CVE-2024-40546
https://notcve.org/view.php?id=CVE-2024-40546
12 Jul 2024 — An arbitrary file upload vulnerability in the component /admin/cmsWebFile/save of PublicCMS v4.0.202302.e allows attackers to execute arbitrary code via uploading a crafted file. • https://gitee.com/sanluan/PublicCMS/issues/IAAKYP • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2024-40544
https://notcve.org/view.php?id=CVE-2024-40544
12 Jul 2024 — PublicCMS v4.0.202302.e was discovered to contain a Server-Side Request Forgery (SSRF) via the component /admin/#maintenance_sysTask/edit. • https://gitee.com/sanluan/PublicCMS/issues/IAAIX8 • CWE-918: Server-Side Request Forgery (SSRF) •
CVE-2024-40552
https://notcve.org/view.php?id=CVE-2024-40552
12 Jul 2024 — PublicCMS v4.0.202302.e was discovered to contain a remote command execution (RCE) vulnerability via the cmdarray parameter at /site/ScriptComponent.java. • https://gitee.com/sanluan/PublicCMS/issues/IAAMMU •
CVE-2024-31759
https://notcve.org/view.php?id=CVE-2024-31759
16 Apr 2024 — An issue in sanluan PublicCMS v.4.0.202302.e allows an attacker to escalate privileges via the change password function. • https://1drv.ms/v/s%21AmTWEcd1YDpUjgoJ8lkA8pN8zYEJ?e=gIlbGf • CWE-284: Improper Access Control •
CVE-2023-51252
https://notcve.org/view.php?id=CVE-2023-51252
10 Jan 2024 — PublicCMS 4.0 is vulnerable to Cross Site Scripting (XSS). Because files can be uploaded and an online preview function is provided, PDF and HTML files containing malicious code can be uploaded, and an XSS popup window is triggered when they are viewed online. • https://github.com/sanluan/PublicCMS/issues/79 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-46990
https://notcve.org/view.php?id=CVE-2023-46990
20 Nov 2023 — Deserialization of Untrusted Data in PublicCMS v.4.0.202302.e allows a remote attacker to execute arbitrary code via a crafted script to the writeReplace function. • https://github.com/sanluan/PublicCMS/issues/76#issue-1960443408 • CWE-502: Deserialization of Untrusted Data •
CVE-2023-48204
https://notcve.org/view.php?id=CVE-2023-48204
15 Nov 2023 — An issue in PublicCMS v.4.0.202302.e allows a remote attacker to obtain sensitive information via the appToken and Parameters parameters of the api/method/getHtml component. • https://github.com/sanluan/PublicCMS/issues/77 • CWE-918: Server-Side Request Forgery (SSRF) •
CVE-2023-34852
https://notcve.org/view.php?id=CVE-2023-34852
15 Jun 2023 — PublicCMS <=V4.0.202302 is vulnerable to Insecure Permissions. • https://github.com/funny-kill/CVE-2023-34852 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVE-2020-20915
https://notcve.org/view.php?id=CVE-2020-20915
04 Apr 2023 — SQL Injection vulnerability found in PublicCMS v.4.0 allows a remote attacker to execute arbitrary code via the sql parameter of the SysSiteAdminControl. • https://github.com/sanluan/PublicCMS/issues/29 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2020-20914
https://notcve.org/view.php?id=CVE-2020-20914
04 Apr 2023 — SQL Injection vulnerability found in San Luan PublicCMS v.4.0 allows a remote attacker to execute arbitrary code via the sql parameter. • https://github.com/sanluan/PublicCMS/issues/29 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •