Phpmywind
by Phpmywind
CVEs (22)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-21060 | | High | 0.57 | 8.8 | 0.01 | | Apr 4, 2023 | SQL injection vulnerability found in PHPMyWind v.5.6 allows a remote attacker to gain privileges via the delete function of the administrator management page. |
| CVE-2020-21400 | | High | 0.47 | 7.2 | 0.01 | | Jun 20, 2023 | SQL injection vulnerability in gaozhifeng PHPMyWind v.5.6 allows a remote attacker to execute arbitrary code via the id variable in the modify function. |
| CVE-2021-39503 | | High | 0.47 | 7.2 | 0.03 | | Sep 7, 2021 | PHPMyWind 5.6 is vulnerable to Remote Code Execution. Because input is filtered without "<, >, ?, =, `,...." In WriteConfig() function, an attacker can inject php code to /include/config.cache.php file. |
| CVE-2020-18886 | | High | 0.47 | 7.2 | 0.02 | | Aug 20, 2021 | Unrestricted File Upload in PHPMyWind v5.6 allows remote attackers to execute arbitrary code via the component 'admin/upload_file_do.php'. |
| CVE-2020-18885 | | High | 0.47 | 7.2 | 0.04 | | Aug 20, 2021 | Command Injection in PHPMyWind v5.6 allows remote attackers to execute arbitrary code via the "text color" field of the component '/admin/web_config.php'. |
| CVE-2018-17134 | | High | 0.47 | 7.2 | 0.02 | | Sep 17, 2018 | admin/web_config.php in PHPMyWind 5.5 allows Admin users to execute arbitrary code via the cfg_author field in conjunction with a crafted cfg_webpath field. |
| CVE-2018-17133 | | High | 0.47 | 7.2 | 0.02 | | Sep 17, 2018 | admin/web_config.php in PHPMyWind 5.5 allows Admin users to execute arbitrary code via the rewrite url setting. |
| CVE-2018-17132 | | High | 0.47 | 7.2 | 0.02 | | Sep 17, 2018 | admin/goods_update.php in PHPMyWind 5.5 allows Admin users to execute arbitrary code via the attrvalue[] array parameter. |
| CVE-2018-17131 | | High | 0.47 | 7.2 | 0.02 | | Sep 17, 2018 | admin/web_config.php in PHPMyWind 5.5 allows Admin users to execute arbitrary code via the varvalue field. |
| CVE-2017-12984 | | Medium | 0.43 | 6.1 | 0.02 | | Aug 21, 2017 | PHPMyWind 5.3 has XSS in shoppingcart.php, related to message.php, admin/message.php, and admin/message_update.php. |
| CVE-2020-19964 | | Medium | 0.42 | 6.5 | 0.01 | | Oct 14, 2021 | A Cross Site Request Forgery (CSRF) vulnerability was discovered in PHPMyWind 5.6 which allows attackers to create a new administrator account without authentication. |
| CVE-2019-16703 | | Medium | 0.40 | 6.1 | 0.01 | | Sep 23, 2019 | admin/infolist_add.php in PHPMyWind 5.6 has stored XSS. |
| CVE-2019-7661 | | Medium | 0.40 | 6.1 | 0.01 | | Mar 7, 2019 | An issue was discovered in PHPMyWind 5.5. The method parameter of the data/api/oauth/connect.php page has a reflected Cross-site Scripting (XSS) vulnerability. |
| CVE-2019-7660 | | Medium | 0.40 | 6.1 | 0.01 | | Mar 7, 2019 | An issue was discovered in PHPMyWind 5.5. The username parameter of the /install/index.php page has a stored Cross-site Scripting (XSS) vulnerability, as demonstrated by admin/login.php. |
| CVE-2019-7402 | | Medium | 0.40 | 6.1 | 0.00 | | Feb 5, 2019 | An issue was discovered in PHPMyWind 5.5. The GetQQ function in include/func.class.php allows XSS via the cfg_qqcode parameter. This can be exploited via CSRF. |
| CVE-2018-11487 | | Medium | 0.40 | 6.1 | 0.01 | | May 26, 2018 | PHPMyWind 5.5 has XSS via the cid parameter to newsshow.php, or the query string to news.php or about.php. |
| CVE-2018-17130 | | Medium | 0.35 | 5.4 | 0.01 | | Sep 17, 2018 | PHPMyWind 5.5 has XSS in member.php via an HTTP Referer header, |
| CVE-2019-7403 | | Medium | 0.32 | 4.9 | 0.02 | | Feb 5, 2019 | An issue was discovered in PHPMyWind 5.5. It allows remote attackers to delete arbitrary folders via an admin/database_backup.php?action=import&dopost=deldir&tbname=../ URI. |
| CVE-2020-18230 | | Medium | 0.31 | 4.8 | 0.01 | | May 27, 2021 | Cross Site Scripting (XSS) in PHPMyWind v5.5 allows remote attackers to execute arbitrary code by injecting scripts into the parameter "$cfg_switchshow" of component "/admin/web_config.php". |
| CVE-2020-18229 | | Medium | 0.31 | 4.8 | 0.01 | | May 27, 2021 | Cross Site Scripting (XSS) in PHPMyWind v5.5 allows remote attackers to execute arbitrary code by injecting scripts into the parameter "$cfg_copyright" of component "/admin/web_config.php". |
Page 1 of 2