CVSS: 9.9EPSS: 78%CPEs: 23EXPL: 3CVE-2020-7357 – Cayin CMS Command Injection
https://notcve.org/view.php?id=CVE-2020-7357
18 Jun 2020 — Cayin CMS suffers from an authenticated OS semi-blind command injection vulnerability using default credentials. This can be exploited to inject and execute arbitrary shell commands as the root user through the 'NTP_Server_IP' HTTP POST parameter in system.cgi page. This issue affects several branches and versions of the CMS application, including CME-SE, CMS-60, CMS-40, CMS-20, and CMS version 8.2, 8.0, and 7.5. Cayin CMS sufre de una vulnerabilidad de inyección de comando semi-ciega autenticada del Sistem... • https://packetstorm.news/files/id/158139 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2019-11198
https://notcve.org/view.php?id=CVE-2019-11198
05 Aug 2019 — Multiple cross-site scripting (XSS) vulnerabilities in Sitecore CMS 9.0.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) #300583 - List Manager Dashboard module, (2) #307638 - Campaign Creator module, (3) #316994 - Attributes field, (4) I#316995 - Icon Selection module, (5) #317000 - Latitude field, (6) #317000 - Longitude field, (7) #317017 - UploadPackage2.aspx module, (8) #317072 - Context menu, or (9) I#317073 - Insert from Template dialog. Múltiples vulnerabilidad... • https://dev.sitecore.net/Downloads/Sitecore%20Experience%20Platform/92/Sitecore%20Experience%20Platform%2092%20Initial%20Release/Release%20Notes • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 14%CPEs: 1EXPL: 1CVE-2019-9875 – Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability
https://notcve.org/view.php?id=CVE-2019-9875
31 May 2019 — Deserialization of Untrusted Data in the anti CSRF module in Sitecore through 9.1 allows an authenticated attacker to execute arbitrary code by sending a serialized .NET object in an HTTP POST parameter. La deserialización de datos no confiables en el módulo anti CSRF en Sitecore hasta la versón 9.1, permite a un atacante identificado ejecutar código arbitrario mediante el envío un objeto .NET serializado dentro de un parámetro POST de HTTP. Sitecore CMS and Experience Platform (XP) contain a deserializatio... • https://dev.sitecore.net/Downloads.aspx • CWE-502: Deserialization of Untrusted Data •