
CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 1

03 Dec 2018 — In Metinfo 6.1.3, include/interface/applogin.php allows setting arbitrary HTTP headers (including the Cookie header), and common.inc.php registers variables from the $_COOKIE array. This issue can, for example, be exploited in conjunction with CVE-2018-19835 to bypass many XSS filters such as the Chrome XSS filter: the payload reaches the vulnerable page through the Cookie header rather than the URL or POST body, so a filter that looks for the reflected payload in the request URL or body never sees it. • https://github.com/imagemlt/metinfo/tree/master/reflected_xss_bypass_chrome • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-732: Incorrect Permission Assignment for Critical Resource CWE-913: Improper Control of Dynamically-Managed Code Resources •

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 1

03 Dec 2018 — Metinfo 6.1.3 has reflected XSS via the admin/column/move.php lang_columnerr4 parameter. • https://github.com/imagemlt/metinfo/tree/master/reflected_xss_bypass_chrome • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 1

07 Nov 2018 — MetInfo 6.1.3 has XSS via the admin/index.php?a=dogetpassword langset parameter. • https://github.com/m3lon/XSS-Expoit/blob/master/METINFO_XSS.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 1

07 Nov 2018 — MetInfo 6.1.3 has XSS via the admin/index.php?a=dogetpassword abt_type parameter. • https://github.com/m3lon/XSS-Expoit/blob/master/METINFO_XSS.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 1

16 Oct 2018 — XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter. • http://mang0.me/archives/a5c61176 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 1

15 Oct 2018 — MetInfo 6.1.2 has XSS via the /admin/index.php bigclass parameter in an n=column&a=doadd action. • http://www.iwantacve.cn/index.php/archives/52 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.9 | EPSS: 0% | CPEs: 1 | EXPL: 1

17 Sep 2018 — MetInfo 6.1.0 has SQL injection in doexport() in app/system/feedback/admin/feedback_admin.class.php via the class1 field. • https://github.com/panghusec/exploit/issues/2 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 4.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

19 Jul 2018 — MetInfo 6.0.0 allows XSS via a modified name of a navigation-bar item, which is rendered on the home page. • https://github.com/AvaterXXX/Metinfo---XSS/blob/master/test • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

19 Jul 2018 — MetInfo 6.0.0 allows a CSRF attack to add a user account via a doaddsave action to admin/index.php, as demonstrated by an admin/index.php?anyid=47&n=admin&c=admin_admin&a=doaddsave URI. The request is not tied to the administrator's session by an anti-CSRF token, so an authenticated administrator who loads an attacker-controlled page can be made to submit it. • https://github.com/AvaterXXX/Metinfo---XSS/blob/master/CSRF • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 7.2 | EPSS: 0% | CPEs: 1 | EXPL: 1

29 Jun 2018 — Metinfo v6.0.0 allows remote attackers to write code into a .php file, and execute that code, via the module parameter to admin/column/save.php in an editor upload action. The referenced write-up presents this as a getshell from the admin back end. • http://www.kingkk.com/2018/06/Metinfo-v6-0-0-getshell-in-background • CWE-434: Unrestricted Upload of File with Dangerous Type •