Wondercms
by Robiso
CVEs (6)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-14521 | | Hig | 0.61 | 8.8 | 0.07 | | Jan 26, 2018 | In WonderCMS 2.3.1, the upload functionality accepts random application extensions and leads to malicious File Upload. |
| CVE-2017-14523 | | Hig | 0.52 | 7.5 | 0.08 | | Jan 26, 2018 | WonderCMS 2.3.1 is vulnerable to an HTTP Host header injection attack. It uses user-entered values to redirect pages. NOTE: the vendor reports that exploitation is unlikely because the attack can only come from a local machine or from the administrator as a self attack |
| CVE-2018-14387 | | Hig | 0.50 | 8.8 | 0.02 | | Jul 18, 2018 | An issue was discovered in WonderCMS before 2.5.2. An attacker can create a new session on a web application and record the associated session identifier. The attacker then causes the victim to authenticate against the server using the same session identifier. The attacker can… |
| CVE-2017-14522 | | Med | 0.40 | 6.1 | 0.01 | | Jan 26, 2018 | In WonderCMS 2.3.1, the application's input fields accept arbitrary user input resulting in execution of malicious JavaScript. NOTE: the vendor disputes this issue stating that this is a feature that enables only a logged in administrator to write execute JavaScript anywhere on… |
| CVE-2018-1000062 | | Med | 0.29 | 4.4 | 0.01 | | Feb 9, 2018 | WonderCMS version 2.4.0 contains a Stored Cross-Site Scripting on File Upload through SVG vulnerability in uploadFileAction(), 'svg' => 'image/svg+xml' that can result in An attacker can execute arbitrary script on an unsuspecting user's browser. This attack appear to be… |
| CVE-2018-7172 | | Med | 0.00 | 4.9 | 0.03 | | Feb 27, 2018 | In index.php in WonderCMS before 2.4.1, remote attackers can delete arbitrary files via directory traversal. |