FiyoCMS
by Fiyo
CVEs (24)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2014-9148 | Cri | 0.69 | 9.8 | 0.24 | Oct 16, 2017 | Fiyo CMS 2.0.1.8 allows remote attackers to bypass intended access restrictions and execute the (1) "Install and Update" or (2) Backup super administrator function via the view parameter in a direct request to fiyo/dapur. | ||
| CVE-2015-3934 | Cri | 0.67 | 9.8 | 0.01 | Nov 21, 2017 | Multiple SQL injection vulnerabilities in Fiyo CMS 2.0_1.9.1 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to apps/app_article/controller/rating.php or (2) user parameter to user/login. | ||
| CVE-2017-11631 | Cri | 0.64 | 9.8 | 0.00 | Jul 26, 2017 | dapur/app/app_user/controller/status.php in Fiyo CMS 2.0.7 has SQL injection via the id parameter. | ||
| CVE-2017-11419 | Cri | 0.64 | 9.8 | 0.00 | Jul 18, 2017 | Fiyo CMS 2.0.7 has SQL injection in /apps/app_article/controller/editor.php via $_POST['id'] and $_POST['art_title']. | ||
| CVE-2017-11418 | Cri | 0.64 | 9.8 | 0.00 | Jul 18, 2017 | Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_article/controller/article_list.php via $_GET['cat'], $_GET['user'], $_GET['level'], and $_GET['iSortCol_'.$i]. | ||
| CVE-2017-11417 | Cri | 0.64 | 9.8 | 0.00 | Jul 18, 2017 | Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_article/controller/article_status.php via $_GET['id']. | ||
| CVE-2017-11416 | Cri | 0.64 | 9.8 | 0.00 | Jul 18, 2017 | Fiyo CMS 2.0.7 has SQL injection in /apps/app_comment/controller/insert.php via the name parameter. | ||
| CVE-2017-11415 | Cri | 0.64 | 9.8 | 0.00 | Jul 18, 2017 | Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_article/sys_article.php via $_POST['parent_id'], $_POST['desc'], $_POST['keys'], and $_POST['level']. | ||
| CVE-2017-11414 | Cri | 0.64 | 9.8 | 0.00 | Jul 18, 2017 | Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_comment/sys_comment.php via $_POST['comment'], $_POST['name'], $_POST['web'], $_POST['email'], $_POST['status'], $_POST['id'], and $_REQUEST['id']. | ||
| CVE-2017-11413 | Cri | 0.64 | 9.8 | 0.00 | Jul 18, 2017 | Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_article/controller/comment_status.php via $_GET['id']. | ||
| CVE-2017-11412 | Cri | 0.64 | 9.8 | 0.00 | Jul 18, 2017 | Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_comment/controller/comment_status.php via $_GET['id']. | ||
| CVE-2017-11354 | Cri | 0.64 | 9.8 | 0.00 | Jul 17, 2017 | Fiyo CMS v2.0.7 has an SQL injection vulnerability in dapur/apps/app_article/sys_article.php via the name parameter in editing or adding a tag name. | ||
| CVE-2017-7625 | Cri | 0.64 | 9.8 | 0.01 | Apr 10, 2017 | In Fiyo CMS 2.x through 2.0.7, attackers may upload a webshell via the content parameter to "/dapur/apps/app_theme/libs/save_file.php" and then execute code. | ||
| CVE-2017-6823 | Hig | 0.61 | 8.8 | 0.07 | Mar 12, 2017 | Fiyo CMS 2.0.6.1 allows remote authenticated users to gain privileges via a modified level parameter to dapur/ in an app=user&act=edit action. | ||
| CVE-2017-17103 | Hig | 0.57 | 8.8 | 0.00 | Dec 4, 2017 | Fiyo CMS 2.0.7 has SQL injection in /apps/app_user/sys_user.php via $_POST[name] or $_POST[email]. This vulnerability can lead to escalation from normal user privileges to administrator privileges. | ||
| CVE-2014-9147 | Hig | 0.53 | 7.5 | 0.18 | Oct 16, 2017 | Fiyo CMS 2.0.1.8 allows remote attackers to obtain sensitive information via a direct request to the database backup file in .backup/. | ||
| CVE-2017-17104 | Hig | 0.49 | 7.5 | 0.00 | Dec 4, 2017 | Fiyo CMS 2.0.7 has an arbitrary file read vulnerability in dapur/apps/app_theme/libs/check_file.php via $_GET['src'] or $_GET['name']. | ||
| CVE-2017-17102 | Hig | 0.49 | 7.5 | 0.00 | Dec 4, 2017 | Fiyo CMS 2.0.7 has SQL injection in /system/site.php via $_REQUEST['link']. | ||
| CVE-2017-11630 | Hig | 0.49 | 7.5 | 0.01 | Jul 26, 2017 | dapur\apps\app_config\controller\backuper.php in Fiyo CMS 2.0.7 allows remote attackers to delete arbitrary files via directory traversal sequences in the file parameter in a type=database request, a different vulnerability than CVE-2017-8853. | ||
| CVE-2017-8853 | Hig | 0.49 | 7.5 | 0.01 | May 9, 2017 | Fiyo CMS v2.0.7 has an arbitrary file delete vulnerability in dapur/apps/app_config/controller/backuper.php via directory traversal in the file parameter during an act=db action. |
- risk 0.69cvss 9.8epss 0.24
Fiyo CMS 2.0.1.8 allows remote attackers to bypass intended access restrictions and execute the (1) "Install and Update" or (2) Backup super administrator function via the view parameter in a direct request to fiyo/dapur.
- risk 0.67cvss 9.8epss 0.01
Multiple SQL injection vulnerabilities in Fiyo CMS 2.0_1.9.1 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to apps/app_article/controller/rating.php or (2) user parameter to user/login.
- risk 0.64cvss 9.8epss 0.00
dapur/app/app_user/controller/status.php in Fiyo CMS 2.0.7 has SQL injection via the id parameter.
- risk 0.64cvss 9.8epss 0.00
Fiyo CMS 2.0.7 has SQL injection in /apps/app_article/controller/editor.php via $_POST['id'] and $_POST['art_title'].
- risk 0.64cvss 9.8epss 0.00
Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_article/controller/article_list.php via $_GET['cat'], $_GET['user'], $_GET['level'], and $_GET['iSortCol_'.$i].
- risk 0.64cvss 9.8epss 0.00
Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_article/controller/article_status.php via $_GET['id'].
- risk 0.64cvss 9.8epss 0.00
Fiyo CMS 2.0.7 has SQL injection in /apps/app_comment/controller/insert.php via the name parameter.
- risk 0.64cvss 9.8epss 0.00
Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_article/sys_article.php via $_POST['parent_id'], $_POST['desc'], $_POST['keys'], and $_POST['level'].
- risk 0.64cvss 9.8epss 0.00
Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_comment/sys_comment.php via $_POST['comment'], $_POST['name'], $_POST['web'], $_POST['email'], $_POST['status'], $_POST['id'], and $_REQUEST['id'].
- risk 0.64cvss 9.8epss 0.00
Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_article/controller/comment_status.php via $_GET['id'].
- risk 0.64cvss 9.8epss 0.00
Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_comment/controller/comment_status.php via $_GET['id'].
- risk 0.64cvss 9.8epss 0.00
Fiyo CMS v2.0.7 has an SQL injection vulnerability in dapur/apps/app_article/sys_article.php via the name parameter in editing or adding a tag name.
- risk 0.64cvss 9.8epss 0.01
In Fiyo CMS 2.x through 2.0.7, attackers may upload a webshell via the content parameter to "/dapur/apps/app_theme/libs/save_file.php" and then execute code.
- risk 0.61cvss 8.8epss 0.07
Fiyo CMS 2.0.6.1 allows remote authenticated users to gain privileges via a modified level parameter to dapur/ in an app=user&act=edit action.
- risk 0.57cvss 8.8epss 0.00
Fiyo CMS 2.0.7 has SQL injection in /apps/app_user/sys_user.php via $_POST[name] or $_POST[email]. This vulnerability can lead to escalation from normal user privileges to administrator privileges.
- risk 0.53cvss 7.5epss 0.18
Fiyo CMS 2.0.1.8 allows remote attackers to obtain sensitive information via a direct request to the database backup file in .backup/.
- risk 0.49cvss 7.5epss 0.00
Fiyo CMS 2.0.7 has an arbitrary file read vulnerability in dapur/apps/app_theme/libs/check_file.php via $_GET['src'] or $_GET['name'].
- risk 0.49cvss 7.5epss 0.00
Fiyo CMS 2.0.7 has SQL injection in /system/site.php via $_REQUEST['link'].
- risk 0.49cvss 7.5epss 0.01
dapur\apps\app_config\controller\backuper.php in Fiyo CMS 2.0.7 allows remote attackers to delete arbitrary files via directory traversal sequences in the file parameter in a type=database request, a different vulnerability than CVE-2017-8853.
- risk 0.49cvss 7.5epss 0.01
Fiyo CMS v2.0.7 has an arbitrary file delete vulnerability in dapur/apps/app_config/controller/backuper.php via directory traversal in the file parameter during an act=db action.
Page 1 of 2