20 results (0.040 seconds)

CVSS: 6.4 | EPSS: 0% | CPEs: 1 | EXPL: 2

05 Jul 2023 — taocms <=3.0.2 is vulnerable to Cross Site Scripting (XSS). • https://gist.github.com/ae6e361b/b7f162eba1a91df3ad9dc71ec9935960 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

07 Apr 2023 — A vulnerability was found in taoCMS 3.0.2. It has been classified as critical. Affected is an unknown function of the file /admin/admin.php. The manipulation leads to code injection. It is possible to launch the attack remotely. • https://gitee.com/misak7in/cve/blob/master/taocms.md • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 1

24 Feb 2023 — Cross Site Request Forgery (CSRF) vulnerability in taoCMS 3.0.2 allows remote attackers to gain escalated privileges via taocms/admin/admin.php. • https://github.com/taogogo/taocms/issues/6 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 1

30 Jan 2023 — An arbitrary file upload vulnerability in taocms v3.0.2 allows attackers to execute arbitrary code via a crafted PHP file. This vulnerability is exploited via manipulation of the upext variable at /include/Model/Upload.php. • https://github.com/taogogo/taocms/issues/35 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 1

25 Jan 2023 — An issue in the website background of taocms v3.0.2 allows attackers to execute a Server-Side Request Forgery (SSRF). • https://www.yuque.com/shiyi-5yjak/hx4unh/kgnanw3lt8wg1tx2#%20%E3%80%8Ataocms-3.0.2-ssrf%E3%80%8B • CWE-918: Server-Side Request Forgery (SSRF) •

CVSS: 9.4 | EPSS: 0% | CPEs: 1 | EXPL: 1

23 Aug 2022 — An arbitrary file deletion vulnerability was discovered in taocms 3.0.2 that allows an attacker to delete a file on the server when the URL admin.php?action=file&ctrl=del&path=/../../../test.txt is requested. • https://github.com/chasingboy/cms-pentest/blob/main/taocms-arbitrary-file-deletion-vulnerability.md • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 10.0 | EPSS: 1% | CPEs: 1 | EXPL: 1

15 Aug 2022 — An issue was discovered in taocms 3.0.2 in the website settings that allows arbitrary PHP code to be injected by modifying config.php. • http://taocms.com • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 7.2 | EPSS: 0% | CPEs: 1 | EXPL: 1

05 Jul 2022 — Taocms 3.0.2 was discovered to contain a blind SQL injection vulnerability via the Edit category function. • https://github.com/taogogo/taocms/issues/8 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

23 Mar 2022 — An arbitrary file upload vulnerability in the File Management function module of taoCMS v3.0.2 allows attackers to execute arbitrary code via a crafted PHP file. • https://github.com/taogogo/taocms/issues/25 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

21 Mar 2022 — Taocms v3.0.2 was discovered to contain a SQL injection vulnerability via the id parameter in \include\Model\Category.php. • https://github.com/taogogo/taocms/issues/27 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •