CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2022-4350 – Mingsoft MCMS search.do cross site scripting
https://notcve.org/view.php?id=CVE-2022-4350
08 Dec 2022 — A vulnerability, which was classified as problematic, was found in Mingsoft MCMS 5.2.8. Affected is an unknown function of the file search.do. The manipulation of the argument content_title leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. • https://gitee.com/mingSoft/MCMS/issues/I5MT8Y • CWE-707: Improper Neutralization •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2022-36599
https://notcve.org/view.php?id=CVE-2022-36599
16 Aug 2022 — Mingsoft MCMS 5.2.8 was discovered to contain a SQL injection vulnerability in /mdiy/model/delete URI via models Lists. Se ha detectado que Mingsoft MCMS versión 5.2.8, contiene una vulnerabilidad de inyección SQL en /mdiy/model/delete URI por medio de models Lists. • https://gitee.com/mingSoft/MCMS/issues/I5I1P5 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2022-36272
https://notcve.org/view.php?id=CVE-2022-36272
16 Aug 2022 — Mingsoft MCMS 5.2.8 was discovered to contain a SQL injection vulnerability in /mdiy/page/verify URI via fieldName parameter. Se ha detectado que Mingsoft MCMS versión 5.2.8, contiene una vulnerabilidad de inyección SQL en /mdiy/page/verify URI por medio del parámetro fieldName. • https://github.com/ming-soft/MCMS/issues/97 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-31943
https://notcve.org/view.php?id=CVE-2022-31943
01 Jul 2022 — MCMS v5.2.8 was discovered to contain an arbitrary file upload vulnerability. Se ha detectado que MCMS versión v5.2.8, contiene una vulnerabilidad de carga de archivos arbitraria • https://github.com/ming-soft/MCMS/issues/95 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-29647
https://notcve.org/view.php?id=CVE-2022-29647
31 May 2022 — An issue was discovered in MCMS 5.2.7. There is a CSRF vulnerability that can add an administrator account via ms/basic/manager/save.do. Se ha detectado un problema en MCMS versión 5.2.7. Se presenta una vulnerabilidad de tipo CSRF que puede añadir una cuenta de administrador por medio del archivo ms/basic/manager/save.do • https://gist.github.com/aaaahuia/f708c6c8a320e0f3afbb9247903c4670 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-30506
https://notcve.org/view.php?id=CVE-2022-30506
27 May 2022 — An arbitrary file upload vulnerability was discovered in MCMS 5.2.7, allowing an attacker to execute arbitrary code through a crafted ZIP file. Se ha detectado una vulnerabilidad de carga de archivos arbitraria en MCMS versión 5.2.7, que permite a un atacante ejecutar código arbitrario mediante un archivo ZIP diseñado • https://gitee.com/mingSoft/MCMS/issues/I56AID • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-30048
https://notcve.org/view.php?id=CVE-2022-30048
11 May 2022 — Mingsoft MCMS 5.2.7 was discovered to contain a SQL injection vulnerability in /mdiy/dict/list URI via orderBy parameter. Se ha detectado que Mingsoft MCMS versión 5.2.7, contiene una vulnerabilidad de inyección SQL en /mdiy/dict/list URI por medio del parámetro orderBy • https://gitee.com/mingSoft/MCMS/issues/I54VG0 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-30047
https://notcve.org/view.php?id=CVE-2022-30047
11 May 2022 — Mingsoft MCMS v5.2.7 was discovered to contain a SQL injection vulnerability in /mdiy/dict/listExcludeApp URI via orderBy parameter. Se ha detectado que Mingsoft MCMS versión v5.2.7, contiene una vulnerabilidad de inyección SQL en el URI /mdiy/dict/listExcludeApp por medio del parámetro orderBy • https://gitee.com/mingSoft/MCMS/issues/I54VLM • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-27466
https://notcve.org/view.php?id=CVE-2022-27466
02 May 2022 — MCMS v5.2.27 was discovered to contain a SQL injection vulnerability in the orderBy parameter at /dict/list.do. Se ha detectado que MCMS versión v5.2.27, contiene una vulnerabilidad de inyección SQL en el parámetro orderBy en /dict/list.do • https://github.com/ming-soft/MCMS/issues/90 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-27340
https://notcve.org/view.php?id=CVE-2022-27340
22 Apr 2022 — MCMS v5.2.7 contains a Cross-Site Request Forgery (CSRF) via /role/saveOrUpdateRole.do. This vulnerability allows attackers to escalate privileges and modify data. MCMS versión v5.2.7, contiene una vulnerabilidad de tipo Cross-Site Request Forgery (CSRF) por medio de el archivo /role/saveOrUpdateRole.do. Esta vulnerabilidad permite a atacantes escalar privilegios y modificar datos • https://github.com/UDKI11/vul/blob/main/Mcms%E8%B7%A8%E7%AB%99%E8%AF%B7%E6%B1%82%E4%BC%AA%E9%80%A0.docx • CWE-352: Cross-Site Request Forgery (CSRF) •