VYPR

Bagecms

by Bagecms

CVEs (7)

  • CVE-2018-18258CriOct 11, 2018
    risk 0.64cvss 9.8epss 0.01

    An issue was discovered in BageCMS 3.1.3. The attacker can execute arbitrary PHP code on the web server and can read any file on the web server via an index.php?r=admini/template/updateTpl&filename= URI.

  • CVE-2018-19560HigNov 26, 2018
    risk 0.57cvss 8.8epss 0.01

    BageCMS 3.1.3 has CSRF via upload/index.php?r=admini/admin/ownerUpdate to modify a user account.

  • CVE-2018-19104HigNov 8, 2018
    risk 0.57cvss 8.8epss 0.01

    In BageCMS 3.1.3, upload/index.php has a CSRF vulnerability that can be used to upload arbitrary files and get server privileges.

  • CVE-2018-14582HigJul 24, 2018
    risk 0.57cvss 8.8epss 0.01

    index.php?r=admini/admin/create in BageCMS V3.1.3 allows CSRF to add a background administrator account.

  • CVE-2018-18257HigOct 11, 2018
    risk 0.49cvss 7.5epss 0.02

    An issue was discovered in BageCMS 3.1.3. An attacker can delete any files and folders on the web server via an index.php?r=admini/template/batch&command=deleteFile&fileName= or index.php?r=admini/template/batch&command=deleteFolder&folderName=../ directory traversal URI.

  • CVE-2019-8421HigFeb 17, 2019
    risk 0.47cvss 7.2epss 0.01

    upload/protected/modules/admini/views/post/index.php in BageCMS through 3.1.4 allows SQL Injection via the title or titleAlias parameter.

  • CVE-2023-37122MedJul 6, 2023
    risk 0.35cvss 5.4epss 0.00

    A stored cross-site scripting (XSS) vulnerability in Bagecms v3.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Custom Settings module.