xujeff/tianti on GitHub
java轻量级的CMS解决方案-天梯。天梯是一个用java相关技术搭建的后台CMS解决方案,用户可以结合自身业务进行相应扩展,同时提供了针对dao、service等的代码生成工具。技术选型:Spring Data JPA、Hibernate、Shiro、 Spring MVC、Layer、Mysql等。
CVE History
| CVE | Published | CVSS v2 | CVSS v3 |
|---|---|---|---|
| CVE-2018-19109 | 8.8 HIGH | 6.5 MEDIUM | |
| tianti 2.3 allows remote authenticated users to bypass intended permission restrictions by visiting tianti-module-admin/cms/column/list directly to read the column list page or edit a column. | |||
| CVE-2018-19110 | 6.5 MEDIUM | 4 MEDIUM | |
| The skin-management feature in tianti 2.3 allows remote authenticated users to bypass intended permission restrictions by visiting tianti-module-admin/user/skin/list directly because controller\usercontroller.java maps a /skin/list request to the function skinList, and lacks an authorization check. | |||
| CVE-2018-19089 | 5.4 MEDIUM | 3.5 LOW | |
| tianti 2.3 has stored XSS in the userlist module via the tianti-module-admin/user/ajax/save_role name parameter, which is mishandled in tianti-module-admin\src\main\webapp\WEB-INF\views\user\user_list.jsp. | |||
| CVE-2018-19090 | 5.4 MEDIUM | 3.5 LOW | |
| tianti 2.3 has stored XSS in the article management module via an article title. | |||
| CVE-2018-19091 | 5.4 MEDIUM | 3.5 LOW | |
| tianti 2.3 has reflected XSS in the user management module via the tianti-module-admin/user/list userName parameter. | |||