Packagist (Composer) package
thinkcmf/thinkcmf
pkg:composer/thinkcmf/thinkcmf
Vulnerabilities (5)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2020-25915 | — | — | — | < 5.1.7 | 5.1.7 | Aug 11, 2023 | Cross-site scripting (XSS) vulnerability in UserController.php in ThinkCMF 5.1.5 allows attackers to execute arbitrary web script via a crafted user_login. |
| CVE-2022-40849 | — | — | — | < 6.0.8 | 6.0.8 | Dec 1, 2022 | ThinkCMF 6.0.7 is affected by stored cross-site scripting (XSS). An attacker who successfully exploits this vulnerability can inject a persistent XSS payload in the Slideshow Management section that executes arbitrary JavaScript on the client side, e.g., to steal t |
| CVE-2022-40489 | — | — | — | < 6.0.8 | 6.0.8 | Dec 1, 2022 | ThinkCMF 6.0.7 is affected by a cross-site request forgery (CSRF) vulnerability that allows a Super Administrator user to be injected into the administrative users. |
| CVE-2021-40616 | — | — | — | < 6.0.0 | 6.0.0 | Jun 14, 2022 | ThinkCMF 5.1.7 has a missing authorization check: an attacker holding the back-end user management group permission can change the password of the administrator account with id 1. Exploitation requires that back-end user management group permission. |
| CVE-2020-18151 | — | — | — | < 6.0.8 | 6.0.8 | Jul 14, 2021 | Cross-site request forgery (CSRF) vulnerability in ThinkCMF 5.1.0 that can add an admin account. |
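A practitioner reading this table usually wants one thing from it: is the version pinned in my project inside any of the "affected < fixed" ranges? The script below is an added example, not code from ThinkCMF or Packagist. It reads the locked version of thinkcmf/thinkcmf from a composer.lock, normalises it the way Composer does for comparison purposes (leading `v` dropped, pre-release suffixes sorting below the corresponding release), and reports which of the five CVEs above still apply. The composer.lock fragment is constructed for the demo; the advisory data is transcribed from the table, and the `parse_version` helper is an assumption that covers ordinary tagged releases, not Composer `dev-*` branch aliases.

```python
"""Check a composer.lock against the thinkcmf/thinkcmf advisories above.

Added example (not ThinkCMF or Packagist code). The lock-file fragment at the
bottom is constructed for the demo; the advisory entries are transcribed from
the table on this page, where every affected range is "< fixed-in version".
"""
import json
import re

PACKAGE = "thinkcmf/thinkcmf"

# (CVE, fixed-in version, one-line summary), transcribed from the table.
ADVISORIES = [
    ("CVE-2020-25915", "5.1.7", "XSS via user_login in UserController.php"),
    ("CVE-2022-40849", "6.0.8", "Stored XSS in Slideshow Management"),
    ("CVE-2022-40489", "6.0.8", "CSRF injecting a Super Administrator user"),
    ("CVE-2021-40616", "6.0.0", "Missing authz: reset password of admin id 1"),
    ("CVE-2020-18151", "6.0.8", "CSRF adding an admin account"),
]

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[-+.]?([A-Za-z].*))?$")


def parse_version(v: str) -> tuple:
    """Turn 'v6.0.7', '6.0.8-beta1' or '6.0' into a comparable tuple.

    Assumed normalisation (covers tagged releases, not 'dev-*' aliases):
    strip a leading 'v', pad the numeric part to four components, and rank a
    pre-release (alpha/beta/RC/...) below the release with the same numbers.
    """
    v = v.strip().lstrip("vV")
    m = _VERSION_RE.match(v)
    if not m:
        raise ValueError(f"unrecognised version: {v!r}")
    nums = [int(x) for x in m.group(1).split(".")]
    nums += [0] * (4 - len(nums))
    is_release = 0 if m.group(2) else 1
    return (tuple(nums), is_release)


def installed_version(lock_text: str, package: str = PACKAGE):
    """Return the locked version string of `package`, or None if absent.

    Both 'packages' and 'packages-dev' are searched, because a CMS pulled in
    only for development still exposes its admin routes on a dev box.
    """
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == package:
                return pkg["version"]
    return None


def applicable_advisories(version: str) -> list:
    """CVE IDs whose 'affected < fixed' range contains `version`."""
    iv = parse_version(version)
    return [cve for cve, fixed, _ in ADVISORIES if iv < parse_version(fixed)]


# Constructed composer.lock fragment for the demo (not a real project's file).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "topthink/framework", "version": "v6.0.12"},
        {"name": "thinkcmf/thinkcmf", "version": "v6.0.7"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    v = installed_version(SAMPLE_LOCK)
    hits = applicable_advisories(v) if v else []
    print(f"{PACKAGE} {v}: {hits or 'no listed advisories apply'}")
    for cve, fixed, summary in ADVISORIES:
        if cve in hits:
            print(f"  {cve}: {summary} (fixed in {fixed})")
```

Running it on the constructed lock file reports the three 6.0.8 fixes (CVE-2022-40849, CVE-2022-40489, CVE-2020-18151) for the pinned 6.0.7 and nothing for 6.0.8 or later. Note that a pre-release such as 6.0.8-RC1 is deliberately treated as still affected, since it precedes the release that carries the fix. For anything beyond this one package, `composer audit` (Composer 2.4+) performs the same comparison against the Packagist advisory database for every dependency in the lock file.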