← Back

Yxcms

yxcms

5 CVEs • 1 product

Products (1)

Click to collapse
Toggle
Yxcms
yxcms
5 CVEs

CVEs (5)

CVE
VENDORS
PRODUCTS
UPDATED
PUBLISHED
CVSS
CVE-2018-19404
1Yxcms
1Yxcms
Nov 21, 2024
Nov 21, 2018
N/A· v4
7.2 HIGH· v3
6.5 MEDIUM· v2
In YXcms 1.4.7, protected/apps/appmanage/controller/indexController.php allow remote authenticated Administrators to execute any PHP code by creating a ZIP archive containing a config.php file, hosting the .zip file at a...Show more
In YXcms 1.4.7, protected/apps/appmanage/controller/indexController.php allow remote authenticated Administrators to execute any PHP code by creating a ZIP archive containing a config.php file, hosting the .zip file at an external URL, and visiting index.php?r=appmanage/index/onlineinstall&url= followed by that URL. This is related to the onlineinstall and import functions.Show less
CVE-2018-13025
1Yxcms
1Yxcms
Nov 21, 2024
Jun 29, 2018
N/A· v4
4.9 MEDIUM· v3
5.5 MEDIUM· v2
protected/apps/admin/controller/photoController.php in YXcms 1.4.7 allows remote attackers to delete arbitrary files via the index.php?r=admin/photo/delpic picname parameter.
CVE-2018-11003
1Yxcms
1Yxcms
Nov 21, 2024
May 12, 2018
N/A· v4
6.5 MEDIUM· v3
4.3 MEDIUM· v2
An issue was discovered in YXcms 1.4.7. Cross-site request forgery (CSRF) vulnerability in protected/apps/admin/controller/adminController.php allows remote attackers to delete administrator accounts via index.php?r=admi...Show more
An issue was discovered in YXcms 1.4.7. Cross-site request forgery (CSRF) vulnerability in protected/apps/admin/controller/adminController.php allows remote attackers to delete administrator accounts via index.php?r=admin/admin/admindel.Show less
CVE-2018-8805
1Yxcms
1Yxcms
Nov 21, 2024
Mar 20, 2018
N/A· v4
6.1 MEDIUM· v3
4.3 MEDIUM· v2
Yxcms building system (compatible cell phone) v1.4.7 has XSS via the content parameter to protected\apps\default\view\default\extend_guestbook.php or protected\apps\default\view\mobile\extend_guestbook.php in an index.ph...Show more
Yxcms building system (compatible cell phone) v1.4.7 has XSS via the content parameter to protected\apps\default\view\default\extend_guestbook.php or protected\apps\default\view\mobile\extend_guestbook.php in an index.php?r=default/column/index&col=guestbook request.Show less
CVE-2018-8761
1Yxcms
1Yxcms
Nov 21, 2024
Mar 19, 2018
N/A· v4
7.5 HIGH· v3
5.0 MEDIUM· v2
protected\apps\member\controller\shopcarController.php in Yxcms building system (compatible cell phone) v1.4.7 has a logic flaw allowing attackers to modify a price, before form submission, by observing data in a packet...Show more
protected\apps\member\controller\shopcarController.php in Yxcms building system (compatible cell phone) v1.4.7 has a logic flaw allowing attackers to modify a price, before form submission, by observing data in a packet capture.Show less