
gaozhifeng/PHPMyWind
CVE History
| CVE | Published | CVSS v3 | CVSS v2 | Description |
|---|---|---|---|---|
| | | 7.2 HIGH | — | SQL injection vulnerability in gaozhifeng PHPMyWind v.5.6 allows a remote attacker to execute arbitrary code via the id variable in the modify function. |
| | | 8.8 HIGH | — | SQL injection vulnerability found in PHPMyWind v.5.6 allows a remote attacker to gain privileges via the delete function of the administrator management page. |
| | | 6.5 MEDIUM | 4.3 MEDIUM | A Cross Site Request Forgery (CSRF) vulnerability was discovered in PHPMyWind 5.6 which allows attackers to create a new administrator account without authentication. |
| | | 7.2 HIGH | 6.5 MEDIUM | PHPMyWind 5.6 is vulnerable to Remote Code Execution. Because input is filtered without "<, >, ?, =, `, ..." in the WriteConfig() function, an attacker can inject PHP code into the /include/config.cache.php file. |
| | | 7.2 HIGH | 6.5 MEDIUM | Command Injection in PHPMyWind v5.6 allows remote attackers to execute arbitrary code via the "text color" field of the component '/admin/web_config.php'. |
| | | 7.2 HIGH | 6.5 MEDIUM | Unrestricted File Upload in PHPMyWind v5.6 allows remote attackers to execute arbitrary code via the component 'admin/upload_file_do.php'. |
| | | 6.1 MEDIUM | 4.3 MEDIUM | admin/infolist_add.php in PHPMyWind 5.6 has stored XSS. |
| | | — | 3.5 LOW | admin/default.php in PHPMyWind v5.5 has XSS via an HTTP Host header. |
| | | — | 4.3 MEDIUM | PHPMyWind 5.5 has XSS via the cid parameter to newsshow.php, or the query string to news.php or about.php. |