Eyoucms
by Eyoucms
CVEs (77)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-33122 | 0.00 | — | 0.00 | Jun 24, 2022 | A stored cross-site scripting (XSS) vulnerability in eyoucms v1.5.6 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the URL field under the login page. | |||
| CVE-2022-26273 | 0.00 | — | 0.01 | Mar 28, 2022 | EyouCMS v1.5.4 was discovered to lack parameter filtering in \user\controller\shop.php, leading to payment logic vulnerabilities. | |||
| CVE-2022-26279 | 0.00 | — | 0.02 | Mar 24, 2022 | EyouCMS v1.5.5 was discovered to have no access control in the component /data/sqldata. | |||
| CVE-2021-42194 | 0.00 | — | 0.01 | Mar 20, 2022 | The wechat_return function in /controller/Index.php of EyouCms V1.5.4-UTF8-SP3 passes the user's input directly into the simplexml_ load_ String function, which itself does not prohibit external entities, triggering a XML external entity (XXE) injection vulnerability. | |||
| CVE-2021-46255 | 0.00 | — | 0.01 | Jan 14, 2022 | eyouCMS V1.5.5-UTF8-SP3_1 suffers from Arbitrary file deletion due to insufficient filtering of the parameter filename. | |||
| CVE-2020-24000 | 0.00 | — | 0.02 | Nov 3, 2021 | SQL Injection vulnerability in eyoucms cms v1.4.7, allows attackers to execute arbitrary code and disclose sensitive information, via the tid parameter to index.php. | |||
| CVE-2021-39500 | 0.00 | — | 0.01 | Sep 7, 2021 | Eyoucms 1.5.4 is vulnerable to Directory Traversal. Due to a lack of input data sanitizaton in param tpldir, filename, type, nid an attacker can inject "../" to escape and write file to writeable directories. | |||
| CVE-2021-39499 | 0.00 | — | 0.01 | Sep 7, 2021 | A Cross-site scripting (XSS) vulnerability in Users in Qiong ICP EyouCMS 1.5.4 allows remote attackers to inject arbitrary web script or HTML via the `title` parameter in bind_email function. | |||
| CVE-2021-39497 | 0.00 | — | 0.02 | Sep 7, 2021 | eyoucms 1.5.4 lacks sanitization of input data, allowing an attacker to inject a url to trigger blind SSRF via the saveRemote() function. | |||
| CVE-2021-39496 | 0.00 | — | 0.01 | Sep 7, 2021 | Eyoucms 1.5.4 lacks sanitization of input data, allowing an attacker to inject malicious code into `filename` param to trigger Reflected XSS. | |||
| CVE-2020-20645 | 0.00 | — | 0.01 | Aug 19, 2021 | Cross Site Scripting (XSS) vulnerability exists in EyouCMS1.3.6 in the basic_information area. | |||
| CVE-2020-19669 | 0.00 | — | 0.01 | Aug 18, 2021 | Cross Site Request Forgery (CSRF) vulnerability exists in Eyoucms 1.3.6 that can add an admin account via /login.php?m=admin&c=Admin&a=admin_add&lang=cn. | |||
| CVE-2020-28146 | 0.00 | — | 0.01 | Aug 18, 2021 | Cross Site Scripting (XSS) vulnerability exists in Eyoucms v1.4.7 and earlier via the addonfieldext parameter. | |||
| CVE-2020-21930 | 0.00 | — | 0.01 | Aug 10, 2021 | A stored cross site scripting (XSS) vulnerability in the web_attr_2 field of Eyoucms v1.4.1 allows authenticated attackers to execute arbitrary web scripts or HTML. | |||
| CVE-2020-21929 | 0.00 | — | 0.01 | Aug 10, 2021 | A stored cross site scripting (XSS) vulnerability in the web_copyright field of Eyoucms v1.4.1 allows authenticated attackers to execute arbitrary web scripts or HTML. | |||
| CVE-2020-18129 | 0.00 | — | 0.01 | Oct 22, 2020 | A CSRF vulnerability in Eyoucms v1.2.7 allows an attacker to add an admin account via login.php. | |||
| CVE-2019-17430 | 0.00 | — | 0.01 | Oct 10, 2019 | EyouCms through 2019-07-11 has XSS related to the login.php web_recordnum parameter. |
- CVE-2022-33122Jun 24, 2022risk 0.00cvss —epss 0.00
A stored cross-site scripting (XSS) vulnerability in eyoucms v1.5.6 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the URL field under the login page.
- CVE-2022-26273Mar 28, 2022risk 0.00cvss —epss 0.01
EyouCMS v1.5.4 was discovered to lack parameter filtering in \user\controller\shop.php, leading to payment logic vulnerabilities.
- CVE-2022-26279Mar 24, 2022risk 0.00cvss —epss 0.02
EyouCMS v1.5.5 was discovered to have no access control in the component /data/sqldata.
- CVE-2021-42194Mar 20, 2022risk 0.00cvss —epss 0.01
The wechat_return function in /controller/Index.php of EyouCms V1.5.4-UTF8-SP3 passes the user's input directly into the simplexml_ load_ String function, which itself does not prohibit external entities, triggering a XML external entity (XXE) injection vulnerability.
- CVE-2021-46255Jan 14, 2022risk 0.00cvss —epss 0.01
eyouCMS V1.5.5-UTF8-SP3_1 suffers from Arbitrary file deletion due to insufficient filtering of the parameter filename.
- CVE-2020-24000Nov 3, 2021risk 0.00cvss —epss 0.02
SQL Injection vulnerability in eyoucms cms v1.4.7, allows attackers to execute arbitrary code and disclose sensitive information, via the tid parameter to index.php.
- CVE-2021-39500Sep 7, 2021risk 0.00cvss —epss 0.01
Eyoucms 1.5.4 is vulnerable to Directory Traversal. Due to a lack of input data sanitizaton in param tpldir, filename, type, nid an attacker can inject "../" to escape and write file to writeable directories.
- CVE-2021-39499Sep 7, 2021risk 0.00cvss —epss 0.01
A Cross-site scripting (XSS) vulnerability in Users in Qiong ICP EyouCMS 1.5.4 allows remote attackers to inject arbitrary web script or HTML via the `title` parameter in bind_email function.
- CVE-2021-39497Sep 7, 2021risk 0.00cvss —epss 0.02
eyoucms 1.5.4 lacks sanitization of input data, allowing an attacker to inject a url to trigger blind SSRF via the saveRemote() function.
- CVE-2021-39496Sep 7, 2021risk 0.00cvss —epss 0.01
Eyoucms 1.5.4 lacks sanitization of input data, allowing an attacker to inject malicious code into `filename` param to trigger Reflected XSS.
- CVE-2020-20645Aug 19, 2021risk 0.00cvss —epss 0.01
Cross Site Scripting (XSS) vulnerability exists in EyouCMS1.3.6 in the basic_information area.
- CVE-2020-19669Aug 18, 2021risk 0.00cvss —epss 0.01
Cross Site Request Forgery (CSRF) vulnerability exists in Eyoucms 1.3.6 that can add an admin account via /login.php?m=admin&c=Admin&a=admin_add&lang=cn.
- CVE-2020-28146Aug 18, 2021risk 0.00cvss —epss 0.01
Cross Site Scripting (XSS) vulnerability exists in Eyoucms v1.4.7 and earlier via the addonfieldext parameter.
- CVE-2020-21930Aug 10, 2021risk 0.00cvss —epss 0.01
A stored cross site scripting (XSS) vulnerability in the web_attr_2 field of Eyoucms v1.4.1 allows authenticated attackers to execute arbitrary web scripts or HTML.
- CVE-2020-21929Aug 10, 2021risk 0.00cvss —epss 0.01
A stored cross site scripting (XSS) vulnerability in the web_copyright field of Eyoucms v1.4.1 allows authenticated attackers to execute arbitrary web scripts or HTML.
- CVE-2020-18129Oct 22, 2020risk 0.00cvss —epss 0.01
A CSRF vulnerability in Eyoucms v1.2.7 allows an attacker to add an admin account via login.php.
- CVE-2019-17430Oct 10, 2019risk 0.00cvss —epss 0.01
EyouCms through 2019-07-11 has XSS related to the login.php web_recordnum parameter.
Page 4 of 4