CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-52600 – Statamic CMS has Path Traversal in Asset Upload
https://notcve.org/view.php?id=CVE-2024-52600
19 Nov 2024 — Statmatic is a Laravel and Git powered content management system (CMS). Prior to version 5.17.0, assets uploaded with appropriately crafted filenames may result in them being placed in a location different than what was configured. The issue affects front-end forms with `assets` fields and other places where assets can be uploaded, although users would need upload permissions anyway. Files can be uploaded so they would be located on the server in a different location, and potentially override existing files... • https://github.com/statamic/cms/commit/0c07c10009a2439c8ee56c8faefd1319dc6e388d • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.9EPSS: 0%CPEs: 19EXPL: 1CVE-2024-7065 – Spina CMS cross-site request forgery
https://notcve.org/view.php?id=CVE-2024-7065
24 Jul 2024 — A vulnerability was found in Spina CMS up to 2.18.0. It has been classified as problematic. Affected is an unknown function of the file /admin/pages/. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. • https://github.com/topsky979/Security-Collections/blob/main/1700810/README.md • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2023-46906
https://notcve.org/view.php?id=CVE-2023-46906
09 Jan 2024 — juzaweb <= 3.4 is vulnerable to Incorrect Access Control, resulting in an application outage after a 500 HTTP status code. The payload in the timezone field was not correctly validated. juzaweb <= 3.4 es vulnerable a un control de acceso incorrecto, lo que provoca una interrupción de la aplicación después de un código de estado HTTP 500. El payload en el campo de timezone no se validó correctamente. • https://github.com/juzaweb/cms • CWE-863: Incorrect Authorization •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-46467
https://notcve.org/view.php?id=CVE-2023-46467
28 Oct 2023 — Cross Site Scripting vulnerability in juzawebCMS v.3.4 and before allows a remote attacker to execute arbitrary code via a crafted payload to the username parameter of the registration page. Vulnerabilidad de Cross-Site Scripting (XSS) en juzawebCMS v.3.4 y anteriores permite a un atacante remoto ejecutar código arbitrario a través de un payload manipulado en el parámetro de nombre de usuario de la página de registro. • https://www.sumor.top/index.php/archives/872 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2019-11198
https://notcve.org/view.php?id=CVE-2019-11198
05 Aug 2019 — Multiple cross-site scripting (XSS) vulnerabilities in Sitecore CMS 9.0.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) #300583 - List Manager Dashboard module, (2) #307638 - Campaign Creator module, (3) #316994 - Attributes field, (4) I#316995 - Icon Selection module, (5) #317000 - Latitude field, (6) #317000 - Longitude field, (7) #317017 - UploadPackage2.aspx module, (8) #317072 - Context menu, or (9) I#317073 - Insert from Template dialog. Múltiples vulnerabilidad... • https://dev.sitecore.net/Downloads/Sitecore%20Experience%20Platform/92/Sitecore%20Experience%20Platform%2092%20Initial%20Release/Release%20Notes • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 15%CPEs: 1EXPL: 1CVE-2019-9875 – Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability
https://notcve.org/view.php?id=CVE-2019-9875
31 May 2019 — Deserialization of Untrusted Data in the anti CSRF module in Sitecore through 9.1 allows an authenticated attacker to execute arbitrary code by sending a serialized .NET object in an HTTP POST parameter. La deserialización de datos no confiables en el módulo anti CSRF en Sitecore hasta la versón 9.1, permite a un atacante identificado ejecutar código arbitrario mediante el envío un objeto .NET serializado dentro de un parámetro POST de HTTP. Sitecore CMS and Experience Platform (XP) contain a deserializatio... • https://dev.sitecore.net/Downloads.aspx • CWE-502: Deserialization of Untrusted Data •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2014-100004
https://notcve.org/view.php?id=CVE-2014-100004
13 Jan 2015 — Cross-site scripting (XSS) vulnerability in Sitecore CMS before 7.0 Update-4 (rev. 140120) allows remote attackers to inject arbitrary web script or HTML via the xmlcontrol parameter to the default URI. NOTE: some of these details are obtained from third party information. Vulnerabilidad de XSS en Sitecore CMS anterior a 7.0 actualización-4 (rev. 140120) permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro xmlcontrol en la URI por defecto. NOTA: algunos d... • http://osvdb.org/102660 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 1%CPEs: 4EXPL: 2CVE-2009-2163 – Sitecore CMS 6.0.0 rev. 090120 - 'default.aspx' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2009-2163
22 Jun 2009 — Cross-site scripting (XSS) vulnerability in login/default.aspx in Sitecore CMS before 6.0.2 Update-1 090507 allows remote attackers to inject arbitrary web script or HTML via the sc_error parameter. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en Sitecore CMS versiones anteriores a v6.0.2 Update-1 090507 permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elección mediante el parámetro "sc_error". • https://www.exploit-db.com/exploits/34930 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 1%CPEs: 1EXPL: 2CVE-2008-2842 – doITlive CMS 2.50 - SQL Injection / Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2008-2842
25 Jun 2008 — Cross-site scripting (XSS) vulnerability in edit/showmedia.asp in doITLive CMS 2.50 and earlier allows remote attackers to inject arbitrary web script or HTML via the FILE parameter. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) del archivo edit/showmedia.asp del programa doITLive CMS 2.5 y anteriores, que permiten a atacantes remotos injectar arbitrariamente secuencia de comandos web o código HTML a través del archivo de parámetros. • https://www.exploit-db.com/exploits/5849 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 3CVE-2008-2843 – doITlive CMS 2.50 - SQL Injection / Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2008-2843
25 Jun 2008 — Multiple SQL injection vulnerabilities in doITLive CMS 2.50 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) ID parameter in an USUB action to default.asp and the (2) Licence[SpecialLicenseNumber] (aka LicenceId) cookie to edit/default.asp. Múltiples vulnerabilidades de inyección SQL en doITLive CMS 2.50 y versiones anteriores, permite a atacantes remotos ejecutar comandos SQL de su elección a través del parámetro (1) ID en una ación USUB a default.asp y el (2) Licence[Specia... • https://www.exploit-db.com/exploits/5849 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •