CVE-2018-12990
https://notcve.org/view.php?id=CVE-2018-12990
phpwcms 1.8.9 allows remote attackers to discover the installation path via an invalid csrf_token_value field. • https://3xpl01tc0d3r.blogspot.com/2018/06/information-disclosure-internal-path.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2017-15872
https://notcve.org/view.php?id=CVE-2017-15872
phpwcms 1.8.9 has XSS in include/inc_tmpl/admin.edituser.tmpl.php and include/inc_tmpl/admin.newuser.tmpl.php via the username (aka new_login) field. • https://github.com/slackero/phpwcms/commit/62c7c4a7a7de5effa0a82c89e77e53795a82e11d • https://github.com/slackero/phpwcms/commit/90ee94a474b37919161f8112f9e36c53ad70492f • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')