
CVE-2024-10505 – wuzhicms block.php edit code injection
https://notcve.org/view.php?id=CVE-2024-10505
30 Oct 2024 — A vulnerability was found in wuzhicms 4.1.0. It has been classified as critical. Affected is the function add/edit of the file www/coreframe/app/content/admin/block.php. The manipulation leads to code injection. It is possible to launch the attack remotely. • https://github.com/wuzhicms/wuzhicms/issues/209 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2024-32206
https://notcve.org/view.php?id=CVE-2024-32206
19 Apr 2024 — A stored cross-site scripting (XSS) vulnerability in the component \affiche\admin\index.php of WUZHICMS v4.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the $formdata parameter. • http://wuzhicms.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-31008
https://notcve.org/view.php?id=CVE-2024-31008
03 Apr 2024 — An issue discovered in WUZHICMS version 4.1.0 allows an attacker to execute arbitrary code and obtain sensitive information via the index.php file. • https://github.com/majic-banana/vulnerability/blob/main/POC/WUZHICMS4.1.0-Captcha%20bypass%20%28logic%20vulnerability%29.md • CWE-290: Authentication Bypass by Spoofing •

CVE-2023-52064
https://notcve.org/view.php?id=CVE-2023-52064
10 Jan 2024 — Wuzhicms v4.1.0 was discovered to contain a SQL injection vulnerability via the $keywords parameter at /core/admin/copyfrom.php. • https://gist.github.com/n0Sleeper/544b38c95715b13efadab329692c8aea • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2023-46482
https://notcve.org/view.php?id=CVE-2023-46482
01 Nov 2023 — SQL injection vulnerability in wuzhicms v.4.1.0 allows a remote attacker to execute arbitrary code via the Database Backup Functionality in the coreframe/app/database/admin/index.php component. • https://github.com/XTo-o1/PHP/blob/main/wuzhicms/WUZHI%20CMS%20v4.1.0%20SQL%20Injection%20Vulnerability%20in%20Database%20Backup%20Functionality.md • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2020-36037
https://notcve.org/view.php?id=CVE-2020-36037
11 Aug 2023 — An issue discovered in wuzhicms version 4.1.0 allows remote attackers to execute arbitrary code via the setting parameter to the ueditor in index.php. • https://github.com/wuzhicms/wuzhicms/issues/192 •

CVE-2020-20413
https://notcve.org/view.php?id=CVE-2020-20413
20 Jun 2023 — SQL injection vulnerability found in WUZHICMS v.4.1.0 allows a remote attacker to execute arbitrary code via the checktitle() function in admin/content.php. • https://github.com/SuperSalsa20/WUZHICMS-SQL-Injection/blob/master/README.md • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2020-21325
https://notcve.org/view.php?id=CVE-2020-21325
20 Jun 2023 — An issue in WUZHI CMS v.4.1.0 allows a remote attacker to execute arbitrary code via the set_chache method of the function\common.func.php file. • https://github.com/wuzhicms/wuzhicms/issues/188 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2023-31860
https://notcve.org/view.php?id=CVE-2023-31860
23 May 2023 — Wuzhi CMS v3.1.2 has a stored XSS vulnerability in the backend of the Five Finger CMS b2b system. • https://github.com/wuzhicms/b2b/issues/3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2023-30123
https://notcve.org/view.php?id=CVE-2023-30123
28 Apr 2023 — wuzhicms v4.1.0 is vulnerable to Cross Site Scripting (XSS) in the Member Center, Account Settings. • https://github.com/wuzhicms/wuzhicms/issues/205#issue-1635153937 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •