Vulnerabilities
Vulnerable Software
Security Vulnerabilities - CVEs Published In March 2019
An issue was discovered in OFCMS before 1.1.3. Remote attackers can execute arbitrary code because blocking of .jsp and .jspx files does not consider (for example) file.jsp::$DATA to the admin/ueditor/uploadImage URI.
CVSS Score
8.8
EPSS Score
0.027
Published
2019-03-06
An issue was discovered in OFCMS before 1.1.3. Remote attackers can execute arbitrary code because blocking of .jsp and .jspx files does not consider (for example) file.jsp::$DATA to the admin/comn/service/editUploadImage URI.
CVSS Score
8.8
EPSS Score
0.027
Published
2019-03-06
An issue was discovered in OFCMS before 1.1.3. It has admin/cms/template/getTemplates.html?res_path=res&up_dir=../ directory traversal, related to the getTemplates function in TemplateController.java.
CVSS Score
4.3
EPSS Score
0.014
Published
2019-03-06
An issue was discovered in OFCMS before 1.1.3. It allows admin/cms/template/getTemplates.html?res_path=res directory traversal, with ../ in the dir parameter, to write arbitrary content (in the file_content parameter) into an arbitrary file (specified by the file_name parameter). This is related to the save function in TemplateController.java.
CVSS Score
6.5
EPSS Score
0.014
Published
2019-03-06
An issue was discovered in OFCMS before 1.1.3. Remote attackers can execute arbitrary code because blocking of .jsp and .jspx files does not consider (for example) file.jsp::$DATA to the admin/comn/service/upload URI.
CVSS Score
8.8
EPSS Score
0.027
Published
2019-03-06
An issue was discovered in OFCMS before 1.1.3. Remote attackers can execute arbitrary code because blocking of .jsp and .jspx files does not consider (for example) file.jsp::$DATA to the admin/ueditor/uploadVideo URI.
CVSS Score
7.2
EPSS Score
0.027
Published
2019-03-06
An issue was discovered in OFCMS before 1.1.3. A command execution vulnerability exists via a template file with '<#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("' followed by the command.
CVSS Score
8.8
EPSS Score
0.026
Published
2019-03-06
An issue was discovered in OFCMS before 1.1.3. It allows admin/system/generate/create?sql= SQL injection, related to SystemGenerateController.java.
CVSS Score
7.2
EPSS Score
0.013
Published
2019-03-06
An issue was discovered in OFCMS before 1.1.3. Remote attackers can execute arbitrary code because blocking of .jsp and .jspx files does not consider (for example) file.jsp::$DATA to the admin/ueditor/uploadScrawl URI.
CVSS Score
7.2
EPSS Score
0.027
Published
2019-03-06
An issue was discovered in OFCMS before 1.1.3. Remote attackers can execute arbitrary code because blocking of .jsp and .jspx files does not consider (for example) file.jsp::$DATA to the admin/ueditor/uploadFile URI.
CVSS Score
8.8
EPSS Score
0.027
Published
2019-03-06


Contact Us

Shodan ® - All rights reserved