Skip to main content

Finecms CVE-2017-11180

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2017-07-12 cve@mitre.org
6.1
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Jul 12, 2017 - 00:29 cve.org
MEDIUM 6.1

DescriptionCVE.org

FineCMS through 2017-07-11 has stored XSS in the logging functionality, as demonstrated by an XSS payload in (1) the User-Agent header of an HTTP request or (2) the username entered on the login screen.

AnalysisAI

FineCMS through 2017-07-11 has stored XSS in the logging functionality, as demonstrated by an XSS payload in (1) the User-Agent header of an HTTP request or (2) the username entered on the login. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. FineCMS through 2017-07-11 has stored XSS in the logging functionality, as demonstrated by an XSS payload in (1) the User-Agent header of an HTTP request or (2) the username entered on the login screen. Affected products include: Finecms Project Finecms. Version information: through 2017.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2017-10968 CRITICAL POC
9.8 Jul 07

In FineCMS through 2017-07-07, application\core\controller\template.php allows remote PHP code execution by placing the

CVE-2017-11585 CRITICAL POC
9.8 Jul 24

dayrui FineCms 5.0.9 has remote PHP code execution via the param parameter in an action=cache request to libraries/Templ

CVE-2017-12774 CRITICAL POC
9.8 Aug 09

finecms in 1.9.5\controllers\member\ContentController.php allows remote attackers to operate website database. Rated cri

CVE-2017-11167 CRITICAL POC
9.8 Jul 12

FineCMS 2.1.0 allows remote attackers to execute arbitrary PHP code by using a URL Manager "Add Site" action to enter th

CVE-2017-11584 CRITICAL POC
9.8 Jul 24

dayrui FineCms 5.0.9 has SQL Injection via the field parameter in an action=module, action=member, action=form, or actio

CVE-2017-11583 CRITICAL POC
9.8 Jul 24

dayrui FineCms 5.0.9 has SQL Injection via the catid parameter in an action=related request to libraries/Template.php. R

CVE-2017-11582 CRITICAL POC
9.8 Jul 24

dayrui FineCms 5.0.9 has SQL Injection via the num parameter in an action=related or action=tags request to libraries/Te

CVE-2017-11200 HIGH POC
8.8 Jul 13

SQL Injection exists in FineCMS through 2017-07-12 via the application/core/controller/excludes.php visitor_ip parameter

CVE-2018-18191 HIGH POC
8.8 Oct 09

Cross-site request forgery (CSRF) vulnerability in /admin.php?c=member&m=edit&uid=1 in dayrui FineCms 5.4 allows remote

CVE-2017-11178 HIGH POC
7.5 Jul 12

In FineCMS through 2017-07-11, application/core/controller/style.php allows remote attackers to write to arbitrary files

CVE-2017-11586 MEDIUM POC
6.1 Jul 24

dayrui FineCms 5.0.9 has URL Redirector Abuse via the url parameter in a sync action, related to controllers/Weixin.php.

CVE-2017-11629 MEDIUM POC
6.1 Jul 26

dayrui FineCms through 5.0.10 has Cross Site Scripting (XSS) in controllers/api.php via the function parameter in a c=ap

Share

CVE-2017-11180 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy