weng-xianhu/eyoucms

GitHub

github.com

Releases1

Frequency

Last Release almost 5 years ago

Stars103

EyouCms是基于TP5.0框架为核心开发的免费+开源的企业内容管理系统，专注企业建站用户需求。提供海量各行业模板，降低中小企业网站建设、网络营销成本，致力于打造用户舒适的建站体验。这是一套安全、简洁、免费的流行CMS，包含完整后台管理、前台展示，直接下载安装即可使用。演示网址：http://demo.eyoucms.com 官方网站：http://www.eyoucms.com

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2025-65868 ↗	Dec 3, 2025Wednesday, 3 December 2025, 21:15	7.5 HIGH	—
XML external entity (XXE) injection in eyoucms v1.7.1 allows remote attackers to cause a denial of service via crafted body of a POST request.
CVE-2024-23034 ↗	Feb 1, 2024Thursday, 1 February 2024, 23:15	6.1 MEDIUM	—
Cross Site Scripting vulnerability in the input parameter in eyoucms v.1.6.5 allows a remote attacker to run arbitrary code via crafted URL.
CVE-2024-23033 ↗	Feb 1, 2024Thursday, 1 February 2024, 23:15	6.1 MEDIUM	—
Cross Site Scripting vulnerability in the path parameter in eyoucms v.1.6.5 allows a remote attacker to run arbitrary code via crafted URL.
CVE-2024-23032 ↗	Feb 1, 2024Thursday, 1 February 2024, 23:15	6.1 MEDIUM	—
Cross Site Scripting vulnerability in num parameter in eyoucms v.1.6.5 allows a remote attacker to run arbitrary code via crafted URL.
CVE-2024-23031 ↗	Feb 1, 2024Thursday, 1 February 2024, 23:15	6.1 MEDIUM	—
Cross Site Scripting (XSS) vulnerability in is_water parameter in eyoucms v.1.6.5 allows a remote attacker to run arbitrary code via crafted URL.
CVE-2024-22927 ↗	Feb 1, 2024Thursday, 1 February 2024, 23:15	6.1 MEDIUM	—
Cross Site Scripting (XSS) vulnerability in the func parameter in eyoucms v.1.6.5 allows a remote attacker to run arbitrary code via crafted URL.
CVE-2023-50566 ↗	Dec 14, 2023Thursday, 14 December 2023, 15:15	5.4 MEDIUM	—
A stored cross-site scripting (XSS) vulnerability in EyouCMS-V1.6.5-UTF8-SP1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Public Security Registration Number parameter.
CVE-2023-48880 ↗	Nov 29, 2023Wednesday, 29 November 2023, 16:15	4.8 MEDIUM	—
A stored cross-site scripting (XSS) vulnerability in EyouCMS v1.6.4-UTF8-SP1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Menu Name field at /login.php?m=admin&c=Index&a=changeTableVal&_ajax=1&lang=cn.
CVE-2023-48881 ↗	Nov 29, 2023Wednesday, 29 November 2023, 16:15	4.8 MEDIUM	—
A stored cross-site scripting (XSS) vulnerability in EyouCMS v1.6.4-UTF8-SP1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Field Title field at /login.php?m=admin&c=Field&a=arctype_add&_ajax=1&lang=cn.
CVE-2023-48882 ↗	Nov 29, 2023Wednesday, 29 November 2023, 16:15	4.8 MEDIUM	—
A stored cross-site scripting (XSS) vulnerability in EyouCMS v1.6.4-UTF8-SP1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Document Properties field at /login.php m=admin&c=Index&a=changeTableVal&_ajax=1&lang=cn.
CVE-2023-46935 ↗	Nov 21, 2023Tuesday, 21 November 2023, 07:15	5.4 MEDIUM	—
eyoucms v1.6.4 is vulnerable Cross Site Scripting (XSS), which can lead to stealing sensitive information of logged-in users.
CVE-2023-37645 ↗	Jul 20, 2023Thursday, 20 July 2023, 22:15	5.3 MEDIUM	—
eyoucms v1.6.3 was discovered to contain an information disclosure vulnerability via the component /custom_model_path/recruit.filelist.txt.
CVE-2023-37135 ↗	Jul 6, 2023Thursday, 6 July 2023, 15:15	5.4 MEDIUM	—
A stored cross-site scripting (XSS) vulnerability in the Image Upload module of eyoucms v1.6.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
CVE-2023-37136 ↗	Jul 6, 2023Thursday, 6 July 2023, 15:15	5.4 MEDIUM	—
A stored cross-site scripting (XSS) vulnerability in the Basic Website Information module of eyoucms v1.6.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
CVE-2023-37134 ↗	Jul 6, 2023Thursday, 6 July 2023, 15:15	5.4 MEDIUM	—
A stored cross-site scripting (XSS) vulnerability in the Basic Information module of eyoucms v1.6.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
CVE-2023-37133 ↗	Jul 6, 2023Thursday, 6 July 2023, 15:15	5.4 MEDIUM	—
A stored cross-site scripting (XSS) vulnerability in the Column management module of eyoucms v1.6.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
CVE-2023-37132 ↗	Jul 6, 2023Thursday, 6 July 2023, 15:15	5.4 MEDIUM	—
A stored cross-site scripting (XSS) vulnerability in the custom variables module of eyoucms v1.6.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
CVE-2023-36093 ↗	Jun 22, 2023Thursday, 22 June 2023, 15:15	5.4 MEDIUM	—
There is a storage type cross site scripting (XSS) vulnerability in the filing number of the Basic Information tab on the backend management page of EyouCMS v1.6.3
CVE-2023-34657 ↗	Jun 19, 2023Monday, 19 June 2023, 04:15	4.8 MEDIUM	—
A stored cross-site scripting (XSS) vulnerability in Eyoucms v1.6.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the web_recordnum parameter.
CVE-2023-33492 ↗	Jun 12, 2023Monday, 12 June 2023, 13:15	5.4 MEDIUM	—
EyouCMS 1.6.2 is vulnerable to Cross Site Scripting (XSS).
CVE-2023-31708 ↗	May 23, 2023Tuesday, 23 May 2023, 01:15	4.3 MEDIUM	—
A Cross-Site Request Forgery (CSRF) in EyouCMS v1.6.2 allows attackers to execute arbitrary commands via a supplying a crafted HTML file to the Upload software format function.
CVE-2023-30125 ↗	Apr 28, 2023Friday, 28 April 2023, 14:15	6.1 MEDIUM	—
EyouCms V1.6.1-UTF8-sp1 is vulnerable to Cross Site Scripting (XSS).
CVE-2022-45755 ↗	Feb 8, 2023Wednesday, 8 February 2023, 19:15	5.4 MEDIUM	—
Cross-site scripting (XSS) vulnerability in EyouCMS v1.6.0 allows attackers to execute arbitrary code via the home page description on the basic information page.
CVE-2022-45542 ↗	Jan 20, 2023Friday, 20 January 2023, 19:15	5.4 MEDIUM	—
EyouCMS <= 1.6.0 was discovered a reflected-XSS in the FileManager component in GET parameter "filename" when editing any file.
CVE-2022-45541 ↗	Jan 20, 2023Friday, 20 January 2023, 19:15	6.1 MEDIUM	—
EyouCMS <= 1.6.0 was discovered a reflected-XSS in the article attribute editor component in POST value "value" if the value contains a non-integer char.
CVE-2022-45540 ↗	Jan 20, 2023Friday, 20 January 2023, 19:15	6.1 MEDIUM	—
EyouCMS <= 1.6.0 was discovered a reflected-XSS in article type editor component in POST value "name" if the value contains a malformed UTF-8 char.
CVE-2022-45539 ↗	Jan 20, 2023Friday, 20 January 2023, 19:15	6.1 MEDIUM	—
EyouCMS <= 1.6.0 was discovered a reflected-XSS in FileManager component in GET value "activepath" when creating a new file.
CVE-2022-45538 ↗	Jan 20, 2023Friday, 20 January 2023, 19:15	6.1 MEDIUM	—
EyouCMS <= 1.6.0 was discovered a reflected-XSS in the article publish component in cookie "ENV_GOBACK_URL".
CVE-2022-45537 ↗	Jan 20, 2023Friday, 20 January 2023, 19:15	6.1 MEDIUM	—
EyouCMS <= 1.6.0 was discovered a reflected-XSS in the article publish component in cookie "ENV_LIST_URL".
CVE-2021-39428 ↗	Dec 15, 2022Thursday, 15 December 2022, 19:15	5.4 MEDIUM	—
Cross Site Scripting (XSS) vulnerability in Users.php in eyoucms 1.5.4 allows remote attackers to run arbitrary code and gain escalated privilege via the filename for edit_users_head_pic.
CVE-2022-45280 ↗	Nov 23, 2022Wednesday, 23 November 2022, 21:15	5.4 MEDIUM	—
A cross-site scripting (XSS) vulnerability in the Url parameter in /login.php of EyouCMS v1.6.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
CVE-2022-44389 ↗	Nov 14, 2022Monday, 14 November 2022, 20:15	6.5 MEDIUM	—
EyouCMS V1.5.9-UTF8-SP1 was discovered to contain a Cross-Site Request Forgery (CSRF) via the Edit Admin Profile module. This vulnerability allows attackers to arbitrarily change Administrator account information.
CVE-2022-44387 ↗	Nov 14, 2022Monday, 14 November 2022, 20:15	8.8 HIGH	—
EyouCMS V1.5.9-UTF8-SP1 was discovered to contain a Cross-Site Request Forgery (CSRF) via the Basic Information component under the Edit Member module.
CVE-2022-44390 ↗	Nov 14, 2022Monday, 14 November 2022, 20:15	5.4 MEDIUM	—
A cross-site scripting (XSS) vulnerability in EyouCMS V1.5.9-UTF8-SP1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Public Security Record Number text field.
CVE-2022-43323 ↗	Nov 14, 2022Monday, 14 November 2022, 20:15	8.8 HIGH	—
EyouCMS V1.5.9-UTF8-SP1 was discovered to contain a Cross-Site Request Forgery (CSRF) via the Top Up Balance component under the Edit Member module.
CVE-2022-41500 ↗	Oct 18, 2022Tuesday, 18 October 2022, 23:15	8.8 HIGH	—
EyouCMS V1.5.9 was discovered to contain multiple Cross-Site Request Forgery (CSRF) vulnerabilities via the Members Center, Editorial Membership, and Points Recharge components.
CVE-2022-36225 ↗	Aug 19, 2022Friday, 19 August 2022, 17:15	8.8 HIGH	—
EyouCMS V1.5.8-UTF8-SP1 is vulnerable to Cross Site Request Forgery (CSRF) via the background, column management function and add.
CVE-2022-35509 ↗	Aug 10, 2022Wednesday, 10 August 2022, 20:15	5.4 MEDIUM	—
An issue was discovered in EyouCMS 1.5.8. There is a Storage XSS vulnerability that can allows an attacker to execute arbitrary Web scripts or HTML by injecting a special payload via the title parameter in the foreground contribution, allowing the attacker to obtain sensitive information.
CVE-2022-33122 ↗	Jun 24, 2022Friday, 24 June 2022, 21:15	4.8 MEDIUM	3.5 LOW
A stored cross-site scripting (XSS) vulnerability in eyoucms v1.5.6 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the URL field under the login page.
CVE-2022-26279 ↗	Mar 24, 2022Thursday, 24 March 2022, 22:15	9.8 CRITICAL	7.5 HIGH
EyouCMS v1.5.5 was discovered to have no access control in the component /data/sqldata.
CVE-2021-42194 ↗	Mar 20, 2022Sunday, 20 March 2022, 22:15	7.2 HIGH	6.5 MEDIUM
The wechat_return function in /controller/Index.php of EyouCms V1.5.4-UTF8-SP3 passes the user's input directly into the simplexml_ load_ String function, which itself does not prohibit external entities, triggering a XML external entity (XXE) injection vulnerability.
CVE-2021-46255 ↗	Jan 14, 2022Friday, 14 January 2022, 03:15	8.1 HIGH	5.5 MEDIUM
eyouCMS V1.5.5-UTF8-SP3_1 suffers from Arbitrary file deletion due to insufficient filtering of the parameter filename.
CVE-2020-24000 ↗	Nov 3, 2021Wednesday, 3 November 2021, 17:15	9.8 CRITICAL	7.5 HIGH
SQL Injection vulnerability in eyoucms cms v1.4.7, allows attackers to execute arbitrary code and disclose sensitive information, via the tid parameter to index.php.
CVE-2019-17430 ↗	Oct 10, 2019Thursday, 10 October 2019, 12:10	6.1 MEDIUM	4.3 MEDIUM
EyouCms through 2019-07-11 has XSS related to the login.php web_recordnum parameter.