Codoforum

codoforum

Vendor: Codologic • 15 CVEs

CVEs (15)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2020-22540 1Codologic 1Codoforum Apr 18, 2025 Apr 15, 2024 N/A· v4 5.4 MEDIUM· v3 N/A· v2 Stored Cross-Site Scripting (XSS) vulnerability in Codoforum v4.9, allows attackers to execute arbitrary code and obtain sensitive information via crafted payload to Category name component.
CVE-2020-22539 1Codologic 1Codoforum Apr 18, 2025 Apr 15, 2024 N/A· v4 7.2 HIGH· v3 N/A· v2 An arbitrary file upload vulnerability in the Add Category function of Codoforum v4.9 allows attackers to execute arbitrary code via uploading a crafted file.
CVE-2022-31854 1Codologic 1Codoforum Nov 21, 2024 Jul 7, 2022 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 Codoforum v5.1 was discovered to contain an arbitrary file upload vulnerability via the logo change option in the admin panel.
CVE-2020-25879 1Codologic 1Codoforum Nov 21, 2024 Jul 9, 2021 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 A stored cross site scripting (XSS) vulnerability in the 'Manage Users' feature of Codoforum v5.0.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Username...Show more A stored cross site scripting (XSS) vulnerability in the 'Manage Users' feature of Codoforum v5.0.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Username' parameter.Show less
CVE-2020-25876 1Codologic 1Codoforum Nov 21, 2024 Jul 9, 2021 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 A stored cross site scripting (XSS) vulnerability in the 'Pages' feature of Codoforum v5.0.2 allows authenticated attackers to execute arbitrary web scripts or HTML via crafted payload entered into the 'Page Title' param...Show more A stored cross site scripting (XSS) vulnerability in the 'Pages' feature of Codoforum v5.0.2 allows authenticated attackers to execute arbitrary web scripts or HTML via crafted payload entered into the 'Page Title' parameter.Show less
CVE-2020-25875 1Codologic 1Codoforum Nov 21, 2024 Jul 9, 2021 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 A stored cross site scripting (XSS) vulnerability in the 'Smileys' feature of Codoforum v5.0.2 allows authenticated attackers to execute arbitrary web scripts or HTML via crafted payload entered into the 'Smiley Code' pa...Show more A stored cross site scripting (XSS) vulnerability in the 'Smileys' feature of Codoforum v5.0.2 allows authenticated attackers to execute arbitrary web scripts or HTML via crafted payload entered into the 'Smiley Code' parameter.Show less
CVE-2020-13873 1Codologic 1Codoforum Nov 21, 2024 May 12, 2021 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 A SQL Injection vulnerability in get_topic_info() in sys/CODOF/Forum/Topic.php in Codoforum before 4.9 allows remote attackers (pre-authentication) to bypass the admin page via a leaked password-reset token of the admin....Show more A SQL Injection vulnerability in get_topic_info() in sys/CODOF/Forum/Topic.php in Codoforum before 4.9 allows remote attackers (pre-authentication) to bypass the admin page via a leaked password-reset token of the admin. (As an admin, an attacker can upload a PHP shell and execute remote code on the operating system.)Show less
CVE-2020-9007 1Codologic 1Codoforum Nov 21, 2024 Feb 16, 2020 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 Codoforum 4.8.8 allows self-XSS via the title of a new topic.
CVE-2020-7050 1Codologic 1Codoforum Nov 21, 2024 Feb 15, 2020 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 Codologic Codoforum through 4.8.4 allows a DOM-based XSS. While creating a new topic as a normal user, it is possible to add a poll that is automatically loaded in the DOM once the thread/topic is opened. Because session...Show more Codologic Codoforum through 4.8.4 allows a DOM-based XSS. While creating a new topic as a normal user, it is possible to add a poll that is automatically loaded in the DOM once the thread/topic is opened. Because session cookies lack the HttpOnly flag, it is possible to steal authentication cookies and take over accounts.Show less
CVE-2020-7051 1Codologic 1Codoforum Nov 21, 2024 Feb 13, 2020 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 Codologic Codoforum through 4.8.4 allows stored XSS in the login area. This is relevant in conjunction with CVE-2020-5842 because session cookies lack the HttpOnly flag. The impact is account takeover.
CVE-2020-5842 1Codologic 1Codoforum Nov 21, 2024 Jan 7, 2020 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 Codoforum 4.8.3 allows XSS in the user registration page: via the username field to the index.php?u=/user/register URI. The payload is, for example, executed on the admin/index.php?page=users/manage page.
CVE-2020-5843 1Codologic 1Codoforum Nov 21, 2024 Jan 7, 2020 N/A· v4 4.8 MEDIUM· v3 3.5 LOW· v2 Codoforum 4.8.3 allows XSS in the admin dashboard via a category to the Manage Users screen.
CVE-2020-5306 1Codologic 1Codoforum Nov 21, 2024 Jan 5, 2020 N/A· v4 4.8 MEDIUM· v3 3.5 LOW· v2 Codoforum 4.8.3 allows XSS via a post using parameters display name, title name, or content.
CVE-2020-5305 1Codologic 1Codoforum Nov 21, 2024 Jan 5, 2020 N/A· v4 4.8 MEDIUM· v3 3.5 LOW· v2 Codoforum 4.8.3 allows XSS in the admin dashboard via a name field of a new user, i.e., on the Manage Users screen.
CVE-2014-9261 1Codologic 1Codoforum May 6, 2026 Mar 23, 2015 N/A· v4 N/A· v3 5.0 MEDIUM· v2 The sanitize function in Codoforum 2.5.1 does not properly implement filtering for directory traversal sequences, which allows remote attackers to read arbitrary files via a .. (dot dot) in the path parameter to index.ph...Show more The sanitize function in Codoforum 2.5.1 does not properly implement filtering for directory traversal sequences, which allows remote attackers to read arbitrary files via a .. (dot dot) in the path parameter to index.php.Show less