Vendor CVEs
Finecms Project
All CVEs
44 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-6893 | | Critical | 0.64 | 9.8 | 0.03 | | Feb 12, 2018 | controllers/member/Api.php in dayrui FineCms 5.2.0 has SQL Injection: a request with s=member,c=api,m=checktitle, and the parameter 'module' with a SQL statement, lacks effective filtering. |
| CVE-2017-16920 | | Critical | 0.64 | 9.8 | 0.02 | | Nov 21, 2017 | v5/config/system.php in dayrui FineCms 5.2.0 has a default SYS_KEY value and does not require key regeneration for each installation, which allows remote attackers to upload arbitrary .php files via a member api swfupload action to index.php. |
| CVE-2017-12774 | | Critical | 0.64 | 9.8 | 0.02 | | Aug 9, 2017 | finecms in 1.9.5\controllers\member\ContentController.php allows remote attackers to operate website database |
| CVE-2017-11585 | | Critical | 0.64 | 9.8 | 0.02 | | Jul 24, 2017 | dayrui FineCms 5.0.9 has remote PHP code execution via the param parameter in an action=cache request to libraries/Template.php, aka Eval Injection. |
| CVE-2017-11584 | | Critical | 0.64 | 9.8 | 0.02 | | Jul 24, 2017 | dayrui FineCms 5.0.9 has SQL Injection via the field parameter in an action=module, action=member, action=form, or action=related request to libraries/Template.php. |
| CVE-2017-11583 | | Critical | 0.64 | 9.8 | 0.01 | | Jul 24, 2017 | dayrui FineCms 5.0.9 has SQL Injection via the catid parameter in an action=related request to libraries/Template.php. |
| CVE-2017-11582 | | Critical | 0.64 | 9.8 | 0.01 | | Jul 24, 2017 | dayrui FineCms 5.0.9 has SQL Injection via the num parameter in an action=related or action=tags request to libraries/Template.php. |
| CVE-2017-11167 | | Critical | 0.64 | 9.8 | 0.02 | | Jul 12, 2017 | FineCMS 2.1.0 allows remote attackers to execute arbitrary PHP code by using a URL Manager "Add Site" action to enter this code after a ', sequence in a domain name, as demonstrated by the ',phpinfo() input value. |
| CVE-2017-10968 | | Critical | 0.64 | 9.8 | 0.02 | | Jul 7, 2017 | In FineCMS through 2017-07-07, application\core\controller\template.php allows remote PHP code execution by placing the code after "<?php" in a route=template request. |
| CVE-2018-18191 | | High | 0.57 | 8.8 | 0.01 | | Oct 9, 2018 | Cross-site request forgery (CSRF) vulnerability in /admin.php?c=member&m=edit&uid=1 in dayrui FineCms 5.4 allows remote attackers to change the administrator's password. |
| CVE-2017-11200 | | High | 0.57 | 8.8 | 0.01 | | Jul 13, 2017 | SQL Injection exists in FineCMS through 2017-07-12 via the application/core/controller/excludes.php visitor_ip parameter. |
| CVE-2017-11178 | | High | 0.49 | 7.5 | 0.01 | | Jul 12, 2017 | In FineCMS through 2017-07-11, application/core/controller/style.php allows remote attackers to write to arbitrary files via the contents and filename parameters in a route=style action. For example, this can be used to overwrite a .php file because the file extension is not… |
| CVE-2017-10973 | | Medium | 0.42 | 6.5 | 0.01 | | Jul 6, 2017 | In FineCMS before 2017-07-06, application/lib/ajax/get_image_data.php has SSRF, related to requests for non-image files with a modified HTTP Host header. |
| CVE-2018-7476 | | Medium | 0.40 | 6.1 | 0.01 | | Feb 25, 2018 | controllers/admin/Linkage.php in dayrui FineCms 5.3.0 has Cross Site Scripting (XSS) via the id or lid parameter in a c=linkage,m=import request to admin.php, because the xss_clean protection mechanism is defeated by crafted input that lacks a '<' or '>' character. |
| CVE-2017-1000429 | | Medium | 0.40 | 6.1 | 0.01 | | Jan 9, 2018 | rui Li finecms 5.0.10 is vulnerable to a reflected XSS in the file Weixin.php. |
| CVE-2017-16866 | | Medium | 0.40 | 6.1 | 0.01 | | Nov 16, 2017 | dayrui FineCms 5.2.0 before 2017.11.16 has Cross Site Scripting (XSS) in core/M_Controller.php via the DR_URI field. |
| CVE-2017-14195 | | Medium | 0.40 | 6.1 | 0.01 | | Sep 7, 2017 | The call_msg function in controllers/Form.php in dayrui FineCms 5.0.11 might have XSS related to the Referer HTTP header with Internet Explorer. |
| CVE-2017-14194 | | Medium | 0.40 | 6.1 | 0.01 | | Sep 7, 2017 | The out function in controllers/member/Login.php in dayrui FineCms 5.0.11 has XSS related to the Referer HTTP header with Internet Explorer. |
| CVE-2017-14193 | | Medium | 0.40 | 6.1 | 0.01 | | Sep 7, 2017 | The oauth function in controllers/member/api.php in dayrui FineCms 5.0.11 has XSS related to the Referer HTTP header with Internet Explorer. |
| CVE-2017-14192 | | Medium | 0.40 | 6.1 | 0.01 | | Sep 7, 2017 | The checktitle function in controllers/member/api.php in dayrui FineCms 5.0.11 has XSS related to the module field. |
| CVE-2017-13697 | | Medium | 0.40 | 6.1 | 0.01 | | Aug 25, 2017 | controllers/member/api.php in dayrui FineCms 5.0.11 has XSS related to the dirname variable. |
| CVE-2017-11629 | | Medium | 0.40 | 6.1 | 0.02 | | Jul 26, 2017 | dayrui FineCms through 5.0.10 has Cross Site Scripting (XSS) in controllers/api.php via the function parameter in a c=api&m=data2 request. |
| CVE-2017-11586 | | Medium | 0.40 | 6.1 | 0.02 | | Jul 24, 2017 | dayrui FineCms 5.0.9 has URL Redirector Abuse via the url parameter in a sync action, related to controllers/Weixin.php. |
| CVE-2017-11581 | | Medium | 0.40 | 6.1 | 0.01 | | Jul 24, 2017 | dayrui FineCms 5.0.9 has Cross Site Scripting (XSS) in admin/Login.php via a payload in the username field that does not begin with a '<' character. |
| CVE-2017-11202 | | Medium | 0.40 | 6.1 | 0.01 | | Jul 13, 2017 | FineCMS through 2017-07-12 allows XSS in visitors.php because JavaScript in visited URLs is not restricted either during logging or during the reading of logs, a different vulnerability than CVE-2017-11180. |
| CVE-2017-11198 | | Medium | 0.40 | 6.1 | 0.01 | | Jul 13, 2017 | Cross-site scripting (XSS) vulnerability in /application/lib/ajax/get_image.php in FineCMS through 2017-07-12 allows remote attackers to inject arbitrary web script or HTML via the folder, id, or name parameter. |
| CVE-2017-11180 | | Medium | 0.40 | 6.1 | 0.01 | | Jul 12, 2017 | FineCMS through 2017-07-11 has stored XSS in the logging functionality, as demonstrated by an XSS payload in (1) the User-Agent header of an HTTP request or (2) the username entered on the login screen. |
| CVE-2017-11179 | | Medium | 0.40 | 6.1 | 0.01 | | Jul 12, 2017 | FineCMS through 2017-07-11 has stored XSS in route=admin when modifying user information, and in route=register when registering a user account. |
| CVE-2017-10967 | | Medium | 0.40 | 6.1 | 0.01 | | Jul 6, 2017 | In FineCMS before 2017-07-06, application\core\controller\config.php allows XSS in the (1) key_name, (2) key_value, and (3) meaning parameters. |
| CVE-2017-9252 | | Medium | 0.40 | 6.1 | 0.01 | | May 28, 2017 | andrzuk/FineCMS through 2017-05-28 is vulnerable to a reflected XSS in the search page via the text-search parameter to index.php in a route=search action. |
| CVE-2017-9251 | | Medium | 0.40 | 6.1 | 0.01 | | May 28, 2017 | andrzuk/FineCMS through 2017-05-28 is vulnerable to a reflected XSS in the sitename parameter to admin.php. |
| CVE-2017-6511 | | Medium | 0.40 | 6.1 | 0.01 | | Mar 7, 2017 | andrzuk/FineCMS before 2017-03-06 is vulnerable to a reflected XSS in index.php because of missing validation of the action parameter in application/classes/application.php. |
| CVE-2017-11201 | | Medium | 0.35 | 5.4 | 0.01 | | Jul 13, 2017 | application/core/controller/images.php in FineCMS through 2017-07-12 allows remote authenticated admins to conduct XSS attacks by uploading an image via a route=images action. |
| CVE-2025-14008 | | Medium | 0.31 | 4.7 | 0.00 | | Dec 4, 2025 | A flaw has been found in dayrui XunRuiCMS up to 4.7.1. This vulnerability affects unknown code of the file admin79f2ec220c7e.php?c=api&m=test_site_domain of the component Project Domain Change Test. This manipulation of the argument v causes server-side request forgery. It is… |
| CVE-2025-14004 | | Medium | 0.31 | 4.7 | 0.00 | | Dec 4, 2025 | A security flaw has been discovered in dayrui XunRuiCMS up to 4.7.1. Affected is an unknown function of the file /admind45f74adbd95.php?c=email&m=add of the component Email Setting Handler. Performing a manipulation results in server-side request forgery. Remote exploitation of… |
| CVE-2023-43962 | | Medium | 0.31 | 4.8 | 0.00 | | Dec 9, 2024 | Cross Site Scripting vulnerability in Xunrui CMS Public Edition v.4.6.1 allows a remote attacker to execute arbitrary code via the project name function in the project settings tab. |
| CVE-2025-15144 | | Medium | 0.28 | 4.3 | 0.00 | | Dec 28, 2025 | A weakness has been identified in dayrui XunRuiCMS up to 4.7.1. The impacted element is the function dr_show_error/dr_exit_msg of the file /dayrui/Fcms/Init.php of the component JSONP Callback Handler. This manipulation of the argument callback causes cross site scripting. The… |
| CVE-2025-14006 | | Low | 0.23 | 3.5 | 0.00 | | Dec 4, 2025 | A security vulnerability has been detected in dayrui XunRuiCMS up to 4.7.1. Affected by this issue is some unknown functionality of the file /admind45f74adbd95.php?c=field&m=add&rname=site&rid=1&page=1 of the component Add Data Validation Page. The manipulation of the argument… |
| CVE-2025-14005 | | Low | 0.16 | 2.4 | 0.00 | | Dec 4, 2025 | A weakness has been identified in dayrui XunRuiCMS up to 4.7.1. Affected by this vulnerability is an unknown functionality of the file /admind45f74adbd95.php?c=field&m=add&rname=site&rid=1&page=0 of the component Add Display Name Field. Executing a manipulation of the argument… |
| CVE-2025-14007 | | Low | 0.13 | 2.0 | 0.00 | | Dec 4, 2025 | A vulnerability was detected in dayrui XunRuiCMS up to 4.7.1. This affects an unknown part of the file /admin79f2ec220c7e.php?c=api&m=demo&name=mobile of the component Domain Name Binding Page. The manipulation results in cross site scripting. The attack may be performed from… |
| CVE-2025-2131 | | | 0.00 | — | 0.00 | | Mar 9, 2025 | A vulnerability was found in dayrui XunRuiCMS up to 4.6.3. It has been rated as problematic. This issue affects some unknown processing of the component Friendly Links Handler. The manipulation of the argument Website Address leads to cross site scripting. The attack may be… |
| CVE-2025-1186 | | | 0.00 | — | 0.01 | | Feb 12, 2025 | A vulnerability was found in dayrui XunRuiCMS up to 4.6.4. It has been declared as critical. This vulnerability affects unknown code of the file /Control/Api/Api.php. The manipulation of the argument thumb leads to deserialization. The attack can be initiated remotely. The… |
| CVE-2025-1177 | | | 0.00 | — | 0.01 | | Feb 11, 2025 | A vulnerability was found in dayrui XunRuiCMS 4.6.3. It has been classified as critical. Affected is the function import_add of the file dayrui/Fcms/Control/Admin/Linkage.php. The manipulation leads to deserialization. It is possible to launch the attack remotely. The exploit… |
| CVE-2022-36224 | | | 0.00 | — | 0.00 | | Aug 19, 2022 | XunRuiCMS V4.5.6 is vulnerable to Cross Site Request Forgery (CSRF). |