Show filters
15 Total Results
Displaying 1-10 of 15
Sort by:
Attacker Value
Unknown

CVE-2020-20975

Disclosure Date: August 12, 2021 (last updated February 23, 2025)
In \lib\admin\action\dataaction.class.php in Gxlcms v1.1, SQL Injection exists via the $filename parameter.
Attack Vector: NetworkPrivileges: NoneUser Interaction: None
0
0
Attacker Value
Unknown

CVE-2018-18487

Disclosure Date: October 18, 2018 (last updated November 27, 2024)
In \lib\admin\action\dataaction.class.php in Gxlcms v2.0, the database backup filename generation uses mt_rand() unsafely, resulting in predictable database backup file locations.
0
0
Attacker Value
Unknown

CVE-2018-18488

Disclosure Date: October 18, 2018 (last updated November 27, 2024)
In \lib\admin\action\dataaction.class.php in Gxlcms v2.0, SQL Injection exists via the ids[] parameter.
0
0
Attacker Value
Unknown

CVE-2018-16655

Disclosure Date: September 07, 2018 (last updated November 27, 2024)
Gxlcms 1.0 has XSS via the PATH_INFO to gx/lib/ThinkPHP/Tpl/ThinkException.tpl.php.
0
0
Attacker Value
Unknown

CVE-2018-16437

Disclosure Date: September 05, 2018 (last updated November 27, 2024)
Gxlcms 2.0 before bug fix 20180915 has Directory Traversal exploitable by an administrator.
0
0
Attacker Value
Unknown

CVE-2018-16436

Disclosure Date: September 05, 2018 (last updated November 27, 2024)
Gxlcms 2.0 before bug fix 20180915 has SQL Injection exploitable by an administrator.
0
0
Attacker Value
Unknown

CVE-2018-15177

Disclosure Date: August 08, 2018 (last updated November 27, 2024)
In Gxlcms 2.0, a news/index.php?s=Admin-Admin-Insert CSRF attack can add an administrator account.
0
0
Attacker Value
Unknown

CVE-2018-14685

Disclosure Date: July 28, 2018 (last updated November 27, 2024)
The add function in www/Lib/Lib/Action/Admin/TplAction.class.php in Gxlcms v1.1.4 allows remote attackers to read arbitrary files via a crafted index.php?s=Admin-Tpl-ADD-id request, related to Lib/Common/Admin/function.php.
0
0
Attacker Value
Unknown

CVE-2018-9852

Disclosure Date: April 08, 2018 (last updated November 26, 2024)
In Gxlcms QY v1.0.0713, Lib\Lib\Action\Home\HitsAction.class.php allows remote attackers to read data from a database by embedding a FROM clause in a query string within a Home-Hits request, as demonstrated hy sid=user,password%20from%20mysql.user%23.
Attack Vector: NetworkPrivileges: NoneUser Interaction: None
0
0
Attacker Value
Unknown

CVE-2018-9851

Disclosure Date: April 08, 2018 (last updated November 26, 2024)
In Gxlcms QY v1.0.0713, Lib\Lib\Action\Admin\TplAction.class.php allows remote attackers to read any file via a modified pathname in an Admin-Tpl request, as demonstrated by use of '|' instead of '/' as a directory separator, in conjunction with a ".." sequence.
0
0
View More Topics  Next >