CVE-2018-18892
https://notcve.org/view.php?id=CVE-2018-18892
MiniCMS 1.10 allows execution of arbitrary PHP code via the install.php sitename parameter, which affects the site_name field in mc_conf.php. • https://github.com/AvaterXXX/MiniCms/blob/master/Command%20Execution.md https://www.patec.cn/newsshow.php?cid=24&id=135 • CWE-94: Improper Control of Generation of Code ('Code Injection')
CVE-2018-18891
https://notcve.org/view.php?id=CVE-2018-18891
MiniCMS 1.10 allows file deletion via /mc-admin/post.php?state=delete&delete= because the authentication check occurs too late. • https://github.com/AvaterXXX/MiniCms/blob/master/Authentication%20and%20Information%20Exposure.md#authentication-vulnerability https://www.patec.cn/newsshow.php?cid=24&id=135 • CWE-287: Improper Authentication
CVE-2018-18890
https://notcve.org/view.php?id=CVE-2018-18890
MiniCMS 1.10 allows full path disclosure via /mc-admin/post.php?state=delete&delete= with an invalid filename. • https://github.com/AvaterXXX/MiniCms/blob/master/Authentication%20and%20Information%20Exposure.md#information-exposure https://www.patec.cn/newsshow.php?cid=24&id=135 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2018-17039
https://notcve.org/view.php?id=CVE-2018-17039
MiniCMS 1.10, when Internet Explorer is used, allows XSS via a crafted URI because $_SERVER['REQUEST_URI'] is mishandled. • https://github.com/bg5sbk/MiniCMS/issues/24 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-16298
https://notcve.org/view.php?id=CVE-2018-16298
An issue was discovered in MiniCMS 1.10. There is an mc-admin/post.php?tag= XSS vulnerability for a state=delete, state=draft, or state=publish request. • https://github.com/bg5sbk/MiniCMS/issues/23 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')