RSS   Vulnerabilities for 'Minicms'   RSS

2021-01-05
 
CVE-2020-36052

CWE-22
 
 
Directory traversal vulnerability in post-edit.php in MiniCMS V1.10 allows remote attackers to include and execute arbitrary files via the state parameter.

 
 
CVE-2020-36051

CWE-22
 
 
Directory traversal vulnerability in page_edit.php in MiniCMS V1.10 allows remote attackers to read arbitrary files via the state parameter.

 
2019-07-05
 
CVE-2019-13341

CWE-79
 
 
In MiniCMS V1.10, stored XSS was found in mc-admin/conf.php (comment box), which can be used to get a user's cookie.

 
 
CVE-2019-13340

CWE-79
 
 
In MiniCMS V1.10, stored XSS was found in mc-admin/post-edit.php via the content box. An attacker can use it to get a user's cookie. This is different from CVE-2018-10296, CVE-2018-16233, CVE-2018-20520, and CVE-2019-13186.

 
 
CVE-2019-13339

CWE-79
 
 
In MiniCMS V1.10, stored XSS was found in mc-admin/page-edit.php (content box), which can be used to get a user's cookie.

 
2019-07-03
 
CVE-2019-13186

CWE-79
 
 
In MiniCMS V1.10, stored XSS was found in mc-admin/post-edit.php via the tags box. An attacker can use it to get a user's cookie. This is different from CVE-2018-10296, CVE-2018-16233, and CVE-2018-20520.

 
2019-03-06
 
CVE-2019-9603

CWE-352
 
 
MiniCMS 1.10 allows mc-admin/post.php?state=publish&delete= CSRF to delete articles, a different vulnerability than CVE-2018-18891.

 
2018-12-27
 
CVE-2018-20520

CWE-79
 
 
MiniCMS V1.10 has XSS via the mc-admin/post-edit.php query string, a related issue to CVE-2018-10296 and CVE-2018-16233.

 
2018-10-31
 
CVE-2018-18892

CWE-94
 
 
MiniCMS 1.10 allows execution of arbitrary PHP code via the install.php sitename parameter, which affects the site_name field in mc_conf.php.

 
 
CVE-2018-18891

CWE-287
 
 
MiniCMS 1.10 allows file deletion via /mc-admin/post.php?state=delete&delete= because the authentication check occurs too late.

 

Copyright 2021, cxsecurity.com

 

Back to Top