Cotonti
by Cotonti
Source repositories
CVEs (11)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-44115 | Cotonti / Cotonti | Med | 0.35 | 5.4 | 0.00 | | Jun 2, 2025 | A vulnerability has been found in Cotonti Siena v0.9.25. Affected by this vulnerability is the file /admin.php?m=config&n=edit&o=core&p=title. The manipulation of the value of title leads to cross-site scripting. |
| CVE-2024-24115 | Cotonti / Cotonti | Med | 0.35 | 5.4 | 0.00 | | Feb 8, 2024 | A stored cross-site scripting (XSS) vulnerability in the Edit Page function of Cotonti CMS v0.9.24 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload. |
| CVE-2022-39840 | Cotonti / Cotonti | Med | 0.31 | 4.8 | 0.00 | | Sep 5, 2022 | Cotonti Siena 0.9.20 allows admins to conduct stored XSS attacks via a direct message (DM). |
| CVE-2022-39839 | Cotonti / Cotonti | Med | 0.31 | 4.8 | 0.00 | | Sep 5, 2022 | Cotonti Siena 0.9.20 allows admins to conduct stored XSS attacks via a forum post. |
| CVE-2026-55746 | Cotonti / Cotonti | — | 0.00 | — | 0.00 | | Jun 18, 2026 | Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to stored Cross-Site Scripting in the Personal File Storage (PFS) module. A folder title (pff_title) is imported with the 'TXT' filter, which does not strip or encode HTML (the tag check in cot_import is disabled), so… |
| CVE-2026-55745 | Cotonti / Cotonti | — | 0.00 | — | 0.00 | | Jun 18, 2026 | Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the Personal File Storage (PFS) module. In modules/pfs/inc/pfs.editfolder.php, the folder update action ('a=update') updates folder metadata (title, description, public/gallery flags)… |
| CVE-2026-55744 | Cotonti / Cotonti | — | 0.00 | — | 0.00 | | Jun 18, 2026 | Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the Personal File Storage (PFS) module. In modules/pfs/inc/pfs.main.php, the file upload action ('a=upload') processes uploaded files without calling cot_check_xg() to validate the… |
| CVE-2026-55742 | Cotonti / Cotonti | — | 0.00 | — | 0.00 | | Jun 18, 2026 | Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the administration rights handler. In system/admin/admin.rights.php, the rights update action ('a=update') modifies group access rights (including via cot_auth_add_group) without… |
| CVE-2026-55741 | Cotonti / Cotonti | — | 0.00 | — | 0.00 | | Jun 18, 2026 | Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the administration configuration handler. In system/admin/admin.config.php, the configuration update action ('a=update') processes POST data via cot_config_update_options() without… |
| CVE-2021-47808 | Cotonti / Cotonti | — | 0.00 | — | 0.00 | | Jan 15, 2026 | Cotonti Siena 0.9.19 contains a stored cross-site scripting vulnerability in the admin configuration panel's site title parameter. Attackers can inject malicious JavaScript code through the 'maintitle' parameter to execute scripts when administrators view the page. |
| CVE-2013-4789 | Cotonti / Cotonti | — | 0.00 | — | 0.03 | | Aug 9, 2013 | SQL injection vulnerability in modules/rss/rss.php in Cotonti before 0.9.14 allows remote attackers to execute arbitrary SQL commands via the "c" parameter to index.php. |