CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0CVE-2018-20590
https://notcve.org/view.php?id=CVE-2018-20590
Ivan Cordoba Generic Content Management System (CMS) through 2018-04-28 has XSS via the Administrator/users.php user ID. Ivan Cordoba Generic Content Management System (CMS) hasta el 2018-04-28 tiene Cross-Site Scripting (XSS) mediante el ID de usuario en Administrator/users.php. • https://github.com/nabby27/CMS/pull/3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2018-20568
https://notcve.org/view.php?id=CVE-2018-20568
Administrator/index.php in Ivan Cordoba Generic Content Management System (CMS) through 2018-04-28 allows SQL injection for authentication bypass. Administrator/index.php en Ivan Cordoba Generic Content Management System (CMS) hasta el 2018-04-28 permite la inyección SQL para omitir la autenticación. • https://github.com/nabby27/CMS/pull/2 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2018-20569
https://notcve.org/view.php?id=CVE-2018-20569
user/index.php in Ivan Cordoba Generic Content Management System (CMS) through 2018-04-28 allows SQL injection for authentication bypass. user/index.php en Ivan Cordoba Generic Content Management System (CMS) hasta el 2018-04-28 permite la inyección SQL para omitir la autenticación. • https://github.com/nabby27/CMS/pull/2 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-17796
https://notcve.org/view.php?id=CVE-2018-17796
An issue was discovered in MRCMS (aka mushroom) through 3.1.2. The WebParam.java file directly accepts the FIELD_T parameter in a request and uses it as a hash of SQL statements without filtering, resulting in a SQL injection vulnerability in getChannel() in the ChannelService.java file. Se ha descubierto un problema en MRCMS (también conocido como mushroom) hasta su versión 3.1.2. El archivo WebParam.java acepta directamente el parámetro FIELD_T en una petición y lo emplea como hash de instrucciones SQL sin filtrado, lo que resulta en una vulnerabilidad de inyección SQL en getChannel() en el archivo ChannelService.java. • https://github.com/wuweiit/mushroom/issues/16 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.0EPSS: 0%CPEs: 6EXPL: 2CVE-2013-7138 – Horizon QCMS 4.0 SQL Injection / Directory Traversal
https://notcve.org/view.php?id=CVE-2013-7138
Directory traversal vulnerability in lib/functions/d-load.php in Horizon Quick Content Management System (QCMS) 4.0 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the start parameter. Vulnerabilidad de recorrido de directorios en lib/functions/d-load.php de Horizon Quick Content Management System (QCMS) 4.0 y anteriores permite a atacantes remotos leer archivos de forma arbitraria a través de un .. (punto punto) en el parámetro start. Horizon QCMS version 4.0 suffers from remote SQL injection and directory traversal vulnerabilities. • http://www.securityfocus.com/bid/64717 https://www.htbridge.com/advisory/HTB23191 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •