Metinfo

metinfo

60 CVEs • 1 product

Products (1)

Click to collapse

Toggle

Metinfo

metinfo

60 CVEs

CVEs (60)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2026-29014 1Metinfo 1Metinfo Apr 7, 2026 Apr 1, 2026 9.3 CRITICAL· v4 9.8 CRITICAL· v3 N/A· v2 MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability that allows remote attackers to execute arbitrary code by sending crafted requests with malicious PHP code. Attackers can...Show more MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability that allows remote attackers to execute arbitrary code by sending crafted requests with malicious PHP code. Attackers can exploit insufficient input neutralization in the execution path to achieve remote code execution and gain full control over the affected server.Show less
CVE-2025-63551 1Metinfo 1Metinfo Feb 4, 2026 Nov 6, 2025 N/A· v4 7.5 HIGH· v3 N/A· v2 A Server-Side Request Forgery (SSRF) vulnerability, achievable through an XML External Entity (XXE) injection, exists in MetInfo Content Management System (CMS) thru 8.1. This flaw stems from a defect in the XML parsing...Show more A Server-Side Request Forgery (SSRF) vulnerability, achievable through an XML External Entity (XXE) injection, exists in MetInfo Content Management System (CMS) thru 8.1. This flaw stems from a defect in the XML parsing logic, which allows an attacker to construct a malicious XML entity that forces the server to initiate an HTTP request to an arbitrary internal or external network address. Successful exploitation could lead to internal network reconnaissance, port scanning, or the retrieval of sensitive information. The vulnerability may be present in the backend API called by or associated with the path `/admin/#/webset/?head_tab_active=0`, where user-provided XML data is processed.Show less
CVE-2025-60454 1Metinfo 1Metinfo Oct 7, 2025 Oct 3, 2025 N/A· v4 6.1 MEDIUM· v3 N/A· v2 A stored Cross-Site Scripting (XSS) vulnerability has been discovered in MetInfo CMS version 8.0. The vulnerability exists in the image management module, specifically in the app\system\img\admin\img_admin.class.php comp...Show more A stored Cross-Site Scripting (XSS) vulnerability has been discovered in MetInfo CMS version 8.0. The vulnerability exists in the image management module, specifically in the app\system\img\admin\img_admin.class.php component. The vulnerability allows attackers to upload malicious SVG files containing JavaScript code that executes when the uploaded file is viewed or accessed by users.Show less
CVE-2025-60453 1Metinfo 1Metinfo Oct 7, 2025 Oct 3, 2025 N/A· v4 6.1 MEDIUM· v3 N/A· v2 A stored Cross-Site Scripting (XSS) vulnerability has been discovered in MetInfo CMS version 8.0. The vulnerability exists in the column management module, specifically in the app\system\column\admin\index.class.php comp...Show more A stored Cross-Site Scripting (XSS) vulnerability has been discovered in MetInfo CMS version 8.0. The vulnerability exists in the column management module, specifically in the app\system\column\admin\index.class.php component. The vulnerability allows attackers to upload malicious SVG files containing JavaScript code that executes when the uploaded file is viewed or accessed by users.Show less
CVE-2025-60452 1Metinfo 1Metinfo Oct 7, 2025 Oct 3, 2025 N/A· v4 6.1 MEDIUM· v3 N/A· v2 A stored Cross-Site Scripting (XSS) vulnerability has been discovered in MetInfo CMS version 8.0. The vulnerability exists in the download management module, specifically in the app\system\download\admin\download_admin.c...Show more A stored Cross-Site Scripting (XSS) vulnerability has been discovered in MetInfo CMS version 8.0. The vulnerability exists in the download management module, specifically in the app\system\download\admin\download_admin.class.php component. The vulnerability allows attackers to upload malicious SVG files containing JavaScript code that executes when the uploaded file is viewed or accessed by users.Show less
CVE-2025-60451 1Metinfo 1Metinfo Oct 7, 2025 Oct 3, 2025 N/A· v4 6.1 MEDIUM· v3 N/A· v2 A stored Cross-Site Scripting (XSS) vulnerability has been discovered in MetInfo CMS version 8.0. The vulnerability exists due to insufficient validation and sanitization of SVG file uploads in the app\system\include\mod...Show more A stored Cross-Site Scripting (XSS) vulnerability has been discovered in MetInfo CMS version 8.0. The vulnerability exists due to insufficient validation and sanitization of SVG file uploads in the app\system\include\module\uploadify.class.php component, specifically in the website settings module. This security flaw allows attackers to upload malicious SVG files containing JavaScript code that executes when the uploaded file is viewed or accessed.Show less
CVE-2025-60450 1Metinfo 1Metinfo Oct 7, 2025 Oct 3, 2025 N/A· v4 6.1 MEDIUM· v3 N/A· v2 A stored Cross-Site Scripting (XSS) vulnerability has been discovered in MetInfo CMS version 8.0. The vulnerability exists due to insufficient validation and sanitization of SVG file uploads in the app\system\include\mod...Show more A stored Cross-Site Scripting (XSS) vulnerability has been discovered in MetInfo CMS version 8.0. The vulnerability exists due to insufficient validation and sanitization of SVG file uploads in the app\system\include\module\editor\Uploader.class.php component. This security flaw allows attackers to upload malicious SVG files containing JavaScript code that executes when the uploaded file is viewed or accessed.Show less
CVE-2022-44849 1Metinfo 1Metinfo Apr 23, 2025 Dec 7, 2022 N/A· v4 8.8 HIGH· v3 N/A· v2 A Cross-Site Request Forgery (CSRF) in the Administrator List of MetInfo v7.7 allows attackers to arbitrarily add Super Administrator account.
CVE-2022-23335 1Metinfo 1Metinfo Nov 21, 2024 Feb 14, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Metinfo v7.5.0 was discovered to contain a SQL injection vulnerability in language_general.class.php via doModifyParameter.
CVE-2022-22295 1Metinfo 1Metinfo Nov 21, 2024 Feb 14, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Metinfo v7.5.0 was discovered to contain a SQL injection vulnerability in parameter_admin.class.php via the table_para parameter.
CVE-2020-20600 1Metinfo 1Metinfo Nov 21, 2024 Dec 22, 2021 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 MetInfo 7.0 beta contains a stored cross-site scripting (XSS) vulnerability in the $name parameter of admin/?n=column&c=index&a=doAddColumn.
CVE-2020-21127 1Metinfo 1Metinfo Nov 21, 2024 Sep 15, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 MetInfo 7.0.0 contains a SQL injection vulnerability via admin/?n=logs&c=index&a=dodel.
CVE-2020-21126 1Metinfo 1Metinfo Nov 21, 2024 Sep 15, 2021 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 MetInfo 7.0.0 contains a Cross-Site Request Forgery (CSRF) via admin/?n=admin&c=index&a=doSaveInfo.
CVE-2020-20981 1Metinfo 1Metinfo Nov 21, 2024 Aug 12, 2021 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 A SQL injection in the /admin/?n=logs&c=index&a=dolist component of Metinfo 7.0 allows attackers to access sensitive database information.
CVE-2020-19305 1Metinfo 1Metinfo Nov 21, 2024 Aug 3, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 An issue in /app/system/column/admin/index.class.php of Metinfo v7.0.0 causes the indeximg parameter to be deleted when the column is deleted, allowing attackers to escalate privileges.
CVE-2020-19304 1Metinfo 1Metinfo Nov 21, 2024 Aug 3, 2021 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 An issue in /admin/index.php?n=system&c=filept&a=doGetFileList of Metinfo v7.0.0 allows attackers to perform a directory traversal and access sensitive information.
CVE-2020-18175 1Metinfo 1Metinfo Nov 21, 2024 Jul 30, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 SQL Injection vulnerability in Metinfo 6.1.3 via a dosafety_emailadd action in basic.php.
CVE-2020-18157 1Metinfo 1Metinfo Nov 21, 2024 Jul 30, 2021 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Cross Site Request Forgery (CSRF) vulnerability in MetInfo 6.1.3 via a doaddsave action in admin/index.php.
CVE-2020-21133 1Metinfo 1Metinfo Nov 21, 2024 Jul 12, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 SQL Injection vulnerability in Metinfo 7.0.0 beta in member/getpassword.php?lang=cn&a=dovalid.
CVE-2020-21132 1Metinfo 1Metinfo Nov 21, 2024 Jul 12, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 SQL Injection vulnerability in Metinfo 7.0.0beta in index.php.

12 3 Next