Security Vulnerabilities - CVEs Published In November 2018
An issue was discovered in arcms through 2018-03-19. No authentication is required for index/main, user/useradd, or img/images.
CVSS Score
9.8
EPSS Score
0.006
Published
2018-11-26
An issue was discovered in arcms through 2018-03-19. SQL injection exists via the json/newslist limit parameter because of ctl/main/Json.php, ctl/main/service/Data.php, and comp/Db/Mysql.php.
CVSS Score
9.8
EPSS Score
0.003
Published
2018-11-26
CuppaCMS before 2018-11-12 has SQL Injection in administrator/classes/ajax/functions.php via the reference_id parameter.
CVSS Score
9.8
EPSS Score
0.002
Published
2018-11-26
BageCMS 3.1.3 has CSRF via upload/index.php?r=admini/admin/ownerUpdate to modify a user account.
CVSS Score
8.8
EPSS Score
0.002
Published
2018-11-26
sikcms 1.1 has CSRF via admin.php?m=Admin&c=Users&a=userAdd to add an administrator account.
CVSS Score
8.8
EPSS Score
0.001
Published
2018-11-26
An issue was discovered in PHPok 4.9.015. admin.php?c=update&f=unzip allows remote attackers to execute arbitrary code via a "Login Background > Program Upgrade > Compressed Packet Upgrade" action in which a .php file is inside a ZIP archive.
CVSS Score
8.8
EPSS Score
0.013
Published
2018-11-26
JEECMS 9.3 has CSRF via the api/admin/content/save URI to add news.
CVSS Score
6.5
EPSS Score
0.001
Published
2018-11-26
JEECMS 9.3 has CSRF via the api/admin/role/save URI to add a user.
CVSS Score
8.8
EPSS Score
0.001
Published
2018-11-26
JTBC(PHP) 3.0.1.7 has CSRF via the console/xml/manage.php?type=action&action=edit URI, as demonstrated by an XSS payload in the content parameter.
CVSS Score
8.8
EPSS Score
0.001
Published
2018-11-26
JTBC(PHP) 3.0.1.7 has XSS via the console/xml/manage.php?type=action&action=edit content parameter.
CVSS Score
6.1
EPSS Score
0.002
Published
2018-11-26