CVE-2019-16660
https://notcve.org/view.php?id=CVE-2019-16660
joyplus-cms 1.6.0 has a CSRF vulnerability in admin_ajax.php?action=savexml&tab=vodplay. • https://github.com/joyplus/joyplus-cms/issues/440 • CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2018-14501
https://notcve.org/view.php?id=CVE-2018-14501
manager/admin_ajax.php in joyplus-cms 1.6.0 has SQL Injection, as demonstrated by crafted POST data beginning with an "m_id=1 AND SLEEP(5)" substring. • https://github.com/joyplus/joyplus-cms/issues/432 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2018-14500
https://notcve.org/view.php?id=CVE-2018-14500
joyplus-cms 1.6.0 has XSS via the manager/collect/collect_vod_zhuiju.php keyword parameter. • https://github.com/joyplus/joyplus-cms/issues/431 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-14388
https://notcve.org/view.php?id=CVE-2018-14388
joyplus-cms 1.6.0 has XSS via the manager/admin_ajax.php can_search_device array parameter. • https://github.com/joyplus/joyplus-cms/issues/429 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-14389
https://notcve.org/view.php?id=CVE-2018-14389
joyplus-cms 1.6.0 has SQL Injection via the manager/admin_ajax.php val parameter. • https://github.com/joyplus/joyplus-cms/issues/430 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')