Show filters
113 Total Results
Displaying 71-80 of 113
Sort by:
Attacker Value
Unknown
CVE-2018-14958
Disclosure Date: August 05, 2018 (last updated November 27, 2024)
An issue was discovered in WeaselCMS v0.3.5. CSRF can update the website settings (such as the theme, title, and description) via index.php.
0
Attacker Value
Unknown
CVE-2018-14959
Disclosure Date: August 05, 2018 (last updated November 27, 2024)
An issue was discovered in WeaselCMS v0.3.5. CSRF can create new pages via an index.php?b=pages&a=new URI.
0
Attacker Value
Unknown
CVE-2018-14877
Disclosure Date: August 03, 2018 (last updated November 27, 2024)
An issue was discovered in WeaselCMS v0.3.5. XSS exists via Site Language, Site Title, Site Description, and Site Keywords on the SETTINGS page.
0
Attacker Value
Unknown
CVE-2018-14685
Disclosure Date: July 28, 2018 (last updated November 27, 2024)
The add function in www/Lib/Lib/Action/Admin/TplAction.class.php in Gxlcms v1.1.4 allows remote attackers to read arbitrary files via a crafted index.php?s=Admin-Tpl-ADD-id request, related to Lib/Common/Admin/function.php.
0
Attacker Value
Unknown
CVE-2018-9852
Disclosure Date: April 08, 2018 (last updated November 26, 2024)
In Gxlcms QY v1.0.0713, Lib\Lib\Action\Home\HitsAction.class.php allows remote attackers to read data from a database by embedding a FROM clause in a query string within a Home-Hits request, as demonstrated hy sid=user,password%20from%20mysql.user%23.
0
Attacker Value
Unknown
CVE-2018-9851
Disclosure Date: April 08, 2018 (last updated November 26, 2024)
In Gxlcms QY v1.0.0713, Lib\Lib\Action\Admin\TplAction.class.php allows remote attackers to read any file via a modified pathname in an Admin-Tpl request, as demonstrated by use of '|' instead of '/' as a directory separator, in conjunction with a ".." sequence.
0
Attacker Value
Unknown
CVE-2018-9850
Disclosure Date: April 08, 2018 (last updated November 26, 2024)
In Gxlcms QY v1.0.0713, Lib\Lib\Action\Admin\DataAction.class.php allows remote attackers to delete any file via directory traversal sequences in the id parameter of an Admin-Data-del request.
0
Attacker Value
Unknown
CVE-2018-9847
Disclosure Date: April 07, 2018 (last updated November 26, 2024)
In Gxlcms QY v1.0.0713, the update function in Lib\Lib\Action\Admin\TplAction.class.php allows remote attackers to execute arbitrary PHP code by placing this code into a template.
0
Attacker Value
Unknown
CVE-2018-9848
Disclosure Date: April 07, 2018 (last updated November 26, 2024)
In Gxlcms QY v1.0.0713, the upload function in Lib\Lib\Action\Admin\UploadAction.class.php allows remote attackers to execute arbitrary PHP code by first using an Admin-Admin-Configsave request to change the config[upload_class] value from jpg,gif,png,jpeg to jpg,gif,png,jpeg,php and then making an Admin-Upload-Upload request.
0
Attacker Value
Unknown
CVE-2018-9247
Disclosure Date: April 04, 2018 (last updated November 26, 2024)
The upsql function in \Lib\Lib\Action\Admin\DataAction.class.php in Gxlcms QY v1.0.0713 allows remote attackers to execute arbitrary SQL statements via the sql parameter. Consequently, an attacker can execute arbitrary PHP code by placing it after a <?php substring, and then using INTO OUTFILE with a .php filename.
0
