CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-46054
https://notcve.org/view.php?id=CVE-2023-46054
21 Oct 2023 — Cross Site Scripting (XSS) vulnerability in WBCE CMS v.1.6.1 and before allows a remote attacker to escalate privileges via a crafted script to the website_footer parameter in the admin/settings/save.php component. Vulnerabilidad de Cross Site Scripting (XSS) en WBCE CMS v.1.6.1 y anteriores permite a un atacante remoto escalar privilegios a través de un script manipulado al parámetro website_footer en el componente admin/settings/save.php. • https://github.com/aaanz/aaanz.github.io/blob/master/XSS.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-45012
https://notcve.org/view.php?id=CVE-2022-45012
21 Nov 2022 — A cross-site scripting (XSS) vulnerability in the Modify Page module of WBCE CMS v1.5.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Source field. Una vulnerabilidad de cross-site scripting (XSS) en el módulo Modificar página de WBCE CMS v1.5.4 permite a los atacantes ejecutar scripts web o HTML de su elección a través de un payload manipulado inyectado en el campo Source. • https://github.com/WBCE/WBCE_CMS • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-45013
https://notcve.org/view.php?id=CVE-2022-45013
21 Nov 2022 — A cross-site scripting (XSS) vulnerability in the Show Advanced Option module of WBCE CMS v1.5.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Section Header field. Una vulnerabilidad de cross-site scripting (XSS) en el módulo Show Advanced Option de WBCE CMS v1.5.4 permite a los atacantes ejecutar scripts web o HTML de su elección a través de un payload manipulado inyectado en el campo Encabezado de sección. • https://github.com/WBCE/WBCE_CMS • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-45014
https://notcve.org/view.php?id=CVE-2022-45014
21 Nov 2022 — A cross-site scripting (XSS) vulnerability in the Search Settings module of WBCE CMS v1.5.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Results Header field. Una vulnerabilidad de cross-site scripting (XSS) en el módulo de configuración de búsqueda de WBCE CMS v1.5.4 permite a los atacantes ejecutar scripts web o HTML de su elección a través de un payload manipulado inyectado en el campo Results Header. • https://github.com/WBCE/WBCE_CMS • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-45015
https://notcve.org/view.php?id=CVE-2022-45015
21 Nov 2022 — A cross-site scripting (XSS) vulnerability in the Search Settings module of WBCE CMS v1.5.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Results Footer field. Una vulnerabilidad de cross-site scripting (XSS) en el módulo de configuración de búsqueda de WBCE CMS v1.5.4 permite a los atacantes ejecutar scripts web o HTML de su elección a través de un payload manipulado inyectado en el campo Pie de página de resultados. • https://github.com/WBCE/WBCE_CMS • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-45016
https://notcve.org/view.php?id=CVE-2022-45016
21 Nov 2022 — A cross-site scripting (XSS) vulnerability in the Search Settings module of WBCE CMS v1.5.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Footer field. Una vulnerabilidad de cross-site scripting (XSS) en el módulo de configuración de búsqueda de WBCE CMS v1.5.4 permite a los atacantes ejecutar scripts web o HTML de su elección a través de un payload manipulado inyectado en el campo Pie de página. • https://github.com/WBCE/WBCE_CMS • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-45017
https://notcve.org/view.php?id=CVE-2022-45017
21 Nov 2022 — A cross-site scripting (XSS) vulnerability in the Overview Page settings module of WBCE CMS v1.5.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Post Loop field. Una vulnerabilidad de cross-site scripting (XSS) en el módulo de configuración de la página de descripción general de WBCE CMS v1.5.4 permite a los atacantes ejecutar scripts web o HTML de su elección a través de un payload manipulado inyectado en el campo Post Loop. • https://github.com/WBCE/WBCE_CMS • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 17%CPEs: 1EXPL: 3CVE-2021-3817 – SQL Injection in wbce/wbce_cms
https://notcve.org/view.php?id=CVE-2021-3817
09 Dec 2021 — wbce_cms is vulnerable to Improper Neutralization of Special Elements used in an SQL Command wbce_cms es vulnerable a una Neutralización Inadecuada de Elementos Especiales usados en un Comando SQL WBCE CMS versions 1.5.1 and below suffer from an administrative password reset vulnerability. • https://www.exploit-db.com/exploits/50609 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2019-17575
https://notcve.org/view.php?id=CVE-2019-17575
14 Oct 2019 — A file-rename filter bypass exists in admin/media/rename.php in WBCE CMS 1.4.0 and earlier. This can be exploited by an authenticated user with admin privileges to rename a media filename and extension. (For example: place PHP code in a .jpg file, and then change the file's base name to filename.ph and change the file's extension to p. Because of concatenation, the name is then treated as filename.php.) At the result, remote attackers can execute arbitrary PHP code. • https://github.com/kbgsft/vuln-wbce/wiki/Arbitrary-file-upload-vulnerbility-in-WBCE-CMS-1.4.0 • CWE-706: Use of Incorrectly-Resolved Name or Reference •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2017-2120
https://notcve.org/view.php?id=CVE-2017-2120
28 Apr 2017 — SQL injection vulnerability in the WBCE CMS 1.1.10 and earlier allows attacker with administrator rights to execute arbitrary SQL commands via unspecified vectors. Vulnerabilidad de inyección SQL en WBCE CMS 1.1.10 y anteriores permite a un atacante con privilegios de administrador ejecutar comandos SQL a través de vectores no especificados. • http://jvn.jp/en/jp/JVN73083905/index.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •