jbroadway/elefant

jbroadway/elefant

www.elefantcms.com

Releases125

Frequency1 month 1 week

Last Release over 1 year ago

Stars211

Elefant, the refreshingly simple PHP CMS and web framework.

Log in to subscribe

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2018-16974 ↗	Sep 12, 2018Wednesday, 12 September 2018, 21:29	—	7.5 HIGH
An issue was discovered in Elefant CMS before 2.0.7. There is a PHP Code Execution Vulnerability in apps/filemanager/upload/drop.php by using /filemanager/api/rm/.htaccess to remove the .htaccess file, and then using a filename that ends in .php followed by space characters (for bypassing the blacklist).
CVE-2018-16975 ↗	Sep 12, 2018Wednesday, 12 September 2018, 21:29	—	7.5 HIGH
An issue was discovered in Elefant CMS before 2.0.7. There is a PHP Code Execution Vulnerability in /designer/add/stylesheet.php by using a .php extension in the New Stylesheet Name field in conjunction with <?php content, because of insufficient input validation in apps/designer/handlers/csspreview.php.
CVE-2018-16387 ↗	Sep 3, 2018Monday, 3 September 2018, 02:29	—	6.8 MEDIUM
An issue was discovered in Elefant CMS before 2.0.5. There is a CSRF vulnerability that can add an account via user/add.
CVE-2018-15601 ↗	Aug 21, 2018Tuesday, 21 August 2018, 02:29	—	7.5 HIGH
apps/filemanager/handlers/upload/drop.php in Elefant CMS 2.0.3 performs a urldecode step too late in the "Cannot upload executable files" protection mechanism.