RSS   Podatności dla 'Hisiphp'   RSS

2022-04-04
 
CVE-2020-28062

CWE-434
 

 
An Access Control vulnerability exists in HisiPHP 2.0.11 via special packets that are constructed in $files = Dir::getList($decompath. '/ Upload/Plugins /, which could let a remote malicious user execute arbitrary code.

 
2021-06-21
 
CVE-2020-21130

CWE-79
 

 
Cross Site Scripting (XSS) vulnerability in HisiPHP 2.0.8 via the group name in addgroup.html.

 
2019-07-24
 
CVE-2019-1010193

CWE-79
 

 
hisiphp 1.0.8 is affected by: Cross Site Scripting (XSS).

 
2018-10-01
 
CVE-2018-17827

CWE-94
 

 
HisiPHP 1.0.8 allows remote attackers to execute arbitrary PHP code by editing a plugin's name to contain that code. This name is then injected into app/admin/model/AdminPlugins.php.

 
 
CVE-2018-17826

CWE-352
 

 
HisiPHP 1.0.8 allows CSRF via admin.php/admin/user/adduser.html to add an administrator account. The attacker can then use that account to execute arbitrary PHP code by leveraging app/common/model/AdminAnnex.php to add .php to the default list of allowable file-upload types (.jpg, .png, .gif, .jpeg, and .ico).

 


Copyright 2024, cxsecurity.com

 

Back to Top