Vulnerabilities for 'Gxlcms'

2021-08-12
CVE-2020-20975
CWE-89
In \lib\admin\action\dataaction.class.php in Gxlcms v1.1, SQL Injection exists via the $filename parameter.

2018-10-18
CVE-2018-18488
CWE-89
In \lib\admin\action\dataaction.class.php in Gxlcms v2.0, SQL Injection exists via the ids[] parameter.
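
The two dataaction.class.php entries above (CVE-2020-20975 via $filename, CVE-2018-18488 via ids[]) are one defect class: request data concatenated into SQL text. The following is an added illustration written for this page, not Gxlcms code. The table, rows, request array and function names are constructed here, and the query shape (an IN (...) list built from ids[]) is an assumption about how such a parameter is typically consumed, not a claim about the Gxlcms source:

```php
<?php
declare(strict_types=1);
// Added example, not Gxlcms code: an ids[] array reaching an IN (...) clause
// unescaped, beside the parameterised form that closes the hole. Uses an
// in-memory SQLite database through PDO so it runs offline; the table, the
// rows and the request array below are constructed for the demo.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE backup (id INTEGER PRIMARY KEY, filename TEXT)');
$db->exec("INSERT INTO backup VALUES (1,'a.sql'), (2,'b.sql'), (3,'c.sql')");

// Vulnerable pattern: the request array is joined straight into the SQL text.
function select_vulnerable(PDO $db, array $ids): array
{
    $sql = 'SELECT id FROM backup WHERE id IN (' . implode(',', $ids) . ')';
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened pattern: refuse anything that is not a positive integer, then bind
// one placeholder per value so a value can never become SQL syntax.
function select_safe(PDO $db, array $ids): array
{
    $clean = [];
    foreach ($ids as $v) {
        if (!is_string($v) && !is_int($v)) {
            continue;                           // nested arrays etc. are dropped
        }
        if (!preg_match('/\A[1-9][0-9]{0,9}\z/', (string) $v)) {
            throw new InvalidArgumentException('ids[] must contain positive integers');
        }
        $clean[] = (int) $v;
    }
    if ($clean === []) {
        return [];
    }
    $placeholders = implode(',', array_fill(0, count($clean), '?'));
    $stmt = $db->prepare("SELECT id FROM backup WHERE id IN ($placeholders)");
    $stmt->execute($clean);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed request, as PHP would parse ids[]=1&ids[]=1) OR 1=1 --
$request = ['1', '1) OR 1=1 --'];

// Vulnerable: the ")" closes the IN list and "--" comments out the rest, so
// the WHERE clause becomes "id IN (1,1) OR 1=1" and every row is returned.
print_r(select_vulnerable($db, $request));

// Hardened: the same input is rejected before any SQL text is built.
try {
    select_safe($db, $request);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// Hardened with well-formed input: only the requested rows come back.
print_r(select_safe($db, ['2', '3']));
```

Run it with a PHP build that has pdo_sqlite. The integer allow-list is the cheap part; the placeholders are what actually matter, because they hold even when a future caller forgets the validation.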

CVE-2018-18487
CWE-200
In \lib\admin\action\dataaction.class.php in Gxlcms v2.0, the database backup filename generation uses mt_rand() unsafely, resulting in predictable database backup file locations.
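
Why a backup name derived from mt_rand() is guessable, shown as an added example for this page rather than Gxlcms code. The naming scheme, the range passed to mt_rand(), the storage directory and the function names are assumptions chosen to expose the failure mode; the advisory only states that mt_rand() is used unsafely:

```php
<?php
declare(strict_types=1);
// Added example, not Gxlcms code. The weak scheme below is a hypothetical
// "date + mt_rand()" name; the range 1000..9999 is assumed for illustration.

// Vulnerable pattern. Two independent problems:
//  1. mt_rand() is a Mersenne Twister: the whole output sequence follows from
//     a 32-bit seed, so a recovered seed (or enough observed outputs) yields
//     every later name.
//  2. The space is tiny: 9000 names per day can simply be requested one by one.
function backup_name_weak(string $date): string
{
    return 'db_' . $date . '_' . mt_rand(1000, 9999) . '.sql';
}

// Determinism demo: the same seed reproduces the same "random" name.
mt_srand(20181018);
$first = backup_name_weak('20181018');
mt_srand(20181018);
$second = backup_name_weak('20181018');
echo $first, ' vs ', $second, ' identical: ', var_export($first === $second, true), PHP_EOL;

// Enumeration cost for the weak scheme: upper bound on guesses per day.
echo 'candidate weak names per day: ', 9999 - 1000 + 1, PHP_EOL;

// Hardened pattern: 128 bits from the CSPRNG. Neither a seed nor an earlier
// observed name says anything about the next one.
function backup_name_strong(string $date): string
{
    return 'db_' . $date . '_' . bin2hex(random_bytes(16)) . '.sql';
}

// The name should not be the only control: keep the file outside the web
// root. $storageDir is an assumed path such as /var/backups/app.
function backup_path(string $storageDir, string $name): string
{
    return rtrim($storageDir, '/') . '/' . $name;
}

echo backup_path('/var/backups/app', backup_name_strong('20181018')), PHP_EOL;
```

The two fixes are independent: random_bytes() removes predictability, and a directory outside the document root removes the assumption that an unguessable name is sufficient. If the backup directory has to stay under the web root, add a server-level deny rule for it as well.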

2018-09-07
CVE-2018-16655
CWE-79
Gxlcms 1.0 has XSS via the PATH_INFO to gx/lib/ThinkPHP/Tpl/ThinkException.tpl.php.

2018-09-05
CVE-2018-16437
CWE-22
Gxlcms 2.0 before bug fix 20180915 has Directory Traversal exploitable by an administrator.

CVE-2018-16436
CWE-89
Gxlcms 2.0 before bug fix 20180915 has SQL Injection exploitable by an administrator.

2018-08-07
CVE-2018-15177
CWE-352
In Gxlcms 2.0, a news/index.php?s=Admin-Admin-Insert CSRF attack can add an administrator account.

2018-07-28
CVE-2018-14685
CWE-200
The add function in www/Lib/Lib/Action/Admin/TplAction.class.php in Gxlcms v1.1.4 allows remote attackers to read arbitrary files via a crafted index.php?s=Admin-Tpl-ADD-id request, related to Lib/Common/Admin/function.php.

2017-10-02
CVE-2017-14979
CWE-noinfo (no CWE assigned)
Gxlcms uses an unsafe character-replacement approach in an attempt to restrict access, which allows remote attackers to read arbitrary files via modified pathnames in the s parameter to index.php, related to Lib/Admin/Action/TplAction.class.php and Lib/Admin/Common/function.php.
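
CVE-2017-14979 names the mistake directly, and CVE-2018-14685 and CVE-2018-16437 belong to the same class: trying to neutralise "../" by deleting it from the string instead of checking where the final path resolves. The following is an added example for this page, not Gxlcms code. The filter is modelled as a single str_replace() of "../", which is an assumption about the vulnerable logic, and the template root, template file and function names are constructed here:

```php
<?php
declare(strict_types=1);
// Added example, not Gxlcms code: a "delete the bad characters" path filter
// beside a containment check. The filter shape is assumed; the template
// directory is a throw-away fixture created below.

// Vulnerable pattern: remove the forbidden sequence once and trust the result.
function strip_dot_dot(string $name): string
{
    return str_replace('../', '', $name);
}

// Hardened pattern: allow-list the name, resolve it, and confirm the resolved
// file still lies under the template root (realpath() also follows symlinks).
function resolve_template(string $root, string $name): ?string
{
    if (!preg_match('/\A[A-Za-z0-9_\-]{1,64}\z/', $name)) {
        return null;                               // not a plain template name
    }
    $rootReal = realpath($root);
    $fileReal = realpath($root . DIRECTORY_SEPARATOR . $name . '.html');
    if ($rootReal === false || $fileReal === false) {
        return null;                               // missing root or file
    }
    $prefix = $rootReal . DIRECTORY_SEPARATOR;
    if (strncmp($fileReal, $prefix, strlen($prefix)) !== 0) {
        return null;                               // resolved outside the root
    }
    return $fileReal;
}

// Constructed fixture: a temporary template directory with one real template.
$root = sys_get_temp_dir() . '/tpl_demo_' . bin2hex(random_bytes(4));
mkdir($root);
file_put_contents($root . '/index.html', '<h1>index</h1>');

$inputs = [
    'index',                               // legitimate name
    '../../../../etc/passwd',              // filter strips every "../": looks handled
    '....//....//....//....//etc/passwd',  // one pass turns "....//" into "../" again
    '..\\..\\etc\\passwd',                 // untouched: only matters on Windows hosts
];

foreach ($inputs as $in) {
    printf("%-40s filter=%-26s check=%s\n",
        $in,
        strip_dot_dot($in),
        resolve_template($root, $in) ?? 'rejected');
}

unlink($root . '/index.html');
rmdir($root);
```

The filter column shows why the replacement approach fails: str_replace() makes one left-to-right pass, so "....//" collapses to "../" after the inner sequence is removed. The check column never reasons about the string at all; it resolves the candidate and compares the result against the root, which is the property that actually needs to hold.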

Vendor: Gxlcms (3 products)
Gxlcms
Gxlcms qy
Gxlcmsqy


Copyright 2024, cxsecurity.com