Finecms
Monthly
Cross-site request forgery (CSRF) vulnerability in /admin.php?c=member&m=edit&uid=1 in dayrui FineCms 5.4 allows remote attackers to change the administrator's password. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
controllers/admin/Linkage.php in dayrui FineCms 5.3.0 has Cross Site Scripting (XSS) via the id or lid parameter in a c=linkage,m=import request to admin.php, because the xss_clean protection. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
controllers/member/Api.php in dayrui FineCms 5.2.0 has SQL Injection: a request with s=member,c=api,m=checktitle, and the parameter 'module' with a SQL statement, lacks effective filtering. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
v5/config/system.php in dayrui FineCms 5.2.0 has a default SYS_KEY value and does not require key regeneration for each installation, which allows remote attackers to upload arbitrary .php files via. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
dayrui FineCms 5.2.0 before 2017.11.16 has Cross Site Scripting (XSS) in core/M_Controller.php via the DR_URI field. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
The call_msg function in controllers/Form.php in dayrui FineCms 5.0.11 might have XSS related to the Referer HTTP header with Internet Explorer. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The out function in controllers/member/Login.php in dayrui FineCms 5.0.11 has XSS related to the Referer HTTP header with Internet Explorer. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The oauth function in controllers/member/api.php in dayrui FineCms 5.0.11 has XSS related to the Referer HTTP header with Internet Explorer. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The checktitle function in controllers/member/api.php in dayrui FineCms 5.0.11 has XSS related to the module field. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
controllers/member/api.php in dayrui FineCms 5.0.11 has XSS related to the dirname variable. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
finecms in 1.9.5\controllers\member\ContentController.php allows remote attackers to operate website database. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
dayrui FineCms through 5.0.10 has Cross Site Scripting (XSS) in controllers/api.php via the function parameter in a c=api&m=data2 request. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
dayrui FineCms 5.0.9 has URL Redirector Abuse via the url parameter in a sync action, related to controllers/Weixin.php. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
dayrui FineCms 5.0.9 has remote PHP code execution via the param parameter in an action=cache request to libraries/Template.php, aka Eval Injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
dayrui FineCms 5.0.9 has SQL Injection via the field parameter in an action=module, action=member, action=form, or action=related request to libraries/Template.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
dayrui FineCms 5.0.9 has SQL Injection via the catid parameter in an action=related request to libraries/Template.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
dayrui FineCms 5.0.9 has SQL Injection via the num parameter in an action=related or action=tags request to libraries/Template.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
dayrui FineCms 5.0.9 has Cross Site Scripting (XSS) in admin/Login.php via a payload in the username field that does not begin with a '<' character. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
FineCMS through 2017-07-12 allows XSS in visitors.php because JavaScript in visited URLs is not restricted either during logging or during the reading of logs, a different vulnerability than. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
application/core/controller/images.php in FineCMS through 2017-07-12 allows remote authenticated admins to conduct XSS attacks by uploading an image via a route=images action. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
SQL Injection exists in FineCMS through 2017-07-12 via the application/core/controller/excludes.php visitor_ip parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Cross-site scripting (XSS) vulnerability in /application/lib/ajax/get_image.php in FineCMS through 2017-07-12 allows remote attackers to inject arbitrary web script or HTML via the folder, id, or. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
FineCMS 2.1.0 allows remote attackers to execute arbitrary PHP code by using a URL Manager "Add Site" action to enter this code after a ', sequence in a domain name, as demonstrated by the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
FineCMS through 2017-07-11 has stored XSS in the logging functionality, as demonstrated by an XSS payload in (1) the User-Agent header of an HTTP request or (2) the username entered on the login. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
FineCMS through 2017-07-11 has stored XSS in route=admin when modifying user information, and in route=register when registering a user account. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In FineCMS through 2017-07-11, application/core/controller/style.php allows remote attackers to write to arbitrary files via the contents and filename parameters in a route=style action. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
In FineCMS through 2017-07-07, application\core\controller\template.php allows remote PHP code execution by placing the code after "<?php" in a route=template request. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
In FineCMS before 2017-07-06, application/lib/ajax/get_image_data.php has SSRF, related to requests for non-image files with a modified HTTP Host header. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In FineCMS before 2017-07-06, application\core\controller\config.php allows XSS in the (1) key_name, (2) key_value, and (3) meaning parameters. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
andrzuk/FineCMS through 2017-05-28 is vulnerable to a reflected XSS in the search page via the text-search parameter to index.php in a route=search action. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
andrzuk/FineCMS through 2017-05-28 is vulnerable to a reflected XSS in the sitename parameter to admin.php. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
andrzuk/FineCMS before 2017-03-06 is vulnerable to a reflected XSS in index.php because of missing validation of the action parameter in application/classes/application.php. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Cross-site request forgery (CSRF) vulnerability in /admin.php?c=member&m=edit&uid=1 in dayrui FineCms 5.4 allows remote attackers to change the administrator's password. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
controllers/admin/Linkage.php in dayrui FineCms 5.3.0 has Cross Site Scripting (XSS) via the id or lid parameter in a c=linkage,m=import request to admin.php, because the xss_clean protection. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
controllers/member/Api.php in dayrui FineCms 5.2.0 has SQL Injection: a request with s=member,c=api,m=checktitle, and the parameter 'module' with a SQL statement, lacks effective filtering. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
v5/config/system.php in dayrui FineCms 5.2.0 has a default SYS_KEY value and does not require key regeneration for each installation, which allows remote attackers to upload arbitrary .php files via. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
dayrui FineCms 5.2.0 before 2017.11.16 has Cross Site Scripting (XSS) in core/M_Controller.php via the DR_URI field. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
The call_msg function in controllers/Form.php in dayrui FineCms 5.0.11 might have XSS related to the Referer HTTP header with Internet Explorer. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The out function in controllers/member/Login.php in dayrui FineCms 5.0.11 has XSS related to the Referer HTTP header with Internet Explorer. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The oauth function in controllers/member/api.php in dayrui FineCms 5.0.11 has XSS related to the Referer HTTP header with Internet Explorer. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The checktitle function in controllers/member/api.php in dayrui FineCms 5.0.11 has XSS related to the module field. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
controllers/member/api.php in dayrui FineCms 5.0.11 has XSS related to the dirname variable. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
finecms in 1.9.5\controllers\member\ContentController.php allows remote attackers to operate website database. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
dayrui FineCms through 5.0.10 has Cross Site Scripting (XSS) in controllers/api.php via the function parameter in a c=api&m=data2 request. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
dayrui FineCms 5.0.9 has URL Redirector Abuse via the url parameter in a sync action, related to controllers/Weixin.php. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
dayrui FineCms 5.0.9 has remote PHP code execution via the param parameter in an action=cache request to libraries/Template.php, aka Eval Injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
dayrui FineCms 5.0.9 has SQL Injection via the field parameter in an action=module, action=member, action=form, or action=related request to libraries/Template.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
dayrui FineCms 5.0.9 has SQL Injection via the catid parameter in an action=related request to libraries/Template.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
dayrui FineCms 5.0.9 has SQL Injection via the num parameter in an action=related or action=tags request to libraries/Template.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
dayrui FineCms 5.0.9 has Cross Site Scripting (XSS) in admin/Login.php via a payload in the username field that does not begin with a '<' character. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
FineCMS through 2017-07-12 allows XSS in visitors.php because JavaScript in visited URLs is not restricted either during logging or during the reading of logs, a different vulnerability than. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
application/core/controller/images.php in FineCMS through 2017-07-12 allows remote authenticated admins to conduct XSS attacks by uploading an image via a route=images action. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
SQL Injection exists in FineCMS through 2017-07-12 via the application/core/controller/excludes.php visitor_ip parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Cross-site scripting (XSS) vulnerability in /application/lib/ajax/get_image.php in FineCMS through 2017-07-12 allows remote attackers to inject arbitrary web script or HTML via the folder, id, or. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
FineCMS 2.1.0 allows remote attackers to execute arbitrary PHP code by using a URL Manager "Add Site" action to enter this code after a ', sequence in a domain name, as demonstrated by the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
FineCMS through 2017-07-11 has stored XSS in the logging functionality, as demonstrated by an XSS payload in (1) the User-Agent header of an HTTP request or (2) the username entered on the login. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
FineCMS through 2017-07-11 has stored XSS in route=admin when modifying user information, and in route=register when registering a user account. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In FineCMS through 2017-07-11, application/core/controller/style.php allows remote attackers to write to arbitrary files via the contents and filename parameters in a route=style action. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
In FineCMS through 2017-07-07, application\core\controller\template.php allows remote PHP code execution by placing the code after "<?php" in a route=template request. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
In FineCMS before 2017-07-06, application/lib/ajax/get_image_data.php has SSRF, related to requests for non-image files with a modified HTTP Host header. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In FineCMS before 2017-07-06, application\core\controller\config.php allows XSS in the (1) key_name, (2) key_value, and (3) meaning parameters. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
andrzuk/FineCMS through 2017-05-28 is vulnerable to a reflected XSS in the search page via the text-search parameter to index.php in a route=search action. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
andrzuk/FineCMS through 2017-05-28 is vulnerable to a reflected XSS in the sitename parameter to admin.php. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
andrzuk/FineCMS before 2017-03-06 is vulnerable to a reflected XSS in index.php because of missing validation of the action parameter in application/classes/application.php. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.