
CVE-2024-7657 – Gila CMS HTTP POST Request page cross site scripting
https://notcve.org/view.php?id=CVE-2024-7657
11 Aug 2024 — A vulnerability classified as problematic was found in Gila CMS 1.10.9. This vulnerability affects unknown code of the file /cm/update_rows/page?id=2 of the component HTTP POST Request Handler. The manipulation of the argument content leads to cross site scripting. The attack can be initiated remotely. • https://vuldb.com/?ctiid.274114 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2024-7551 – juzaweb CMS Theme Editor default path traversal
https://notcve.org/view.php?id=CVE-2024-7551
06 Aug 2024 — A vulnerability was found in juzaweb CMS up to 3.4.2. It has been classified as problematic. Affected is an unknown function of the file /admin-cp/theme/editor/default of the component Theme Editor. The manipulation leads to path traversal. It is possible to launch the attack remotely. • https://github.com/DeepMountains/Mirage/blob/main/CVE9-1.md • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2024-7300 – Bolt CMS Showcase Creation showcases cross site scripting
https://notcve.org/view.php?id=CVE-2024-7300
31 Jul 2024 — A vulnerability classified as problematic has been found in Bolt CMS 3.7.1. Affected is an unknown function of the file /bolt/editcontent/showcases of the component Showcase Creation Handler. The manipulation of the argument textarea leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. • https://vuldb.com/?ctiid.273168 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2024-7299 – Bolt CMS Entry Preview page cross site scripting
https://notcve.org/view.php?id=CVE-2024-7299
31 Jul 2024 — A vulnerability was found in Bolt CMS 3.7.1. It has been rated as problematic. This issue affects some unknown processing of the file /preview/page of the component Entry Preview Handler. The manipulation of the argument body leads to cross site scripting. The attack may be initiated remotely. • https://vuldb.com/?ctiid.273167 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2024-7106 – Spina CMS media_folders cross-site request forgery
https://notcve.org/view.php?id=CVE-2024-7106
25 Jul 2024 — A vulnerability classified as problematic was found in Spina CMS 2.18.0. Affected by this vulnerability is an unknown functionality of the file /admin/media_folders. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. • https://github.com/topsky979/Security-Collections/blob/main/cve3/README.md • CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2024-41800 – Craft CMS Allows TOTP Token To Stay Valid After Use
https://notcve.org/view.php?id=CVE-2024-41800
25 Jul 2024 — Craft is a content management system (CMS). Craft CMS 5 allows reuse of TOTP tokens multiple times within the validity period. An attacker is able to re-submit a valid TOTP token to establish an authenticated session. This requires that the attacker has knowledge of the victim's credentials. This has been patched in Craft 5.2.3. • https://github.com/craftcms/cms/commit/7c790fa5ad5a8cb8016cb6793ec3554c4c079e38 • CWE-287: Improper Authentication

CVE-2024-7065 – Spina CMS cross-site request forgery
https://notcve.org/view.php?id=CVE-2024-7065
24 Jul 2024 — A vulnerability was found in Spina CMS up to 2.18.0. It has been classified as problematic. Affected is an unknown function of the file /admin/pages/. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. • https://github.com/topsky979/Security-Collections/blob/main/1700810/README.md • CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2024-36119 – Password confirmation stored in plain text via registration form in statamic/cms
https://notcve.org/view.php?id=CVE-2024-36119
30 May 2024 — Statamic is a Laravel + Git powered CMS designed for building websites. In affected versions users registering via the `user:register_form` tag will have their password confirmation stored in plain text in their user file. This only affects sites matching **all** of the following conditions: 1. Running Statamic versions between 5.3.0 and 5.6.1. (This version range represents only one calendar week), 2. • https://dev.to/balogh08/cleaning-your-git-history-safely-removing-sensitive-data-10i5 • CWE-312: Cleartext Storage of Sensitive Information

CVE-2024-3311 – Dreamer CMS ThemesController.java ZipUtils.unZipFiles path traversal
https://notcve.org/view.php?id=CVE-2024-3311
04 Apr 2024 — A vulnerability was found in Dreamer CMS up to 4.1.3.0. It has been declared as critical. Affected by this vulnerability is the function ZipUtils.unZipFiles of the file controller/admin/ThemesController.java. The manipulation leads to path traversal. The attack can be launched remotely. • https://github.com/FaLLenSKiLL1/CVE-2024-33113 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2024-3118 – Dreamer CMS Attachment permission
https://notcve.org/view.php?id=CVE-2024-3118
31 Mar 2024 — A vulnerability, which was classified as critical, has been found in Dreamer CMS up to 4.1.3. This issue affects some unknown processing of the component Attachment Handler. The manipulation leads to permission issues. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. • https://github.com/sweatxi/BugHub/blob/main/dreamer_Excessive_authority.pdf • CWE-275: Permission Issues