CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2019-17417
https://notcve.org/view.php?id=CVE-2019-17417
PbootCMS 2.0.2 allows XSS via vectors involving the Pboot/admin.php?p=/Single/index/mcode/1 and Pboot/?contact/ URIs. PbootCMS versión 2.0.2, permite un ataque de tipo XSS por medio de vectores que involucran los URIs Pboot/admin.php?p=/Single/index/mcode/1 y Pboot/? • https://github.com/lolipop1234/XXD/issues/2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2019-8422
https://notcve.org/view.php?id=CVE-2019-8422
A SQL Injection vulnerability exists in PbootCMS v1.3.2 via the description parameter in apps\admin\controller\content\ContentController.php. Existe una vulnerabilidad de inyección SQL en PbootCMS v1.3.2 mediante el parámetro description en apps\admin\controller\content\ContentController.php. • https://github.com/wowwooo/vnotes/blob/master/PbootCMS%20SQL%20Injection%20Description.md • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2019-7570
https://notcve.org/view.php?id=CVE-2019-7570
A CSRF vulnerability was found in PbootCMS v1.3.6 that can delete users via an admin.php/User/del/ucode/ URI. Se ha detectado una vulnerabilidad Cross-Site Request Forgery (CSRF) en PbootCMS v1.3.6 que puede eliminar usuarios mediante un URI admin.php/User/del/ucode/. • https://blog.csdn.net/yangfan0502/article/details/86189065 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-19893
https://notcve.org/view.php?id=CVE-2018-19893
SearchController.php in PbootCMS 1.2.1 has SQL injection via the index.php/Search/index.html query string. SearchController.php en PbootCMS 1.2.1 tiene una inyección SQL mediante la cadena de consulta en index.php/Search/index.html. • https://github.com/Pbootcms/Pbootcms/issues/3 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 4%CPEs: 1EXPL: 1CVE-2018-19595
https://notcve.org/view.php?id=CVE-2018-19595
PbootCMS V1.3.1 build 2018-11-14 allows remote attackers to execute arbitrary code via use of "eval" with mixed case, as demonstrated by an index.php/list/5/?current={pboot:if(evAl($_GET[a]))}1{/pboot:if}&a=phpinfo(); URI, because of an incorrect apps\home\controller\ParserController.php parserIfLabel protection mechanism. PbootCMS V1.3.1, en su build del 14/11/2018, permite que los atacantes remotos ejecuten código arbitrario mediante el uso de "eval" con un caso mixto, tal y como queda demostrado con una URI index.php/list/5/?current={pboot:if(evAl($_GET[a]))}1{/pboot:if}a=phpinfo();. Esto se debe a un mecanismo de protección parserIfLabel incorrecto en apps\home\controller\ParserController.php. • http://www.ttk7.cn/post-107.html https://www.pbootcms.com/changelog.html https://www.pbootcms.com/content/139.html • CWE-94: Improper Control of Generation of Code ('Code Injection') •