Vulnerabilities for 'Maccms'

2021-10-04
 
CVE-2020-21386
CWE-352
A Cross-Site Request Forgery (CSRF) in the component admin.php/admin/type/info.html of Maccms 10 allows attackers to gain administrator privileges.

CVE-2020-21387
CWE-79
A cross-site scripting (XSS) vulnerability in the parameter type_en of Maccms 10 allows attackers to obtain the administrator cookie and escalate privileges via a crafted payload.

CVE-2020-21434
CWE-79
Maccms 10 contains a cross-site scripting (XSS) vulnerability in the Editing function under the Member module. This vulnerability is exploited via a crafted payload in the nickname text field.

2021-09-24
 
CVE-2020-20514
CWE-352
A Cross-Site Request Forgery (CSRF) in Maccms v10 via admin.php/admin/admin/del/ids/<id>.html allows authenticated attackers to delete all users.

2021-08-11
 
CVE-2020-21359
CWE-434
An arbitrary file upload vulnerability in the Template Upload function of Maccms10 allows attackers to bypass the suffix whitelist verification and execute arbitrary code by adding a character to the end of the uploaded file's name.

CVE-2020-21362
CWE-79
A cross-site scripting (XSS) vulnerability in the background search function of Maccms10 allows attackers to execute arbitrary web scripts or HTML via the 'wd' parameter.

CVE-2020-21363
CWE-610
An arbitrary file deletion vulnerability exists within Maccms10.

2019-06-07
 
CVE-2018-19465
CWE-79
Maccms through 8.0 allows XSS via the site_keywords field to index.php?m=system-config because of tpl/module/system.php and tpl/html/system_config.html, related to template/paody/html/vod_index.html.

2019-03-14
 
CVE-2019-9829
CWE-94
Maccms 10 allows remote attackers to execute arbitrary PHP code by entering PHP code in a template/default_pc/html/art Edit action. This occurs because template rendering uses an include operation on a cache file, which bypasses the prohibition of .php files as templates.

2019-02-27
 
CVE-2019-8410
CWE-79
Maccms 8.0 allows XSS via the inc/config/cache.php t_key parameter because template/paody/html/vod_type.html mishandles the keywords parameter, and a/tpl/module/db.php only filters the t_name parameter (not t_key).

Copyright 2021, cxsecurity.com

 
