VYPR

Vendor CVEs

Metinfo

All CVEs

62 total · sorted by risk
  • CVE-2026-29014CriApr 1, 2026
    risk 0.66cvss 9.8epss 0.40

    MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability that allows remote attackers to execute arbitrary code by sending crafted requests with malicious PHP code. Attackers can exploit insufficient input neutralization in the execution…

  • CVE-2018-12531CriJun 18, 2018
    risk 0.64cvss 9.8epss 0.02

    An issue was discovered in MetInfo 6.0.0. install\index.php allows remote attackers to write arbitrary PHP code into config_db.php, a different vulnerability than CVE-2018-7271.

  • CVE-2017-11715CriJul 28, 2017
    risk 0.64cvss 9.8epss 0.01

    job/uploadfile_save.php in MetInfo through 5.3.17 blocks the .php extension but not related extensions, which might allow remote authenticated admins to execute arbitrary PHP code by uploading a .phtml file after certain actions involving admin/system/safe.php and job/cv.php.

  • CVE-2018-14420HigJul 20, 2018
    risk 0.57cvss 8.8epss 0.01

    MetInfo 6.0.0 allows a CSRF attack to add a user account via a doaddsave action to admin/index.php, as demonstrated by an admin/index.php?anyid=47&n=admin&c=admin_admin&a=doaddsave URI.

  • CVE-2018-9934HigApr 10, 2018
    risk 0.57cvss 8.8epss 0.01

    The reset-password feature in MetInfo 6.0 allows remote attackers to change arbitrary passwords via vectors involving a Host HTTP header that is modified to specify a web server under the attacker's control.

  • CVE-2017-11347HigJul 17, 2017
    risk 0.57cvss 8.8epss 0.02

    Authenticated Code Execution Vulnerability in MetInfo 5.3.17 allows a remote authenticated attacker to generate a PHP script with the content of a malicious image, related to admin/include/common.inc.php and admin/app/physical/physical.php.

  • CVE-2018-7271HigFeb 21, 2018
    risk 0.53cvss 8.1epss 0.02

    An issue was discovered in MetInfo 6.0.0. In install/install.php in the installation process, the config/config_db.php configuration file filtering is not rigorous: one can insert malicious code in the installation process to execute arbitrary commands or obtain a web shell.

  • CVE-2017-11717HigJul 28, 2017
    risk 0.49cvss 7.5epss 0.01

    MetInfo through 5.3.17 accepts the same CAPTCHA response for 120 seconds, which makes it easier for remote attackers to bypass intended challenge requirements by modifying the client-server data stream, as demonstrated by the login/findpass page.

  • CVE-2017-11500HigJul 20, 2017
    risk 0.49cvss 7.5epss 0.02

    A directory traversal vulnerability exists in MetInfo 5.3.17. A remote attacker can use ..\ to delete any .zip file via the filenames parameter to /admin/system/database/filedown.php.

  • CVE-2018-13024HigJun 29, 2018
    risk 0.47cvss 7.2epss 0.01

    Metinfo v6.0.0 allows remote attackers to write code into a .php file, and execute that code, via the module parameter to admin/column/save.php in an editor upload action.

  • CVE-2018-12530MedJun 18, 2018
    risk 0.42cvss 6.5epss 0.02

    An issue was discovered in MetInfo 6.0.0. admin/app/batch/csvup.php allows remote attackers to delete arbitrary files via a flienamecsv=../ directory traversal. This can be exploited via CSRF.

  • CVE-2018-9985MedApr 10, 2018
    risk 0.40cvss 6.1epss 0.01

    The front page of MetInfo 6.0 allows XSS by sending a feedback message to an administrator.

  • CVE-2018-9928MedApr 10, 2018
    risk 0.40cvss 6.1epss 0.01

    Cross-site scripting (XSS) vulnerability in save.php in MetInfo 6.0 allows remote attackers to inject arbitrary web script or HTML via the webname or weburl parameter.

  • CVE-2018-7721MedMar 7, 2018
    risk 0.40cvss 6.1epss 0.01

    Cross Site Scripting (XSS) exists in MetInfo 6.0.0 via /feedback/index.php because app/system/feedback/web/feedback.class.php mishandles input data.

  • CVE-2017-11718MedJul 28, 2017
    risk 0.40cvss 6.1epss 0.01

    There is URL Redirector Abuse in MetInfo through 5.3.17 via the gourl parameter to member/login.php.

  • CVE-2017-11716MedJul 28, 2017
    risk 0.40cvss 6.1epss 0.01

    MetInfo through 5.3.17 allows stored XSS via HTML Edit Mode.

  • CVE-2017-9764MedJul 19, 2017
    risk 0.40cvss 6.1epss 0.01

    Cross-site scripting (XSS) vulnerability in MetInfo 5.3.17 allows remote attackers to inject arbitrary web script or HTML via the Client-IP or X-Forwarded-For HTTP header to /include/stat/stat.php in a para action.

  • CVE-2017-14513MedSep 17, 2017
    risk 0.35cvss 5.3epss 0.02

    Directory traversal vulnerability in MetInfo 5.3.17 allows remote attackers to read information from any ini format file via the f_filename parameter in a fingerprintdo action to admin/app/physical/physical.php.

  • CVE-2017-6878MedMar 27, 2017
    risk 0.35cvss 5.4epss 0.01

    Cross-site scripting (XSS) vulnerability in MetInfo 5.3.15 allows remote authenticated users to inject arbitrary web script or HTML via the name_2 parameter to admin/column/delete.php.

  • CVE-2018-17129MedSep 17, 2018
    risk 0.32cvss 4.9epss 0.01

    MetInfo 6.1.0 has SQL injection in doexport() in app/system/feedback/admin/feedback_admin.class.php via the class1 field.

  • CVE-2018-14419MedJul 20, 2018
    risk 0.31cvss 4.8epss 0.01

    MetInfo 6.0.0 allows XSS via a modified name of the navigation bar on the home page.

  • CVE-2019-17418Oct 9, 2019
    risk 0.07cvss epss 0.49

    An issue was discovered in MetInfo 7.0. There is SQL injection via the admin/?n=language&c=language_general&a=doSearchParameter appno parameter, a different issue than CVE-2019-16997.

  • CVE-2019-16997Sep 30, 2019
    risk 0.07cvss epss 0.49

    In Metinfo 7.0.0beta, a SQL Injection was discovered in app/system/language/admin/language_general.class.php via the admin/?n=language&c=language_general&a=doExportPack appno parameter.

  • CVE-2019-16996Sep 30, 2019
    risk 0.07cvss epss 0.12

    In Metinfo 7.0.0beta, a SQL Injection was discovered in app/system/product/admin/product_admin.class.php via the admin/?n=product&c=product_admin&a=dopara&app_type=shop id parameter.

  • CVE-2010-4976Nov 1, 2011
    risk 0.03cvss epss 0.02

    Cross-site scripting (XSS) vulnerability in search/search.php in MetInfo 3.0 allows remote attackers to inject arbitrary web script or HTML via the searchword parameter (aka Search Box field). NOTE: some of these details are obtained from third party information.

  • CVE-2025-60453Oct 3, 2025
    risk 0.00cvss epss 0.00

    A stored Cross-Site Scripting (XSS) vulnerability has been discovered in MetInfo CMS version 8.0. The vulnerability exists in the column management module, specifically in the app\system\column\admin\index.class.php component. The vulnerability allows attackers to upload…

  • CVE-2025-60451Oct 3, 2025
    risk 0.00cvss epss 0.00

    A stored Cross-Site Scripting (XSS) vulnerability has been discovered in MetInfo CMS version 8.0. The vulnerability exists due to insufficient validation and sanitization of SVG file uploads in the app\system\include\module\uploadify.class.php component, specifically in the…

  • CVE-2025-60452Oct 3, 2025
    risk 0.00cvss epss 0.00

    A stored Cross-Site Scripting (XSS) vulnerability has been discovered in MetInfo CMS version 8.0. The vulnerability exists in the download management module, specifically in the app\system\download\admin\download_admin.class.php component. The vulnerability allows attackers to…

  • CVE-2025-60450Oct 3, 2025
    risk 0.00cvss epss 0.00

    A stored Cross-Site Scripting (XSS) vulnerability has been discovered in MetInfo CMS version 8.0. The vulnerability exists due to insufficient validation and sanitization of SVG file uploads in the app\system\include\module\editor\Uploader.class.php component. This security flaw…

  • CVE-2022-44849Dec 7, 2022
    risk 0.00cvss epss 0.00

    A Cross-Site Request Forgery (CSRF) in the Administrator List of MetInfo v7.7 allows attackers to arbitrarily add Super Administrator account.

  • CVE-2022-23335Feb 14, 2022
    risk 0.00cvss epss 0.02

    Metinfo v7.5.0 was discovered to contain a SQL injection vulnerability in language_general.class.php via doModifyParameter.

  • CVE-2022-22295Feb 14, 2022
    risk 0.00cvss epss 0.02

    Metinfo v7.5.0 was discovered to contain a SQL injection vulnerability in parameter_admin.class.php via the table_para parameter.

  • CVE-2020-20600Dec 22, 2021
    risk 0.00cvss epss 0.01

    MetInfo 7.0 beta contains a stored cross-site scripting (XSS) vulnerability in the $name parameter of admin/?n=column&c=index&a=doAddColumn.

  • CVE-2020-21127Sep 15, 2021
    risk 0.00cvss epss 0.02

    MetInfo 7.0.0 contains a SQL injection vulnerability via admin/?n=logs&c=index&a=dodel.

  • CVE-2020-21126Sep 15, 2021
    risk 0.00cvss epss 0.01

    MetInfo 7.0.0 contains a Cross-Site Request Forgery (CSRF) via admin/?n=admin&c=index&a=doSaveInfo.

  • CVE-2020-20981Aug 12, 2021
    risk 0.00cvss epss 0.01

    A SQL injection in the /admin/?n=logs&c=index&a=dolist component of Metinfo 7.0 allows attackers to access sensitive database information.

  • CVE-2020-19305Aug 3, 2021
    risk 0.00cvss epss 0.02

    An issue in /app/system/column/admin/index.class.php of Metinfo v7.0.0 causes the indeximg parameter to be deleted when the column is deleted, allowing attackers to escalate privileges.

  • CVE-2020-19304Aug 3, 2021
    risk 0.00cvss epss 0.02

    An issue in /admin/index.php?n=system&c=filept&a=doGetFileList of Metinfo v7.0.0 allows attackers to perform a directory traversal and access sensitive information.

  • CVE-2020-18175Jul 29, 2021
    risk 0.00cvss epss 0.02

    SQL Injection vulnerability in Metinfo 6.1.3 via a dosafety_emailadd action in basic.php.

  • CVE-2020-18157Jul 29, 2021
    risk 0.00cvss epss 0.01

    Cross Site Request Forgery (CSRF) vulnerability in MetInfo 6.1.3 via a doaddsave action in admin/index.php.

  • CVE-2020-21133Jul 12, 2021
    risk 0.00cvss epss 0.02

    SQL Injection vulnerability in Metinfo 7.0.0 beta in member/getpassword.php?lang=cn&a=dovalid.

  • CVE-2020-21132Jul 12, 2021
    risk 0.00cvss epss 0.02

    SQL Injection vulnerability in Metinfo 7.0.0beta in index.php.

  • CVE-2020-21131Jul 12, 2021
    risk 0.00cvss epss 0.01

    SQL Injection vulnerability in MetInfo 7.0.0beta via admin/?n=language&c=language_web&a=doAddLanguage.

  • CVE-2020-20585Jul 8, 2021
    risk 0.00cvss epss 0.02

    A blind SQL injection in /admin/?n=logs&c=index&a=dode of Metinfo 7.0 beta allows attackers to access sensitive database information.

  • CVE-2020-21517Jun 21, 2021
    risk 0.00cvss epss 0.01

    Cross Site Scripting (XSS) vulnerability in MetInfo 7.0.0 via the gourl parameter in login.php.

  • CVE-2020-20907May 24, 2021
    risk 0.00cvss epss 0.02

    MetInfo 7.0 beta is affected by a file modification vulnerability. Attackers can delete and modify ini files in app/system/language/admin/language_general.class.php and app/system/include/function/file.func.php.

  • CVE-2020-20800Sep 29, 2020
    risk 0.00cvss epss 0.02

    An issue was discovered in MetInfo v7.0.0 beta. There is SQL Injection via the install/index.php?action=adminsetup&cndata=yes&endata=yes&showdata=yes URI.

  • CVE-2019-17676Oct 17, 2019
    risk 0.00cvss epss 0.01

    app/system/admin/admin/index.class.php in MetInfo 7.0.0beta allows a CSRF attack to add a user account via a doSaveSetup action to admin/index.php, as demonstrated by an admin/?n=admin&c=index&a=doSaveSetup URI.

  • CVE-2019-17553Oct 14, 2019
    risk 0.00cvss epss 0.02

    An issue was discovered in MetInfo v7.0.0 beta. There is SQL Injection via the admin/?n=tags&c=index&a=doSaveTags URI.

  • CVE-2019-17419Oct 9, 2019
    risk 0.00cvss epss 0.01

    An issue was discovered in MetInfo 7.0. There is SQL injection via the admin/?n=user&c=admin_user&a=doGetUserInfo id parameter.

Page 1 of 2