CVE-2018-10026
https://notcve.org/view.php?id=CVE-2018-10026
The WeChat module in YzmCMS 3.7.1 has reflected XSS via the echostr parameter of admin/module/init.html; the sink is the valid function in application/wechat/controller/index.class.php, which echoes the parameter back without output encoding. • https://github.com/SukaraLin/Drops/blob/master/YZMCMSxss.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-8756
https://notcve.org/view.php?id=CVE-2018-8756
Eval injection in yzmphp/core/function/global.func.php in YzmCMS v3.7.1 allows remote attackers to achieve arbitrary code execution via PHP code in the POST data of an index.php?m=member&c=member_content&a=init request. • https://github.com/guiciwushuang/yzmcms/blob/master/yzmcms_eval_injection_chinese.pdf https://github.com/guiciwushuang/yzmcms/blob/master/yzmcms_eval_injection_english.pdf • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2018-8078
https://notcve.org/view.php?id=CVE-2018-8078
YzmCMS 3.7 has stored XSS via the title parameter to advertisement/adver/edit.html; the payload is persisted with the advertisement record and rendered to later viewers. • https://github.com/AlwaysHereFight/YZMCMSxss/blob/master/README.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-7653 – YzmCMS 3.6 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2018-7653
In YzmCMS 3.6, index.php has reflected XSS via the a, c, or m parameter (the routing parameters that select the action, controller and module are reflected into the response unescaped). • https://www.exploit-db.com/exploits/44405 https://github.com/ponyma233/YzmCMS/blob/master/YzmCMS_3.6_bug.md https://packetstormsecurity.com/files/147065/YzmCMS-3.6-Cross-Site-Scripting.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-7579
https://notcve.org/view.php?id=CVE-2018-7579
\application\admin\controller\update_urls.class.php in YzmCMS 3.6 has SQL injection via the catids array parameter to admin/update_urls/update_category_url.html: the array elements are used in the query without being validated as integers or bound as parameters. The endpoint sits under admin/, so exploitation requires an authenticated administrator session (or a CSRF'd one). • http://www.atksec.com/article/yzmcms-v3.6-sqli/index.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
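The five entries above share a small set of request shapes (a handful of YzmCMS routes plus tell-tale parameter values), which makes them easy to triage in web-server access logs after the fact. The script below is an added example written for this page, not code from notcve.org, YzmCMS or any of the linked advisories; the log lines are constructed, and the route and parameter names come only from the CVE descriptions above. Two caveats are built in: access logs do not carry POST bodies, so the flags for CVE-2018-8756 and CVE-2018-8078 only mean "a POST reached the affected endpoint, go and inspect the body", and the catids check for CVE-2018-7579 only sees the query-string form of the array, not a POSTed one.

```python
"""Triage Combined-Log-Format access logs for request shapes matching the
YzmCMS 3.6 / 3.7.1 CVEs listed on this page.  Heuristic only: it flags
requests worth a look, it does not prove exploitation."""
import re
import urllib.parse
from typing import Dict, List, Optional, Tuple

# Combined Log Format: ip ident user [time] "METHOD path PROTO" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Characters / tokens that should never appear in a routing or echo parameter.
XSS_MARKERS = re.compile(r'[<>"\']|javascript:|on\w+=', re.IGNORECASE)


def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one log line, or None if it is not CLF."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def _params(path: str) -> Dict[str, List[str]]:
    """URL-decoded query parameters; blank values kept so 'echostr=' is visible."""
    query = urllib.parse.urlsplit(path).query
    return urllib.parse.parse_qs(query, keep_blank_values=True)


def check_request(method: str, path: str) -> List[str]:
    """Return the CVE ids whose request shape this (method, path) matches."""
    hits: List[str] = []
    route = urllib.parse.urlsplit(path).path.lower()
    params = _params(path)

    # CVE-2018-10026: reflected XSS via echostr on admin/module/init.html
    if route.endswith('admin/module/init.html') and any(
            XSS_MARKERS.search(v) for v in params.get('echostr', [])):
        hits.append('CVE-2018-10026')

    # CVE-2018-8756: eval injection via POST body to m=member&c=member_content&a=init.
    # The body is not in the log, so this only says "inspect the body".
    if (route.endswith('index.php') and method == 'POST'
            and params.get('m') == ['member']
            and params.get('c') == ['member_content']
            and params.get('a') == ['init']):
        hits.append('CVE-2018-8756')

    # CVE-2018-8078: stored XSS via title POSTed to advertisement/adver/edit.html.
    # Again body-only; flag the POST for review.
    if route.endswith('advertisement/adver/edit.html') and method == 'POST':
        hits.append('CVE-2018-8078')

    # CVE-2018-7653: reflected XSS via the a / c / m routing parameters of index.php
    if route.endswith('index.php') and any(
            XSS_MARKERS.search(v) for k in ('a', 'c', 'm') for v in params.get(k, [])):
        hits.append('CVE-2018-7653')

    # CVE-2018-7579: SQLi via the catids[] array; every element should be a plain integer.
    # Query-string form only (catids[]=..., catids[0]=...); a POSTed array is invisible here.
    if route.endswith('admin/update_urls/update_category_url.html'):
        catids = [v for k, vs in params.items() if k.startswith('catids') for v in vs]
        if any(not v.isdigit() for v in catids):
            hits.append('CVE-2018-7579')

    return hits


def scan(lines: List[str]) -> List[Tuple[int, str, List[str]]]:
    """Return (line_number, client_ip, [cve ids]) for every flagged line."""
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse_log_line(line)
        if rec is None:          # not CLF, skip rather than crash on junk
            continue
        hits = check_request(rec['method'], rec['path'])
        if hits:
            findings.append((n, rec['ip'], hits))
    return findings


# Constructed sample log lines (not real traffic); one probe per CVE, one benign
# request and one unparseable line.
LOG_LINES = [
    '203.0.113.5 - - [10/Mar/2018:12:00:01 +0000] "GET /admin/module/init.html?echostr=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2018:12:00:02 +0000] "POST /index.php?m=member&c=member_content&a=init HTTP/1.1" 200 311 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2018:12:00:03 +0000] "POST /advertisement/adver/edit.html HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2018:12:00:04 +0000] "GET /index.php?m=%22%3E%3Csvg/onload=alert(1)%3E&c=index&a=init HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2018:12:00:05 +0000] "GET /admin/update_urls/update_category_url.html?catids[]=1&catids[]=1%27 HTTP/1.1" 200 99 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2018:12:00:06 +0000] "GET /index.php?m=index&c=index&a=init HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    'this line is not in combined log format',
]

if __name__ == '__main__':
    for lineno, ip, cves in scan(LOG_LINES):
        print(f'line {lineno}: {ip} -> {", ".join(cves)}')
```

Run it against a real log with `scan(open(path).read().splitlines())`; anything it flags for the two POST-body CVEs needs the body from a WAF or application log before it counts as more than a hit on the endpoint, and the marker regex is deliberately broad (a value such as `button=1` inside a routing parameter would also trip `on\w+=`), so expect to tune it on your own traffic.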