VYPR
Vendor: Qibosoft

Products: 2
CVEs: 14
Across products: 15
Status: Private

Recent CVEs (14)

  • CVE-2019-17613 | Critical | Oct 15, 2019
    risk 0.64 | cvss 9.8 | epss 0.03

    qibosoft 7 allows remote code execution because do/jf.php makes eval calls. The attacker can use the Point Introduction Management feature to supply PHP code to be evaluated. Alternatively, the attacker can access admin/index.php?lfj=jfadmin&action=addjf via CSRF, as…

  • CVE-2020-20944 | Critical | Dec 27, 2021
    risk 0.59 | cvss 9.1 | epss 0.02

    An issue in /admin/index.php?lfj=mysql&action=del of Qibosoft v7 allows attackers to arbitrarily delete files.

  • CVE-2023-27037 | High | Mar 16, 2023
    risk 0.57 | cvss 8.8 | epss 0.01

    Qibosoft QiboCMS v7 was discovered to contain a remote code execution (RCE) vulnerability via the Get_Title function at label_set_rs.php.

  • CVE-2020-20945 | High | Dec 27, 2021
    risk 0.57 | cvss 8.8 | epss 0.01

    A Cross-Site Request Forgery (CSRF) in /admin/index.php?lfj=member&action=editmember of Qibosoft v7 allows attackers to arbitrarily add administrator accounts.

  • CVE-2018-18201 | High | Oct 9, 2018
    risk 0.57 | cvss 8.8 | epss 0.00

    qibosoft V7.0 allows CSRF via admin/index.php?lfj=member&action=addmember to add a user account.

  • CVE-2019-5725 | High | Jan 8, 2019
    risk 0.49 | cvss 7.5 | epss 0.01

    qibosoft through V7 allows remote attackers to read arbitrary files via the member/index.php main parameter, as demonstrated by SSRF to a URL on the same web site to read a .sql file.

  • CVE-2024-1225 | High | Feb 5, 2024
    risk 0.48 | cvss 7.3 | epss 0.01

    A vulnerability classified as critical was found in QiboSoft QiboCMS X1 up to 1.0.6. Affected by this vulnerability is the function rmb_pay of the file /application/index/controller/Pay.php. The manipulation of the argument callback_class leads to deserialization. The attack can…

  • CVE-2021-27811 | High | May 21, 2021
    risk 0.47 | cvss 7.2 | epss 0.01

    A code injection vulnerability has been discovered in the Upgrade function of QibosoftX1 v1.0. An attacker is able to execute arbitrary PHP code via exploitation of client_upgrade_edition.php and Upgrade.php.

  • CVE-2020-20808 | Medium | Aug 3, 2023
    risk 0.40 | cvss 6.1 | epss 0.01

    Cross Site Scripting vulnerability in Qibosoft qibosoft v.7 and before allows a remote attacker to execute arbitrary code via the eindtijd and starttijd parameters of do/search.php.

  • CVE-2020-18022 | Medium | Apr 28, 2021
    risk 0.40 | cvss 6.1 | epss 0.01

    Cross Site Scripting (XSS) in Qibosoft QiboCMS v7 and earlier allows remote attackers to execute arbitrary code or obtain sensitive information by injecting arbitrary commands in a HTTP request to the "ewebeditor\3.1.1\kindeditor.js" component.

  • CVE-2020-20946 | Medium | Dec 27, 2021
    risk 0.35 | cvss 5.4 | epss 0.01

    Qibosoft v7 contains a stored cross-site scripting (XSS) vulnerability in the component /admin/index.php?lfj=friendlink&action=add.

  • CVE-2020-20943 | Medium | Dec 27, 2021
    risk 0.28 | cvss 4.3 | epss 0.00

    A Cross-Site Request Forgery (CSRF) in /member/post.php?job=postnew&step=post of Qibosoft v7 allows attackers to force victim users into arbitrarily publishing new articles via a crafted URL.

  • CVE-2025-22973 | Feb 20, 2025
    risk 0.00 | cvss (not listed) | epss 0.00

    An issue in QiboSoft QiboCMS X1.0 allows a remote attacker to obtain sensitive information via the http_curl() function in the '/application/common.php' file that directly retrieves the URL request response content.

  • CVE-2011-1064 | Feb 23, 2011
    risk 0.00 | cvss (not listed) | epss 0.01

    SQL injection vulnerability in member/list.php in qibosoft Qi Bo CMS 7 allows remote attackers to execute arbitrary SQL commands via the aidDB[] parameter.