Page 2 of 10 results (0.007 seconds)

CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0

Ivan Cordoba Generic Content Management System (CMS) through 2018-04-28 has XSS via the Administrator/users.php user ID. Ivan Cordoba Generic Content Management System (CMS) hasta el 2018-04-28 tiene Cross-Site Scripting (XSS) mediante el ID de usuario en Administrator/users.php. • https://github.com/nabby27/CMS/pull/3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0

Administrator/index.php in Ivan Cordoba Generic Content Management System (CMS) through 2018-04-28 allows SQL injection for authentication bypass. Administrator/index.php en Ivan Cordoba Generic Content Management System (CMS) hasta el 2018-04-28 permite la inyección SQL para omitir la autenticación. • https://github.com/nabby27/CMS/pull/2 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0

user/index.php in Ivan Cordoba Generic Content Management System (CMS) through 2018-04-28 allows SQL injection for authentication bypass. user/index.php en Ivan Cordoba Generic Content Management System (CMS) hasta el 2018-04-28 permite la inyección SQL para omitir la autenticación. • https://github.com/nabby27/CMS/pull/2 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1

An issue was discovered in MRCMS (aka mushroom) through 3.1.2. The WebParam.java file directly accepts the FIELD_T parameter in a request and uses it as a hash of SQL statements without filtering, resulting in a SQL injection vulnerability in getChannel() in the ChannelService.java file. Se ha descubierto un problema en MRCMS (también conocido como mushroom) hasta su versión 3.1.2. El archivo WebParam.java acepta directamente el parámetro FIELD_T en una petición y lo emplea como hash de instrucciones SQL sin filtrado, lo que resulta en una vulnerabilidad de inyección SQL en getChannel() en el archivo ChannelService.java. • https://github.com/wuweiit/mushroom/issues/16 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 5.0EPSS: 0%CPEs: 6EXPL: 2

Directory traversal vulnerability in lib/functions/d-load.php in Horizon Quick Content Management System (QCMS) 4.0 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the start parameter. Vulnerabilidad de recorrido de directorios en lib/functions/d-load.php de Horizon Quick Content Management System (QCMS) 4.0 y anteriores permite a atacantes remotos leer archivos de forma arbitraria a través de un .. (punto punto) en el parámetro start. Horizon QCMS version 4.0 suffers from remote SQL injection and directory traversal vulnerabilities. • http://www.securityfocus.com/bid/64717 https://www.htbridge.com/advisory/HTB23191 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •