file. Documented impact is high (CVSSv3.1 8.8, AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Primary sources (NVD/CNVD/G...

CVSS 8.8 | AI score 8.8 | EPSS 0.00198 | Tag: Web
CVE-2023-34833 (CVE; added 2023/06/15 12:00 a.m.; 32 views)

CVE-2023-34833 describes an arbitrary file upload vulnerability in ThinkAdmin v6 at the /api/upload.php endpoint, enabling attackers to run arbitrary code via a crafted file. Affected product: ThinkAdmin v6; vulnerable component: /api/upload.php. Underlying issue: arbitrary file upload without pr...

CVSS 6.1 | AI score 6.6 | EPSS 0.00177
CVE-2023-48965 (CVE; added 2023/12/04 12:00 a.m.; 31 views)

ThinkAdmin v6.1.53 contains an issue in the component /admin/api.plugs/script that allows an attacker to obtain a shell by requesting a crafted URL which downloads a malicious PHP file. Public sources in the connected records confirm the vulnerability is tied to ThinkAdmin v6.1.53, with the NVD e...

CVSS 8.8 | AI score 8.4 | EPSS 0.00239