VYPR

Vendor CVEs

Fiyo

All CVEs

26 total · sorted by risk
  • CVE-2014-9148CriOct 16, 2017
    risk 0.68cvss 9.8epss 0.11

    Fiyo CMS 2.0.1.8 allows remote attackers to bypass intended access restrictions and execute the (1) "Install and Update" or (2) Backup super administrator function via the view parameter in a direct request to fiyo/dapur.

  • CVE-2015-3934CriNov 21, 2017
    risk 0.67cvss 9.8epss 0.03

    Multiple SQL injection vulnerabilities in Fiyo CMS 2.0_1.9.1 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to apps/app_article/controller/rating.php or (2) user parameter to user/login.

  • CVE-2017-11631CriJul 26, 2017
    risk 0.64cvss 9.8epss 0.01

    dapur/app/app_user/controller/status.php in Fiyo CMS 2.0.7 has SQL injection via the id parameter.

  • CVE-2017-11419CriJul 18, 2017
    risk 0.64cvss 9.8epss 0.01

    Fiyo CMS 2.0.7 has SQL injection in /apps/app_article/controller/editor.php via $_POST['id'] and $_POST['art_title'].

  • CVE-2017-11418CriJul 18, 2017
    risk 0.64cvss 9.8epss 0.01

    Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_article/controller/article_list.php via $_GET['cat'], $_GET['user'], $_GET['level'], and $_GET['iSortCol_'.$i].

  • CVE-2017-11417CriJul 18, 2017
    risk 0.64cvss 9.8epss 0.01

    Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_article/controller/article_status.php via $_GET['id'].

  • CVE-2017-11416CriJul 18, 2017
    risk 0.64cvss 9.8epss 0.01

    Fiyo CMS 2.0.7 has SQL injection in /apps/app_comment/controller/insert.php via the name parameter.

  • CVE-2017-11415CriJul 18, 2017
    risk 0.64cvss 9.8epss 0.01

    Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_article/sys_article.php via $_POST['parent_id'], $_POST['desc'], $_POST['keys'], and $_POST['level'].

  • CVE-2017-11414CriJul 18, 2017
    risk 0.64cvss 9.8epss 0.01

    Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_comment/sys_comment.php via $_POST['comment'], $_POST['name'], $_POST['web'], $_POST['email'], $_POST['status'], $_POST['id'], and $_REQUEST['id'].

  • CVE-2017-11413CriJul 18, 2017
    risk 0.64cvss 9.8epss 0.01

    Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_article/controller/comment_status.php via $_GET['id'].

  • CVE-2017-11412CriJul 18, 2017
    risk 0.64cvss 9.8epss 0.01

    Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_comment/controller/comment_status.php via $_GET['id'].

  • CVE-2017-11354CriJul 17, 2017
    risk 0.64cvss 9.8epss 0.01

    Fiyo CMS v2.0.7 has an SQL injection vulnerability in dapur/apps/app_article/sys_article.php via the name parameter in editing or adding a tag name.

  • CVE-2017-7625CriApr 10, 2017
    risk 0.64cvss 9.8epss 0.03

    In Fiyo CMS 2.x through 2.0.7, attackers may upload a webshell via the content parameter to "/dapur/apps/app_theme/libs/save_file.php" and then execute code.

  • CVE-2017-6823HigMar 12, 2017
    risk 0.61cvss 8.8epss 0.08

    Fiyo CMS 2.0.6.1 allows remote authenticated users to gain privileges via a modified level parameter to dapur/ in an app=user&act=edit action.

  • CVE-2017-17103HigDec 4, 2017
    risk 0.57cvss 8.8epss 0.01

    Fiyo CMS 2.0.7 has SQL injection in /apps/app_user/sys_user.php via $_POST[name] or $_POST[email]. This vulnerability can lead to escalation from normal user privileges to administrator privileges.

  • CVE-2014-9147HigOct 16, 2017
    risk 0.53cvss 7.5epss 0.11

    Fiyo CMS 2.0.1.8 allows remote attackers to obtain sensitive information via a direct request to the database backup file in .backup/.

  • CVE-2017-17104HigDec 4, 2017
    risk 0.49cvss 7.5epss 0.02

    Fiyo CMS 2.0.7 has an arbitrary file read vulnerability in dapur/apps/app_theme/libs/check_file.php via $_GET['src'] or $_GET['name'].

  • CVE-2017-17102HigDec 4, 2017
    risk 0.49cvss 7.5epss 0.01

    Fiyo CMS 2.0.7 has SQL injection in /system/site.php via $_REQUEST['link'].

  • CVE-2017-11630HigJul 26, 2017
    risk 0.49cvss 7.5epss 0.02

    dapur\apps\app_config\controller\backuper.php in Fiyo CMS 2.0.7 allows remote attackers to delete arbitrary files via directory traversal sequences in the file parameter in a type=database request, a different vulnerability than CVE-2017-8853.

  • CVE-2017-8853HigMay 9, 2017
    risk 0.49cvss 7.5epss 0.01

    Fiyo CMS v2.0.7 has an arbitrary file delete vulnerability in dapur/apps/app_config/controller/backuper.php via directory traversal in the file parameter during an act=db action.

  • CVE-2017-13778MedAug 30, 2017
    risk 0.40cvss 6.1epss 0.01

    Fiyo CMS 2.0.7 has XSS in dapur\apps\app_config\sys_config.php via the site_name parameter.

  • CVE-2014-9146Apr 14, 2015
    risk 0.03cvss epss 0.03

    Multiple cross-site scripting (XSS) vulnerabilities in Fiyo CMS 2.0.1.8 allow remote attackers to inject arbitrary web script or HTML via the (1) view, (2) id, (3) page, or (4) app parameter to the default URI or the (5) act parameter to dapur/index.php.

  • CVE-2014-9145Apr 14, 2015
    risk 0.03cvss epss 0.02

    Multiple SQL injection vulnerabilities in Fiyo CMS 2.0.1.8 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter in an edit action to dapur/index.php; (2) cat, (3) user, or (4) level parameter to dapur/apps/app_article/controller/article_list.php; or…

  • CVE-2020-35373Jun 17, 2021
    risk 0.00cvss epss 0.01

    In Fiyo CMS 2.0.6.1, the 'tag' parameter results in an unauthenticated XSS attack.

  • CVE-2018-18545Oct 21, 2018
    risk 0.00cvss epss 0.01

    Fiyo CMS 2.0.7 has XSS via the dapur\apps\app_user\edit_user.php name parameter.

  • CVE-2014-4032Jun 11, 2014
    risk 0.00cvss epss 0.02

    Cross-site scripting (XSS) vulnerability in apps/app_comment/form_comment.php in Fiyo CMS 1.5.7 allows remote attackers to inject arbitrary web script or HTML via the Nama field.