Ctcms
Template injection in CTCMS up to version 2.1.2 allows authenticated remote attackers to bypass template engine protections via improper neutralization of special elements in the Frontend/Template Management Module. The vulnerability affects the CT_Parser.php library and enables information disclosure with low confidentiality, integrity, and availability impact. Publicly available exploit code exists, though the EPSS exploitation probability remains low at 0.09% (26th percentile), suggesting limited real-world weaponization despite PoC availability.
Code injection in CTCMS up to version 2.1.2 allows high-privilege authenticated remote attackers to inject arbitrary code via manipulation of the Cj_Add or Cj_Edit arguments in the Backend System Configuration Module (/ctcms/libs/Ct_Config.php). Public exploit code is available, but exploitation requires administrative credentials and produces only low confidentiality impact without scope expansion. An EPSS score of 0.07% indicates minimal real-world exploitation probability despite public PoC availability.
Code injection in CTCMS up to version 2.1.2 allows high-privileged remote attackers to inject arbitrary code via the CT_App_Paytype parameter in the Backend App Configuration Module's Save function. The vulnerability has a low CVSS score (2.0) due to requiring high administrative privileges (PR:H), but publicly available exploit code exists. Real-world risk is limited to authenticated administrators with backend access.
A vulnerability was found in CTCMS Content Management System 2.1.2. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable with low attack complexity. Public exploit code is available and no vendor patch is available.