
CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

10 Dec 2018 — YzmCMS v5.2 has admin/role/add.html CSRF. • https://github.com/Jxysir/YZM-CSRF- • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 4.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

04 Dec 2018 — An issue was discovered in YzmCMS 5.2. XSS exists via the admin/content/search.html searinfo parameter. • https://github.com/yzmcms/yzmcms/issues/8 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 1

07 Nov 2018 — An issue was discovered in YzmCMS v5.2. It has XSS via a search/index/archives/pubtime/ query string, as demonstrated by the search/index/archives/pubtime/1526387722/page/1.html URI. NOTE: this does not obtain a user's cookie. • https://github.com/yzmcms/yzmcms/issues/7 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 4.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

14 Sep 2018 — In YzmCMS 5.1, stored XSS exists via the admin/system_manage/user_config_add.html title parameter. • https://github.com/yzmcms/yzmcms/issues/3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

05 Jun 2018 — The forgotten-password feature in index.php/member/reset/reset_email.html in YzmCMS v3.2 through v3.7 has a Response Discrepancy Information Exposure issue and an unexpectedly long lifetime for a verification code, which makes it easier for remote attackers to hijack accounts via a brute-force approach. • https://github.com/littleheary/-YzmCMS-User-Traversal-Vulnerability/blob/master/README.md • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 6.8 • EPSS: 0% • CPEs: 1 • EXPL: 2

19 Apr 2018 — An issue was discovered in YzmCMS 3.8. There is a CSRF vulnerability that can add a tag via /index.php/admin/tag/add.html. • http://www.8sec.cc/archives/601 • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 6.8 • EPSS: 0% • CPEs: 1 • EXPL: 2

19 Apr 2018 — An issue was discovered in YzmCMS 3.8. There is a CSRF vulnerability that can add an admin account via /index.php/admin/admin_manage/add.html. • http://www.8sec.cc/archives/596 • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 4.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

11 Apr 2018 — The WeChat module in YzmCMS 3.7.1 has reflected XSS via the admin/module/init.html echostr parameter, related to the valid function in application/wechat/controller/index.class.php. • https://github.com/SukaraLin/Drops/blob/master/YZMCMSxss.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.2 • EPSS: 0% • CPEs: 1 • EXPL: 1

18 Mar 2018 — Eval injection in yzmphp/core/function/global.func.php in YzmCMS v3.7.1 allows remote attackers to achieve arbitrary code execution via PHP code in the POST data of an index.php?m=member&c=member_content&a=init request. • https://github.com/guiciwushuang/yzmcms/blob/master/yzmcms_eval_injection_chinese.pdf • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 5.4 • EPSS: 0% • CPEs: 1 • EXPL: 2

13 Mar 2018 — YzmCMS 3.7 has Stored XSS via the title parameter to advertisement/adver/edit.html. • https://github.com/Jx0n0/YZMCMSxss • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')