2 results (0.046 seconds)

CVSS: 4.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

The WeChat module in YzmCMS 3.7.1 has reflected XSS via the admin/module/init.html echostr parameter, related to the valid function in application/wechat/controller/index.class.php. • https://github.com/SukaraLin/Drops/blob/master/YZMCMSxss.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.2 • EPSS: 0% • CPEs: 1 • EXPL: 1

Eval injection in yzmphp/core/function/global.func.php in YzmCMS v3.7.1 allows remote attackers to achieve arbitrary code execution via PHP code in the POST data of an index.php?m=member&c=member_content&a=init request. • https://github.com/guiciwushuang/yzmcms/blob/master/yzmcms_eval_injection_chinese.pdf • https://github.com/guiciwushuang/yzmcms/blob/master/yzmcms_eval_injection_english.pdf • CWE-94: Improper Control of Generation of Code ('Code Injection')