Packagist (Composer) package
zoujingli/thinkadmin
pkg:composer/zoujingli/thinkadmin
Vulnerabilities (6)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-48966 | — | — | — | <= 6.1.53 | — | Dec 4, 2023 | An arbitrary file upload vulnerability in the component /admin/api.upload/file of ThinkAdmin v6.1.53 allows attackers to execute arbitrary code via a crafted Zip file. |
| CVE-2020-35296 | — | — | — | — | — | Mar 3, 2021 | ThinkAdmin v6 ships with default administrator credentials, which allows attackers to gain unrestricted access to the administrator dashboard. |
| CVE-2020-23653 | — | — | — | >= 4.0, < 6.1.0 | 6.1.0 | Jan 13, 2021 | An insecure unserialize vulnerability in ThinkAdmin versions 4.x through 6.0.x (fixed in 6.1.0), in app/admin/controller/api/Update.php and app/wechat/controller/api/Push.php, may lead to arbitrary remote code execution. |
| CVE-2020-29315 | — | — | — | < 6.0.22 | 6.0.22 | Dec 1, 2020 | ThinkAdmin v6 before 6.0.22 has a stored XSS vulnerability that allows remote attackers to inject arbitrary web script or HTML. |
| CVE-2020-25540 | — | — | — | — | — | Sep 14, 2020 | ThinkAdmin v6 is affected by a directory traversal vulnerability. An unauthenticated attacker can read arbitrary files on the server via the encode parameter of a GET request. |
| CVE-2019-11018 | — | — | — | — | — | Apr 8, 2019 | application\admin\controller\User.php in ThinkAdmin V4.0 does not prevent continued use of an administrator's cookie-based credentials after a password change. |
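Added example (this is editor-supplied code, not code from the ThinkAdmin project or from this page): a small triage script that reads a composer.lock, finds the installed zoujingli/thinkadmin version, and checks it against the "Affected versions" column of the table above. The composer.lock excerpt is constructed for the example. CVEs whose affected range is given only as "—" (CVE-2020-35296, CVE-2020-25540, CVE-2019-11018) cannot be decided by version number alone and are reported for manual review rather than silently treated as unaffected. Composer's own `composer audit` performs this lookup against the Packagist advisory database; the script only makes the range matching explicit.

```python
"""Check an installed zoujingli/thinkadmin version against the affected
ranges listed in the vulnerability table above.

Added example, not ThinkAdmin project code.  The composer.lock excerpt
is constructed; the constraints are copied from the table.
"""
import json
import re

# CVE -> affected-version constraint, copied from the table.
# "—" is the page's marker for a CVE with no stated version range.
AFFECTED = {
    "CVE-2023-48966": "<= 6.1.53",
    "CVE-2020-35296": "—",
    "CVE-2020-23653": ">= 4.0, < 6.1.0",
    "CVE-2020-29315": "< 6.0.22",
    "CVE-2020-25540": "—",
    "CVE-2019-11018": "—",
}

# Constructed composer.lock excerpt (not a real lock file).
COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "topthink/framework", "version": "v6.0.12"},
        {"name": "zoujingli/thinkadmin", "version": "v6.0.20"},
    ],
    "packages-dev": [],
})

# One clause of a constraint: optional operator, optional "v", dotted digits.
_CLAUSE_RE = re.compile(r"^(<=|>=|<|>|==|=)?\s*v?(\d+(?:\.\d+)*)$")


def parse_version(text):
    """'v6.1.53' -> (6, 1, 53).  Tolerates a leading 'v' as Composer prints it."""
    m = re.match(r"^v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def _cmp(a, b):
    """Three-way compare of version tuples; pads so that 6.1 == 6.1.0."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def matches(version, constraint):
    """True/False when the constraint decides; None when no range is stated.

    Clauses separated by commas are AND-ed, as in ">= 4.0, < 6.1.0".
    """
    if constraint.strip() in ("—", "-", ""):
        return None
    v = parse_version(version)
    for clause in constraint.split(","):
        m = _CLAUSE_RE.match(clause.strip())
        if not m:
            raise ValueError(f"unparseable constraint clause: {clause!r}")
        op = m.group(1) or "=="
        c = _cmp(v, parse_version(m.group(2)))
        ok = {"<": c < 0, "<=": c <= 0, ">": c > 0,
              ">=": c >= 0, "==": c == 0, "=": c == 0}[op]
        if not ok:
            return False
    return True


def installed_version(lock_json, package):
    """Return the locked version string for `package`, or None if absent."""
    lock = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == package:
                return pkg["version"]
    return None


def triage(lock_json, package="zoujingli/thinkadmin", affected=AFFECTED):
    """Split the CVE list into version-confirmed hits and manual-review items."""
    version = installed_version(lock_json, package)
    if version is None:
        return {"version": None, "affected": [], "review": []}
    hits, review = [], []
    for cve, constraint in affected.items():
        result = matches(version, constraint)
        if result is True:
            hits.append(cve)
        elif result is None:
            review.append(cve)
    return {"version": version, "affected": hits, "review": review}


if __name__ == "__main__":
    print(json.dumps(triage(COMPOSER_LOCK), indent=2))
```

For the constructed lock (v6.0.20) the script reports three version-confirmed hits and three items for review. Note that CVE-2020-35296 is a default-credentials issue, so even an upgraded install needs its administrator password checked; a version check can never clear it.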