alexlang24/bloofoxCMS

GitHub

github.com

Releases3

Frequency7 months 3 weeks

Last Release almost 6 years ago

Stars1

bloofoxCMS is a free open source web content management system (CMS).

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2020-37241 ↗	May 16, 2026Saturday, 16 May 2026, 16:16	5.3 MEDIUM	—
bloofoxCMS 0.5.2.1 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions by tricking logged-in users into visiting malicious pages. Attackers can craft hidden forms targeting the admin user creation endpoint to add new administrative accounts with arbitrary credentials without requiring explicit user consent.
CVE-2021-47906 ↗	Jan 23, 2026Friday, 23 January 2026, 17:16	6.4 MEDIUM	—
BloofoxCMS 0.5.2.1 contains a stored cross-site scripting vulnerability in the articles text parameter that allows authenticated attackers to inject malicious scripts. Attackers can insert malicious javascript payloads in the text field to execute scripts and potentially steal authenticated users' cookies.
CVE-2020-36082 ↗	Aug 11, 2023Friday, 11 August 2023, 14:15	9.8 CRITICAL	—
File Upload vulnerability in bloofoxCMS version 0.5.2.1, allows remote attackers to execute arbitrary code and escalate privileges via crafted webshell file to upload module.
CVE-2023-23151 ↗	Jan 26, 2023Thursday, 26 January 2023, 21:18	6.5 MEDIUM	—
bloofoxCMS v0.5.2.1 was discovered to contain an arbitrary file deletion vulnerability via the component /include/inc_content_media.php.
CVE-2022-28528 ↗	Apr 26, 2022Tuesday, 26 April 2022, 21:15	8.8 HIGH	6.5 MEDIUM
bloofoxCMS v0.5.2.1 was discovered to contain an arbitrary file upload vulnerability via /admin/index.php?mode=content&page=media&action=edit.
CVE-2021-44608 ↗	Feb 24, 2022Thursday, 24 February 2022, 15:15	5.4 MEDIUM	3.5 LOW
Multiple Cross Site Scripting (XSS) vulnerabilities exists in bloofoxCMS 0.5.2.1 - 0.5.1 via the (1) file parameter and (2) type parameter in an edit action in index.php.
CVE-2021-44610 ↗	Feb 24, 2022Thursday, 24 February 2022, 15:15	9.8 CRITICAL	7.5 HIGH
Multiple SQL Injection vulnerabilities exist in bloofoxCMS 0.5.2.1 - 0.5.1 via the (1) URLs, (2) lang_id, (3) tmpl_id, (4) mod_rewrite (5) eta_doctype. (6) meta_charset, (7) default_group, and (8) page group parameters in the settings mode in admin/index.php.
CVE-2020-35762 ↗	Jun 16, 2021Wednesday, 16 June 2021, 16:15	2.7 LOW	4 MEDIUM
bloofoxCMS 0.5.2.1 is infected with Path traversal in the 'fileurl' parameter that allows attackers to read local files.
CVE-2020-35759 ↗	Jun 16, 2021Wednesday, 16 June 2021, 16:15	6.5 MEDIUM	4.3 MEDIUM
bloofoxCMS 0.5.2.1 is infected with a CSRF Attack that leads to an attacker editing any file content (Locally/Remotely).
CVE-2020-35760 ↗	Jun 16, 2021Wednesday, 16 June 2021, 16:15	9.8 CRITICAL	7.5 HIGH
bloofoxCMS 0.5.2.1 is infected with Unrestricted File Upload that allows attackers to upload malicious files (ex: php files).
CVE-2020-35761 ↗	Jun 16, 2021Wednesday, 16 June 2021, 16:15	5.4 MEDIUM	3.5 LOW
bloofoxCMS 0.5.2.1 is infected with XSS that allows remote attackers to execute arbitrary JS/HTML Code.
CVE-2020-35709 ↗	Dec 25, 2020Friday, 25 December 2020, 19:15	4.9 MEDIUM	4 MEDIUM
bloofoxCMS 0.5.2.1 allows admins to upload arbitrary .php files (with "Content-Type: application/octet-stream") to ../media/images/ via the admin/index.php?mode=tools&page=upload URI, aka directory traversal.