RSS   Vulnerabilities for 'Tianti'   RSS

2018-11-08
 
CVE-2018-19110

CWE-425
 

 
The skin-management feature in tianti 2.3 allows remote authenticated users to bypass intended permission restrictions by visiting tianti-module-admin/user/skin/list directly because controller\usercontroller.java maps a /skin/list request to the function skinList, and lacks an authorization check.

 
 
CVE-2018-19109

CWE-425
 

 
tianti 2.3 allows remote authenticated users to bypass intended permission restrictions by visiting tianti-module-admin/cms/column/list directly to read the column list page or edit a column.

 
2018-11-07
 
CVE-2018-19091

CWE-79
 

 
tianti 2.3 has reflected XSS in the user management module via the tianti-module-admin/user/list userName parameter.

 
 
CVE-2018-19090

CWE-79
 

 
tianti 2.3 has stored XSS in the article management module via an article title.

 
 
CVE-2018-19089

CWE-79
 

 
tianti 2.3 has stored XSS in the userlist module via the tianti-module-admin/user/ajax/save_role name parameter, which is mishandled in tianti-module-admin\src\main\webapp\WEB-INF\views\user\user_list.jsp.

 


Copyright 2024, cxsecurity.com

 

Back to Top