Filtered by vendor Wuzhicms
Subscriptions
Filtered by product Wuzhicms
Subscriptions
Total
55 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-24930 | 1 Wuzhicms | 1 Wuzhicms | 2024-11-21 | 8.1 High |
| Beijing Wuzhi Internet Technology Co., Ltd. Wuzhi CMS 4.0.1 is an open source content management system. The five fingers CMS backend in***.php file has arbitrary file deletion vulnerability. Attackers can use vulnerabilities to delete arbitrary files. | ||||
| CVE-2020-21590 | 1 Wuzhicms | 1 Wuzhicms | 2024-11-21 | 4.3 Medium |
| Directory traversal in coreframe/app/template/admin/index.php in WUZHI CMS 4.1.0 allows attackers to list files in arbitrary directories via the dir parameter. | ||||
| CVE-2020-19915 | 1 Wuzhicms | 1 Wuzhicms | 2024-11-21 | 6.1 Medium |
| Cross Site Scripting (XSS vulnerability exists in WUZHI CMS 4.1.0 via the mailbox username in index.php. | ||||
| CVE-2020-19553 | 1 Wuzhicms | 1 Wuzhicms | 2024-11-21 | 5.4 Medium |
| Cross Site Scripting (XSS) vlnerability exists in WUZHI CMS up to and including 4.1.0 in the config function in coreframe/app/attachment/libs/class/ckditor.class.php. | ||||
| CVE-2020-19551 | 1 Wuzhicms | 1 Wuzhicms | 2024-11-21 | 8.8 High |
| Blacklist bypass issue exists in WUZHI CMS up to and including 4.1.0 in common.func.php, which when uploaded can cause remote code executiong. | ||||
| CVE-2020-18877 | 1 Wuzhicms | 1 Wuzhicms | 2024-11-21 | 7.5 High |
| SQL Injection in Wuzhi CMS v4.1.0 allows remote attackers to obtain sensitive information via the 'flag' parameter in the component '/coreframe/app/order/admin/index.php'. | ||||
| CVE-2020-18654 | 1 Wuzhicms | 1 Wuzhicms | 2024-11-21 | 6.1 Medium |
| Cross Site Scripting (XSS) in Wuzhi CMS v4.1.0 allows remote attackers to execute arbitrary code via the "Title" parameter in the component "/coreframe/app/guestbook/myissue.php". | ||||
| CVE-2019-9108 | 1 Wuzhicms | 1 Wuzhicms | 2024-11-21 | N/A |
| XSS exists in WUZHI CMS 4.1.0 via index.php?m=core&f=map&v=baidumap&x=[XSS]&y=[XSS] to coreframe/app/core/map.php. | ||||
| CVE-2018-9927 | 1 Wuzhicms | 1 Wuzhicms | 2024-11-21 | N/A |
| An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF vulnerability that can add a user account via index.php?m=member&f=index&v=add. | ||||
| CVE-2018-9926 | 1 Wuzhicms | 1 Wuzhicms | 2024-11-21 | N/A |
| An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF vulnerability that can add an admin account via index.php?m=core&f=power&v=add. | ||||
| CVE-2018-20572 | 1 Wuzhicms | 1 Wuzhicms | 2024-11-21 | N/A |
| WUZHI CMS 4.1.0 allows coreframe/app/coupon/admin/copyfrom.php SQL injection via the index.php?m=promote&f=index&v=search keywords parameter, a related issue to CVE-2018-15893. | ||||
| CVE-2018-14472 | 1 Wuzhicms | 1 Wuzhicms | 2024-11-21 | N/A |
| An issue was discovered in WUZHI CMS 4.1.0. The vulnerable file is coreframe/app/order/admin/goods.php. The $keywords parameter is taken directly into execution without any filtering, leading to SQL injection. | ||||
| CVE-2018-11722 | 1 Wuzhicms | 1 Wuzhicms | 2024-11-21 | N/A |
| WUZHI CMS 4.1.0 has a SQL Injection in api/uc.php via the 'code' parameter, because 'UC_KEY' is hard coded. | ||||
| CVE-2018-10221 | 1 Wuzhicms | 1 Wuzhicms | 2024-11-21 | N/A |
| An issue was discovered in WUZHI CMS V4.1.0. There is a persistent XSS vulnerability that can steal the administrator cookies via the tag[tag] parameter to the index.php?m=tags&f=index&v=add&&_su=wuzhicms URI. After a website editor (whose privilege is lower than the administrator) logs in, he can add a new TAGS with the XSS payload. | ||||
| CVE-2024-10505 | 1 Wuzhicms | 1 Wuzhicms | 2024-11-06 | 6.3 Medium |
| A vulnerability was found in wuzhicms 4.1.0. It has been classified as critical. Affected is the function add/edit of the file www/coreframe/app/content/admin/block.php. The manipulation leads to code injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Initially two separate issues were created by the researcher for the different function calls. The vendor was contacted early about this disclosure but did not respond in any way. | ||||