3 results (0.002 seconds)

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

In ExpressionEngine before 7.2.6, remote code execution can be achieved by an authenticated Control Panel user. • https://docs.expressionengine.com/latest/installation/changelog.html https://gist.github.com/ahmedsherif/7b8f18a54a80ae0ac5ff6307c35b7d43 https://hackerone.com/reports/1820492 •

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

In ExpressionEngine before 6.0.3, addonIcon in Addons/file/mod.file.php relies on the untrusted input value of input->get('file') instead of the fixed file names icon.png and icon.svg. • https://github.com/ExpressionEngine/ExpressionEngine/compare/6.0.1...6.0.3#diff-17bcb23e5666fc2dccb79c7133e9eeb701847f67ae84fbde0a673c3fd3d109e0R508 https://github.com/ExpressionEngine/ExpressionEngine/releases/tag/6.0.3 • CWE-20: Improper Input Validation •
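The entry above describes a handler that serves whatever file name arrives in the `file` query parameter rather than one of two fixed icon names. The following is an added illustration of that bug class and of the allowlist fix it implies; it is not ExpressionEngine's code, and the function names, the on-disk layout and the query array are assumptions made for the demo.

```php
<?php
// Added illustration, not ExpressionEngine's code: a hypothetical add-on icon
// handler that takes the file name from the query string, next to one that only
// serves the two fixed names the fix implies. Function names, the on-disk layout
// and the query array are assumptions for the demo.

declare(strict_types=1);

// Untrusted pattern: the requested name is joined to the add-on directory as-is,
// so a value such as "../secret.txt" resolves outside the add-on's directory.
function addon_icon_untrusted(string $addonDir, array $query): ?string
{
    $file = (string) ($query['file'] ?? 'icon.png');
    $path = $addonDir . '/' . $file;
    return is_file($path) ? $path : null;
}

// Hardened pattern: the name is matched against a fixed allowlist before the
// filesystem is touched; anything else is refused.
function addon_icon_allowlisted(string $addonDir, array $query): ?string
{
    static $allowed = ['icon.png', 'icon.svg'];
    $file = (string) ($query['file'] ?? 'icon.png');
    if (!in_array($file, $allowed, true)) {
        return null;
    }
    $path = $addonDir . '/' . $file;
    return is_file($path) ? $path : null;
}

// Constructed layout: an add-on directory holding icon.png, and a file one
// level above it that an icon request must never be able to reach.
$base = sys_get_temp_dir() . '/ee_icon_demo_' . getmypid();
mkdir($base . '/addon', 0700, true);
file_put_contents($base . '/addon/icon.png', 'PNG');
file_put_contents($base . '/secret.txt', 'not-an-icon');

$traversal = ['file' => '../secret.txt'];
printf("untrusted:   %s\n", addon_icon_untrusted($base . '/addon', $traversal) ?? 'refused');
printf("allowlisted: %s\n", addon_icon_allowlisted($base . '/addon', $traversal) ?? 'refused');
printf("allowlisted: %s\n", addon_icon_allowlisted($base . '/addon', ['file' => 'icon.png']) ?? 'refused');

// Clean up the constructed files.
unlink($base . '/addon/icon.png');
unlink($base . '/secret.txt');
rmdir($base . '/addon');
rmdir($base);
```

With the traversal request the untrusted handler returns the path of the sibling `secret.txt`, while the allowlisted handler refuses it and only ever resolves `icon.png` or `icon.svg`. The point of the allowlist is that the check is on the exact name, not on a sanitized path: stripping `..` or calling `realpath()` would still leave the door open to any other file inside the directory, which is more than an icon endpoint should ever serve.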

CVSS: 8.8 | EPSS: 14% | CPEs: 2 | EXPL: 2

ExpressionEngine before 5.4.2 and 6.x before 6.0.3 allows PHP Code Injection by certain authenticated users who can leverage Translate::save() to write to an _lang.php file under the system/user/language directory. ExpressionEngine versions 6.0.2 and below suffer from a Translate::save PHP code injection vulnerability. • http://karmainsecurity.com/KIS-2021-03 http://packetstormsecurity.com/files/161805/ExpressionEngine-6.0.2-PHP-Code-Injection.html http://seclists.org/fulldisclosure/2021/Mar/32 https://expressionengine.com/features https://hackerone.com/reports/1093444 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
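The entry above is a code-injection bug where user-supplied translation strings end up inside a `_lang.php` file that the application later includes. The following is an added illustration of that bug class, not ExpressionEngine's own Translate::save() code: a hypothetical translation writer that interpolates the submitted value straight into PHP source, beside one that emits a proper string literal with var_export(). File names, function names and the `$GLOBALS` marker are assumptions made for the demo.

```php
<?php
// Added illustration, not ExpressionEngine's code: a hypothetical translation
// editor that serializes submitted strings into a *_lang.php file, shown with
// the raw interpolation that lets a value break out of its string literal, and
// with var_export() producing a safe literal instead. File names and the
// $GLOBALS marker are assumptions for the demo.

declare(strict_types=1);

// Untrusted pattern: the value is dropped straight between single quotes, so a
// value containing a quote terminates the literal and the rest is PHP code.
function build_lang_file_untrusted(array $translations): string
{
    $src = "<?php\n\$lang = array(\n";
    foreach ($translations as $key => $value) {
        $src .= "    '" . $key . "' => '" . $value . "',\n";
    }
    return $src . ");\n";
}

// Hardened pattern: var_export() escapes quotes and backslashes, so the value
// always lands inside a single string literal however it is crafted.
function build_lang_file_safe(array $translations): string
{
    $src = "<?php\n\$lang = array(\n";
    foreach ($translations as $key => $value) {
        $src .= '    ' . var_export((string) $key, true)
              . ' => ' . var_export((string) $value, true) . ",\n";
    }
    return $src . ");\n";
}

// Writes the generated file and includes it the way a language file would be
// loaded; returns true if the injected expression ran during the include.
function include_runs_injection(string $src): bool
{
    unset($GLOBALS['ee_demo_injected']);
    $tmp  = tempnam(sys_get_temp_dir(), 'lang_');
    $path = $tmp . '.php';
    file_put_contents($path, $src);
    include $path;
    unlink($path);
    unlink($tmp);
    return isset($GLOBALS['ee_demo_injected']);
}

// Constructed malicious translation: closes the literal, runs an assignment as
// a stand-in for an arbitrary call such as system(), then reopens the literal.
$submitted = ['greeting' => "hi'.(\$GLOBALS['ee_demo_injected'] = true).'"];

$untrusted = build_lang_file_untrusted($submitted);
$safe      = build_lang_file_safe($submitted);

echo $untrusted, "\n", $safe, "\n";
var_dump(include_runs_injection($untrusted));
var_dump(include_runs_injection($safe));
```

Including the untrusted file runs the embedded assignment, so `include_runs_injection()` returns true for it and false for the var_export() version, where the same bytes are just the text of the translation. The assignment is a harmless stand-in; in the real bug class the same position can hold any PHP expression, which is why the page rates this as code injection (CWE-94) rather than a mere input-validation issue. Beyond escaping, a writer like this should also restrict which users may edit translations and keep the generated file out of any directory the web server executes from, since escaping only protects the string literal and not the decision to generate PHP from user input at all.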