Vendor CVEs
Eyoucms
All CVEs
77 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-45538 | | | 0.00 | — | 0.00 | | Jan 20, 2023 | EyouCMS <= 1.6.0 was discovered to contain a reflected XSS in the article publish component in the cookie "ENV_GOBACK_URL". |
| CVE-2021-39428 | | | 0.00 | — | 0.01 | | Dec 15, 2022 | Cross Site Scripting (XSS) vulnerability in Users.php in eyoucms 1.5.4 allows remote attackers to run arbitrary code and gain escalated privilege via the filename for edit_users_head_pic. |
| CVE-2022-45280 | | | 0.00 | — | 0.00 | | Nov 23, 2022 | A cross-site scripting (XSS) vulnerability in the Url parameter in /login.php of EyouCMS v1.6.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. |
| CVE-2022-44387 | | | 0.00 | — | 0.00 | | Nov 14, 2022 | EyouCMS V1.5.9-UTF8-SP1 was discovered to contain a Cross-Site Request Forgery (CSRF) via the Basic Information component under the Edit Member module. |
| CVE-2022-44390 | | | 0.00 | — | 0.00 | | Nov 14, 2022 | A cross-site scripting (XSS) vulnerability in EyouCMS V1.5.9-UTF8-SP1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Public Security Record Number text field. |
| CVE-2022-44389 | | | 0.00 | — | 0.00 | | Nov 14, 2022 | EyouCMS V1.5.9-UTF8-SP1 was discovered to contain a Cross-Site Request Forgery (CSRF) via the Edit Admin Profile module. This vulnerability allows attackers to arbitrarily change Administrator account information. |
| CVE-2022-43323 | | | 0.00 | — | 0.00 | | Nov 14, 2022 | EyouCMS V1.5.9-UTF8-SP1 was discovered to contain a Cross-Site Request Forgery (CSRF) via the Top Up Balance component under the Edit Member module. |
| CVE-2022-41500 | | | 0.00 | — | 0.00 | | Oct 18, 2022 | EyouCMS V1.5.9 was discovered to contain multiple Cross-Site Request Forgery (CSRF) vulnerabilities via the Members Center, Editorial Membership, and Points Recharge components. |
| CVE-2022-36225 | | | 0.00 | — | 0.00 | | Aug 19, 2022 | EyouCMS V1.5.8-UTF8-SP1 is vulnerable to Cross Site Request Forgery (CSRF) via the background, column management function and add. |
| CVE-2022-35509 | | | 0.00 | — | 0.00 | | Aug 9, 2022 | An issue was discovered in EyouCMS 1.5.8. There is a Storage XSS vulnerability that can allow an attacker to execute arbitrary Web scripts or HTML by injecting a special payload via the title parameter in the foreground contribution, allowing the attacker to obtain sensitive… |
| CVE-2022-33122 | | | 0.00 | — | 0.00 | | Jun 24, 2022 | A stored cross-site scripting (XSS) vulnerability in eyoucms v1.5.6 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the URL field under the login page. |
| CVE-2022-26273 | | | 0.00 | — | 0.01 | | Mar 28, 2022 | EyouCMS v1.5.4 was discovered to lack parameter filtering in \user\controller\shop.php, leading to payment logic vulnerabilities. |
| CVE-2022-26279 | | | 0.00 | — | 0.02 | | Mar 24, 2022 | EyouCMS v1.5.5 was discovered to have no access control in the component /data/sqldata. |
| CVE-2021-42194 | | | 0.00 | — | 0.01 | | Mar 20, 2022 | The wechat_return function in /controller/Index.php of EyouCms V1.5.4-UTF8-SP3 passes the user's input directly into the simplexml_load_string function, which itself does not prohibit external entities, triggering an XML external entity (XXE) injection vulnerability. |
| CVE-2021-46255 | | | 0.00 | — | 0.01 | | Jan 14, 2022 | eyouCMS V1.5.5-UTF8-SP3_1 suffers from arbitrary file deletion due to insufficient filtering of the parameter filename. |
| CVE-2020-24000 | | | 0.00 | — | 0.02 | | Nov 3, 2021 | SQL Injection vulnerability in eyoucms cms v1.4.7 allows attackers to execute arbitrary code and disclose sensitive information via the tid parameter to index.php. |
| CVE-2021-39500 | | | 0.00 | — | 0.01 | | Sep 7, 2021 | Eyoucms 1.5.4 is vulnerable to Directory Traversal. Due to a lack of input data sanitization in the params tpldir, filename, type, nid, an attacker can inject "../" to escape and write files to writeable directories. |
| CVE-2021-39499 | | | 0.00 | — | 0.01 | | Sep 7, 2021 | A Cross-site scripting (XSS) vulnerability in Users in Qiong ICP EyouCMS 1.5.4 allows remote attackers to inject arbitrary web script or HTML via the `title` parameter in the bind_email function. |
| CVE-2021-39497 | | | 0.00 | — | 0.02 | | Sep 7, 2021 | eyoucms 1.5.4 lacks sanitization of input data, allowing an attacker to inject a URL to trigger blind SSRF via the saveRemote() function. |
| CVE-2021-39496 | | | 0.00 | — | 0.01 | | Sep 7, 2021 | Eyoucms 1.5.4 lacks sanitization of input data, allowing an attacker to inject malicious code into the `filename` param to trigger Reflected XSS. |
| CVE-2020-20645 | | | 0.00 | — | 0.01 | | Aug 19, 2021 | Cross Site Scripting (XSS) vulnerability exists in EyouCMS 1.3.6 in the basic_information area. |
| CVE-2020-19669 | | | 0.00 | — | 0.01 | | Aug 18, 2021 | Cross Site Request Forgery (CSRF) vulnerability exists in Eyoucms 1.3.6 that can add an admin account via /login.php?m=admin&c=Admin&a=admin_add&lang=cn. |
| CVE-2020-28146 | | | 0.00 | — | 0.01 | | Aug 18, 2021 | Cross Site Scripting (XSS) vulnerability exists in Eyoucms v1.4.7 and earlier via the addonfieldext parameter. |
| CVE-2020-21930 | | | 0.00 | — | 0.01 | | Aug 10, 2021 | A stored cross site scripting (XSS) vulnerability in the web_attr_2 field of Eyoucms v1.4.1 allows authenticated attackers to execute arbitrary web scripts or HTML. |
| CVE-2020-21929 | | | 0.00 | — | 0.01 | | Aug 10, 2021 | A stored cross site scripting (XSS) vulnerability in the web_copyright field of Eyoucms v1.4.1 allows authenticated attackers to execute arbitrary web scripts or HTML. |
| CVE-2020-18129 | | | 0.00 | — | 0.01 | | Oct 22, 2020 | A CSRF vulnerability in Eyoucms v1.2.7 allows an attacker to add an admin account via login.php. |
| CVE-2019-17430 | | | 0.00 | — | 0.01 | | Oct 10, 2019 | EyouCms through 2019-07-11 has XSS related to the login.php web_recordnum parameter. |