VYPR

Thinkcmf

by Thinkcmf

Source repositories

CVEs (8)

  • CVE-2024-31615CriApr 25, 2024
    risk 0.64cvss 9.8epss 0.01

    ThinkCMF 6.0.9 is vulnerable to File upload via UeditorController.php.

  • CVE-2020-20601CriDec 22, 2021
    risk 0.64cvss 9.8epss 0.08

    An issue in ThinkCMF X2.2.2 and below allows attackers to execute arbitrary code via a crafted packet.

  • CVE-2019-6713CriJan 23, 2019
    risk 0.64cvss 9.8epss 0.02

    app\admin\controller\RouteController.php in ThinkCMF 5.0.190111 allows remote attackers to execute arbitrary PHP code by using vectors involving portal/List/index and list/:id to inject this code into data\conf\route.php, as demonstrated by a file_put_contents call.

  • CVE-2019-7580HigFeb 7, 2019
    risk 0.58cvss 8.8epss 0.10

    ThinkCMF 5.0.190111 allows remote attackers to execute arbitrary PHP code via the portal/admin_category/addpost.html alias parameter because the mishandling of a single quote character allows data/conf/route.php injection.

  • CVE-2022-40489HigDec 1, 2022
    risk 0.50cvss 8.8epss 0.00

    ThinkCMF version 6.0.7 is affected by a Cross Site Request Forgery (CSRF) vulnerability that allows a Super Administrator user to be injected into administrative users.

  • CVE-2021-40616MedJun 14, 2022
    risk 0.42cvss 6.5epss 0.01

    thinkcmf v5.1.7 has an unauthorized vulnerability. The attacker can modify the password of the administrator account with id 1 through the background user management group permissions. The use condition is that the background user management group authority is required.

  • CVE-2020-25915MedAug 11, 2023
    risk 0.28cvss 5.4epss 0.00

    Cross Site Scripting (XSS) vulnerability in UserController.php in ThinkCMF version 5.1.5, allows attackers to execute arbitrary code via crafted user_login.

  • CVE-2022-40849MedDec 1, 2022
    risk 0.28cvss 5.4epss 0.00

    ThinkCMF version 6.0.7 is affected by Stored Cross-Site Scripting (XSS). An attacker who successfully exploited this vulnerability could inject a Persistent XSS payload in the Slideshow Management section that execute arbitrary JavaScript code on the client side, e.g., to steal…