Vulnerabilities for Yzmcms (...) - CXSECURITY.COM

Vulnerabilities for 'Yzmcms'

2022-03-10

CVE-2022-23383

CWE-287

YzmCMS v6.3 is affected by broken access control. Without login, unauthorized access to the user's personal home page can be realized. It is necessary to judge the user's login status before accessing the personal home page, but the vulnerability can access other users' home pages through the non login status because real authentication is not carried out.

2022-02-15

CVE-2022-23384

CWE-352

YzmCMS v6.3 is affected by Cross Site Request Forgery (CSRF) in /admin.add

2022-01-28

CVE-2022-23887

CWE-352

YzmCMS v6.3 was discovered to contain a Cross-Site Request Forgery (CSRF) which allows attackers to arbitrarily delete user accounts via /admin/admin_manage/delete.

CVE-2022-23888

CWE-352

YzmCMS v6.3 was discovered to contain a Cross-Site Request Forgey (CSRF) via the component /yzmcms/comment/index/init.html.

CVE-2022-23889

CWE-674

The comment function in YzmCMS v6.3 was discovered as being able to be operated concurrently, allowing attackers to create an unusually large number of comments.

2021-09-23

CVE-2020-19949

CWE-79

A cross-site scripting (XSS) vulnerability in the /link/add.html component of YzmCMS v5.3 allows attackers to execute arbitrary web scripts or HTML.

CVE-2020-19950

CWE-79

A cross-site scripting (XSS) vulnerability in the /banner/add.html component of YzmCMS v5.3 allows attackers to execute arbitrary web scripts or HTML.

CVE-2020-19951

CWE-352

A cross-site request forgery (CSRF) in /controller/pay.class.php of YzmCMS v5.5 allows attackers to access sensitive components of the application.

2021-07-30

CVE-2020-19118

CWE-79

Cross Site Scripting (XSS) vulnerabiity in YzmCMS 5.2 via the site_code parameter in admin/index/init.html.

2021-06-03

CVE-2020-35970

CWE-918

An issue was discovered in YzmCMS 5.8. There is a SSRF vulnerability in the background collection management that allows arbitrary file read.

Copyright 2024, cxsecurity.com