CVSS: 10.0 • EPSS: 16% • CPEs: 1 • EXPL: 0

10 Nov 2023 — SQL injection vulnerability in the miniform module in WBCE CMS v.1.6.0 allows a remote unauthenticated attacker to execute arbitrary code via the DB_RECORD_TABLE parameter. WBCE version 1.6.0 suffers from a remote SQL injection vulnerability. • https://forum.wbce.org/viewtopic.php?pid=42046#p42046 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 5.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

21 Oct 2023 — A cross-site scripting (XSS) vulnerability in WBCE CMS v.1.6.1 and before allows a remote attacker to escalate privileges via a crafted script to the website_footer parameter in the admin/settings/save.php component. • https://github.com/aaanz/aaanz.github.io/blob/master/XSS.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.5 • EPSS: 0% • CPEs: 1 • EXPL: 3

28 Sep 2023 — A file upload vulnerability in WBCE v.1.6.1 allows a local attacker to upload a PDF file with hidden cross-site scripting (XSS). • https://github.com/sromanhu/CVE-2023-43871-WBCE-Arbitrary-File-Upload--XSS---Media • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.3 • EPSS: 0% • CPEs: 1 • EXPL: 1

03 Aug 2023 — An arbitrary file upload vulnerability in the /languages/install.php component of WBCE CMS v1.6.1 allows attackers to execute arbitrary code via a crafted PHP file. • https://gitee.com/CTF-hacker/pwn/issues/I7LH2N • CWE-434: Unrestricted Upload of File with Dangerous Type • CWE-616: Incomplete Identification of Uploaded File Variables (PHP)

CVSS: 8.3 • EPSS: 0% • CPEs: 1 • EXPL: 1

18 Apr 2023 — WBCE CMS 1.5.3 has a command execution vulnerability via admin/languages/install.php. • https://github.com/WBCE/WBCE_CMS/issues/544 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVSS: 10.0 • EPSS: 3% • CPEs: 1 • EXPL: 1

20 Dec 2022 — WBCE CMS v1.5.4 allows getshell by modifying the upload file type. • https://github.com/10vexh/Vulnerability/blob/main/WBCE%20CMS%20v1.5.4%20getshell.pdf • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 5.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

25 Nov 2022 — A cross-site scripting (XSS) vulnerability in the Search Settings module of WBCE CMS v1.5.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the No Results field. • https://shimo.im/docs/2wAlXR1j6BsJlDAP • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

25 Nov 2022 — A cross-site scripting (XSS) vulnerability in /admin/users/index.php of WBCE CMS v1.5.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Display Name field. • https://shimo.im/docs/dPkpKPQEjXfvYoqO • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

25 Nov 2022 — A cross-site scripting (XSS) vulnerability in /admin/settings/save.php of WBCE CMS v1.5.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Website Footer field. • https://shimo.im/docs/Ee32MrJd80iEwyA2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.3 • EPSS: 0% • CPEs: 1 • EXPL: 1

25 Nov 2022 — An arbitrary file upload vulnerability in the Server Settings module of WBCE CMS v1.5.4 allows attackers to execute arbitrary code via a crafted PHP file. • https://shimo.im/docs/XKq4MKmDYDC8B1kN • CWE-434: Unrestricted Upload of File with Dangerous Type