VYPR
Vendor: Metinfo

Products: 1
CVEs: 62
Across products: 62
Status: Private

Recent CVEs (62)

  • CVE-2026-29014 | Critical | Apr 1, 2026
    risk 0.66 | cvss 9.8 | epss 0.40

    MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability that allows remote attackers to execute arbitrary code by sending crafted requests with malicious PHP code. Attackers can exploit insufficient input neutralization in the execution…

  • CVE-2018-12531 | Critical | Jun 18, 2018
    risk 0.64 | cvss 9.8 | epss 0.02

    An issue was discovered in MetInfo 6.0.0. install\index.php allows remote attackers to write arbitrary PHP code into config_db.php, a different vulnerability than CVE-2018-7271.

  • CVE-2017-11715 | Critical | Jul 28, 2017
    risk 0.64 | cvss 9.8 | epss 0.01

    job/uploadfile_save.php in MetInfo through 5.3.17 blocks the .php extension but not related extensions, which might allow remote authenticated admins to execute arbitrary PHP code by uploading a .phtml file after certain actions involving admin/system/safe.php and job/cv.php.

  • CVE-2018-14420 | High | Jul 20, 2018
    risk 0.57 | cvss 8.8 | epss 0.01

    MetInfo 6.0.0 allows a CSRF attack to add a user account via a doaddsave action to admin/index.php, as demonstrated by an admin/index.php?anyid=47&n=admin&c=admin_admin&a=doaddsave URI.

  • CVE-2018-9934 | High | Apr 10, 2018
    risk 0.57 | cvss 8.8 | epss 0.01

    The reset-password feature in MetInfo 6.0 allows remote attackers to change arbitrary passwords via vectors involving a Host HTTP header that is modified to specify a web server under the attacker's control.

  • CVE-2017-11347 | High | Jul 17, 2017
    risk 0.57 | cvss 8.8 | epss 0.02

    Authenticated Code Execution Vulnerability in MetInfo 5.3.17 allows a remote authenticated attacker to generate a PHP script with the content of a malicious image, related to admin/include/common.inc.php and admin/app/physical/physical.php.

  • CVE-2018-7271 | High | Feb 21, 2018
    risk 0.53 | cvss 8.1 | epss 0.02

    An issue was discovered in MetInfo 6.0.0. In install/install.php in the installation process, the config/config_db.php configuration file filtering is not rigorous: one can insert malicious code in the installation process to execute arbitrary commands or obtain a web shell.

  • CVE-2017-11717 | High | Jul 28, 2017
    risk 0.49 | cvss 7.5 | epss 0.01

    MetInfo through 5.3.17 accepts the same CAPTCHA response for 120 seconds, which makes it easier for remote attackers to bypass intended challenge requirements by modifying the client-server data stream, as demonstrated by the login/findpass page.

  • CVE-2017-11500 | High | Jul 20, 2017
    risk 0.49 | cvss 7.5 | epss 0.02

    A directory traversal vulnerability exists in MetInfo 5.3.17. A remote attacker can use ..\ to delete any .zip file via the filenames parameter to /admin/system/database/filedown.php.

  • CVE-2018-13024 | High | Jun 29, 2018
    risk 0.47 | cvss 7.2 | epss 0.01

    Metinfo v6.0.0 allows remote attackers to write code into a .php file, and execute that code, via the module parameter to admin/column/save.php in an editor upload action.

  • CVE-2018-12530 | Medium | Jun 18, 2018
    risk 0.42 | cvss 6.5 | epss 0.02

    An issue was discovered in MetInfo 6.0.0. admin/app/batch/csvup.php allows remote attackers to delete arbitrary files via a flienamecsv=../ directory traversal. This can be exploited via CSRF.

  • CVE-2018-9985 | Medium | Apr 10, 2018
    risk 0.40 | cvss 6.1 | epss 0.01

    The front page of MetInfo 6.0 allows XSS by sending a feedback message to an administrator.

  • CVE-2018-9928 | Medium | Apr 10, 2018
    risk 0.40 | cvss 6.1 | epss 0.01

    Cross-site scripting (XSS) vulnerability in save.php in MetInfo 6.0 allows remote attackers to inject arbitrary web script or HTML via the webname or weburl parameter.

  • CVE-2018-7721 | Medium | Mar 7, 2018
    risk 0.40 | cvss 6.1 | epss 0.01

    Cross Site Scripting (XSS) exists in MetInfo 6.0.0 via /feedback/index.php because app/system/feedback/web/feedback.class.php mishandles input data.

  • CVE-2017-11718 | Medium | Jul 28, 2017
    risk 0.40 | cvss 6.1 | epss 0.01

    There is URL Redirector Abuse in MetInfo through 5.3.17 via the gourl parameter to member/login.php.

  • CVE-2017-11716 | Medium | Jul 28, 2017
    risk 0.40 | cvss 6.1 | epss 0.01

    MetInfo through 5.3.17 allows stored XSS via HTML Edit Mode.

  • CVE-2017-9764 | Medium | Jul 19, 2017
    risk 0.40 | cvss 6.1 | epss 0.01

    Cross-site scripting (XSS) vulnerability in MetInfo 5.3.17 allows remote attackers to inject arbitrary web script or HTML via the Client-IP or X-Forwarded-For HTTP header to /include/stat/stat.php in a para action.

  • CVE-2017-14513 | Medium | Sep 17, 2017
    risk 0.35 | cvss 5.3 | epss 0.02

    Directory traversal vulnerability in MetInfo 5.3.17 allows remote attackers to read information from any ini format file via the f_filename parameter in a fingerprintdo action to admin/app/physical/physical.php.

  • CVE-2017-6878 | Medium | Mar 27, 2017
    risk 0.35 | cvss 5.4 | epss 0.01

    Cross-site scripting (XSS) vulnerability in MetInfo 5.3.15 allows remote authenticated users to inject arbitrary web script or HTML via the name_2 parameter to admin/column/delete.php.

  • CVE-2018-17129 | Medium | Sep 17, 2018
    risk 0.32 | cvss 4.9 | epss 0.01

    MetInfo 6.1.0 has SQL injection in doexport() in app/system/feedback/admin/feedback_admin.class.php via the class1 field.