Shodan
Vulnerabilities
Vulnerable Software
Security Vulnerabilities - CVEs Published In March 2019
CVE-2019-9608
An issue was discovered in OFCMS before 1.1.3. Remote attackers can execute arbitrary code because blocking of .jsp and .jspx files does not consider (for example) file.jsp::$DATA to the admin/ueditor/uploadImage URI.
CVSS Score
8.8
EPSS Score
0.022
Published
2019-03-06
CVE-2019-9609
An issue was discovered in OFCMS before 1.1.3. Remote attackers can execute arbitrary code because blocking of .jsp and .jspx files does not consider (for example) file.jsp::$DATA to the admin/comn/service/editUploadImage URI.
CVSS Score
8.8
EPSS Score
0.022
Published
2019-03-06
CVE-2019-9610
An issue was discovered in OFCMS before 1.1.3. It has admin/cms/template/getTemplates.html?res_path=res&up_dir=../ directory traversal, related to the getTemplates function in TemplateController.java.
CVSS Score
4.3
EPSS Score
0.002
Published
2019-03-06
CVE-2019-9611
An issue was discovered in OFCMS before 1.1.3. It allows admin/cms/template/getTemplates.html?res_path=res directory traversal, with ../ in the dir parameter, to write arbitrary content (in the file_content parameter) into an arbitrary file (specified by the file_name parameter). This is related to the save function in TemplateController.java.
CVSS Score
6.5
EPSS Score
0.004
Published
2019-03-06
CVE-2019-9612
An issue was discovered in OFCMS before 1.1.3. Remote attackers can execute arbitrary code because blocking of .jsp and .jspx files does not consider (for example) file.jsp::$DATA to the admin/comn/service/upload URI.
CVSS Score
8.8
EPSS Score
0.022
Published
2019-03-06
CVE-2019-9613
An issue was discovered in OFCMS before 1.1.3. Remote attackers can execute arbitrary code because blocking of .jsp and .jspx files does not consider (for example) file.jsp::$DATA to the admin/ueditor/uploadVideo URI.
CVSS Score
7.2
EPSS Score
0.023
Published
2019-03-06
CVE-2019-9614
An issue was discovered in OFCMS before 1.1.3. A command execution vulnerability exists via a template file with '<#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("' followed by the command.
CVSS Score
8.8
EPSS Score
0.032
Published
2019-03-06
CVE-2019-9615
An issue was discovered in OFCMS before 1.1.3. It allows admin/system/generate/create?sql= SQL injection, related to SystemGenerateController.java.
CVSS Score
7.2
EPSS Score
0.003
Published
2019-03-06
CVE-2019-9616
An issue was discovered in OFCMS before 1.1.3. Remote attackers can execute arbitrary code because blocking of .jsp and .jspx files does not consider (for example) file.jsp::$DATA to the admin/ueditor/uploadScrawl URI.
CVSS Score
7.2
EPSS Score
0.023
Published
2019-03-06
CVE-2019-9617
An issue was discovered in OFCMS before 1.1.3. Remote attackers can execute arbitrary code because blocking of .jsp and .jspx files does not consider (for example) file.jsp::$DATA to the admin/ueditor/uploadFile URI.
CVSS Score
8.8
EPSS Score
0.022
Published
2019-03-06


Products
Pricing
Contact Us

Shodan ® - All rights reserved