
CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

In ExpressionEngine before 7.2.6, remote code execution can be achieved by an authenticated Control Panel user.

• https://docs.expressionengine.com/latest/installation/changelog.html
• https://gist.github.com/ahmedsherif/7b8f18a54a80ae0ac5ff6307c35b7d43
• https://hackerone.com/reports/1820492

CVSS: 7.2 • EPSS: 0% • CPEs: 1 • EXPL: 0

Unsanitized user input in ExpressionEngine <= 5.4.0 control panel member creation leads to an SQL injection. The user needs member creation/admin control panel access to execute the attack.

• https://hackerone.com/reports/968240
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

In Expression Engine before 6.0.3, addonIcon in Addons/file/mod.file.php relies on the untrusted input value of input->get('file') instead of the fixed file names of icon.png and icon.svg.

• https://github.com/ExpressionEngine/ExpressionEngine/compare/6.0.1...6.0.3#diff-17bcb23e5666fc2dccb79c7133e9eeb701847f67ae84fbde0a673c3fd3d109e0R508
• https://github.com/ExpressionEngine/ExpressionEngine/releases/tag/6.0.3
• CWE-20: Improper Input Validation

CVSS: 8.8 • EPSS: 14% • CPEs: 2 • EXPL: 2

ExpressionEngine before 5.4.2 and 6.x before 6.0.3 allows PHP Code Injection by certain authenticated users who can leverage Translate::save() to write to an _lang.php file under the system/user/language directory.

ExpressionEngine versions 6.0.2 and below suffer from a Translate::save PHP code injection vulnerability.

• http://karmainsecurity.com/KIS-2021-03
• http://packetstormsecurity.com/files/161805/ExpressionEngine-6.0.2-PHP-Code-Injection.html
• http://seclists.org/fulldisclosure/2021/Mar/32
• https://expressionengine.com/features
• https://hackerone.com/reports/1093444
• CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

ExpressionEngine before 5.3.2 allows remote attackers to upload and execute arbitrary code in a .php%20 file via Compose Msg, Add attachment, and Save As Draft actions. A user with low privileges (member) is able to upload this. It is possible to bypass the MIME type check and file-extension check while uploading new files. Short aliases are not used for an attachment; instead, direct access is allowed to the uploaded files. It is possible to upload PHP only if one has member access, or registration/forum is enabled and one can create a member with the default group id of 5.

• https://expressionengine.com/blog
• https://gist.github.com/mariuszpoplwski/51604d8a6d7d78fffdf590c25e844e09
• CWE-434: Unrestricted Upload of File with Dangerous Type