Vulnerabilities for 'Gila CMS'

2021-10-04
 
CVE-2021-37777

CWE-200
 

 
Gila CMS 2.2.0 is vulnerable to Insecure Direct Object Reference (IDOR). Thumbnails uploaded by one site owner are readable by another site owner who knows the target site's name and fuzzes for image file names, because the thumbnail handler checks only that the caller is logged in, not that the caller owns the requested site. This leads to sensitive information disclosure.
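The object-level authorization that the IDOR above lacks, shown as an added illustration in Python rather than Gila CMS's own PHP. The store layout, site names, file names and function names are all hypothetical; the point is that the tenant comes from the session, not from the URL, and that a foreign object and a missing object are indistinguishable to the caller, so name-fuzzing learns nothing.

```python
"""Per-tenant thumbnail access: a lookup that trusts the site name in the URL
beside one that scopes every lookup to the caller's own site.

Added illustration, not Gila CMS code. STORE, the site names and the file
names below are constructed sample data."""
import re

# Constructed sample store: site name -> set of uploaded thumbnail file names.
STORE = {
    "alice-site": {"logo.png", "team.jpg"},
    "bob-site": {"invoice-2021.png"},
}

# The only thumbnail names the handler will accept: a single path segment,
# no traversal characters, and a short allowlist of image extensions.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(png|jpe?g|gif|webp)$")


def serve_thumbnail_vulnerable(session_site, url_site, name):
    """The IDOR pattern: the owning site is taken from the URL and the session
    is only used to know that someone is logged in (session_site is unused),
    so any site owner can read another site's thumbnails by guessing names.
    Returns the storage key that would be served, or None."""
    if url_site in STORE and name in STORE[url_site]:
        return f"{url_site}/{name}"
    return None


def serve_thumbnail_fixed(session_site, url_site, name):
    """Object-level authorization: the tenant is the one bound to the session,
    never the one named in the request. A foreign site, a malformed name and a
    missing file all yield the same None, so enumeration reveals nothing."""
    if url_site != session_site:
        return None
    if not SAFE_NAME.fullmatch(name):
        return None
    if name not in STORE.get(session_site, ()):
        return None
    return f"{session_site}/{name}"
```

In a real handler the session-to-site binding would be resolved server-side on login; the URL site segment can then be dropped entirely instead of merely compared.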

 
 
CVE-2021-39486

CWE-79
 

 
A stored XSS via malicious file upload exists in Gila CMS version 2.2.0. An attacker can use it to steal cookies or passwords, or to run arbitrary script in a victim's browser.

 
2021-09-27
 
CVE-2020-20692

CWE-89
 

 
GilaCMS v1.11.4 contains a SQL injection vulnerability via a $_GET parameter handled in /src/core/controllers/cm.php.

 
 
CVE-2020-20693

CWE-352
 

 
A Cross-Site Request Forgery (CSRF) in GilaCMS v1.11.4 allows an attacker to add administrator accounts by having an authenticated administrator's browser submit a forged request.

 
 
CVE-2020-20695

CWE-79
 

 
A stored cross-site scripting (XSS) vulnerability in GilaCMS v1.11.4 allows attackers to execute arbitrary web scripts or HTML via a crafted SVG file.

 
 
CVE-2020-20696

CWE-79
 

 
A cross-site scripting (XSS) vulnerability in /admin/content/post of GilaCMS v1.11.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the Tags field.

 
2020-05-21
 
CVE-2019-20804

CWE-352
 

 
Gila CMS before 1.11.6 allows CSRF with resultant XSS via the admin/themes URI, leading to compromise of the admin account.
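Both CSRF entries on this page (CVE-2020-20693, adding administrators; CVE-2019-20804, the admin/themes URI) come down to state-changing admin requests that are accepted without proof that the administrator's own page issued them. The standard defense, as an added example in Python rather than Gila CMS's PHP, is a session-bound synchronizer token plus an origin check. The secret, session ids, site origin and request dictionaries are constructed for illustration.

```python
"""Synchronizer-token CSRF protection for state-changing admin requests.

Added example, not Gila CMS code. SERVER_SECRET, the session ids and the
request dictionaries used with is_request_allowed() are constructed."""
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Server-side secret; generated here for the example, would come from config.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id):
    """Token = nonce.HMAC(secret, session_id:nonce). Binding the MAC to the
    session id makes a token captured for one session useless in another,
    and the server keeps no per-token state."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id, token):
    """Recompute the MAC for this session and compare in constant time."""
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def is_request_allowed(request, site_origin="https://cms.example"):
    """Gate for a state-changing request (creating an admin user, saving a
    theme). `request` is a dict with 'method', 'headers', 'session_id' and
    'form'. Safe methods pass; anything else needs a same-origin Origin or
    Referer header AND a valid session-bound token in the form body."""
    if request["method"] in ("GET", "HEAD", "OPTIONS"):
        return True  # safe methods must never change state in the first place
    headers = request.get("headers", {})
    source = headers.get("Origin") or headers.get("Referer", "")
    parsed = urlsplit(source)
    # Compare scheme+host exactly; a prefix test would accept
    # https://cms.example.attacker.net.
    if f"{parsed.scheme}://{parsed.netloc}" != site_origin:
        return False
    token = request.get("form", {}).get("csrf_token")
    return verify_csrf_token(request["session_id"], token)
```

The token must be emitted into every admin form (and read from a header for XHR), and the cookie should additionally carry SameSite=Lax or Strict; the origin check is defense in depth for the case where the token is leaked, for example through the reflected XSS entries on this same page.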

 
 
CVE-2019-20803

CWE-79
 

 
Gila CMS before 1.11.6 has reflected XSS via the admin/content/postcategory id parameter, which is mishandled for g_preview_theme.

 
2020-01-06
 
CVE-2020-5515

CWE-89
 

 
Gila CMS 1.11.8 allows SQL injection via the query parameter of /admin/sql (/admin/sql?query=).
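The three injection entries that name a request path (CVE-2020-20692 on cm.php, CVE-2019-20803 on admin/content/postcategory id, and CVE-2020-5515 on /admin/sql?query=) can be hunted for in ordinary web-server access logs. The scanner below is an added detection example, not code from the page or from Gila CMS: the paths and parameter names come from the advisory text, the log lines are constructed, and the SQL and script heuristics are generic, not the reporters' payloads.

```python
"""Flag requests to the Gila CMS admin endpoints named in the advisories in
combined-format access logs.

Added detection example, not Gila CMS code. SAMPLE_LOG is constructed; the
paths come from the advisories, the regexes are coarse generic heuristics."""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# client - - [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

# Generic SQL and script indicators, applied to the URL-decoded query string.
SQL_HINT = re.compile(r"(?i)(union\s+select|sleep\s*\(|\bor\b\s+\d+\s*=\s*\d+|--|;|'|\bselect\b)")
SCRIPT_HINT = re.compile(r"(?i)(<script|javascript:|onerror\s*=|onload\s*=)")


def classify(target):
    """Return a finding label for one request target, or None."""
    parts = urlsplit(target)
    path = parts.path.lower()
    params = parse_qs(parts.query, keep_blank_values=True)
    decoded = unquote_plus(parts.query)
    # CVE-2020-5515: any use of the admin SQL console is worth a ticket;
    # the advisory does not require a malicious payload, the endpoint is one.
    if path.endswith("/admin/sql") and "query" in params:
        return "CVE-2020-5515 admin SQL console invoked"
    if path.endswith("/admin/content/postcategory") and SCRIPT_HINT.search(decoded):
        return "CVE-2019-20803 reflected XSS attempt in postcategory id"
    # Path as named in the advisory; real routing through index.php may differ.
    if path.endswith("/src/core/controllers/cm.php") and SQL_HINT.search(decoded):
        return "CVE-2020-20692 SQL metacharacters in cm.php GET parameter"
    return None


def scan(lines):
    """Return (client ip, target, label) for every matching log line."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        label = classify(m["target"])
        if label:
            findings.append((m["ip"], m["target"], label))
    return findings


# Constructed sample log: three hits and one benign admin page view.
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Jan/2020:10:15:02 +0000] "GET /admin/sql?query=SELECT+1 HTTP/1.1" 200 512',
    '10.0.0.7 - - [21/May/2020:11:00:00 +0000] "GET /admin/content/postcategory?id=1%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 2048',
    '10.0.0.9 - - [27/Sep/2021:09:30:00 +0000] "GET /src/core/controllers/cm.php?id=1%27+OR+1%3D1-- HTTP/1.1" 200 1024',
    '10.0.0.2 - - [06/Jan/2020:10:16:00 +0000] "GET /admin/content/post HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for ip, target, label in scan(SAMPLE_LOG):
        print(f"{ip}\t{label}\t{target}")
```

POST bodies are not in access logs, so the same checks belong in a WAF or application log if the vulnerable parameters are also accepted via POST; the advisories only name GET-style URIs.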

 
 
CVE-2020-5514

CWE-434
 

 
Gila CMS 1.11.8 allows unrestricted upload of a file with a dangerous type (.phar or .phtml) via the lzld/thumb?src= URI.
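Three entries on this page are upload-validation failures: CVE-2021-39486 (stored XSS via a malicious upload), CVE-2020-20695 (stored XSS via a crafted SVG) and CVE-2020-5514 (.phar/.phtml accepted by lzld/thumb?src=). One validator covers all three: reject server-executable extensions anywhere in the name, require the content to match the claimed image type, and refuse SVGs that carry active content. This is an added example in Python, not Gila CMS code; the file names and byte strings are constructed.

```python
"""Upload validation for an image/thumbnail endpoint.

Added example, not Gila CMS code. ALLOWED_EXT, EXECUTABLE_EXT and the SVG
pattern are this example's choices; test inputs are constructed."""
import re

ALLOWED_EXT = {"png", "jpeg", "gif", "webp", "svg"}
# The two extensions named in CVE-2020-5514 plus the rest of the PHP family.
EXECUTABLE_EXT = {"php", "php3", "php4", "php5", "php7", "phps", "phtml", "phar"}
# Coarse filter for script-bearing SVG: script elements, on* event handlers,
# javascript: URLs, and embedding elements. A proper fix also serves user SVG
# from a separate origin or as an attachment; this filter alone is not enough.
SVG_ACTIVE = re.compile(
    rb"(?i)<\s*script|\son[a-z]+\s*=|javascript:|<\s*foreignobject|<\s*iframe|<\s*embed")


def sniff(data):
    """Identify the raster type from magic bytes, or None."""
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "webp"
    return None


def check_upload(filename, data):
    """Return (accepted, reason) for a candidate upload."""
    # Use only the last path component; the client's directory is irrelevant.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = name.split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "no usable extension"
    exts = parts[1:]
    # shell.phtml.png is still shell.phtml to a misconfigured handler.
    if any(e in EXECUTABLE_EXT for e in exts):
        return False, f"executable extension in {name}"
    ext = "jpeg" if exts[-1] == "jpg" else exts[-1]
    if ext not in ALLOWED_EXT:
        return False, f"extension .{exts[-1]} not allowed"
    if ext == "svg":
        head = data.lstrip()[:512].lower()
        if b"<svg" not in head and b"<?xml" not in head:
            return False, "svg without an svg/xml root"
        if SVG_ACTIVE.search(data):
            return False, "svg carries active content"
        return True, "svg accepted"
    kind = sniff(data)
    if kind is None:
        return False, "unrecognized image content"
    if kind != ext:
        return False, f"content is {kind} but extension is .{exts[-1]}"
    return True, f"{kind} accepted"
```

Once accepted, the file should be stored under a server-generated name, outside any directory the web server will execute scripts from, and the upload directory should have script execution disabled in the web-server configuration as a second layer.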

 


Copyright 2024, cxsecurity.com

 
