
Cherry-toto/jizhicms
CVE History
| CVE | Published | CVSS v3 | CVSS v2 | Description |
|---|---|---|---|---|
| | | 9.8 CRITICAL | — | Jizhicms v2.5.4 is vulnerable to SQL injection in the product editing module. |
| | | 9.1 CRITICAL | — | Jizhicms v2.5.4 is vulnerable to Server-Side Request Forgery (SSRF) in the User Evaluation, Message, and Comment modules. |
| | | 6.1 MEDIUM | — | jizhicms v2.5.1 contains a Cross-Site Scripting (XSS) vulnerability in the message function. |
| | | 7.3 HIGH | — | Cross Site Scripting vulnerability in jizhicms v.2.5.4 allows a remote attacker to obtain sensitive information via a crafted article publication request. |
| | | 8.8 HIGH | — | File Upload vulnerability in JIZHICMS v.2.5 allows a remote attacker to execute arbitrary code via a crafted file uploaded and downloaded to the download_url parameter in the app/admin/exts/ directory. |
| | | 5.4 MEDIUM | — | jizhicms v2.4.6 is vulnerable to Cross Site Scripting (XSS). The content of a published article is filtered only in the front end, not in the backend, which allows attackers to publish an article containing malicious JavaScript by modifying the request body. |
| | | 7.2 HIGH | — | An arbitrary file upload vulnerability in the \admin\c\CommonController.php component of Jizhicms v2.4.5 allows attackers to execute arbitrary code via a crafted phtml file. |
| | | 6.5 MEDIUM | — | A Cross-Site Request Forgery (CSRF) in /Sys/index.html of Jizhicms v2.4.5 allows attackers to arbitrarily make configuration changes within the application. |
| | | 8.8 HIGH | — | Jizhicms v2.3.3 was discovered to contain a SQL injection vulnerability via the /index.php/admins/Fields/get_fields.html component. |
| | | 8.8 HIGH | — | Jizhicms v2.3.3 was discovered to contain a SQL injection vulnerability via the /Member/memberedit.html component. |
| | | 9.8 CRITICAL | — | jizhicms v2.3.1 has SQL injection in the backend. |
| | | 8.8 HIGH | — | An issue was discovered in jizhicms v2.3.1. There is a CSRF vulnerability that can add an admin. |
| | | 9.1 CRITICAL | 6.4 MEDIUM | Jizhicms v2.2.5 was discovered to contain a Server-Side Request Forgery (SSRF) vulnerability via the Index function in app/admin/c/PluginsController.php. |
| | | 9.1 CRITICAL | 6.4 MEDIUM | Jizhicms v2.2.5 was discovered to contain a Server-Side Request Forgery (SSRF) vulnerability via the Update function in app/admin/c/TemplateController.php. |
| | | 9.8 CRITICAL | 7.5 HIGH | Jizhicms v1.9.5 was discovered to contain a Server-Side Request Forgery (SSRF) vulnerability via /admin.php/Plugins/update.html. |
| | | 6.1 MEDIUM | 4.3 MEDIUM | JIZHICMS 1.5.1 contains a cross-site scripting (XSS) vulnerability in the component /user/release.html, which allows attackers to arbitrarily add an administrator cookie. |
| | | 6.1 MEDIUM | 4.3 MEDIUM | XSS exists in JIZHICMS 1.7.1 via index.php/Error/index?msg={XSS] to Home/c/ErrorController.php. |
| | | 6.1 MEDIUM | 4.3 MEDIUM | XSS exists in JIZHICMS 1.7.1 via index.php/Wechat/checkWeixin?signature=1&echostr={XSS] to Home/c/WechatController.php. |
| | | 8.8 HIGH | 6.8 MEDIUM | JIZHICMS 1.5.1 allows admin.php/Admin/adminadd.html CSRF to add an administrator. |