CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2022-3950 – sanluan PublicCMS Tab dwz.min.js initLink cross site scripting
https://notcve.org/view.php?id=CVE-2022-3950
11 Nov 2022 — A vulnerability, which was classified as problematic, was found in sanluan PublicCMS. Affected is the function initLink of the file dwz.min.js of the component Tab Handler. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. The name of the patch is a972dc9b1c94aea2d84478bf26283904c21e4ca2. • https://github.com/sanluan/PublicCMS/commit/a972dc9b1c94aea2d84478bf26283904c21e4ca2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-707: Improper Neutralization •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2021-27693
https://notcve.org/view.php?id=CVE-2021-27693
02 Sep 2022 — Server-side Request Forgery (SSRF) vulnerability in PublicCMS before 4.0.202011.b via /publiccms/admin/ueditor when the action is catchimage. Una vulnerabilidad de tipo Server-side Request Forgery (SSRF) en PublicCMS versiones anteriores a 4.0.202011.b, por medio de /publiccms/admin/ueditor cuando la acción es catchimage • https://github.com/sanluan/PublicCMS/commit/0f4c4872914b6a71305e121a7d9a19c07cde0338 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1CVE-2022-29784
https://notcve.org/view.php?id=CVE-2022-29784
03 Jun 2022 — PublicCMS V4.0.202204.a and below contains an information leak via the component /views/directive/sys/SysConfigDataDirective.java. PublicCMS versiones V4.0.202204.a y anteriores, contienen un filtrado de información por medio del componente /views/directive/sys/SysConfigDataDirective.java • https://github.com/JinYiTong/CVE-Req/blob/main/publiccms/publiccms.md •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-23389
https://notcve.org/view.php?id=CVE-2022-23389
14 Feb 2022 — PublicCMS v4.0 was discovered to contain a remote code execution (RCE) vulnerability via the cmdarray parameter. Se ha detectado que PublicCMS versión v4.0 contiene una vulnerabilidad de ejecución de código remota (RCE) por medio del parámetro cmdarray • https://github.com/sanluan/PublicCMS/issues/59 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2021-40881
https://notcve.org/view.php?id=CVE-2021-40881
15 Sep 2021 — An issue in the BAT file parameters of PublicCMS v4.0 allows attackers to execute arbitrary code. Un problema en los parámetros BAT file de PublicCMS versión v4.0, permite a atacantes ejecutar código arbitrario • https://github.com/sanluan/PublicCMS/issues/57 •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2020-21333
https://notcve.org/view.php?id=CVE-2020-21333
09 Jul 2021 — Cross Site Scripting (XSS) vulnerability in PublicCMS 4.0 to get an admin cookie when the Administrator reviews submit case. Una vulnerabilidad de tipo Cross Site Scripting (XSS) en PublicCMS versión 4.0, para obtener una cookie de administrador cuando el administrador revisa el envío de un caso • https://github.com/sanluan/PublicCMS/issues/27 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-18927
https://notcve.org/view.php?id=CVE-2018-18927
04 Nov 2018 — An issue was discovered in PublicCMS V4.0. It allows XSS by modifying the page_list "attached" attribute (which typically has 'class="icon-globe icon-large"' in its value), as demonstrated by an 'UPDATE sys_module SET attached = "[XSS]" WHERE id="page_list"' statement. Se ha descubierto un problema en PublicCMS V4.0. Permite Cross-Site Scripting (XSS) modificando el atributo "attached" de page_list (que normalmente tiene 'class="icon-globe icon-large"' en su valor), tal y como queda demostrado con una instr... • https://github.com/sanluan/PublicCMS/issues/22 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1CVE-2018-17368
https://notcve.org/view.php?id=CVE-2018-17368
23 Sep 2018 — An issue was discovered in PublicCMS V4.0.180825. For an invalid login attempt, the response length is different depending on whether the username is valid, which makes it easier to conduct brute-force attacks. Se ha descubierto un problema en PublicCMS V4.0.180825. Para un intento de inicio de sesión no válido, la longitud de la respuesta es diferente dependiendo de si el nombre de usuario es válido, lo que hace que sea más fácil realizar ataques de fuerza bruta. • https://github.com/sanluan/PublicCMS/issues/18 •
CVSS: 9.8EPSS: 6%CPEs: 1EXPL: 1CVE-2018-12914
https://notcve.org/view.php?id=CVE-2018-12914
27 Jun 2018 — A remote code execution issue was discovered in PublicCMS V4.0.20180210. An attacker can upload a ZIP archive that contains a .jsp file with a directory traversal pathname. After an unzip operation, the attacker can execute arbitrary code by visiting a .jsp URI. Se ha descubierto un problema de ejecución remota de código en PublicCMS V4.0.20180210. Un atacante puede subir un archivo ZIP que contiene un archivo .jsp con un nombre de ruta con un salto de directorio. • https://github.com/sanluan/PublicCMS/issues/13 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2018-12494
https://notcve.org/view.php?id=CVE-2018-12494
15 Jun 2018 — An issue was discovered in PublicCMS V4.0.20180210. There is a "Directory Traversal" and "Arbitrary file read" vulnerability via an admin/cmsTemplate/content.html?path=../ URI. Se ha descubierto un problema en PublicCMS V4.0.20180210. Hay vulnerabilidades de salto de directorio y lectura de archivos arbitrarios mediante un URI admin/cmsTemplate/content.html? • https://github.com/sanluan/PublicCMS/issues/12 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •