Minicms
CVE-2024-31741
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from Vendor (mitre) · only source for this CVE.
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Cross Site Scripting vulnerability in MiniCMS v.1.11 allows a remote attacker to run arbitrary code via crafted string in the URL after login.
AnalysisAI
Cross Site Scripting vulnerability in MiniCMS v.1.11 allows a remote attacker to run arbitrary code via crafted string in the URL after login. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Technical ContextAI
This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Cross Site Scripting vulnerability in MiniCMS v.1.11 allows a remote attacker to run arbitrary code via crafted string in the URL after login. Affected products include: 1234N Minicms.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.
MiniCMS 1.10 allows execution of arbitrary PHP code via the install.php sitename parameter, which affects the site_name
There is a CSRF vulnerability in mc-admin/conf.php in MiniCMS 1.10 that can change the administrator account password. R
miniCMS 1.0 and 2.0 allows remote attackers to execute arbitrary PHP code via a crafted (1) pagename or (2) area variabl
A Cross-Site Request Forgery (CSRF) in MiniCMS v1.11 allows attackers to arbitrarily delete local .dat files via clickin
MiniCMS 1.10 allows file deletion via /mc-admin/post.php?state=delete&delete= because the authentication check occurs to
A vulnerability was found in bg5sbk MiniCMS 1.11. Rated medium severity (CVSS 6.9), this vulnerability is remotely explo
A vulnerability was found in bg5sbk MiniCMS up to 1.11 and classified as problematic.php. Rated medium severity (CVSS 6.
MiniCMS 1.10 allows mc-admin/post.php?state=publish&delete= CSRF to delete articles, a different vulnerability than CVE-
A cross-site scripting (XSS) vulnerability exists in Mini CMS V1.11. Rated medium severity (CVSS 6.1), this vulnerabilit
In MiniCMS V1.10, stored XSS was found in mc-admin/post-edit.php via the tags box. Rated medium severity (CVSS 6.1), thi
MiniCMS V1.10 has XSS via the mc-admin/post-edit.php query string, a related issue to CVE-2018-10296 and CVE-2018-16233.
MiniCMS 1.10, when Internet Explorer is used, allows XSS via a crafted URI because $_SERVER['REQUEST_URI'] is mishandled
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today