gnat/nc-cms

gnat/nc-cms

Releases0

Stars27

:bulb: Embeddable, lightweight, simple PHP CMS. Content Management System.

Log in to subscribe

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2019-7721 ↗	Feb 11, 2019Monday, 11 February 2019, 04:29	—	5 MEDIUM
lib/NCCms.class.php in nc-cms 3.5 allows upload of .php files via the index.php?action=save name and editordata parameters.
CVE-2018-18874 ↗	Oct 31, 2018Wednesday, 31 October 2018, 16:29	—	7.5 HIGH
nc-cms through 2017-03-10 allows remote attackers to execute arbitrary PHP code via the "Upload File or Image" feature, with a .php filename and "Content-Type: application/octet-stream" to the index.php?action=file_manager_upload URI.
CVE-2018-18361 ↗	Oct 15, 2018Monday, 15 October 2018, 15:29	—	4.3 MEDIUM
An issue was discovered in nc-cms through 2017-03-10. index.php?action=edit_html allows XSS via the name parameter, as demonstrated by a value beginning with home_content and containing a crafted SRC attribute of an IMG element.
CVE-2018-18290 ↗	Oct 14, 2018Sunday, 14 October 2018, 21:29	—	3.5 LOW
An issue was discovered in nc-cms through 2017-03-10. index.php?action=edit_html&name=home_content allows XSS via the HTML Source Editor. NOTE: the vendor disputes this because the form requires administrator privileges, and entering JavaScript is supported functionality