VYPR

Discuz!

by Discuz

CVEs (21)

  • CVE-2018-5377 | Critical | Jan 12, 2018
    risk 0.64 | cvss 9.8 | epss 0.02

    Discuz! DiscuzX X3.4 allows remote attackers to bypass intended access restrictions via the archiver\index.php action parameter.

  • CVE-2018-14729 | High | May 22, 2019
    risk 0.58 | cvss 8.8 | epss 0.11

    The database backup feature in upload/source/admincp/admincp_db.php in Discuz! 2.5 and 3.4 allows remote attackers to execute arbitrary PHP code.

  • CVE-2018-5259 | High | Jan 8, 2018
    risk 0.57 | cvss 8.8 | epss 0.02

    Discuz! DiscuzX X3.4 allows remote authenticated users to bypass intended attachment-deletion restrictions via a modified aid parameter.

  • CVE-2018-20423 | High | Dec 24, 2018
    risk 0.53 | cvss 8.1 | epss 0.01

    Discuz! DiscuzX 3.4, when WeChat login is enabled, allows remote attackers to bypass a "disabled registration" setting by adding a non-existing wxopenid value to the plugin.php ac=wxregister query string.

  • CVE-2018-20422 | High | Dec 24, 2018
    risk 0.53 | cvss 8.1 | epss 0.01

    Discuz! DiscuzX 3.4, when WeChat login is enabled, allows remote attackers to bypass authentication by leveraging a non-empty #wechat#common_member_wechatmp to gain login access to an account via a plugin.php ac=wxregister request (the attacker does not have control over which…

  • CVE-2026-49954 | High | Jun 15, 2026
    risk 0.47 | cvss 7.2 | epss 0.01

    Discuz! X5.0 releases 20260320 through 20260610 contain a local file inclusion vulnerability that allows authenticated administrators to execute arbitrary code by importing a specially crafted plugin configuration containing path traversal sequences in the directory attribute.…

  • CVE-2026-49953 | Medium | Jun 15, 2026
    risk 0.42 | cvss 6.5 | epss 0.00

    Discuz! X5.0 releases 20260320 through 20260610 contain a CAPTCHA bypass vulnerability that allows unauthenticated remote attackers to defeat challenge controls by exploiting limited complexity and predictable character sets in generated CAPTCHA images. Attackers can train a…

  • CVE-2022-45543 | Medium | Feb 15, 2023
    risk 0.40 | cvss 6.1 | epss 0.01

    Cross site scripting (XSS) vulnerability in DiscuzX 3.4 allows attackers to execute arbitrary code via the datetline, title, tpp, or username parameters via the audit search.

  • CVE-2018-5376 | Medium | Jan 12, 2018
    risk 0.40 | cvss 6.1 | epss 0.01

    Discuz! DiscuzX X3.4 has XSS via the include\spacecp\spacecp_upload.php op parameter.

  • CVE-2018-5375 | Medium | Jan 12, 2018
    risk 0.40 | cvss 6.1 | epss 0.01

    Discuz! DiscuzX X3.4 has XSS via the include\spacecp\spacecp_space.php appid parameter in a delete action.

  • CVE-2018-20424 | Medium | Dec 24, 2018
    risk 0.38 | cvss 5.9 | epss 0.01

    Discuz! DiscuzX 3.4, when WeChat login is enabled, allows remote attackers to delete the common_member_wechatmp data structure via an ac=unbindmp request to plugin.php.

  • CVE-2018-10298 | Medium | Apr 22, 2018
    risk 0.35 | cvss 5.4 | epss 0.01

    Discuz! DiscuzX through X3.4 has reflected XSS via forum.php?mod=post&action=newthread because data/template/1_diy_portal_view.tpl.php does not restrict the content.

  • CVE-2018-10297 | Medium | Apr 22, 2018
    risk 0.35 | cvss 5.4 | epss 0.01

    Discuz! DiscuzX through X3.4 has stored XSS via the portal.php?mod=portalcp&ac=article URI, related to mishandling of IMG elements associated with remote images.

  • CVE-2018-5331 | Medium | Jan 10, 2018
    risk 0.35 | cvss 5.4 | epss 0.01

    Discuz! DiscuzX X3.4 has XSS via the view parameter to include/space/space_poll.php, as demonstrated by a mod=space do=poll request to home.php.

  • CVE-2020-36828 | Low | Mar 31, 2024
    risk 0.16 | cvss 3.5 | epss 0.00

    A vulnerability was found in DiscuzX up to 3.4-20200818. It has been classified as problematic. Affected is the function show_next_step of the file upload/install/include/install_function.php. The manipulation of the argument uchidden leads to cross site scripting. It is…

  • CVE-2008-6957 | Aug 12, 2009
    risk 0.03 | cvss - | epss 0.03

    member.php in Crossday Discuz! Board allows remote attackers to reset passwords of arbitrary users via crafted (1) lostpasswd and (2) getpasswd actions, possibly involving predictable generation of the id parameter.

  • CVE-2008-3554 | Aug 8, 2008
    risk 0.03 | cvss - | epss 0.01

    SQL injection vulnerability in index.php in Discuz! 6.0.1 allows remote attackers to execute arbitrary SQL commands via the searchid parameter in a search action.

  • CVE-2006-5561 | Oct 27, 2006
    risk 0.03 | cvss - | epss 0.01

    SQL injection vulnerability in admincp.php in Discuz! GBK 5.0.0 allows remote attackers to execute arbitrary SQL commands via the cdb_auth cookie.

  • CVE-2004-0254 | Nov 23, 2004
    risk 0.03 | cvss - | epss 0.02

    Cross-site scripting (XSS) vulnerability in Discuz! Board 2.x and 3.x allows remote attackers to execute arbitrary script as other users via an img tag.

  • CVE-2024-30884 | Apr 11, 2024
    risk 0.00 | cvss - | epss 0.01

    Reflected Cross-Site Scripting (XSS) vulnerability in Discuz! version X3.4 20220811, allows remote attackers to execute arbitrary code and obtain sensitive information via crafted payload to the primarybegin parameter in the misc.php component.
