VYPR

Vendor CVEs

Finecms Project

All CVEs

44 total · sorted by risk
  • CVE-2018-6893 · Critical · Feb 12, 2018
    risk 0.64 · cvss 9.8 · epss 0.03

    controllers/member/Api.php in dayrui FineCms 5.2.0 has SQL Injection: a request with s=member,c=api,m=checktitle, and the parameter 'module' with a SQL statement, lacks effective filtering.

  • CVE-2017-16920 · Critical · Nov 21, 2017
    risk 0.64 · cvss 9.8 · epss 0.02

    v5/config/system.php in dayrui FineCms 5.2.0 has a default SYS_KEY value and does not require key regeneration for each installation, which allows remote attackers to upload arbitrary .php files via a member api swfupload action to index.php.

  • CVE-2017-12774 · Critical · Aug 9, 2017
    risk 0.64 · cvss 9.8 · epss 0.02

    finecms in 1.9.5\controllers\member\ContentController.php allows remote attackers to operate on the website database.

  • CVE-2017-11585 · Critical · Jul 24, 2017
    risk 0.64 · cvss 9.8 · epss 0.02

    dayrui FineCms 5.0.9 has remote PHP code execution via the param parameter in an action=cache request to libraries/Template.php, aka Eval Injection.

  • CVE-2017-11584 · Critical · Jul 24, 2017
    risk 0.64 · cvss 9.8 · epss 0.02

    dayrui FineCms 5.0.9 has SQL Injection via the field parameter in an action=module, action=member, action=form, or action=related request to libraries/Template.php.

  • CVE-2017-11583 · Critical · Jul 24, 2017
    risk 0.64 · cvss 9.8 · epss 0.01

    dayrui FineCms 5.0.9 has SQL Injection via the catid parameter in an action=related request to libraries/Template.php.

  • CVE-2017-11582 · Critical · Jul 24, 2017
    risk 0.64 · cvss 9.8 · epss 0.01

    dayrui FineCms 5.0.9 has SQL Injection via the num parameter in an action=related or action=tags request to libraries/Template.php.

  • CVE-2017-11167 · Critical · Jul 12, 2017
    risk 0.64 · cvss 9.8 · epss 0.02

    FineCMS 2.1.0 allows remote attackers to execute arbitrary PHP code by using a URL Manager "Add Site" action to enter this code after a ', sequence in a domain name, as demonstrated by the ',phpinfo() input value.

  • CVE-2017-10968 · Critical · Jul 7, 2017
    risk 0.64 · cvss 9.8 · epss 0.02

    In FineCMS through 2017-07-07, application\core\controller\template.php allows remote PHP code execution by placing the code after "<?php" in a route=template request.

  • CVE-2018-18191 · High · Oct 9, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    Cross-site request forgery (CSRF) vulnerability in /admin.php?c=member&m=edit&uid=1 in dayrui FineCms 5.4 allows remote attackers to change the administrator's password.

  • CVE-2017-11200 · High · Jul 13, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    SQL Injection exists in FineCMS through 2017-07-12 via the application/core/controller/excludes.php visitor_ip parameter.

  • CVE-2017-11178 · High · Jul 12, 2017
    risk 0.49 · cvss 7.5 · epss 0.01

    In FineCMS through 2017-07-11, application/core/controller/style.php allows remote attackers to write to arbitrary files via the contents and filename parameters in a route=style action. For example, this can be used to overwrite a .php file because the file extension is not…

  • CVE-2017-10973 · Medium · Jul 6, 2017
    risk 0.42 · cvss 6.5 · epss 0.01

    In FineCMS before 2017-07-06, application/lib/ajax/get_image_data.php has SSRF, related to requests for non-image files with a modified HTTP Host header.

  • CVE-2018-7476 · Medium · Feb 25, 2018
    risk 0.40 · cvss 6.1 · epss 0.01

    controllers/admin/Linkage.php in dayrui FineCms 5.3.0 has Cross Site Scripting (XSS) via the id or lid parameter in a c=linkage,m=import request to admin.php, because the xss_clean protection mechanism is defeated by crafted input that lacks a '<' or '>' character.

  • CVE-2017-1000429 · Medium · Jan 9, 2018
    risk 0.40 · cvss 6.1 · epss 0.01

    rui Li finecms 5.0.10 is vulnerable to a reflected XSS in the file Weixin.php.

  • CVE-2017-16866 · Medium · Nov 16, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    dayrui FineCms 5.2.0 before 2017.11.16 has Cross Site Scripting (XSS) in core/M_Controller.php via the DR_URI field.

  • CVE-2017-14195 · Medium · Sep 7, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    The call_msg function in controllers/Form.php in dayrui FineCms 5.0.11 might have XSS related to the Referer HTTP header with Internet Explorer.

  • CVE-2017-14194 · Medium · Sep 7, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    The out function in controllers/member/Login.php in dayrui FineCms 5.0.11 has XSS related to the Referer HTTP header with Internet Explorer.

  • CVE-2017-14193 · Medium · Sep 7, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    The oauth function in controllers/member/api.php in dayrui FineCms 5.0.11 has XSS related to the Referer HTTP header with Internet Explorer.

  • CVE-2017-14192 · Medium · Sep 7, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    The checktitle function in controllers/member/api.php in dayrui FineCms 5.0.11 has XSS related to the module field.

  • CVE-2017-13697 · Medium · Aug 25, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    controllers/member/api.php in dayrui FineCms 5.0.11 has XSS related to the dirname variable.

  • CVE-2017-11629 · Medium · Jul 26, 2017
    risk 0.40 · cvss 6.1 · epss 0.02

    dayrui FineCms through 5.0.10 has Cross Site Scripting (XSS) in controllers/api.php via the function parameter in a c=api&m=data2 request.

  • CVE-2017-11586 · Medium · Jul 24, 2017
    risk 0.40 · cvss 6.1 · epss 0.02

    dayrui FineCms 5.0.9 has URL Redirector Abuse via the url parameter in a sync action, related to controllers/Weixin.php.

  • CVE-2017-11581 · Medium · Jul 24, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    dayrui FineCms 5.0.9 has Cross Site Scripting (XSS) in admin/Login.php via a payload in the username field that does not begin with a '<' character.

  • CVE-2017-11202 · Medium · Jul 13, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    FineCMS through 2017-07-12 allows XSS in visitors.php because JavaScript in visited URLs is not restricted either during logging or during the reading of logs, a different vulnerability than CVE-2017-11180.

  • CVE-2017-11198 · Medium · Jul 13, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    Cross-site scripting (XSS) vulnerability in /application/lib/ajax/get_image.php in FineCMS through 2017-07-12 allows remote attackers to inject arbitrary web script or HTML via the folder, id, or name parameter.

  • CVE-2017-11180 · Medium · Jul 12, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    FineCMS through 2017-07-11 has stored XSS in the logging functionality, as demonstrated by an XSS payload in (1) the User-Agent header of an HTTP request or (2) the username entered on the login screen.

  • CVE-2017-11179 · Medium · Jul 12, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    FineCMS through 2017-07-11 has stored XSS in route=admin when modifying user information, and in route=register when registering a user account.

  • CVE-2017-10967 · Medium · Jul 6, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    In FineCMS before 2017-07-06, application\core\controller\config.php allows XSS in the (1) key_name, (2) key_value, and (3) meaning parameters.

  • CVE-2017-9252 · Medium · May 28, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    andrzuk/FineCMS through 2017-05-28 is vulnerable to a reflected XSS in the search page via the text-search parameter to index.php in a route=search action.

  • CVE-2017-9251 · Medium · May 28, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    andrzuk/FineCMS through 2017-05-28 is vulnerable to a reflected XSS in the sitename parameter to admin.php.

  • CVE-2017-6511 · Medium · Mar 7, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    andrzuk/FineCMS before 2017-03-06 is vulnerable to a reflected XSS in index.php because of missing validation of the action parameter in application/classes/application.php.

  • CVE-2017-11201 · Medium · Jul 13, 2017
    risk 0.35 · cvss 5.4 · epss 0.01

    application/core/controller/images.php in FineCMS through 2017-07-12 allows remote authenticated admins to conduct XSS attacks by uploading an image via a route=images action.

  • CVE-2025-14008 · Medium · Dec 4, 2025
    risk 0.31 · cvss 4.7 · epss 0.00

    A flaw has been found in dayrui XunRuiCMS up to 4.7.1. This vulnerability affects unknown code of the file admin79f2ec220c7e.php?c=api&m=test_site_domain of the component Project Domain Change Test. This manipulation of the argument v causes server-side request forgery. It is…

  • CVE-2025-14004 · Medium · Dec 4, 2025
    risk 0.31 · cvss 4.7 · epss 0.00

    A security flaw has been discovered in dayrui XunRuiCMS up to 4.7.1. Affected is an unknown function of the file /admind45f74adbd95.php?c=email&m=add of the component Email Setting Handler. Performing a manipulation results in server-side request forgery. Remote exploitation of…

  • CVE-2023-43962 · Medium · Dec 9, 2024
    risk 0.31 · cvss 4.8 · epss 0.00

    Cross Site Scripting vulnerability in Xunrui CMS Public Edition v.4.6.1 allows a remote attacker to execute arbitrary code via the project name function in the project settings tab.

  • CVE-2025-15144 · Medium · Dec 28, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    A weakness has been identified in dayrui XunRuiCMS up to 4.7.1. The impacted element is the function dr_show_error/dr_exit_msg of the file /dayrui/Fcms/Init.php of the component JSONP Callback Handler. This manipulation of the argument callback causes cross site scripting. The…

  • CVE-2025-14006 · Low · Dec 4, 2025
    risk 0.23 · cvss 3.5 · epss 0.00

    A security vulnerability has been detected in dayrui XunRuiCMS up to 4.7.1. Affected by this issue is some unknown functionality of the file /admind45f74adbd95.php?c=field&m=add&rname=site&rid=1&page=1 of the component Add Data Validation Page. The manipulation of the argument…

  • CVE-2025-14005 · Low · Dec 4, 2025
    risk 0.16 · cvss 2.4 · epss 0.00

    A weakness has been identified in dayrui XunRuiCMS up to 4.7.1. Affected by this vulnerability is an unknown functionality of the file /admind45f74adbd95.php?c=field&m=add&rname=site&rid=1&page=0 of the component Add Display Name Field. Executing a manipulation of the argument…

  • CVE-2025-14007 · Low · Dec 4, 2025
    risk 0.13 · cvss 2.0 · epss 0.00

    A vulnerability was detected in dayrui XunRuiCMS up to 4.7.1. This affects an unknown part of the file /admin79f2ec220c7e.php?c=api&m=demo&name=mobile of the component Domain Name Binding Page. The manipulation results in cross site scripting. The attack may be performed from…

  • CVE-2025-2131 · Mar 9, 2025
    risk 0.00 · cvss · epss 0.00

    A vulnerability was found in dayrui XunRuiCMS up to 4.6.3. It has been rated as problematic. This issue affects some unknown processing of the component Friendly Links Handler. The manipulation of the argument Website Address leads to cross site scripting. The attack may be…

  • CVE-2025-1186 · Feb 12, 2025
    risk 0.00 · cvss · epss 0.01

    A vulnerability was found in dayrui XunRuiCMS up to 4.6.4. It has been declared as critical. This vulnerability affects unknown code of the file /Control/Api/Api.php. The manipulation of the argument thumb leads to deserialization. The attack can be initiated remotely. The…

  • CVE-2025-1177 · Feb 11, 2025
    risk 0.00 · cvss · epss 0.01

    A vulnerability was found in dayrui XunRuiCMS 4.6.3. It has been classified as critical. Affected is the function import_add of the file dayrui/Fcms/Control/Admin/Linkage.php. The manipulation leads to deserialization. It is possible to launch the attack remotely. The exploit…

  • CVE-2022-36224 · Aug 19, 2022
    risk 0.00 · cvss · epss 0.00

    XunRuiCMS V4.5.6 is vulnerable to Cross Site Request Forgery (CSRF).