CVE-2017-14521 – Wonder CMS 2.3.1 - Unrestricted File Upload
https://notcve.org/view.php?id=CVE-2017-14521
In WonderCMS 2.3.1, the upload functionality accepts random application extensions and leads to malicious File Upload. En WonderCMS 2.3.1, la funcionalidad de subida acepta extensiones de aplicación aleatorias y conduce a la subida de archivos maliciosa. Wonder CMS version 2.3.1 suffers from an unrestricted file upload vulnerability. • https://www.exploit-db.com/exploits/43963 https://securitywarrior9.blogspot.in/2018/01/vulnerability-in-wonder-cms-leading-to.html • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2017-14523 – Wonder CMS 2.3.1 - 'Host' Header Injection
https://notcve.org/view.php?id=CVE-2017-14523
WonderCMS 2.3.1 is vulnerable to an HTTP Host header injection attack. It uses user-entered values to redirect pages. NOTE: the vendor reports that exploitation is unlikely because the attack can only come from a local machine or from the administrator as a self attack ** EN DISPUTA ** WonderCMS 2.3.1 es vulnerable a un ataque de inyección de cabeceras de host HTTP. Emplea valores introducidos por el usuario para redireccionar páginas. NOTA: el fabricante reporta que es improbable explotar esta vulnerabilidad debido a que el ataque solo puede venir desde un equipo local o desde el administrador como un autoataque. • https://www.exploit-db.com/exploits/43964 https://securitywarrior9.blogspot.in/2018/01/host-header-injection-in-wonder-cms.html • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVE-2017-7951
https://notcve.org/view.php?id=CVE-2017-7951
WonderCMS before 2.0.3 has CSRF because of lack of a token in an unspecified context. WonderCMS en versiones anteriores a 2.0.3 tiene CSRF debido a la falta de un token en un contexto no especificado. • https://github.com/robiso/wondercms/releases/tag/2.0.3 https://www.wondercms.com/forum/viewtopic.php?f=8&p=1684 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2011-5317
https://notcve.org/view.php?id=CVE-2011-5317
Cross-site scripting (XSS) vulnerability in editText.php in WonderCMS before 0.4 allows remote attackers to inject arbitrary web script or HTML via the content parameter. Vulnerabilidad de XSS en editText.php en WonderCMS anterior a 0.4 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro content. • https://www.htbridge.com/advisory/HTB22759 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •