CVE-2019-6779
https://notcve.org/view.php?id=CVE-2019-6779
Cscms 4.1.8 allows admin.php/links/save CSRF to add, modify, or delete friend links. • https://github.com/chshcms/cscms/issues/3 • CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2018-17125
https://notcve.org/view.php?id=CVE-2018-17125
CScms 4.1 allows arbitrary directory deletion via a dir=..\\ substring to plugins\sys\admin\Plugins.php. • https://github.com/AvaterXXX/CScms/blob/master/CScms_dirdel.md • https://www.patec.cn/newsshow.php?cid=24&id=125 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2018-17126
https://notcve.org/view.php?id=CVE-2018-17126
CScms 4.1 allows remote code execution, as demonstrated by 1');eval($_POST[cmd]);# in Web Name to upload\plugins\sys\Install.php. • https://github.com/AvaterXXX/CScms/blob/master/CScms_xss.md#cscms_getshell • https://www.patec.cn/newsshow.php?cid=24&id=125 • CWE-94: Improper Control of Generation of Code ('Code Injection')
CVE-2018-16730
https://notcve.org/view.php?id=CVE-2018-16730
\upload\plugins\sys\Install.php in CScms 4.1 has XSS via the site name. • https://github.com/AvaterXXX/CScms/blob/master/CScms_xss.md • https://www.patec.cn/newsshow.php?cid=24&id=123 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-16731
https://notcve.org/view.php?id=CVE-2018-16731
CScms 4.1 allows arbitrary file upload by (for example) adding the php extension to the default filetype list (gif, jpg, png), and then providing a .php pathname within fileurl JSON data. • https://github.com/AvaterXXX/CScms/blob/master/CScms_up.md • https://www.patec.cn/newsshow.php?cid=24&id=123 • CWE-434: Unrestricted Upload of File with Dangerous Type