VYPR

Wondercms

by Robiso

CVEs (6)

  • CVE-2017-14521 | High | Jan 26, 2018
    risk 0.61 | cvss 8.8 | epss 0.07

    In WonderCMS 2.3.1, the upload functionality accepts random application extensions and leads to malicious File Upload.

  • CVE-2017-14523 | High | Jan 26, 2018
    risk 0.52 | cvss 7.5 | epss 0.08

    WonderCMS 2.3.1 is vulnerable to an HTTP Host header injection attack. It uses user-entered values to redirect pages. NOTE: the vendor reports that exploitation is unlikely because the attack can only come from a local machine or from the administrator as a self attack.

  • CVE-2018-14387 | High | Jul 18, 2018
    risk 0.50 | cvss 8.8 | epss 0.02

    An issue was discovered in WonderCMS before 2.5.2. An attacker can create a new session on a web application and record the associated session identifier. The attacker then causes the victim to authenticate against the server using the same session identifier. The attacker can…

  • CVE-2017-14522 | Medium | Jan 26, 2018
    risk 0.40 | cvss 6.1 | epss 0.01

    In WonderCMS 2.3.1, the application's input fields accept arbitrary user input, resulting in execution of malicious JavaScript. NOTE: the vendor disputes this issue, stating that this is a feature that enables only a logged-in administrator to write and execute JavaScript anywhere on…

  • CVE-2018-1000062 | Medium | Feb 9, 2018
    risk 0.29 | cvss 4.4 | epss 0.01

    WonderCMS version 2.4.0 contains a Stored Cross-Site Scripting on File Upload through SVG vulnerability in uploadFileAction(), 'svg' => 'image/svg+xml', that can result in an attacker executing arbitrary script on an unsuspecting user's browser. This attack appears to be…

  • CVE-2018-7172 | Medium | Feb 27, 2018
    risk 0.00 | cvss 4.9 | epss 0.03

    In index.php in WonderCMS before 2.4.1, remote attackers can delete arbitrary files via directory traversal.