CVE-2015-1603
https://notcve.org/view.php?id=CVE-2015-1603
Multiple cross-site scripting (XSS) vulnerabilities in Adminsystems CMS before 4.0.2 allow remote attackers to inject arbitrary web script or HTML via the (1) page parameter to index.php or (2) id parameter in a users_users action to asys/site/system.php. Múltiples vulnerabilidades de XSS en Adminsystems CMS anterior a 4.0.2 permiten a atacantes remotos inyectar secuencias de comandos web arbitrarios o HTML a través (1) del parámetro page en index.php o (2) del parámetro id en una acción users_users en asys/site/system.php. • http://packetstormsecurity.com/files/130394/Landsknecht-Adminsystems-CMS-4.0.1-CSRF-XSS-File-Upload.html http://seclists.org/fulldisclosure/2015/Feb/50 http://sroesemann.blogspot.de/2015/01/sroeadv-2015-14.html http://sroesemann.blogspot.de/2015/02/report-for-advisory-sroeadv-2015-14.html http://www.openwall.com/lists/oss-security/2015/02/13/11 http://www.openwall.com/lists/oss-security/2015/02/14/1 http://www.openwall.com/lists/oss-security/2015/02/14/5 http://www • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2015-1604
https://notcve.org/view.php?id=CVE-2015-1604
Unrestricted file upload vulnerability in asys/site/files.php in Adminsystems CMS before 4.0.2 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in upload/files/. Vulnerabilidad de la subida de ficheros sin restricciones en asys/site/files.php en Adminsystems CMS anterior a 4.0.2 permite a usuarios remotos autenticados ejecutar código arbitrario mediante la subida de un fichero con una extensión ejecutable y posteriormente accediendo a ello a través de una solicitud directa al fichero en upload/files/. • http://packetstormsecurity.com/files/130394/Landsknecht-Adminsystems-CMS-4.0.1-CSRF-XSS-File-Upload.html http://seclists.org/fulldisclosure/2015/Feb/50 http://sroesemann.blogspot.de/2015/02/report-for-advisory-sroeadv-2015-14.html http://www.openwall.com/lists/oss-security/2015/02/13/11 http://www.openwall.com/lists/oss-security/2015/02/14/1 http://www.openwall.com/lists/oss-security/2015/02/14/5 http://www.securityfocus.com/bid/72605 https://github.com/kneecht/admins • CWE-20: Improper Input Validation •