CVE-2021-3376
https://notcve.org/view.php?id=CVE-2021-3376
An issue was discovered in Cuppa CMS Versions Before 31 Jan 2021 allows authenticated attackers to gain escalated privileges via a crafted POST request using the user_group_id_field parameter. Se ha detectado un problema en Cuppa CMS versiones anteriores al 31 de enero de 2021, que permite a atacantes autenticados conseguir privilegios por medio de una petición POST manipulada usando el parámetro user_group_id_field • https://github.com/CuppaCMS/CuppaCMS/issues/12 •
CVE-2020-26048
https://notcve.org/view.php?id=CVE-2020-26048
The file manager option in CuppaCMS before 2019-11-12 allows an authenticated attacker to upload a malicious file within an image extension and through a custom request using the rename function provided by the file manager is able to modify the image extension into PHP resulting in remote arbitrary code execution. La opción file manager en CuppaCMS versiones anteriores al 12-11-2019, permite a un atacante autenticado cargar un archivo malicioso dentro de una extensión de imagen y, por medio de una petición personalizada, usando la función rename proporcionada mediante el administrador de archivos, es capaz de modificar la extensión de la imagen a PHP, resultando en una ejecución de código arbitraria remota • https://github.com/CuppaCMS/CuppaCMS/issues/7 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2018-19918
https://notcve.org/view.php?id=CVE-2018-19918
CuppaCMS has XSS via an SVG document uploaded to the administrator/#/component/table_manager/view/cu_views URI. CuppaCMS tiene Cross-Site Scripting (XSS) mediante un documento SVG cargado al URI "administrator/#/component/table_manager/view/cu_views". • https://github.com/CuppaCMS/CuppaCMS/issues/3 https://github.com/security-breachlock/CVE-2018-19918/blob/master/cuppa_svg.pdf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-19559
https://notcve.org/view.php?id=CVE-2018-19559
CuppaCMS before 2018-11-12 has SQL Injection in administrator/classes/ajax/functions.php via the reference_id parameter. CuppaCMS, en versiones anteriores a la 12/11/2018, tiene inyección SQL en administrator/classes/ajax/functions.php mediante el parámetro reference_id. • https://github.com/CuppaCMS/CuppaCMS/issues/5 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2018-17300
https://notcve.org/view.php?id=CVE-2018-17300
Stored XSS exists in CuppaCMS through 2018-09-03 via an administrator/#/component/table_manager/view/cu_menus section name. Existe Cross-Site Scripting (XSS) persistente en CuppaCMS hasta el 03/09/2018 mediante un nombre de sección en administrator/#/component/table_manager/view/cu_menus. • https://github.com/CuppaCMS/CuppaCMS/issues/4 https://github.com/security-breachlock/CVE-2018-17300/blob/master/cuppa_xss.pdf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •