VYPR

Cotonti

by Cotonti

Source repositories

CVEs (11)

  • CVE-2025-44115MedJun 2, 2025
    risk 0.35cvss 5.4epss 0.00

    A vulnerability has been found in Cotonti Siena v0.9.25. Affected by this vulnerability is the file /admin.php?m=config&n=edit&o=core&p=title. The manipulation of the value of title leads to cross-site scripting.

  • CVE-2024-24115MedFeb 8, 2024
    risk 0.35cvss 5.4epss 0.00

    A stored cross-site scripting (XSS) vulnerability in the Edit Page function of Cotonti CMS v0.9.24 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload.

  • CVE-2022-39840MedSep 5, 2022
    risk 0.31cvss 4.8epss 0.00

    Cotonti Siena 0.9.20 allows admins to conduct stored XSS attacks via a direct message (DM).

  • CVE-2022-39839MedSep 5, 2022
    risk 0.31cvss 4.8epss 0.00

    Cotonti Siena 0.9.20 allows admins to conduct stored XSS attacks via a forum post.

  • CVE-2026-55746Jun 18, 2026
    risk 0.00cvss epss 0.00

    Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to stored Cross-Site Scripting in the Personal File Storage (PFS) module. A folder title (pff_title) is imported with the 'TXT' filter, which does not strip or encode HTML (the tag check in cot_import is disabled), so…

  • CVE-2026-55745Jun 18, 2026
    risk 0.00cvss epss 0.00

    Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the Personal File Storage (PFS) module. In modules/pfs/inc/pfs.editfolder.php, the folder update action ('a=update') updates folder metadata (title, description, public/gallery flags)…

  • CVE-2026-55744Jun 18, 2026
    risk 0.00cvss epss 0.00

    Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the Personal File Storage (PFS) module. In modules/pfs/inc/pfs.main.php, the file upload action ('a=upload') processes uploaded files without calling cot_check_xg() to validate the…

  • CVE-2026-55742Jun 18, 2026
    risk 0.00cvss epss 0.00

    Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the administration rights handler. In system/admin/admin.rights.php, the rights update action ('a=update') modifies group access rights (including via cot_auth_add_group) without…

  • CVE-2026-55741Jun 18, 2026
    risk 0.00cvss epss 0.00

    Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the administration configuration handler. In system/admin/admin.config.php, the configuration update action ('a=update') processes POST data via cot_config_update_options() without…

  • CVE-2021-47808Jan 15, 2026
    risk 0.00cvss epss 0.00

    Cotonti Siena 0.9.19 contains a stored cross-site scripting vulnerability in the admin configuration panel's site title parameter. Attackers can inject malicious JavaScript code through the 'maintitle' parameter to execute scripts when administrators view the page.

  • CVE-2013-4789Aug 9, 2013
    risk 0.00cvss epss 0.03

    SQL injection vulnerability in modules/rss/rss.php in Cotonti before 0.9.14 allows remote attackers to execute arbitrary SQL commands via the "c" parameter to index.php.

VYPR — Vulnerability Intelligence