VYPR

Nc CMS

by Nc CMS

CVEs (4)

  • CVE-2018-18874CriOct 31, 2018
    risk 0.64cvss 9.8epss 0.02

    nc-cms through 2017-03-10 allows remote attackers to execute arbitrary PHP code via the "Upload File or Image" feature, with a .php filename and "Content-Type: application/octet-stream" to the index.php?action=file_manager_upload URI.

  • CVE-2019-7721HigFeb 11, 2019
    risk 0.49cvss 7.5epss 0.01

    lib/NCCms.class.php in nc-cms 3.5 allows upload of .php files via the index.php?action=save name and editordata parameters.

  • CVE-2018-18361MedOct 15, 2018
    risk 0.40cvss 6.1epss 0.01

    An issue was discovered in nc-cms through 2017-03-10. index.php?action=edit_html allows XSS via the name parameter, as demonstrated by a value beginning with home_content and containing a crafted SRC attribute of an IMG element.

  • CVE-2018-18290MedOct 14, 2018
    risk 0.31cvss 4.8epss 0.01

    An issue was discovered in nc-cms through 2017-03-10. index.php?action=edit_html&name=home_content allows XSS via the HTML Source Editor. NOTE: the vendor disputes this because the form requires administrator privileges, and entering JavaScript is supported functionality