CVE-2020-18877
https://notcve.org/view.php?id=CVE-2020-18877
SQL Injection in Wuzhi CMS v4.1.0 allows remote attackers to obtain sensitive information via the 'flag' parameter in the component '/coreframe/app/order/admin/index.php'. Una inyección SQL en Wuzhi CMS versión v4.1.0, permite a atacantes remotos obtener información confidencial por medio del parámetro "flag" en el componente "/coreframe/app/order/admin/index.php". • https://github.com/wuzhicms/wuzhicms/issues/175 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2020-18654
https://notcve.org/view.php?id=CVE-2020-18654
Cross Site Scripting (XSS) in Wuzhi CMS v4.1.0 allows remote attackers to execute arbitrary code via the "Title" parameter in the component "/coreframe/app/guestbook/myissue.php". Una vulnerabilidad de tipo Cross Site Scripting (XSS) en Wuzhi CMS versión v4.1.0 permite a atacantes remoto ejecutar código arbitrario por medio del parámetro "Title" en el componente "/coreframe/app/guestbook/myissue.php" • https://github.com/wuzhicms/wuzhicms/issues/174 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2020-21590
https://notcve.org/view.php?id=CVE-2020-21590
Directory traversal in coreframe/app/template/admin/index.php in WUZHI CMS 4.1.0 allows attackers to list files in arbitrary directories via the dir parameter. Un Salto de Directorio en el archivo coreframe/app/template/admin/index.php en WUZHI CMS versión 4.1.0, permite a atacantes listar archivos en directorios arbitrarios por medio del parámetro dir. • https://github.com/pwnninja/wuzhicms/issues/1 https://github.com/wuzhicms/wuzhicms/issues/190 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2019-9108
https://notcve.org/view.php?id=CVE-2019-9108
XSS exists in WUZHI CMS 4.1.0 via index.php?m=core&f=map&v=baidumap&x=[XSS]&y=[XSS] to coreframe/app/core/map.php. Existe Cross-Site Scripting (XSS) en WUZHI CMS 4.1.0 mediante index.php?m=coref=mapv=baidumapx=[XSS]y=[XSS] en coreframe/app/core/map.php. • https://gist.github.com/redeye5/ebfef23f0a063b82779151f9cde8e480 https://github.com/wuzhicms/wuzhicms/issues/171 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-20572
https://notcve.org/view.php?id=CVE-2018-20572
WUZHI CMS 4.1.0 allows coreframe/app/coupon/admin/copyfrom.php SQL injection via the index.php?m=promote&f=index&v=search keywords parameter, a related issue to CVE-2018-15893. WUZHI CMS 4.1.0 permite la inyección SQL en coreframe/app/coupon/admin/copyfrom.php mediante el parámetro keywords en index.php?m=promotef=indexv=search. Esto está relacionado con CVE-2018-15893. • https://github.com/wuzhicms/wuzhicms/issues/166 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •