RSS   Vulnerabilities for 'Easycms'   RSS

2022-02-16
 
CVE-2022-23358

CWE-89
 
 
EasyCMS v1.6 allows for SQL injection via ArticlemAction.class.php. In the background, search terms provided by the user were not sanitized and were used directly to construct a SQL statement.

 
2021-02-01
 
CVE-2020-24271

CWE-352
 
 
A CSRF vulnerability was discovered in EasyCMS v1.6 that can add an admin account through index.php?s=/admin/rbacuser/insert/navTabId/rbacuser/callbackType/closeCurrent, then post username=***&password=***.

 
2019-01-15
 
CVE-2019-6294

CWE-352
 
 
An issue was discovered in EasyCMS 1.5. There is CSRF via the index.php?s=/admin/articlem/insert/navTabId/listarticle/callbackType/closeCurrent URI.

 
2018-09-17
 
CVE-2018-17113

CWE-79
 
 
App/Modules/Admin/Tpl/default/Public/dwz/uploadify/scripts/uploadify.swf in EasyCMS 1.5 has XSS via the uploadifyID or movieName parameter, a related issue to CVE-2018-9173.

 
2018-09-10
 
CVE-2018-16773

CWE-79
 
 
EasyCMS 1.5 allows XSS via the index.php?s=/admin/fields/update/navTabId/listfields/callbackType/closeCurrent content field.

 
2018-09-09
 
CVE-2018-16759

CWE-79
 
 
The removeXSS function in App/Common/common.php (called from App/Modules/Index/Action/SearchAction.class.php) in EasyCMS v1.4 allows XSS via an onhashchange event.

 
2018-09-02
 
CVE-2018-16345

CWE-352
 
 
An issue was discovered in EasyCMS 1.5. There is a CSRF vulnerability that can update the admin password via index.php?s=/admin/rbacuser/update/navTabId/listusers/callbackType/closeCurrent.

 
2018-06-29
 
CVE-2018-12971

CWE-352
 
 
EasyCMS 1.3 has CSRF via the index.php?s=/admin/user/delAll URI to delete users.

 
2018-04-25
 
CVE-2018-10374

CWE-79
 
 
EasyCMS 1.3 has XSS via the s POST parameter (aka a search box value) in an index.php?s=/index/search/index.html request.

 

Copyright 2024, cxsecurity.com

 

Back to Top