Navigate Cms

navigate_cms

Vendor: Naviwebs • 22 CVEs

CVEs (22)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2020-37054 1Naviwebs 1Navigate Cms Feb 13, 2026 Jan 30, 2026 5.1 MEDIUM· v4 8.8 HIGH· v3 N/A· v2 Navigate CMS 2.8.7 contains a cross-site request forgery vulnerability that allows attackers to upload malicious extensions through a crafted HTML page. Attackers can trick authenticated administrators into executing arb...Show more Navigate CMS 2.8.7 contains a cross-site request forgery vulnerability that allows attackers to upload malicious extensions through a crafted HTML page. Attackers can trick authenticated administrators into executing arbitrary file uploads by leveraging the extension upload functionality without additional validation.Show less
CVE-2020-37053 1Naviwebs 1Navigate Cms Feb 13, 2026 Jan 30, 2026 7.1 HIGH· v4 6.5 MEDIUM· v3 N/A· v2 Navigate CMS 2.8.7 contains an authenticated SQL injection vulnerability that allows attackers to leak database information by manipulating the 'sidx' parameter in comments. Attackers can exploit the vulnerability to ext...Show more Navigate CMS 2.8.7 contains an authenticated SQL injection vulnerability that allows attackers to leak database information by manipulating the 'sidx' parameter in comments. Attackers can exploit the vulnerability to extract user activation keys by using time-based blind SQL injection techniques, potentially enabling password reset for administrative accounts.Show less
CVE-2022-28117 1Naviwebs 1Navigate Cms Nov 21, 2024 Apr 28, 2022 N/A· v4 4.9 MEDIUM· v3 4.0 MEDIUM· v2 A Server-Side Request Forgery (SSRF) in feed_parser class of Navigate CMS v2.9.4 allows remote attackers to force the application to make arbitrary requests via injection of arbitrary URLs into the feed parameter.
CVE-2021-44299 1Naviwebs 1Navigate Cms Nov 21, 2024 Jan 19, 2022 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 A reflected cross-site scripting (XSS) vulnerability in \lib\packages\themes\themes.php of Navigate CMS v2.9.4 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload.
CVE-2021-44351 1Naviwebs 1Navigate Cms Nov 21, 2024 Jan 6, 2022 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 An arbitrary file read vulnerability exists in NavigateCMS 2.9 via /navigate/navigate_download.php id parameter.
CVE-2021-36455 1Naviwebs 1Navigate Cms Nov 21, 2024 Aug 6, 2021 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 SQL Injection vulnerability in Naviwebs Navigate CMS 2.9 via the quicksearch parameter in \lib\packages\comments\comments.php.
CVE-2021-36454 1Naviwebs 1Navigate Cms Nov 21, 2024 Aug 6, 2021 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 Cross Site Scripting (XSS) vulnerability in Naviwebs Navigate Cms 2.9 via the navigate-quickse parameter to 1) backups\backups.php, 2) blocks\blocks.php, 3) brands\brands.php, 4) comments\comments.php, 5) coupons\coupons...Show more Cross Site Scripting (XSS) vulnerability in Naviwebs Navigate Cms 2.9 via the navigate-quickse parameter to 1) backups\backups.php, 2) blocks\blocks.php, 3) brands\brands.php, 4) comments\comments.php, 5) coupons\coupons.php, 6) feeds\feeds.php, 7) functions\functions.php, 8) items\items.php, 9) menus\menus.php, 10) orders\orders.php, 11) payment_methods\payment_methods.php, 12) products\products.php, 13) profiles\profiles.php, 14) shipping_methods\shipping_methods.php, 15) templates\templates.php, 16) users\users.php, 17) webdictionary\webdictionary.php, 18) websites\websites.php, and 19) webusers\webusers.php because the initial_url function is built in these files.Show less
CVE-2020-23711 1Naviwebs 1Navigate Cms Nov 21, 2024 Jun 28, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 SQL Injection vulnerability in NavigateCMS 2.9 via the URL encoded GET input category in navigate.php.
CVE-2020-14018 1Naviwebs 1Navigate Cms Nov 21, 2024 Jun 24, 2020 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 An issue was discovered in Navigate CMS 2.9 r1433. There is a stored XSS vulnerability that is executed on the page to view users, and on the page to edit users. This is present in both the User field and the E-Mail fiel...Show more An issue was discovered in Navigate CMS 2.9 r1433. There is a stored XSS vulnerability that is executed on the page to view users, and on the page to edit users. This is present in both the User field and the E-Mail field. On the Edit user page, the XSS is only triggered via the E-Mail field; however, on the View user page the XSS is triggered via either the User field or the E-Mail field.Show less
CVE-2020-14017 1Naviwebs 1Navigate Cms Nov 21, 2024 Jun 24, 2020 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 An issue was discovered in Navigate CMS 2.9 r1433. Sessions, as well as associated information such as CSRF tokens, are stored in cleartext files in the directory /private/sessions. An unauthenticated user could use a br...Show more An issue was discovered in Navigate CMS 2.9 r1433. Sessions, as well as associated information such as CSRF tokens, are stored in cleartext files in the directory /private/sessions. An unauthenticated user could use a brute-force approach to attempt to identify existing sessions, or view the contents of this file to discover details about a session.Show less
CVE-2020-14016 1Naviwebs 1Navigate Cms Nov 21, 2024 Jun 24, 2020 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 An issue was discovered in Navigate CMS 2.9 r1433. The forgot-password feature allows users to reset their passwords by using either their username or the email address associated with their account. However, the feature...Show more An issue was discovered in Navigate CMS 2.9 r1433. The forgot-password feature allows users to reset their passwords by using either their username or the email address associated with their account. However, the feature returns a not_found message when the provided username or email address does not match a user in the system. This can be used to enumerate users.Show less
CVE-2020-14015 1Naviwebs 1Navigate Cms Nov 21, 2024 Jun 24, 2020 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 An issue was discovered in Navigate CMS 2.9 r1433. When performing a password reset, a user is emailed an activation code that allows them to reset their password. There is, however, a flaw when no activation code is sup...Show more An issue was discovered in Navigate CMS 2.9 r1433. When performing a password reset, a user is emailed an activation code that allows them to reset their password. There is, however, a flaw when no activation code is supplied. The system will allow an unauthorized user to continue setting a password, even though no activation code was supplied, setting the password for the most recently created user in the system (the user with the highest user id).Show less
CVE-2020-14014 1Naviwebs 1Navigate Cms Nov 21, 2024 Jun 24, 2020 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 An issue was discovered in Navigate CMS 2.8 and 2.9 r1433. The query parameter fid on the resource navigate.php does not perform sufficient data validation and/or encoding, making it vulnerable to reflected XSS.
CVE-2020-14927 1Naviwebs 1Navigate Cms Nov 21, 2024 Jun 19, 2020 N/A· v4 4.8 MEDIUM· v3 3.5 LOW· v2 Navigate CMS 2.9 allows XSS via the Alias or Real URL field of the "Web Sites > Create > Aliases > Add" screen.
CVE-2020-13798 1Naviwebs 1Navigate Cms Nov 21, 2024 Jun 3, 2020 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 An issue was discovered in Navigate CMS through 2.8.7. It allows XSS because of a lack of purify calls in lib/packages/feeds/feed.class.php.
CVE-2020-13797 1Naviwebs 1Navigate Cms Nov 21, 2024 Jun 3, 2020 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 An issue was discovered in Navigate CMS through 2.8.7. It allows XSS because of a lack of purify calls in lib/packages/websites/website.class.php.
CVE-2020-13796 1Naviwebs 1Navigate Cms Nov 21, 2024 Jun 3, 2020 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 An issue was discovered in Navigate CMS through 2.8.7. It allows XSS because of a lack of purify calls in lib/packages/structure/structure.class.php.
CVE-2020-13795 1Naviwebs 1Navigate Cms Nov 21, 2024 Jun 3, 2020 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 An issue was discovered in Navigate CMS through 2.8.7. It allows Directory Traversal because lib/packages/templates/template.class.php mishandles ../ and ..\ substrings.
CVE-2018-18029 1Naviwebs 1Navigate Cms Nov 21, 2024 Oct 9, 2018 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 Navigate CMS has Stored XSS via the navigate.php Title field in an edit action.
CVE-2018-17849 1Naviwebs 1Navigate Cms Nov 21, 2024 Oct 4, 2018 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 Navigate CMS 2.8 has Stored XSS via a navigate_upload.php (aka File Upload) request with a multipart/form-data JavaScript payload.

12 Next