Packagist (Composer) package

tribalsystems/zenario

pkg:composer/tribalsystems/zenario

Vulnerabilities (22)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2024-45964		—	<= 9.7.61188	—	Oct 2, 2024	Zenario 9.7.61188 is vulnerable to Cross Site Scripting (XSS) in the Image library via the "Organizer tags" field.
CVE-2024-45960		—	<= 9.7.61188	—	Oct 2, 2024	Zenario 9.7.61188 allows authenticated admin users to upload PDF files containing malicious code into the target system. If the PDF file is accessed through the website, it can trigger a Cross Site Scripting (XSS) attack.
CVE-2024-34461	Cri	9.8	< 9.5.60437	9.5.60437	May 4, 2024	Zenario before 9.5.60437 uses Twig filters insecurely in the Twig Snippet plugin, and in the site-wide HEAD and BODY elements, enabling code execution by a designer or an administrator.
CVE-2024-34460	Med	6.5	< 9.5.60602	9.5.60602	May 4, 2024	The Tree Explorer tool from Organizer in Zenario before 9.5.60602 is affected by XSS. (This component was removed in 9.5.60602.)
CVE-2023-44769		—	<= 9.4.59197	—	Oct 24, 2023	A Cross-Site Scripting (XSS) vulnerability in Zenario CMS v.9.4.59197 allows a local attacker to execute arbitrary code via a crafted script to the Spare aliases from Alias.
CVE-2023-44771		—	<= 9.4.59197	—	Oct 6, 2023	A Cross-Site Scripting (XSS) vulnerability in Zenario CMS v.9.4.59197 allows a local attacker to execute arbitrary code via a crafted script to the Page Layout.
CVE-2023-44770		—	<= 9.4.59197	—	Oct 6, 2023	A Cross-Site Scripting (XSS) vulnerability in Zenario CMS v.9.4.59197 allows an attacker to execute arbitrary code via a crafted script to the Organizer - Spare alias.
CVE-2022-44136		—	< 9.0.57473	9.0.57473	Nov 30, 2022	Zenario CMS 9.3.57186 is vulnerable to Remote Code Excution (RCE).
CVE-2022-4231		—	<= 9.3.57595	—	Nov 30, 2022	A vulnerability, which was classified as problematic, has been found in Tribal Systems Zenario CMS 9.3.57595. This issue affects some unknown processing of the component Remember Me Handler. The manipulation leads to session fixiation. The attack may be initiated remotely. The ex
CVE-2022-44073		—	<= 9.3.57186	—	Nov 16, 2022	Zenario CMS 9.3.57186 is vulnerable to Cross Site Scripting (XSS) via svg,Users & Contacts.
CVE-2022-44071		—	<= 9.3.57186	—	Nov 16, 2022	Zenario CMS 9.3.57186 is is vulnerable to Cross Site Scripting (XSS) via profile.
CVE-2022-44070		—	<= 9.3.57186	—	Nov 16, 2022	Zenario CMS 9.3.57186 is vulnerable to Cross Site Scripting (XSS) via News articles.
CVE-2022-44069		—	<= 9.3.57186	—	Nov 16, 2022	Zenario CMS 9.3.57186 is vulnerable to Cross Site Scripting (XSS) via the Nest library module.
CVE-2020-36608		—	< 8.5.51340	8.5.51340	Nov 2, 2022	A vulnerability, which was classified as problematic, has been found in Tribal Systems Zenario CMS. Affected by this issue is some unknown functionality of the file admin_organizer.js of the component Error Log Module. The manipulation leads to cross site scripting. The attack ma
CVE-2021-41952		—	< 9.0.55143	9.0.55143	Mar 14, 2022	Zenario CMS 9.0.54156 is vulnerable to Cross Site Scripting (XSS) via upload file to *.SVG. An attacker can send malicious files to victims and steals victim's cookie leads to account takeover. The person viewing the image of a contact can be victim of XSS.
CVE-2021-42171		—	< 9.0.55143	9.0.55143	Mar 14, 2022	Zenario CMS 9.0.54156 is vulnerable to File Upload. The web server can be compromised by uploading and executing a web-shell which can run commands, browse system files, browse local resources, attack other servers, and exploit the local vulnerabilities, and so forth.
CVE-2022-23043		—	< 9.2.55826	9.2.55826	Feb 22, 2022	Zenario CMS 9.2 allows an authenticated admin user to bypass the file upload restriction by creating a new 'File/MIME Types' using the '.phar' extension. Then an attacker can upload a malicious file, intercept the request and change the extension to '.phar' in order to run comman
CVE-2021-26830		—	< 8.8.53370	8.8.53370	Apr 16, 2021	SQL Injection in Tribalsystems Zenario CMS 8.8.52729 allows remote attackers to access the database or delete the plugin. This is accomplished via the `ID` input field of ajax.php in the `Pugin library - delete` module.
CVE-2021-27673		—	< 8.8.53370	8.8.53370	Apr 15, 2021	Cross Site Scripting (XSS) in the "admin_boxes.ajax.php" component of Tribal Systems Zenario CMS v8.8.52729 allows remote attackers to execute arbitrary code by injecting arbitrary HTML into the "cID" parameter when creating a new HTML component.
CVE-2021-27672		—	< 8.8.53370	8.8.53370	Apr 15, 2021	SQL Injection in the "admin_boxes.ajax.php" component of Tribal Systems Zenario CMS v8.8.52729 allows remote attackers to obtain sesnitive database information by injecting SQL commands into the "cID" parameter when creating a new HTML component.

CVE-2024-45964Oct 2, 2024
affected <= 9.7.61188
Zenario 9.7.61188 is vulnerable to Cross Site Scripting (XSS) in the Image library via the "Organizer tags" field.
CVE-2024-45960Oct 2, 2024
affected <= 9.7.61188
Zenario 9.7.61188 allows authenticated admin users to upload PDF files containing malicious code into the target system. If the PDF file is accessed through the website, it can trigger a Cross Site Scripting (XSS) attack.
CVE-2024-34461CriMay 4, 2024
affected < 9.5.60437fixed 9.5.60437
Zenario before 9.5.60437 uses Twig filters insecurely in the Twig Snippet plugin, and in the site-wide HEAD and BODY elements, enabling code execution by a designer or an administrator.
CVE-2024-34460MedMay 4, 2024
affected < 9.5.60602fixed 9.5.60602
The Tree Explorer tool from Organizer in Zenario before 9.5.60602 is affected by XSS. (This component was removed in 9.5.60602.)
CVE-2023-44769Oct 24, 2023
affected <= 9.4.59197
A Cross-Site Scripting (XSS) vulnerability in Zenario CMS v.9.4.59197 allows a local attacker to execute arbitrary code via a crafted script to the Spare aliases from Alias.
CVE-2023-44771Oct 6, 2023
affected <= 9.4.59197
A Cross-Site Scripting (XSS) vulnerability in Zenario CMS v.9.4.59197 allows a local attacker to execute arbitrary code via a crafted script to the Page Layout.
CVE-2023-44770Oct 6, 2023
affected <= 9.4.59197
A Cross-Site Scripting (XSS) vulnerability in Zenario CMS v.9.4.59197 allows an attacker to execute arbitrary code via a crafted script to the Organizer - Spare alias.
CVE-2022-44136Nov 30, 2022
affected < 9.0.57473fixed 9.0.57473
Zenario CMS 9.3.57186 is vulnerable to Remote Code Excution (RCE).
CVE-2022-4231Nov 30, 2022
affected <= 9.3.57595
A vulnerability, which was classified as problematic, has been found in Tribal Systems Zenario CMS 9.3.57595. This issue affects some unknown processing of the component Remember Me Handler. The manipulation leads to session fixiation. The attack may be initiated remotely. The ex
CVE-2022-44073Nov 16, 2022
affected <= 9.3.57186
Zenario CMS 9.3.57186 is vulnerable to Cross Site Scripting (XSS) via svg,Users & Contacts.
CVE-2022-44071Nov 16, 2022
affected <= 9.3.57186
Zenario CMS 9.3.57186 is is vulnerable to Cross Site Scripting (XSS) via profile.
CVE-2022-44070Nov 16, 2022
affected <= 9.3.57186
Zenario CMS 9.3.57186 is vulnerable to Cross Site Scripting (XSS) via News articles.
CVE-2022-44069Nov 16, 2022
affected <= 9.3.57186
Zenario CMS 9.3.57186 is vulnerable to Cross Site Scripting (XSS) via the Nest library module.
CVE-2020-36608Nov 2, 2022
affected < 8.5.51340fixed 8.5.51340
A vulnerability, which was classified as problematic, has been found in Tribal Systems Zenario CMS. Affected by this issue is some unknown functionality of the file admin_organizer.js of the component Error Log Module. The manipulation leads to cross site scripting. The attack ma
CVE-2021-41952Mar 14, 2022
affected < 9.0.55143fixed 9.0.55143
Zenario CMS 9.0.54156 is vulnerable to Cross Site Scripting (XSS) via upload file to *.SVG. An attacker can send malicious files to victims and steals victim's cookie leads to account takeover. The person viewing the image of a contact can be victim of XSS.
CVE-2021-42171Mar 14, 2022
affected < 9.0.55143fixed 9.0.55143
Zenario CMS 9.0.54156 is vulnerable to File Upload. The web server can be compromised by uploading and executing a web-shell which can run commands, browse system files, browse local resources, attack other servers, and exploit the local vulnerabilities, and so forth.
CVE-2022-23043Feb 22, 2022
affected < 9.2.55826fixed 9.2.55826
Zenario CMS 9.2 allows an authenticated admin user to bypass the file upload restriction by creating a new 'File/MIME Types' using the '.phar' extension. Then an attacker can upload a malicious file, intercept the request and change the extension to '.phar' in order to run comman
CVE-2021-26830Apr 16, 2021
affected < 8.8.53370fixed 8.8.53370
SQL Injection in Tribalsystems Zenario CMS 8.8.52729 allows remote attackers to access the database or delete the plugin. This is accomplished via the `ID` input field of ajax.php in the `Pugin library - delete` module.
CVE-2021-27673Apr 15, 2021
affected < 8.8.53370fixed 8.8.53370
Cross Site Scripting (XSS) in the "admin_boxes.ajax.php" component of Tribal Systems Zenario CMS v8.8.52729 allows remote attackers to execute arbitrary code by injecting arbitrary HTML into the "cID" parameter when creating a new HTML component.
CVE-2021-27672Apr 15, 2021
affected < 8.8.53370fixed 8.8.53370
SQL Injection in the "admin_boxes.ajax.php" component of Tribal Systems Zenario CMS v8.8.52729 allows remote attackers to obtain sesnitive database information by injecting SQL commands into the "cID" parameter when creating a new HTML component.

Page 1 of 2