Page 23 of 201 results (0.003 seconds)

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1

A SQL injection vulnerability exists in Victor CMS V1.0 in the cat_id parameter of the category.php file. This parameter can be used by sqlmap to obtain data information in the database. Se presenta una vulnerabilidad de inyección SQL en Victor CMS versión V1.0, en el parámetro cat_id del archivo category.php. Este parámetro puede ser usado por sqlmap para conseguir información de datos en la base de datos • https://github.com/VictorAlagwu/CMSsite/issues/14 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 9.6EPSS: 1%CPEs: 2EXPL: 1

The SOY Inquiry component of SOY CMS is affected by Cross-site Request Forgery (CSRF) and Remote Code Execution (RCE). The vulnerability affects versions 2.0.0.3 and earlier of SOY Inquiry. This allows remote attackers to force the administrator to edit files once the administrator loads a specially crafted webpage. An administrator must be logged in for exploitation to be possible. This issue is fixed in SOY Inquiry version 2.0.0.4 and included in SOY CMS 3.0.2.328. • https://github.com/inunosinsi/soycms/pull/15 https://github.com/inunosinsi/soycms/security/advisories/GHSA-j2qw-747j-mfv4 https://youtu.be/ffvKH3gwyRE • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 1

KandNconcepts Club CMS 1.1 and 1.2 has cross site scripting via the 'team.php,player.php,club.php' id parameter. KandNconcepts Club CMS versiones 1.1 y 1.2, presenta una vulnerabilidad de tipo cross site scripting por medio del parámetro id de los archivos "team.php, player.php, club.php" • https://packetstormsecurity.com/files/157049/KandNconcepts-Club-CMS-1.1-1.2-Cross-Site-Scripting-SQL-Injection.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 1

KandNconcepts Club CMS 1.1 and 1.2 has SQL Injection via the 'team.php,player.php,club.php' id parameter. KandNconcepts Club CMS versiones 1.1 y 1.2, presenta una inyección SQL por medio del parámetro id de los archivos "team.php, player.php, club.php" • https://packetstormsecurity.com/files/157049/KandNconcepts-Club-CMS-1.1-1.2-Cross-Site-Scripting-SQL-Injection.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0

There is stored cross site scripting (XSS) in Galileo CMS v0.042. Remote authenticated users could inject arbitrary web script or HTML via $page_title in /lib/Galileo/files/templates/page/show.html.ep (aka the PAGE TITLE Field). Se presenta una vulnerabilidad de tipo cross site scripting (XSS) almacenado en Galileo CMS versión v0.042. Los usuarios autenticados remotos pueden inyectar script web o HTML arbitrario por medio de la función $page_title en la biblioteca /lib/Galileo/files/templates/page/show.html.ep (también se conoce como el Campo PAGE TITLE). • https://github.com/jberger/Galileo/pull/55/files https://metacpan.org/changes/distribution/Galileo https://metamorfosec.com/Files/Advisories/METS-2020-002-A_Stored_XSS_Vulnerability_in_Galileo_CMS_v0.042.txt https://metamorfosec.com/Files/Commits/METC-2020-002-Escape_banner_in_Galileo_CMS_v0.042.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •