3 results (0.020 seconds)

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1

CVE-2019-1010193

https://notcve.org/view.php?id=CVE-2019-1010193

24 Jul 2019 — hisiphp 1.0.8 is affected by: Cross Site Scripting (XSS). Hisiphp versión 1.0.8 esta afectado por: Cross Site Scripting (XSS). • https://github.com/hisiphp/hisiphp/issues/3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1

CVE-2018-17826

https://notcve.org/view.php?id=CVE-2018-17826

01 Oct 2018 — HisiPHP 1.0.8 allows CSRF via admin.php/admin/user/adduser.html to add an administrator account. The attacker can then use that account to execute arbitrary PHP code by leveraging app/common/model/AdminAnnex.php to add .php to the default list of allowable file-upload types (.jpg, .png, .gif, .jpeg, and .ico). HisiPHP 1.0.8 permite Cross-Site Request Forgery (CSRF) mediante admin.php/admin/user/adduser.html para añadir una cuenta de administrador. Después, el atacante puede emplear esa cuenta para ejecutar ... • https://github.com/rakjong/vuln/blob/master/hisiphp_getshell.pdf • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1

CVE-2018-17827

https://notcve.org/view.php?id=CVE-2018-17827

01 Oct 2018 — HisiPHP 1.0.8 allows remote attackers to execute arbitrary PHP code by editing a plugin's name to contain that code. This name is then injected into app/admin/model/AdminPlugins.php. HisiPHP 1.0.8 permite que los atacantes remotos ejecuten código PHP arbitrario editando el nombre de un plugin para que contenga ese código. Ese nombre se inyecta en app/admin/model/AdminPlugins.php. • https://github.com/rakjong/vuln/blob/master/hisiphp_hetshell_2.pdf • CWE-94: Improper Control of Generation of Code ('Code Injection') •