CVE-2018-11722
https://notcve.org/view.php?id=CVE-2018-11722
WUZHI CMS 4.1.0 has a SQL Injection in api/uc.php via the 'code' parameter, because 'UC_KEY' is hard-coded. • https://github.com/wuzhicms/wuzhicms/issues/141 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2018-10221
https://notcve.org/view.php?id=CVE-2018-10221
An issue was discovered in WUZHI CMS V4.1.0. There is a persistent XSS vulnerability that can steal the administrator cookies via the tag[tag] parameter to the index.php?m=tags&f=index&v=add&&_su=wuzhicms URI. After a website editor (whose privilege is lower than the administrator's) logs in, he can add a new TAGS entry with the XSS payload. • https://github.com/wuzhicms/wuzhicms/issues/129 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-9926 – WUZHI CMS 4.1.0 - Cross-Site Request Forgery (Add Admin)
https://notcve.org/view.php?id=CVE-2018-9926
An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF vulnerability that can add an admin account via index.php?m=core&f=power&v=add. • https://www.exploit-db.com/exploits/44439 http://www.iwantacve.cn/index.php/archives/6 https://github.com/wuzhicms/wuzhicms/issues/128 • CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2018-9927 – Wuzhi CMS 4.1.0 Add User Cross Site Request Forgery
https://notcve.org/view.php?id=CVE-2018-9927
An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF vulnerability that can add a user account via index.php?m=member&f=index&v=add. • http://www.iwantacve.cn/index.php/archives/7 https://github.com/wuzhicms/wuzhicms/issues/128 • CWE-352: Cross-Site Request Forgery (CSRF)