Cms
Monthly
Cross-site scripting (XSS) in MaxSite CMS up to version 109.3 allows authenticated high-privilege users to inject malicious scripts via the ushki Plugin's f_ushka_new or f_ushk parameters. Exploitation requires user interaction, and public exploit code exists. The vendor classified the issue as self-XSS; the root cause, missing htmlspecialchars() output encoding, is fixed in version 109.4.
Cross-site scripting (XSS) in the MaxSite CMS Guestbook Plugin up to version 109.3 allows authenticated high-privilege users to inject malicious scripts via the f_text, f_slug, f_limit, or f_email parameters because the submitted values are written back into the page without htmlspecialchars() output encoding. Exploitation requires high-privilege authentication and user interaction (UI:P), which limits exposure to administrators who can already edit these settings, but public exploit code exists. Version 109.4 resolves the issue by encoding the values on output.
Cross-site scripting (XSS) in the MaxSite CMS down_count plugin up to version 109.3 allows authenticated high-privilege users to inject malicious scripts via the f_file and f_prefix parameters, which are reflected into the admin page without encoding; the attack is network-reachable but requires user interaction. The vendor classifies the issue as self-XSS because of the high privilege requirement (PR:H) and user interaction (UI:P), but the missing htmlspecialchars() output encoding is still a secure-coding defect. Public exploit code exists, and version 109.4 contains the fix.
Cross-site scripting (XSS) in the MaxSite CMS mail_send plugin up to version 109.3 allows authenticated high-privilege users to inject malicious scripts via the f_subject, f_files, or f_from parameters. The injected value is stored and later rendered to other users, so this is stored XSS; the vendor nevertheless classified it as self-XSS. The root cause is missing htmlspecialchars() output encoding (htmlspecialchars() is an output-encoding function, not input sanitization). Public exploit code exists, and version 109.4 contains the fix.
Cross-site scripting (XSS) in the MaxSite CMS Redirect Plugin up to version 109.3 allows authenticated high-privilege users to inject malicious scripts via the f_all or f_all404 parameters because the values are output without htmlspecialchars() encoding. Exploitation requires high-privilege authentication and user interaction, and the rated impact is low (integrity only), but public exploit code exists. The vendor classified the issue as self-XSS; the missing output encoding is still a violation of secure-coding practice. Upgrade to version 109.4 or later.
Cross-site scripting (XSS) in MaxSite CMS up to version 109.3 allows authenticated administrators to inject malicious scripts via the f_logging_file parameter of the Antispam Plugin's admin interface at /admin/plugin_antispam. The value is stored and rendered without sufficient output encoding, so the script executes in the browser of a user who later views the page (user interaction required). Version 109.4 fixes the issue by applying htmlspecialchars() on output; public exploit code exists.
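All six MaxSite entries above share one root cause: a plugin admin form writes a saved setting back into the page without output encoding. The following is an added example, not MaxSite code; the field name f_text and the payload are constructed. It shows the vulnerable rendering beside the hardened one, and why the usual htmlspecialchars() call needs explicit flags.

```php
<?php
// Added example, not MaxSite CMS code. The field name f_text and the payload
// below are constructed; the pattern (a plugin admin form echoing a saved
// setting without output encoding) is the root cause shared by the entries above.
declare(strict_types=1);

// Vulnerable: the saved value is concatenated into an attribute and into
// element text. A value containing '"' or '<' changes the page structure.
function render_field_vulnerable(string $name, string $value): string
{
    return '<input name="' . $name . '" value="' . $value . '">'
         . '<p>Current: ' . $value . '</p>';
}

// Hardened: encode at the point of output for the HTML context in use.
// ENT_QUOTES encodes single quotes too (PHP before 8.1 defaulted to
// ENT_COMPAT, which leaves them alone, so single-quoted attributes stayed
// injectable); ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning
// an empty string, which would otherwise silently blank the setting.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_field_fixed(string $name, string $value): string
{
    return '<input name="' . h($name) . '" value="' . h($value) . '">'
         . '<p>Current: ' . h($value) . '</p>';
}

// Constructed payload. Once saved by one admin it is served to every user
// who opens the settings page, which is why a persisted value is stored
// XSS rather than self-XSS.
$payload = '"><img src=x onerror=alert(document.domain)>';

$bad  = render_field_vulnerable('f_text', $payload);
$good = render_field_fixed('f_text', $payload);

if (!str_contains($bad, '<img src=x onerror=')) {
    throw new LogicException('expected the vulnerable renderer to emit the injected tag');
}
if (str_contains($good, '<img') || !str_contains($good, '&quot;&gt;&lt;img')) {
    throw new LogicException('expected the hardened renderer to encode the payload');
}
echo $good, PHP_EOL;
```

Run it with `php render.php` on PHP 8.0 or later (str_contains). The encoded output keeps the payload as inert text; the "self-XSS" label only holds for values that are never persisted, which is not the case for plugin settings.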
Mass deletion of content, assets, and user accounts in Statamic CMS before 5.73.20 and 6.13.0 is possible by manipulating query parameters on Control Panel endpoints, which require only minimal authentication such as the 'view entries' permission, or without authentication through the REST or GraphQL APIs when a deployment has explicitly enabled them without authentication (not the default). An authenticated attacker with a low-privilege viewer role can therefore delete resources they are only permitted to read, and an unauthenticated attacker can achieve the same destructive impact against a misconfigured API. CVSS 8.1 (High) reflects a network-reachable, low-complexity attack, though the preconditions vary considerably by deployment configuration. No active exploitation has been confirmed (not in CISA KEV), and no EPSS data was provided.
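The Statamic entry describes a classic authorization gap: the endpoint checks that the caller may reach the listing page, not that the caller may perform the requested action on the requested objects. The following is an added example in plain PHP, not Statamic code; the User and EntryStore classes, the permission names, and the sample entries are constructed to show the vulnerable check beside the corrected one. It covers the Control Panel path only; the unauthenticated API path is a configuration issue (authentication disabled on REST/GraphQL) rather than a code pattern.

```php
<?php
// Added example, not Statamic code. User, EntryStore, permission strings and
// entry IDs are constructed. Shows a bulk-delete handler that authorizes the
// wrong thing (page access) versus one that authorizes the action per object.
declare(strict_types=1);

final class User
{
    /** @param string[] $permissions e.g. ['view entries'] */
    public function __construct(private array $permissions) {}

    public function can(string $permission): bool
    {
        return in_array($permission, $this->permissions, true);
    }
}

final class EntryStore
{
    /** @var array<string,string> id => title (constructed sample data) */
    public array $entries = ['a1' => 'Home', 'b2' => 'About', 'c3' => 'Contact'];

    public function delete(string $id): void
    {
        unset($this->entries[$id]);
    }
}

// Vulnerable: the only check is the one that guards the listing page. The
// action (delete) and the objects (IDs taken from the query string) are never
// authorized, so a viewer who can reach the page can delete everything.
function bulk_delete_vulnerable(User $user, EntryStore $store, array $ids): int
{
    if (!$user->can('view entries')) {
        throw new RuntimeException('403');
    }
    foreach ($ids as $id) {
        $store->delete($id);
    }
    return count($store->entries);
}

// Hardened: require the permission for the action actually performed, and
// validate every requested object before any side effect. Fail closed: one
// bad ID aborts the request instead of deleting the rest.
function bulk_delete_fixed(User $user, EntryStore $store, array $ids): int
{
    if (!$user->can('delete entries')) {
        throw new RuntimeException('403: delete permission required');
    }
    foreach ($ids as $id) {
        if (!is_string($id) || !array_key_exists($id, $store->entries)) {
            throw new RuntimeException('404: unknown entry');
        }
    }
    foreach ($ids as $id) {
        $store->delete($id);
    }
    return count($store->entries);
}

// A low-privilege viewer sending every ID it can see (what ?ids[]=... would carry).
$viewer = new User(['view entries']);
$ids    = ['a1', 'b2', 'c3'];

$s1 = new EntryStore();
bulk_delete_vulnerable($viewer, $s1, $ids);
echo 'vulnerable: ', count($s1->entries), " entries left\n";

$s2 = new EntryStore();
try {
    bulk_delete_fixed($viewer, $s2, $ids);
} catch (RuntimeException $e) {
    echo 'fixed: ', $e->getMessage(), '; ', count($s2->entries), " entries left\n";
}
```

The viewer empties the store through the vulnerable handler and is refused by the hardened one with all three entries intact. In a real framework the per-object step is a policy call (can this user delete this entry?) rather than an existence check, but the shape is the same: the permission must match the verb, and it must be evaluated for each object named in the request.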
Server-side request forgery (SSRF) in Qibo CMS 1.0 allows authenticated remote attackers to supply an attacker-controlled value in the 'starts' parameter of the /index/image/headers endpoint, causing the server to issue requests to arbitrary internal destinations. Public exploit code exists. The vendor did not respond to early disclosure, and no patched version is available.
Cross-site scripting (XSS) in the Qibo CMS 1.0 Internal Message Module allows authenticated remote attackers to inject malicious scripts via crafted messages, exposing the sessions and data of users who view them. Exploitation requires user interaction (UI:P) and a valid low-privilege account (PR:L), which limits exposure to authenticated users. Public exploit code exists; the vendor has not responded to disclosure attempts.
A security vulnerability in Craft CMS (CVSS 9.8). Critical severity with potential for significant impact on affected systems.
phpKF CMS 3.00 Beta allows unauthenticated attackers to upload a PHP file disguised as a PNG and then rename it so that the web server executes it as PHP. A PoC is available.
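The phpKF entry is the standard upload bypass: the handler asks "does this look like a PNG?" when the question that matters is "can this file ever be executed?". The following is an added example, not phpKF code. It constructs a genuine PNG with a PHP tag appended, shows that a header-and-MIME check accepts it, and then shows a hardened handler that re-encodes the image and stores it under a server-chosen name so that no later rename makes it runnable. The function names and the storage paths are hypothetical; it assumes the GD and fileinfo extensions are loaded.

```php
<?php
// Added example, not phpKF code. Function names, paths and the sample upload
// are constructed. Requires the GD and fileinfo extensions.
declare(strict_types=1);

// Vulnerable: trusts the client-supplied type, keeps the client's filename,
// and writes under the web root. The bytes are stored untouched, so a PHP
// payload appended to a valid PNG survives and a later rename to .php (or a
// server that executes extra extensions) turns it into a web shell.
function store_upload_vulnerable(string $origName, string $clientMime, string $bytes, string $webroot): string
{
    if ($clientMime !== 'image/png') {
        throw new RuntimeException('not an image');
    }
    $dest = $webroot . '/uploads/' . basename($origName);
    file_put_contents($dest, $bytes);
    return $dest;
}

// Hardened:
//  1. allowlist the extension and the sniffed MIME type (both can still be
//     satisfied by a polyglot, so they are necessary, not sufficient);
//  2. decode and re-encode with GD so only pixel data survives;
//  3. store under a random server-chosen name with a fixed extension, in a
//     directory outside the web root or with PHP execution disabled.
function store_upload_fixed(string $origName, string $bytes, string $storageDir): string
{
    $ext = strtolower(pathinfo($origName, PATHINFO_EXTENSION));
    if (!in_array($ext, ['png', 'jpg', 'jpeg', 'gif'], true)) {
        throw new RuntimeException('extension not allowed');
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    if (!in_array($mime, ['image/png', 'image/jpeg', 'image/gif'], true)) {
        throw new RuntimeException("content is $mime, not an image");
    }
    $img = @imagecreatefromstring($bytes);
    if ($img === false) {
        throw new RuntimeException('not a decodable image');
    }
    $dest = rtrim($storageDir, '/') . '/' . bin2hex(random_bytes(16)) . '.png';
    imagepng($img, $dest);   // re-encoded from pixels: any trailer is gone
    imagedestroy($img);
    return $dest;
}

// Constructed polyglot: a real 1x1 PNG followed by a PHP tag. Magic bytes and
// finfo both say image/png; the appended code is only removed by re-encoding.
$im = imagecreatetruecolor(1, 1);
ob_start();
imagepng($im);
$png = ob_get_clean();
imagedestroy($im);
$polyglot = $png . '<?php echo "payload"; ?>';

$tmp = sys_get_temp_dir() . '/upload-demo-' . bin2hex(random_bytes(4));
mkdir($tmp . '/uploads', 0700, true);

$bad  = store_upload_vulnerable('avatar.png', 'image/png', $polyglot, $tmp);
$good = store_upload_fixed('avatar.png', $polyglot, $tmp);

echo str_contains(file_get_contents($bad), '<?php')
    ? "vulnerable: PHP tag stored verbatim in " . $bad . "\n"
    : "unexpected: vulnerable handler altered the bytes\n";
echo str_contains(file_get_contents($good), '<?php')
    ? "unexpected: hardened handler kept the PHP tag\n"
    : "fixed: payload stripped, stored as " . basename($good) . "\n";
```

Re-encoding is what actually removes the payload; the MIME and extension checks alone accept the polyglot. The random filename and fixed extension are what defeat the rename step in the phpKF report: whatever the attacker does afterwards, there is no user-controlled name to rename from and the directory should not execute PHP in any case.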
A security vulnerability in juzaweb CMS (CVSS 6.3). Risk factors: public PoC available.
A security vulnerability in juzaweb CMS (CVSS 6.3). Risk factors: public PoC available.
A security vulnerability in juzaweb CMS (CVSS 6.3). Risk factors: public PoC available.
A security vulnerability in juzaweb CMS (CVSS 6.3). Risk factors: public PoC available.
A security vulnerability in juzaweb CMS (CVSS 6.3). Risk factors: public PoC available.
A security vulnerability in juzaweb CMS (CVSS 6.3). Risk factors: public PoC available.
A security vulnerability in juzaweb CMS (CVSS 6.3). Risk factors: public PoC available.
A security vulnerability in juzaweb CMS (CVSS 4.3). Risk factors: public PoC available.
A security vulnerability in juzaweb CMS (CVSS 6.3). Risk factors: public PoC available.