Vulnerabilities for 'Phpmywind'

2021-10-14
 
CVE-2020-19964

CWE-352
 

 
A Cross Site Request Forgery (CSRF) vulnerability was discovered in PHPMyWind 5.6 which allows attackers to create a new administrator account without authentication.

 
2021-09-07
 
CVE-2021-39503

CWE-94
 

 
PHPMyWind 5.6 is vulnerable to Remote Code Execution. Because input is filtered without "<, >, ?, =, `,...." in the WriteConfig() function, an attacker can inject PHP code into the /include/config.cache.php file.

 
2021-08-20
 
CVE-2020-18885

CWE-77
 

 
Command Injection in PHPMyWind v5.6 allows remote attackers to execute arbitrary code via the "text color" field of the component '/admin/web_config.php'.

 
 
CVE-2020-18886

CWE-434
 

 
Unrestricted File Upload in PHPMyWind v5.6 allows remote attackers to execute arbitrary code via the component 'admin/upload_file_do.php'.

 
2021-05-27
 
CVE-2020-18229

CWE-79
 

 
Cross Site Scripting (XSS) in PHPMyWind v5.5 allows remote attackers to execute arbitrary code by injecting scripts into the parameter "$cfg_copyright" of component "/admin/web_config.php".

 
 
CVE-2020-18230

CWE-79
 

 
Cross Site Scripting (XSS) in PHPMyWind v5.5 allows remote attackers to execute arbitrary code by injecting scripts into the parameter "$cfg_switchshow" of component "/admin/web_config.php".

 
2019-09-23
 
CVE-2019-16704

CWE-79
 

 
admin/infoclass_update.php in PHPMyWind 5.6 has stored XSS.

 
 
CVE-2019-16703

CWE-79
 

 
admin/infolist_add.php in PHPMyWind 5.6 has stored XSS.

 
2019-03-07
 
CVE-2019-7661

CWE-79
 

 
An issue was discovered in PHPMyWind 5.5. The method parameter of the data/api/oauth/connect.php page has a reflected Cross-site Scripting (XSS) vulnerability.

 
 
CVE-2019-7660

CWE-79
 

 
An issue was discovered in PHPMyWind 5.5. The username parameter of the /install/index.php page has a stored Cross-site Scripting (XSS) vulnerability, as demonstrated by admin/login.php.

 


Copyright 2024, cxsecurity.com

 
