Windu CMS
by Windu CMS
CVEs (7)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2013-7473 | Hig | 0.57 | 8.8 | 0.01 | Aug 1, 2019 | Windu CMS 2.2 allows CSRF via admin/users/?mn=admin.message.error to add an admin account. | ||
| CVE-2013-7474 | Med | 0.40 | 6.1 | 0.01 | Aug 1, 2019 | Windu CMS 2.2 allows XSS via the name parameter to admin/content/edit or admin/content/add, or the username parameter to admin/users. | ||
| CVE-2025-59111 | 0.00 | — | 0.00 | Nov 18, 2025 | Windu CMS is vulnerable to Broken Access Control in user editing functionality. Malicious attacker can send a GET request which allows privileged users to delete Super Admins which is not possible with GUI. Only version 4.1 was tested and confirmed as vulnerable. This issue was… | |||
| CVE-2025-59115 | 0.00 | — | 0.00 | Nov 18, 2025 | Windu CMS is vulnerable to Stored Cross-Site Scripting (XSS) in the logon page where input data has no proper validation. Malicious attacker can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting logs page by admin. Only version 4.1 was… | |||
| CVE-2025-59114 | 0.00 | — | 0.00 | Nov 18, 2025 | Windu CMS is vulnerable to Cross-Site Request Forgery in file uploading functionality. Malicious attacker can craft special website, which when visited by the victim, will automatically send malicious file to the server. Only version 4.1 was tested and confirmed as vulnerable.… | |||
| CVE-2025-59113 | 0.00 | — | 0.00 | Nov 18, 2025 | Windu CMS implements weak client-side brute-force protection by using parameter loginError. Information about attempt count or timeout is not stored on the server, which allows a malicious attacker to bypass this brute-force protection by resetting this parameter. Only version… | |||
| CVE-2025-59112 | 0.00 | — | 0.00 | Nov 18, 2025 | Windu CMS is vulnerable to Cross-Site Request Forgery in user editing functionality. Malicious attacker can craft special website, which when visited by the victim, will automatically send POST request that deletes given user. Only version 4.1 was tested and confirmed as… |
- risk 0.57cvss 8.8epss 0.01
Windu CMS 2.2 allows CSRF via admin/users/?mn=admin.message.error to add an admin account.
- risk 0.40cvss 6.1epss 0.01
Windu CMS 2.2 allows XSS via the name parameter to admin/content/edit or admin/content/add, or the username parameter to admin/users.
- CVE-2025-59111Nov 18, 2025risk 0.00cvss —epss 0.00
Windu CMS is vulnerable to Broken Access Control in user editing functionality. Malicious attacker can send a GET request which allows privileged users to delete Super Admins which is not possible with GUI. Only version 4.1 was tested and confirmed as vulnerable. This issue was…
- CVE-2025-59115Nov 18, 2025risk 0.00cvss —epss 0.00
Windu CMS is vulnerable to Stored Cross-Site Scripting (XSS) in the logon page where input data has no proper validation. Malicious attacker can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting logs page by admin. Only version 4.1 was…
- CVE-2025-59114Nov 18, 2025risk 0.00cvss —epss 0.00
Windu CMS is vulnerable to Cross-Site Request Forgery in file uploading functionality. Malicious attacker can craft special website, which when visited by the victim, will automatically send malicious file to the server. Only version 4.1 was tested and confirmed as vulnerable.…
- CVE-2025-59113Nov 18, 2025risk 0.00cvss —epss 0.00
Windu CMS implements weak client-side brute-force protection by using parameter loginError. Information about attempt count or timeout is not stored on the server, which allows a malicious attacker to bypass this brute-force protection by resetting this parameter. Only version…
- CVE-2025-59112Nov 18, 2025risk 0.00cvss —epss 0.00
Windu CMS is vulnerable to Cross-Site Request Forgery in user editing functionality. Malicious attacker can craft special website, which when visited by the victim, will automatically send POST request that deletes given user. Only version 4.1 was tested and confirmed as…