VYPR

Blackcat CMS

by Blackcat CMS

CVEs (15)

  • CVE-2017-14399HigSep 12, 2017
    risk 0.57cvss 8.8epss 0.01

    In BlackCat CMS 1.2.2, unrestricted file upload is possible in backend\media\ajax_rename.php via the extension parameter, as demonstrated by changing the extension from .jpg to .php.

  • CVE-2017-14050HigAug 31, 2017
    risk 0.57cvss 8.8epss 0.01

    In BlackCat CMS 1.2, backend/addons/install.php allows remote authenticated users to execute arbitrary PHP code via a ZIP archive that contains a .php file.

  • CVE-2017-14048HigAug 31, 2017
    risk 0.57cvss 8.8epss 0.01

    BlackCat CMS 1.2 allows remote authenticated users to inject arbitrary PHP code into info.php via a crafted new_modulename parameter to backend/addons/ajax_create.php. NOTE: this can be exploited via CSRF.

  • CVE-2015-5079HigFeb 28, 2018
    risk 0.53cvss 7.5epss 0.18

    Directory traversal vulnerability in widgets/logs.php in BlackCat CMS before 1.1.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the dl parameter.

  • CVE-2017-13670MedAug 31, 2017
    risk 0.42cvss 6.5epss 0.01

    In BlackCat CMS 1.2, remote authenticated users can upload any file via the media upload function in backend/media/ajax_upload.php, as demonstrated by a ZIP archive that contains a .php file.

  • CVE-2017-14049MedAug 31, 2017
    risk 0.35cvss 5.4epss 0.01

    In BlackCat CMS 1.2, backend/settings/ajax_save_settings.php allows remote authenticated users to conduct XSS attacks via the Website header or Website footer field.

  • CVE-2017-9609MedJul 17, 2017
    risk 0.35cvss 5.4epss 0.02

    Cross-site scripting (XSS) vulnerability in Blackcat CMS 1.2 allows remote authenticated users to inject arbitrary web script or HTML via the map_language parameter to backend/pages/lang_settings.php.

  • CVE-2015-5521MedJul 14, 2015
    risk 0.31cvss 4.8epss 0.01

    Cross-site scripting (XSS) vulnerability in BlackCat CMS 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the name in a new group to backend/groups/index.php.

  • CVE-2023-53892Dec 15, 2025
    risk 0.00cvss epss 0.01

    Blackcat CMS 1.4 contains a remote code execution vulnerability that allows authenticated administrators to upload malicious PHP files through the jquery plugin manager. Attackers can upload a zip file with a PHP shell script and execute arbitrary system commands by accessing…

  • CVE-2023-44042Sep 26, 2023
    risk 0.00cvss epss 0.00

    A stored cross-site scripting (XSS) vulnerability in /settings/index.php of Black Cat CMS 1.4.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Website header parameter.

  • CVE-2023-44043Sep 26, 2023
    risk 0.00cvss epss 0.00

    A reflected cross-site scripting (XSS) vulnerability in /install/index.php of Black Cat CMS 1.4.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Website title parameter.

  • CVE-2020-25877Jul 9, 2021
    risk 0.00cvss epss 0.01

    A stored cross site scripting (XSS) vulnerability in the 'Add Page' feature of BlackCat CMS 1.3.6 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Title' parameter.

  • CVE-2020-25878Jul 9, 2021
    risk 0.00cvss epss 0.01

    A stored cross site scripting (XSS) vulnerability in the 'Admin-Tools' feature of BlackCat CMS 1.3.6 allows authenticated attackers to execute arbitrary web scripts or HTML via crafted payloads entered into the 'Output Filters' and 'Droplets' modules.

  • CVE-2018-16635Dec 10, 2018
    risk 0.00cvss epss 0.01

    Blackcat CMS 1.3.2 allows XSS via the willkommen.php?lang=DE page title at backend/pages/modify.php.

  • CVE-2014-5259Sep 12, 2014
    risk 0.00cvss epss 0.02

    Cross-site scripting (XSS) vulnerability in cattranslate.php in the CatTranslate JQuery plugin in BlackCat CMS 1.0.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the msg parameter.