Vulnerabilities for 'Nukeviet'

2020-12-31
 
CVE-2019-7726

CWE-89
 

 
modules/banners/funcs/click.php in NukeViet before 4.3.04 has a SQL INSERT statement with raw header data from an HTTP request (e.g., Referer and User-Agent).

 
 
CVE-2019-7725

CWE-502
 

 
includes/core/is_user.php in NukeViet before 4.3.04 deserializes the untrusted nvloginhash cookie (i.e., the code relies on PHP's serialization format when JSON can be used to eliminate the risk).

 
2020-06-23
 
CVE-2020-13157

CWE-352
 

 
modules\users\admin\edit.php in NukeViet 4.4 allows CSRF to change a user's password via an admin/index.php?nv=users&op=edit&userid= URI. The old password is not needed.

 
 
CVE-2020-13156

CWE-352
 

 
modules\users\admin\add_user.php in NukeViet 4.4 allows CSRF to add a user account via the admin/index.php?nv=users&op=user_add URI.

 
 
CVE-2020-13155

CWE-352
 

 
clearsystem.php in NukeViet 4.4 allows CSRF with resultant HTML injection via the deltype parameter to the admin/index.php?nv=webtools&op=clearsystem URI.

 


Copyright 2021, cxsecurity.com

 
