Minicms
Products
1- 19 CVEs
Recent CVEs
19| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-19896 | Cri | 0.64 | 9.8 | 0.01 | Jun 28, 2022 | File inclusion vulnerability in Minicms v1.9 allows remote attackers to execute arbitary PHP code via post-edit.php. | ||
| CVE-2020-36052 | Cri | 0.64 | 9.8 | 0.02 | Jan 5, 2021 | Directory traversal vulnerability in post-edit.php in MiniCMS V1.10 allows remote attackers to include and execute arbitrary files via the state parameter. | ||
| CVE-2018-18892 | Cri | 0.64 | 9.8 | 0.03 | Nov 1, 2018 | MiniCMS 1.10 allows execution of arbitrary PHP code via the install.php sitename parameter, which affects the site_name field in mc_conf.php. | ||
| CVE-2021-33387 | Cri | 0.62 | 9.6 | 0.01 | Feb 24, 2023 | Cross Site Scripting Vulnerability in MiniCMS v.1.10 allows attacker to execute arbitrary code via a crafted get request. | ||
| CVE-2022-33121 | Hig | 0.53 | 8.1 | 0.00 | Jun 24, 2022 | A Cross-Site Request Forgery (CSRF) in MiniCMS v1.11 allows attackers to arbitrarily delete local .dat files via clicking on a malicious link. | ||
| CVE-2020-36051 | Hig | 0.49 | 7.5 | 0.02 | Jan 5, 2021 | Directory traversal vulnerability in page_edit.php in MiniCMS V1.10 allows remote attackers to read arbitrary files via the state parameter. | ||
| CVE-2018-18891 | Hig | 0.49 | 7.5 | 0.01 | Nov 1, 2018 | MiniCMS 1.10 allows file deletion via /mc-admin/post.php?state=delete&delete= because the authentication check occurs too late. | ||
| CVE-2019-9603 | Med | 0.42 | 6.5 | 0.01 | Mar 6, 2019 | MiniCMS 1.10 allows mc-admin/post.php?state=publish&delete= CSRF to delete articles, a different vulnerability than CVE-2018-18891. | ||
| CVE-2024-31741 | Med | 0.40 | 6.1 | 0.00 | Apr 26, 2024 | Cross Site Scripting vulnerability in MiniCMS v.1.11 allows a remote attacker to run arbitrary code via crafted string in the URL after login. | ||
| CVE-2020-17999 | Med | 0.40 | 6.1 | 0.02 | Apr 28, 2021 | Cross Site Scripting (XSS) in MiniCMS v1.10 allows remote attackers to execute arbitrary code by injecting commands via a crafted HTTP request to the component "/mc-admin/post-edit.php". | ||
| CVE-2019-13186 | Med | 0.40 | 6.1 | 0.01 | Jul 3, 2019 | In MiniCMS V1.10, stored XSS was found in mc-admin/post-edit.php via the tags box. An attacker can use it to get a user's cookie. This is different from CVE-2018-10296, CVE-2018-16233, and CVE-2018-20520. | ||
| CVE-2018-20520 | Med | 0.40 | 6.1 | 0.01 | Dec 27, 2018 | MiniCMS V1.10 has XSS via the mc-admin/post-edit.php query string, a related issue to CVE-2018-10296 and CVE-2018-16233. | ||
| CVE-2023-46378 | Med | 0.35 | 5.4 | 0.00 | Oct 31, 2023 | Stored Cross Site Scripting (XSS) vulnerability in MiniCMS 1.1.1 allows attackers to run arbitrary code via crafted string appended to /mc-admin/conf.php. | ||
| CVE-2021-44970 | Med | 0.35 | 5.4 | 0.00 | Feb 10, 2022 | MiniCMS v1.11 was discovered to contain a cross-site scripting (XSS) vulnerability via /mc-admin/page-edit.php. | ||
| CVE-2018-18890 | Med | 0.35 | 5.3 | 0.01 | Nov 1, 2018 | MiniCMS 1.10 allows full path disclosure via /mc-admin/post.php?state=delete&delete= with an invalid filename. | ||
| CVE-2019-13341 | Med | 0.31 | 4.8 | 0.01 | Jul 5, 2019 | In MiniCMS V1.10, stored XSS was found in mc-admin/conf.php (comment box), which can be used to get a user's cookie. | ||
| CVE-2019-13340 | Med | 0.31 | 4.8 | 0.01 | Jul 5, 2019 | In MiniCMS V1.10, stored XSS was found in mc-admin/post-edit.php via the content box. An attacker can use it to get a user's cookie. This is different from CVE-2018-10296, CVE-2018-16233, CVE-2018-20520, and CVE-2019-13186. | ||
| CVE-2019-13339 | Med | 0.31 | 4.8 | 0.01 | Jul 5, 2019 | In MiniCMS V1.10, stored XSS was found in mc-admin/page-edit.php (content box), which can be used to get a user's cookie. | ||
| CVE-2012-5231 | 0.03 | — | 0.03 | Oct 1, 2012 | miniCMS 1.0 and 2.0 allows remote attackers to execute arbitrary PHP code via a crafted (1) pagename or (2) area variable containing an executable extension, which is not properly handled by (a) update.php when writing files to content/, or (b) updatenews.php when writing files… |
- risk 0.64cvss 9.8epss 0.01
File inclusion vulnerability in Minicms v1.9 allows remote attackers to execute arbitary PHP code via post-edit.php.
- risk 0.64cvss 9.8epss 0.02
Directory traversal vulnerability in post-edit.php in MiniCMS V1.10 allows remote attackers to include and execute arbitrary files via the state parameter.
- risk 0.64cvss 9.8epss 0.03
MiniCMS 1.10 allows execution of arbitrary PHP code via the install.php sitename parameter, which affects the site_name field in mc_conf.php.
- risk 0.62cvss 9.6epss 0.01
Cross Site Scripting Vulnerability in MiniCMS v.1.10 allows attacker to execute arbitrary code via a crafted get request.
- risk 0.53cvss 8.1epss 0.00
A Cross-Site Request Forgery (CSRF) in MiniCMS v1.11 allows attackers to arbitrarily delete local .dat files via clicking on a malicious link.
- risk 0.49cvss 7.5epss 0.02
Directory traversal vulnerability in page_edit.php in MiniCMS V1.10 allows remote attackers to read arbitrary files via the state parameter.
- risk 0.49cvss 7.5epss 0.01
MiniCMS 1.10 allows file deletion via /mc-admin/post.php?state=delete&delete= because the authentication check occurs too late.
- risk 0.42cvss 6.5epss 0.01
MiniCMS 1.10 allows mc-admin/post.php?state=publish&delete= CSRF to delete articles, a different vulnerability than CVE-2018-18891.
- risk 0.40cvss 6.1epss 0.00
Cross Site Scripting vulnerability in MiniCMS v.1.11 allows a remote attacker to run arbitrary code via crafted string in the URL after login.
- risk 0.40cvss 6.1epss 0.02
Cross Site Scripting (XSS) in MiniCMS v1.10 allows remote attackers to execute arbitrary code by injecting commands via a crafted HTTP request to the component "/mc-admin/post-edit.php".
- risk 0.40cvss 6.1epss 0.01
In MiniCMS V1.10, stored XSS was found in mc-admin/post-edit.php via the tags box. An attacker can use it to get a user's cookie. This is different from CVE-2018-10296, CVE-2018-16233, and CVE-2018-20520.
- risk 0.40cvss 6.1epss 0.01
MiniCMS V1.10 has XSS via the mc-admin/post-edit.php query string, a related issue to CVE-2018-10296 and CVE-2018-16233.
- risk 0.35cvss 5.4epss 0.00
Stored Cross Site Scripting (XSS) vulnerability in MiniCMS 1.1.1 allows attackers to run arbitrary code via crafted string appended to /mc-admin/conf.php.
- risk 0.35cvss 5.4epss 0.00
MiniCMS v1.11 was discovered to contain a cross-site scripting (XSS) vulnerability via /mc-admin/page-edit.php.
- risk 0.35cvss 5.3epss 0.01
MiniCMS 1.10 allows full path disclosure via /mc-admin/post.php?state=delete&delete= with an invalid filename.
- risk 0.31cvss 4.8epss 0.01
In MiniCMS V1.10, stored XSS was found in mc-admin/conf.php (comment box), which can be used to get a user's cookie.
- risk 0.31cvss 4.8epss 0.01
In MiniCMS V1.10, stored XSS was found in mc-admin/post-edit.php via the content box. An attacker can use it to get a user's cookie. This is different from CVE-2018-10296, CVE-2018-16233, CVE-2018-20520, and CVE-2019-13186.
- risk 0.31cvss 4.8epss 0.01
In MiniCMS V1.10, stored XSS was found in mc-admin/page-edit.php (content box), which can be used to get a user's cookie.
- CVE-2012-5231Oct 1, 2012risk 0.03cvss —epss 0.03
miniCMS 1.0 and 2.0 allows remote attackers to execute arbitrary PHP code via a crafted (1) pagename or (2) area variable containing an executable extension, which is not properly handled by (a) update.php when writing files to content/, or (b) updatenews.php when writing files…