CVE-2020-29233 – WonderCMS 3.1.3 - 'content' Persistent Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2020-29233
WonderCMS 3.1.3 is affected by cross-site scripting (XSS) in the Page description component. An attacker can inject an XSS payload into the Page description; each time any user visits the website, the XSS triggers and the attacker can steal the cookie according to the crafted payload.
• https://www.exploit-db.com/exploits/49085
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-29469 – WonderCMS 3.1.3 - 'Menu' Persistent Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2020-29469
WonderCMS 3.1.3 is affected by cross-site scripting (XSS) in the Menu component. An attacker can inject an XSS payload in Setting - Menu; each time any user visits the website directory, the XSS triggers and the attacker can steal the cookie according to the crafted payload.
• https://www.exploit-db.com/exploits/49164
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-29247
https://notcve.org/view.php?id=CVE-2020-29247
WonderCMS 3.1.3 is affected by cross-site scripting (XSS) in the Admin Panel. An attacker can inject an XSS payload in Page keywords; each time any user visits the website, the XSS triggers and the attacker is able to steal the cookie according to the crafted payload.
• http://wondercms.com
• https://systemweakness.com/cve-2020-29247-wondercms-3-1-3-page-persistent-cross-site-scripting-3dd2bb210beb
• https://www.exploit-db.com/exploits/49102
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-5956
https://notcve.org/view.php?id=CVE-2019-5956
Directory traversal vulnerability in WonderCMS 2.6.0 and earlier allows remote attackers to delete arbitrary files via unspecified vectors.
• http://jvn.jp/en/vu/JVNVU93628467/index.html
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2018-14387
https://notcve.org/view.php?id=CVE-2018-14387
An issue was discovered in WonderCMS before 2.5.2. An attacker can create a new session on a web application and record the associated session identifier. The attacker then causes the victim to authenticate against the server using the same session identifier. The attacker can access the user's account through the active session. The Session Fixation attack fixes a session on the victim's browser, so the attack starts before the user logs in.
• https://github.com/robiso/wondercms/issues/64
• https://www.wondercms.com/whatsnew
• CWE-384: Session Fixation