
CVSS: 5.3 • EPSS: 0% • CPEs: 1 • EXPL: 1

01 Oct 2024 — A vulnerability classified as problematic has been found in OFCMS 1.1.2. This affects the function add of the file /admin/system/dict/add.json?sqlid=system.dict.save. The manipulation of the argument dict_value leads to cross site scripting. It is possible to initiate the attack remotely. • https://gitee.com/oufu/ofcms/issues/IATECW • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

16 Jan 2024 — Cross Site Scripting vulnerability in OFCMS v.1.14 allows a remote attacker to obtain sensitive information via a crafted payload to the title addition component. • https://gitee.com/oufu/ofcms • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.0 • EPSS: 0% • CPEs: 1 • EXPL: 1

16 Mar 2023 — An issue found in Ofcms v.1.1.4 allows a remote attacker to escalate privileges via the respwd method in SysUserController. • https://gitee.com/oufu/ofcms/issues/I6BD2Q • CWE-269: Improper Privilege Management

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

31 May 2022 — OFCMS v1.1.4 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /admin/comn/service/update.json. • https://gitee.com/oufu/ofcms/issues/I53COA • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.4 • EPSS: 0% • CPEs: 1 • EXPL: 1

10 Apr 2022 — A cross-site scripting (XSS) vulnerability at /ofcms/company-c-47 in OFCMS v1.1.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Comment text box. • https://gitee.com/oufu/ofcms/issues/I4Z8QU • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

10 Apr 2022 — Insecure permissions configured in the user_id parameter at SysUserController.java of OFCMS v1.1.4 allows attackers to access and arbitrarily modify users' personal information. • https://gitee.com/oufu/ofcms/issues/I4Z8SS • CWE-276: Incorrect Default Permissions

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

06 Mar 2019 — An issue was discovered in OFCMS before 1.1.3. A command execution vulnerability exists via a template file with '<#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("' followed by the command. • https://www.seebug.org/vuldb/ssvid-97837 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVSS: 7.2 • EPSS: 0% • CPEs: 1 • EXPL: 1

06 Mar 2019 — An issue was discovered in OFCMS before 1.1.3. It allows admin/system/generate/create?sql= SQL injection, related to SystemGenerateController.java. • https://www.seebug.org/vuldb/ssvid-97836 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 8.8 • EPSS: 1% • CPEs: 1 • EXPL: 1

06 Mar 2019 — An issue was discovered in OFCMS before 1.1.3. Remote attackers can execute arbitrary code because blocking of .jsp and .jspx files does not consider (for example) file.jsp::$DATA to the admin/ueditor/uploadImage URI. • https://www.seebug.org/vuldb/ssvid-97832 • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 8.8 • EPSS: 1% • CPEs: 1 • EXPL: 1

06 Mar 2019 — An issue was discovered in OFCMS before 1.1.3. Remote attackers can execute arbitrary code because blocking of .jsp and .jspx files does not consider (for example) file.jsp::$DATA to the admin/comn/service/editUploadImage URI. • https://www.seebug.org/vuldb/ssvid-97830 • CWE-434: Unrestricted Upload of File with Dangerous Type