taosir/wtcms

GitHub

github.com

Releases0

Stars113

基于thinkphp的内容管理系统，可快速搭建个人博客、公司学校官网、新闻类站点。

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2024-48237 ↗	Oct 25, 2024Friday, 25 October 2024, 22:15	9.8 CRITICAL	—
WTCMS 1.0 is vulnerable to Incorrect Access Control in \Common\Controller\HomebaseController.class.php.
CVE-2024-48239 ↗	Oct 25, 2024Friday, 25 October 2024, 22:15	4.8 MEDIUM	—
An issue was discovered in WTCMS 1.0. In the plupload method in \AssetController.class.php, the app parameters aren't processed, resulting in Cross Site Scripting (XSS).
CVE-2024-48238 ↗	Oct 25, 2024Friday, 25 October 2024, 22:15	4.7 MEDIUM	—
WTCMS 1.0 is vulnerable to SQL Injection in the edit_post method of /Admin\Controller\NavControl.class.php via the parentid parameter.
CVE-2020-20348 ↗	Sep 1, 2021Wednesday, 1 September 2021, 22:15	5.4 MEDIUM	3.5 LOW
WTCMS 1.0 contains a stored cross-site scripting (XSS) vulnerability in the link field under the background menu management module.
CVE-2020-20343 ↗	Sep 1, 2021Wednesday, 1 September 2021, 22:15	6.5 MEDIUM	4.3 MEDIUM
WTCMS 1.0 contains a cross-site request forgery (CSRF) vulnerability in the index.php?g=admin&m=nav&a=add_post component that allows attackers to arbitrarily add articles in the administrator background.
CVE-2020-20344 ↗	Sep 1, 2021Wednesday, 1 September 2021, 22:15	5.4 MEDIUM	3.5 LOW
WTCMS 1.0 contains a reflective cross-site scripting (XSS) vulnerability in the keyword search function under the background articles module.
CVE-2020-20345 ↗	Sep 1, 2021Wednesday, 1 September 2021, 22:15	5.4 MEDIUM	3.5 LOW
WTCMS 1.0 contains a reflective cross-site scripting (XSS) vulnerability in the page management background which allows attackers to obtain cookies via a crafted payload entered into the search box.
CVE-2020-20347 ↗	Sep 1, 2021Wednesday, 1 September 2021, 22:15	5.4 MEDIUM	3.5 LOW
WTCMS 1.0 contains a stored cross-site scripting (XSS) vulnerability in the source field under the article management module.
CVE-2020-20349 ↗	Sep 1, 2021Wednesday, 1 September 2021, 22:15	5.4 MEDIUM	3.5 LOW
WTCMS 1.0 contains a stored cross-site scripting (XSS) vulnerability in the link address field under the background links module.
CVE-2019-8911 ↗	Feb 18, 2019Monday, 18 February 2019, 18:29	—	4.3 MEDIUM
An issue was discovered in WTCMS 1.0. It has stored XSS via the third text box (for the website statistics code).
CVE-2019-8910 ↗	Feb 18, 2019Monday, 18 February 2019, 18:29	—	6.8 MEDIUM
An issue was discovered in WTCMS 1.0. It allows index.php?g=admin&m=setting&a=site_post CSRF.
CVE-2019-8909 ↗	Feb 18, 2019Monday, 18 February 2019, 18:29	—	5 MEDIUM
An issue was discovered in WTCMS 1.0. It allows remote attackers to cause a denial of service (resource consumption) via crafted dimensions for the verification code image.
CVE-2019-8908 ↗	Feb 18, 2019Monday, 18 February 2019, 18:29	—	7.5 HIGH
An issue was discovered in WTCMS 1.0. It allows remote attackers to execute arbitrary PHP code by going to the "Setting -> Mailbox configuration -> Registration email template" screen, and uploading an image file, as demonstrated by a .php filename and the "Content-Type: image/gif" header.
CVE-2018-10267 ↗	Apr 22, 2018Sunday, 22 April 2018, 01:29	—	6.8 MEDIUM
WTCMS 1.0 has a CSRF vulnerability to add an administrator account via the index.php?admin&m=user&a=add_post URI.