
CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

05 Jun 2018 — The forgotten-password feature in index.php/member/reset/reset_email.html in YzmCMS v3.2 through v3.7 has a Response Discrepancy Information Exposure issue and an unexpectedly long lifetime for a verification code, which makes it easier for remote attackers to hijack accounts via a brute-force approach. • https://github.com/littleheary/-YzmCMS-User-Traversal-Vulnerability/blob/master/README.md • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 2

13 Mar 2018 — YzmCMS 3.7 has Stored XSS via the title parameter to advertisement/adver/edit.html. • https://github.com/Jx0n0/YZMCMSxss • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 | EPSS: 1% | CPEs: 1 | EXPL: 2

04 Mar 2018 — In YzmCMS 3.6, index.php has XSS via the a, c, or m parameter. YzmCMS version 3.6 suffers from a cross-site scripting vulnerability. • https://www.exploit-db.com/exploits/44405 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.2 | EPSS: 0% | CPEs: 1 | EXPL: 1

01 Mar 2018 — \application\admin\controller\update_urls.class.php in YzmCMS 3.6 has SQL Injection via the catids array parameter to admin/update_urls/update_category_url.html. • http://www.atksec.com/article/yzmcms-v3.6-sqli/index.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 5.3 | EPSS: 0% | CPEs: 1 | EXPL: 2

26 Feb 2018 — YzmCMS 3.6 allows remote attackers to discover the full path via a direct request to application/install/templates/s1.php. • https://github.com/kongxin520/YzmCMS/blob/master/YzmCMS_3.6_bug.md • CWE-668: Exposure of Resource to Wrong Sphere