
CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

An issue discovered in Cuppa CMS versions before 31 Jan 2021 allows authenticated attackers to gain escalated privileges via a crafted POST request using the user_group_id_field parameter. • https://github.com/CuppaCMS/CuppaCMS/issues/12

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

The file manager option in CuppaCMS before 2019-11-12 allows an authenticated attacker to upload a malicious file with an image extension and then, through a custom request using the rename function provided by the file manager, change the image extension to PHP, resulting in remote arbitrary code execution. • https://github.com/CuppaCMS/CuppaCMS/issues/7 • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 5.4 • EPSS: 0% • CPEs: 1 • EXPL: 2

CuppaCMS has XSS via an SVG document uploaded to the administrator/#/component/table_manager/view/cu_views URI. • https://github.com/CuppaCMS/CuppaCMS/issues/3 • https://github.com/security-breachlock/CVE-2018-19918/blob/master/cuppa_svg.pdf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

CuppaCMS before 2018-11-12 has SQL Injection in administrator/classes/ajax/functions.php via the reference_id parameter. • https://github.com/CuppaCMS/CuppaCMS/issues/5 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 4.8 • EPSS: 0% • CPEs: 1 • EXPL: 2

Stored XSS exists in CuppaCMS through 2018-09-03 via an administrator/#/component/table_manager/view/cu_menus section name. • https://github.com/CuppaCMS/CuppaCMS/issues/4 • https://github.com/security-breachlock/CVE-2018-17300/blob/master/cuppa_xss.pdf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')