Finecms
Source repositories
CVEs (33)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-13697 | Med | 0.40 | 6.1 | 0.01 | Aug 25, 2017 | controllers/member/api.php in dayrui FineCms 5.0.11 has XSS related to the dirname variable. | ||
| CVE-2017-11629 | Med | 0.40 | 6.1 | 0.02 | Jul 26, 2017 | dayrui FineCms through 5.0.10 has Cross Site Scripting (XSS) in controllers/api.php via the function parameter in a c=api&m=data2 request. | ||
| CVE-2017-11586 | Med | 0.40 | 6.1 | 0.02 | Jul 24, 2017 | dayrui FineCms 5.0.9 has URL Redirector Abuse via the url parameter in a sync action, related to controllers/Weixin.php. | ||
| CVE-2017-11581 | Med | 0.40 | 6.1 | 0.01 | Jul 24, 2017 | dayrui FineCms 5.0.9 has Cross Site Scripting (XSS) in admin/Login.php via a payload in the username field that does not begin with a '<' character. | ||
| CVE-2017-11202 | Med | 0.40 | 6.1 | 0.01 | Jul 13, 2017 | FineCMS through 2017-07-12 allows XSS in visitors.php because JavaScript in visited URLs is not restricted either during logging or during the reading of logs, a different vulnerability than CVE-2017-11180. | ||
| CVE-2017-11198 | Med | 0.40 | 6.1 | 0.01 | Jul 13, 2017 | Cross-site scripting (XSS) vulnerability in /application/lib/ajax/get_image.php in FineCMS through 2017-07-12 allows remote attackers to inject arbitrary web script or HTML via the folder, id, or name parameter. | ||
| CVE-2017-11180 | Med | 0.40 | 6.1 | 0.01 | Jul 12, 2017 | FineCMS through 2017-07-11 has stored XSS in the logging functionality, as demonstrated by an XSS payload in (1) the User-Agent header of an HTTP request or (2) the username entered on the login screen. | ||
| CVE-2017-11179 | Med | 0.40 | 6.1 | 0.01 | Jul 12, 2017 | FineCMS through 2017-07-11 has stored XSS in route=admin when modifying user information, and in route=register when registering a user account. | ||
| CVE-2017-10967 | Med | 0.40 | 6.1 | 0.01 | Jul 6, 2017 | In FineCMS before 2017-07-06, application\core\controller\config.php allows XSS in the (1) key_name, (2) key_value, and (3) meaning parameters. | ||
| CVE-2017-9252 | Med | 0.40 | 6.1 | 0.01 | May 28, 2017 | andrzuk/FineCMS through 2017-05-28 is vulnerable to a reflected XSS in the search page via the text-search parameter to index.php in a route=search action. | ||
| CVE-2017-9251 | Med | 0.40 | 6.1 | 0.01 | May 28, 2017 | andrzuk/FineCMS through 2017-05-28 is vulnerable to a reflected XSS in the sitename parameter to admin.php. | ||
| CVE-2017-6511 | Med | 0.40 | 6.1 | 0.01 | Mar 7, 2017 | andrzuk/FineCMS before 2017-03-06 is vulnerable to a reflected XSS in index.php because of missing validation of the action parameter in application/classes/application.php. | ||
| CVE-2017-11201 | Med | 0.35 | 5.4 | 0.01 | Jul 13, 2017 | application/core/controller/images.php in FineCMS through 2017-07-12 allows remote authenticated admins to conduct XSS attacks by uploading an image via a route=images action. |
- risk 0.40cvss 6.1epss 0.01
controllers/member/api.php in dayrui FineCms 5.0.11 has XSS related to the dirname variable.
- risk 0.40cvss 6.1epss 0.02
dayrui FineCms through 5.0.10 has Cross Site Scripting (XSS) in controllers/api.php via the function parameter in a c=api&m=data2 request.
- risk 0.40cvss 6.1epss 0.02
dayrui FineCms 5.0.9 has URL Redirector Abuse via the url parameter in a sync action, related to controllers/Weixin.php.
- risk 0.40cvss 6.1epss 0.01
dayrui FineCms 5.0.9 has Cross Site Scripting (XSS) in admin/Login.php via a payload in the username field that does not begin with a '<' character.
- risk 0.40cvss 6.1epss 0.01
FineCMS through 2017-07-12 allows XSS in visitors.php because JavaScript in visited URLs is not restricted either during logging or during the reading of logs, a different vulnerability than CVE-2017-11180.
- risk 0.40cvss 6.1epss 0.01
Cross-site scripting (XSS) vulnerability in /application/lib/ajax/get_image.php in FineCMS through 2017-07-12 allows remote attackers to inject arbitrary web script or HTML via the folder, id, or name parameter.
- risk 0.40cvss 6.1epss 0.01
FineCMS through 2017-07-11 has stored XSS in the logging functionality, as demonstrated by an XSS payload in (1) the User-Agent header of an HTTP request or (2) the username entered on the login screen.
- risk 0.40cvss 6.1epss 0.01
FineCMS through 2017-07-11 has stored XSS in route=admin when modifying user information, and in route=register when registering a user account.
- risk 0.40cvss 6.1epss 0.01
In FineCMS before 2017-07-06, application\core\controller\config.php allows XSS in the (1) key_name, (2) key_value, and (3) meaning parameters.
- risk 0.40cvss 6.1epss 0.01
andrzuk/FineCMS through 2017-05-28 is vulnerable to a reflected XSS in the search page via the text-search parameter to index.php in a route=search action.
- risk 0.40cvss 6.1epss 0.01
andrzuk/FineCMS through 2017-05-28 is vulnerable to a reflected XSS in the sitename parameter to admin.php.
- risk 0.40cvss 6.1epss 0.01
andrzuk/FineCMS before 2017-03-06 is vulnerable to a reflected XSS in index.php because of missing validation of the action parameter in application/classes/application.php.
- risk 0.35cvss 5.4epss 0.01
application/core/controller/images.php in FineCMS through 2017-07-12 allows remote authenticated admins to conduct XSS attacks by uploading an image via a route=images action.
Page 2 of 2