10 matches found
CVE-2013-7474
Windu CMS 2.2 is affected by a Cross-Site Scripting (XSS) vulnerability. The flaw allows injection via the name parameter in admin/content/edit or admin/content/add, or via the username parameter in admin/users. The NVD records show a CVSS base score of 4.3 (CS: Partial integrity impact, Network ...
CVE-2013-7473
Windu CMS 2.2 is affected by a CSRF vulnerability that allows an attacker to add an admin account via admin/users/?mn=admin.message.error. The connected sources confirm the scenario but do not provide a concrete remediation or patched version in the provided documents. Exploitation status or in-t...
CVE-2025-59112
Windu CMS is vulnerable to Cross-Site Request Forgery (CSRF) in the user editing feature. An attacker could lure a victim to visit a crafted site that issues a forged POST request to delete a user (CSRF token of another user can bypass protections). Only version 4.1 was tested and confirmed vulne...
CVE-2025-59110
CVE-2025-59110: Windu CMS is affected by a Cross-Site Request Forgery in the user editing functionality. The fix relies on CSRF protection, but the protection can be bypassed using a CSRF token from another user. Open registration means attacker possibilities may be broader. Affected: Windu CMS v...
CVE-2025-59113
Windu CMS vulnerability CVE-2025-59113 affects the 4.1 line. The issue stems from weak client-side brute-force protection that relies on a loginError parameter, with no server-side tracking of attempts or timeouts. This allows bypass of protection, enabling brute-force attempts. Affected: Windu C...
CVE-2025-59114
Windu CMS is affected by a Cross-Site Request Forgery vulnerability in the file uploading functionality. The issue allows an attacker to trigger a victim’s browser to send a malicious file upload request, potentially elevating impact to the server when authenticated. Only version 4.1 was tested a...
CVE-2025-59116
Windu CMS (v4.1) is vulnerable to User Enumeration during login, where login-response differences enable brute-force validation of usernames. Only v4.1 was tested as vulnerable; fix is available in v4.1 build 2250. Affected components, root cause (message-based distinction on login) and impact (f...
CVE-2025-59111
CVE-2025-59111 : Windu CMS is affected by Broken Access Control in the user editing functionality. A privileged attacker can issue a GET request to delete Super Admins, an action not possible via the GUI. The issue has been tested only on version 4.1 and is fixed in version 4.1 build 2250. Other ...
CVE-2025-59117
Windu CMS is affected by multiple Stored XSS vulnerabilities in the page editing endpoint windu/admin/content/pages/edit/. The flaws can be exploited by a privileged user and may affect users with higher privileges. This CVE entry pertains to Windu CMS 4.1, with tests confirming vulnerability in ...
CVE-2025-59115
Windu CMS (affected: version 4.1) is vulnerable to Stored Cross-Site Scripting on the logon page due to input data lacking proper validation. A malicious actor can inject arbitrary HTML/JS that executes when an admin visits the logs page. Only version 4.1 was tested; fix is available in 4.1 build...