AvaterXXX/XiaoCms

AvaterXXX/XiaoCms

Unavailable

This project is no longer available (or publicly accessible) from GitHub

Releases0

Log in to subscribe

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2018-19192 ↗	Nov 12, 2018Monday, 12 November 2018, 05:29	—	6.8 MEDIUM
An issue was discovered in XiaoCms 20141229. admin/index.php?c=content&a=add&catid=3 has CSRF, as demonstrated by entering news via the data[content] parameter.
CVE-2018-19193 ↗	Nov 12, 2018Monday, 12 November 2018, 05:29	—	4.3 MEDIUM
An issue was discovered in XiaoCms 20141229. There is XSS via the largest input box on the "New news" screen.
CVE-2018-19194 ↗	Nov 12, 2018Monday, 12 November 2018, 05:29	—	5 MEDIUM
An issue was discovered in XiaoCms 20141229. /admin/index.php?c=database allows full path disclosure in a "failed to open stream" error message.
CVE-2018-19195 ↗	Nov 12, 2018Monday, 12 November 2018, 05:29	—	4.3 MEDIUM
An issue was discovered in XiaoCms 20141229. There is XSS related to the template\default\show_product.html file.
CVE-2018-19196 ↗	Nov 12, 2018Monday, 12 November 2018, 05:29	—	7.5 HIGH
An issue was discovered in XiaoCms 20141229. It allows remote attackers to execute arbitrary code by using the type parameter to bypass the standard admin\controller\uploadfile.php restrictions on uploaded file types (jpg, jpeg, bmp, png, gif), as demonstrated by an admin/index.php?c=uploadfile&a=uploadify_upload&type=php URI.
CVE-2018-19197 ↗	Nov 12, 2018Monday, 12 November 2018, 05:29	—	5.5 MEDIUM
An issue was discovered in XiaoCms 20141229. admin\controller\database.php allows arbitrary directory deletion via admin/index.php?c=database&a=import&paths[]=../ directory traversal.