Bludit
by Bludit
Source repositories
CVEs (46)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-24554 | 0.00 | — | 0.00 | Jun 24, 2024 | Bludit uses predictable methods in combination with the MD5 hashing algorithm to generate sensitive tokens such as the API token and the user token. This allows attackers to authenticate against the Bludit API. | |||
| CVE-2024-24553 | 0.00 | — | 0.00 | Jun 24, 2024 | Bludit uses the SHA-1 hashing algorithm to compute password hashes. Thus, attackers could determine cleartext passwords with brute-force attacks due to the inherent speed of SHA-1. In addition, the salt that is computed by Bludit is generated with a non-cryptographically secure… | |||
| CVE-2024-24552 | 0.00 | — | 0.00 | Jun 24, 2024 | A session fixation vulnerability in Bludit allows an attacker to bypass the server's authentication if they can trick an administrator or any other user into authorizing a session ID of their choosing. | |||
| CVE-2024-24551 | 0.00 | — | 0.01 | Jun 24, 2024 | A security vulnerability has been identified in Bludit, allowing authenticated attackers to execute arbitrary code through the Image API. This vulnerability arises from improper handling of file uploads, enabling malicious actors to upload and execute PHP files. | |||
| CVE-2024-24550 | 0.00 | — | 0.01 | Jun 24, 2024 | A security vulnerability has been identified in Bludit, allowing attackers with knowledge of the API token to upload arbitrary files through the File API which leads to arbitrary code execution on the server. This vulnerability arises from improper handling of file uploads,… | |||
| CVE-2024-25297 | 0.00 | — | 0.01 | Feb 17, 2024 | Cross Site Scripting (XSS) vulnerability in Bludit CMS version 3.15, allows remote attackers to execute arbitrary code and obtain sensitive information via edit-content.php. | |||
| CVE-2023-24674 | 0.00 | — | 0.00 | Sep 1, 2023 | Permissions vulnerability found in Bludit CMS v.4.0.0 allows local attackers to escalate privileges via the role:admin parameter. | |||
| CVE-2020-20210 | 0.00 | — | 0.01 | Jun 26, 2023 | Bludit 3.9.2 is vulnerable to Remote Code Execution (RCE) via /admin/ajax/upload-images. | |||
| CVE-2023-34845 | 0.00 | — | 0.01 | Jun 16, 2023 | Bludit v3.14.1 was discovered to contain an arbitrary file upload vulnerability in the component /admin/new-content. This vulnerability allows attackers to execute arbitrary web scripts or HTML via uploading a crafted SVG file. NOTE: the product's security model is that users… | |||
| CVE-2023-31572 | 0.00 | — | 0.01 | May 16, 2023 | An issue in Bludit 4.0.0-rc-2 allows authenticated attackers to change the Administrator password and escalate privileges via a crafted request. | |||
| CVE-2020-19228 | 0.00 | — | 0.01 | May 11, 2022 | An issue was found in bludit v3.13.0, unsafe implementation of the backup plugin allows attackers to upload arbitrary files. | |||
| CVE-2022-1590 | 0.00 | — | 0.01 | May 5, 2022 | A vulnerability was found in Bludit 3.13.1. It has been declared as problematic. This vulnerability affects the endpoint /admin/new-content of the New Content module. The manipulation of the argument content with the input leads to cross site scripting.… | |||
| CVE-2021-45745 | 0.00 | — | 0.01 | Jan 6, 2022 | A Stored Cross Site Scripting (XSS) vulnerability exists in Bludit 3.13.1 via the About Plugin in login panel. | |||
| CVE-2021-45744 | 0.00 | — | 0.01 | Jan 6, 2022 | A Stored Cross Site Scripting (XSS) vulnerability exists in bludit 3.13.1 via the TAGS section in login panel. | |||
| CVE-2020-20495 | 0.00 | — | 0.02 | Aug 31, 2021 | bludit v3.13.0 contains an arbitrary file deletion vulnerability in the backup plugin via the `deleteBackup' parameter. | |||
| CVE-2021-25808 | 0.00 | — | 0.01 | Jul 23, 2021 | A code injection vulnerability in backup/plugin.php of Bludit 3.13.1 allows attackers to execute arbitrary code via a crafted ZIP file. | |||
| CVE-2020-23765 | 0.00 | — | 0.01 | May 21, 2021 | A file upload vulnerability was discovered in the file path /bl-plugins/backup/plugin.php on Bludit version 3.12.0. If an attacker is able to gain Administrator rights they will be able to use unsafe plugins to upload a backup file and control the server. | |||
| CVE-2020-18190 | 0.00 | — | 0.02 | Oct 2, 2020 | Bludit v3.8.1 is affected by directory traversal. Remote attackers are able to delete arbitrary files via /admin/ajax/upload-profile-picture. | |||
| CVE-2020-15026 | 0.00 | — | 0.01 | Jun 24, 2020 | Bludit 3.12.0 allows admins to use a /plugin-backup-download?file=../ directory traversal approach for arbitrary file download via backup/plugin.php. | |||
| CVE-2020-15006 | 0.00 | — | 0.01 | Jun 24, 2020 | Bludit 3.12.0 allows stored XSS via JavaScript code in an SVG document to bl-kernel/ajax/logo-upload.php. |
- CVE-2024-24554Jun 24, 2024risk 0.00cvss —epss 0.00
Bludit uses predictable methods in combination with the MD5 hashing algorithm to generate sensitive tokens such as the API token and the user token. This allows attackers to authenticate against the Bludit API.
- CVE-2024-24553Jun 24, 2024risk 0.00cvss —epss 0.00
Bludit uses the SHA-1 hashing algorithm to compute password hashes. Thus, attackers could determine cleartext passwords with brute-force attacks due to the inherent speed of SHA-1. In addition, the salt that is computed by Bludit is generated with a non-cryptographically secure…
- CVE-2024-24552Jun 24, 2024risk 0.00cvss —epss 0.00
A session fixation vulnerability in Bludit allows an attacker to bypass the server's authentication if they can trick an administrator or any other user into authorizing a session ID of their choosing.
- CVE-2024-24551Jun 24, 2024risk 0.00cvss —epss 0.01
A security vulnerability has been identified in Bludit, allowing authenticated attackers to execute arbitrary code through the Image API. This vulnerability arises from improper handling of file uploads, enabling malicious actors to upload and execute PHP files.
- CVE-2024-24550Jun 24, 2024risk 0.00cvss —epss 0.01
A security vulnerability has been identified in Bludit, allowing attackers with knowledge of the API token to upload arbitrary files through the File API which leads to arbitrary code execution on the server. This vulnerability arises from improper handling of file uploads,…
- CVE-2024-25297Feb 17, 2024risk 0.00cvss —epss 0.01
Cross Site Scripting (XSS) vulnerability in Bludit CMS version 3.15, allows remote attackers to execute arbitrary code and obtain sensitive information via edit-content.php.
- CVE-2023-24674Sep 1, 2023risk 0.00cvss —epss 0.00
Permissions vulnerability found in Bludit CMS v.4.0.0 allows local attackers to escalate privileges via the role:admin parameter.
- CVE-2020-20210Jun 26, 2023risk 0.00cvss —epss 0.01
Bludit 3.9.2 is vulnerable to Remote Code Execution (RCE) via /admin/ajax/upload-images.
- CVE-2023-34845Jun 16, 2023risk 0.00cvss —epss 0.01
Bludit v3.14.1 was discovered to contain an arbitrary file upload vulnerability in the component /admin/new-content. This vulnerability allows attackers to execute arbitrary web scripts or HTML via uploading a crafted SVG file. NOTE: the product's security model is that users…
- CVE-2023-31572May 16, 2023risk 0.00cvss —epss 0.01
An issue in Bludit 4.0.0-rc-2 allows authenticated attackers to change the Administrator password and escalate privileges via a crafted request.
- CVE-2020-19228May 11, 2022risk 0.00cvss —epss 0.01
An issue was found in bludit v3.13.0, unsafe implementation of the backup plugin allows attackers to upload arbitrary files.
- CVE-2022-1590May 5, 2022risk 0.00cvss —epss 0.01
A vulnerability was found in Bludit 3.13.1. It has been declared as problematic. This vulnerability affects the endpoint /admin/new-content of the New Content module. The manipulation of the argument content with the input leads to cross site scripting.…
- CVE-2021-45745Jan 6, 2022risk 0.00cvss —epss 0.01
A Stored Cross Site Scripting (XSS) vulnerability exists in Bludit 3.13.1 via the About Plugin in login panel.
- CVE-2021-45744Jan 6, 2022risk 0.00cvss —epss 0.01
A Stored Cross Site Scripting (XSS) vulnerability exists in bludit 3.13.1 via the TAGS section in login panel.
- CVE-2020-20495Aug 31, 2021risk 0.00cvss —epss 0.02
bludit v3.13.0 contains an arbitrary file deletion vulnerability in the backup plugin via the `deleteBackup' parameter.
- CVE-2021-25808Jul 23, 2021risk 0.00cvss —epss 0.01
A code injection vulnerability in backup/plugin.php of Bludit 3.13.1 allows attackers to execute arbitrary code via a crafted ZIP file.
- CVE-2020-23765May 21, 2021risk 0.00cvss —epss 0.01
A file upload vulnerability was discovered in the file path /bl-plugins/backup/plugin.php on Bludit version 3.12.0. If an attacker is able to gain Administrator rights they will be able to use unsafe plugins to upload a backup file and control the server.
- CVE-2020-18190Oct 2, 2020risk 0.00cvss —epss 0.02
Bludit v3.8.1 is affected by directory traversal. Remote attackers are able to delete arbitrary files via /admin/ajax/upload-profile-picture.
- CVE-2020-15026Jun 24, 2020risk 0.00cvss —epss 0.01
Bludit 3.12.0 allows admins to use a /plugin-backup-download?file=../ directory traversal approach for arbitrary file download via backup/plugin.php.
- CVE-2020-15006Jun 24, 2020risk 0.00cvss —epss 0.01
Bludit 3.12.0 allows stored XSS via JavaScript code in an SVG document to bl-kernel/ajax/logo-upload.php.
Page 2 of 3