CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2CVE-2019-17607
https://notcve.org/view.php?id=CVE-2019-17607
16 Oct 2019 — HongCMS 3.0.0 has XSS via the install/index.php servername parameter. HongCMS versión 3.0.0, presenta una vulnerabilidad de tipo XSS por medio del parámetro servername del archivo install/index.php. • https://cdn1.imggmi.com/uploads/2019/10/13/94ef1b084a074ffd9ef63408529aed17-full.png • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2019-16867
https://notcve.org/view.php?id=CVE-2019-16867
25 Sep 2019 — HongCMS 3.0.0 allows arbitrary file deletion via a ../ in the file parameter to admin/index.php/database/ajax?action=delete, a similar issue to CVE-2018-16774. (If the attacker deletes config.php and visits install/index.php, they can reinstall the product.) HongCMS versión 3.0.0, permite la eliminación de archivos arbitrarios por medio de un ../ en el parámetro file en admin/index.php/database/ajax?action=delete, un problema similar a CVE-2018-16774. • https://github.com/Neeke/HongCMS/issues/12 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2019-8407
https://notcve.org/view.php?id=CVE-2019-8407
17 Feb 2019 — HongCMS 3.0.0 allows arbitrary file read and write operations via a ../ in the filename parameter to the admin/index.php/language/edit URI. HongCMS 3.0.0 permite las operaciones de lectura y escritura de archivos arbitrarios mediante un ../ en el parámetro filename en el URI admin/index.php/language/edit. • https://github.com/Neeke/HongCMS/issues/7 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2018-16774
https://notcve.org/view.php?id=CVE-2018-16774
10 Sep 2018 — HongCMS 3.0.0 allows arbitrary file deletion via a ../ in the file parameter to admin/index.php/language/ajax?action=delete. HongCMS 3.0.0 permite la eliminación de archivos arbitrarios mediante un ../ en el parámetro file en admin/index.php/language/ajax?action=delete. • https://github.com/Neeke/HongCMS/issues/6 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2018-13021
https://notcve.org/view.php?id=CVE-2018-13021
29 Jun 2018 — An issue was discovered in HongCMS 3.0.0. There is an Arbitrary Script File Upload issue that can result in PHP code execution via the admin/index.php/template/upload URI. Se ha descubierto un problema en HongCMS 3.0.0. Hay un problema de carga de archivos de scripts arbitrarios que puede resultar en la ejecución de código PHP a través del URI admin/index.php/template/upload. • https://github.com/Neeke/HongCMS/issues/5 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2018-12912 – HongCMS 3.0.0 - (Authenticated) SQL Injection
https://notcve.org/view.php?id=CVE-2018-12912
27 Jun 2018 — An issue wan discovered in admin\controllers\database.php in HongCMS 3.0.0. There is a SQL Injection vulnerability via an admin/index.php/database/operate?dbaction=emptytable&tablename= URI. Se ha descubierto un problema en admin\controllers\database.php en HongCMS 3.0.0. Hay una vulnerabilidad de inyección SQL mediante un URI admin/index.php/database/operate? • https://www.exploit-db.com/exploits/44953 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2018-12266
https://notcve.org/view.php?id=CVE-2018-12266
13 Jun 2018 — system\errors\404.php in HongCMS 3.0.0 has XSS via crafted input that triggers a 404 HTTP status code. system\errors\404.php en HongCMS 3.0.0 tiene Cross-Site Scripting (XSS) mediante entradas manipuladas que desencadenan un código de estado HTTP 404. • https://github.com/lzlzh2016/CVE/blob/master/XSS.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-10422
https://notcve.org/view.php?id=CVE-2018-10422
26 Apr 2018 — An issue was discovered in HongCMS 3.0.0. The post news feature has Stored XSS via the content field. Se ha descubierto un problema en HongCMS 3.0.0. La característica post news tiene Cross-Site Scripting (XSS) persistente mediante el campo content. • https://github.com/Neeke/HongCMS/issues/2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2018-10265
https://notcve.org/view.php?id=CVE-2018-10265
21 Apr 2018 — An issue was discovered in HongCMS v3.0.0. There is a CSRF vulnerability that can add an administrator account via the admin/index.php/users/save URI. Se ha descubierto un problema en HongCMS v3.0.0. Hay una vulnerabilidad de Cross-Site Request Forgery (CSRF) que puede añadir una cuenta admin mediante el URI admin/index.php/users/save. • https://github.com/Neeke/HongCMS/issues/1 • CWE-352: Cross-Site Request Forgery (CSRF) •