
CVE-2024-10505 – wuzhicms block.php edit code injection
https://notcve.org/view.php?id=CVE-2024-10505
30 Oct 2024 — A vulnerability was found in wuzhicms 4.1.0. It has been classified as critical. The affected code is the add/edit function of the file www/coreframe/app/content/admin/block.php. The manipulation leads to code injection. It is possible to launch the attack remotely. • https://github.com/wuzhicms/wuzhicms/issues/209 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2024-32206
https://notcve.org/view.php?id=CVE-2024-32206
19 Apr 2024 — A stored cross-site scripting (XSS) vulnerability in the component \affiche\admin\index.php of WUZHICMS v4.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the $formdata parameter. • http://wuzhicms.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-31008
https://notcve.org/view.php?id=CVE-2024-31008
03 Apr 2024 — An issue was discovered in WUZHICMS version 4.1.0 that allows an attacker to execute arbitrary code and obtain sensitive information via the index.php file. • https://github.com/majic-banana/vulnerability/blob/main/POC/WUZHICMS4.1.0-Captcha%20bypass%20%28logic%20vulnerability%29.md • CWE-290: Authentication Bypass by Spoofing •

CVE-2023-46482
https://notcve.org/view.php?id=CVE-2023-46482
01 Nov 2023 — SQL injection vulnerability in wuzhicms v.4.1.0 allows a remote attacker to execute arbitrary code via the Database Backup Functionality in the coreframe/app/database/admin/index.php component. • https://github.com/XTo-o1/PHP/blob/main/wuzhicms/WUZHI%20CMS%20v4.1.0%20SQL%20Injection%20Vulnerability%20in%20Database%20Backup%20Functionality.md • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2020-36037
https://notcve.org/view.php?id=CVE-2020-36037
11 Aug 2023 — An issue was discovered in wuzhicms version 4.1.0 that allows remote attackers to execute arbitrary code via the setting parameter to the ueditor in index.php. • https://github.com/wuzhicms/wuzhicms/issues/192 •

CVE-2020-20413
https://notcve.org/view.php?id=CVE-2020-20413
20 Jun 2023 — SQL injection vulnerability found in WUZHICMS v.4.1.0 allows a remote attacker to execute arbitrary code via the checktitle() function in admin/content.php. • https://github.com/SuperSalsa20/WUZHICMS-SQL-Injection/blob/master/README.md • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2020-21325
https://notcve.org/view.php?id=CVE-2020-21325
20 Jun 2023 — An issue in WUZHI CMS v.4.1.0 allows a remote attacker to execute arbitrary code via the set_chache method of the function\common.func.php file. • https://github.com/wuzhicms/wuzhicms/issues/188 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2023-30123
https://notcve.org/view.php?id=CVE-2023-30123
28 Apr 2023 — wuzhicms v4.1.0 is vulnerable to Cross Site Scripting (XSS) in the Member Center, Account Settings. • https://github.com/wuzhicms/wuzhicms/issues/205#issue-1635153937 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2022-36168
https://notcve.org/view.php?id=CVE-2022-36168
25 Aug 2022 — A directory traversal vulnerability was discovered in Wuzhicms 4.1.0 via /coreframe/app/attachment/admin/index.php: • https://github.com/Cigar-Fasion/CVE/issues/1 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2021-41654
https://notcve.org/view.php?id=CVE-2021-41654
16 Jun 2022 — SQL injection vulnerabilities exist in Wuzhicms v4.1.0 which allow attackers to execute arbitrary SQL commands via the $keyValue parameter in /coreframe/app/pay/admin/index.php. • https://github.com/wuzhicms/wuzhicms/issues/198 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •