CVE-2021-39500
https://notcve.org/view.php?id=CVE-2021-39500
Eyoucms 1.5.4 is vulnerable to Directory Traversal. Due to a lack of input data sanitization in the tpldir, filename, type and nid parameters, an attacker can inject "../" to escape the intended directory and write files to writable directories. • https://github.com/KietNA-HPT/CVE https://github.com/eyoucms/eyoucms/releases/tag/v1.5.4 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2021-39499
https://notcve.org/view.php?id=CVE-2021-39499
A Cross-site scripting (XSS) vulnerability in Users in Qiong ICP EyouCMS 1.5.4 allows remote attackers to inject arbitrary web script or HTML via the `title` parameter in the bind_email function. • https://github.com/KietNA-HPT/CVE https://github.com/eyoucms/eyoucms/issues/18 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-39497
https://notcve.org/view.php?id=CVE-2021-39497
eyoucms 1.5.4 lacks sanitization of input data, allowing an attacker to inject a URL to trigger blind SSRF via the saveRemote() function. • http://hptcybersec.com/ssrf_PoC.jpg https://github.com/KietNA-HPT/CVE https://github.com/eyoucms/eyoucms/releases/tag/v1.5.4 • CWE-918: Server-Side Request Forgery (SSRF)
CVE-2021-39496
https://notcve.org/view.php?id=CVE-2021-39496
Eyoucms 1.5.4 lacks sanitization of input data, allowing an attacker to inject malicious code into the `filename` parameter to trigger reflected XSS. • https://github.com/KietNA-HPT/CVE https://github.com/eyoucms/eyoucms/releases/tag/v1.5.4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-20645
https://notcve.org/view.php?id=CVE-2020-20645
A Cross Site Scripting (XSS) vulnerability exists in EyouCMS 1.3.6 in the basic_information area. • https://github.com/eyoucms/eyoucms/issues/6 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')