
CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

29 Apr 2024 — An issue in hisiphp v2.0.111 allows a remote attacker to execute arbitrary code via a crafted script passed to the SystemPlugins::mkInfo parameter in the SystemPlugins.php component. • https://gist.github.com/LioTree/04a4ece38df53af4027d52b2aeb7aff6 • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 7.2 | EPSS: 0% | CPEs: 1 | EXPL: 1

04 Apr 2022 — An Access Control vulnerability exists in HisiPHP 2.0.11 via specially constructed packages that are processed in $files = Dir::getList($decompath. '/ Upload/Plugins /, which could let a remote malicious user execute arbitrary code. • https://github.com/hisiphp/hisiphp/issues/10 • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 1

21 Jun 2021 — Cross Site Scripting (XSS) vulnerability in HisiPHP 2.0.8 via the group name in addgroup.html. • https://github.com/hisiphp/hisiphp/issues/7 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 1

24 Jul 2019 — hisiphp 1.0.8 is affected by Cross Site Scripting (XSS). • https://github.com/hisiphp/hisiphp/issues/3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

01 Oct 2018 — HisiPHP 1.0.8 allows CSRF via admin.php/admin/user/adduser.html to add an administrator account. The attacker can then use that account to execute arbitrary PHP code by leveraging app/common/model/AdminAnnex.php to add .php to the default list of allowable file-upload types (.jpg, .png, .gif, .jpeg, and .ico). • https://github.com/rakjong/vuln/blob/master/hisiphp_getshell.pdf • CWE-352: Cross-Site Request Forgery (CSRF)
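The entry above chains two weaknesses: a state-changing admin request with no anti-forgery token, and an upload allow-list that an administrator can extend with an executable extension. The following is an added example, not HisiPHP's code, showing the two controls that break that chain: a per-session CSRF token checked in constant time, and an upload check in which the admin-configurable allow-list is bounded by a fixed server-side deny-list of script-interpretable extensions. The extension list, the session layout and all file names are assumptions constructed for the demonstration.

```php
<?php
// Added example, not HisiPHP code. Shows a CSRF token that admin requests must
// carry, and an upload check where the configurable allow-list can never
// re-enable extensions the server would execute. Everything here is assumed.

// Extensions PHP or the web server may interpret: a typical but hypothetical
// baseline that no admin setting can override.
const EXECUTABLE_EXT = [
    'php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar', 'phps', 'htaccess',
];

// Per-session anti-CSRF token: generated once, compared with hash_equals().
function csrfToken(array &$session): string
{
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

function csrfValid(array $session, ?string $submitted): bool
{
    return isset($session['csrf']) && is_string($submitted)
        && hash_equals($session['csrf'], $submitted);
}

// Upload extension check. Every dotted segment after the base name is tested
// against the deny-list, so "shell.php.jpg" and ".htaccess" are rejected even
// when an admin has added "php" to $adminAllowList.
function isUploadAllowed(string $filename, array $adminAllowList): bool
{
    $parts = explode('.', strtolower(basename($filename)));
    if (count($parts) < 2) {
        return false;                       // no extension at all
    }
    array_shift($parts);                    // drop the base name
    foreach ($parts as $ext) {
        if (in_array($ext, EXECUTABLE_EXT, true)) {
            return false;                   // deny-list wins over any admin setting
        }
    }
    $allow = array_map('strtolower', $adminAllowList);
    return in_array(end($parts), $allow, true);
}

// Demonstration with constructed inputs.
$session = [];
$token   = csrfToken($session);
var_dump(csrfValid($session, $token));     // a forged cross-site request lacks this value
var_dump(csrfValid($session, null));

// The default list from the entry above, plus the "php" an attacker-controlled admin added.
$allowList = ['jpg', 'png', 'gif', 'jpeg', 'ico', 'php'];
foreach (['avatar.png', 'shell.php', 'shell.php.jpg', '.htaccess', 'noext'] as $f) {
    printf("%-14s %s\n", $f, isUploadAllowed($f, $allowList) ? 'allowed' : 'rejected');
}
```

Checking every extension segment rather than only the last one matters on servers whose handler mapping matches any `.php` segment in a name. The token check must be applied to the request that creates accounts (adduser) and to the one that edits the allow-list, since either one alone is enough to complete the chain described above.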

CVSS: 7.2 | EPSS: 0% | CPEs: 1 | EXPL: 1

01 Oct 2018 — HisiPHP 1.0.8 allows remote attackers to execute arbitrary PHP code by editing a plugin's name to contain that code. This name is then injected into app/admin/model/AdminPlugins.php. • https://github.com/rakjong/vuln/blob/master/hisiphp_hetshell_2.pdf • CWE-94: Improper Control of Generation of Code ('Code Injection')
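Both CWE-94 entries on this page (the 2018 plugin-name injection above and the 2024 SystemPlugins::mkInfo issue) describe the same pattern: plugin metadata is written into a generated PHP file by string interpolation, so a value containing a quote and a semicolon becomes a statement. The block below is an added example, not HisiPHP's code, that reproduces the pattern with a constructed payload, shows the hardened generator built on var_export(), and adds a tokenizer-based check that counts statements in the generated source. The `$config['key'] = 'value';` file layout and the key-name pattern are assumptions.

```php
<?php
// Added example, not HisiPHP code: how a plugin name pasted into generated PHP
// source becomes executable, how var_export() prevents it, and how to detect a
// bad generator by tokenizing its output. The file layout is assumed.

// Constructed attacker-controlled plugin name. The quote closes the literal,
// the ';' ends the statement, and '//' comments out the generator's own tail.
$pluginName = "Demo'; system('id'); //";

// Vulnerable pattern: values are pasted into PHP source between quotes.
function buildConfigUnsafe(array $info): string
{
    $src = "<?php\n";
    foreach ($info as $k => $v) {
        $src .= "\$config['$k'] = '$v';\n";   // neither $k nor $v is escaped
    }
    return $src;
}

// Hardened pattern: var_export() emits a correctly quoted PHP literal, so a
// value can never terminate the string it is placed in. Key names are also
// restricted to an identifier-like pattern as defense in depth.
function buildConfigSafe(array $info): string
{
    $src = "<?php\n";
    foreach ($info as $k => $v) {
        if (!preg_match('/^[A-Za-z0-9_]{1,32}$/', (string) $k)) {
            throw new InvalidArgumentException('bad config key');
        }
        $src .= "\$config[" . var_export((string) $k, true) . "] = "
              . var_export((string) $v, true) . ";\n";
    }
    return $src;
}

// Sanity check for either generator: tokenize the output and count statement
// terminators. A ';' inside a string literal is part of the string token and is
// not counted, so any count above the number of config entries means a value
// escaped its literal.
function statementCount(string $src): int
{
    $n = 0;
    foreach (token_get_all($src) as $tok) {
        if ($tok === ';') {
            $n++;
        }
    }
    return $n;
}

$meta = ['name' => $pluginName, 'version' => '1.0'];

$unsafe = buildConfigUnsafe($meta);
$safe   = buildConfigSafe($meta);

echo "--- unsafe generator output ---\n", $unsafe, "\n";
echo "--- safe generator output ---\n", $safe, "\n";

printf("config entries: %d\n", count($meta));
printf("statements in unsafe file: %d\n", statementCount($unsafe));
printf("statements in safe file: %d\n", statementCount($safe));
```

The statement count is a cheap regression check to run over any code generator that includes a file at runtime: if the number of terminators ever exceeds the number of entries written, a value has broken out of its literal. Storing plugin metadata as JSON or in the database, rather than as includable PHP, removes the problem class entirely.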