Packagist (Composer) package
nukeviet/nukeviet
pkg:composer/nukeviet/nukeviet
Vulnerabilities (12)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-41147 | high | — | | <= 4.4.01 | — | May 15, 2026 | Impact: NukeViet CMS <= 4.5.08 contains a Stored Cross-Site Scripting (XSS) vulnerability caused by insufficient server-side input sanitization in the Request class. The application relies primarily on client-side filtering to sanitize HTML tags and attributes in user-submitt |
| CVE-2024-36528 | | — | | <= 4.5 | — | Jun 10, 2024 | nukeviet v.4.5 and before and nukeviet-egov v.1.2.02 and before have a Deserialization vulnerability which results in code execution via /admin/extensions/download.php and /admin/extensions/upload.php. |
| CVE-2022-3975 | | — | | < 4.5 | 4.5 | Nov 13, 2022 | A vulnerability, which was classified as problematic, has been found in NukeViet CMS. Affected by this issue is the function filterAttr of the file vendor/vinades/nukeviet/Core/Request.php of the component Data URL Handler. The manipulation of the argument attrSubSet leads to cro |
| CVE-2022-30874 | | — | | < 4.5.02 | 4.5.02 | Jun 21, 2022 | There is a Cross Site Scripting Stored (XSS) vulnerability in NukeViet CMS before 4.5.02. |
| CVE-2020-21809 | | — | | >= 4.0, < 4.0.29 | 4.0.29 | Jul 29, 2021 | SQL Injection vulnerability in NukeViet CMS module Shops 4.0.29 and 4.3 via the (1) listid parameter in detail.php and the (2) group_price or groupid parameters in search_result.php. |
| CVE-2020-21808 | | — | | >= 4.0.10, < 4.3.08 | 4.3.08 | Jul 29, 2021 | SQL Injection vulnerability in NukeViet CMS 4.0.10 - 4.3.07 via the topicsid parameter in modules/news/admin/addtotopics.php. |
| CVE-2020-22765 | | — | | >= 4.4.0, < 4.4.01 | 4.4.01 | Jul 29, 2021 | Cross Site Scripting (XSS) vulnerability in NukeViet CMS 4.4.0 via the editor in the News module. |
| CVE-2019-7726 | | — | | < 4.3.04 | 4.3.04 | Dec 31, 2020 | modules/banners/funcs/click.php in NukeViet before 4.3.04 has a SQL INSERT statement with raw header data from an HTTP request (e.g., Referer and User-Agent). |
| CVE-2019-7725 | | — | | < 4.3.04 | 4.3.04 | Dec 31, 2020 | includes/core/is_user.php in NukeViet before 4.3.04 deserializes the untrusted nvloginhash cookie (i.e., the code relies on PHP's serialization format when JSON can be used to eliminate the risk). |
| CVE-2020-13155 | | — | | — | — | Jun 23, 2020 | clearsystem.php in NukeViet 4.4 allows CSRF with resultant HTML injection via the deltype parameter to the admin/index.php?nv=webtools&op=clearsystem URI. |
| CVE-2020-13156 | | — | | — | — | Jun 23, 2020 | modules\users\admin\add_user.php in NukeViet 4.4 allows CSRF to add a user account via the admin/index.php?nv=users&op=user_add URI. |
| CVE-2020-13157 | | — | | — | — | Jun 23, 2020 | modules\users\admin\edit.php in NukeViet 4.4 allows CSRF to change a user's password via an admin/index.php?nv=users&op=edit&userid= URI. The old password is not needed. |