Finecms

CVEs (9)

CVE	Sev	Risk	CVSS	EPSS	Published	Description
CVE-2017-16920	Cri	0.64	9.8	0.01	Nov 21, 2017	v5/config/system.php in dayrui FineCms 5.2.0 has a default SYS_KEY value and does not require key regeneration for each installation, which allows remote attackers to upload arbitrary .php files via a member api swfupload action to index.php.
CVE-2017-11585	Cri	0.64	9.8	0.01	Jul 24, 2017	dayrui FineCms 5.0.9 has remote PHP code execution via the param parameter in an action=cache request to libraries/Template.php, aka Eval Injection.
CVE-2017-11584	Cri	0.64	9.8	0.01	Jul 24, 2017	dayrui FineCms 5.0.9 has SQL Injection via the field parameter in an action=module, action=member, action=form, or action=related request to libraries/Template.php.
CVE-2017-11583	Cri	0.64	9.8	0.00	Jul 24, 2017	dayrui FineCms 5.0.9 has SQL Injection via the catid parameter in an action=related request to libraries/Template.php.
CVE-2017-11582	Cri	0.64	9.8	0.00	Jul 24, 2017	dayrui FineCms 5.0.9 has SQL Injection via the num parameter in an action=related or action=tags request to libraries/Template.php.
CVE-2017-16866	Med	0.40	6.1	0.00	Nov 16, 2017	dayrui FineCms 5.2.0 before 2017.11.16 has Cross Site Scripting (XSS) in core/M_Controller.php via the DR_URI field.
CVE-2017-11629	Med	0.40	6.1	0.00	Jul 26, 2017	dayrui FineCms through 5.0.10 has Cross Site Scripting (XSS) in controllers/api.php via the function parameter in a c=api&m=data2 request.
CVE-2017-11586	Med	0.40	6.1	0.07	Jul 24, 2017	dayrui FineCms 5.0.9 has URL Redirector Abuse via the url parameter in a sync action, related to controllers/Weixin.php.
CVE-2017-11581	Med	0.40	6.1	0.00	Jul 24, 2017	dayrui FineCms 5.0.9 has Cross Site Scripting (XSS) in admin/Login.php via a payload in the username field that does not begin with a '<' character.

CVE-2017-16920CriNov 21, 2017
risk 0.64cvss 9.8epss 0.01
v5/config/system.php in dayrui FineCms 5.2.0 has a default SYS_KEY value and does not require key regeneration for each installation, which allows remote attackers to upload arbitrary .php files via a member api swfupload action to index.php.
CVE-2017-11585CriJul 24, 2017
risk 0.64cvss 9.8epss 0.01
dayrui FineCms 5.0.9 has remote PHP code execution via the param parameter in an action=cache request to libraries/Template.php, aka Eval Injection.
CVE-2017-11584CriJul 24, 2017
risk 0.64cvss 9.8epss 0.01
dayrui FineCms 5.0.9 has SQL Injection via the field parameter in an action=module, action=member, action=form, or action=related request to libraries/Template.php.
CVE-2017-11583CriJul 24, 2017
risk 0.64cvss 9.8epss 0.00
dayrui FineCms 5.0.9 has SQL Injection via the catid parameter in an action=related request to libraries/Template.php.
CVE-2017-11582CriJul 24, 2017
risk 0.64cvss 9.8epss 0.00
dayrui FineCms 5.0.9 has SQL Injection via the num parameter in an action=related or action=tags request to libraries/Template.php.
CVE-2017-16866MedNov 16, 2017
risk 0.40cvss 6.1epss 0.00
dayrui FineCms 5.2.0 before 2017.11.16 has Cross Site Scripting (XSS) in core/M_Controller.php via the DR_URI field.
CVE-2017-11629MedJul 26, 2017
risk 0.40cvss 6.1epss 0.00
dayrui FineCms through 5.0.10 has Cross Site Scripting (XSS) in controllers/api.php via the function parameter in a c=api&m=data2 request.
CVE-2017-11586MedJul 24, 2017
risk 0.40cvss 6.1epss 0.07
dayrui FineCms 5.0.9 has URL Redirector Abuse via the url parameter in a sync action, related to controllers/Weixin.php.
CVE-2017-11581MedJul 24, 2017
risk 0.40cvss 6.1epss 0.00
dayrui FineCms 5.0.9 has Cross Site Scripting (XSS) in admin/Login.php via a payload in the username field that does not begin with a '<' character.